Re: phpBB Worm
In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@xxxxxxxxxxxxxxxxxxxxxxx>
Forgive me if this is a newbie question, but a site I help run was hit by this,
and I'm trying to understand it to protect against future worms.
The worm exploits the phpBB highlight vulnerability. It uses PHP to run Perl
to write the Perl script file, then executes it. The script then proceeds to
traverse the entire directory structure, overwriting .php, .htm, .shtm, .phtm,
and on our server, .ssi files, and then spreads itself. Correct?
I have two questions:
1. Why has the worm been as effective on Windows servers as on *nix servers?
At the very least, shouldn't the difference in file and directory naming cause
a problem? I looked at the decoded Perl script, but I'm not a Perl expert, so
I couldn't understand all of it. And what about the difference in file
permissions?
2. More importantly, why wasn't the worm's destructive ability limited by file
permissions, especially on *nix servers? If, for example, an HTML file on the
server was uploaded by user bob, and has permissions of 755, how can the Perl
script delete that file? Shouldn't the Perl script be created with the Perl
process's permissions, which was invoked by PHP, which should have the Web
server's permissions, which should be, at least on most *nix servers, the
nobody user?
This is a big issue on shared servers, or virtual hosts, whatever you want to
call them. Our site is on a shared server, and our site does not even run
phpBB, but most of our HTML files were replaced with the worm's content.
Obviously, then, another site on the server must have an old version of phpBB.
But why could the worm, coming in through another site, modify files created by
other users? Even if the worm's script ran as the owner of the vulnerable
viewtopic.php file, how could it then modify non-world-writable files created
by other users?
I have long been concerned with the security of PHP scripts, especially on
shared servers. Since PHP almost always runs as an Apache module, and Apache
usually runs as nobody, one must make files and directories world-writable for
PHP scripts to be able to write to them. But that means that any process on
the server, including anyone's PHP script, can modify the files.
Thanks for any insights.
Adam Porter