Trend Micro is reporting that a massive attack has been launched against web sites using old or poorly configured PHPBB installations.

This compromise is almost similar to the mass compromises that they and others have reported on earlier this year — visiting a compromised site leads to a series of redirections, which eventually causes the downloading of malware.

In this particular case, TROJ_ZLOB.CCW is on the tail-end. “In true ZLOB fashion, this variant poses as a video codec installer”, and appears as the graphic at left.

For more information, check out the Trend Micro Blog.

If you have PHPBB installed on your web site, take action now to make sure that it’s up to date and patched, and not being compromised. We seem to have a particular issue at times with folks trying out the software, and not using it – leaving it hanging out in an ignored subdirectory mis-configured, un-patched, and totally vulnerable because it’s still public and malicious folks can still find it. Unpatched and unused bulletin board systems often become a playground for hackers as they post spam after spam in your forgotten board, taking up resources on the server as well as putting your account and anyone who stumbles onto the unused software at risk.

Never leave unmaintained software hanging out in a public directory – if you are going to periodically play with new software but can’t give it adequate attention frequently or immediately, put it in a password protected directory so that it’s not available to the general public just in case you forget about it.

If anything in your directories are public, always make sure that they are patched, current, and maintained – and if you can’t use the most current version of a software for compatibility issues, make sure that the version you are using is not compromised. A simple Google search for the software name, version, and security advisory is usually enough to turn something up if there is one.

We will be doing an audit of the servers to find PHPBB versions subject to this risk, and will take them offline if we find them, so if you’re using it, get there before us and patch it.