Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-12-20 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

* UPDATE: phpBB Worm. Holiday Security Guide, Predictions for 2005, Sign that you take security too serious.

Published: 2004-12-20
Last Updated: 2004-12-21 17:32:03 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)
phpBB Worm (added Dec 21st 12 pm EST)

We just received reports about a new worm that infects web servers running phpBB. Apparently, there is no patch at this point. However, according to, a workaround can be found here: .

Currently, Google returns about 5.7 Million hits when searching for 'powered by phpBB'. A quick look at some of the sites matched didn't turn up any defacement so far.

According to some reports we got, patching php to the latest version (4.3.10 or 5.0.3) will fix the problem. The bug is a php bug, but phpBB makes it easy to mass-exploit this bug.

If you are infected and are able to extract a copy of the perl script, submit it via our contact form: .
Holiday Security Guide

If you read this diary, chances are that some piece of computer equipment is on your Santa list. So here comes a short list of things to think about (I hope its short enough so you will remember ;-) ):

Wireless Access points: Enable WEP. Yes, WEP sucks. But its better then nothing. If you can, enable 'WPA'. Make sure to use a strong passphrase either way, and turn off ESSID broadcasting. Once you got the new gadget tested and feel more comfortable with it, try and limit access to MAC addresses you own.
(brief update: As one of our readers, Chuck, pointed out, turning off the SSID can cause support issues and doesn't provide anything WEP doesn't already do. Turning off the SSID will prevent accidental connections to the AP, not determined association attempts).

New PCs: Lucky you. Got a new system waiting for you under the tree? Before connecting it to a network, make sure it is patched. If you got a system with Windows pre-installed, make sure it got Service Pack 2 and the firewall is enabled. Many systems shipped these days will allow you to install SP2 the first time you turn it on. If you are planning to give away a system, make sure to attach a Service Pack 2 CD (its ok to give away your own. MSFT's license on SP2 explicitly states that you can share the upgrade CD. NOTE: If you got a new PC with XP-SP2, you may not use the OEM version obtained with this PC to upgrade older Windows 9x PCs. You need to purchase a "boxed" version of Windows, or upgrade to another operating system)

Routers/Firewalls: Got a new firewall appliance / router? Good for you. But even security devices have to be secured. As always, apply patches. Router manufacturers regularly publish firmware upgrades. Some of which may fix security holes. Also, disable remote administration and setup a strong password. If possible, familiarize yourself with the admin interface first, before connecting the device to an outside network. This may not alway be possible. I just ran across a Netgear wireless router, which as part of its 'quick start wizard' requires an IP address at its external ("WAN") port.

VoIP: Jim mentioned VoIP yesterday. For sure, it will be a popular gift this Christmas. I tested a number of commercial VoIP providers over the last year, and non of them used any encryption. Overall, use it like e-mail. On the plus side: The provider will take care of any updates (but most of them time the updates are retrieved via TFTP, which is not exactly secure). If you are using a VoIP device over a free service like FWD, you can get a free SSL certificate for encryption from ( ). At this point, this service only works with Sipura devices.

Other issues you may want to consider:

* If you got better things to do over the holidays then working with your computer, shut it down. Not only will a turned off computer be more secure, but it also saves power.

* End of year is a good opportunity to do a complete backup of your system, and clean out some of the crud that accumulated.

* while you are cleaning out things, change your passwords. Not all sites expire passwords. The new year may be a good time to change things like your online banking password.

Predictions for 2005

Care to share what you think will be the big security topic in 2005? Use our
contact form ( ). My own favorites: VoIP, BotNet control using p2p protocols, device security ("Did you patch your toaster today?").

Top 10 signs that you are taking security too serious

Finally, don't forget to keep things in perspective ;-)

(10) you just waited in line at the post office to mail a 15 1/2 oz package instead of dropping it into the drop box.

(9) you painted your house in green/blue/yellow/orange/red.

(8) you insist on wearing safety glasses while watching IDS logs in case a packet jumps out at you.

(7) only use a C64 to browse the web and read your e-mail. No exploits since ??

(6) your password can't be cracked by a Cray supercomputer, but you need one to remember it.

(5) you bought an x-ray scanner to screen your presents for dangerous contraband.

(4) you installed a metal detector at the cat door to screen the cats as they come back from outside.

(3) your middle initial is 'D' for duct tape.

(2) C4 attached to router wired to IPS.

(1) Tin foil beany AND lead underwear.
have fun with all your new toys!


Johannes Ullrich, jullrich'@';
1 comment(s)
Diary Archives