Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: phpBB Worm

from [ycw1bh302] Network Security [Permanent Link]
Subject: Re: phpBB Worm
Date: 22 Dec 2004 04:34:59 -0000 
In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@mailbox.prolocation.net>

Forgive me if this is a newbie question, but a site I help run was hit by this, 
and I'm trying to understand it to protect against future worms.

The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl 
to write the Perl script file, then executes it.  The script then proceeds to 
traverse the entire directory structure, overwriting .php, .htm, .shtm, .phtm, 
and on our server, .ssi files, and then spreads itself.  Correct?

I have two questions:

1.  Why has the worm been as effective on Windows servers as on *nix servers?  
At the very least, shouldn't the difference in file and directory naming cause 
a problem?  I looked at the decoded Perl script, but I'm not a Perl expert, so 
I couldn't understand all of it.  And what about the difference in file 
permissions?

2.  More importantly, why wasn't the worm's destructive ability limited by file 
permissions, especially on *nix servers?  If, for example, an HTML file on the 
server was uploaded by user bob, and has permissions of 755, how can the Perl 
script delete that file?  Shouldn't the Perl script be created with the Perl 
process's permissions, which was invoked by PHP, which should have the Web 
server's permissions, which should be, at least on most *nix servers, the 
nobody user?

This is a big issue on shared servers, or virtual hosts, whatever you want to 
call them.  Our site is on a shared server, and our site does not even run 
phpBB, but most of our HTML files were replaced with the worm's content.  
Obviously, then, another site on the server must have an old version of phpBB.  
But why could the worm, coming in through another site, modify files created by 
other users?  Even if the worm's script ran as the owner of the vulnerable 
viewtopic.php file, how could it then modify non-world-writable files created 
by other users?

I have long been concerned with the security of PHP scripts, especially on 
shared servers.  Since PHP almost always runs as an Apache module, and Apache 
usually runs as nobody, one must make files and directories world-writable for 
PHP scripts to be able to write to them.  But that means that any process on 
the server, including anyone's PHP script, can modify the files.

Thanks for any insights.

Adam Porter
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DJB's students release 44 *nix software vulnerability advisories, Valdis . Kletnieks
Next by Date:  Re: Local versus remote security holes, Adam Shostack
Previous by Thread:  Re: phpBB Worm, Alexander Klimov
Next by Thread:  Re: phpBB Worm, Alvin Packard
Indexes:  [Date] [Thread] [Top] [All Lists]