Date: Mon, 27 Dec 2004 19:30:28 -0700
From: Brett Glass <brett@lariat.org>
To: "Jerry Bell" <jerry@syslog.org>, estover@nativenerds.com
Cc: freebsd-security@freebsd.org
Subject: Re: Found security exploit in port phpBB 2.0.8 FreeBSD4.10
Message-ID: <6.2.0.14.2.20041227190210.04f88bf0@localhost>
In-Reply-To: <2990.24.98.86.57.1104197295.squirrel@24.98.86.57>
References: <34657.24.230.37.14.1104187002.squirrel@24.230.37.14> <2990.24.98.86.57.1104197295.squirrel@24.98.86.57>
The "PHPInclude" worm seeks out sites which are running PHP and tries to break into them by injecting unexpected data into variables. If those variables are fed without proper input checking to the include(), require(), or urldecode() functions within the script, or (worse) treated as UNIX commands, it is possible to retrieve the contents of sensitive files and/or execute arbitrary commands on the server.

The same old lesson that seasoned programmers learn just before they get kicked upstairs into management, and the new young ones don't know yet: Never trust potentially hostile input. And always use "tainting" or a similar mechanism if it's available. (What? Don't know about "tainting?" You must be a C programmer.) ;-)

Also see: http://www.pcworld.com/news/article/0,aid,119051,00.asp

Interestingly, the worm is written in Perl, not PHP. I know for a fact that Santy.A, the version that attacked phpBB exclusively, was written in Perl, because I've captured the source in a honeypot. If it's not exactly the same code as that displayed at http://www.k-otik.com/exploits/20041222.sanityworm.pl.php what I caught is darned similar. The more generalized script is at http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

--Brett

At 06:28 PM 12/27/2004, Jerry Bell wrote:
>The update for phpbb came out a while ago, and it looks like the ports
>were updated on 11/25/2004. Have you tried updating the ports? I think
>this is already addressed.
>
>On a side note, I'm surprised you didn't get hit by the worm (unless it
>happened before the worm came out). There is a new worm out now that
>attacks some weak php programming, though it's not very widespread. See
>http://www.syslog.org/Article10.phtml for a little more detail.
>
>I don't know if it's a worm or not, but I'm seeing people trying to attack
>my site pretty frequently lately.
>
>Best regards & happy holidays,
>
>Jerry
>http://www.syslog.org
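The "unchecked variable fed to include()" pattern that Brett's mail describes, shown as a vulnerable snippet beside an allowlisted form. This is an added example, not code from the thread, from phpBB or from the worm; the page names, module paths and php.ini values are assumptions for illustration.

```php
<?php
// Added example: a request parameter reaching include() unchecked,
// beside a hardened version. Module names and paths are assumptions.

// --- Vulnerable: whatever the client sends becomes the include path. ---
// A traversal string, or (with allow_url_include on) a remote URL, makes
// include() read or execute content the programmer never intended.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened: the client only selects a key in a fixed allowlist. ---
// The request value is never used as a path; the path comes from a table
// the programmer controls, and unknown keys fall back to a default.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/modules/home.php',
    'faq'     => __DIR__ . '/modules/faq.php',
    'profile' => __DIR__ . '/modules/profile.php',
];

function resolve_page(string $requested): string
{
    // array_key_exists (not in_array) so the lookup is exact and type-safe.
    return array_key_exists($requested, ALLOWED_PAGES)
        ? ALLOWED_PAGES[$requested]
        : ALLOWED_PAGES['home'];
}

function render_page_hardened(string $requested): void
{
    include resolve_page($requested);
}

// Defence in depth at the interpreter level (php.ini, assumed values):
//   allow_url_fopen   = Off
//   allow_url_include = Off
//   open_basedir      = /var/www/site
// These bound what include() can reach even if one script slips past review.

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
render_page_hardened($page);
```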