The Bad Astronomer wrote:
OK then, that's gotta be it, at least in some cases.
If your board is under this attack, then you must look for that file. What's going on is that the hacker is using it to change files on your site.
The file can be named anything. In my case, it was newsletter.php, which was pretty evil, because I have several newsletter files [edited to add: I didn't even find the file: my webhost, BlueVirtual, found it when I enlisted their help]. I also found an identical file named functions_topic.php. I downloaded (but didn't install) the entire phpBB 2.0.11 file structure to check, and saw no files named newsletter.php or functions_topic.php, so I knew I had it.
You can find the files if you have direct access to them via a shell. Once I found one of the files, I searched in it for a line that was unique enough to distinguish it from other files. By searching all my files for that line, I was able to find the second copy.
If you have shell access to your files, then go to your top html directory (not just your top phpBB directory!), and type this:
grep -R eregi * | grep unix
This will search through all your directories, going through the files and looking for the word "eregi"; then when it finds it it looks for the word "unix" (since "eregi" appears in legitimate files, looking for "unix" nails it).
Any file you find doing this is likely to be the backdoor file. If you find any files, then look at the first few lines. Here is what the evil file's first lines look like:
header("Content-disposition: attachment; filename=\"$download\";");
$copyr = "<center><a href=http://nst.e-nex.com
target=_blank>nsTView $ver<br>o... Network security team ...o</a>";
If you see this, then delete the file! It's allowing the hacker access to your files. If you feel uncomfortable deleting it, then send it to Graham or one of the other admins for confirmation.
If you don't have shell access to your files, then maybe you can gzip them up, transfer them to your home computer and look at them there. Use the "search" function to look through them for those words.
Note: just upgrading to 2.0.11 will not solve your problem if you still have copies of this file on your system!
I cleaned off my files yesterday, and have not had any problems since. I upgraded to 2.0.11 and changed my passwords, just to be safe. I suggest you do too.
Finally, I'll note that this may not be everyone's problem, but it was certainly mine, and it looks like EternalOne's as well. So maybe this will help some folks.
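The two checks the post describes (searching the whole web root for files that contain both "eregi" and "unix", and comparing the site's file list against a clean phpBB 2.0.11 download), as an added example that is not part of the thread or of the phpBB project: a POSIX sh script that builds a constructed, throwaway directory tree holding a legitimate file that calls eregi(), an unrelated file outside phpBB that mentions unix, and two copies of a harmless marker-only stand-in for the planted file, then runs both checks over it. The directory layout, the file contents and the function names find_both_markers and unexpected_files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): the post's two checks as reusable
# functions, run against a constructed throwaway tree so it works anywhere.
set -eu

# find_both_markers DIR WORD1 WORD2
# Print (sorted) every file under DIR whose contents contain both words.
# The post's one-liner prints matching lines; -l prints file names only,
# which is easier to act on across a large tree. Both words are required:
# "eregi" alone is in legitimate phpBB code, "unix" alone is in other files.
find_both_markers() {
    dir=$1; w1=$2; w2=$3
    grep -r -l -- "$w1" "$dir" 2>/dev/null | while IFS= read -r f; do
        grep -q -- "$w2" "$f" && printf '%s\n' "$f"
    done | sort
}

# unexpected_files CLEAN_DIR SITE_DIR
# Print relative paths that exist under SITE_DIR but not under CLEAN_DIR:
# the "is this file in a fresh 2.0.11 download?" check from the post.
# Uses temp files because comm needs two sorted lists and process
# substitution is not POSIX sh.
unexpected_files() {
    clean=$1; site=$2
    a=$(mktemp); b=$(mktemp)
    (cd "$clean" && find . -type f | sort) > "$a"
    (cd "$site" && find . -type f | sort) > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# ---- constructed demo tree (assumed layout, not a real site) ----
DEMO=$(mktemp -d)
mkdir -p "$DEMO/clean/phpBB2/includes" "$DEMO/site/phpBB2/includes" "$DEMO/site/other"

# Legitimate file shipped with the board: calls eregi() but never says "unix".
cat > "$DEMO/clean/phpBB2/includes/functions.php" <<'EOF'
<?php
function check_name($name) { return eregi("^[a-z0-9_]+$", $name); }
EOF
printf '<?php\n// front page, nothing of interest\n' > "$DEMO/clean/phpBB2/index.php"

# The live site starts as an exact copy of the clean install ...
cp "$DEMO/clean/phpBB2/includes/functions.php" "$DEMO/site/phpBB2/includes/functions.php"
cp "$DEMO/clean/phpBB2/index.php" "$DEMO/site/phpBB2/index.php"

# ... plus an unrelated file outside the phpBB directory that mentions
# "unix" only (why the search starts at the top html directory, and why
# a single word is not enough to flag a file).
printf '<?php\n// this script assumes a unix host\n' > "$DEMO/site/other/info.php"

# ... plus two copies of a constructed stand-in for the planted file. It
# carries only the two marker words and no functionality at all; the names
# are the ones the post reports finding.
printf '<?php\n// constructed marker only: eregi unix\n' > "$DEMO/site/phpBB2/newsletter.php"
cp "$DEMO/site/phpBB2/newsletter.php" "$DEMO/site/phpBB2/includes/functions_topic.php"

echo "Files under the web root containing both markers:"
find_both_markers "$DEMO/site" eregi unix
echo "Files in the live phpBB directory that a clean 2.0.11 tree does not have:"
unexpected_files "$DEMO/clean/phpBB2" "$DEMO/site/phpBB2"
```

Against a real site, call find_both_markers on the document root (not just the phpBB directory, as the post says) and unexpected_files with the unpacked clean download and the live phpBB directory. Hits from the marker search still need a human look at their first lines, exactly as the post describes, because the two words can coincide in innocent code. The file-list comparison only catches files that were added; since the post says the planted file is used to change existing files, follow it with a content comparison of the two trees (for example `diff -rq CLEAN_DIR SITE_DIR`, ignoring your own config and template edits) before trusting the rest of the install.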