Last Updated: 2006-04-19 20:58:31 UTC
by Johannes Ullrich (Version: 1)
viewtopic.php? [...] &highlight=%2527%252esystem(chr(99)%252echr [...]
I omitted the long string of URL encoded hex characters. If you run phpBB, grep your Apache access log for 'viewtopic.php', 'highlight' and 'system':
grep viewtopic < access_log | grep highlight | grep system
Now the part you are interested in is what the "system" call tries to execute. Note that the value in the log is URL encoded twice: the %25 in %2527 is itself an encoded '%', because phpBB runs urldecode() on the highlight parameter once more before it reaches the system() call. So you have to decode it twice. A quick way is php's "urldecode" function. Just open a shell, and enter:
$ php -a
php > print urldecode(urldecode(" ... [paste gibberish here ] ... "));
Make sure you do not copy any quotes. The result is the injected PHP expression; its system() argument is built up from chr() calls (chr(99).chr(100)... and so on), so read or evaluate those and you will likely find an ftp command and with that the location of the actual bot code. Let us know what you find. I posted a quick analysis of a typical phpBB bot here Important: a few users reported Antivirus alerts after clicking this URL. Since it quotes parts from the bot, it likely triggers some signatures. However, the page will not execute any malware (trust me ;-) )
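The whole procedure above (find the hits in the access log, strip the highlight parameter, undo both layers of URL encoding, and turn the chr() chain into the command) as one script. This is an added example, not code from the diary; the two log lines and the chr() payload in it are constructed to look like the attack and do not come from a real bot.

```python
"""Pull phpBB 'highlight' exploit payloads out of Apache access log lines.

Added example, not part of the original diary. SAMPLE_LOG is constructed:
the second line mimics the attack pattern quoted in the diary, with a
made-up chr() payload that decodes to "cd /tmp;id".
"""
import re
from urllib.parse import unquote, urlparse

# Constructed sample access log (common log format). Only the second line
# should survive the viewtopic / highlight / system filter.
SAMPLE_LOG = r"""
10.0.0.5 - - [19/Apr/2006:20:10:01 +0000] "GET /viewtopic.php?t=12&highlight=linux HTTP/1.1" 200 5120
10.0.0.9 - - [19/Apr/2006:20:11:42 +0000] "GET /viewtopic.php?t=1&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(105)%252echr(100))%252e%2527 HTTP/1.0" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHR_CALL_RE = re.compile(r"chr\((\d+)\)")
SYSTEM_ARG_RE = re.compile(r"system\((.*)\)")


def extract_highlight(log_line):
    """Return the still-encoded highlight= value from a viewtopic.php request, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlparse(m.group(1))
    if not url.path.endswith("viewtopic.php"):
        return None
    # Walk the query string by hand so nothing gets decoded yet.
    for part in url.query.split("&"):
        if part.startswith("highlight="):
            return part[len("highlight="):]
    return None


def decode_highlight(raw):
    """Undo both layers of URL encoding: the web server's and phpBB's own urldecode()."""
    return unquote(unquote(raw))


def resolve_chr_chain(php_expr):
    """Turn a chr(N).chr(M)... concatenation into the string it builds, without eval().

    Only chr() calls are resolved; a payload that also uses quoted literals
    would need those spliced in as well.
    """
    return "".join(chr(int(code)) for code in CHR_CALL_RE.findall(php_expr))


def suspicious_highlights(log_text):
    """Apply the diary's three-way grep, then decode every hit.

    Returns a list of dicts with the raw value, the decoded PHP expression
    and the command the system() call would run.
    """
    results = []
    for line in log_text.splitlines():
        if not ("viewtopic" in line and "highlight" in line and "system" in line):
            continue
        raw = extract_highlight(line)
        if raw is None:
            continue
        decoded = decode_highlight(raw)
        arg = SYSTEM_ARG_RE.search(decoded)
        command = resolve_chr_chain(arg.group(1)) if arg else ""
        results.append({"raw": raw, "decoded": decoded, "command": command})
    return results


if __name__ == "__main__":
    for hit in suspicious_highlights(SAMPLE_LOG):
        print("decoded PHP:", hit["decoded"])
        print("system() runs:", hit["command"])
```

On a real log, replace SAMPLE_LOG with the file contents; the command string is where the ftp/wget fetch and the bot location show up. Nothing here evaluates the payload, so it is safe to run over untrusted log data.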
These bots typically all work very much alike:
- search google for vulnerable systems
- send the exploit
- the exploit will trigger the download and execution of a perl script
- the perl script will join an IRC channel and wait for commands.
A couple of simple countermeasures to keep in mind:
- First of all, don't forget to patch your systems. It's all too easy to forget random web applications like phpBB.
- mount /tmp as a separate partition with the noexec option (and link /usr/tmp and /var/tmp to it). It's not perfect: noexec stops a dropped binary from being executed directly, but not "perl /tmp/bot.pl", where the interpreter is what gets executed. Still, most of the web based exploits need a place to write their files to, and /tmp is the most common location available.
- block outbound ftp/web traffic from your web server. Many web servers do not need outbound traffic on port 80/21, and since the downloaded script then has to reach its IRC server, a default-deny outbound policy breaks the attack at both steps.
- run php in "safe mode". Safe mode only confines system() and friends to safe_mode_exec_dir; if your applications don't need them at all, disable_functions = system,exec,passthru,shell_exec,popen,proc_open in php.ini is the more direct control.
- for extra credit: chroot apache (not all that easy, but very effective once it is done).
- use mod_security (thanks to Ramon for reminding me about mod_security. It's GGGrreat!)