NeverEverNoSanity worm

Posted: Tue Dec 21, 2004 11:42 am
by blackpudding
Help!

My forum was hacked yesterday and all the PHP and index.htm files on my site replaced by the NeverEverNoSanity page. I deleted all the files and replaced with backups and checked here for a new version of the forum. This morning I spent a couple of hours upgrading from version 2.0.10 to 2.0.11 (a long job as my forum is heavily modified).

The next thing I know is the forum is disabled at the server and I received this email message from my host's abuse department:
"You have not upgraded phpBB and the result is our server has been breached. We have suspended access to your forum to prevent the hacker re-gaining access.

You must not re-enable this forum as it has serious security holes."

My question is, does version 2.0.11 fix the problem with NeverEverNoSanity worm? My host denies any responsibility for the security breach and I may end up losing the (expensive) hosting that I have for my forum (16500 members). I don't want to risk re-enabling the forum (if I even can?) if it means I lose my host, but I really want to get the site back online...

Not what I wanted for Christmas :cry:
BP

Re: NeverEverNoSanity worm

Posted: Tue Dec 21, 2004 12:58 pm
by filosganga
blackpudding wrote: Not what I wanted for Christmas :cry:


I can easily imagine that. :(

Could the phpBB support team kindly post a short answer?

Posted: Tue Dec 21, 2004 1:11 pm
by battye
I assume 2.0.11 would resolve that issue unless:

1) There is a new exploit phpBB is unaware of
2) It is the PHP version, in which there are a few security issues (which has nothing to do with phpBB)

What PHP version do you run?

Posted: Tue Dec 21, 2004 4:55 pm
by blackpudding
battye wrote: What PHP version do you run?

My PHP is Version 4.3.4 and my host is now claiming that it isn't possible to upgrade to a later version on their RAQ550 servers! From what I've seen in other posts here version 2.0.11 of the forum still isn't safe with older PHP versions so there is no way I can reopen. I'm looking for another host but it took 2 years to get a reliable one so this is a major headache :?

Cheers,
BP

Re: NeverEverNoSanity worm

Posted: Tue Dec 21, 2004 5:03 pm
by erasethefear
filosganga wrote:
blackpudding wrote: Not what I wanted for Christmas :cry:
My exact thoughts when this happened to me... I'm trying to restore mine right now.

Posted: Tue Dec 21, 2004 5:14 pm
by scrxbandit
OK, I know I'm an idiot, but neither I nor any of the other admins on my forum backed up the database. Is there any way to retain the information on the forum, or is it all lost?

Posted: Tue Dec 21, 2004 5:24 pm
by theirish
Hi guys, let's share this pain... I keep recovering from this disaster at least 8 times a day... my provider says they'll try to do whatever they can since the problem must be the PHP exploit. Upgrading phpBB to 2.0.11 fixes other bugs, but does not protect you from this damn worm.

Anyway, let's cheer up, IT MUST BE A DAMN GOOD CHRISTMAS! at least.

* * *
www.ciscoforums.it
* * *

Posted: Tue Dec 21, 2004 5:28 pm
by wolfpack1215
Same thing happened to me also. Lost all my pages too. Any suggestions? I take it I shouldn't bother reinstalling right now then....... :(

Posted: Tue Dec 21, 2004 5:30 pm
by brakkums
This is the only info I can find. Anybody seen any more?

http://www.kaspersky.com/news?id=156681162

Posted: Tue Dec 21, 2004 5:37 pm
by ednerd
There's more information at F-Secure's weblog:
http://www.f-secure.com/weblog/

Posted: Tue Dec 21, 2004 5:50 pm
by wolfpack1215
Thanks for the info. It explains a lot. Don't these people have hobbies???

BTW, can anyone point me to a more detailed installation guide for a newbie? Someone installed it for me originally and now I'm stuck on the install screen, I keep getting error messages about MySQL. The flash tutorial doesn't help.

Posted: Tue Dec 21, 2004 5:57 pm
by Steeldogs
blackpudding wrote:
What PHP version do you run?

My PHP is Version 4.3.4 and my host is now claiming that it isn't possible to upgrade to a later version on their RAQ550 servers! From what I've seen in other posts here version 2.0.11 of the forum still isn't safe with older PHP versions so there is no way I can reopen. I'm looking for another host but it took 2 years to get a reliable one so this is a major headache :?

Cheers,
BP


Check your inbox here

Posted: Tue Dec 21, 2004 6:11 pm
by SniperGuy
My provider is running 4.3.10 php. I'm hearing a lot of reports of this worm, this worries me greatly. I've got 2.0.8 running, do I need to upgrade? And is there a way to do so without blowing my mods and stuff all to hell? :(

Posted: Tue Dec 21, 2004 6:18 pm
by filosganga
SniperGuy wrote: My provider is running 4.3.10 php. I'm hearing a lot of reports of this worm, this worries me greatly. I've got 2.0.8 running, do I need to upgrade? And is there a way to do so without blowing my mods and stuff all to hell? :(


Immediately upgrade to phpBB 2.0.11.

Posted: Tue Dec 21, 2004 6:23 pm
by brakkums
Will my site be safe if I just make this change?
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513