[mod-security-users] phpbb strange attack

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

I use modsecurity in my servers and it stops a lot of attacks.
Yesterday one PHPbb forum was cracked on one server, but was strange,=20
because in logs there wasn't any typical attack sign. These are the logs:

201.127.65.149 - - [01/Jun/2006:23:31:52 +0200] "GET=20
/forum/viewtopic.php?p=3D222&sid=3D845f9490d4da28a7ab7d9fc8586b0caa=20
HTTP/1.1" 200 12760=20
"http://www.altavista.com/web/results?itag=3Dody&q=3Dpowered+by+phpbb+2.0=
.6&kgs=3D1&kls=3D0&stq=3D10"=20
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

(some .gifs...etc)

201.127.65.149 - - [01/Jun/2006:23:38:56 +0200] "GET=20
/forum/admin/index.php?sid=3D719ed2e4e45fe8a763555a0ea46b5b48 HTTP/1.1"=20
200 638 "http://www.domain.com/forum/" "Mozilla/4.0 (compatible; MSIE=20
6.0; Windows NT 5.1; SV1)"

As you see, he search in altavista for "powered by phpbb 2.0.6" and=20
then, viewed a post and directly he loged into admin.
Any idea? XSS attack perhaps?

Thanks for help|ideas :)

Regards,

--=20
Alvaro Mar=EDn Illera
Hostalia Internet
www.hostalia.com