UBB.threads PHP Forum Software Community Forums UBB.threads 6 Version 6 Bug Reports Security problem in addpost_newpoll.php

Got fecked over by this a couple of times since the 23rd

[root@box httpd]# grep addpost_newpoll.php net-access_log |wc -l
1060

<img src="https://www.ubbcentral.com/boards/images/graemlins/shocked.gif" alt="" />

Thing is Rick, you knew about the problem early on in may and it only just found its way onto the likes of checksum.org and secuirtyfocus.com in the last couple of days.... If you had a mailing list for errata updates for things like this it might save us all from having to spend a few hours mopping up the various aol and credit card phishing sites that have been installed on our servers.... Just a thought.

now to check for back doors you want to look for any folders that were writable by the user you run your webserver as "apache or httpd usually".. i had /userimages and /attachments. they'll prolly be full of phishing sites now - mine where.

check the contents of /tmp for backdoor proggies.

Then run a 'netstat -npl' to see what ports are accepting connection on your box.

For example i found an "apache" program running on 0.0.0.0:5555 which isn't right.

[root@box httpd]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
:Welcome!psyBNC@ArDaN.or.id NOTICE * <img src="https://www.ubbcentral.com/boards/images/graemlins/tongue.gif" alt="" />syBNC2.3.1

more digging found this in /tmp


nice.

Oh and also look at the crontab for the user your web server runs as (usually 'crontab -u apache -e')

mine was calling various scripts every minute (/var/log/cron should show you that too).