1 (edited by lament 2004-12-21 19:23)

Topic: punBB, defaced sites and Chacmool's converter

Hello,

I've been putting off switching over to punBB until the new year, and yesterday all of my sites were hacked into/defaced because of the phpBB/PHP exploit, so I'm going to start fresh.

Does Chacmool's converter need the phpBB files to be on my site (which have been written over by the worm that hacked my sites), or can I just set up punBB as new, create a converter folder and run it?

Or do I need to go through the hassle of reinstalling phpBB?

All of my phpBB data is safe on the MySQL server. It was just all the .php files in the phpBB folder that were screwed.

Any help would be appreciated.

God is punishing me for using phpBB, I know. smile

Edit: also, while I'm here, punBB doesn't have a PM system by default, right? It's a plugin?

And what are some of the more popular plugins for features that something like phpBB already has installed?

Thanks!

2

Re: punBB, defaced sites and Chacmool's converter

lament, what did they do?

How do you know they used the latest exploit?

3 (edited by lament 2004-12-21 19:41)

Re: punBB, defaced sites and Chacmool's converter

Here's one of my sites (it's actually my friend's site but he's obviously too lazy to correct it right now) smile

Here's a phpBB thread on the phpBB site discussing the highlight issue.

It's pretty well known that it's a PHP/phpBB exploit.

Here's the official word from phpBB.

Re: punBB, defaced sites and Chacmool's converter

lament: One way to be sure is to check your server access logs for viewtopic.php entries with highlight=%2527 in them. Those will be the ones where it got exploited.
And looking at the screenshot, all you need is the database stuff somewhere you can access it.
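
A way to do the log check Smartys describes, as an added example that is not part of the thread or of punBB/phpBB: a small POSIX shell script that pulls the viewtopic.php requests carrying highlight=%2527 out of an Apache combined-format access log and summarises them by source address with first-seen time and count. The log lines, addresses and timestamps are constructed for the example; on a real box point santy_hits at your own access_log (and at the rotated copies through zcat).

```shell
#!/bin/sh
# Added example, not from Smartys' post: find the viewtopic.php requests that
# carry the double-encoded quote (highlight=%2527) in an Apache combined-format
# access log and summarise them per source address.
# The log below is constructed for this example: addresses, times and paths
# are made up and the query strings are cut down to the exploit signature.

LOG=$(mktemp)                      # assumes a writable temp directory
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
10.0.0.5 - - [21/Dec/2004:18:01:12 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Dec/2004:18:02:44 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=%2527 HTTP/1.0" 200 9210 "-" "lwp-trivial/1.35"
10.0.0.9 - - [21/Dec/2004:18:02:45 +0000] "GET /phpBB2/viewtopic.php?t=43&highlight=%2527 HTTP/1.0" 200 9210 "-" "lwp-trivial/1.35"
10.0.0.7 - - [21/Dec/2004:18:05:01 +0000] "GET /phpBB2/viewtopic.php?t=7&highlight=rush HTTP/1.1" 200 7000 "-" "Mozilla/4.0"
10.0.0.23 - - [21/Dec/2004:18:06:10 +0000] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.0" 200 9300 "-" "LWP::Simple/5.803"
10.0.0.11 - - [21/Dec/2004:18:07:30 +0000] "GET /index.php?highlight=%2527 HTTP/1.1" 404 300 "-" "Mozilla/4.0"
EOF

# Every viewtopic.php request whose query string carries the signature.
# Apache logs the request target as the client sent it, so the %2527 sequence
# appears literally and a fixed-string grep is enough; a hit against another
# script (index.php above) is not counted because it cannot reach the bug.
santy_hits() {
    grep -F 'viewtopic.php' "$1" | grep -F 'highlight=%2527'
}

# One line per source address: count, address, first time seen.
# Field 4 of a combined-format line is "[dd/Mon/yyyy:hh:mm:ss"; strip the "[".
santy_sources() {
    santy_hits "$1" | awk '
        { n[$1]++; if (!($1 in first)) first[$1] = substr($4, 2) }
        END { for (ip in n) printf "%d %s first-seen %s\n", n[ip], ip, first[ip] }' |
    sort -rn
}

# Total number of exploit attempts in the log.
santy_hit_count() {
    santy_hits "$1" | wc -l | tr -d ' '
}

echo "exploit attempts logged: $(santy_hit_count "$LOG")"
santy_sources "$LOG"
```

A 200 status on a matching line means viewtopic.php served the request, not that the injected code necessarily ran; the defacement is the proof of that. Parameters sent in a POST body are not in the access log at all, so an empty result is not an all-clear, only evidence that the GET-based worm traffic is absent.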

Re: punBB, defaced sites and Chacmool's converter

per Netcraft

http://news.netcraft.com/archives/2004/ … words.html

Re: punBB, defaced sites and Chacmool's converter

Smartys wrote:

lament: One way to be sure is to check your server access logs for viewtopic.php entries with highlight=%2527 in them. Those will be the ones where it got exploited.
And looking at the screenshot, all you need is the database stuff somewhere you can access it.

screenshot?

Re: punBB, defaced sites and Chacmool's converter

Screenshot (taken from the sticky thread here)

Re: punBB, defaced sites and Chacmool's converter

Nice, thanks!

Re: punBB, defaced sites and Chacmool's converter

Santy Worm Spreads Through phpBB Forums

Thousands of servers hosting phpBB forums have been defaced today by a worm that exploits a security hole in the popular bulletin board program.

The Santy worm is written in Perl, and exploits a flaw in a file called viewtopic.php that allows an SQL injection exploit, in which SQL database commands typed into a web form can be executed. The worm defaces the web site with the phrase "This site is defaced!!! NeverEver NoSanity" and then seeks out other phpBB sites to attack, apparently using Google to locate the target viewtopic.php files. A Google search for the file currently returns more than 4 million results, while an MSN search lists more than 37,000 appearances of the defacement. Internet security firms are issuing public requests for Google to block these searches to limit the spread of the worm.

The viewtopic.php security hole in phpBB is fixed in version 2.0.11, which has been available for more than a month. The security hole is different from a phpBB exploit published earlier this week that targets a flaw in the PHP scripting language.

PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bundled with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 156,000 registered members of its user forum.


Source...

10

Re: punBB, defaced sites and Chacmool's converter

Yup I also read that.

And I got my forum converted over with ease.  thanks for everyone's help!

11 (edited by bashscripts 2004-12-29 21:30)

Re: punBB, defaced sites and Chacmool's converter

For those running Apache, using mod_rewrite to send the offending worms to a very small 403 error page is fairly simple. This assumes you have access to the Apache config files. The added benefit of doing that is you can keep it from filling up your log file with garbage as well. Unless you just WANT to keep track of the worm hits... (I don't), I prefer to send them to my 403 page.

# Needs mod_rewrite loaded. Inside <Directory> the rules only run when
# Options FollowSymLinks (or SymLinksIfOwnerMatch) is in effect; without it
# Apache refuses the request with a 403 of its own and logs an error.
<Directory /var/www/html/>
RewriteEngine on
RewriteBase /
# RewriteCond patterns are unanchored substring matches, so the (.*) wrappers
# are not needed. %{REQUEST_URI} is the path only and %{QUERY_STRING} is not
# URL-decoded, so %25xx sequences are seen exactly as the client sent them.
# IIS/Windows probes left over from Nimda, Code Red and similar scanners
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /winnt/system32/ [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /winnt/system/ [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /windows/system32/ [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /windows/system/ [NC,OR]
# ($|\?) means the file name ends the path or is followed by the query string.
# The original wrote this as [$|\?(.*)], which is a character class and only
# matches one of the literal characters $ | ? ( . * ) after the name.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /cmd\.exe($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /scripts/root\.exe($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /msadc/root\.exe($|\?) [NC,OR]
# a backslash followed by "..", i.e. Windows-style directory traversal
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} \\\.\. [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /admin\.dll($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /msadcs\.dll($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /ext\.dll($|\?) [NC,OR]
# any path component starting with a dot (.htaccess, .svn, ../ traversal)
RewriteCond %{REQUEST_URI} /\. [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} /php\.exe($|\?) [NC,OR]
# raw HTML/shell metacharacters in the request line
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} \< [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} \> [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} \| [OR]
# phpBB viewtopic.php highlight exploit: %252 catches the double-encoded quote
# (%2527) and the double-encoded dot (%252e) used to glue PHP calls such as
# chr() onto the injected string; rush= is the parameter the Santy worm's
# requests carry their payload in.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} %252 [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} %252echr [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} rush=% [OR]
# oversized requests and control or high-bit bytes. Note that a 127-character
# query string is easily reached by a legitimate search form.
RewriteCond %{REQUEST_URI} .{255,} [OR]
RewriteCond %{QUERY_STRING} .{127,} [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f\xff]+ [OR]
# User agents of known scanners and address harvesters. ^Wget, ^Link and
# ^ia_archiver also stop legitimate tools (wget, link checkers, the Internet
# Archive crawler); trim the list to what you actually want refused.
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector
# All conditions above are OR'ed together; the last one carries no [OR], which
# ends the chain. Anything that matched is answered with 403 and not rewritten.
RewriteRule ^.* - [F]
</Directory>

The part that blocks the hack attempts on phpBB viewtopic is:

RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)%252(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)%252echr(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)rush=%(.*) [OR]

If you use
RewriteRule ^.* - [F,E=nolog:1]
# the nolog variable only has an effect where the access log is told to
# honour it, in the server or virtual host config:
CustomLog logs/access_log combined env=!nolog

Then you don't even LOG the hits, which saves on disk space if you're getting hit hard. It saves on Apache's processing time as well. For REALLY hard-hit sites, you might want to look into mod_security for Apache.
HTH

USA Linux Users Group
http://www.usalug.org

Bashscripts Scripts for the Bourne Again SHell
http://www.bashscripts.org
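
To see what the rule set above would do to real traffic before enabling it, here is an added example that is not part of bashscripts' post and not an Apache feature: it replays the same conditions offline against an access log with awk. mod_rewrite tests the request target (path?query) and the User-Agent header, and a combined-format log records both, so the checks can be re-run on yesterday's log. The log lines are constructed; the control-byte and high-bit byte tests are left out because POSIX awk cannot express them, and the user-agent list is cut down to four entries, including the two Perl LWP agents that show up in this thread, so treat the output as an approximation of what the 403 rule would fire on.

```shell
#!/bin/sh
# Added example, not from bashscripts' post: dry-run the RewriteCond chain
# against an Apache combined-format access log and report, per request,
# whether it would have been refused and by which rule. Assumes common or
# combined log format, where field 7 is the request target of "GET target".
# The log lines are constructed for this example.

XS=$(i=0; while [ "$i" -lt 130 ]; do printf x; i=$((i+1)); done)
LONG_QUERY="search_keywords=$XS"       # 146 chars: a legitimate but long search
LOG=$(mktemp)                          # assumes a writable temp directory
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<EOF
10.0.0.5 - - [21/Dec/2004:18:01:12 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Dec/2004:18:02:44 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=%2527 HTTP/1.0" 200 9210 "-" "lwp-trivial/1.35"
10.0.0.7 - - [21/Dec/2004:18:03:30 +0000] "GET /phpBB2/search.php?$LONG_QUERY HTTP/1.1" 200 5000 "-" "Mozilla/4.0"
10.0.0.8 - - [21/Dec/2004:18:04:02 +0000] "GET /forum/.htpasswd HTTP/1.1" 403 200 "-" "Mozilla/4.0"
10.0.0.12 - - [21/Dec/2004:18:04:40 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300 "-" "Mozilla/4.0"
10.0.0.13 - - [21/Dec/2004:18:05:15 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2000 "-" "LWP::Simple/5.803"
10.0.0.14 - - [21/Dec/2004:18:06:00 +0000] "GET /phpBB2/posting.php?mode=reply&t=3 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
EOF

# Classify each request the way the OR'ed RewriteCond chain would. In Apache
# any one match is enough; the reason printed here is just the first rule
# that fires, in the order the rules appear in the config. tolower() stands
# in for the [NC] flag on the path rules.
rewrite_dry_run() {
    awk '
    {
        target = $7
        q = index(target, "?")
        path  = q ? substr(target, 1, q - 1) : target    # %{REQUEST_URI}
        query = q ? substr(target, q + 1)    : ""        # %{QUERY_STRING}
        lp = tolower(path); lt = tolower(target)
        ua = ""                                          # last quoted field
        if (match($0, /"[^"]*"$/)) ua = substr($0, RSTART + 1, RLENGTH - 2)

        reason = ""
        if (lp ~ /\/(winnt|windows)\/system(32)?\//)             reason = "win-path"
        else if (lp ~ /\/(cmd|php)\.exe$/)                       reason = "exe"
        else if (lp ~ /\/(scripts|msadc)\/root\.exe$/)           reason = "exe"
        else if (lp ~ /\/(admin|msadcs|ext)\.dll$/)              reason = "dll"
        else if (lt ~ /\\\.\./)                                  reason = "backslash-dotdot"
        else if (path ~ /\/\./)                                  reason = "dot-path"
        else if (target ~ /[<>|]/)                               reason = "metachar"
        else if (target ~ /%252|rush=%/)                         reason = "phpbb-exploit"
        else if (length(path) >= 255)                            reason = "uri-length"
        else if (length(query) >= 127)                           reason = "query-length"
        else if (ua ~ /^(lwp-trivial|LWP::Simple|Wget|EmailCollector)/) reason = "user-agent"

        if (reason != "") printf "BLOCK %-16s %s %s\n", reason, $1, target
        else              printf "PASS  %-16s %s %s\n", "-", $1, target
    }' "$1"
}

blocked_count() { rewrite_dry_run "$1" | grep -c '^BLOCK'; }
passed_count()  { rewrite_dry_run "$1" | grep -c '^PASS'; }

rewrite_dry_run "$LOG"
```

Run it against a real log and tally by reason (rewrite_dry_run access_log | grep '^BLOCK' | awk '{print $2}' | sort | uniq -c) before switching the rules on. The constructed search.php line shows the rule most likely to hurt real users: the 127-character query-string limit refuses an ordinary long search, and the metachar rule will do the same for any form that sends a raw | or < in its parameters.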

12

Re: punBB, defaced sites and Chacmool's converter

In order to combat the latest perl worm you need to add these two lines:

# put these above the last RewriteCond in the chain (the one without [OR])
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial [OR]
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple [OR]

I got hit over the weekend; my bandwidth got sucked up by it.

Re: punBB, defaced sites and Chacmool's converter

THANKS smile

USA Linux Users Group
http://www.usalug.org

Bashscripts Scripts for the Bourne Again SHell
http://www.bashscripts.org