phpBB exploit

Can anybody tell me what to look for on the server side? I may have been hit with this (again).

After the last time I immediately updated two installs of phpBB that I couldn’t deactivate (one being active and the other, well, I needed to access email through that domain) and deactivated everything else that had either phpBB, phpnuke or one of the variations installed on it (and updated a couple of them later when I had more time). By deactivate I mean I went into NodeWorx and deactivated them.

Now I have several sites which do not resolve (most with .org extensions but not all)

awalktorememberonline.org (Drupal and phpBB)
awalktorememberonline.com
awalktorememberonline.net (the last two are pointer domains to the first)

This site got two large hits of bandwidth yesterday afternoon and evening which makes me think this was the phpbb exploit.

michaelwsmithfans.org (Drupal is installed but the current phpBB is in the /forum directory)

followhimbooks.com
followhimbooks.org (separate sites, both of which are empty)

efictionarchive.net (blank . . . I think)
fanlists.net (blank)
liberateamericandemocracy.org (blank)
americanfreedemocracy.org (blank)
bradybunchonline.org (blank site)
savestartrek.org (blank site)
friendsinfaithonline.org (this site was inactive before but has mysteriously shown up as inactive)
annefrankmemorial.org (blank site with moodle installed in the /moodle subdirectory/subdomain)

There are more if anyone wants to know them but this should be enough.

I rebooted my server (had a kernel update last week and it needed it anyway)

I stopped and started my httpd (no errors)

I would try the dns server but am not sure what the service name is.

Chris mentioned that a script was in the /tmp directory the last time and I’ve deleted everything in there.

Anybody have any ideas?

Here’s the results from top

17:37:23 up 53 min, 1 user, load average: 1.43, 0.74, 0.63
148 processes: 147 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 199.8%
cpu00 0.1% 0.0% 0.0% 0.0% 0.0% 0.0% 99.8%
cpu01 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 100.0%
Mem: 1017328k av, 531244k used, 486084k free, 0k shrd, 101820k buff
356980k active, 23812k inactive
Swap: 0k av, 0k used, 0k free 72332k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
24384 root 15 0 1276 1276 896 R 0.1 0.1 0:00 0 top
1 root 15 0 512 512 452 S 0.0 0.0 0:03 1 init
2 root RT 0 0 0 0 SW 0.0 0.0 0:00 0 migration/0
3 root RT 0 0 0 0 SW 0.0 0.0 0:00 1 migration/1
4 root 15 0 0 0 0 SW 0.0 0.0 0:00 1 keventd
5 root 39 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd/0
6 root 34 19 0 0 0 SWN 0.0 0.0 0:00 1 ksoftirqd/1
9 root 25 0 0 0 0 SW 0.0 0.0 0:00 1 bdflush
7 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 kswapd
8 root 15 0 0 0 0 SW 0.0 0.0 0:00 1 kscand
10 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 kupdated
11 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 mdrecoveryd
15 root 15 0 0 0 0 SW 0.0 0.0 0:00 1 kjournald

nothing looks that different to me.

Those sites seem to be resolving for me Tim. Was this the only symptom you saw? Btw, Sago was having some issues today and this may be the culprit if this was the only symptom.

Chris

They’re dead for me.

Correction… It’s hit and miss.

Still not working for me. Also I just asked Olaf from the forums here to try them and they aren’t working for him either.

Tim

michaelwsmithfans.org works for Olaf
followhimbooks.com dead for him
followhimbooks.org works
efictionarchive.net dead
fanlists.net works

Why would it be so choosy, and why are all of them still dead for me?

Tim

The huge spike in bandwidth (twice yesterday) was the only thing I saw, yes. I checked on the /tmp directory and all I found were sess_<long string of numbers> files and I deleted them.

The sess_* files are normal, that’s php session info that many programs use. As for what’s going on I honestly can’t say. All domains resolve and work for me ok. And by “dead” are we talking about no DNS resolution? or the site doesn’t come up but is resolved?

Chris

Mozilla gives me the error

Alert! <domainname> could not be found. Please check the name and try again.

Internet Explorer seems to be loading the page but ends up giving me the same DNS error page it always does.

I’ve put in a ticket with Sago but am not optimistic that they will find the problem since if it’s a network problem they are inside the network.

I am currently able to resolve those domains without issue. Have you checked whether it’s an issue with the resolver you are using?

That’s what they told me. What “resolver” are they referring to?

I see you are using Sago’s customer DNS servers so I queried both and they are both responding with info on one of the ‘dead’ domains. One thing I did notice is that ns1/2.transwarphosting.net are listed for the domain, but ns1/2.cust.sagonet.com are reported as authoritative. Do you have NS records set up for ns1/2.transwarphosting.net in NodeWorx for the domain?


[iworx@rhe3x interworx]$ nslookup
> set q=any
> efictionarchive.net
Server:         68.42.244.12
Address:        68.42.244.12#53

Non-authoritative answer:
efictionarchive.net     nameserver = ns2.cust.sagonet.com.
Name:   efictionarchive.net
Address: 207.150.160.100

Authoritative answers can be found from:
efictionarchive.net     nameserver = ns2.cust.sagonet.com.
ns2.cust.sagonet.com    internet address = 66.118.148.158
> server ns1.cust.sagonet.com
Default server: ns1.cust.sagonet.com
Address: 66.118.128.158#53
> efictionarchive.net
Server:         ns1.cust.sagonet.com
Address:        66.118.128.158#53

efictionarchive.net
        origin = ns1.cust.sagonet.com
        mail addr = .
        serial = 1105139827
        refresh = 16384
        retry = 2048
        expire = 1048576
        minimum = 2560
efictionarchive.net     mail exchanger = 10 mail.efictionarchive.net.
efictionarchive.net     nameserver = ns2.cust.sagonet.com.
Name:   efictionarchive.net
Address: 207.150.160.100
> server ns2.cust.sagonet.com
Default server: ns2.cust.sagonet.com
Address: 66.118.148.158#53
> efictionarchive.net
Server:         ns2.cust.sagonet.com
Address:        66.118.148.158#53

efictionarchive.net
        origin = ns2.cust.sagonet.com
        mail addr = .
        serial = 1105239286
        refresh = 16384
        retry = 2048
        expire = 1048576
        minimum = 2560
efictionarchive.net     mail exchanger = 10 mail.efictionarchive.net.
efictionarchive.net     nameserver = ns2.cust.sagonet.com.
Name:   efictionarchive.net
Address: 207.150.160.100
> set q=ns
> efictionarchive.net
Server:         ns2.cust.sagonet.com
Address:        66.118.148.158#53

efictionarchive.net     nameserver = ns2.cust.sagonet.com.
>
> server ns1.transwarphosting.net
Default server: ns1.transwarphosting.net
Address: 207.150.160.100#53
> efictionarchive.net
Server:         ns1.transwarphosting.net
Address:        207.150.160.100#53

efictionarchive.net     nameserver = ns2.cust.sagonet.com.
> set q=a
> efictionarchive.net
Server:         ns1.transwarphosting.net
Address:        207.150.160.100#53

Name:   efictionarchive.net
Address: 207.150.160.100
> server ns2.transwarphosting.net
Default server: ns2.transwarphosting.net
Address: 207.150.160.100#53
> efictionarchive.net
Server:         ns2.transwarphosting.net
Address:        207.150.160.100#53

Name:   efictionarchive.net
Address: 207.150.160.100
>

I am using ns1. and ns2. transwarphosting.net both at the registrar and in NodeWorx, but the sago one shows up as the RDNS because I never got around to having Sago set the custom RDNS. It’s been this way for almost a year without problems.

Tim

This isn’t an RDNS prob Tim. And while it should work as is, I’d make sure that there is an NS record set up for that domain for each of ns1/2.transwarphosting.net.

Regarding it working / not working, as you can see from the output it works fine for me on all fronts. Can you try to do the same via nslookup from your location and paste the output?

Chris

This shouldn’t make a difference, but I tried something else that has worked before when I’ve had problems getting DNS resolution (I rebooted my PC), but that was normally when NOTHING would resolve. In any event it didn’t work as expected.

You mean nslookup on my PC, I assume:

Hostname: awalktorememberonline.org
IP Address: Unavailable

Hostname: efictionarchive.net
IP Address: Unavailable

This was from a program called CyberKit

From my server I get

[root@centos root]# nslookup efictionarchive.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: efictionarchive.net
Address: 207.150.160.100

[root@centos root]# nslookup followhim.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: followhim.org
Address: 207.150.160.100

[root@centos root]# nslookup awalktorememberonline.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: awalktorememberonline.org
Address: 207.150.160.100

[root@centos root]# dig efictionarchive.net

; <<>> DiG 9.2.4rc6 <<>> efictionarchive.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33904
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;efictionarchive.net. IN A

;; ANSWER SECTION:
efictionarchive.net. 43151 IN A 207.150.160.100

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 8 21:40:28 2005
;; MSG SIZE rcvd: 53

[root@centos root]# dig awalktorememberonline.org

; <<>> DiG 9.2.4rc6 <<>> awalktorememberonline.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;awalktorememberonline.org. IN A

;; ANSWER SECTION:
awalktorememberonline.org. 43159 IN A 207.150.160.100

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 8 21:40:57 2005
;; MSG SIZE rcvd: 59

[root@centos root]#

Let me make sure I understand you: you think I should have Sago set up records for those domains to my IP address

eg.

awalktorememberonline.org 207.150.160.100
efictionarchive.net 207.150.160.100

etc.

That’s a lot of domains (Sorry if I misunderstood you)


No, if you go into NodeWorx, and edit the records for each of those domains that you’re using ns1/2.transwarphosting.net on you should have a NS record for ns1/2.transwarphosting.net as well.

Can you try nslookups from any other boxes? Every one I try works fine :S.

Chris
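The mismatch Chris is describing (the registrar delegates a domain to ns1/2.transwarphosting.net while the zone in NodeWorx still publishes an NS record for ns2.cust.sagonet.com) can be checked for every domain mechanically. The following Python is an added example, not code from the thread or from InterWorx: it parses the `nameserver =` lines in the `nslookup` transcripts shown above and compares the zone’s published NS set with the delegation you expect; the delegation list and the sample transcript are constructed assumptions.

```python
import re

# Shape of the NS lines in the nslookup transcripts in this thread, e.g.
#   "efictionarchive.net     nameserver = ns2.cust.sagonet.com."
NS_LINE = re.compile(r"^(?P<zone>\S+)\s+nameserver\s*=\s*(?P<ns>\S+)$")


def _norm(name):
    """Lower-case a hostname and drop the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def parse_ns_records(nslookup_output):
    """Return {zone: set(nameservers)} for every 'nameserver =' line in the output."""
    records = {}
    for line in nslookup_output.splitlines():
        match = NS_LINE.match(line.strip())
        if match:
            zone, ns = _norm(match.group("zone")), _norm(match.group("ns"))
            records.setdefault(zone, set()).add(ns)
    return records


def check_delegation(delegated_ns, zone_ns):
    """Compare the servers the registrar delegates to (delegated_ns) with the NS
    set the zone publishes about itself (zone_ns). A delegated server the zone
    never names, or a stale server it still names, is a finding to fix."""
    delegated = {_norm(n) for n in delegated_ns}
    published = {_norm(n) for n in zone_ns}
    return {
        "missing_in_zone": sorted(delegated - published),
        "stale_in_zone": sorted(published - delegated),
        "consistent": delegated == published,
    }


def audit_zone(zone, nslookup_output, delegated_ns):
    """Parse the transcript for `zone` and report how its NS set differs from the delegation."""
    published = parse_ns_records(nslookup_output).get(_norm(zone), set())
    return check_delegation(delegated_ns, published)


# Constructed sample: the 'set q=ns' answer shape seen in the thread for one domain.
SAMPLE_NSLOOKUP = """\
> set q=ns
> efictionarchive.net
Server:         ns2.cust.sagonet.com
Address:        66.118.148.158#53

efictionarchive.net     nameserver = ns2.cust.sagonet.com.
"""
# Assumption: the registrar delegates the domain to these two servers.
DELEGATED = ["ns1.transwarphosting.net.", "ns2.transwarphosting.net."]

if __name__ == "__main__":
    print(audit_zone("efictionarchive.net", SAMPLE_NSLOOKUP, DELEGATED))
```

Run the same audit over each domain’s transcript; any result with `stale_in_zone` or `missing_in_zone` non-empty is a zone whose NS records need editing in NodeWorx.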

You may be onto something, Chris.

I just looked at awalktorememberonline.org and found

NS ns2.cust.sagonet.com

I’ve been in here before but never noticed this.

I’ve deleted it and added my custom ones.

Now I’m checking some of the others.

Chris,

Many thanks! I think you found the solution! All of the awalktorememberonline domains, efictionarchive, michaelwsmithfans, etc. all have that ns2.cust.sagonet.com NS record.

I’m going to have to go through each of them one by one and change them to my own name servers. Not really sure why this is an issue NOW (especially since some of these were created AFTER I switched to the custom NS solution) but I guess sometimes things on computers do weird things.

Thanks a ton,

Oh and to answer your question the only Linux box I have access to is my server. My ISP does not give out free shell access anymore unless you pay them $24.95/month instead of the $14.95 I’m paying now.

Just to update everybody: I went through the zone records of most of my domains and edited the ones with the Sago name servers and added my own transwarphosting ones. About two thirds of them have needed editing. Awalktorememberonline and efictionarchive are now working fine.

I only had time to go through about half of them last night (there were 78 or so of them, one for each SiteWorx account and pointer domain). I’m finishing the rest of them now.

As near as I can tell the ones that I have to edit are all of the ones created before I did the server migration (not after I switched to a custom NS as I previously thought). There’s no way to know for sure, but Chris, you may want to keep an eye out for a bug in the restore script (of course, if there is one it may already be fixed; there is no way to know).

Thanks to Chris, Olaf, and John for your input on this.

I’m finally DONE!

I have a new appreciation for InterWorx’s capabilities. NodeWorx made editing these records easy and even warned me if I entered an invalid entry or a duplicate entry (like two ns1’s, something I did more than once).

I can’t imagine editing something like this by hand, editing 78 individual configuration files (or one really BIG one). Thanks for designing it so well, guys :slight_smile: