Re: phpBB Worm
Last look at my log files and I was hit a total of 421 times by 278
different IPs. It seems to be moving rather quickly as these were from
the last 2 days. Good luck to those who have not patched yet.
Alvin Packard, CWNA
www.networksecuritytech.com
On 22 Dec 2004 04:34:59 -0000, ycw1bh302@xxxxxxxxxxxxxx
<ycw1bh302@xxxxxxxxxxxxxx> wrote:
> In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@xxxxxxxxxxxxxxxxxxxxxxx>
>
> Forgive me if this is a newbie question, but a site I help run was hit by
> this, and I'm trying to understand it to protect against future worms.
>
> The worm exploits the phpBB highlight vulnerability. It uses PHP to run Perl
> to write the Perl script file, then executes it. The script then proceeds to
> traverse the entire directory structure, overwriting .php, .htm, .shtm,
> .phtm, and on our server, .ssi files, and then spreads itself. Correct?
>
> I have two questions:
>
> 1. Why has the worm been as effective on Windows servers as on *nix servers?
> At the very least, shouldn't the difference in file and directory naming
> cause a problem? I looked at the decoded Perl script, but I'm not a Perl
> expert, so I couldn't understand all of it. And what about the difference in
> file permissions?
>
> 2. More importantly, why wasn't the worm's destructive ability limited by
> file permissions, especially on *nix servers? If, for example, an HTML file
> on the server was uploaded by user bob, and has permissions of 755, how can
> the Perl script delete that file? Shouldn't the Perl script be created with
> the Perl process's permissions, which was invoked by PHP, which should have
> the Web server's permissions, which should be, at least on most *nix servers,
> the nobody user?
>
> This is a big issue on shared servers, or virtual hosts, whatever you want to
> call them. Our site is on a shared server, and our site does not even run
> phpBB, but most of our HTML files were replaced with the worm's content.
> Obviously, then, another site on the server must have an old version of
> phpBB. But why could the worm, coming in through another site, modify files
> created by other users? Even if the worm's script ran as the owner of the
> vulnerable viewtopic.php file, how could it then modify non-world-writable
> files created by other users?
>
> I have long been concerned with the security of PHP scripts, especially on
> shared servers. Since PHP almost always runs as an Apache module, and Apache
> usually runs as nobody, one must make files and directories world-writable
> for PHP scripts to be able to write to them. But that means that any process
> on the server, including anyone's PHP script, can modify the files.
>
> Thanks for any insights.
>
> Adam Porter
>
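An added example, not code from either poster, of the log check Alvin describes above: it scans Apache combined-format access log lines for requests to viewtopic.php whose highlight parameter carries an encoded quote or a PHP function call, and reports the total number of hits and the number of distinct source IPs. The request signature in SUSPICIOUS and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: client IP, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators of an attempt on the highlight parameter: a single quote
# (raw, URL-encoded or double-encoded) or a PHP call name followed by "(".
SUSPICIOUS = re.compile(r"(%27|'|system\(|chr\(|fwrite\(|fopen\()", re.IGNORECASE)

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
LOG = """\
10.0.0.5 - - [22/Dec/2004:03:10:01 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252Esystem(chr(99)) HTTP/1.0" 200 4521
10.0.0.5 - - [22/Dec/2004:03:10:02 +0000] "GET /forum/viewtopic.php?t=13&highlight=%2527 HTTP/1.0" 200 4410
192.0.2.44 - - [22/Dec/2004:03:11:17 +0000] "GET /forum/viewtopic.php?t=7&highlight=phpbb HTTP/1.1" 200 3900
198.51.100.9 - - [22/Dec/2004:03:12:40 +0000] "GET /forum/viewtopic.php?t=9&highlight=%27.system(chr(112)) HTTP/1.0" 200 4410
203.0.113.7 - - [22/Dec/2004:03:13:05 +0000] "GET /index.html HTTP/1.1" 200 1200
"""


def is_highlight_attack(target):
    """True if the request targets viewtopic.php with a suspicious highlight value."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("viewtopic.php"):
        return False
    # parse_qs decodes once, so a double-encoded %2527 becomes %27 here;
    # unquote() covers the single-encoded form.
    for value in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote(value)):
            return True
    return False


def analyze_log(text):
    """Count matching requests per source IP; normal forum searches are ignored."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_highlight_attack(m.group("target")):
            hits[m.group("ip")] += 1
    return {"total": sum(hits.values()), "unique_ips": len(hits), "by_ip": hits}


if __name__ == "__main__":
    result = analyze_log(LOG)
    print(f"hit {result['total']} times by {result['unique_ips']} different IPs")
```

Run it against a real access_log by replacing LOG with the file contents; a legitimate search such as highlight=phpbb is not counted.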