Topic: Forum Intrusion

Our forum was "hacked" on 16/Mar/2005 at 04:24 by some scriptkid.

Since this is a corporate server, the FBI has been contacted and sent all the details about this hack.

The clueless hacker didn't use a proxy or anything, so his IP was easy to spot.

The first sign of the attempt:

58.8.0.251 - - [16/Mar/2005:04:24:36 +0100] "GET /phpBB2/admin/index.php?sid=c39d8d5416a82e28a654b2b03269dc01 HTTP/1.1" 200 638 "http://tinymce.moxiecode.com/phpBB2/" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"

This is a known exploit in phpBB2; we didn't have the latest version of phpBB2, as a critical update was released a while ago.

What happens is that you go to the phpBB2 forum, at which point a cookie is made on your computer. If you edit this cookie and insert a certain string you can get admin access; this is because the default admin user in phpBB2 is created in a certain way (it always has ID 1 or 2 in the database).

The only access he got was to the admin panel of phpBB2.

If you (the scriptkid) contact us at "spam (at) moxiecode (dot) com" and apologize for this, I will withdraw the FBI complaint.

You have 24 hours to respond; after that, your entire IP range will be blocked at our firewall.

Some more details about the intruder:

(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
1023/tcp filtered netvenuechat
1025/tcp filtered NFS-or-IIS
8081/tcp open     blackice-icecap
8082/tcp open     blackice-alerts
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

Uptime 25.962 days (since Fri Feb 18 10:16:36 2005)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

Nmap run completed -- 1 IP address (1 host up) scanned in 153.923 seconds
Afraithe
TinyMCE Developer
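As an added example (not code from the original post or from TinyMCE), here is how a defender could have spotted this kind of access in the Apache log as it happened: it parses combined-format lines like the one quoted above and alerts on every successful request to the phpBB2 admin panel from an address outside a known-admin allowlist. The sample log lines, the allowlist and the IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Apache combined log format, the same layout as the line quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ADMIN_PREFIX = "/phpBB2/admin/"  # only administrators should ever reach this path

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_admin_access(lines, allowed_ips):
    """Map each IP outside allowed_ips to its successful (2xx) admin-panel requests.
    A 200 from an unknown address is the signal to alert on; a 302 or 403 means the
    panel redirected to login or refused, so those are not counted."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue
        if rec["ip"] in allowed_ips or not 200 <= rec["status"] < 300:
            continue
        hits[rec["ip"]].append((rec["ts"], rec["path"].split("?", 1)[0], rec["status"]))
    return dict(hits)

# Constructed sample log modelled on the quoted line; addresses are from the RFC 5737
# documentation ranges, and 192.0.2.10 stands in for the office address that legitimately
# uses the admin panel.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Mar/2005:04:24:36 +0100] "GET /phpBB2/admin/index.php?sid=c39d8d5416a82e28a654b2b03269dc01 HTTP/1.1" 200 638 "http://tinymce.moxiecode.com/phpBB2/" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"
198.51.100.7 - - [16/Mar/2005:04:25:02 +0100] "GET /phpBB2/admin/admin_users.php?sid=c39d8d5416a82e28a654b2b03269dc01 HTTP/1.1" 200 4410 "http://tinymce.moxiecode.com/phpBB2/admin/index.php" "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"
192.0.2.10 - - [16/Mar/2005:09:01:11 +0100] "GET /phpBB2/admin/index.php?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 638 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Mar/2005:09:05:40 +0100] "GET /phpBB2/admin/index.php HTTP/1.1" 302 0 "-" "curl/7.15"
203.0.113.5 - - [16/Mar/2005:09:05:41 +0100] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.1" 200 9001 "-" "curl/7.15"
"""
KNOWN_ADMIN_IPS = {"192.0.2.10"}

def report(log_text=SAMPLE_LOG, allowed_ips=KNOWN_ADMIN_IPS):
    """One alert line per unexpected IP, with the time of its first admin-panel hit."""
    hits = find_admin_access(log_text.splitlines(), allowed_ips)
    return [f"ALERT {ip}: {len(ev)} admin request(s), first at {ev[0][0]}" for ip, ev in sorted(hits.items())]
```

Run the same function over the live access log on a schedule; the 302 from the curl client shows why the status filter matters, since an unauthenticated hit on the admin path is noise, while a 200 is the event to investigate.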

Re: Forum Intrusion

His IP range has been blocked in the firewall. Through the logs I could see that he has seen the above message.

Afraithe
TinyMCE Developer