DB phpbb_users deleted, possibility of having been hacked

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
xtcdj
Registered User
Posts: 49
Joined: Wed Feb 27, 2002 4:37 pm

DB phpbb_users deleted, possibility of having been hacked

Post by xtcdj » Tue May 07, 2002 12:44 pm

Hello everyone.

Seems I got hacked on MYSQL. Database phpbb_users has been deleted. I cannot access my forum. This is pissing me off. I have a backup that i created with phpbb2. How can I use this file to refix it. Please if anyone could help i'd appreciate it!

[edit] subject edited by AL [/edit]
[edit] and again by Homebrew after it was changed back to README NOW PLEASE! [/edit]
.:::[ XTCDJ ]:::.
Web: www.djforum.com
Mail: admin@djforum.com

zoid
Registered User
Posts: 743
Joined: Fri Oct 12, 2001 6:29 am
Location: $SCRIPT_NAME
Contact:

Post by zoid » Tue May 07, 2002 12:49 pm

Which version of phpbb2 are you running?

Alexander
Whatever you want to know, please do a Image Search before asking :).

Run your own Chatcommunity
>> PINO - Client/Server Chat for Windows <<

- szo2 -
Registered User
Posts: 538
Joined: Tue Apr 30, 2002 3:29 pm
Location: Hong Kong
Contact:

Post by - szo2 - » Tue May 07, 2002 12:51 pm

Are you sure you are hacked? MySQL itself is almost impossible to hack... If it is phpBB that's hacked, that'd be a big issue. Can you post more details here? What phpBB version are you using? How many users had you board had?

For how to restore database:
Go into phpMyAdmin, click on your database at the left panel, cut & paste all the code to the textfield marked "Run SQL query/queries on table" on the right. Then click on "Go".

Wert
Former Team Member
Posts: 3676
Joined: Tue Jul 03, 2001 8:33 pm
Location: Sacramento, CA
Name: Chris Aguilar

Post by Wert » Tue May 07, 2002 2:23 pm

Also, are you using shared hosting? And if so, do other people now what server you're on? If so, it's childs play to get your mysql info and p/w from your config file.

Note, this only applies to other people on your shared server and should hopefully be fixed when apache 2.0 comes out.
Chris Aguilar - AKA "Wert"

xtcdj
Registered User
Posts: 49
Joined: Wed Feb 27, 2002 4:37 pm

Post by xtcdj » Tue May 07, 2002 9:15 pm

Well finally I got hacked. thank god I had a backup. They drop my whole users data table. I went on and it was dissapeared. I am running PHPBBv.2 final.
.:::[ XTCDJ ]:::.
Web: www.djforum.com
Mail: admin@djforum.com

User avatar
primedomain
Former Team Member
Posts: 25944
Joined: Sat Dec 15, 2001 10:23 am

Post by primedomain » Tue May 07, 2002 9:41 pm

You might check your log files (if you have access to them)...

User avatar
trancepriest
Registered User
Posts: 40
Joined: Sat Dec 08, 2001 12:06 pm
Location: Ft. Lauderdaler, Florida
Contact:

Post by trancepriest » Tue May 07, 2002 10:28 pm

The same thing happened to me... read below:

I'm hosting phpbb 2.0 on Windows 2000 Advance Server with all security patches updated. Running mysql 3.23.47-nt and php 4.2. Since May 6th all forums, messages and users have been deleted. Whenever I load the back up, it gets deleted too. I changed the database username and password and for almost 18 hours no forums or users were deleted. Then on today May 7th everything was deleted again. I've checked my server for any viruses and reinstalled phpbb 2.0. No success with preventing the board from being deleted. I checked my IIS logs and I don't see any hack attempts. Could this be a problem in the script... by the way I have pruning turned off. And I'm running my server on a stand alone system.

my board: http://myscene.urbanrave.com
It always post this message when the board gets deleted: This is an example post in your phpBB 2 installation. You may delete this post, this topic and even this forum if you like since everything seems to be working!

Any help would be appreciated.

AL
Registered User
Posts: 442
Joined: Tue Jul 03, 2001 10:21 pm
Location: Texas Ya'll

Post by AL » Tue May 07, 2002 11:12 pm

sounds like someone is reinstalling it behind your back... but in order to do that they would have to edit/delete the config.php file. after you get it back in working order try renaming install.php to something else, or delete it since it's not needed any more. also you can delete upgrade_to_FINAL.php

also i'd suggest making config.php file read only.

if someone is still getting in and changing stuff then sounds like your computer/server got hacked, and they got your ftp password (just a guess)
"A nerd is someone whose life is focused on computers and technology, but a geek is someone whose life is focused on computers and technology and LIKES it that way."

User avatar
trancepriest
Registered User
Posts: 40
Joined: Sat Dec 08, 2001 12:06 pm
Location: Ft. Lauderdaler, Florida
Contact:

Post by trancepriest » Tue May 07, 2002 11:39 pm

Thank you for the advice... I believe that your right. I have made the changes deleted install.php and the upgrade file. I have a little problem making the config.php a read only file... damn computer won't allow it... but I'm sure I will figure that out.

OK... with the install.php and upgrade file on the server like it was before... how's it still possible for someone to screw up my board... don't they still need the user name and password? Just wondering.

User avatar
trancepriest
Registered User
Posts: 40
Joined: Sat Dec 08, 2001 12:06 pm
Location: Ft. Lauderdaler, Florida
Contact:

Post by trancepriest » Wed May 08, 2002 12:05 am

2002-05-07 16:56:12 67.234.71.40 - 208.63.225.102 80 GET /install.php - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

2002-05-07 16:56:18 67.234.71.40 - 208.63.225.102 80 POST /install.php - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

It seems that you were correct. I just noticed these two lines in my log file. I did a trace route on the IP and found out it was coming from Dallas, Texas. Strange coincidence since my competitor is in Dallas, Tx.

eXplosive
Registered User
Posts: 368
Joined: Mon Mar 04, 2002 4:03 am
Contact:

Post by eXplosive » Wed May 08, 2002 2:08 am

trancepriest wrote: It always post this message when the board gets deleted: This is an example post in your phpBB 2 installation. You may delete this post, this topic and even this forum if you like since everything seems to be working!
You should remove the install.php file and any other files related to installing and upgrading after you have installed your board.

Locked

Return to “2.0.x Support Forum”