Re: phpBB Worm

[Alvin Packard <appredator () gmail com>]

Last look at my log files and I was hit a total of 421 times by 278
different IPs. It seems to be moving rather quickly as these were from
the last 2 days. Good luck to those who have not patched yet.

Alvin Packard, CWNA
www.networksecuritytech.com


On 22 Dec 2004 04:34:59 -0000, ycw1bh302 () sneakemail com
<ycw1bh302 () sneakemail com> wrote:
> In-Reply-To: <Pine.LNX.4.61.0412212325470.1764 () mailbox prolocation net>
>
> Forgive me if this is a newbie question, but a site I help run was hit by this, and I'm trying to understand it to 
> protect against future worms.
>
> The worm exploits the phpBB highlight vulnerability.  It uses PHP to run Perl to write the Perl script file, then 
> executes it.  The script then proceeds to traverse the entire directory structure, overwriting .php, .htm, .shtm, 
> .phtm, and on our server, .ssi files, and then spreads itself.  Correct?
>
> I have two questions:
>
> 1.  Why has the worm been as effective on Windows servers as on *nix servers?  At the very least, shouldn't the 
> difference in file and directory naming cause a problem?  I looked at the decoded Perl script, but I'm not a Perl 
> expert, so I couldn't understand all of it.  And what about the difference in file permissions?
>
> 2.  More importantly, why wasn't the worm's destructive ability limited by file permissions, especially on *nix 
> servers?  If, for example, an HTML file on the server was uploaded by user bob, and has permissions of 755, how can 
> the Perl script delete that file?  Shouldn't the Perl script be created with the Perl process's permissions, which 
> was invoked by PHP, which should have the Web server's permissions, which should be, at least on most *nix servers, 
> the nobody user?
>
> This is a big issue on shared servers, or virtual hosts, whatever you want to call them.  Our site is on a shared 
> server, and our site does not even run phpBB, but most of our HTML files were replaced with the worm's content.  
> Obviously, then, another site on the server must have an old version of phpBB.  But why could the worm, coming in 
> through another site, modify files created by other users?  Even if the worm's script ran as the owner of the 
> vulnerable viewtopic.php file, how could it then modify non-world-writable files created by other users?
>
> I have long been concerned with the security of PHP scripts, especially on shared servers.  Since PHP almost always 
> runs as an Apache module, and Apache usually runs as nobody, one must make files and directories world-writable for 
> PHP scripts to be able to write to them.  But that means that any process on the server, including anyone's PHP 
> script, can modify the files.
>
> Thanks for any insights.
>
> Adam Porter