phpbb worm affecting another server

Secret Agent · #1 26th December 2004, 04:00 AM

I received an email from anonymous...

"A worm using a phpbb vulnerability is trying to infect my system coming from IP xx...."

Well, I ran rkhunter and chkrootkit and both came back fine. Are there any others I can run to check for such a worm?

Specs:
RHE 3.3
Cpanel 9.9.9 R-14
PHP v 4.3.1.0

I believe the worm is running as nobody. I did notice a high load in server status for nobody user.

Code:

User Domain %CPU %MEM Mysql Processes 
nobody  95.24 14.34 0.0 
Top Process %CPU 96.3 /hsphere/shared/apache/bin/httpd -DSSL 
Top Process %CPU 96.2 /hsphere/shared/apache/bin/httpd -DSSL 
Top Process %CPU 96.0 /hsphere/shared/apache/bin/httpd -DSSL

Kernel Info:
Linux server.myserver.com 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
Please give me a hand here.

Woad_Warrior · #2 26th December 2004, 04:27 AM

http://www.phpbb.com/phpBB/viewtopic.php?t=248046
they're basically reccomending updating your php software to latest version and checking to make sure someone isn't hacking you.

Secret Agent · #3 26th December 2004, 04:28 AM

My CPU load is going insane because of this

the process is:
/hsphere/shared/apache/bin/httpd -DSSL

running as nobody

how do I stop this?

Woad_Warrior · #4 26th December 2004, 04:33 AM

well, for starters, until you resolve the issue, i'd shut down the phpbb.

Secret Agent · #5 26th December 2004, 04:35 AM

I don't think you comprehend what is happening here. Read my first and second post.

The process is running as nobody and it does not say phpbb in anyway. I only mentioned that "someone" sent me the email. I am checking to see if it is phpbb or not and what is causing the spikes in CPU usage. I cannot shut down phbb because obviously i have no idea who is running it nor proof that phpbb is causing it.

Woad_Warrior · #6 26th December 2004, 04:46 AM

sorry. my mistake. what ver apache and hsphere you running?