phpBB mass-hack warning

p2p news / p2pnet: Bots are registering user accounts on phpBB forums, "raising concerns that the bot’s authors are laying the groundwork for mass exploitation down the road," warns Netcraft.

One such warning showed up on Digg yesterday. "During the last few days a bot using the name FuntKlakow has been registering on maybe thousands of phpBB forums," says the post.

FuntKlakow’s post signatures have included links to proxy surfing and traffic generator services, "raising the prospect that its goal may be spam rather than exploits," says Netcraft.

"The bot is also capable of posting to forums," says Juuso Hukkanen on newsreader. "But on most forums the bot keeps silent.

"OK, what is the danger? Next time phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) to attack thousands of sites/forums.

"The best defence against these kinds of bot members might be setting up honeypot forums, which the search engines can find but to which there are no permanent links from the web. When new bot members are detected, they would be listed on each particular forum maker's homepage.

"When a bot then tries to register on a forum, the forum program would check the user name (or other characteristics) the user/bot entered and, if those match ones caught by the honeypot forums, the registration would be rejected (and possibly the IP banned for some time)."
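The honeypot scheme Hukkanen sketches, as an added example (not code from the article, from newsreader or from phpBB): a shared feed of usernames and IPs caught by honeypot forums, and a registration gate that rejects matching sign-ups and puts the source IP on a time-limited ban. The feed format, the `RegistrationGate` class, the ban length and the sample sightings are all assumptions made here for illustration.

```python
"""Registration gate fed by honeypot-forum sightings.

Added example, not from the p2pnet article or the phpBB project. The feed,
the gate and the sample data are constructed for illustration.
"""
import time
from dataclasses import dataclass, field


@dataclass
class HoneypotFeed:
    """Usernames and IPs observed registering on honeypot forums (assumed format)."""
    usernames: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    def report(self, username, ip):
        # Case-fold names so "FuntKlakow" and "funtklakow" match.
        self.usernames.add(username.casefold())
        self.ips.add(ip)


class RegistrationGate:
    """Checks a registration attempt against the feed and keeps temporary IP bans."""

    def __init__(self, feed, ban_seconds=3600, clock=time.time):
        self.feed = feed
        self.ban_seconds = ban_seconds
        self.clock = clock          # injectable for testing
        self.bans = {}              # ip -> unix time at which the ban expires

    def is_banned(self, ip):
        until = self.bans.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.bans[ip]       # ban has lapsed; forget it
            return False
        return True

    def check(self, username, ip):
        """Return (allowed, reason) for a registration attempt."""
        if self.is_banned(ip):
            return False, "ip temporarily banned"
        if username.casefold() in self.feed.usernames or ip in self.feed.ips:
            # Matches a honeypot sighting: reject and ban the source for a while.
            self.bans[ip] = self.clock() + self.ban_seconds
            return False, "matches honeypot sighting"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sighting: the name from the article plus a documentation-range IP.
    feed = HoneypotFeed()
    feed.report("FuntKlakow", "192.0.2.10")
    gate = RegistrationGate(feed, ban_seconds=60)
    print(gate.check("funtklakow", "198.51.100.7"))   # rejected, IP banned
    print(gate.check("alice", "198.51.100.7"))        # rejected while ban lasts
    print(gate.check("alice", "203.0.113.4"))         # allowed
```

Matching on the bare username is the weakest part of the scheme, since a bot can vary its name per forum; the IP match and the temporary ban carry more weight, and the feed would need to be refreshed from the honeypots regularly to stay useful.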

Nor is this the first time phpBB has been in the news with security problems.

phpBB has been banned by some web hosts but, "That hasn’t prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets," adds Netcraft.

Also See:
Netcraft: Bot Authors Targeting phpBB Forums, March 20, 2006
Digg: phpBB mass hack being prepared?, March 19, 2006
newsreader: phpBB mass-hack being prepared, March 7, 2006
Slyck hacked, March 7, 2005


2 Responses to “phpBB mass-hack warning”

  1. Reader's Write Says:

    This is really not a terribly difficult problem to deal with. All of the attempts of bots and other idiots to try and screw around with any php objects on my websites show up in the logs as errors when the targets are simply not there because that site does not have a php Board. Now that the target .php files are known, simply change the names of the target files and edit the package of scripts using global search and replace to change the reference to them in scripts that run the php Board. Change any hyperlinks to the correct files names.

    Now, legitimate users who access the board through proper mechanisms can access the board and shouldn’t notice any difference (aside from the different file names in the location bar) and the bots will get 404ed because they attempt to perform a POST function on the standard filename. The people who wrote bots arrogantly assume that most webmasters are simply too stupid to institute simple countermeasures.

    For additional fun, one could leave malicious scripts on the server under the ’standard’ file names as a tarpit or poison for uninvited pests.
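The log-based detection the first commenter describes, as an added example that is not part of the comment or of phpBB: once the board's scripts have been renamed, a POST to one of the old standard file names that draws a 404 is a strong bot signal. The script names listed, the Apache-style log format and the log lines themselves are assumptions constructed here for illustration.

```python
"""Flag IPs that POST to standard phpBB script names and get a 404.

Added example, not from the p2pnet page or the commenter. STANDARD_SCRIPTS
and the sample log are assumptions constructed for illustration.
"""
import re
from collections import Counter

# Assumed list of the standard entry points that were renamed on the server.
STANDARD_SCRIPTS = ("profile.php", "posting.php", "login.php")

# Apache combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one bot probing the old names, one human on the renamed
# board, and one GET-only crawler that should not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Mar/2006:10:01:02 +0000] "POST /forum/profile.php?mode=register HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Mar/2006:10:01:05 +0000] "POST /forum/posting.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Mar/2006:10:02:00 +0000] "GET /forum/b0ard_profile.php?mode=register HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2006:10:02:30 +0000] "POST /forum/b0ard_profile.php?mode=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.4 - - [19/Mar/2006:10:03:00 +0000] "GET /forum/profile.php?mode=register HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one access-log line; return a dict with ip/method/path/status/script or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Script name without query string or directory prefix.
    rec["script"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec


def find_probing_ips(lines):
    """Count, per IP, POSTs to a standard phpBB script name that returned 404."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["status"] == "404"
                and rec["script"] in STANDARD_SCRIPTS):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, count in find_probing_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} POST(s) to renamed phpBB scripts")
```

Only POSTs are counted, because that is the action the comment singles out; GETs to the old names are common from ordinary crawlers following stale links and would generate noise. Counts above one or two from the same IP are worth feeding into whatever temporary ban the server already supports.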

  2. Reader's Write Says:

    Mass hack? I just see it as one of the many spam bots out there, the majority of them advertise links to proxies, casinos and various drugs.
