The Community Forums


Scanning for phpBB2 Worm vulnerabilities

Discussion in 'General Discussion' started by elleryjh, Dec 21, 2004.

  1. elleryjh

    elleryjh Well-Known Member

    One of my customers was hit with this worm yesterday. It is very quick to act (struck again after restoring from backup, before patching was possible) and brutal (replaces all html, php pages). I'm just glad that mod_basedir and PHP suexec are running.

    So my question is... is there an easy way to find all installations of phpBB2 (including those not done with Fantastico), and their versions? Does anyone have a script to detect and/or upgrade these? Thanks.
     
  2. kmenzel

    kmenzel Registered

    Supposedly upgrading to PHP 4.3.10 fixes this, but it might not

    According to the phpBB site, once you upgrade to PHP 4.3.10, this exploit should no longer be possible. However, we upgraded yesterday at around 5pm Central and still got hit with the worm today around 7:30am Central. I don't know why this is. It could be that the vulnerability isn't really fixed. I did verify that our servers really were running 4.3.10 at that time. I'm not sure if the problem is on phpBB itself or on PHP for not really fixing what they claim they fixed. Anyone have any more insight into this?
     
  3. BrooksBridges

    BrooksBridges Well-Known Member

    if you're referring to this post about the php problem, that's not the same as the worm.

    The actual fix is to upgrade to phpbb 2.0.11 or do this patch

    if you upgrade php to 4.3.10, make sure your version of Zend is 2.5+ first, or it breaks other stuff too.

    as far as finding all the phpbb2 installs on a box, you should be able to do this on a CLI (as root):

    Code:
    updatedb && locate viewtopic.php | grep home
    that might get you some extra results that aren't phpbb, but it's a good start
     
    #3 BrooksBridges, Dec 21, 2004
    Last edited: Dec 21, 2004
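One way to cut down the non-phpBB hits mentioned in the post above, as an added example that is not part of the original thread. It uses `find` instead of `locate` so it does not depend on the `updatedb` database; the function names are hypothetical, the sample tree is constructed, and the check (an `IN_PHPBB` define in `viewtopic.php`, next to `common.php` and `includes/`) is an assumption about the phpBB 2 file layout.

```shell
#!/bin/sh
# Added example: narrow viewtopic.php hits down to likely phpBB 2 trees.
# Assumption: phpBB 2 entry scripts contain the IN_PHPBB define and sit
# next to common.php and an includes/ directory.

# is_phpbb_dir DIR -> exit 0 if DIR looks like a phpBB 2 install root
is_phpbb_dir() {
    dir=$1
    [ -f "$dir/viewtopic.php" ] || return 1
    [ -f "$dir/common.php" ] || return 1
    [ -d "$dir/includes" ] || return 1
    grep -q "IN_PHPBB" "$dir/viewtopic.php" 2>/dev/null
}

# find_phpbb ROOT -> prints one candidate install directory per line, sorted
find_phpbb() {
    find "$1" -type f -name viewtopic.php 2>/dev/null |
    while IFS= read -r hit; do
        d=$(dirname "$hit")
        if is_phpbb_dir "$d"; then
            printf '%s\n' "$d"
        fi
    done | sort
}

# make_sample_tree -> builds a constructed test tree, prints its path
make_sample_tree() {
    base=$(mktemp -d) || return 1
    forum="$base/alice/public_html/forum"
    blog="$base/bob/public_html/blog"
    mkdir -p "$forum/includes" "$blog"
    # Constructed stand-in for a phpBB 2 install
    printf "<?php\ndefine('IN_PHPBB', true);\n" > "$forum/viewtopic.php"
    printf "<?php\n" > "$forum/common.php"
    # Constructed false positive: same file name, unrelated application
    printf "<?php\necho 'blog topic';\n" > "$blog/viewtopic.php"
    printf '%s\n' "$base"
}

# Scan a real root only when one is passed: sh find_phpbb.sh /home
if [ "$#" -gt 0 ]; then
    find_phpbb "$1"
fi
```

The output is a list of directories to check against the fixed release named in the thread; it does not report the installed version.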
  4. elleryjh

    elleryjh Well-Known Member

    You just saved me so much time, BrooksBridges. Thanks:)
     
  5. kmenzel

    kmenzel Registered

    Ditto here. Thanks much, and sorry if my confusion spread any confusion.
     
  6. plake

    plake Active Member

    Interesting... Information on the web conflicts itself, finger pointing ensues... Anywho, you guys are always on the ball...
     
