
This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!


perl people
2005-07-19, 12:15 PM #1
Okay, the server has been going whack, here is what I have been able to deduce:

Someone was able to make apache download a file called "up" from a specific domain. This file was then RUN as a non-privileged user (www-data). At that time, it wrote a file called mpb.pl to the /tmp directory and then executed it. This starts some sort of IRC server although I don't know exactly what is going on. It is attached to this post.

JonC found a vulnerability in vBulletin that allows arbitrary code to be uploaded and executed, so I have patched to the fixed version. It would be really freaking nice if Jelsoft would freaking email me when a vulnerability comes out :mad:

So anyway, if you can deduce what is going on here regarding the attached script, please let me know.
Attachment: 6216/mpb.txt (19,408 bytes)
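The chain in the post above (web-server user fetches "up", it drops and runs /tmp/mpb.pl, the bot then sits on an IRC connection) is exactly what a quick host triage should surface. The script below is an added example and is not code from the thread or from the attached mpb.pl: it parses `ps -eo user,pid,ppid,cmd` and `netstat -tnp` output, flags processes owned by the web-server account that run an interpreter out of a temp directory, and matches those PIDs to established connections on IRC ports. The two listings, the PIDs, the addresses and the port list are constructed for illustration; the thread does not say which port the German server used.

```python
"""Host triage for a web-server-user compromise that drops an IRC bot in /tmp.
Added example, not code from the thread or the attached script.  PS_SAMPLE and
NETSTAT_SAMPLE are constructed listings in `ps -eo user,pid,ppid,cmd` and
`netstat -tnp` format; PIDs, addresses and the IRC port list are assumptions."""
import re
from dataclasses import dataclass

# Assumption: the bot talks plain-text IRC on one of the customary ports.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
INTERPRETERS = {"perl", "python", "sh", "bash", "php"}
# A temp-dir path as its own token (so "/var/tmp" is not also counted as "/tmp").
TMP_RE = re.compile(r"(?<![\w/])(?:/var/tmp|/dev/shm|/tmp)(?=[/\s;]|$)")

PS_SAMPLE = """\
USER       PID  PPID CMD
root         1     0 /sbin/init
www-data  1840   912 /usr/sbin/apache2 -k start
www-data  4321  1840 perl /tmp/mpb.pl
www-data  4322  1840 sh -c cd /tmp; ./up
root      2233     1 perl /usr/local/bin/logwatch.pl
"""

NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:41234        198.51.100.7:6667       ESTABLISHED 4321/perl
tcp        0      0 192.0.2.10:80           203.0.113.55:51022      ESTABLISHED 1840/apache2
tcp        0      0 192.0.2.10:45010        192.0.2.20:25           ESTABLISHED 2233/perl
"""


@dataclass(frozen=True)
class Proc:
    user: str
    pid: int
    ppid: int
    cmd: str


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,cmd` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, cmd = parts
            procs.append(Proc(user, int(pid), int(ppid), cmd))
    return procs


def runs_script_from_tmp(cmd):
    """True when an interpreter or shell is invoked with something under a temp directory."""
    argv = cmd.split()
    if not argv:
        return False
    exe = argv[0].rsplit("/", 1)[-1]
    return exe in INTERPRETERS and TMP_RE.search(cmd) is not None


def suspicious_processes(procs, web_user="www-data"):
    """Web-server-owned processes that are not the web server itself but run code from /tmp."""
    return [p for p in procs if p.user == web_user and runs_script_from_tmp(p.cmd)]


NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)/(\S+)"
)


def parse_netstat(text):
    """Parse `netstat -tnp` lines into dicts; header and non-TCP lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append({"lhost": m[1], "lport": int(m[2]), "rhost": m[3],
                          "rport": int(m[4]), "state": m[5], "pid": int(m[6]),
                          "prog": m[7]})
    return conns


def irc_connections(conns, pids):
    """Established connections from the flagged PIDs to an IRC port."""
    return [c for c in conns
            if c["pid"] in pids and c["rport"] in IRC_PORTS and c["state"] == "ESTABLISHED"]


def triage(ps_text, netstat_text, web_user="www-data"):
    """Return (flagged processes, their IRC connections) for one snapshot."""
    procs = suspicious_processes(parse_ps(ps_text), web_user)
    conns = irc_connections(parse_netstat(netstat_text), {p.pid for p in procs})
    return procs, conns


if __name__ == "__main__":
    procs, conns = triage(PS_SAMPLE, NETSTAT_SAMPLE)
    for p in procs:
        print(f"suspicious: pid={p.pid} ppid={p.ppid} user={p.user} cmd={p.cmd!r}")
    for c in conns:
        print(f"irc c2: pid={c['pid']} ({c['prog']}) -> {c['rhost']}:{c['rport']}")
```

On the constructed sample both www-data processes are flagged and the perl one is tied to an established connection on 6667; the root-owned logwatch perl is left alone because it is neither the web-server user nor running from a temp directory. The parent PID pointing at the apache2 worker is the detail that confirms the web application as the entry point. Because the bot ran as www-data, the ps and netstat binaries themselves are very unlikely to have been tampered with, which is what makes this kind of snapshot trustworthy here.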
2005-07-19, 12:17 PM #2
Norton AntiVirus has detected a virus on your computer.

Name object: C:\.... mpb[1].txt
Name virus: IRC.Backdoor.Trojan
Action: Access to the file has been denied

Damn, and I was just getting all excited seeing an attachment on these forums
enshu
2005-07-19, 12:19 PM #3
http://www.partyradio.ca/v3/stat.pl

That one is similar.
2005-07-19, 12:32 PM #4
The script joins an IRC server and gives a virtual shell to users with certain nicknames. Pretty straightforward. I joined the channel and was banned almost immediately, so I did the fair thing and alerted the server's IRC ops about the channel. At the very least it means all of the servers he's infected so far (looks like about 8 of them) will need to be re-hacked, but it didn't look like he had permission to run a lot of commands he was trying (SIGKILL).
The UNIX security model saves the day yet again.
2005-07-19, 12:36 PM #5
This guy obviously chose the wrong server to hack.
That painting was a gift, Todd. I'm taking it with me.
2005-07-19, 12:39 PM #6
Unfortunately all 3 users in the stat.pl file are using cloaked hostmasks.
2005-07-19, 12:41 PM #7
Anyone notice some strange sigs by new(er) users or strange BB code usage lately?
2005-07-19, 12:43 PM #8
If they're not just a script kiddie (although it looks like they are), they probably used WWW::Mechanize to post via another Perl script from another hacked box.
2005-07-19, 12:50 PM #9
Quote:
Originally posted by TheJkWhoSaysNi
Unfortunately all 3 users in the stat.pl file are using cloaked hostmasks.
More unfortunately, the domain used to download the script is a Belize TLD registered by a woman in Atlanta, GA, and uses a public/free DNS server. The IRC server used to host the attack is German. The script is commented in Portuguese, which tells me it's probably of Brazilian origin.

All over the place, but I'd guess the guy in question is, in fact, from Brazil.
2005-07-19, 1:01 PM #10
Haha, Portuguese. Not good bye, just....bye bye.
2005-07-19, 1:56 PM #11
Highly off topic, but what the hell happened to our hex postcounts? It still shows up if you highlight, but there's no Hex. :(
D E A T H
2005-07-19, 1:59 PM #12
Quote:
Originally posted by Dj Yoshi
Highly off topic, but what the hell happened to our hex postcounts? It still shows up if you highlight, but there's no Hex. :(


$50 says that the patch replaced the file with the hexcount script hacked into it, so the code's gone.
2005-07-19, 5:00 PM #13
Brian.- Are you trying to say we all got a Virus?
Nothing to see here, move along.
2005-07-19, 5:04 PM #14
Originally posted by SF_GoldG_01:
Brian.- Are you trying to say we all got a Virus?

No.
2005-07-19, 5:04 PM #15
Originally posted by SF_GoldG_01:
Brian.- Are you trying to say we all got a Virus?


No. Someone exploited a vulnerability in the forum software we were using.

*cough*cough*vb sucks*cough*cough*
And when the moment is right, I'm gonna fly a kite.
2005-07-19, 5:37 PM #16
Originally posted by gbk:
No. Someone exploited a vulnerability in the forum software we were using.

*cough*cough*vb sucks*cough*cough*

Actually I'm starting to think it's a vuln in phpbb used at commandchamber and jkhub :( I'm having a hard time finding out where it's coming from.
2005-07-19, 5:43 PM #17
No Brian, the exploit at TACC and most phpBB-exploited forums is the phpBB <= 2.0.12 Change User Rights Authentication Bypass "How Dark" exploit, and would not affect you at all.

Edit: Both TACC and JKHUB have invulnerable (just to HowDark, I dunno about other exploits) forums, TACC using a newer version of phpBB and JKHUB having edited files preventing the exploit from being possible.

Edit2: There is a phpBB <= 2.0.15 viewtopic.php Remote PHP Code Execution exploit that * might * have been used on JKHUB but I think it is most likely coming from an unknown vBulletin exploit.
2005-07-19, 6:01 PM #18
phpbb is at version 2.0.17 now, I've just had to update...

however none of the problems listed should have allowed them to screw with the other forums... as far as I can tell from the changelist.

as for them being "invulnerable", none are, it's just how hard it is to find an exploit. Thankfully phpbb has quite a quick turn-around on bug updates and lets you know when updates come out.

[edit] is there a reason why the links to TACC and JKHUB are disabled/link back to massassi...??[/edit]
People of our generation should not be subjected to mornings.

Rbots
2005-07-19, 6:05 PM #19
Originally posted by James Bond:
[edit] is there a reason why the links to TACC and JKHUB are disabled/link back to massassi...??[/edit]

Yeah, I am trying to narrow down exactly where this thing is getting in.
2005-07-19, 6:07 PM #20
Originally posted by Brian:
Yeah, I am trying to narrow down exactly where this thing is getting in.

thought as much...
People of our generation should not be subjected to mornings.

Rbots
2005-07-21, 12:48 PM #21
Is the SOTD code gone too?

Edit: the "add a link" in the links section isn't the problem, right?
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2005-07-21, 7:47 PM #22
Originally posted by Echoman:
Is the SOTD code gone too?

Edit: the "add a link" in the links section isn't the problem, right?

The SotD should be working fine, just people aren't updating it :( The add a link script probably isn't the problem as it has gone away since I closed down commandchamber.net. I think their forums are vulnerable, I have to talk to Ryan.
2005-07-21, 8:58 PM #23
But if you click on the SOTD, the recent SOTD's are missing. :confused:
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2005-07-21, 10:48 PM #24
Looks to me like an IRC zombie thing. Basically it connects to an IRC server, joins a channel, and lets the hacker use the computer that way. It seems like it's used mostly for remotely portscanning computers. It's probably some Brazilian hacker, there are a lot of Brazilian hacking groups. It can also be used to DCC files to and from the attacked computer. I think it can be used in a denial of service attack against other computers. Also, it looks like the attacker can get shell access. Pretty standard.
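Posts #4 and #24 both describe the bot's gate as "a virtual shell to users with certain nicknames". The example below is added here and is not code from mpb.pl or stat.pl; it shows what that gate actually sees. Every command reaches the bot as an IRC PRIVMSG whose prefix carries nick!user@host, and since a nick is not authenticated by the network, a nick-only allowlist accepts anyone who manages to hold that nick, whereas a hostmask allowlist at least requires the sender's host to match. The command prefix, the master list, the cloak pattern and the two sample lines are constructed for illustration and are not values taken from the attached script.

```python
"""Nick-only versus hostmask trust in an IRC-controlled bot.
Added example, not code from the thread's attached script.  MASTERS, MASKS,
LEGIT and IMPOSTOR are constructed values, not taken from mpb.pl or stat.pl."""
import re
from fnmatch import fnmatchcase

# Prefix of a server-relayed message: ":nick!user@host" (user and host are optional).
PREFIX_RE = re.compile(r"^:(?P<nick>[^!@\s]+)(?:!(?P<user>[^@\s]+))?(?:@(?P<host>\S+))?$")

# Constructed trust configuration.
MASTERS = {"m4st3r"}                               # nick-only allowlist
MASKS = {"m4st3r!*@*.users.example-irc.net"}      # nick!user@host allowlist with wildcards

# Constructed traffic: the operator on a cloaked host, and an impostor who took the nick.
LEGIT = ":m4st3r!~op@cloak-1a2b3c.users.example-irc.net PRIVMSG #bots :!shell uname -a"
IMPOSTOR = ":m4st3r!~kid@198.51.100.7 PRIVMSG #bots :!shell uname -a"


def parse_privmsg(line):
    """Return (nick, user, host, target, text) for a PRIVMSG line, else None."""
    prefix, sep, rest = line.partition(" ")
    if not sep or not prefix.startswith(":"):
        return None
    m = PREFIX_RE.match(prefix)
    if not m:
        return None
    parts = rest.split(" ", 2)
    if len(parts) != 3 or parts[0] != "PRIVMSG":
        return None
    target, text = parts[1], parts[2]
    if text.startswith(":"):          # trailing-parameter marker
        text = text[1:]
    return m["nick"], m["user"], m["host"], target, text


def nick_only_trusts(nick, masters=MASTERS):
    """The weak check: identity is whatever nick the sender currently holds."""
    return nick in masters


def hostmask_trusts(nick, user, host, masks=MASKS):
    """Match the full nick!user@host against wildcard masks (IRC-style globbing)."""
    full = f"{nick}!{user}@{host}"
    return any(fnmatchcase(full, mask) for mask in masks)


def decide(line, masters=MASTERS, masks=MASKS):
    """Evaluate one incoming line under both trust models; None if it is not a PRIVMSG."""
    parsed = parse_privmsg(line)
    if parsed is None:
        return None
    nick, user, host, target, text = parsed
    return {
        "sender": f"{nick}!{user}@{host}",
        "target": target,
        "text": text,
        "nick_only": nick_only_trusts(nick, masters),
        "hostmask": hostmask_trusts(nick, user, host, masks),
    }


if __name__ == "__main__":
    for line in (LEGIT, IMPOSTOR, "PING :irc.example-irc.net"):
        d = decide(line)
        if d is None:
            print(f"ignored: {line!r}")
        else:
            print(f"{d['sender']:<52} nick_only={d['nick_only']} hostmask={d['hostmask']}")
```

Under the nick-only model both constructed lines are trusted, which is why post #4 could be banned so quickly but could equally have been the one issuing commands had the operator's nick been free. A hostmask check is only as strong as the network's control over cloaks and vhosts, and the same cloaking that protects the operator's mask from the bot's point of view is what post #6 runs into when trying to learn where the three users in stat.pl really connect from.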
