From owner-freebsd-security@FreeBSD.ORG Tue Dec 28 02:31:24 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A0B4816A4CE for ; Tue, 28 Dec 2004 02:31:24 +0000 (GMT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8071C43D41 for ; Tue, 28 Dec 2004 02:31:22 +0000 (GMT) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA03706; Mon, 27 Dec 2004 19:30:50 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.2.0.14.2.20041227190210.04f88bf0@localhost>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Mon, 27 Dec 2004 19:30:28 -0700
To: "Jerry Bell" , estover@nativenerds.com
From: Brett Glass
In-Reply-To: <2990.24.98.86.57.1104197295.squirrel@24.98.86.57>
References: <34657.24.230.37.14.1104187002.squirrel@24.230.37.14> <2990.24.98.86.57.1104197295.squirrel@24.98.86.57>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 28 Dec 2004 02:31:24 -0000

The "PHPInclude" worm seeks out sites which are running PHP and tries to break into them by injecting unexpected data into variables. If those variables are fed without proper input checking to the include(), require(), or urldecode() functions within the script, or (worse) treated as UNIX commands, it is possible to retrieve the contents of sensitive files and/or execute arbitrary commands on the server.
The same old lesson that seasoned programmers learn just before they get kicked upstairs into management, and the new young ones don't know yet: Never trust potentially hostile input. And always use "tainting" or a similar mechanism if it's available. (What? Don't know about "tainting?" You must be a C programmer.) ;-)

Also see: http://www.pcworld.com/news/article/0,aid,119051,00.asp

Interestingly, the worm is written in Perl, not PHP. I know for a fact that Santy.A, the version that attacked phpBB exclusively, was written in Perl, because I've captured the source in a honeypot. If it's not exactly the same code as that displayed at http://www.k-otik.com/exploits/20041222.sanityworm.pl.php what I caught is darned similar. The more generalized script is at http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

--Brett

At 06:28 PM 12/27/2004, Jerry Bell wrote:
>The update for phpbb came out a while ago, and it looks like the ports
>were updated on 11/25/2004. Have you tried updating the ports? I think
>this is already addressed.
>
>On a side note, I'm surprised you didn't get hit by the worm (unless it
>happened before the worm came out). There is a new worm out now that
>attacks some weak php programming, though it's not very widespread. See
>http://www.syslog.org/Article10.phtml for a little more detail.
>
>I don't know if it's a worm or not, but I'm seeing people trying to attack
>my site pretty frequently lately.
>
>Best regards & happy holidays,
>
>Jerry
>http://www.syslog.org
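The include-injection pattern Brett describes at the top of his message, shown as an added illustration that is not part of the mailing-list post and not code from phpBB or from the worm. The first function is the unsafe shape (a request parameter reaching include() unchecked); the second applies the "never trust hostile input" rule in the way PHP allows, since PHP has no taint mode of its own: the parameter is treated as untrusted until it matches a fixed allowlist, and the path is then built from a constant directory rather than from the raw value. The page names, directory and function names are assumptions made up for the example.

```php
<?php
// Added example (not from the mailing-list post). Demonstrates the
// include() misuse described in the message and one way to harden it.

// UNSAFE: the request parameter is spliced straight into include().
// Whoever controls ?page= controls which file on the server is read and
// executed; with allow_url_include enabled, even a remote URL would do.
function render_page_unsafe(array $get): void
{
    include $get['page'] . '.php';
}

// HARDENED: the parameter is "tainted" until it has been checked against
// an allowlist of known page names (assumed names for this example).
const PAGE_DIR      = __DIR__ . '/pages';          // assumed layout
const ALLOWED_PAGES = ['home', 'faq', 'contact'];  // assumed page set

// Returns the absolute path of an allowed page, or null for anything else.
// Only the allowlisted name, never the raw input, ever reaches the path.
function resolve_page(array $get): ?string
{
    $name = $get['page'] ?? 'home';
    if (!is_string($name) || !in_array($name, ALLOWED_PAGES, true)) {
        return null;   // unknown, traversal, URL, array: all rejected alike
    }
    return PAGE_DIR . '/' . $name . '.php';
}

function render_page(array $get): void
{
    $path = resolve_page($get);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown page';
        return;
    }
    include $path;
}

// Example usage when run as a web script: render_page($_GET);
```

The same allowlist-then-build rule applies to the other sinks the message names: a value destined for a shell command should likewise be matched against the set of values the script actually expects (or passed through escapeshellarg()) before it is used, and urldecode() output should be validated after decoding, not before, since the decoded form is what reaches the sink.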