
Board Problem -- Possible Exploit? Please Read!

1642 Views 6 Replies 6 Participants Last post by  Michele McAtee
OK this is absolutely impossible.

The way this board's search feature works is that every word you type into a post adds an entry into a special search table that references which post that particular word was entered in. It's supposed to make searching more efficient, but it tends to take up a lotta space since every word in a post is separately indexed. However, this table is the one that keeps running full and it's abnormal. At first I wasn't noticing it to be a huge problem, but 2 days ago the database hit the 150MB mark... that's 150MB since the board first started... then today, only 2 days later, that same table ran full again hitting 250MB!!!!!!! That's absolutely impossible, there is no way there's been enough posts here in 2 days to increase the space by 100MB, which is almost as much as all the posts combined since the board first opened!

I was looking around the table to see what data was being entered and it all looked way too chronological compared to the "legitimate" entries from a month ago that were somewhat randomly numbered.

So it's become very apparent to me that some malicious (and obviously bored) asshole has decided to sabotage this forum, which explains why it's been so slow, because the database is running full steam ahead to process their exploit rather than processing board posts.

I'm assuming it is in fact a malicious 3rd party, I could be wrong, but I doubt it. I cleared the table in the database that deals with searches, so the search feature will not work for anything posted from day 1 till today... :( I may have to disable the search feature entirely.
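
A way to triage the kind of index growth described in the post above, as an added example (not part of the original thread and not the board software's own code): it compares search-index rows against actual posts per day, flags posts that contribute far more index rows than is typical, and counts index rows that reference no post. The table and column names are a simplified, hypothetical schema, and the data is constructed.

```python
import sqlite3

# Hypothetical, simplified schema: one index row per (word, post) pair,
# as the post describes. Real board software will use different names.
SCHEMA = """
CREATE TABLE posts(post_id INTEGER PRIMARY KEY, poster TEXT, day TEXT);
CREATE TABLE search_match(word_id INTEGER, post_id INTEGER);
"""

def build_sample_db():
    """Constructed data: three ordinary posts, one oversized post, orphan rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO posts VALUES (?,?,?)", [
        (1, "alice", "2006-03-01"), (2, "bob", "2006-03-01"),
        (3, "carol", "2006-03-02"), (4, "newuser", "2006-03-03"),
    ])
    rows = [(w, p) for p, n in ((1, 40), (2, 55), (3, 30)) for w in range(n)]
    rows += [(w, 4) for w in range(5000)]        # one post indexing 5000 words
    rows += [(w, 900 + w) for w in range(200)]   # rows pointing at no post
    db.executemany("INSERT INTO search_match VALUES (?,?)", rows)
    return db

def index_rows_per_day(db):
    """(day, posts, index rows): rows jumping without more posts is the anomaly."""
    return db.execute("""
        SELECT p.day, COUNT(DISTINCT p.post_id), COUNT(*)
        FROM search_match m JOIN posts p ON p.post_id = m.post_id
        GROUP BY p.day ORDER BY p.day""").fetchall()

def heavy_posts(db, factor=10):
    """Posts whose index row count exceeds `factor` times the median per post."""
    counts = db.execute("""
        SELECT m.post_id, p.poster, COUNT(*) AS n
        FROM search_match m JOIN posts p ON p.post_id = m.post_id
        GROUP BY m.post_id ORDER BY n""").fetchall()
    median = counts[len(counts) // 2][2]
    return [(pid, poster, n) for pid, poster, n in counts if n > factor * median]

def orphan_rows(db):
    """Number of index rows whose post_id matches no stored post."""
    return db.execute("""
        SELECT COUNT(*) FROM search_match m
        LEFT JOIN posts p ON p.post_id = m.post_id
        WHERE p.post_id IS NULL""").fetchone()[0]

if __name__ == "__main__":
    db = build_sample_db()
    print(index_rows_per_day(db), heavy_posts(db), orphan_rows(db))
```

Running the same three checks before clearing the table shows whether the growth traces back to specific posts and accounts or to rows that no post accounts for.
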
We'll live, Mike! Thanks for the tedious work, BTW.
I hope we can find out who's responsible...

*idioten, klootzakken, driedubbelomgedraaidelullen*

calling names in Dutch :wink:
mike,

i read somewhere that there was a phpBB exploit with regard to a certain username. i'll research to try and find it....
i found it...

Bot Herders Ready Attack Against Message Forums
http://www.informationweek.com/news/showArticle.jhtml?articleID=183701152&subSection=Breaking+News

The SANS Institute's Internet Storm Center noted that a bot going by the name "FuntKlakow" has registered on thousands of phpBB forums.

Botnet controllers may be planning a large-scale attack against message forums, TechWeb has learned.

The SANS Institute's Internet Storm Center (ISC) noted that a bot going by the name "FuntKlakow" has registered on thousands of phpBB forums. Speculating, ISC analyst Marcus Sachs noted that the bot's owner(s) may be preparing to exploit a zero-day vulnerability against the popular php bulletin board software.

"We might be chasing a ghost here but it's always good to be on the lookout for something like this," wrote Sachs in an alert on the ISC site Sunday.

Sachs linked to the original posting about the attack possibility. That posting added that on most boards the FuntKlakow bot had only registered, but that it was capable of posting messages.

A Google search for "FuntKlakow" suggested that the bot may have created accounts on more than 36,000 forums. Some of the forums show messages such as "Oh, how nice" and "Wow, I didn't think of that."

"Next time the phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) from attacking thousands of sites/forums," the original post read.

U.K.-based security and Web measurement company Netcraft added in a Monday alert that the phpBB software has been hit with several security problems, including a January hack of Advanced Micro Devices' (AMD) php-driven support forums that planted malicious code on visitors' machines.

**********************************

don't know if that helps or not...
It always amazes me when anyone can do more than just turn on these newfangled typewriters.