Re: [PHPwestoz] are there any know php vulnerabilities around?

[Sol Hanna <sol@autonomon.net>]

firepages.com.au wrote:

> You running phpBB ? if so patch it (or FUD yourself up ...
> http://fud.prohost.org)
>
> Its unlikely to be a vunerability in PHP itself , more likely a PHP or PERL
> application (phpBB && Awstats both recently compromised to this extent)
>
> Regards,
> Simon.
>
>
> ----- Original Message -----
> From: "Sol Hanna" <sol@autonomon.net>
> To: <PHPwestoz@lists.linux.org.au>
> Sent: Wednesday, February 16, 2005 5:11 PM
> Subject: [PHPwestoz] are there any know php vulnerabilities around?
>
>
>  
>
> > Mondo bad news - my server just got cracked! >:o
> >
> > The crack involved index.php files in all directories under the web root
> > being overwritten with an intelligent bit of cracker poetry thus:
> >
> > "Noturnos Crimez... OwnZ yOu, By Lord Cha0s.. * Mais um Dia se
> > passa..tudo novo.. mais pq eu sempre me ferro? fiko triste.. e tudo por
> > causa de uma minina que eu amo d+... nossa.. eu daria tudo pra tela
> > comigo. nos meus braços abraçala , beijala.. pedir desculpas a ela..
> > nossa.. eu seria o cara mais feliz se vesse ela a ultima vez.. soh
> > queria dizer .. GISLAINE EU TI AMO! d+!!!!!"
> >
> > Just a text file.
> >
> > That seems to be the extent of the damage, though I'm still quite pissed
> > off. Given that it has only affected index.php files in this way, it
> > seems that a PHP vulnerability is to blame. Anyone know anything about
> > this so I know how to take action to prevent it?????
> >
> >    
Thanks for this tip Simon. I know that I'm not using a vulnerable 
version of phpBB because I was aware of the flaw in phpBB and was using 
a more recent version (2.0.11) that wasn't vulnerable. BUT I am using a 
vulnerable version of AwStats. I found out about it simply by Googling. 
There's an interesting article here:
http://it.slashdot.org/article.pl?sid=05/02/08/1834203&tid=172&tid=156

It points to how phpBB can be attacked from perl. The very sad part of 
this story is that last night I noticed when I ran 'top' on my server 
that perl was using over 90% of cpu. I thought, "that's odd, there's no 
cron jobs scheduled for this time of night." so i killed the process and 
thought nothing more of it.

silly me. :-[

thankyou also to Leon. you've raised a lot of points that i want to look 
at more closely. i've been getting a bit lack about permissions, etc and 
this is the wake up call i needed to have a good review of what's going 
on. and thanks to you i've got a good starting point of reference.

thanks guys; sol :-)