[PHPwestoz] are there any known php vulnerabilities around?

Sol Hanna sol at autonomon.net
Wed Feb 16 19:40:02 UTC 2005


firepages.com.au wrote:

>You running phpBB? if so patch it (or FUD yourself up ...
>http://fud.prohost.org)
>
>It's unlikely to be a vulnerability in PHP itself, more likely a PHP or PERL
>application (phpBB && Awstats both recently compromised to this extent)
>
>Regards,
>Simon.
>
>
>----- Original Message -----
>From: "Sol Hanna" <sol at autonomon.net>
>To: <PHPwestoz at lists.linux.org.au>
>Sent: Wednesday, February 16, 2005 5:11 PM
>Subject: [PHPwestoz] are there any known php vulnerabilities around?
>
>
>  
>
>>Mondo bad news - my server just got cracked! >:o
>>
>>The crack involved index.php files in all directories under the web root
>>being overwritten with an intelligent bit of cracker poetry thus:
>>
>>"Noturnos Crimez... OwnZ yOu, By Lord Cha0s.. * Mais um Dia se
>>passa..tudo novo.. mais pq eu sempre me ferro? fiko triste.. e tudo por
>>causa de uma minina que eu amo d+... nossa.. eu daria tudo pra tela
>>comigo. nos meus braços abraçala , beijala.. pedir desculpas a ela..
>>nossa.. eu seria o cara mais feliz se vesse ela a ultima vez.. soh
>>queria dizer .. GISLAINE EU TI AMO! d+!!!!!"
>>
>>Just a text file.
>>
>>That seems to be the extent of the damage, though I'm still quite pissed
>>off. Given that it has only affected index.php files in this way, it
>>seems that a PHP vulnerability is to blame. Anyone know anything about
>>this so I know how to take action to prevent it?????
>>
>>    
>>
Thanks for this tip Simon. I know that I'm not using a vulnerable 
version of phpBB because I was aware of the flaw in phpBB and was using 
a more recent version (2.0.11) that wasn't vulnerable. BUT I am using a 
vulnerable version of AwStats. I found out about it simply by Googling. 
There's an interesting article here:
http://it.slashdot.org/article.pl?sid=05/02/08/1834203&tid=172&tid=156

It points to how phpBB can be attacked from perl. The very sad part of 
this story is that last night I noticed when I ran 'top' on my server 
that perl was using over 90% of CPU. I thought, "that's odd, there's no 
cron jobs scheduled for this time of night." So I killed the process and 
thought nothing more of it.

silly me. :-[

Thank you also to Leon. You've raised a lot of points that I want to look 
at more closely. I've been getting a bit lax about permissions, etc. and 
this is the wake-up call I needed to have a good review of what's going 
on. And thanks to you I've got a good starting point of reference.

thanks guys; sol :-)



