
Perl.Santy? Too many accounts? Script within! :)

Discussion in 'General Discussion' started by LiNUxG0d, Jan 13, 2005.

  1. LiNUxG0d
    Hi all,

    I was hit hard by Perl.Santy and got really pissed, so, here's the code I created to seek out and archive (optionally) the old deprecated phpBB boards. It generates a report and if set to do so, will backup boards and replace with a "WARNING" index.

    It's very efficient and worked great for me. Saved me lots of time and headaches.

    It'll detect and give you deprecated boards + admin contacts for the boards, versions and all that good stuff. :D It keeps the DB's intact as well.

    It should be run as root.

    I run Fedora Core 1 and 2 as well as RH 9 and it was successful in targeting/disabling over 96 deprecated boards in about 10 minutes. :)

    Let me know what you think or if it helps, etc, etc, etc. :) It's not guaranteed, however, worked wonders for me. :)

    Feel free to message me if you have questions, programming needs, etc. I love working with cPanel servers and if anyone needs anything, I'm up to contract work. :)

    j.savard at impact6 dot com

    Jamie S.

    Code:
    #!/usr/local/bin/php -q
    
    <?php
    //////////////////////////////////////////////////////////
    //               ....                                   //
    //            ,od88888bo.                               //
    //          ,d88888888888b                              //
    //         ,dP""'   `"Y888b       ,.                    //
    //         d'         `"Y88b     .d8b. ,                //
    //         '            `Y88[  , `Y8P' db               //
    //                       `88b  Ybo,`',d88)              //
    //                        ]88[ `Y888888P"               //
    //                       ,888)  `Y8888P'                //
    //                      ,d888[    `""'                  //
    //                   .od8888P          ...              //
    //             ..od88888888bo,      .d888b              //
    //                   `""Y888888bo. .d888888b            //
    //         .             `Y88b"Y88888P"' `Y8b           //
    //         :.             `Y88[ `"""'     `88[          //
    //         |b              |88b            Y8b.         //
    //         `8[             :888[ ,         :88)         //
    //          Yb             :888) `b.       d8P'         //
    //          `8b.          ,d888[  `Ybo.  .d88[          //
    //           Y8b.        .dWARP'   `Y8888888P           //
    //           `Y88bo.  .od8888P'      "YWARP'            //
    //           `"Y8888888888P"'         `"'               //
    //              `"Y8888P""'                             //
    //                `""'           Impact 6...            //
    //                                                      //
    //      ... infinite spirit.                            //
    //                                                      //
    //////////////////////////////////////////////////////////
    // This program is used in conjunction with cPanel 4.5+ //
    //////////////////////////////////////////////////////////
    //                                                      //
    // Title:        phpBBchecker v.1.0                     //
    //                                                      //
    // Created by:   Jamie Savard                           //
    // Created for:  Impact 6 Productions                   //
    // URL:          http://www.impact6.com/                //
    // Created on:   01-13-2005                             //
    //                                                      //
    // In response to:  Perl.Santy worm                     //
    // http://www.us-cert.gov/cas/techalerts/TA04-356A.html //
    //                                                      //
    // Description:                                         //
    //                                                      //
    // This script locates phpBB versions smaller than "n"  //
    // and admonishes them.  If they are equal or above,    //
    // then it will leave them alone.  It doesn't delete    //
    // data, simply:                                        //
    //                                                      //
    //      + The deprecated phpBB chmodded 000.            //
    //      + Shift board to name_compromised               //
    //        (IE:  /forums becomes /forums_compromised)    //
    //      + Create folder with index.html advising to     //
    //        contact host.                                 //
    //                                                      //
    // NOTE:  This script should be run as a super-user.    //
    //                                                      //
    //////////////////////////////////////////////////////////
    //              DO NOT EDIT THIS PROGRAM                //
    //////////////////////////////////////////////////////////
    
    // Acceptable version of phpBB. (IE:  2.0.11 would be 11)
    $acceptableversion = 11;
    
    // Set to 1 to deprecate boards, if not, report alone is generated.
    // ATTENTION:  This will perform the above description.  Run once to see logs first.
    $shift = 0;
    
    // Counters and flags are initialised here so the summary at the end is reliable.
    $i = 0;
    $j = 0;
    $firstrun = 0;
    
    // Append one line to a file without passing its contents through a shell.
    function logline($file, $line) {
            $fh = fopen($file, "a");
            fwrite($fh, $line . "\n");
            fclose($fh);
    }
    
    // Grab a list of all current phpBB DB's (the MyISAM index of each phpbb_config table).
    $locatelist = trim(`locate phpbb | grep sql | grep config.MYI`);
    $locatearray = ($locatelist == "") ? array() : explode("\n", $locatelist);
    
    // Log Directory is the pwd.
    $log = getcwd() . "/phpBBchecker.log";
    
    foreach ($locatearray as $locateline) {
    
            $i++;
            // /var/lib/mysql/<db>/phpbb_config.MYI -> element 4 is the database name.
            $linearray = explode("/", $locateline);
            $db = $linearray[4];
    
            // ORDER BY fixes the row order the code below relies on: row 0 is the column
            // header, 1 = board_email, 2 = script_path, 3 = server_name, 4 = version.
            $versionquery = "use $db; select config_value from phpbb_config WHERE config_name = 'version' OR config_name='board_email' OR ";
            $versionquery .= "config_name='script_path' OR config_name='server_name' ORDER BY config_name";
            $dosql = shell_exec("mysql --execute=" . escapeshellarg($versionquery));
    
            $versionarray = explode("\n", trim($dosql));
            if (count($versionarray) < 5) {
                    // Query failed or the config table is incomplete; nothing to judge here.
                    continue;
            }
    
            // phpBB 2 stores the version as ".0.11", so element 2 is the patch level.
            $version = explode(".", $versionarray[4]);
            if ((int)$version[2] < $acceptableversion) {
    
                    if (!$firstrun) {
    
                            $firstrun = 1;
                            logline($log, date("Y-m-d"));
                            logline($log, "Version -> DB -> Admin Email -> Location");
                    }
    
                    if ($versionarray[1]) {$adminemail = $versionarray[1];} else { $adminemail = "None";}
    
                    logline($log, "$versionarray[4] -> $db -> $adminemail -> $versionarray[3]$versionarray[2]");
    
                    if ($shift) {
    
                            $homedirinfo = explode("_", $db);
                            $homedir = $homedirinfo[0];
                            $dirinfo = explode("/", $versionarray[2]);
                            $dir = $dirinfo[1];
                            $compdir = $dir . "_compromised";
                            $boardpath = "/home/$homedir/www/$dir";
                            $comppath = "/home/$homedir/www/$compdir";
    
                            if ($dir == "") {
                                    // script_path is "/" (board in the document root); never disable the whole site.
                                    logline($log, "SKIPPED $db: board lives in the document root, handle it by hand");
                            }
                            elseif (file_exists($comppath)) {
                                    // Never move a board on top of an existing directory.
                                    logline($log, "SKIPPED $db: $comppath already exists");
                            }
                            else {
                                    // Initiate the protection sequence.
                                    chmod($boardpath, 0000);
                                    rename($boardpath, $comppath);
                                    mkdir($boardpath, 0755);
                                    logline("$boardpath/index.html", "Your phpBB was compromised, contact your host ASAP for details.  Databases are intact but the board is disabled for security purposes.");
                                    logline("$boardpath/index.html", "<br>Please see this for details: http://www.us-cert.gov/cas/techalerts/TA04-356A.html");
                            }
                    }
    
                    $j++;
            }
    }
    
    if ($j > 0) {
    
            print "\nPlease consult the resulting log:  $log\n\n";
            print "$j deprecated phpBB's were located and must be updated.\n\n";
    }
    else {
    
            print "\nNo deprecated phpBB versions were found.\n\n";
    }
    ?>
    
    
     
  2. jester.ro
    this script is a good idea, but you are making too many assumptions:

    1. you think that the phpbb tables have to be named containing phpBB
    2. users may have patched viewtopic.php, and leave the version old.
    3. what if someone has, by accident, a folder called forum_compromised, and you overwrite it with that mv
    4. this is cpanel, but this could have been made for all directory structures (not only /home/user/www)


    so, the way i would see a good script for this:

    start with "updatedb" :))
    locate viewtopic.php
    grep for the vulnerable code
    if found, backup in the same dir, and replace vulnerable code with good one.
    done
     
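    The workflow sketched above (locate viewtopic.php, check it, back it up, replace it) as an added bash example; it is not code from this thread. Because the vulnerable lines are not quoted here, it judges each file by comparing it to a known-good 2.0.11 copy rather than grepping for a pattern, and it assumes the paths in GOOD_FILE and DOCROOT_GLOB and a GNU stat (Fedora/Red Hat, as in the thread).

```bash
#!/bin/bash
# Added example, not code from the thread.  Assumptions: the known-good 2.0.11
# viewtopic.php sits at GOOD_FILE, boards live under DOCROOT_GLOB/<board>/,
# and GNU stat is available (Fedora/Red Hat, as in the thread).
GOOD_FILE="${GOOD_FILE:-/downloads/phpbb2_patch/viewtopic.php}"
DOCROOT_GLOB="${DOCROOT_GLOB:-/home/*/public_html}"
REPORT="${REPORT:-./phpbb_viewtopic_report.log}"

# "same" if the file is byte-for-byte the known-good copy, else "differs".
# A board patched by hand but still reporting an old version is judged by content.
compare_to_good() {
    if cmp -s "$GOOD_FILE" "$1"; then echo same; else echo differs; fi
}

# Numeric owner uid taken from the file itself rather than parsed out of the path.
owner_of() {
    stat -c '%u' "$1"
}

# Back up once (never clobber an existing backup), install the good copy,
# keep the account's ownership.  Returns 1 and logs when it refuses to act.
fix_file() {
    local target="$1" backup="$1.pre-2.0.11.bak" owner
    if [ -e "$backup" ]; then
        echo "SKIP $target: $backup already exists" >> "$REPORT"
        return 1
    fi
    owner=$(owner_of "$target")
    cp -p "$target" "$backup" || return 1
    cp "$GOOD_FILE" "$target" || return 1
    chown "$owner" "$target"
    echo "FIXED $target (backup: $backup)" >> "$REPORT"
}

# Report only by default; "apply" replaces files that differ.  Run report first.
scan() {
    local mode="${1:-report}" f
    for f in $DOCROOT_GLOB/*/viewtopic.php; do
        [ -f "$f" ] || continue
        if [ "$(compare_to_good "$f")" = same ]; then
            echo "OK   $f matches the 2.0.11 file" >> "$REPORT"
        elif [ "$mode" = apply ]; then
            fix_file "$f"
        else
            echo "OLD  $f differs from the 2.0.11 file" >> "$REPORT"
        fi
    done
}
```

    Run `scan` once to get the report, then `scan apply` once the OLD entries have been reviewed.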
  3. richy

    cpLicensing has a very similar script available via http://www.cplicensing.net/scripts.php :

    Name: chkphpbbver

    Version: 0.1

    Downloaded: 184 times
    This script will scan and find vulnerable versions of phpBB 2.0.x. The script was created after a nasty hole was discovered in phpbb which allowed an unauthorized guest to execute code on the server. This script has a few options, run the script with the --help argument to get a list of options.
     
  4. LiNUxG0d
    Hi!

    I appreciate the feedback. As aforementioned, it's unguaranteed and was created to patch holes on FC2, FC1 and RH9 using cPanel. I'll just address the concerns themselves.

    1. This is not an assumption. This is for all cPanel-based phpBB's. Have you checked the installer at all in the cPanel back-end? You can't specify DB prefixes.

    2. Yes, true, but better to be safe than sorry. I'd rather have an admin come back to me in my helpdesk asking, "What's going on? Oh, only Perl.Santy? I fixed that, can you unlock my board?" and then I'd do so.

    3. Sure, it's an assumption, however, in my experience in locating, now, over 350 borked boards, this occurrence has never happened. I know what you mean though. I could always check if the file exists first. Agreed. However keep in mind that your logic is flawed. Move doesn't overwrite in this case, it moves INTO the other folder, keeping data intact.

    4. As stated, this was created for cPanel servers using the same OS as mine. I even state to leave the $switch to 0 first to ensure you don't go overwriting/killing good boards. Create reporting first, and when you're sure, execute it.

    I have not seen the cPanel staff address this issue and thought I'd take it into my own hands since, well, nobody else seemed to care. If however, someone was running a quad-xeon with 600+ websites on it, he'd appreciate this script. ;) Better yet, maybe they have 4 quad-xeons with 600+ each... that makes for lotsa possible compromises.

    Thank you for your feedback though, it's VERY appreciated. :)

    Have a great day!

    Jamie
     
  5. shopcentar
    Hello,

    we made a script to change specific files on our servers...
    here is the code to replace the vulnerable viewtopic.php with the new 2.0.11 file.
    we have many forums, so this code may help with fast updates (of any file).

    Also you can run a patch file with this code with a small change in the code.

    So if someone has suggestions, here we are...
    by, SC


    Code:
    #!/bin/bash
    
    patch_file="/downloads/phpbb2_patch/viewtopic.php"
    
    patch_dest[1]="/home/USERNAME/public_html/forum/viewtopic.php"
    patch_dest[2]="/home/USERNAME/public_html/forum/viewtopic.php"
    #patch_dest[3]="/
    #patch_dest[800]="/
    #etc
    
    LIMIT=2  # Upper limit, please change this if you have 800 or more users
    
    echo  "<===================START LOOP...===============>"
    
    a=0
    
    # Process entries 1..LIMIT (the old "-le ... break" combination skipped the last one).
    while [ $a -lt "$LIMIT" ]
    do
     a=$(($a+1))
    
    BASE_STR=${patch_dest[$a]}
    POS=6   # length of "/home/"
    
    # Drop the "/home/" prefix, then keep everything up to the next "/" = the username.
    usersuffix=${BASE_STR:POS}
    string_pos=`expr index "$usersuffix" "/"`
    string_new=${usersuffix:0:string_pos-1}
    
    echo "::" $string_new "::" $patch_file ${patch_dest[$a]} ${patch_dest[$a]}"_backup" "::"
    
      # Back up the original only once, so a repeat run does not overwrite the backup
      # with the already-patched file; then install the new file and restore ownership.
      if [ ! -e "${patch_dest[$a]}_backup" ]
      then
        cp "${patch_dest[$a]}" "${patch_dest[$a]}_backup"
      fi
      cp "$patch_file" "${patch_dest[$a]}"
      chown "$string_new.$string_new" "${patch_dest[$a]}"
    
    done
    echo  "<===================END====================>"
     
  6. jfall
    Looks good.

    One suggestion. Use public_html instead of WWW. This will help in cases where the user does not have a WWW symlink.
     