Last look at my log files and I was hit a total of 421 times by 278 different IPs. It seems to be moving rather quickly as these were from the last 2 days. Good luck to those who have not patched yet.

Alvin Packard, CWNA
www.networksecuritytech.com

On 22 Dec 2004 04:34:59 -0000, ycw1bh302@xxxxxxxxxxxxxx <ycw1bh302@xxxxxxxxxxxxxx> wrote:

> In-Reply-To: <Pine.LNX.4.61.0412212325470.1764@xxxxxxxxxxxxxxxxxxxxxxx>
>
> Forgive me if this is a newbie question, but a site I help run was hit by this, and I'm trying to understand it to protect against future worms.
>
> The worm exploits the phpBB highlight vulnerability. It uses PHP to run Perl to write the Perl script file, then executes it. The script then proceeds to traverse the entire directory structure, overwriting .php, .htm, .shtm, .phtm, and on our server, .ssi files, and then spreads itself. Correct?
>
> I have two questions:
>
> 1. Why has the worm been as effective on Windows servers as on *nix servers? At the very least, shouldn't the difference in file and directory naming cause a problem? I looked at the decoded Perl script, but I'm not a Perl expert, so I couldn't understand all of it. And what about the difference in file permissions?
>
> 2. More importantly, why wasn't the worm's destructive ability limited by file permissions, especially on *nix servers? If, for example, an HTML file on the server was uploaded by user bob, and has permissions of 755, how can the Perl script delete that file? Shouldn't the Perl script be created with the Perl process's permissions, which was invoked by PHP, which should have the Web server's permissions, which should be, at least on most *nix servers, the nobody user?
>
> This is a big issue on shared servers, or virtual hosts, whatever you want to call them. Our site is on a shared server, and our site does not even run phpBB, but most of our HTML files were replaced with the worm's content. Obviously, then, another site on the server must have an old version of phpBB. But why could the worm, coming in through another site, modify files created by other users? Even if the worm's script ran as the owner of the vulnerable viewtopic.php file, how could it then modify non-world-writable files created by other users?
>
> I have long been concerned with the security of PHP scripts, especially on shared servers. Since PHP almost always runs as an Apache module, and Apache usually runs as nobody, one must make files and directories world-writable for PHP scripts to be able to write to them. But that means that any process on the server, including anyone's PHP script, can modify the files.
>
> Thanks for any insights.
>
> Adam Porter
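The shared-host exposure Adam describes at the end (files and directories made world-writable so that PHP running as nobody can write to them) is something an administrator can audit for. The script below is an added example written for this page, not code from either poster: it builds a constructed sample web root under a temporary directory and reports every entry that any local uid could modify, including world-writable directories, whose entries can be unlinked or replaced no matter how tight the files' own modes are.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Walk `root` and return {relative_path: reason} for every entry that any
    local process, regardless of its uid, could modify. A world-writable
    directory is reported because entries inside it can be unlinked or
    replaced even when the files themselves are 0644."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; the target is checked on its own
            mode = stat.S_IMODE(st.st_mode)
            if not mode & stat.S_IWOTH:
                continue
            rel = os.path.relpath(full, root)
            if stat.S_ISDIR(st.st_mode):
                sticky = " with sticky bit" if mode & stat.S_ISVTX else ""
                findings[rel] = "world-writable directory%s (%o)" % (sticky, mode)
            else:
                findings[rel] = "world-writable file (%o)" % mode
    return findings

def build_demo_tree():
    """Constructed sample web root mirroring the shared-host layout in the
    question: siteA keeps sane modes, siteB opened itself up for PHP."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "siteA/index.html": 0o644,
        "siteB/index.html": 0o644,
        "siteB/cache/data.php": 0o666,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample -->\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "siteA"), 0o755)
    os.chmod(os.path.join(root, "siteB"), 0o777)         # the shared-host mistake
    os.chmod(os.path.join(root, "siteB", "cache"), 0o777)
    return root

if __name__ == "__main__":
    for path, reason in sorted(audit_tree(build_demo_tree()).items()):
        print(path, "->", reason)
```

Note that siteB/index.html itself is 0644 and is not reported, yet it can still be replaced by any local process because its parent directory is 0777; that is the case the second question asks about.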