Old 03-27-2005, 02:45 AM   #1
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
PHP/phpBB Malware/Scanning tool


With all the recent PHP and phpBB vulnerabilities over the last 6 months, it was really just a matter of time before someone released a scanning tool targeting bulletin boards. Several suspicious scans appeared in one of my webserver's logs over the last few nights that look automated (entire scan lasts about 6 seconds) and appear to be scouring for PHP forums. Here is an example scan:

Code:
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET /forum/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET /phpBB/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:33 -0500] "GET / HTTP/1.1" 200 3852 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /forums/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /phpbb/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /board/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /boards/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:34 -0500] "GET /phpBB2/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /msgboard/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /foros/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /portal/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:35 -0500] "GET /discussion/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /nar/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /html/forum/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /html/forums/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /Forum/ HTTP/1.1" 404 204 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:36 -0500] "GET /Forums/ HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /bb/ HTTP/1.1" 404 201 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /ugboard/ HTTP/1.1" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /ugboards/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /newboard/ HTTP/1.1" 404 207 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:37 -0500] "GET /newboards/ HTTP/1.1" 404 208 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpBB2/ HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /members/phpbb/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /portal/forum/ HTTP/1.1" 404 211 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:38 -0500] "GET /portal/forums/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bbs/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bulletinboard/ HTTP/1.1" 404 212 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET /bulletinboards/ HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.0.3705)"
X.X.X.X - - [24/Mar/2005:19:51:39 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
For those running forums, especially with PHP/phpBB, it's highly recommended to make sure that you're using the most recent versions (for phpBB it's 2.0.13). Any info on the identity of this malware and what actions it takes if a bulletin board is found would be appreciated (especially if someone can get a packet dump of any exploit payloads).
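
Added example (editor's addition, not part of the original thread or any poster's code): a small detector for the pattern in the log above, where one client requests many distinct missing paths within seconds. The thresholds (10 distinct paths in 10 seconds), the function names, and the sample lines with documentation-range IPs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format. The path group may be empty, as in the scan's
# final malformed request ("GET  HTTP/1.1" answered with 400).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S*) ?[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_probe_bursts(lines, min_paths=10, window=timedelta(seconds=10)):
    """Return {ip: sorted distinct paths} for each client whose 4xx requests
    reach min_paths distinct paths inside one sliding window. The paths
    listed are those in the first window that crossed the threshold."""
    misses = defaultdict(list)                 # ip -> [(timestamp, path)]
    for line in lines:
        rec = parse(line)
        if rec and 400 <= rec[3] < 500:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                     # drop events older than the window
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged

# Constructed sample input: probe paths are taken from the log above,
# addresses are documentation ranges, the second client is ordinary traffic.
def _line(ip, sec, path, status):
    return (f'{ip} - - [24/Mar/2005:19:51:{sec:02d} -0500] '
            f'"GET {path} HTTP/1.1" {status} 204 "-" "constructed-agent"')

PROBES = ["/forum/", "/phpBB/", "/forums/", "/phpbb/", "/board/", "/boards/",
          "/phpBB2/", "/msgboard/", "/foros/", "/portal/", "/discussion/", "/bbs/"]
SAMPLE = [_line("192.0.2.10", 33 + i // 4, p, 404) for i, p in enumerate(PROBES)]
SAMPLE += [_line("192.0.2.10", 36, "", 400), _line("198.51.100.7", 10, "/", 200),
           _line("198.51.100.7", 12, "/favicon.ico", 404),
           _line("198.51.100.7", 40, "/old-page.html", 404)]
```

Counting distinct paths rather than raw 404s keeps a client that repeatedly requests one missing file (a favicon, a stale bookmark) from being flagged.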
 
Old 03-27-2005, 12:28 PM   #2
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Re: PHP/phpBB Malware/Scanning tool

Quote:
Originally posted by Capt_Caveman
For those running forums, especially with PHP/phpBB, it's highly recommended to make sure that you're using the most recent versions (for phpBB it's 2.0.13).
Or switch to a better forum package.
 
  

