UBB.Dev
Posted By: brushiefish Net.Worm.Perl.Santy-A - 12/22/2004 3:22 AM
We've had 6.7.2 breached by this worm:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1036174,00.html

The only crucial file it got was ultimatebb.php, but that's enough to bring down most of the board....

Any suggestions?
Posted By: Charles Capps Re: Net.Worm.Perl.Santy-A - 12/22/2004 3:27 AM
UBB.classic is not a vector for this worm - it only infects phpBB boards.

The worm, once attached to the board, proceeds to scour the server for writable files with certain extensions, which then proceed to get overwritten with the worm's message.

Your server has a phpBB running on it somewhere that was infected, and proceeded to jump boundaries into your account (and surely everyone else's on that server) and do its work.

Again, there is no way for UBB.classic (or UBB.threads) to be a vector for this worm.
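
An added example, not part of the thread or any poster's code: a POSIX shell audit that lists web files and directories under a document root that accounts other than the owner can overwrite, which is the exposure described in the post above. The extension list and the function names are assumptions; the thread only says "certain extensions".

```shell
#!/bin/sh
# Added example: list web content that another account on a shared host
# could overwrite through loose permission bits.
# EXTS is an assumed extension list; the thread only says "certain extensions".
EXTS="${EXTS:-php htm html shtml asp jsp}"

# Print files under $1 with an audited extension that are group- or world-writable.
audit_writable_files() {
    root=$1
    set --                      # reuse "$@" to build the -name expression
    for ext in $EXTS; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -name "*.$ext"
    done
    find "$root" -type f \( "$@" \) \( -perm -0002 -o -perm -0020 \) -print
}

# Print world-writable directories without the sticky bit: anyone can delete
# and recreate files inside them, whatever the files' own modes are.
audit_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Stand-alone use: sh audit.sh /path/to/docroot
if [ $# -gt 0 ] && [ -d "$1" ]; then
    echo "Writable files:";       audit_writable_files "$1"
    echo "Writable directories:"; audit_writable_dirs "$1"
fi
```

Permission bits do not show the case where every account's scripts run as the same web-server user; in that setup files the server user owns are writable from any account regardless of mode.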
Posted By: brushiefish Re: Net.Worm.Perl.Santy-A - 12/22/2004 3:40 AM
Thanks for the quick reply Charles...

Just to confirm - you're saying that the host would have to have had another customer running phpBB on the same box in order for this to happen?

Is there anything I can do to stop this on my end? Permissions? Turning off the php accelerator? Or is it just up to the hosting co. to enforce the boundaries between accounts?
Posted By: Ron M Re: Net.Worm.Perl.Santy-A - 12/22/2004 3:47 AM
You should contact your host regarding this. I, personally, would be leery of this happening on my host.

1 - phpBB 2.1.11 fixed the vulnerability
2 - Your host should upgrade to 4.3.10 to fix security issues.
Posted By: Charles Capps Re: Net.Worm.Perl.Santy-A - 12/22/2004 3:54 AM
3 - Your host should be running in safe_mode with an open_basedir restriction

4 - Your host should be running suexec or another CGI wrapper...
Posted By: Burak Re: Net.Worm.Perl.Santy-A - 12/22/2004 7:16 PM
Wow! A lot of sites affected by this thing. MSN search returns 30k results:

http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWorm+Generation%22&FORM=QBRE

(found this link in bugtraq)
Posted By: AllenAyres Re: Net.Worm.Perl.Santy-A - 12/23/2004 6:11 AM
Looks like with the public release of the worm code there'll be more variants coming if your host doesn't fix the server:

http://www.eweek.com/article2/0,1759,1744978,00.asp

eek
Posted By: Charles Capps Re: Net.Worm.Perl.Santy-A - 12/23/2004 6:33 AM
There is nothing server-side that can fix this.

It is a phpBB issue, not a PHP issue.

The PHP security problems are not related to this.
Posted By: AllenAyres Re: Net.Worm.Perl.Santy-A - 12/23/2004 8:13 AM
um, that's what I meant wink
Posted By: Burak Re: Net.Worm.Perl.Santy-A - 12/24/2004 12:12 AM
Some people are now distributing the source code of this. It is stopped now, but we may see a variation soon, since Google's blocking is limited (if I understand that correctly).

I must say that this was a *bad action*, but clever code smile
Posted By: AllenAyres Re: Net.Worm.Perl.Santy-A - 02/09/2005 5:56 AM
Looks like phpbb is still having issues with the hackers for some reason:

Quote:

Last updated: 8th February 2005, 02:08 GMT

At present [censored] is offline due to a group of politically motivated hackers wishing to use an opensource project to push their agenda ... shame on them.

We have some possible further details of the events which led to the loss of [censored]. Though I have not spoken with them myself I have learnt through an intermediary the group that appears to have attacked phpbb.com did indeed use a vulnerability in awstats to gain entry to our server (note the singular use of server there, we don't own a server cluster, just a server).
Somebody don't like somebody bad...
Posted By: Gizmo Re: Net.Worm.Perl.Santy-A - 02/09/2005 3:11 PM
On pnphpbb.com there was a bug in Awstats 6.2 and below with the "AllowUpdateFromBrowser" function; easiest fix is to turn it off or upgrade to 6.3...

I spent the last night upgrading my personal sites though... But I can't for the life of me figure why people would want the "allow updates from browser" options turned on as any user going to the stats page can generate a new stats log as soon as they click the button smirk... can we say resource waste?