An internet worm exploits the phpBB highlight vulnerability

Back in November I became aware of a security vulnerability in the phpBB forum software that I use to run the Lux forums. The bug is in how viewtopic.php handles its highlight parameter: a crafted value would allow nasty users to run commands on the server hosting phpBB and from there accomplish a wide range of undesirable stuff. There was a new version of phpBB available that fixed this issue, so I patched up my boards and remained unhacked.

Today I noticed an activity spike in the Lux forums and went to check it out. It turns out that there's a new internet worm, just out, that exploits the phpBB vulnerability to infect web servers, deface them and then continue to spread itself. Since I had the new and improved version of phpBB I am unaffected by these attacks. However, I can still watch what they are trying to do.

One instance of the worm (there seem to be a few different ones out there) doesn't encode all of its commands, so it was easy to take a peek. It was trying to download a Perl script onto the vulnerable web server and then run it. Seeing this command led me to a copy of the Perl script itself. Since Perl is an interpreted language, this is the same as getting a copy of the worm's source code, so anyone who reads Perl (I know enough to get by) can tell what the worm does.

Basically, it searches both Google and Yahoo for the string "inurl:viewtopic.php?t=#", where # is a random digit. This is a search for sites running phpBB, since viewtopic.php is the vulnerable phpBB page. Then it loops through all the pages it finds and tries to compromise each one with a request crafted to take advantage of the phpBB exploit.

So all in all, this copy of the worm that I found isn't that bad. It doesn't seem to delete any files or steal passwords. However, anybody could take this source and modify it to add something like that; the work to self-propagate it has already been done. And there are for sure variations of it out there doing such things.
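If you want to spot the same activity spike in your own logs, the thing to look for is requests to viewpoint.php's vulnerable page, viewtopic.php, whose highlight parameter stops looking like a search term. The scanner below is an added example written for this page, not the author's code and not the worm's: it walks Apache combined-format access-log lines, undoes every layer of URL encoding on the highlight parameter (the bug was reachable through double-encoded values), and flags any value containing quote characters or PHP function calls. The log lines are constructed samples, not captures from the Lux forums, and the payload strings in them are illustrative of the injection shape rather than the worm's actual request.

```python
"""Flag phpBB highlight-parameter injection attempts in Apache access-log lines."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (not captured from any real server).
# Line 1 is a normal search highlight; lines 2 and 3 carry injected PHP.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2004:10:01:12 -0800] "GET /forums/viewtopic.php?t=4&highlight=lux HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
10.0.0.9 - - [21/Dec/2004:10:01:30 -0800] "GET /forums/viewtopic.php?t=7&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108))%252E%2527 HTTP/1.0" 200 8123 "-" "-"
10.0.0.9 - - [21/Dec/2004:10:01:31 -0800] "GET /forums/viewtopic.php?t=1&highlight=%2527%252epassthru(%2522wget%2522)%252e%2527 HTTP/1.0" 200 8123 "-" "-"
10.0.0.12 - - [21/Dec/2004:10:02:00 -0800] "GET /forums/index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to get client IP, timestamp and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A real highlight value is a word or two to mark in the post; quotes and
# PHP calls only show up when someone is injecting code through it.
SUSPICIOUS = re.compile(
    r"""['"]|\b(system|passthru|exec|shell_exec|eval|fwrite|fopen)\s*\(|chr\(""",
    re.IGNORECASE,
)


def decode_highlight(target):
    """Return the fully URL-decoded highlight parameter of a viewtopic.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/viewtopic.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "highlight" not in qs:
        return None
    value = qs["highlight"][0]  # parse_qs has already removed one encoding layer
    # Keep decoding until the value stops changing: %2527 -> %27 -> '
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def is_suspicious(target):
    """True when the request carries a highlight value that looks like injected code."""
    highlight = decode_highlight(target)
    return highlight is not None and SUSPICIOUS.search(highlight) is not None


def scan(log_text):
    """Return (client_ip, timestamp, decoded_highlight) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_suspicious(m["target"]):
            hits.append((m["ip"], m["ts"], decode_highlight(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, ts, highlight in scan(SAMPLE_LOG):
        print(f"{ts} {ip} highlight={highlight!r}")
```

Run it against your real access log by swapping `SAMPLE_LOG` for the file contents; the decoding loop is the important part, because a single `unquote` would leave `%27` in place and the quote test would miss it.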
The phpBB forums are full of users who have been hacked and had their boards deleted or backdoor programs installed. Thank the lord that I patched myself up in time. phpBB now has a mailing list that gets notified if any further exploits are found; I highly suggest that anyone running a phpBB board sign up. Furthermore, if you are running any other major software package, go and look to see if it has a mailing list and sign up to get notified of updates. Packages like WordPress, Movable Type and other such things could just as easily have the same type of exploit discovered in them. The only real solution to such things is to get notified as quickly as possible and patch any insecure systems before the resulting worm comes to hit you.
Written by dustin