NeverEverNoSanity worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Mopat
Registered User
Posts: 10
Joined: Sun Apr 25, 2004 12:11 am

Post by Mopat »

TekFi

BE WORRIED!

I got up this morning to find my entire site - three domains - affected. Needless to say, I hadn't upgraded PHPbb so this "worm" exploited the loophole and gave the same message throughout my domains.

My server restored everything to the point of their last backup, which had been only hours earlier, so I lost nothing. Then I came here to read up on the cause and solution, and by the time I got back to my sites, it had happened again.

I emailed my server, begging for help. They were wonderful. They not only restored my three sites to pristine condition, but also performed the upgrades on PHPbb and Mambo ... which really was above and beyond the call of duty.

Don't know if it's okay to recommend a server here (if not, someone please delete) but mine is BLUE HOST and I can't praise them highly enough. They helped me to move three sites and have given great support during the last year I have been with them.

Anyway, the moral of the story is - UPGRADE ASAP. This one is a persistent little beggar and I would hate to see anyone else's site affected.
transm
Registered User
Posts: 99
Joined: Mon Feb 09, 2004 2:26 pm

Post by transm »

blujay wrote:
Techie-Micheal wrote:I'm not really sure how many times this needs to be repeated ...

Update to 2.0.11 now. It is not vulnerable to this worm.
Update to 4.3.10 now. It is not vulnerable to this worm.
Prior to 2.0.11, phpBB had a serious vulnerability released.
Prior to 4.3.10/5.0.3, PHP had a serious vulnerability released.
Ignore any and all MODs you may or may not have installed and update to 2.0.11 now.


Ok, but you realize that the highlight vulnerability in phpBB and the serialize/unserialize vulnerabilities in PHP are separate issues, right? According to SANS, the worm exploits the phpBB vulnerability, not a PHP vulnerability.

So the question remains:

Is a server running phpBB < 2.0.11 and PHP >= 4.3.10 vulnerable?



This is insane. I am very confused about this issue and disabled my site until I can understand and fix it correctly. My site has been down for hours even though I have had no successful hack attempts (I fix any security issues that come up even though I am using 2.04). I just changed my passwords yet again in case the http://securityfocus.com/archive/1/3847 ... 04-12-21/0 hack was carried out. The highlight issue I dealt with well over a month ago now, so the new worm can't work and I have no backdoors.

My site is not large but it isn't small either, and there were activities that I was planning. Don't the PHP developers understand that almost everyone using phpBB is on shared servers! The worm may not be working on the latest release or on a patched phpBB, but I need to know if ANY phpBB is vulnerable to the PHP exploit that can find the database password in config files.

It's no use saying to upgrade to PHP 4.3.10 as this isn't possible for the users to do! They are on shared servers and must wait for their hosting service to do this. What do the users do about the PHP exploit on PHPbb??


Do we all need to disable our boards if our hosts don't have PHP 4.3.10 ??

Also, it's no use saying upgrade PHPbb when it won't fix the PHP issue!!
espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

where the problems are

Post by espicom »

Do we all need to disable our boards if our hosts don't have PHP 4.3.10 ??


Possibly, yes. Please note that the particular vulnerability being exploited in this attack is, technically, a PHP issue - an interaction between two functions that do not work quite as the phpBB developers envisioned them. The code that fails makes sense... it just doesn't work.

However, the unserialize() issue should not be the problem that it is, except that PHPBB is applying it to data not under program control, i.e., you don't know where it's been. And, in my opinion, that's bad design. All of the variables being serialized into the cookie being unserialized should be stored in session variables on the server, and never given into the control of an external person. The cookie should just be the key to reference it.

Any time you put data into the hands of a user, you must assume that someone is going to mangle it in ways you can't imagine. One of the projects I was brought in on embedded SQL statements directly into the web page, and executed what it got back without so much as a mysql_escape_string() call, because they wanted to "remember" the string from request to request. It now keeps all that SQL in a session variable, and the user's input to the form can manipulate what data gets put in, but none of the control. I.e., their POST says "Sort=Reverse", and we add in "desc" on the SQL, but if they try adding any SQL to the string, it's ignored.

Granted, this isn't quite as bad as EZBoard's use of a GET variable as the URL for including code in a script without checking it...

We'll be updating our boards to 2.0.11, but there is some serious patching work that needs to be done to avoid the NEXT vulnerability.
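A sketch of the two designs espicom contrasts, written as an added example in modern PHP (not phpBB's own code): the cookie-carries-serialized-state pattern beside the session-keyed one, plus the allowlisted "Sort=Reverse" mapping. The cookie name, session key and column name are assumptions.

```php
<?php
// Added example, not phpBB code. The 'prefs' cookie/session key and the
// post_time column are assumed names for illustration.

// Weak design: serialized state travels in the cookie and is unserialized on
// return, so the client decides what bytes unserialize() is fed.
function load_prefs_from_cookie(array $cookies): array
{
    $raw = $cookies['prefs'] ?? '';
    $prefs = @unserialize($raw);
    return is_array($prefs) ? $prefs : [];
}

// Session-keyed design: the cookie only carries the session id; the state
// itself stays on the server and is never handed to the client.
function load_prefs_from_session(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['prefs'] ?? [];
}

function save_prefs_to_session(array $prefs): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['prefs'] = $prefs;
}

// The "Sort=Reverse" pattern: the request selects one of a fixed set of SQL
// fragments; nothing taken from the request is concatenated into the query.
function order_clause(string $sort_param): string
{
    $allowed = [
        'Forward' => 'ORDER BY post_time ASC',
        'Reverse' => 'ORDER BY post_time DESC',
    ];
    // Unknown values fall back to the default instead of reaching the SQL.
    return $allowed[$sort_param] ?? $allowed['Forward'];
}

// Constructed inputs: a recognised value and one carrying extra text.
$sql = 'SELECT post_id FROM posts ' . order_clause('Reverse');
$fallback = 'SELECT post_id FROM posts ' . order_clause('Reverse, post_id');
```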
future assassin
Registered User
Posts: 34
Joined: Wed Apr 09, 2003 12:45 am

Post by future assassin »

Man, that's gonna be a lot of updating tonight 8O Two modified forums and PHP, hmmm, not looking forward to this but I guess it has to be done.
blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay »

SailorDonut wrote: Okay, creating a new user took care of the password thing, so thank you! :D I have just one more problem. :(

I'm getting an error message that says:
Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in db/mysql4.php on line 330

Warning: mysql_errno(): supplied argument is not a valid MySQL-Link resource in db/mysql4.php on line 331

phpBB : Critical Error

Could not connect to the database


The lines in "mysql4.php" that it corresponds with are:
$result['message'] = mysql_error($this->db_connect_id);
$result['code'] = mysql_errno($this->db_connect_id);


I'm assuming that this might have to do with the fact that I created a new user...? Any idea on how to help?


Apparently it didn't work as well as you thought. :) The script is not connecting to the database at all. Make sure you give the new user you created the correct privileges on the database. You might need to look at the phpBB install script to find the correct ones to assign.
SailorDonut
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 4:18 am

Post by SailorDonut »

blujay wrote: Apparently it didn't work as well as you thought. :) The script is not connecting to the database at all. Make sure you give the new user you created the correct privileges on the database. You might need to look at the phpBB install script to find the correct ones to assign.


You are absolutely wonderful! Everything is back! Thank you soooooo much! *hugs* You saved my life. :D
pip
Registered User
Posts: 17
Joined: Sat Jan 05, 2002 4:18 pm

Re: where the problems are

Post by pip »

espicom wrote: Please note that the particular vulnerability being exploited in this attack is, technically, a PHP issue - an interreaction between two functions that do not work quite as the PHPBB developers envisioned them. The code that fails makes sense... it just doesn't work.


I've been reading this thread trying to find a clarification like yours, but still don't quite understand. phpBB 2.0.11 was released over a month ago. The PHP vulnerabilities, if I'm not mistaken, only came to light a few days ago. Is it just coincidence that changes in 2.0.11 meant that the PHP vulnerabilities which became known a month later could not be used to exploit phpBB (or, at least, the particular phpBB function targeted by Santy)?

The relationship between the Santy exploit, phpBB, and PHP remains very cloudy to someone reading these threads and the linked articles, and it would be nice to see an official clarification.
blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay »

Very well put, pip. However, personally, I am...oh...90% convinced that Santy (why is it called that instead of "Sanity"?) exploits the phpBB highlight vulnerability, and not any of the PHP-native vulnerabilities. I looked at the worm's Perl code from a message posted on Bugtraq, and you can see for yourself the URL it accesses.

Here are some links you might want to check out:

http://isc.sans.org/diary.php?date=2004-12-21
http://marc.theaimsgroup.com/?l=bugtraq ... 909029&w=2
http://www.f-secure.com/weblog/
http://www.kaspersky.com/news?id=156681162

I think this is the vulnerability that Santy exploits:

http://www.securiteam.com/unixfocus/6J00O15BPS.html

As a contrast, I think these PHP-native vulnerabilities are unrelated to Santy:

http://www.hardened-php.net/advisories/012004.txt

Finally, take everything on Slashdot with a grain of salt, as there are many outright falsehoods, but there are some truthful comments:

http://it.slashdot.org/article.pl?sid=04/12/21/2135235

SailorDonut, glad it worked out. :) It's a pleasure helping someone like yourself who knows enough and has enough initiative to figure things out on their own after they are pointed in the right direction. Let me know if I can help with anything else.
cubechris
Registered User
Posts: 138
Joined: Fri Aug 13, 2004 9:54 am
Location: Lincoln, UK

Post by cubechris »

I've just been hacked, everything gone, all my hard work :(

Anyway, I'm trying to install a fresh phpBB 2.0.11 forum but it keeps on saying that it can't contact the DB?
ednerd
Registered User
Posts: 2
Joined: Tue Dec 21, 2004 5:35 pm

Santy vs Sanity

Post by ednerd »

On why it's called "Santy" instead of "Sanity" - this is how antivirus companies name viruses; they steer away from the names the virus writer would like to give to the virus. That would only make the virus writers feel good.

There are tons of examples where a virus writer labeled his virus something cool and antivirus companies named it something goofy.
Peteleco
Registered User
Posts: 1
Joined: Wed Dec 22, 2004 9:46 am

Post by Peteleco »

http://news.com.com/Google+squashes+San ... ?tag=st_lh

Apparently Google has stopped the worm from spreading any further.
Gatas Parlament
Registered User
Posts: 3
Joined: Wed Dec 22, 2004 8:23 am
Location: Norway, Oslo, Kampen

Never ever sanity web worm - what to do?

Post by Gatas Parlament »

Gatas Parlament
Registered User

Joined: 22 Dec 2004
Posts: 2

http://www.phpbb.com/phpBB/viewtopic.ph ... 04#1361804

Location: Norway, Oslo, Kampen

Posted: Wed Dec 22, 2004 10:15 am

Title: http://www.bbfreedom.com/gatas_parlament/


Hello!

We have problems with the forum at

http://www.bbfreedom.com/

We got the answer: cannot connect to the host www.bbfreedom.com

We have a free account there: http://www.bbfreedom.com/gatas_parlament/

but we have been told that this was the answer before it all went dark:

" This site is defaced!!!
NeverEverNoSanity WebWorm generation 14. "

whatever it means...

a friend of ours has checked the link, and for him it is also impossible to get in.


br

Gatas Parlament

please visit our forum
at

http://www.gatasparlament.no/

go to killhim.nu

and if the forum is up... great..
if the forum is down.. as it is today.. only a white screen there..
but yesterday it was black with red letters.

ok.. thanks again for help.

br

Gatas Parlament


To our Norwegian readers.

Unfortunately the forum has been hit by a virus worm. It happened on the server the forum was hosted on.

The forum's provider, http://www.bbfreedom.com/

is also down, at least at the time this was written (22.12.04, 11:09).

Unfortunately, we just have to wait and see whether the forum comes back up again.

Best regards

Andreas

Gatas Parlament
For peace and common sense, there is a declaration for all. Human Rights.
kezlehan
Registered User
Posts: 346
Joined: Sat Jul 17, 2004 3:56 pm
Location: Leeds, UK

Post by kezlehan »

My forum was recently hacked too by a worm. They changed all the .php files into text saying "This site has been defaced".

Is there any way of restoring all files? Like posts and members and such. The other files I can just download 2.0.11 and install that, but I don't want to lose all members and posts. Can anyone help?
collectorfbody.com
Registered User
Posts: 90
Joined: Mon Feb 17, 2003 9:35 pm

Post by collectorfbody.com »

Just replace the phpBB2 folder with a backup and you will be fine. The database is ok. I would update to the new version of phpBB as well.
kezlehan
Registered User
Posts: 346
Joined: Sat Jul 17, 2004 3:56 pm
Location: Leeds, UK

Post by kezlehan »

So all I need to do is download 2.0.11 and upload it? What about all posts and stuff, will they be fine?