Forum Hacked by someone

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
videocrafter
Registered User
Posts: 3
Joined: Sat Dec 04, 2004 12:39 am
Location: Louisville, Kentucky

Post by videocrafter »

I'm sorry to bother you all, but I'm at a loss. I've read through the first 8 pages of this thread and decided I needed to go ahead and upgrade from version 2.06 to 2.11.

I'm on Ipower web. I think it all went okay, at least I can access my board, but it still says it's using version 2.06.

I did almost everything the instructions said to do. I used an FTP program to delete all existing phpbb files under my /bb folder and I uploaded the new files. I then uploaded my old config.php file and tried to access my board.

I COULDN'T FIGURE OUT HOW TO RUN "INSTALL/UPDATE_TO_211.PHP" I mean I know where the file is, but how do I "RUN" it? I then tried to access my board and it told me to "Please delete the "INSTALL" and "CONTRIB" folders." Once I deleted those folders, I was able to access my board. Everything seems okay, all my members are there and I can access my admin panel, but it still shows I'm using version 2.06.

My board is located at http://videocrafter.com/v-web/bulletin/bb/index.php

I don't know how I got this message up here 3 times. It won't let me delete this one, just edit it?
Last edited by videocrafter on Sat Dec 04, 2004 5:46 pm, edited 1 time in total.
Web Cam Now On-Line
Ron- Chat Room - Web Site
Digital Creations Video Productions - Louisville, KY

cyberCrank
Registered User
Posts: 68
Joined: Wed Jan 21, 2004 4:10 am
Location: Ethereal Bliss

Post by cyberCrank »

Locksmiff -- do not sync (synchronize) means to make all related passwords for your site be different passwords (i.e., passwords for phpBB admins, FTP login, host server login, MySQL database login, etc.). Having different usernames also helps to mitigate security breaches.

videocrafter -- just "view" the upgrade file with your browser; it is in the /install directory, but delete any of those files when you finish with any install or upgrade.

Good Luck!
Help, at least do no harm

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

Help with upgrade

Post by bikerboy1 »

videocrafter wrote: I'm sorry to bother you all, but I'm at a loss. I've read through the first 8 pages of this thread and decided I needed to go ahead and upgrade from version 2.06 to 2.11.

I'm on Ipower web. I think it all went okay, at least I can access my board, but it still says it's using version 2.06.


Start here and read back a couple of pages. It is all explained. Except for what to do about the missing logo... I still have not got an answer to that question myself. Good luck. You can pm me if you really get stuck, but I'm a dummy here myself. :?
By the way... I bookmarked your site. I think the board is a great idea! I'll have to look for tips every so often, as I am an amateur videographer.

Dark Side
Registered User
Posts: 21
Joined: Sun Jun 13, 2004 1:08 am
Location: Southeast, U.S.

Post by Dark Side »

videocrafter - to run the install file (or execute it) you must type it into your browser like so: (except all together w/ no spaces)

http: // www .your site.com/forum/install/update_to_2011.php

Change out "yoursite" and "forum" for whatever you named yours like phpBB or boards, etc.

Then, after it runs (and hopefully shows "completed") you then go in and delete the install folder.

bikerboy - you still don't have the logo back? That's odd..
Dark Side

Zarkow
Registered User
Posts: 75
Joined: Sat Sep 14, 2002 5:21 pm

Post by Zarkow »

Was hit some day ago, updated to 2.0.11 and thought everything was going to be fine.

Was hit some 20 minutes ago, by the same guy (same tag).

Have gone through DB, no new users with strange IDs or levels. (via phpMySQL)

Have manually gone through the ftp ( http://www.phpbb.com/phpBB/viewtopic.ph ... 62#1333262 ) and couldn't find any files that didn't look like they should (all files have the correct timestamps since a move earlier this year, and a spoofed file cannot timestamp exactly on minute AFAIK unless the attacker would know in advance the exact time all the files were uploaded).

So, I'm out of clues.

The attacker goes by the nick 'salut' and I found some 5 other sites currently (as I type) being disabled due to admins trying to restore everything, via google-search. So I know I'm not alone.

Anyone know what the most common styles of entry are by this fellow or others?

How do I track it down and remove it?

Added: if it helps, the 'only' things that have happened so far are that configuration and section-names have been altered. Not sure if this is because of lack of access by the hacker or because he only wants to deface all sites.
phpbb_config and phpbb_categories are the only databases being affected 'so far'.

If he notices he can still alter those (and others) when he comes back the following evening (he seems to be following US time btw) he might do more harm.
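
An added example, not part of Zarkow's post or of phpBB: modification times can be set by anyone who can write to a file, so comparing content hashes of the downloaded site against a freshly unpacked copy of the same release is a stronger check than timestamps. The directory layout, the file names, the `expected_changes` parameter and the sample trees built in `demo()` are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root, expected_changes=("config.php",)):
    """Return sorted (modified, extra, missing) relative paths.

    Paths in expected_changes (site-specific by design) are skipped.
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in clean.keys() & live.keys()
                      if clean[p] != live[p] and p not in expected_changes)
    extra = sorted(p for p in live.keys() - clean.keys() if p not in expected_changes)
    missing = sorted(p for p in clean.keys() - live.keys() if p not in expected_changes)
    return modified, extra, missing


def demo():
    """Constructed sample trees: one altered file keeps its original mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"index.php": "<?php // board index\n",
                 "viewtopic.php": "<?php // topic view\n",
                 "install/update.php": "<?php // updater\n"}
        for root in (clean, live):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        (live / "install/update.php").unlink()           # removed after upgrade
        (live / "config.php").write_text("<?php // site settings\n")
        (live / "tmp_upload.php").write_text("<?php // not in the release\n")
        target = live / "viewtopic.php"
        stamp = target.stat().st_mtime_ns
        target.write_text("<?php // topic view, altered\n")
        os.utime(target, ns=(stamp, stamp))               # mtime put back
        return compare_trees(clean, live), target.stat().st_mtime_ns == stamp


if __name__ == "__main__":
    print(demo())
```

Files edited by installed MODs will also be listed as modified and need a manual diff against the MOD's instructions.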

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

running the install file

Post by bikerboy1 »

Dark Side wrote: videocrafter - to run the install file (or execute it) you must type it into your browser like so: (except all together w/ no spaces)

http: // www .your site.com/forum/install/update_to_2011.php

Change out "yoursite" and "forum" for whatever you named yours like phpBB or boards, etc.

Then, after it runs (and hopefully shows "completed") you then go in and delete the install folder.

Since you are on iPowerWeb, here is the actual line to type into your browser. Remember to remove the extra spaces. You can copy this then paste it into your browser and make the required changes. You do not need to put www in front of your domain name.

http :// videocrafter.com/v-web/bulletin/bb/install/update_to_2011.php

Locksmiff
Registered User
Posts: 104
Joined: Sat Nov 20, 2004 5:51 am

Post by Locksmiff »

Zarkow wrote: So, I'm out of clues.
The only thing I can think of, well 2. If you have a 2.11 and you know you have cleaned yourself of all possible ways in, etc. Then I am wondering can a MOD possibly reintroduce it again...........or there is another hole somewhere, in 2.11
The internet is in the hands of idiots......

Zarkow
Registered User
Posts: 75
Joined: Sat Sep 14, 2002 5:21 pm

Post by Zarkow »

Locksmiff wrote:
Zarkow wrote: So, I'm out of clues.
The only thing I can think of, well 2. If you have a 2.11 and you know you have cleaned yourself of all possible ways in, etc. Then I am wondering can a MOD possibly reintroduce it again...........or there is another hole somewhere, in 2.11


Perhaps. I think the fact that only categories (names) and config-info (e-mail message-row) was altered might be a clue as to what is still open.

Just to be sure I have demoted all Admins to mods until they are all back online and can change their passwords (it's 7am and I have been up since midnight with this). Changed my password too, in case my account has been compromised.

Have also downloaded all files from the ftp-server and done several scans with utils to find any 'fingerprints' that have been reported here, and I have come up with nothing.

cybrid3
Registered User
Posts: 1358
Joined: Sun Aug 22, 2004 4:25 am
Location: Midwest somewhere, I think...

Post by cybrid3 »

Check other files and folders other than phpbb?

Could be hiding somewhere else on your site for a backdoor....
--Never leave home without a towel and peril sensitive sunglasses!!

Zarkow
Registered User
Posts: 75
Joined: Sat Sep 14, 2002 5:21 pm

Post by Zarkow »

cybrid3 wrote: Check other files and folders other than phpbb?

Could be hiding somewhere else on your site for a backdoor....


Just manually went through all files to check them and found nothing.

I have also, now, renamed the directory containing phpMyAdmin, since it can be used for direct access to the database in case the attacker found the forum/config.php

Now it feels like a waiting-game...to see if there comes an axe in my back or not...


Added: Had issues with having to re-enter the admin-pages (being sent back to the forum) a lot, and just noticed that "Session length:" was set to "1". Put it back to 3600 (seconds) now - maybe this has been the case for some others that have had that issue lately (saw a few posts about problems logging in under 2.0.11).

bikerboy1
Registered User
Posts: 61
Joined: Tue Nov 30, 2004 12:13 am
Location: Vancouver, Canada

Post by bikerboy1 »

Zarkow wrote: Added: Had issues with having to re-enter the admin-pages (being sent back to the forum) a lot, and just noticed that "Session length:" was set to "1". Put it back to 3600 (seconds) now - maybe this has been the case for some others that have had that issue lately (saw a few posts about problems logging in under 2.0.11).


How exactly do you check and change the session length if you only have 1 second to do it?

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

bikerboy1 wrote:
Zarkow wrote: Added: Had issues with having to re-enter the admin-pages (being sent back to the forum) a lot, and just noticed that "Session length:" was set to "1". Put it back to 3600 (seconds) now - maybe this has been the case for some others that have had that issue lately (saw a few posts about problems logging in under 2.0.11).


How exactly do you check and change the session length if you only have 1 second to do it?
phpMyAdmin is generally the easiest way. :)
Proven Offensive Security Expertise. OSCP - GXPN

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek »

Techie-Micheal wrote: phpMyAdmin is generally the easiest way. :)


I hardly dare to mention it: You know that also phpMyAdmin had severe security holes? Please use only 2.6.0-pl3.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

tanrek wrote:
Techie-Micheal wrote: phpMyAdmin is generally the easiest way. :)


I hardly dare to mention it: You know that also phpMyAdmin had severe security holes? Please use only 2.6.0-pl3.
That's the user's responsibility. phpBB and phpMyAdmin are separate. Now, if we were developing phpMyAdmin here, that'd be different. ;) I'm not trying to be rude, but that really has no bearing here.
Proven Offensive Security Expertise. OSCP - GXPN

tanrek
Registered User
Posts: 219
Joined: Mon Sep 27, 2004 1:46 pm
Location: Germany, Offenbach

Post by tanrek »

Techie-Micheal wrote:
tanrek wrote: I hardly dare to mention it: You know that also phpMyAdmin had severe security holes? Please use only 2.6.0-pl3.
I'm not trying to be rude, but that really has no bearing here.


Then let me explain it more precisely: If hackers got access to your webspace using the phpBB highlight exploit, they might have analyzed your phpMyAdmin configuration. This means that even if you upgraded phpBB to 2.0.11, changed all your passwords, removed all backdoors and cleaned your files and database, you are still vulnerable if you use an old phpMyAdmin before 2.6.0-pl3. Perhaps this could explain why some people notice manipulations of their webspace even after upgrading phpBB.
Last edited by tanrek on Sun Dec 05, 2004 8:31 pm, edited 1 time in total.
