Topic: Forum Intrusion
Our forum was "hacked" 16/Mar/2005:04:24 by some scriptkid.
Since this is a corporate server FBI has been contacted and sent all the details about this hack.
The clueless hacker didn't use a proxy or anything, so his IP was easy to spot.
The first sign of attempt:
188.8.131.52 - - [16/Mar/2005:04:24:36 +0100] "GET /phpBB2/admin/index.php?sid=c39d8d5416a82e28a654b2b03269dc01 HTTP/1.1" 200 638 "http://tinymce.moxiecode.com/phpBB2/" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"
This is a known exploit in phpBB2, we didn't have the latest version of phpBB2, some critical update was released a while ago.
What happens is that you go to the phpBB2 forum, at that a cookie is made on your computer, if you edit this cookie and insert a certain string you can get admin access, this is cause the actual default admin user in phpBB2 is made in a certain way (always has ID 1 or 2 in database).
The only access he got was to the admin panel of phpBB2.
If you (the scriptkid) contact us "spam (at) moxiecode (dot) com" and appologize for this I will withdraw the FBI complaint.
You have 24 hours to respond, after that, your entire IP range will be blocked at our firewall.
Some more details about the intruder:
(The 1652 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 23/tcp open telnet 80/tcp open http 1023/tcp filtered netvenuechat 1025/tcp filtered NFS-or-IIS 8081/tcp open blackice-icecap 8082/tcp open blackice-alerts No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=3.50%P=i686-pc-linux-gnu%D=3/16%Time=4237ECBB%O=22%C=1) TSeq(Class=TR%IPID=RD%TS=2HZ) T1(Resp=Y%DF=N%W=109%ACK=S++%Flags=AS%Ops=MENWNNT) T2(Resp=N) T3(Resp=N) T4(Resp=Y%DF=N%W=7D78%ACK=O%Flags=R%Ops=) T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=N%W=7D78%ACK=O%Flags=R%Ops=) T7(Resp=N) PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=15C%RID=F%RIPCK=0%UCK=0%ULEN=134%DAT=E) Uptime 25.962 days (since Fri Feb 18 10:16:36 2005) TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!) IPID Sequence Generation: Randomized Nmap run completed -- 1 IP address (1 host up) scanned in 153.923 seconds