Forum Hacked by someone

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Dark Side
Registered User
Posts: 21
Joined: Sun Jun 13, 2004 1:08 am
Location: Southeast, U.S.

Post by Dark Side »

Thank you very much for your time Graham. It worked. Now, do you have any smilies around here that emulate a dunce hat? :oops: Guess it was one of those "hiding in plain sight" things. Again, thank you. Seeing as it is getting late around your side of the pond, I'll bid you a good night!

Bikerboy, all I did was to re-upload the update_to_2011.php file to a directory I named "install" under my phpBB directory. Then went to my browser and typed in the path to it and hit GO. It worked...
Dark Side

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

It worked

Post by bikerboy1 »

Dark Side wrote: Thank you very much for your time Graham. It worked. Now, do you have any smilies around here that emulate a dunce hat? :oops: Guess it was one of those "hiding in plain sight" things. Again, thank you. Seeing as it is getting late around your side of the pond, I'll bid you a good night!

Bikerboy, all I did was to re-upload the update_to_2011.php file to a directory I named "install" under my phpBB directory. Then went to my browser and typed in the path to it and hit GO. It worked...


Dark Side: Have you checked to make sure the BB works properly? I'm just concerned that if some files are not there when it runs, that something will get messed up.

Dark Side
Registered User
Posts: 21
Joined: Sun Jun 13, 2004 1:08 am
Location: Southeast, U.S.

Post by Dark Side »

Yup...working like a charm. :wink:
Dark Side

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

OK THANKS

Post by bikerboy1 »

Dark Side wrote: Yup...working like a charm. :wink:


Here I go... I'll try it.

Dark Side
Registered User
Posts: 21
Joined: Sun Jun 13, 2004 1:08 am
Location: Southeast, U.S.

Post by Dark Side »

I PM'd you so let me know how it goes, ok?
Dark Side

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

Re: running script

Post by bikerboy1 »

bikerboy1 wrote:
Graham wrote: From what I can see you didn't run the file, but opened it in an editor.

To run it, you need to point your browser at www.domain.tld/phpBB2/install/update_to_2011.php
(substitute the correct path to the file)

Running this file will make the required changes whatever version you are on.


Graham, I did not use the text editor from V-deck, I clicked on the icon to PREVIEW my page. Would that not be the same as opening it in my browser? Other modifications such as visual confirmation have appeared on my new version. Does that not indicate that the script had run? How can we know if the script ran?


ANYONE else trying to use iPowerWeb's V-Deck to run the upgrade script may as well know that it does NOT work the same as running it from your browser! I just uploaded the INSTALL files again and ran the script again and now my version number has changed. I also saw the results of the script rather than the script code this time.

Thanks to all who helped this newbie with his upgrade. It was not that difficult to do, but it had to be done just right, and the instructions were more for people who had some idea of what they were doing.

Best of luck to everyone else who is new to this stuff.

Olezhik
Registered User
Posts: 18
Joined: Thu May 20, 2004 5:08 pm

Post by Olezhik »

I guess it's time to move on.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Olezhik wrote: I guess it's time to move on.
That wasn't a very productive post ... Care to elaborate?
Proven Offensive Security Expertise. OSCP - GXPN

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

anyone still getting virus attacks?

Post by bikerboy1 »

I just ran adAware and see that I've been hit with the VX2 virus a second time! I don't know how to track where it came from, and I read that iPowerWeb users were being hit with virus attacks. AVG never noticed it sneaking in, so I have no idea how long it has been there. I noticed instability in my browser only today, so I suspect I got infected today. I'm wondering if this is from iPowerWeb or some other site. I've only been on 5 sites today, so I'm going to visit each one with a scan between each. Then again, it could have come in on an e-mail.

VX2 is malware that tracks users' viewing habits, can install software, can capture personal information, and may cause browser instability.

EDIT: OK, I just ran through all the sites and no VX2 showed up???? I'm stumped. I even logged into iPowerWeb's V-deck and came out clean.

garble
Registered User
Posts: 129
Joined: Sat Dec 04, 2004 9:57 am

Post by garble »

My forum (version 2.0.8) got hacked, I've replaced hacked pages and upgraded to 2.0.11. I went searching through access logs and found one referral from http://www.zone-h.com/en/index . Sure enough I found my website listed there along with the hacker group.

Not that it's of any use to me, since I just realised the hacker group put their name on the hacked pages on my website anyway.

Can anyone recommend a good site or two to start reading if you know nothing about fixing hacked websites? I'm still at the stage of asking dim questions like should I change my passwords?

later, reading on through...
A_Jelly_Doughnut wrote: Maybe I've missed something, but accessing config.php shouldn't be even remotely an issue...

I would be more interested in requests to viewtopic.php?t=(number_here)&highlight=%27(stuff here)%27

That just reminded me, about a week ago my config.php file was replaced with one containing nonsense - and the forum crashed. I just uploaded a backed up version and everything was fine. But would I be correct in thinking that was probably related to the current hack? And do you want more information? And/or access logs?

Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK
Contact:

Post by Graham »

It is quite possible that it was related, yes.

OK, what should you be doing:
1. Make sure you change all your admin passwords, hosting passwords and database passwords
2. Check your site for any suspicious files that you don't recognise. There is a list earlier in this thread of what you should see in the phpBB directories
3. Check your forum for anyone with admin permissions who shouldn't have them (you can query the database for anyone with a user_level of 1 as indicated earlier in the thread)

We're happy to help you with analysing the logs, but if you want to have a look at them yourself, all the hack attempts will contain "highlight=%2527"
"So Long, and Thanks for All the Fish"
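
The log check Graham describes above, as an added example that is not part of the original thread: a small Python scanner that reports every request containing "highlight=%2527" and counts attempts per client address. The Apache combined log format, the sample lines, the documentation-range IPs and the placeholder payloads are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format is assumed; adjust the regex for other formats.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
MARKER = "highlight=%2527"  # the string named in the post above

# Constructed sample lines (documentation IP ranges, placeholder payloads).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2004:10:01:02 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=search+term HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Dec/2004:10:03:44 +0000] "GET /phpBB2/viewtopic.php?t=3&highlight=%2527.PLACEHOLDER.%2527 HTTP/1.0" 200 734 "-" "-"
198.51.100.7 - - [05/Dec/2004:10:03:49 +0000] "GET /phpBB2/viewtopic.php?p=9&highlight=%2527.PLACEHOLDER2.%2527 HTTP/1.0" 200 802 "-" "-"
192.0.2.10 - - [05/Dec/2004:10:05:00 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Dec/2004:11:00:00 +0000] "GET /phpBB2/config.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""

def find_highlight_attempts(lines):
    """Return one dict per request whose URL contains the marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or MARKER not in m["target"]:
            continue  # unparsable line or no marker in the request
        raw = m["target"].split("highlight=", 1)[1].split("&", 1)[0]
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "path": m["target"].split("?", 1)[0],
            # Decoded twice for display only: %2527 -> %27 -> '
            "decoded": unquote(unquote(raw)),
        })
    return hits

def summarize(hits):
    """Count attempts per client IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()

if __name__ == "__main__":
    found = find_highlight_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["time"], h["ip"], h["status"], h["path"], h["decoded"])
    print(summarize(found))
```

A match records an attempt, not a successful compromise; the timestamps are what to line up against changed files and new admin accounts.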


cyberCrank
Registered User
Posts: 68
Joined: Wed Jan 21, 2004 4:10 am
Location: Ethereal Bliss

Post by cyberCrank »

1b. and, for better security, do not sync passwords either to help mitigate collateral damage of related sites, servers, and host systems...
Help, at least do no harm

Locksmiff
Registered User
Posts: 104
Joined: Sat Nov 20, 2004 5:51 am

Post by Locksmiff »

cyberCrank wrote: 1b. and, for better security, do not sync passwords either to help mitigate collateral damage of related sites, servers, and host systems...
Can you explain that to me, or what the process is etc. I want to do it.
The internet is in the hands of idiots......

garble
Registered User
Posts: 129
Joined: Sat Dec 04, 2004 9:57 am

Post by garble »

Graham wrote: It is quite possible that it was related, yes.

OK, what should you be doing:
1. Make sure you change all your admin passwords, hosting passwords and database passwords
2. Check your site for any suspicious files that you don't recognise. There is a list earlier in this thread of what you should see in the phpBB directories
3. Check your forum for anyone with admin permissions who shouldn't have them (you can query the database for anyone with a user_level of 1 as indicated earlier in the thread)

We're happy to help you with analysing the logs, but if you want to have a look at them yourself, all the hack attempts will contain "highlight=%2527"

OK, thanks for your reply...

3. I found one attempt, what do I do with it? Access logs only cover a 24 hr period I think.

2. I deleted a whole bunch already from root/forum.
Presume you mean this topic...
http://www.phpbb.com/phpBB/viewtopic.ph ... 62#1333262
Extra files I have are:
error_log in root/forum and root/forum/admin
forum root/install.php - looks legitimate and is dated Sep 2002.
forum root/update.php and upgrade_to_202.php both from Aug 2002.
Admin, cache, db, docs ok.
images/ranks directory which I had added
images/gallery doesn't exist because I didn't install it,
includes/old versions of sessions.php I left after modifying original,
templates/subsilver/install.tpl from August 2002,
templates/subsilver/old overall_header.tpl because I added some code,
templates/subsilver/images/2 logos I uploaded.

1. Database password? Hmmm, that's the one in config.php right? I think I need to delete a user and recreate one (using cpanel), or do you know if I can do that with phpmyadmin?

garble
Registered User
Posts: 129
Joined: Sat Dec 04, 2004 9:57 am

Post by garble »

Locksmiff wrote:
cyberCrank wrote: 1b. and, for better security, do not sync passwords either to help mitigate collateral damage of related sites, servers, and host systems...
Can you explain that to me, or what the process is etc. I want to do it.

I presume s/he means not to have the same password for different functions/accounts/etc.
