Forum Hacked by someone

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
WayneRooney
Registered User
Posts: 1
Joined: Sun Nov 21, 2004 7:07 pm

Forum Hacked by someone

Post by WayneRooney »

Hello All,

It seems that someone hacked my forum. He only changed my Index, I still have all my messages etc. What should I do to put my index back? And how to trace this guy?
bico
Registered User
Posts: 385
Joined: Thu Aug 12, 2004 6:39 pm
Location: Stockholm, Sweden.
Contact:

Post by bico »

I'm sorry to hear that your board has been hacked.

If your index is the original phpBB index.php then just reupload it.
CaptSpike
Registered User
Posts: 50
Joined: Fri Feb 20, 2004 11:07 pm

Me too

Post by CaptSpike »

As of this morning when you go to our index page Virus scan alerts of a trojon having been deleted.
How do I fix this and how do I prevent it in the future?
I do have a .tar back up. Can I fix it using that without losing posts?
Thanks,
Mark
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

What version of phpBB were you using? If you have a clean backup, that you know is clean before the attack, reupload that, and immediately move to 2.0.11 if you haven't already. Also, can you pm me the url to your site?
Proven Offensive Security Expertise. OSCP - GXPN
CaptSpike
Registered User
Posts: 50
Joined: Fri Feb 20, 2004 11:07 pm

Virus

Post by CaptSpike »

I downloaded fresh back ups of my site and the bb. I extracted both to a folder and scanned the files for virus'. Said non found. So where is this virus coming from? My Host? It only alerts on my index page of the forums board no where else.
Thanks, for any help.
Mark
Saint Keith
Registered User
Posts: 56
Joined: Sat Aug 09, 2003 8:19 pm
Contact:

Post by Saint Keith »

I've had the same problem. The coding was hiding in my forum description. Go into your admin, then forum management and general forum settings and check for unwanted code in your forum descriptions. If it's there, delete it.

how it got there, I'll leave to the techies to work out.
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

As I told Saint Keith in his topic, CaptSpike has the same problem, exact same injected code. Once cleaned up and verified, immediately update to 2.0.11. This is imperative.
Proven Offensive Security Expertise. OSCP - GXPN
SSIN
Registered User
Posts: 10
Joined: Sun Nov 21, 2004 9:12 pm
Location: Ottawa, Ontario, Canada
Contact:

Post by SSIN »

I have the same problem too. From what I can figure it happened sometime last night. I am receiving several emails from my forum members (those running McAfee) complaining that they are receiving several pop-ups and it is freezing their internet.
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

SSIN wrote: I have the same problem too. From what I can figure it happened sometime last night. I am receiving several emails from my forum members (those running McAfee) complaining that they are receiving several pop-ups and it is freezing their internet.
Check the forum description for viewforum.php?f=1 in the admin panel. There you will find the code to remove. Then immediately update to 2.0.11 and run (and tell your users to run) a full manual virus scan on their pc's.
Proven Offensive Security Expertise. OSCP - GXPN
EGL-Anubis
Registered User
Posts: 140
Joined: Wed Nov 10, 2004 4:24 pm
Location: Sarcoughagus
Contact:

Post by EGL-Anubis »

You might not be able to find this using virus scanners....might wana get adware and spyware systems checking too...Trojan Horses these days are extremely difficult to get rid of...you can never been to careful.

I suggest considering Pest Patrol....no..its not free....but it works extemrely well.
===============================
Eclipse Gaming League
http://www.eclipsegamingleague.net
EGL - Web Hosting Services
EGL-Anubis
anubis@eclipsegamingleague.net
===============================
Saint Keith
Registered User
Posts: 56
Joined: Sat Aug 09, 2003 8:19 pm
Contact:

Post by Saint Keith »

Correct, it doesn't show up on virus scans. I downloaded my entire site and scanned it (not the database) and it came up clean.

It was just by blind luck that I checked the forum description in admin and found it there.

I'm using spybot and immunizing IE meant that I personally wasn't getting the trojan infecting my PC, but many of my users were.

I also think its fair to say that Firefox has got itself hundreds, if not thousands of new users in the past week. The Trojan does not work on FireFox
EGL-Anubis
Registered User
Posts: 140
Joined: Wed Nov 10, 2004 4:24 pm
Location: Sarcoughagus
Contact:

Post by EGL-Anubis »

Well well.....all i can say is..

THANK YOU MICROSHAFT

I was really tempted to point out that the other browsers...notably Firefox and i think Safari..are imune to the frame injection vunerability...but i wasnt to sure..guess my inital assumption was correct.

At least for firefox.
===============================
Eclipse Gaming League
http://www.eclipsegamingleague.net
EGL - Web Hosting Services
EGL-Anubis
anubis@eclipsegamingleague.net
===============================
SSIN
Registered User
Posts: 10
Joined: Sun Nov 21, 2004 9:12 pm
Location: Ottawa, Ontario, Canada
Contact:

Post by SSIN »

Techie-Micheal wrote:
SSIN wrote:I have the same problem too. From what I can figure it happened sometime last night. I am receiving several emails from my forum members (those running McAfee) complaining that they are receiving several pop-ups and it is freezing their internet.
Check the forum description for viewforum.php?f=1 in the admin panel. There you will find the code to remove. Then immediately update to 2.0.11 and run (and tell your users to run) a full manual virus scan on their pc's.


I am so sorry to waste your time, but is the Admin Panel through Vdeck? The gentleman that was looking after my Forum, etc. decided to go on to bigger and better things and other than the passwords, I am at a loss to find my way around in PHPbb yet. Again, please forgive my lack of knowledge.

Leslie
Saint Keith
Registered User
Posts: 56
Joined: Sat Aug 09, 2003 8:19 pm
Contact:

Post by Saint Keith »

If you are logged onto your forum as the Admin, then the link "Go to adminstration panel" will appear at the bottom of every page as you view the forum.

Click on that link

On the left hand side, click on "management" under the Forum Management menu

Then click on "Edit" against the first forum on your list.

It should then show your general forum settings with Forum Name, Description, Category, Pruning, and Forum Status. The virus code should be hiding in your forum description as a serious of numbers. Delete them all and hit the "update" button.
CaptSpike
Registered User
Posts: 50
Joined: Fri Feb 20, 2004 11:07 pm

Post by CaptSpike »

What is everyones host company? I wonder if we are all hosted by the same? Mine is Ipower.web.
Anyone else?
Mark
Locked

Return to “2.0.x Support Forum”