Good afternoon, friends! I will begin by saying that my acquaintance with PHP and phpBB is a matter of necessity: we use this forum on our project because we have not found a worthier alternative. Apart from periodic updates, I do not deal with PHP, and I am not familiar with the inner workings of this forum.
Recently a terrible thing happened: our server, with an uptime of a little less than a year (since the last migration), rebooted. The server hosts the main site and a phpBB 3.0.12 forum.
The /var/log/auth.log was uninformative:
Oct 6 09:36:21 fsr sudo: pam_unix(sudo:auth): auth could not identify password for [www-data]
Oct 6 09:36:21 fsr sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=...
Finding no further details, I restored the site. The next day I discovered more important information:
Oct 5 22:55:55 fsr su[18114]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/21 ruser=www-data rhost= user=admin
Oct 5 22:55:57 fsr su[18114]: FAILED su for admin by www-data
Oct 5 22:55:57 fsr su[18114]: - /dev/pts/21 www-data:admin
Oct 5 22:57:50 fsr su[18310]: pam_unix(su:auth): authentication failure; logname= uid=33 euid=0 tty=/dev/pts/21 ruser=www-data rhost= user=admin
Oct 5 22:57:52 fsr su[18310]: FAILED su for admin by www-data
Oct 5 22:57:52 fsr su[18310]: - /dev/pts/21 www-data:admin
Oct 5 22:58:39 fsr su[18384]: Successful su for admin by www-data
Oct 5 22:58:39 fsr su[18384]: + /dev/pts/21 www-data:admin
That is, access had been obtained. This time several interesting processes were found running as www-data:
ps aux|grep www-data
perl /tmp/bp.pl 31337 /bin/sh -i import pty; pty.spawn( /bin/sh )
First of all I update the forum to the latest version of phpBB, 3.1.9 at the moment. After that I kill the processes and wait for new entries in auth.log. It turned out that this was not necessary at all: after a while the killed processes appeared again.
I go to /var/www/forum and run:
ack-grep -l '\.pl'
In particular, pay attention to *.php files marked as executable. My attention was drawn to a file called members.php with the execute flag set, in which both bp.pl and the well-known port 31337 were encountered. This file is not in the list of files from the phpBB archive. I deleted the file; in the nginx and apache logs, constant requests to this file were found. I grep again, and lo and behold, this time the executable ucpi.php is found, with the same content. By the way, the original exploit code was found on GitHub, which helped a lot.
The phpBB update process is quite convenient: the main part of the folder is replaced, but there are folders that are carried over from the previous version of the project. That is how the exploits migrated to the updated forum.
Now the problem seems to be solved, but from time to time I will check auth.log, the process list and the source code. Maybe my opinion is not objective, but this is not the first hacker intrusion even on our forum, and it is one of the reasons for my cool attitude to PHP in general and phpBB in particular.
I would be interested to know how relevant this information is and how widespread this vulnerability is.
Thanks for your attention.
UPD. Thank you for the warm welcome and support. Your feedback really came in handy! The server was successfully recaptured.
Special thanks to PaulAtreides for the help.
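Added example, not from the post's author: a small Python scan that applies the two checks the post describes, picking su/sudo attempts by the web server account out of auth.log, and flagging PHP files under the web root that are not in the package's file list and are either executable or contain the markers found in the planted files. The log lines, file names and contents below are constructed stand-ins modelled on what the post quotes; the known-file set is a hypothetical two-entry stand-in for the real phpBB archive listing.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed auth.log lines, modelled on the entries quoted in the post.
SAMPLE_AUTH_LOG = """\
Oct 5 22:55:57 fsr su[18114]: FAILED su for admin by www-data
Oct 5 22:58:39 fsr su[18384]: Successful su for admin by www-data
Oct 6 09:36:21 fsr sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh
Oct 6 10:00:00 fsr su[19000]: Successful su for root by admin
"""
SU_RE = re.compile(r"su\[\d+\]: (Successful|FAILED) su for (\S+) by (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers")

def privilege_events(log_text, service_user="www-data"):
    """(kind, target_user) for each su/sudo attempt made by the web server account; an admin's own su is ignored."""
    events = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m and m.group(3) == service_user:
            events.append(("su_" + m.group(1).lower(), m.group(2)))
        m = SUDO_RE.search(line)
        if m and m.group(1) == service_user:
            events.append(("sudo_denied", "root"))
    return events

MARKERS = (b"bp.pl", b"31337")  # strings the post found inside the planted files

def suspicious_php_files(webroot, known_files):
    """Relative paths of .php files not in known_files that are executable or carry a marker."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel in known_files:
            continue  # shipped by the package; compare against the archive listing instead
        executable = bool(path.stat().st_mode & stat.S_IXUSR)
        if executable or any(m in path.read_bytes() for m in MARKERS):
            hits.append(rel)
    return sorted(hits)

def demo_scan():
    """Constructed web root: one legitimate file, one executable plant, one plant found only by its markers."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php // constructed stand-in for a shipped phpBB file\n")
    (root / "members.php").write_text("<?php // constructed stand-in for the planted file\n")
    (root / "members.php").chmod(0o755)  # the execute bit alone is enough to flag it
    (root / "ucpi.php").write_text("<?php // constructed stand-in, not executable, markers: bp.pl 31337\n")
    return suspicious_php_files(root, known_files={"index.php", "ucp.php"})
```

The file check needs the real archive listing to be meaningful; a copy of `index.php` in a directory phpBB does not ship would be flagged here only if it were executable or carried a marker.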