Last week, a phpBB forum I administer was vandalised.
Postings had been changed, and, worryingly, a posting had been made as admin. I was so stupid not to look for the IP address of the poster before deleting it, so I had to go through the log files in order to discover more.
It turned out they had turned on word censoring on some key topics of the forum, and changed the forum description and admin e-mail. With Textpad, I searched through the access_log file for admin_words.php. Requests to this file had come from 2 IP addresses, but by extracting the lines with the user-agent of these requests (user-agent “Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1”) I got the list of requests from this user, starting with the forum home page where
was given as referer, so the vandal found the forum by searching on Google for “index.php” and “forum”!
Half a minute later the request is repeated:
22.214.171.124 - - [09/Mar/2005:20:44:35 +0100] "GET /index.php HTTP/1.0" 200
And 3 seconds later he has gotten hold of a session id he could use to log in as forum-admin!
126.96.36.199 - - [09/Mar/2005:20:44:44 +0100] "GET /admin/index.php?sid=c2d4a6256590d2333425e1e83e0c416b HTTP/1.0"
188.8.131.52 - - [09/Mar/2005:20:44:45 +0100] "GET /admin/index.php?pane=right&sid=c2d4a6256590d2333425e1e83e0c416b
184.108.40.206 - - [09/Mar/2005:20:44:45 +0100] "GET /admin/index.php?pane=left&sid=c2d4a6256590d2333425e1e83e0c416b
And so on… I could see all POSTs and GETs and could reconstruct the scenario from 20:44:01 till 21:08:16 on March 9.
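The log triage described above (pivoting from the requests to admin_words.php to their User-Agent, then pulling every request with that User-Agent into a timeline), as an added Python example that is not part of the original post. The Apache combined-log lines, IP addresses and session id below are constructed for the example, and the final check, which sid was used from which addresses, goes a step beyond the post.

```python
import re
from collections import defaultdict

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1"
SID = "0123456789abcdef0123456789abcdef"  # constructed, not a real session id

# Constructed sample log: documentation-range IPs, one unrelated visitor mixed in.
SAMPLE_LOG = f"""\
203.0.113.10 - - [09/Mar/2005:20:44:01 +0100] "GET /index.php HTTP/1.0" 200 5120 "http://www.google.com/search?q=index.php+forum" "{FIREFOX_UA}"
198.51.100.7 - - [09/Mar/2005:20:44:20 +0100] "GET /viewtopic.php?t=12 HTTP/1.1" 200 8001 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.11 - - [09/Mar/2005:20:44:44 +0100] "GET /admin/index.php?sid={SID} HTTP/1.0" 200 3011 "-" "{FIREFOX_UA}"
203.0.113.12 - - [09/Mar/2005:20:51:02 +0100] "POST /admin/admin_words.php?sid={SID} HTTP/1.0" 200 2200 "-" "{FIREFOX_UA}"
"""

def parse(log_text):
    """Return one dict per well-formed combined-log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def pivot_on_user_agent(entries, marker="admin_words.php"):
    """Find every User-Agent that touched the marker script, then collect all
    requests made with those User-Agents, in log order: {ua: [entries]}."""
    suspect_uas = {e["ua"] for e in entries if marker in e["path"]}
    timeline = defaultdict(list)
    for e in entries:
        if e["ua"] in suspect_uas:
            timeline[e["ua"]].append(e)
    return dict(timeline)

def session_ids(entries):
    """Map each phpBB sid seen in a query string to the set of source IPs that used it;
    a sid used from several addresses is worth a closer look."""
    sids = defaultdict(set)
    for e in entries:
        m = re.search(r"[?&]sid=([0-9a-f]{32})", e["path"])
        if m:
            sids[m.group(1)].add(e["ip"])
    return dict(sids)

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for ua, hits in pivot_on_user_agent(entries).items():
        print(f"User-Agent: {ua}")
        for e in hits:
            print(f"  {e['time']}  {e['ip']:15}  {e['method']} {e['path']}  referer={e['referer']}")
    for sid, ips in session_ids(entries).items():
        print(f"sid {sid} used from {len(ips)} address(es): {sorted(ips)}")
```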
All IP addresses (range 220.127.116.11 – 18.104.22.168) came from the proxy proxyche07.sj4.marketscore.com. If I understand their website correctly, they’re a company collecting surfing behaviour by letting people surf from behind a proxy – the one the intruder had hidden behind. I have sent an e-mail with the relevant log to their abuse account as indicated, but haven’t received any answer so far.
And the vulnerability? A quick search on the phpBB forums gave me the needed bugfix for the version 2.0.12 I was running… Well, you’re right, I should have subscribed to their RSS feed in the first place!