*ugh*

I have been working on a website for the last week with a new ISP server (pweb.info) and also been contributing to the forum http://macforum.pweb.info/. Recently we have had a bot run through the system and destroy *almost* every site that was on the server. This means that the macforums site AND most of everyone else's sites (including pweb's OWN forums) had their PHP MySQL databases erased. Most people did not have backups, or if they did on the server that they used for their site, it was wiped too.

I was not hit nearly as hard as the other sites (I didn't use PHP on my site) and Ultimate's was not hit very much.

If you don't know what pweb is, it's a free webserving company that allows you to serve your own webpage for free, with every technology you can cram on the site. And best of all, it's free! But... Macforums has been hacked (which was one of the first sites on pweb) several times. Most of them were just the local site. This time, a hacker bot went through MacForums into the backbone of the server, and as it moved through the server, it deleted PHP databases one-by-one until it had killed every site that was on the server rack.

Even right now, the server is under heavy load as several IP addresses are doing a DDoS on the system. So the server memory and CPU are red-lining it.
We are trying to clean up from the aftermath, but are having a hard time. The people who do the serving are really upset and are trying to deal with it. This hacker bot has been moving through image URLs (I think) to get into the backbone of the system and has been hitting a lot of sites.
(Note to applefritter users: if you use MySQL/PHP, you might want to contact me, as I can get you additional info on this bot. I talk with the server admins and *might* be able to get the IP addresses of the bot routes.)

I will update if anything new happens. Please keep the site servers in your thoughts, as well as the admins that pay for this, as this is a new thing to be serving websites for free WITHOUT ads, and letting people explore site creation without restraints.

Comments

BDub:

I'm assuming that if it's an actual PHP or SQL vulnerability you've informed the relevant developers? Or is it a specific web application vulnerability? The amount of information you've included here is basically useless.

Do you know if they're running PHP in safe mode?

coius:

I should have more data by tomorrow. I will inform you through PM. Right now, all I know is that it entered through avatars.

coius:

Well... we were using PHP 4 (phpBB) with MySQL 5, and we had a user FuntKlakow that had entered the site through reg access. He then used a virus to gain access through the "post reply" function, where it got into the server system. It also entered access through a "post Poll" system, where instead of the poll that the server was doing (the script for it) it executed the script on the post reply file and ran it in the MySQL database. Once in, it went through the server (all the sites for pweb are hosted in a data center and are on a rackmount setup) systems.
This may not pertain to you, but I suggest placing an autoban on Funtklakow, as it is just a bot that is running on the net. Once it executes, another server that has been "zombified" does a DDoS, placing a lot of strain on the servers. If you use PHP for the systems here, remain on high alert, as the bot has targeted a LOT of sites, and some of them are pretty secure. This is a link on some of the hacking the bot has been doing:
PHP Mass hacking

Area51, whois funtklakow

BDub:

I think you're confusing the app phpBB and the actual PHP executable. Sounds like a security flaw in phpBB itself. Correct me if I'm wrong.

Given that it managed to run through all the sites on one server, I'm doubting that the server was correctly set up to host multiple accounts.

phpBB users should probably disable any 'funtklakow' accounts, or register one to make sure a bot isn't able to.

coius:

So this probably doesn't pertain to you. I didn't know, so I was just giving the heads up. The bot does MASS registering, and registers on 100s of sites a day. MacForums has been hit the worst, as it seems the bot has been modified to do more than just spamming the forums that it used to be doing. NOW it is doing malicious activity on the PHP databases. I'm sorry if I can't give more info, as I am only repeating what I have heard.

It's not just running through one server, but it seems to use other servers to hack into one (or just doing the DDoS through other servers). It also likes to change permissions on website files, as I have experienced with my site (it set almost *all* of my files to allow NO access to them, and I couldn't do FTP access through it). So, it's probably not hitting the custom-built forums. Right now, the macforums site is in the middle of a transfer to the Olympus phpBB system. Hopefully all goes well. But be AWARE, the bot has mutated several times, and is hitting in more ways than one. We just happened to get the first of the new mutation. So the guy seems to be finding other exploits, and not just in phpBB. It seems to be hitting through other gateways.
It has evolved a lot since first released, so the guy seems to be watching what it is doing, and is exploiting new ways. There was one site on the pweb system that was not using phpBB and it still got hit. It just seems to wipe the SQL databases once it enters. I'm pretty sure this is not the last adaptation of it.
I would just like to wring the neck of the person that made the bot/virus. It has caused so many problems to forum systems.

Sorry for sounding amateurish, but how is IP spoofing done?