LinuxQuestions.org
03-27-2005, 02:45 AM   #1
Capt_Caveman
PHP/phpBB Malware/Scanning tool


With all the recent PHP and phpBB vulnerabilities over the last 6 months, it was really just a matter of time before someone released a scanning tool targeting bulletin boards. Several suspicious scans appeared in one of my webserver's logs over the last few nights that look automated (entire scan lasts about 6 seconds) and appear to be scouring for php forums. Here is an example scan:

Code:
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET /forum/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET /phpBB/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET / HTTP/1.1" 200 3852 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /forums/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /phpbb/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /board/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /boards/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /phpBB2/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /msgboard/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /foros/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /portal/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /discussion/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /nar/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /html/forum/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /html/forums/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /Forum/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /Forums/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /bb/ HTTP/1.1" 404 201 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /ugboard/ HTTP/1.1" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /ugboards/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /newboard/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /newboards/ HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB2/ HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpbb/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /portal/forum/ HTTP/1.1" 404 211 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /portal/forums/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bbs/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bulletinboard/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bulletinboards/ HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
For those running forums, especially with PHP/phpBB, it's highly recommended to make sure that you're using the most recent versions (for phpBB it's 2.0.13). Any info on the identity of this malware and what actions it takes if a bulletin board is found would be appreciated (especially if someone can get a packet dump of any exploit payloads).
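
The scan pattern in the log above (one client, many distinct missing directories, a few seconds) can be flagged from an Apache combined-format access log. The following is an added example, not part of the original post; the thresholds, the function name `find_directory_probes` and the sample lines (documentation addresses 192.0.2.10 and 198.51.100.7) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format. \S* lets the path be empty, as in the
# malformed final request of the scan ("GET  HTTP/1.1" -> 400).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S*) HTTP/[\d.]+" (?P<status>\d{3}) ')

def find_directory_probes(lines, min_paths=10, window=timedelta(seconds=10)):
    """Map each flagged client IP to all of its distinct 404 paths. A client is
    flagged when it requested at least min_paths different missing paths
    within one window (both thresholds are assumed values)."""
    misses = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "404":   # 200/400 responses are not counted
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            misses[m["ip"]].append((ts, m["path"]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):     # sliding window over time-ordered misses
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_paths:
                flagged[ip] = sorted({p for _, p in hits})
                break
    return flagged

def _line(ip, sec, path, status):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [24/Mar/2005:19:51:{sec:02d} -0500] "GET {path} HTTP/1.1" '
            f'{status} 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"')

PROBED = ["/forum/", "/phpBB/", "/forums/", "/phpbb/", "/board/", "/boards/",
          "/phpBB2/", "/msgboard/", "/foros/", "/portal/", "/discussion/", "/bbs/"]
SAMPLE = [_line("192.0.2.10", 33 + i // 4, p, 404) for i, p in enumerate(PROBED)]
SAMPLE += [_line("198.51.100.7", 40, "/", 200),
           _line("198.51.100.7", 41, "/favicon.ico", 404),
           '192.0.2.10 - - [24/Mar/2005:19:51:39 -0500] "GET  HTTP/1.1" 400 226 "-" "-"']

if __name__ == "__main__":
    for ip, paths in find_directory_probes(SAMPLE).items():
        print(ip, len(paths), "distinct missing paths:", " ".join(paths))
```

Counting distinct paths rather than raw 404s keeps a visitor who repeatedly hits one broken link from being flagged.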
 
03-27-2005, 12:28 PM   #2
TruckStuff
Re: PHP/phpBB Malware/Scanning tool

Quote:
Originally posted by Capt_Caveman
For those running forums, especially with PHP/phpBB, it's highly recommended to make sure that you're using the most recent versions (for phpBB it's 2.0.13).
Or switch to a better forum package.
 
  

