Baffled

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
yzf-r1
Registered User
Posts: 46
Joined: Fri Sep 10, 2004 4:38 pm

Post by yzf-r1 »

Hi Folks,

Upgraded from 2.0.11 to 2.0.13 and all was well.
Then I logged back online a few hours later to find this offending code on my index.php, which uses the phpBB fetchall mod, as follows in the head:

<style>#forumbbot {display:none;}</style><div id=forumbbot><a href=http://www.elite-charms.com/>italian charms</a></div>

I apologise for posting this issue here as I'm aware fetchall is not supported here, but can anybody tell me where this code or bot? could be hidden in my root?

I have deleted the server's phpBB files and re-uploaded my local copy of my phpBB forum. I have also deleted and replaced the language folder along with all the fetchall folders.

Can anybody help me please?

Many thanks in advance.

yzf-r1
Registered User
Posts: 46
Joined: Fri Sep 10, 2004 4:38 pm

Post by yzf-r1 »

Oh meant to add.

The code is displayed like this at the top of the page as you see it online, and I cannot find it in code view using any editors.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Check your phpbb_config table, rather than the code. Sounds like someone had access to your database.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

HSQB
Registered User
Posts: 1
Joined: Sun Mar 13, 2005 1:24 am

Post by HSQB »

I am having this same problem, and if you google for "forumbbot" you will find that it is on numerous phpBB installations. espicom, can you explain what checking that table entails, and what I'm looking for, exactly?

On my site, the code doesn't display anything to site users on Firefox or IE but there is a link labeled "italian charms" and going to elite-charms.com, a site that uses spam registration bots, when I view my site from a barebones cell-phone browser, and I see the same code that yzf-r1 posted when I view the source of the forum index, but I can't figure out what php file it's coming from. I'm puzzled as to how user registrations might be connected to this.

filbert
Registered User
Posts: 2
Joined: Wed Mar 16, 2005 12:58 am

Post by filbert »

The same thing has happened to my site today.

The spam link has somehow been added to the site description, so it will display anywhere the site description is shown.

To remove it just go to configuration, in the admin panel and edit the site description.


I have the latest version of PHPBB so presumably this is a new vulnerability that's being exploited.


yzf-r1
Registered User
Posts: 46
Joined: Fri Sep 10, 2004 4:38 pm

Post by yzf-r1 »

As espicom kindly replied:

The code was placed in the database in the site's description, but I had to scroll way down low to find it.

Must add btw that overwriting the overall_header made no difference. It was all database hacking.
Need to learn now how to encrypt my database username and password lol

custmguru®
Registered User
Posts: 233
Joined: Wed Apr 10, 2002 6:06 pm
Location: Somewhere, Over the rainbow
Contact:

Post by custmguru® »

It got me too. I spent 20 minutes scrolling through the code and couldn't see where it was coming from. I was in the database and happened to notice it.

skuipers
Registered User
Posts: 648
Joined: Sun Jan 16, 2005 9:53 pm
Location: Delft, The Netherlands

Post by skuipers »

Please investigate your phpMyAdmin security. Quite often this is a loophole to enter the database.
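
The check the replies above arrive at (look in the phpbb_config table rather than in the PHP files), as an added example that is not part of the original thread or of phpBB itself: it flags config rows whose value contains HTML, CSS hiding, or a long whitespace run that pushes content out of view in the admin form. An in-memory SQLite table with constructed rows stands in for the board's MySQL database, and the table name, the patterns and the placeholder link are assumptions.

```python
import re
import sqlite3

# Patterns that should not occur in plain-text settings such as site_desc.
# The list is an assumption for this example; extend it for your own board.
SUSPICIOUS = [
    ("html tag", re.compile(r"<\s*(a|div|style|script|iframe|span)\b", re.I)),
    ("hidden by CSS", re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)),
    ("whitespace padding", re.compile(r"\s{20,}")),
]

def audit_config(conn, table="phpbb_config"):
    """Return {config_name: [reasons]} for every row whose value looks injected."""
    if not re.fullmatch(r"\w+", table):  # table prefix varies per install
        raise ValueError("unexpected table name")
    findings = {}
    query = f"SELECT config_name, config_value FROM {table}"
    for name, value in conn.execute(query):
        reasons = [label for label, rx in SUSPICIOUS if rx.search(value or "")]
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_db():
    """Constructed sample data modelled on the snippet quoted in the thread."""
    injected = ("<style>#forumbbot {display:none;}</style>"
                "<div id=forumbbot><a href=http://www.example.invalid/>"
                "link text</a></div>")
    rows = [
        ("sitename", "My Forum"),
        # Padding mirrors "had to scroll way down low to find it".
        ("site_desc", "A board about bikes" + "\n" * 40 + injected),
        ("board_email_sig", "Thanks, The Management"),
        ("board_disable", "0"),
    ]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_config "
                 "(config_name TEXT PRIMARY KEY, config_value TEXT)")
    conn.executemany("INSERT INTO phpbb_config VALUES (?, ?)", rows)
    return conn

if __name__ == "__main__":
    for name, reasons in audit_config(build_sample_db()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Against a live board the same SELECT would be run through a MySQL client; any flagged row should be compared with a known-good backup before it is edited.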
