[WBEL-users] Severe PHP vulnerability??

Pucky Loucks ploucks@h2st.com
Mon, 20 Dec 2004 12:15:13 -0800


I just got this 1 hour ago on my production servers using phpbb.  Does 
anyone know if this is a full-fledged compromise or is this a script 
kitty.  If I can help in any way Mike, just let me know.

thanks,
Pucky
On 20-Dec-04, at 11:51 AM, Mike Staver wrote:

> I sent out an email with an attachment for people to check out, but 
> apparently the list doesn't accept attachments without approval. 
> Basically, I was just saying that I've been compromised by this new 
> security hole already.  A worm called the NeverEverNoSanity WebWorm 
> generation 9.  I can't find squat on google about this, so all I have 
> done right now is kill apache.  Every php file on my entire system 
> that was web accessible has been replaced with this lovely text:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD><BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS>
> </BODY></HTML>
>
> So, my point is, updated PHP rpms would be appreciated.  Also, I want 
> to throw time at this to make a contribution to the project - can 
> somebody tell me how to snag the source if any RH updates 
> exist, and then how to roll them for WBEL?
>
> Johnny Hughes wrote:
>> On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
>>> Hello all,
>>>
>>> By now I'm sure everyone is aware of the major vulnerability with PHP
>>> versions prior to 4.3.9 or 5.0.2.  There are actually a number of
>>> different problems, but all (except one, which is currently being
>>> exploited) are only problems for hosts which allow users to create
>>> their own PHP pages.  The one remotely exploitable attack, which deals
>>> with the unserialize() call (and on Athlon64 systems has been
>>> demonstrated to execute shell code with the privileges of the web
>>> server process), is widely used.
>>>
>>> http://www.hardened-php.net/advisories/012004.txt
>>>
>>> What are other WBEL users doing to protect themselves?  The only
>>> updates I have found are source code downloads of PHP 4.3.10 or 5.0.3,
>>> and from what I hear it's a royal pain to recompile PHP and all the
>>> drivers.  WBEL has version 4.3.2.
>>>
>>> Does anyone know of a solution to this, while we wait for RedHat to
>>> release an official RHEL fix?  Does someone know where the unserialize
>>> problem is and how to fix it - perhaps I could backport the fix to
>>> the 4.3.2 WBEL packages.  I'll do some research and let everyone know.
>> These packages are released, but unsupported for RHEL3:
>> http://people.redhat.com/jorton/Taroon-php/
>> _______________________________________________
>> Whitebox-users mailing list
>> Whitebox-users@beau.org
>> http://beau.org/mailman/listinfo/whitebox-users
>
> -- 
>
>                                 -Mike Staver
>                                  staver@fimble.com
>                                  mstaver@globaltaxnetwork.com
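A small triage script for the two checks this thread turns on, added here as an example and not code from any poster: whether the installed PHP predates the 4.3.9 / 5.0.2 fixes jk42 names, and whether web-root .php files have been overwritten with the defacement page Mike quotes (it also flags files that still call unserialize() so they can be reviewed). The version thresholds and the worm marker come from the thread; everything else is this example's own assumption.

```python
#!/usr/bin/env python3
"""Triage helpers for the PHP unserialize() advisory and the WebWorm defacement."""
import os
import re
import sys

# Fixed releases named in the thread: 4.3.9 for the 4.x line, 5.0.2 for 5.x.
FIXED = {4: (4, 3, 9), 5: (5, 0, 2)}

# Text the worm leaves in every replaced .php file, as quoted in the thread.
DEFACE_MARKER = "NeverEverNoSanity WebWorm generation 9"


def parse_version(text):
    """Pull a dotted version out of 'php -v' output or a bare string like '4.3.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this PHP release predates the fixed release for its major line."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return False  # major lines the thread does not discuss are not judged here
    return version < fixed


def classify_php_file(content):
    """'defaced' if the file is the worm's page, 'has_unserialize' if it calls unserialize(), else 'ok'."""
    if DEFACE_MARKER in content:
        return "defaced"
    if re.search(r"\bunserialize\s*\(", content):
        return "has_unserialize"
    return "ok"


def scan_webroot(root):
    """Walk root and return {path: verdict} for every .php file that is not 'ok'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as f:
                    verdict = classify_php_file(f.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if verdict != "ok":
                findings[path] = verdict
    return findings


if __name__ == "__main__":
    # usage: triage.py <webroot> ["<php -v output>"]
    if len(sys.argv) > 2 and is_vulnerable(parse_version(sys.argv[2])):
        print("PHP is older than the fixed release")
    for path, verdict in sorted(scan_webroot(sys.argv[1]).items()):
        print(verdict, path)
```

Run it against the document root with the output of `php -v` as the second argument; a non-empty list of `defaced` files means the web server should stay down until they are restored from known-good sources.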