phpBB vulnerability exploited
Hello debian-isp,
maybe a little off-topic, but I want to remind you of this phpBB
vulnerability, which is fixed in version 2.0.11 (announced on 18th
November) which "addresses a potentially serious exploit".
I am writing this because it's not potential, but real. 2 weeks
ago, someone got into my server and ran a program which gave shell
access on port 2000 (check your machines). Fortunately it had only
apache user privileges, but the person tried to run various exploits.
So I was sure the only option to get to my server was php. When I
was sure no damage could be done, I left everything and set up 2
traps - one was periodic running of netstat | grep ":2000" and the
other was creating world-writable /.bash_history :)
Today I was lucky, I have the IP address, probably of the attacker (some
GSM provider in Romania), and the IP of another "hacked" server.
Searching for that IP in apache logs gave me this:
213.xxx.xxx.xxx - - [11/Dec/2004:04:01:59 +0100] "GET /forum/viewtopic.php?t=%38&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70...... HTTP/1.1" 200 27712 "-" "-"
I don't want to give hints on how to exploit this, but the attacker
did wget the .tgz file, unpacked it in /tmp and ran the program.
So update all your phpBB installations ASAP (and of course all
installations of your customers).
--
bYE, Marki
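
A log check along the lines of the Apache log search described in the message, as an added example that is not part of the original post: it decodes the query string of requests to viewtopic.php and flags shell-like parameter values or heavy percent-escaping of plain letters and digits. The sample log lines are constructed (documentation IP addresses; the first reuses only the visible part of the request quoted above), and the function names, keyword list and threshold are assumptions to tune per site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined/common log format: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
# Heuristic for shell-like text in a decoded parameter value (assumed list).
SHELL_RE = re.compile(r"[;|`]|\$\(|(?:^|\s)(?:echo|cd|wget|curl|tar|chmod)\s|/tmp\b")

def overencoded(raw_query):
    """Count %XX escapes of ASCII letters/digits, which normal clients send unescaped."""
    codes = (int(h, 16) for h in PCT_RE.findall(raw_query))
    return sum(1 for c in codes if c < 128 and chr(c).isalnum())

def scan_line(line, script="viewtopic.php", min_overencoded=4):
    """Return a finding dict for a suspicious request to `script`, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, _method, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith("/" + script):
        return None
    # parse_qsl percent-decodes each value before the keyword check.
    shell = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if SHELL_RE.search(v)]
    n = overencoded(parts.query)
    if not shell and n < min_overencoded:
        return None
    return {"ip": ip, "time": when, "status": int(status),
            "overencoded": n, "params": shell}

def scan(lines):
    """Scan an iterable of access-log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (documentation IP ranges, not real log data).
SAMPLE = [
    '192.0.2.10 - - [11/Dec/2004:04:01:59 +0100] "GET /forum/viewtopic.php?t=%38&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70 HTTP/1.1" 200 27712 "-" "-"',
    '198.51.100.7 - - [11/Dec/2004:04:02:10 +0100] "GET /forum/viewtopic.php?t=8&highlight=debian%20isp HTTP/1.1" 200 27001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2004:04:02:11 +0100] "GET /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A status of 200 on a flagged line only means the script answered; whether the request had any effect has to be confirmed on the host, for example with the listening-port check mentioned in the message.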