
Re: phpBB Worm



Last look at my log files and I was hit a total of 421 times by 278
different IPs. It seems to be moving rather quickly as these were from
the last 2 days. Good luck to those who have not patched yet.

Alvin Packard, CWNA
www.networksecuritytech.com


On 22 Dec 2004 04:34:59 -0000, ycw1bh302@xxxxxxxxxxxxxx
<ycw1bh302@xxxxxxxxxxxxxx> wrote:
> In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@xxxxxxxxxxxxxxxxxxxxxxx>
> 
> Forgive me if this is a newbie question, but a site I help run was hit by 
> this, and I'm trying to understand it to protect against future worms.
> 
> The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl 
> to write the Perl script file, then executes it.  The script then proceeds to 
> traverse the entire directory structure, overwriting .php, .htm, .shtm, 
> .phtm, and on our server, .ssi files, and then spreads itself.  Correct?
> 
> I have two questions:
> 
> 1.  Why has the worm been as effective on Windows servers as on *nix servers? 
>  At the very least, shouldn't the difference in file and directory naming 
> cause a problem?  I looked at the decoded Perl script, but I'm not a Perl 
> expert, so I couldn't understand all of it.  And what about the difference in 
> file permissions?
> 
> 2.  More importantly, why wasn't the worm's destructive ability limited by 
> file permissions, especially on *nix servers?  If, for example, an HTML file 
> on the server was uploaded by user bob, and has permissions of 755, how can 
> the Perl script delete that file?  Shouldn't the Perl script be created with 
> the Perl process's permissions, which was invoked by PHP, which should have 
> the Web server's permissions, which should be, at least on most *nix servers, 
> the nobody user?
> 
> This is a big issue on shared servers, or virtual hosts, whatever you want to 
> call them.  Our site is on a shared server, and our site does not even run 
> phpBB, but most of our HTML files were replaced with the worm's content.  
> Obviously, then, another site on the server must have an old version of 
> phpBB.  But why could the worm, coming in through another site, modify files 
> created by other users?  Even if the worm's script ran as the owner of the 
> vulnerable viewtopic.php file, how could it then modify non-world-writable 
> files created by other users?
> 
> I have long been concerned with the security of PHP scripts, especially on 
> shared servers.  Since PHP almost always runs as an Apache module, and Apache 
> usually runs as nobody, one must make files and directories world-writable 
> for PHP scripts to be able to write to them.  But that means that any process 
> on the server, including anyone's PHP script, can modify the files.
> 
> Thanks for any insights.
> 
> Adam Porter
>
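The permissions question in the quoted message turns on a point that is easy to miss: on Unix, deleting or replacing a file requires write permission on the directory that contains it, not on the file itself. A 755 or 644 file sitting in a world-writable directory (the usual workaround for letting PHP-as-nobody write files on a shared host) can therefore be unlinked and recreated by any local process, web server included, whatever the file's own mode says. The audit below is an added example written for this archive page, not code from either poster; the sample directory tree, site names and file names it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit a web document root for the shared-hosting exposure
# discussed in the thread. Everything under make_sample_tree is constructed
# test data, not paths from the original post.

# Build a small constructed tree that mimics a shared-hosting docroot.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/siteA/forum" "$root/siteB/html" "$root/siteB/uploads"
  printf '<?php echo 1; ?>' > "$root/siteA/forum/viewtopic.php"
  printf '<html></html>' > "$root/siteB/html/index.htm"
  printf 'x' > "$root/siteB/uploads/avatar.gif"
  chmod 755 "$root/siteB/html"
  chmod 755 "$root/siteB/html/index.htm"       # the "755 file" from the question
  chmod 644 "$root/siteB/uploads/avatar.gif"   # not writable by others...
  chmod 777 "$root/siteB/uploads"              # ...but its directory is
  chmod 666 "$root/siteA/forum/viewtopic.php"  # a world-writable file
}

# List every file or directory with the other-write bit set (symlinks skipped).
# Directories in this list are the real problem: their contents can be
# replaced regardless of each file's own mode.
find_world_writable() {
  find "$1" ! -type l -perm -0002 -print | sort
}

# List regular files that can be deleted/replaced by any local user because
# their parent directory is world-writable without the sticky bit. A sticky
# directory (like /tmp) only lets the file's owner unlink it, so it is excluded.
find_replaceable_files() {
  find "$1" -type d -perm -0002 ! -perm -1000 -print | while IFS= read -r d; do
    for f in "$d"/*; do
      [ -f "$f" ] && printf '%s\n' "$f"
    done
  done | sort
}

# Count of findings, usable as a pass/fail signal in a cron job.
count_findings() {
  find_world_writable "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "World-writable entries under $demo_root:"
find_world_writable "$demo_root"
echo "Files replaceable via a world-writable parent directory:"
find_replaceable_files "$demo_root"
rm -rf "$demo_root"
```

Run it against a real docroot with `find_world_writable /var/www` to get the raw list, or `count_findings /var/www` in a nightly job that alerts when the number is not zero. Note that avatar.gif is mode 644 and still appears in the replaceable list: fixing the file modes alone, as the quoted message suspects, would not have stopped a process running as the web server user from swapping those files out.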