The Community Forums


phpBB contains worm, how do i get rid of problem?

Discussion in 'General Discussion' started by webbhost, Jan 12, 2005.

  1. webbhost

    webbhost Well-Known Member

    Joined:
    Feb 4, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    Got this e-mail, keep getting them and don't know how to fix or what to do. Any help appreciated.

    The e-mail:

    Code:
    Dear Valued Customer,
    
    RE:  65.75.143.160 final warning, your immediate response pls
     
    
    Managed.com has received numerous complaints about unauthorized 
    activities from your server.  A copy of the complaints is attached for your perusal.
    
    Please be advised that your server is currently in violation of our 
    Acceptable User Policy---http://www.managed.com/policy.htm.
    
    To avoid termination of service and a penalty fee of $10.00 per 
    violation, we request that you investigate and terminate the 
    aforementioned account as soon as possible.  Hereby, we shall give you 
    24 hours' notice before we shall take any unwanted action.
    
    Thank you for your kind attention and full co-operation.
    
    Best regards
    
    Network security Team
    
    www.managed.com
    
    
    
    -------- Original Message --------
    Subject: Abuse (Worm phpBB Worm) from your network (65.75.143.160)
    Date: Tue, 11 Jan 2005 23:30:20 -0500
    From: Irides Abuse Desk <abuse@irides.com>
    Reply-To: abuse@irides.com
    To: abuse@managedsg-inc.com, abuse@managedsg-inc.com
    
    
    
    You are receiving this message because our Intrusion Detection System 
    detected abuse originating from your network.  We are providing you 
    with dates/times, source and destination addresses and ports, and the 
    type of abuse detected.  If you have any questions, or if this message 
    should go somewhere else, please let us know.  We do our best to route 
    this message to the correct party according to ARIN, RIPE and other 
    regional registries.
    
    If you need to contact us about this notification, please refer to 
    the notification number provided below.  Relevant abuse data follows:
    
    If you investigate and do not believe your system was the source of 
    an attack, I urge you to investigate the possibility that your system
    has been compromised and is running an open proxy, in which case other 
    parties may be orchestrating attacks and/or routing spam THROUGH your 
    server without your knowledge.
    
    Thank you for your cooperation. 
    
    Bob German
    Director of Operations/Engineering, Irides
    
    2005-01-11 00:02:43 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 51917 destination: 216.147.197.160 port 80
    2005-01-11 01:12:23 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 37246 destination: 216.147.197.160 port 80
    2005-01-11 01:45:17 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 57913 destination: 216.147.197.160 port 80
    2005-01-11 02:20:52 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 46794 destination: 216.147.197.160 port 80
    2005-01-11 02:53:00 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 44435 destination: 216.147.197.160 port 80
    2005-01-11 03:23:46 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 42718 destination: 216.147.197.160 port 80
    2005-01-11 04:27:41 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 47706 destination: 216.147.197.160 port 80
    2005-01-11 05:10:48 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 48843 destination: 216.147.197.160 port 80
    2005-01-11 05:52:20 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 40124 destination: 216.147.197.160 port 80
    2005-01-11 06:23:27 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 36181 destination: 216.147.197.160 port 80
    2005-01-11 06:54:19 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 55545 destination: 216.147.197.160 port 80
    2005-01-11 07:25:31 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 43635 destination: 216.147.197.160 port 80
    2005-01-11 07:59:15 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 52665 destination: 216.147.197.160 port 80
    2005-01-11 10:39:47 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 43084 destination: 216.147.197.160 port 80
    2005-01-11 11:11:15 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 47241 destination: 216.147.197.160 port 80
    2005-01-11 12:11:38 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 47770 destination: 216.147.197.160 port 80
    2005-01-11 12:53:54 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 57500 destination: 216.147.197.160 port 80
    2005-01-11 13:29:33 EDT (GMT+4:00) : 5437 (phpBB highlight parameter) -
    source: 65.75.143.160 port 38035 destination: 216.147.197.160 port 80
    
    
    Your system appears to have been hit with the phpBB worm (Perl.Santy) 
    and is actively scouring the net looking for other phpBB sites to 
    infect.  For more information on this worm, please visit 
    http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html 
    or http://www.us-cert.gov/cas/techalerts/TA04-356A.html .  
    
    You need to clean up your server, remove the active infection, and 
    update your phpBB installation to at least version 2.0.11.
    
    Because your server is actively scanning random servers around the Internet, 
    we request that you remove it from service until it has been cleaned.  
    With your assistance, these viruses and worms can be put out of 
    commission for good.  Please remind your customers never to put an unpatched 
    server on the network.
    
    
    
    Total alarms detected: 18
    
    Irides is a hosting company and data center based in Arlington, Virginia.  
    We provide web and application hosting, managed servers, and local
    connectivity.
    For more information, please visit http://www.irides.com .
    
    
    NOTIFICATION NUMBER: [11767]
    
    
    
    
     
  2. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    16
    First thing, update to phpBB 2.0.11. Second thing, install mod_security and implement the rule set below.

    SecFilterSelective ARG_highlight %27


    Third, scan the server for any rogue perl scripts. Find them and kill them and remove them. And finally, update PHP to 4.3.10.
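    To see what that mod_security rule actually matches, here is an added example (not code from this thread or from mod_security): a small Python scanner over constructed Apache access-log lines that flags viewtopic.php requests whose highlight argument still contains a quote after one round of URL decoding. It assumes, as mod_security 1.x did, that the request is URL-decoded once before ARG_highlight is compared, which is why a rule on %27 also catches the worm's double-encoded %2527.

```python
"""Flag phpBB 'highlight' exploit attempts (the vector Perl.Santy used) in
Apache access logs. Added example; not code from the forum thread."""
import re
from urllib.parse import parse_qs

# Apache combined-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def highlight_is_suspicious(target):
    """True when the request targets viewtopic.php and its highlight argument
    still holds a quote (literal or %27) after one round of URL decoding.
    One decode is what mod_security 1.x applied before matching ARG_highlight
    (assumption stated in the lead-in), so this mirrors the rule
    'SecFilterSelective ARG_highlight %27': a double-encoded %2527 decodes
    to %27 and is caught; a plain %27 decodes to a quote and is caught too."""
    path, _, query = target.partition('?')
    if not path.endswith('/viewtopic.php'):
        return False
    args = parse_qs(query, keep_blank_values=True)   # decodes each value once
    return any("'" in v or '%27' in v.upper() for v in args.get('highlight', []))


def scan_access_log(text):
    """Return (ip, timestamp, status, target) for every suspicious request.
    A 200 against an unpatched board means the request was served, not blocked;
    that vhost's account is the one to inspect first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and highlight_is_suspicious(m['target']):
            hits.append((m['ip'], m['ts'], int(m['status']), m['target']))
    return hits


# Constructed sample lines (not from the report above); 192.0.2.0/24 is
# documentation address space, and the highlight values are inert.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2005:00:01:57 -0500] "GET /forum/viewtopic.php?t=3&highlight=%2527x%2527 HTTP/1.1" 200 4821 "-" "-"
192.0.2.11 - - [11/Jan/2005:00:02:30 -0500] "GET /forum/viewtopic.php?t=3&highlight=cpanel HTTP/1.1" 200 4821 "-" "Mozilla"
192.0.2.12 - - [11/Jan/2005:00:03:12 -0500] "GET /forum/viewtopic.php?t=3&highlight=%27 HTTP/1.1" 403 212 "-" "-"
192.0.2.13 - - [11/Jan/2005:00:04:00 -0500] "GET /forum/index.php?highlight=%2527 HTTP/1.1" 200 900 "-" "-"
"""

if __name__ == "__main__":
    for ip, ts, status, target in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

    On a cPanel box the per-domain logs live under the Apache domlogs directory, so running the scanner over each one tells you which account's board took the hit.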
     
  3. webbhost

    webbhost Well-Known Member

    Joined:
    Feb 4, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    How can I install this new phpBB thing and how can I install this security thing? Bearing in mind there's over 200 accounts on my server, in which God knows how many of them have a phpBB board.
     
  4. autumnwalker

    autumnwalker Member

    Joined:
    Jan 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    How do you go about implementing that security option in mod_security?
     
  5. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    You can do 'locate viewtopic.php' to find the vulnerable phpbb file (some other scripts may also use a similarly named file).

    But it sounds like you really need to hire an experienced server administrator to clean up your server.
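    A scripted version of that 'locate viewtopic.php' step for a many-account server, added here as an example and not taken from this thread: it walks the account docroots, treats every directory holding a viewtopic.php as a board, and reports those below 2.0.11. It assumes phpBB 2.0.x records its version in includes/constants.php as define('PHPBB_VERSION', '.0.11') with the board version being '2' plus that string, and a cPanel-style /home/<account>/public_html layout; the sample tree it builds is constructed.

```python
"""Inventory phpBB 2 boards under every account docroot and report those
older than 2.0.11. Added example, not from the thread. Assumes (see lead-in)
that phpBB 2.0.x keeps define('PHPBB_VERSION', '.0.11'); in
includes/constants.php and that the board version is '2' + that string."""
import os
import re
import tempfile

VERSION_RE = re.compile(r"define\s*\(\s*'PHPBB_VERSION'\s*,\s*'([^']*)'\s*\)")
FIXED = (2, 0, 11)   # first release with the highlight fix, per the thread


def board_version(board_dir):
    """Return the version tuple of the phpBB 2 install rooted at board_dir,
    or None if includes/constants.php is missing or cannot be parsed."""
    try:
        with open(os.path.join(board_dir, 'includes', 'constants.php')) as f:
            m = VERSION_RE.search(f.read())
    except OSError:
        return None
    if not m:
        return None
    return tuple(int(p) for p in ('2' + m.group(1)).split('.'))


def find_boards(root):
    """Yield every directory under root holding a viewtopic.php (what
    'locate viewtopic.php' finds, but scoped to root, e.g. /home)."""
    for dirpath, _dirs, files in os.walk(root):
        if 'viewtopic.php' in files:
            yield dirpath


def outdated_boards(root):
    """Map board dir -> version string for installs below 2.0.11 or unknown.
    Unknown versions are reported too: a viewtopic.php with no parseable
    phpBB version deserves a manual look rather than silent skipping."""
    report = {}
    for d in find_boards(root):
        v = board_version(d)
        if v is None or v < FIXED:
            report[d] = 'unknown' if v is None else '.'.join(map(str, v))
    return report


def make_fixture():
    """Constructed sample /home tree: one unpatched account, one patched."""
    root = tempfile.mkdtemp()
    for acct, ver in (('alice', '.0.10'), ('bob', '.0.11')):
        board = os.path.join(root, acct, 'public_html', 'forum')
        os.makedirs(os.path.join(board, 'includes'))
        open(os.path.join(board, 'viewtopic.php'), 'w').close()
        with open(os.path.join(board, 'includes', 'constants.php'), 'w') as f:
            f.write(f"<?php\ndefine('PHPBB_VERSION', '{ver}');\n")
    return root


if __name__ == "__main__":
    for path, ver in outdated_boards(make_fixture()).items():
        print(f"{ver:8} {path}")
```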
     
  6. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    I agree you should probably hire somebody to make sure your server is totally clean. Without looking at it, you probably need to delete the extra files in /tmp then install mod_security, among other things. ::shameless plug:: take a look at my website (in sig) for a guide on mod_security and other things you should probably do to help prevent stuff like this from happening.
     