Page 1 of 1

DB phpbb_users deleted, possibility of having been hacked

Posted: Tue May 07, 2002 12:44 pm
by xtcdj
Hello everyone.

Seems I got hacked on MYSQL. Database phpbb_users has been deleted. I cannot access my forum. This is pissing me off. I have a backup that i created with phpbb2. How can I use this file to refix it. Please if anyone could help i'd appreciate it!

[edit] subject edited by AL [/edit]
[edit] and again by Homebrew after it was changed back to README NOW PLEASE! [/edit]

Posted: Tue May 07, 2002 12:49 pm
by zoid
Which version of phpbb2 are you running?

Alexander

Posted: Tue May 07, 2002 12:51 pm
by - szo2 -
Are you sure you are hacked? MySQL itself is almost impossible to hack... If it is phpBB that's hacked, that'd be a big issue. Can you post more details here? What phpBB version are you using? How many users had you board had?

For how to restore database:
Go into phpMyAdmin, click on your database at the left panel, cut & paste all the code to the textfield marked "Run SQL query/queries on table" on the right. Then click on "Go".

Posted: Tue May 07, 2002 2:23 pm
by Wert
Also, are you using shared hosting? And if so, do other people now what server you're on? If so, it's childs play to get your mysql info and p/w from your config file.

Note, this only applies to other people on your shared server and should hopefully be fixed when apache 2.0 comes out.

Posted: Tue May 07, 2002 9:15 pm
by xtcdj
Well finally I got hacked. thank god I had a backup. They drop my whole users data table. I went on and it was dissapeared. I am running PHPBBv.2 final.

Posted: Tue May 07, 2002 9:41 pm
by primedomain
You might check your log files (if you have access to them)...

Posted: Tue May 07, 2002 10:28 pm
by trancepriest
The same thing happened to me... read below:

I'm hosting phpbb 2.0 on Windows 2000 Advance Server with all security patches updated. Running mysql 3.23.47-nt and php 4.2. Since May 6th all forums, messages and users have been deleted. Whenever I load the back up, it gets deleted too. I changed the database username and password and for almost 18 hours no forums or users were deleted. Then on today May 7th everything was deleted again. I've checked my server for any viruses and reinstalled phpbb 2.0. No success with preventing the board from being deleted. I checked my IIS logs and I don't see any hack attempts. Could this be a problem in the script... by the way I have pruning turned off. And I'm running my server on a stand alone system.

my board: http://myscene.urbanrave.com
It always post this message when the board gets deleted: This is an example post in your phpBB 2 installation. You may delete this post, this topic and even this forum if you like since everything seems to be working!

Any help would be appreciated.

Posted: Tue May 07, 2002 11:12 pm
by AL
sounds like someone is reinstalling it behind your back... but in order to do that they would have to edit/delete the config.php file. after you get it back in working order try renaming install.php to something else, or delete it since it's not needed any more. also you can delete upgrade_to_FINAL.php

also i'd suggest making config.php file read only.

if someone is still getting in and changing stuff then sounds like your computer/server got hacked, and they got your ftp password (just a guess)

Posted: Tue May 07, 2002 11:39 pm
by trancepriest
Thank you for the advice... I believe that your right. I have made the changes deleted install.php and the upgrade file. I have a little problem making the config.php a read only file... damn computer won't allow it... but I'm sure I will figure that out.

OK... with the install.php and upgrade file on the server like it was before... how's it still possible for someone to screw up my board... don't they still need the user name and password? Just wondering.

Posted: Wed May 08, 2002 12:05 am
by trancepriest
2002-05-07 16:56:12 67.234.71.40 - 208.63.225.102 80 GET /install.php - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

2002-05-07 16:56:18 67.234.71.40 - 208.63.225.102 80 POST /install.php - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

It seems that you were correct. I just noticed these two lines in my log file. I did a trace route on the IP and found out it was coming from Dallas, Texas. Strange coincidence since my competitor is in Dallas, Tx.

Posted: Wed May 08, 2002 2:08 am
by eXplosive
trancepriest wrote: It always post this message when the board gets deleted: This is an example post in your phpBB 2 installation. You may delete this post, this topic and even this forum if you like since everything seems to be working!
You should remove the install.php file and any other files related to installing and upgrading after you have installed your board.