Mata.txt - PHPBB Worm...

Discussion in 'General Discussion' started by stevieb, Mar 1, 2005.

  1. stevieb

    Hello,
    I received a complaint off the provider for one of my servers today.
    The load of it has been surprisingly high recently, about 3.0, whereas normally it wouldn't rise above 0.10.

    I have checked the Current CPU Usage and I can see that "perl /tmp/mata.txt 208.53.165.253 9999999 53" is using 99.8% CPU - I tried to delete this file using the command rm /tmp/mata.txt and it has removed it. The server load has now dropped to about 1.5-2.

    Still, I would guess that all the PHPBB forum installations need to be updated. I have done this on all the cpanel ones, but now the fantastico ones to go..

    Could anyone think of what else could be causing this, or is it all down to PHPBB old installations?

    Also, I would like to share the email I got with you;

    ".... 2005-02-26 03:37:53 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 205.138.198.157 port 51397 destination: 216.250.243.13 port 80
    2005-02-27 19:07:21 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 205.138.198.157 port 43054 destination: 216.250.243.13 port 80
    2005-02-27 19:38:24 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 205.138.198.157 port 47580 destination: 216.250.243.13 port 80
    2005-02-27 21:08:25 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 205.138.198.157 port 34463 destination: 216.250.243.13 port 80
    2005-02-27 22:01:09 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 205.138.198.157 port 45196 destination: 216.250.243.13 port 80
    2005-02-28 01:29:38 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 205.138.198.157 port 55789 destination: 216.250.243.13 port 80

    Your system appears to have been hit with the phpBB worm (Perl.Santy)
    and is actively scouring the net looking for other phpBB sites to
    infect. For more information on this worm, please visit
    http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
    or http://www.us-cert.gov/cas/techalerts/TA04-356A.html .

    You need to clean up your server, remove the active infection, and
    update your phpBB installation to at least version 2.0.11.

    ..."

    That's the main part of it.

    Is there any way for me to scan for older versions than PHPBB 2.0.11, and then upgrade them, or is it going to be a long process of patching every account manually?

    I have a total of 6 infected files on my server, but around 30 PHPBB installations.

    Thanks a lot for your help

    Regards
    Steven Billings
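
An added example, not part of the original post or of any script linked in this thread: deleting a script from /tmp does not stop a copy of it that is already running, so the process list is worth checking as well. The sketch below parses `ps -eo pid,user,pcpu,args` output and flags interpreters whose script lives in a world-writable directory; the directory list, the interpreter list and every sample row except the quoted command line are assumptions.

```python
import os
import re
import subprocess

# Directories that any local account, including the web server's, can write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "php", "ruby", "sh", "bash"}

# Constructed sample of `ps -eo pid,user,pcpu,args` output. One row reuses the
# command line and CPU figure quoted in the post; PIDs, users and the other
# rows are made up.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
 1201 root      0.0 /usr/sbin/httpd -k start
 4312 nobody   99.8 perl /tmp/mata.txt 208.53.165.253 9999999 53
 4400 alice     0.1 /usr/bin/perl -w /home/alice/bin/report.pl
 4521 nobody    3.2 /usr/bin/python -u /dev/shm/.x/bot.py
 4600 root      0.0 sh -c /usr/local/bin/backup.sh /tmp/backup.tar
"""

def interpreter_name(argv0):
    """Map 'perl', '/usr/bin/perl5.8.8', ... to a known interpreter, else None."""
    base = re.sub(r"[\d.]+$", "", os.path.basename(argv0))
    return base if base in INTERPRETERS else None

def suspicious_processes(ps_text):
    """Return (pid, user, script) for each interpreter whose script file
    lives in a world-writable directory."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, user, _cpu, args = fields
        argv = args.split()
        if interpreter_name(argv[0]) is None:
            continue
        # The script is the first argument that is not an option flag.
        script = next((a for a in argv[1:] if not a.startswith("-")), None)
        if script and os.path.normpath(script).startswith(WRITABLE_DIRS):
            hits.append((int(pid), user, script))
    return hits

if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "pid,user,pcpu,args"],
                          capture_output=True, text=True).stdout
    for pid, user, script in suspicious_processes(live):
        print(f"PID {pid} ({user}) is running {script}")
```

A script started by a relative path from inside /tmp is not caught by this check; on Linux, /proc/<pid>/cwd shows the working directory for that case.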
     
  2. Aric1

    So long as you AREN'T using a "Stable" release, CPANEL already has phpBB 2.0.13 in it and using the Addon scripts addon module in WHM can identify and attempt to upgrade older installs (with varying levels of success).

    In addition, you can download the cplicensing phpBB installation finder to help in the search, but as is the case with many of their free scripts, it isn't perfect, but hey, it's free. :)

    http://www.cplicensing.net/files/scripts/chkphpbbver

    Just save that file, chmod it and run it as root. It can display results to the screen or send e-mails.
     
  3. brentp

    I made a script similar to Shaun's that can be run via WHM. It's at http://brentp.info:30000/trunk/ and it's called antisanty or something of the sort.

    Regards,
    Brent
     
  4. jmoe2008

    Installing mod_security with even the basic WHM/CPanel rule set is also a big help. My server is currently bouncing 20-30 attacks like this per hour.
     
  5. Biotron2000

    Is there a trick to get it to work? I click on it in WHM and get "The page cannot be displayed."

    EDIT: Never mind. Forgot to CHMOD. Works great, thanks for the script!
     
    #5 Biotron2000, Mar 7, 2005
    Last edited: Mar 7, 2005