annie
Posted December 20, 2004

Some friends of mine had their website defaced today. Here's what the pages said:

-------------
This site is defaced!!!
NeverEverNoSanity WebWorm generation 10.
--------------

Problem is, I can't find anything on Google or anywhere else about the defacer or the tool. So what on earth is this? And who's the proper party to report it to in case we find evidence of what was done?

All index files were replaced, as well as all php files. That included a little script I'd hidden in a password protected directory!!!!

They're running phpBB. Don't know if that's significant. They'll work with the webhost (not TCH) on figuring it out, but as one who's been on the receiving end of this sort of joke before, I'd like to DO SOMETHING! sniff...

Head Guru
Posted December 20, 2004

There is nothing you can do except make sure your own web hosting account is as secure as it can be. Bottom line is this. The only way to fully protect your site is to unplug the server it resides on.

Web Sites get hacked, defaced and much more. Plenty of smart people on the internet, that's for sure. Stick one in the cap for them and move on. Just make sure you're keeping all your code up to date and so on.

Bill

MikeJ
Posted December 20, 2004

> They're running phpBB. Don't know if that's significant. They'll work with the webhost (not TCH) on figuring it out, but as one who's been on the receiving end of this sort of joke before, I'd like to DO SOMETHING!

As Bill said, the main thing is they just need to make sure they keep their software up to date. There have been a couple of vulnerabilities disclosed recently that affect phpBB. The first was in phpBB itself for versions prior to 2.0.11, and the other was in PHP versions prior to 4.3.10 which phpBB (among many other packages) was also affected by. So they just need to make sure their phpBB (and all modules) is up to date, and their provider's PHP is up to date (as well as any other software used).

[Moving to appropriate forum...]

Edited December 20, 2004 by TCH-MikeJ

annie
Posted December 20, 2004

This is really weird! The forum was starting to work again. Then another friend IMs me and tells me he gets that message again after 'View your posts'.

I checked last modified date on web root when I first saw the defacement, and now again, and the time doesn't match. But it DID match when I rechecked it before the forum stopped working. Logic bomb or the hacker redefaced?

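Added example (not written by any poster in this thread): a read-only triage script for the question raised in the post above, whether files were rewritten once or in several passes. It searches a web root for the defacement text quoted in the first post and groups the matching files by modification time; the file suffixes and the 5-minute grouping window are assumptions.

```python
import os
import time

# Marker text quoted in the first post of this thread.
MARKER = b"NeverEverNoSanity"
# Assumption: file types to inspect (the thread reports index and .php files replaced).
SUFFIXES = (".php", ".htm", ".html", ".shtml", ".phtml")
# Assumption: writes within this many seconds of each other count as one pass.
WINDOW = 300


def find_defaced(root):
    """Return [(path, mtime)] for files under root that contain the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if MARKER in fh.read():
                        hits.append((path, os.path.getmtime(path)))
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return sorted(hits, key=lambda h: h[1])


def group_passes(hits, window=WINDOW):
    """Split mtime-sorted hits into passes separated by gaps longer than window."""
    passes = []
    for path, mtime in hits:
        if passes and mtime - passes[-1][-1][1] <= window:
            passes[-1].append((path, mtime))
        else:
            passes.append([(path, mtime)])
    return passes


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for n, batch in enumerate(group_passes(find_defaced(root)), 1):
        start = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(batch[0][1]))
        print(f"pass {n}: {len(batch)} file(s), first write {start}")
        for path, _ in batch:
            print("   ", path)
```

More than one pass in the output means files were rewritten at clearly separate times. Modification times also change when files are restored or re-uploaded, so compare them with the host's access logs before drawing conclusions.
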
annie
Posted December 21, 2004

Looks like a lot of people got hit: http://www.phpbb.com/phpBB/viewtopic.php?t=241300

I haven't read the whole thread yet (24 pages long right now), but this is likely where solutions will emerge. I should say that my friends' site is not on IPower.

annie
Posted December 21, 2004

By now they've figured this thing out and the news reports are coming hard and fast. Upgrade to phpBB 2.0.11 and you'll be fine if you haven't already been hit. Renaming the forum while you do might be a good idea, so you won't get hit while working on it.

If your blog isn't in Google, you should be safe. I have a friend who's got two phpBB forums on one server. One's hit, the other's not. The one that wasn't hit wasn't in Google. Then there are others who've been lucky so far, but there's a lot of pain in the webworld today...

Glovebox
Posted December 21, 2004

Yah, there is a major security issue with the last release of phpbb, I would recommend upgrading to the latest version straight away. Hackers are able to access the config.php file, which is bad news.

Adam!

MikeJ
Posted December 21, 2004

> Yah, there is a major security issue with the last release of phpbb, I would recommend upgrading to the latest version straight away. Hackers are able to access the config.php file, which is bad news.

phpBB versions prior to 2.0.11 are vulnerable to multiple methods of compromise, as noted here. The compromise that allows access to config.php actually uses a vulnerability in PHP (the language, not phpBB) versions prior to 4.3.10. TCH has already upgraded to 4.3.10 to protect against those attacks.

While we are on the subject of phpBB, I'd also like to note again that there is a vulnerability in the widely used Attachment Module for phpBB that you should be aware of if you use that module.

annie
Posted December 21, 2004

Also, note this story: http://www.theinquirer.net/?article=20329

We might see exploits targeting other software soon. Even got a guy insisting his Movable Type weblog got infected with this! He doesn't seem to have phpBB listed in Google. Might be on an insecure host, though?

TCH already updated PHP, I see.

jme574
Posted December 22, 2004

Here is another article about the phpbb worm: http://www.kaspersky.com/news?id=156681162

annie
Posted December 22, 2004

My local TextTV reported that the internet could break down today because of Santy.A! Come online early, to find out F-Secure had heard from Google that they're filtering the queries from the worm, and now it's stopped!

But upgrading is still not negotiable. You never know when the next yokel has a good idea!