Network Security Vuln-Dev

Re: phpBB Worm

Subject: Re: phpBB Worm
Date: Wed, 22 Dec 2004 21:28:01 -0600
Last look at my log files and I was hit a total of 421 times by 278
different IPs. It seems to be moving rather quickly as these were from
the last 2 days. Good luck to those who have not patched yet.

Alvin Packard, CWNA
www.networksecuritytech.com


On 22 Dec 2004 04:34:59 -0000, ycw1bh302@sneakemail.com
<ycw1bh302@sneakemail.com> wrote:
In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@mailbox.prolocation.net>

Forgive me if this is a newbie question, but a site I help run was hit by 
this, and I'm trying to understand it to protect against future worms.

The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl 
to write the Perl script file, then executes it.  The script then proceeds to 
traverse the entire directory structure, overwriting .php, .htm, .shtm, 
.phtm, and on our server, .ssi files, and then spreads itself.  Correct?

I have two questions:

1.  Why has the worm been as effective on Windows servers as on *nix servers? 
 At the very least, shouldn't the difference in file and directory naming 
cause a problem?  I looked at the decoded Perl script, but I'm not a Perl 
expert, so I couldn't understand all of it.  And what about the difference in 
file permissions?

2.  More importantly, why wasn't the worm's destructive ability limited by 
file permissions, especially on *nix servers?  If, for example, an HTML file 
on the server was uploaded by user bob, and has permissions of 755, how can 
the Perl script delete that file?  Shouldn't the Perl script be created with 
the Perl process's permissions, which was invoked by PHP, which should have 
the Web server's permissions, which should be, at least on most *nix servers, 
the nobody user?

This is a big issue on shared servers, or virtual hosts, whatever you want to 
call them.  Our site is on a shared server, and our site does not even run 
phpBB, but most of our HTML files were replaced with the worm's content.  
Obviously, then, another site on the server must have an old version of 
phpBB.  But why could the worm, coming in through another site, modify files 
created by other users?  Even if the worm's script ran as the owner of the 
vulnerable viewtopic.php file, how could it then modify non-world-writable 
files created by other users?

I have long been concerned with the security of PHP scripts, especially on 
shared servers.  Since PHP almost always runs as an Apache module, and Apache 
usually runs as nobody, one must make files and directories world-writable 
for PHP scripts to be able to write to them.  But that means that any process 
on the server, including anyone's PHP script, can modify the files.

Thanks for any insights.

Adam Porter
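The permission problem Adam describes (PHP running as the Apache user, so site files and directories get opened up world-writable and any local process can then replace them) can be checked for directly on a shared host. The following audit script is an added example, not code from this thread; it assumes a POSIX filesystem and constructs its own sample document root in a temporary directory for the demonstration.

```python
"""Flag web files under a document root that any local process (such as a
worm running as the web-server user) could overwrite. Added example, not
code from the thread; assumes a POSIX filesystem."""
import os
import stat
import tempfile

WEB_EXTS = {".php", ".htm", ".html", ".shtm", ".phtm", ".ssi"}


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for web files that are
    world-writable, or that sit in a world-writable directory without the
    sticky bit (where the file can simply be unlinked and replaced)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        dir_open = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                findings.append((rel, "file is world-writable"))
            elif dir_open:
                findings.append((rel, "parent directory is world-writable"))
    return sorted(findings)


def build_sample_tree():
    """Construct a demo root (constructed data): vhost_a opened up to 777
    so its PHP app can write, as in the thread; vhost_b kept at 755/644."""
    root = tempfile.mkdtemp(prefix="webroot_")
    spec = {"vhost_a/forum/index.php": (0o777, 0o777),
            "vhost_a/forum/about.htm": (0o777, 0o644),
            "vhost_b/index.htm": (0o755, 0o644)}
    for rel, (dmode, fmode) in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<html>sample</html>\n")
        os.chmod(path, fmode)
        os.chmod(os.path.dirname(path), dmode)
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Note that about.htm is reported even though its own mode is 644: with a 777 parent directory the file can be removed and recreated by any user, which is exactly how non-world-writable files on other vhosts ended up replaced.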

