Fix phpBB
Since dealing with phpBB exploits has now become a common problem for shared hosts, I thought I would write a simple how-to for finding and fixing any outdated phpBB forums located on your server. Please understand before starting, though, that it is really down to the client to resolve these issues, not yourself.
At the bottom I have attached a few of the older scripts I created/used, which were used to fix the exploits at that time.
How to find outdated installs:
While people may find this hard, it's the easiest part of the whole process. First, find out the latest version of phpBB from phpbb.com, then proceed to the phpBB forums and into the announcements area. The direct link is:
http://www.phpbb.com/phpBB/viewforum.php?f=14
Find the post that matches the latest release; at the time of writing this would be 2.0.17:
http://www.phpbb.com/phpBB/viewtopic.php?t=308490
This post announces the quick fix, which is what we will use to search. What you have to do is find a piece of the code the fix replaces, which will only exist in old installations. In this case I used "t<]*)#is", which will only be in versions below 2.0.17. Now that we have what we are going to search for, we have to think about how to search. The best way is to use the find command in Linux; you can read more about it by executing `man find`.
The file the "exploit" exists in, in this case, was bbcode.php, so all we have to do is build a command to search:
find /home/ -name "bbcode.php" -exec grep 't<]\*)#is' {} \; -print
would be the command, where
/home/ = the directory to start searching in.
bbcode.php = the file we want to search in.
't<]\*)#is' = what we want to search for; note the \ before the * so grep treats it as a literal character.
All you have to do is run this command; for every vulnerable install it prints the matching line followed by the path of the file.
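An added example (not part of the original guide): a POSIX shell version of the same search that uses a fixed-string match, so no escaping is needed, and labels each hit with the hosting account it belongs to. The function name find_outdated and the /home/<account>/ directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Signature the guide gives for bbcode.php in installs older than 2.0.17.
SIGNATURE='t<]*)#is'

# find_outdated ROOT [FILE] [SIGNATURE]
# Prints "account<TAB>path" for every FILE under ROOT that contains SIGNATURE.
# "account" is the first directory below ROOT, assuming the usual
# /home/<account>/... shared-hosting layout (an assumption, adjust as needed).
find_outdated() {
    root=${1%/}                 # drop a trailing slash so prefixes line up
    name=${2:-bbcode.php}
    sig=${3:-$SIGNATURE}
    # grep -F: treat the signature as a fixed string, not a regex.
    # grep -l: print only the names of files that contain it.
    # -exec ... {} + batches files and copes with spaces in paths.
    find "$root" -type f -name "$name" -exec grep -lF -e "$sig" {} + |
    while IFS= read -r file; do
        rel=${file#"$root"/}    # path relative to ROOT
        printf '%s\t%s\n' "${rel%%/*}" "$file"
    done | sort
}

# Run only when a start directory is given, e.g.: ./find_outdated.sh /home
if [ "$#" -gt 0 ]; then
    find_outdated "$@"
fi
```

The sorted output groups hits by account, which makes it easy to see which customers need to be notified.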
How to "fix" outdated installs:
This is all dependent on yourself. My personal recommendation is that you temporarily disable the vulnerable forum and notify your customer to update it immediately. It may indeed be harsh, but you have other users to think about when it comes down to it.
OR
You can update it for them. Remember that they may have mods installed, which is going to cause real problems while updating, hence why they should do it. The easiest way is to go to www.phpbb.com and get the patch files only from the downloads page.
The patch contains multiple files for updating from many older versions to the latest. You can find out which version the user is running either by looking through their files or by getting it from the database, under phpbb_config or whatever the user's prefix is.
I strongly advise you to let your customers upgrade themselves to prevent any loss of files.
-----
This is not much good anymore, but here is what I used for older versions.
find /home/ -name "viewtopic.php" -exec grep "highlight_match) . " {} \; -print
This was for 2.0.16
---
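#!/bin/bash
# Strip urldecode() from the 'highlight' parameter in every viewtopic.php
# under /home and mail a notice for each file that was changed.
EXSED=/bin/sed
EXDIFF=/usr/bin/diff
EXRM=/bin/rm
EXCAT=/bin/cat
EXSEND=/bin/mail
MAILTOUSR=no-spam@hostgeekz.com
MAILSUB="Security warning from $0"
DATE=$(date)
# NUL-delimited file list so paths containing spaces are handled correctly
find /home -type f -name viewtopic.php -print0 | while IFS= read -r -d '' a
do
    $EXSED "s/urldecode(\$HTTP_GET_VARS\['highlight'])/\$HTTP_GET_VARS['highlight']/g" "$a" > "$a.tmp"
    # diff -q exits 0 when the files are identical, i.e. nothing needed patching
    if $EXDIFF -q "$a" "$a.tmp" > /dev/null; then
        $EXRM -f "$a.tmp"
    else
        # Overwrite in place so the customer's file keeps its owner and permissions
        $EXCAT "$a.tmp" > "$a" && $EXRM -f "$a.tmp"
        echo "$0 scanned file: $a which was bogus and replaced on $HOSTNAME at $DATE" | $EXSEND -s "$MAILSUB" "$MAILTOUSR"
    fi
done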
---
This was a bash script I created which fixes the old exploit. I could not even begin to tell you the version number because it was so long ago; in fact, I believe this may have been during the Perl Santy worm "outbreak".
Anyway, that's enough of my quick guide; I hope it helps. I suggest you install mod_security ASAP if you have not already done so.
Written by HostGeekZ.com