*Security Warning*

 
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Mon Jan 03, 2005 7:20 pm    Post subject: *Security Warning*

I believe my computer has been hacked! I don't know how, but I am warning everyone!! I found a PHP script called "php1.php" in my htdocs folder along with an executable file called "Open.exe"! I opened this file and found it very disturbing: people could view and change all of my files! (So far I have only found my tutorials page deleted, but it would be possible for them to delete my whole site!) The name of the program/script is "PhpSpy Ver 2005" and it is mainly in Chinese. I have password protected this file for the moment because I want to undergo more of an investigation into this script. If Aprelium would like to take a closer look at this file, please contact me and I will provide you with the password.

if ANYONE can provide more information on this matter, could you please post it here or email me!!

Please Please help me with this one....i need it!!
_________________
Please SEARCH the forums BEFORE asking questions!
Axis
Joined: 29 Sep 2003
Posts: 336

PostPosted: Mon Jan 03, 2005 8:07 pm

Hello richardyork--

What version of phpBB are you using? Anything before 2.0.11 is *very* vulnerable to a new exploit.

Could that be it?

Regards,
Axis
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Mon Jan 03, 2005 8:12 pm

No, this doesn't have anything to do with phpBB, but I know where you are coming from. Thank you for your reply!

This seems to give the hacker the ability to delete and even modify any file on your hard disk!! For example, I was checking it out just now and, as it is mainly Chinese, I accidentally deleted my tutorials page! This is a very serious issue and I urge all members to check their htdocs for the files mentioned in my first post!

Please, any more help from anyone would be much appreciated!

Thank You!
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Mon Jan 03, 2005 8:37 pm

How do you know it has nothing to do with your phpBB forum? The fact that you actually ran a random file you found in your htdocs folder boggles the mind - what if it had been set up to simply wipe everything on your HD when loaded?

I tried to check what version you're running but although your site is up your forum is down... Is that intentional?
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Mon Jan 03, 2005 8:43 pm

Yes, it is intentional! I have viewed the source of the PHP document, then viewed it in Internet Explorer. That is how I know what it does. As for the "Open.exe", I haven't and wouldn't touch that! Anonymoose, if you would like to check it out I will give you the password, just PM me!

Thank You!
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Mon Jan 03, 2005 9:10 pm

I'll certainly take a look at it. Can you confirm exactly what PHP and phpBB versions you were running prior to the file appearing?
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Mon Jan 03, 2005 9:30 pm

PHP 4.3.10 and phpBB 2.0.8, but I am currently updating!

Anonymoose, are you on MSN?

Thank You
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Mon Jan 03, 2005 9:40 pm

Nope, but you can PM me any details you wish - just zip the files up and stick them on your server somewhere. I am 99% certain that you'll find the problem has come from your phpBB board - although the initial Santy worm * was fairly harmless, there are a huge number of variants now circulating attempting to drop various files for remote access to the server.

* http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
Axis
Joined: 29 Sep 2003
Posts: 336

PostPosted: Mon Jan 03, 2005 10:29 pm

http://64.233.167.104/search?q=cache:SNfn2l_Zj-EJ:www.insightbb.com/pcsecurity/detail.aspx%3Fpage%3D7+open.exe&hl=en

???

Regards,
Axis
admin
Site Admin
Joined: 03 Mar 2002
Posts: 956

PostPosted: Mon Jan 03, 2005 10:41 pm    Post subject: Re: *Security Warning*

This can also be caused by the security issues that were discovered in PHP <= 4.3.9, which allow a variety of remote control hacks and code injection.

We have found a reference to PhpSpy 2005 on http://www.4ngel.net/project/phpspy.htm . This is in Chinese, but it seems that it corresponds to what you describe in your post.

Is there a native Chinese speaker here to translate the description of PhpSpy?
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Mon Jan 03, 2005 10:42 pm

After unpacking and analysing the file that Richard had, it doesn't seem to be that open.exe...
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Mon Jan 03, 2005 10:46 pm

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.4ngel.net/project/phpspy.htm&prev=/search%3Fq%3Dphpspy%2B2005%2B4ngel%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26client%3Dfirefox%26rls%3Dorg.mozilla:en-US:unofficial%26sa%3DG

It's not a great translation but it makes enough sense to understand what it does. As far as I can see, PHPSpy and the open.exe are two separate attacks, or rather PHPSpy has been used to install open.exe, but open.exe is not supplied with PHPSpy.
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Mon Jan 03, 2005 11:04 pm

I don't know what is going on, but it has certainly got me worried!! How can I find out what has been infected etc., and what can I do to stop this from happening again? :-(

Thank You All!
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Mon Jan 03, 2005 11:31 pm

Going to bed now and running a virus scan over night. I'll be online all day tomorrow. See Ya!

Thanks For Everyone's Help!

p.s.
Keep me informed if you find something useful!
richardyork
Joined: 22 Jun 2004
Posts: 390
Location: United Kingdom

PostPosted: Tue Jan 04, 2005 3:58 pm

Has anyone else got any ideas on this matter as I am getting very worried about my online security! Is there a program that I can use to scan my computer's ports etc?

Thank You!
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Tue Jan 04, 2005 5:45 pm

Get a decent firewall that shows in a concise way which ports are open and what programs are listening, or use ActivePorts.

The only virus scanner that detected a problem with Open.exe (of the 10 it was tested against) was Kaspersky, so I'd recommend getting hold of a trial version of that for a start and scanning your system again.

However, once you have allowed yourself to be compromised like this, there is no real way you can trust your system without a reinstall. There are plenty of pieces of backdoor software that have a legitimate use and so are not detected by virus scanners, and plenty of ways to hide files on your system if you have full control as this hacker had.

It's up to you, you can either do a full rescan with Kaspersky and check your ports manually with Activeports with no guarantees that all malware has been found, or reinstall a clean copy of Windows and be completely sure your system is no longer a threat.

As I said to you in PM, now would also be a very good time to change *all* your passwords, not just for Abyss but for any online services, email accounts etc etc. You have no easy way of detecting exactly what has been compromised.

To avoid it in future? Keep up to date versions of all the software you are running installed and keep an eye on their websites for any critical security alerts. There is no way in the current climate that you could run the versions of PHP and phpBB you were running and expect to remain secure.
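The question of "how can I find out what has been infected" is hard to answer after the fact, but the next time round a baseline makes it easy to spot exactly what was dropped, deleted or edited in htdocs. The script below is an added example, not code from this thread or from Aprelium: it records a SHA-256 digest of every file under a web root, and later diffs the live tree against that record. The htdocs layout, the file names it drops (the thread's php1.php and Open.exe) and the JSON file name are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not code from the thread or from Aprelium: hash every file
# under a web root and diff it against a saved baseline, so files an intruder
# drops (the thread's php1.php and Open.exe) or deletes (the tutorials page)
# stand out. The htdocs layout in demo() is constructed for this demo.


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files don't load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared, or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the baseline outside the web root (and ideally off the machine):
    # an intruder who can write to htdocs must not be able to rewrite the
    # record of what "clean" looked like.
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small site, replay the intrusion, diff."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        root = tmp / "htdocs"
        (root / "tutorials").mkdir(parents=True)
        (root / "index.html").write_text("<html>home</html>")
        (root / "tutorials" / "index.html").write_text("<html>tutorials</html>")
        save_manifest(build_manifest(root), tmp / "htdocs-baseline.json")

        # What the thread describes: two dropped files and a deleted page,
        # plus one edited page for illustration. Contents are placeholders.
        (root / "php1.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "Open.exe").write_bytes(b"MZ constructed placeholder")
        (root / "tutorials" / "index.html").unlink()
        (root / "index.html").write_text("<html>home (edited)</html>")

        return compare_manifests(load_manifest(tmp / "htdocs-baseline.json"),
                                 build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In real use you would run `build_manifest` on the actual htdocs right after a clean install, store the JSON somewhere the web server cannot write, and re-run the comparison from a scheduled task; a non-empty "added" list containing a .php or .exe you never uploaded is the kind of signal this thread's poster was missing.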
senshi
Joined: 05 Nov 2003
Posts: 385
Location: UK

PostPosted: Thu Jan 06, 2005 5:07 pm

Anonymoose wrote:
...of the 10 it was tested against...

Which 10 was that?
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Thu Jan 06, 2005 7:53 pm

The multiple engine scan service provided by Virustotal.com

* ClamAV (ClamWin)
* Computer Associates (Iris, Vet)
* Doctor Web, Ltd. (DrWeb)
* Eset Software (NOD32)
* FRISK Software (F-Prot)
* H+BEDV (AntiVir)
* Kaspersky Lab (AVP)
* Norman (Norman Antivirus)
* Panda Software (Panda Platinum)
* Softwin (BitDefender)
* Sybari (Antigen)
* Symantec (Norton Antivirus)

I would have expected NOD32 and F-Prot to pick something up myself, but with the file being a telnet server, it is most likely classed as non-malware by those engines...
ScrappyDog
Joined: 30 Dec 2004
Posts: 13
Location: Canada

PostPosted: Sat Jan 15, 2005 7:10 pm    Post subject: Hacker Attack

I also think I had an attack on my server. It was about 4:30am, and my computer started to play the error MP3s that go with the Windows error messages that pop up with the red Xs. There were about a dozen of them by the time I got out of bed to figure it out. I turned off my modem and went back to bed, but unfortunately I wasn't thinking and closed the error windows without reading them carefully. I did an ad-ware and virus scan, but nothing showed up, and there were no weird or unexplained files that I could find in htdocs.

I don't think it's happened since, but I don't really know for sure. Any ideas?

Thanks!
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

PostPosted: Sat Jan 15, 2005 7:16 pm

Do you run any other server software on your PC? eg. mailserver/ftp/dc hub
Have you checked the Abyss access log for any odd looking requests on or around 4:30am ?
Are you using a router and / or software firewall?
k1ll3rdr4g0n
Joined: 04 Jul 2004
Posts: 609

PostPosted: Sat Jan 15, 2005 7:17 pm

Hmm... well, either I must be the luckiest person here or no one wants to hack my server, 'cause I have it on 24/7 with every port forwarded through the router. I even enabled WAN requests. O.o? I think I'm going to cry, I feel so unworthy to hack :(.
ScrappyDog
Joined: 30 Dec 2004
Posts: 13
Location: Canada

PostPosted: Sat Jan 15, 2005 8:03 pm

Anonymoose wrote:
Do you run any other server software on your PC? eg. mailserver/ftp/dc hub
Have you checked the Abyss access log for any odd looking requests on or around 4:30am ?
Are you using a router and / or software firewall?

I'm also running ArgoSoft Email Server. I use a D-Link router, and the Win XP pack 2 firewall.

No, I hadn't thought of checking the log, but I will keep that in mind in case it happens again. I don't really know how to read the log. It's obvious that some are requests to see my webpages, and some are stuff I've done, and some are also my email server serving up its pages. I don't think I'd know what a hack or attempted hack would look like in the log.
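"I don't think I'd know what a hack would look like in the log" is a fair point, so here is an added example (not code from this thread, from Aprelium or from Abyss) of the three checks a reviewer would actually make on an access log after an incident like the ones above: a request for a script or binary that is not part of the site and was nevertheless served, a POST to something that is not one of the site's forms, and a burst of 404s from one address, plus a filter for "everything around 4:30am". It assumes the log is in the Common Log Format, which is an assumption about the server's logging settings; the sample lines, IP addresses (documentation ranges) and path inventory are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not code from the thread or from Aprelium. It assumes the
# access log is in the Common Log Format (an assumption about the server's
# log settings) and that you can list the paths your site is meant to serve.
# SAMPLE_LOG below is constructed; the IPs are documentation ranges.

CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".php", ".exe", ".pl", ".cgi", ".bat", ".asp")


def parse_line(line: str):
    """One CLF line -> dict with parsed time/status, or None if it doesn't match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def triage(lines, known_paths, post_targets, probe_threshold=5,
           window=timedelta(minutes=2)):
    """Return (rule, ip, detail) findings that deserve a human's attention."""
    findings = []
    misses = defaultdict(list)   # ip -> timestamps of its 404 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsable", "-", line.strip()))
            continue
        path = rec["path"]
        # A script or binary that is not part of the site yet was served with
        # a 2xx is what a dropped web shell such as php1.php looks like.
        if (path.lower().endswith(SCRIPT_EXT) and path not in known_paths
                and 200 <= rec["status"] < 300):
            findings.append(("unknown_script_served", rec["ip"], path))
        # POSTs should only ever go to the few forms the site really has.
        if rec["method"] == "POST" and path not in post_targets:
            findings.append(("post_to_unexpected_path", rec["ip"], path))
        if rec["status"] == 404:
            misses[rec["ip"]].append(rec["time"])
    # A burst of 404s from one address is a scanner guessing file names.
    for ip, times in misses.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= probe_threshold:
                findings.append(("probing_404_burst", ip, f"{len(times)} misses"))
                break
    return findings


def around(lines, when: datetime, minutes: int = 15):
    """Lines logged within +/- minutes of `when`, e.g. the 4:30am incident."""
    span = timedelta(minutes=minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and abs(rec["time"] - when) <= span:
            hits.append(line)
    return hits


# Constructed site inventory and incident time (log is written in GMT+1).
KNOWN_PATHS = {"/index.html", "/tutorials/", "/forum/viewtopic.php", "/forum/posting.php"}
POST_TARGETS = {"/forum/posting.php"}
INCIDENT_TIME = datetime(2005, 1, 15, 4, 30, tzinfo=timezone(timedelta(hours=1)))

SAMPLE_LOG = [  # constructed lines, not from any real server
    '203.0.113.7 - - [15/Jan/2005:01:10:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [15/Jan/2005:04:28:11 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [15/Jan/2005:04:28:12 +0100] "GET /tutorials/ HTTP/1.1" 200 2210',
    '198.51.100.23 - - [15/Jan/2005:04:30:02 +0100] "GET /forum/viewtopic.php?t=1 HTTP/1.0" 200 5120',
    '198.51.100.23 - - [15/Jan/2005:04:30:05 +0100] "POST /php1.php HTTP/1.0" 200 310',
    '198.51.100.23 - - [15/Jan/2005:04:30:09 +0100] "GET /Open.exe HTTP/1.0" 200 44032',
    '198.51.100.23 - - [15/Jan/2005:04:31:00 +0100] "GET /x1.php HTTP/1.0" 404 211',
    '198.51.100.23 - - [15/Jan/2005:04:31:01 +0100] "GET /x2.php HTTP/1.0" 404 211',
    '198.51.100.23 - - [15/Jan/2005:04:31:02 +0100] "GET /x3.php HTTP/1.0" 404 211',
    '198.51.100.23 - - [15/Jan/2005:04:31:03 +0100] "GET /x4.php HTTP/1.0" 404 211',
    '198.51.100.23 - - [15/Jan/2005:04:31:04 +0100] "GET /x5.php HTTP/1.0" 404 211',
    '203.0.113.7 - - [15/Jan/2005:04:35:40 +0100] "POST /forum/posting.php HTTP/1.1" 200 880',
]


def demo():
    return triage(SAMPLE_LOG, KNOWN_PATHS, POST_TARGETS)


if __name__ == "__main__":
    for rule, ip, detail in demo():
        print(f"{rule:24s} {ip:15s} {detail}")
    print(len(around(SAMPLE_LOG, INCIDENT_TIME)), "requests within 15 minutes of the incident")
```

Against the constructed log this reports the POST to php1.php twice (unknown script, unexpected POST target), the download of Open.exe, and the five-miss burst from the same address, while the normal traffic from the first client produces nothing. Reading a real log the same way means keeping the path inventory honest: anything the site does not serve on purpose is a question, not noise.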
senshi
Joined: 05 Nov 2003
Posts: 385
Location: UK

PostPosted: Sat Jan 15, 2005 9:50 pm

Yes, a DC HUB is a security issue.

I had no end of issues with people intentionally trying to gain access; the number of times I found my system was bombarded and the firewall was recording hits at the HUB port, and also multiple hits were recorded in the router, as the software firewall ran at the router.

Also, mail servers are always being abused; plenty of spammers want to spam-mail people from open proxies. Always run your SMTP & POP server with authentication and preferably through a recognised ISP. I have used Argosoft mail server and it's pretty good and uncomplicated, unlike some I have tried.

You are relying on the Windows XP firewall, no wonder you're being or have been hacked; that won't stop owt for toffee. Kill it off completely and install a 3rd party firewall like ZoneAlarm, which actually represents the least trouble setting up, if you take a little time to poke about and understand what you're doing.

If your router has the machine in the DMZ then take it out of the DMZ and start forwarding ports and generally sitting down and configuring your router, if that has some firewall capabilities then invoke them.

You can do a lot security-wise, and you really should try AVG6 or AVG7 from www.grisoft.com as it is a very good anti-virus scanner and removal tool with a good track record. It has saved me a few times from web sites trying to take advantage of exploits in browsers. You could have picked this up by simply browsing...

Run some scanning software like...

Ad-aware from www.lavasoft.de and grab the Adaware SE
Spywareblaster from www.javacoolsoftware.com
Spybot Search & Destroy from www.safer-networking.org

and they will clear your system; they all have proven track records and do not put any spyware on your system, as some spyware removal tool competitors claim. They do, however, clear out a lot of nasty stuff, especially after being run for the first time, so be in for a shocker. My first time cleared out opened my eyes.
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3719
Location: USA, GA

PostPosted: Sun Jan 16, 2005 2:45 am

Can this exploit only happen when someone uploads the file to you? If that
is the case, you can always get an upload program that restricts file types :/
_________________
Computer Programmer & Networking Specialist

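"Restricts file types" is the right idea, but a check that looks only at the name the browser sent is easy to talk past. As an added example (not code from this thread, from Aprelium or from any particular upload program), here is what a server-side check for one uploaded file should do: strip any directory part the client sent, allow only a short list of extensions, refuse double extensions and names with no usable extension, compare the leading bytes against what a genuine file of that type starts with, cap the size, and store the file under a name the uploader did not choose. The extension list, byte signatures and size limit are assumptions picked for the demo.

```python
import re
import secrets

# Added example, not code from the thread, from Aprelium or from any upload
# program: a server-side check for one uploaded file that combines an
# extension allow-list with a look at the file's leading bytes. The names,
# signatures and limits here are assumptions chosen for the demo.

# Extension -> the "magic" byte prefixes a genuine file of that type begins with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload(filename: str, data: bytes, max_bytes: int = 2_000_000) -> str:
    """Return the sanitised name if the upload is acceptable, else raise ValueError."""
    # Drop any directory part the client sent (../../x, C:\x): only the base name counts.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("missing file name")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:                       # "README", ".htaccess"
        raise ValueError("file has no usable extension")
    ext = ext.lower()
    if ext not in MAGIC:
        raise ValueError(f"extension .{ext} is not allowed")
    if "." in stem:                               # "shell.php.jpg" style double extensions
        raise ValueError("double extensions are not allowed")
    if not SAFE_STEM.match(stem):
        raise ValueError("file name contains unsafe characters")
    if len(data) > max_bytes:
        raise ValueError("file too large")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise ValueError(f"content does not look like a .{ext} file")
    return f"{stem}.{ext}"


def is_acceptable(filename: str, data: bytes) -> bool:
    try:
        check_upload(filename, data)
        return True
    except ValueError:
        return False


def stored_name(ext: str) -> str:
    """Name to store the file under: random, so the uploader never chooses it."""
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\0" * 16),
        ("../../htdocs/x.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
        ("php1.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff"),
        ("notes.pdf", b"<?php echo 1; ?>"),
        (".htaccess", b"constructed"),
    ]
    for name, data in samples:
        try:
            clean = check_upload(name, data)
            print(f"accept {name!r} -> stored as {stored_name(clean.rsplit('.', 1)[1])}")
        except ValueError as why:
            print(f"reject {name!r}: {why}")
```

The byte-signature check is what stops a PHP script renamed to .jpg, and the random stored name plus a storage directory outside htdocs (or one the server is configured never to execute scripts from) is what stops a file that does slip through from being reachable as a script at a URL the uploader knows.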