more phpBB 2.0.12 fun; Identity theft; alternative browser java exploit
More about phpBB <= 2.0.12
phpBB 2.0.13 is still safe.
An exploit has been released for phpBB bulletin boards. It tries to drop netcat into the web root. There is another binary in tmp, which I have not directly identified, that appears to exploit a race condition in the Linux kernel; the file is named pwned and it calls a data file called TTdummyfile.
Previous diary entries regarding phpBB:
http://isc.sans.org/diary.php?date=2005-03-12
http://isc.sans.org/diary.php?date=2005-02-27
http://isc.sans.org/diary.php?date=2005-02-22
We have had one report of a system compromised with this tool. Since it creates at least one backdoor on the system, my recommendation is to take the machine offline and rebuild it, with the caveat that the same exploit path may still exist: from the report I have seen, the exploit works on all the current versions of phpBB, Apache, and PHP. I will update this information as I learn more. The exploit is listed as affecting phpBB versions <= 2.0.12. The system in the report we got today was running version 2.0.12; it had not been fully patched to 2.0.13.
I was informed this evening that the netcat file was downloaded by the owner, not by the exploit, to compare it to the pwned and other files in the tmp directory.
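As an added example (not part of the diary), here is a small host check a defender could run on a suspected phpBB server. It flags the artefacts described above: netcat or any native ELF binary under the web root, and the pwned and TTdummyfile names in the tmp directory. The directory layout and the fake ELF headers in demo() are constructed for the demonstration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# File names taken from the diary, used as indicators to flag (not an exhaustive list).
TMP_INDICATORS = {"pwned", "TTdummyfile"}
WEBROOT_INDICATORS = {"nc", "netcat"}

def is_elf(path):
    """True if the file starts with the ELF header magic (a native Linux binary)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def scan(webroot, tmpdir):
    """Return sorted (reason, path) findings for the web root and the tmp directory."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(root, name)
            if name in WEBROOT_INDICATORS:
                findings.append(("netcat-named file in web root", path))
            elif is_elf(path):
                # A PHP forum has no business shipping native executables, whatever the name
                findings.append(("ELF binary in web root", path))
    for name in os.listdir(tmpdir):
        path = os.path.join(tmpdir, name)
        if name in TMP_INDICATORS and os.path.isfile(path):
            findings.append(("named artefact in tmp", path))
    return sorted(findings)

def demo():
    """Build a constructed sample layout (fake ELF headers only) and scan it."""
    base = tempfile.mkdtemp()
    webroot, tmpdir = os.path.join(base, "htdocs"), os.path.join(base, "tmp")
    os.makedirs(os.path.join(webroot, "phpBB2", "images"))
    os.makedirs(tmpdir)
    with open(os.path.join(webroot, "phpBB2", "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>\n")                 # benign, must not be flagged
    with open(os.path.join(webroot, "phpBB2", "images", "logo.gif"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 12)                    # binary hiding behind an image name
    with open(os.path.join(webroot, "nc"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 12)                    # netcat dropped into the web root
    with open(os.path.join(tmpdir, "pwned"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 12)                    # the diary's unidentified binary
    open(os.path.join(tmpdir, "TTdummyfile"), "wb").close()  # its data file
    return scan(webroot, tmpdir)
```

A real run would point scan() at the actual document root and /tmp; a hit on a rebuilt host indicates the exploit path the diary warns about is still open.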
Identity theft
We got a note from a reader regarding a series of phone calls he received with regard to credit applications. He had not filled any out. After questioning the callers (there were several; one was a Honda dealer) he found that they had his name correct but none of his other data.
The pertinent thing here is that he immediately had a fraud alert placed on his account for the next three months. This alert has been set with all three bureaus.
There is excellent information on how to protect yourself at this web site:
http://www.fightidentitytheft.com/flag.html
We wish this reader good luck. It is getting harder to protect yourself.
Alternative browser Java exploit
Lastly for now, there is now a cross-browser exploit for Mozilla browsers, written up in The Register. The affected page calls a Java applet which appears to be signed with a bogus code-signing cert that expired in February. If you click Yes, the applet launches IE and installs a bunch of spyware nasties.
As far as I can tell it does not penetrate the sandbox directly, since user intervention is required, though I could be wrong. The article is here: http://www.theregister.co.uk/2005/03/11/alternative_slimeware/
This is yet another thing for users to look out for. My opinion is that we will see more of this type of cross-browser exploit in the future, and that we will start to see it used for malware instead of spyware.
Opinion
It is beginning to look grimmer on the net. I think I am going to pick up my copy of Handler Ed Skoudis' book "Malware: Fighting Malicious Code" and re-read the optimistic conclusion to brighten things up a bit.
Speaking of books, Handler Lenny Zeltser's (and others') new book "Inside Network Perimeter Security" (second edition) is out now. I got my copy yesterday as one of the technical editors. The authors have taken this book from really good to great! Check it out.
Dan Goldberg GCFW
MADJiC Consulting, Inc.
dan at madjic dot net