#90182
12/21/2004 8:22 PM
Joined: Dec 2004
Posts: 2
Junior Member
We've had 6.7.2 breached by this worm:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1036174,00.html
The only crucial file it got was ultimatebb.php, but that's enough to bring down most of the board....
Any suggestions?
#90183
12/21/2004 8:27 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
UBB.classic is not a vector for this worm - it only infects phpBB boards.
The worm, once attached to the board, proceeds to scour the server for writable files with certain extensions, which then proceed to get overwritten with the worm's message.
Your server has a phpBB running on it somewhere that was infected, and proceeded to jump boundaries into your account (and surely everyone else's on that server) and do its work.
Again, there is no way for UBB.classic (or UBB.threads) to be a vector for this worm.
UBB.classic: Love it or hate it, it was mine.
#90184
12/21/2004 8:40 PM
Joined: Dec 2004
Posts: 2
Junior Member
Thanks for the quick reply Charles...
Just to confirm - you're saying that the host would have to have had another customer running phpBB on the same box in order for this to happen?
Is there anything I can do to stop this on my end? Permissions? Turning off the php accelerator? Or is it just up to the hosting co. to enforce the boundaries between accounts?
#90185
12/21/2004 8:47 PM
Joined: Nov 2001
Posts: 745
Admin Emeritus
You should contact your host regarding this. I, personally, would be leery of this happening on my host.
1 - phpBB 2.1.11 fixed the vulnerability
2 - Your host should upgrade to 4.3.10 to fix security issues.
#90186
12/21/2004 8:54 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
3 - Your host should be running in safe_mode with an open_basedir restriction
4 - Your host should be running suexec or another CGI wrapper...
UBB.classic: Love it or hate it, it was mine.
#90187
12/22/2004 12:16 PM
Joined: May 2000
Posts: 1,356
Addict
Wow! A lot of sites affected by this thing. MSN search returns 30k results:
http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWorm+Generation%22&FORM=QBRE
(found this link in bugtraq)
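Added example, not part of any post in this thread and not UBB or phpBB code: a Python audit for the behaviour described above (writable files with certain extensions being overwritten), using the marker string from the search link. The extension list and the function name `audit_docroot` are assumptions; the thread does not say which extensions were targeted.

```python
import os
import stat
import sys

# Marker string taken from the search query linked in the thread.
MARKER = b"NeverEverNoSanity WebWorm Generation"
# Assumed list: the thread only says "certain extensions".
WEB_EXTENSIONS = {".php", ".phtml", ".htm", ".html", ".shtml", ".asp", ".jsp"}
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_docroot(root, extensions=WEB_EXTENSIONS, marker=MARKER):
    """Return (overwritten, exposed) lists of paths relative to root.

    overwritten: files that already contain the defacement marker.
    exposed: files another account could modify, either through the file's
    own group/other write bits or through a non-sticky directory that
    group/other can write (which allows replacing the file).
    """
    overwritten, exposed = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        dmode = os.lstat(dirpath).st_mode
        dir_open = bool(dmode & OTHERS_WRITE) and not dmode & stat.S_ISVTX
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks and special files
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    if marker in fh.read():
                        overwritten.append(rel)
            except OSError:
                pass  # unreadable: still report its permissions below
            if dir_open or st.st_mode & OTHERS_WRITE:
                exposed.append(rel)
    return overwritten, exposed


if __name__ == "__main__":
    hit, weak = audit_docroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel in hit:
        print("OVERWRITTEN", rel)
    for rel in weak:
        print("WRITABLE-BY-OTHERS", rel)
```

Files owned by the web server's own user are writable by it regardless of these bits and are not flagged here, so an empty report does not replace the per-account separation the host has to provide.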
#90188
12/22/2004 11:11 PM
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
Looks like with the public release of the worm code there'll be more variants coming if your host doesn't fix the server: http://www.eweek.com/article2/0,1759,1744978,00.asp
#90189
12/22/2004 11:33 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
There is nothing server-side that can fix this.
It is a phpBB issue, not a PHP issue.
The PHP security problems are not related to this.
UBB.classic: Love it or hate it, it was mine.
#90190
12/23/2004 1:13 AM
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
um, that's what I meant
#90191
12/23/2004 5:12 PM
Joined: May 2000
Posts: 1,356
Addict
Some people are now distributing the source code of this. It is stopped now, but we may see a variation soon, since Google's blocking is limited (if I understand that correctly). I must say that this was a *bad action*, but clever code.
#90192
02/08/2005 10:56 PM
Joined: Mar 2000
Posts: 21,079 Likes: 3
I type Like navaho
Looks like phpbb is still having issues with the hackers for some reason:
quote:
Last updated: 8th February 2005, 02:08 GMT
At present [censored] is offline due to a group of politically motivated hackers wishing to use an opensource project to push their agenda ... shame on them. We have some possible further details of the events which led to the loss of [censored]. Though I have not spoken with them myself I have learnt through an intermediary the group that appears to have attacked phpbb.com did indeed use a vulnerability in awstats to gain entry to our server (note the singular use of server there, we don't own a server cluster, just a server).

Somebody don't like somebody bad...
#90193
02/09/2005 8:11 AM
Joined: Jan 2000
Posts: 5,833 Likes: 20
UBBDev / UBBWiki Owner Time Lord
On pnphpbb.com there was a bug in Awstats 6.2 and below with the "AllowUpdateFromBrowser" function; easiest fix is to turn it off or upgrade to 6.3... I spent the last night upgrading my personal sites though... But I can't for the life of me figure why people would want the "allow updates from browser" options turned on as any user going to the stats page can generate a new stats log as soon as they click the button ... can we say resource waste?