phpbb v.2.0.13 ---> HACKED

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
PhySc0
Registered User
Posts: 141
Joined: Sun Feb 20, 2005 1:57 pm

phpbb v.2.0.13 ---> HACKED

Post by PhySc0 » Sat Apr 09, 2005 3:45 pm

Whilst using phpbb v.2.0.13 since I opened my board (3 weeks ago) I can confirm that it was hacked last night. My site was amongst a few hit in the same community.

So having had some faith and confidence in 2.0.13 I have nearly lost it all and ask that something be done about this security breach as a matter of urgency.

Want to see what the site looks like after it's been hacked?

Try here: www.yahoo-secrets.com (that WILL be fixed very soon). If it looks normal then I have fixed the issue, probably started again from scratch! :roll:

So BE WARNED - there are security holes in v.2.0.13 and they have been discovered....

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Re: phpbb v.2.0.13 ---> HACKED

Post by nurhendra » Sat Apr 09, 2005 3:59 pm

PhySc0 wrote: My site was amongst a few hit in the same community.


Not defending that phpbb is unhackable, etc, but from what you were saying, it is still possible that the one that got hacked is your community server. Maybe someone else is using an old version of something, which allows the hacker to enter the system directly to change stuff, including yours.
So, beware of any backdoors that the hacker might have planted somewhere outside your forum space. If this happened, then it doesn't matter what phpbb version you are going to use (2.0.14 to 2.0.100), the hacker can still access the shared space and do bad things to your space.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Sat Apr 09, 2005 4:03 pm

PhySc0 wrote: So BE WARNED - there are security holes in v.2.0.13 and they have been discovered....


While you may be right, all of the attacks I've read about so far require more than "just" PHPBB 2.0.13 to be successful.

Example: the "admin_styles.php" vulnerability referred to in several threads here requires that the attacker obtain admin rights by some method, and that the template directory permissions be set incorrectly, or the attack fails. The default install for PHPBB sets the permissions correctly, and the instructions include an admonition to verify those permissions.

Another attack requires that you have installed an insecure MOD, or the attack fails.

Still another requires that the admin password be subject to a dictionary attack, which will work against anything that has an insecure password.

And one published attack vector even includes the changes necessary to close the hole (two lines added to sessions.php). I suspect that just making sure that userID 2 isn't an administrator would blow up that attack, too.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

Kamejoko
Registered User
Posts: 6
Joined: Sun May 30, 2004 9:06 pm

Re: phpbb v.2.0.13 ---> HACKED

Post by Kamejoko » Sat Apr 09, 2005 4:07 pm

PhySc0 wrote: Whilst using phpbb v.2.0.13 since I opened my board (3 weeks ago) I can confirm that it was hacked last night. My site was amongst a few hit in the same community.

So having had some faith and confidence in 2.0.13 I have nearly lost it all and ask that something be done about this security breach as a matter of urgency.

Want to see what the site looks like after it's been hacked?

Try here: www.yahoo-secrets.com (that WILL be fixed very soon). If it looks normal then I have fixed the issue, probably started again from scratch! :roll:

So BE WARNED - there are security holes in v.2.0.13 and they have been discovered....


Do you have any proof that the hole is in phpBB (access log, secure log, ftp log...)?
That would make it much easier to find out the method of the attack, where the security hole really is and how to fix it.

PhySc0
Registered User
Posts: 141
Joined: Sun Feb 20, 2005 1:57 pm

Post by PhySc0 » Sat Apr 09, 2005 4:13 pm

When I say "in our community" I simply refer to the target userbase for the websites... the 3 websites that were hit last night all serve the same purpose, and are only connected through the people using the websites, they are not part of the same network.

So, can anyone advise on the steps I need to take in order to get the site back up?

It would be apparent the hacker has access to my database somehow?
When you load up my forum all you see is a plain black screen, and the page caption has been changed to advertise who did this (or who the hacker wanted blamed for who did this). Either way, anything you try to access inside the phpbb directory shows this same black screen...

What should I do ?

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Sat Apr 09, 2005 4:23 pm

If you have phpmyadmin, go through the config table, looking for invalid information. The important stuff is on the second and third pages. They like to insert meta commands for the host name, etc.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
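
The config-table review suggested in the post above can be scripted. This is an added example, not part of the original thread or of phpBB: it assumes the rows were exported from phpBB 2's `phpbb_config` table (columns `config_name`, `config_value`, default table prefix), the function name `audit_config` is hypothetical, and the sample rows, including the tampered values, are constructed.

```python
import re

# Constructed sample of (config_name, config_value) rows; tampered values are invented.
SAMPLE_ROWS = [
    ("sitename", "My Board"),
    ("site_desc", 'A forum<meta http-equiv="refresh" content="0;url=http://example.invalid/">'),
    ("server_name", "www.example.com"),
    ("script_path", "/phpBB2/"),
    ("cookie_domain", "example.com<script>"),
    ("board_email", "admin@example.com"),
    ("server_port", "80"),
]

# Any HTML tag opener or a javascript: URL inside a config value deserves a look.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:", re.I)

# Settings that end up in generated URLs and cookies should have a strict shape.
SHAPES = {
    "server_name": re.compile(r"^[A-Za-z0-9.-]+$"),
    "cookie_domain": re.compile(r"^[A-Za-z0-9.-]*$"),
    "script_path": re.compile(r"^/[A-Za-z0-9._/-]*$"),
    "server_port": re.compile(r"^[0-9]{1,5}$"),
}

def audit_config(rows):
    """Return (config_name, reason) for every value an admin should inspect by hand."""
    findings = []
    for name, value in rows:
        if MARKUP.search(value):
            findings.append((name, "contains markup"))
        elif name in SHAPES and not SHAPES[name].match(value):
            findings.append((name, "unexpected format"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_config(SAMPLE_ROWS):
        print(f"{name}: {reason}")
```

The output is a review list, not a verdict: a board that deliberately puts HTML in its site description will be flagged too.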

PhySc0
Registered User
Posts: 141
Joined: Sun Feb 20, 2005 1:57 pm

Post by PhySc0 » Sat Apr 09, 2005 4:39 pm

I currently am completely unable to access my database, my host is working on this issue as we speak. It appears this hack has somehow "locked" my database...

GamersConclave
Registered User
Posts: 2
Joined: Sat Apr 09, 2005 4:31 pm

Post by GamersConclave » Sat Apr 09, 2005 4:46 pm

I think mine was hacked, as well. I currently can't access it as an admin (doesn't recognise my user name or password). So far, all I can see is that all my posts are authored by 'User' and there's some Google click ads in one of the topics.

I have a backup on my hard drive, it's like a text file. How do I use it to restore my forums?

Yawner
Registered User
Posts: 2161
Joined: Fri Jul 16, 2004 10:19 pm
Location: London, UK

Post by Yawner » Sat Apr 09, 2005 4:55 pm

Hey dude... instead of saying there are holes in phpBB... tell us what they are??? I'm sure the developers hate to see you guys crying over this but there is not much they can do without help... all of the code they write works... maybe it is insecure in parts but until they are highlighted they have as good a clue as the rest of us...
Alan Kay : "The best way to predict the future is to invent it."
Support the OpenDocument Format!

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sat Apr 09, 2005 4:59 pm

my 2.0.13 was hacked 2 days ago too..and you guys also flamed me for no reason.. I had the latest version of everything installed..and only a few minor mods added that were not hackable. I still got hacked.. The reason we don't have any evidence is because HACKERS ARE NOT THAT STUPID... jesus, you guys are askin noob questions over and over..

My hacked website thread :

http://www.phpbb.com/phpBB/viewtopic.ph ... highlight=

I was actually lucky, I caught my hacker red-handed :

http://www.socom3.com/phpBB2/viewtopic. ... 1e0fdb5806

Yawner
Registered User
Posts: 2161
Joined: Fri Jul 16, 2004 10:19 pm
Location: London, UK

Post by Yawner » Sat Apr 09, 2005 5:02 pm

Hey dude... if 2.0.13 is hackable then y hasn't this forum been hacked??? i would have thought that this would be the first one to go....

It has NO MODS and it hasn't been hacked as yet.... Answer This dude...
Alan Kay : "The best way to predict the future is to invent it."
Support the OpenDocument Format!

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sat Apr 09, 2005 5:25 pm

who can i ask to do a vulnerability test on my site now?

since i had 2.0.13 and was still hacked... my forums are back up with ALL passwords changed from server to mysql to admin access..

This way u can find out for yourself..and if you are not able to find a vulnerability, and my site is hacked the next day... THEN we will know for sure.

my forums : http://www.socom3.com/phpBB2/index.php

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sat Apr 09, 2005 5:57 pm

i've just been hacked again...fuck

PhySc0
Registered User
Posts: 141
Joined: Sun Feb 20, 2005 1:57 pm

Post by PhySc0 » Sat Apr 09, 2005 6:41 pm

Yawner wrote: Hey dude... instead of saying there are holes in phpBB... tell us what they are??? I'm sure the developers hate to see you guys crying over this but there is not much they can do without help... all of the code they write works... maybe it is insecure in parts but until they are highlighted they have as good a clue as the rest of us...


Should we ask the hackers where the security holes are or should we turn on our psychic powers?

All I can tell you is that this somehow involved the hacker making himself admin, a friend of mine saw this right before his eyes. Also just prior to the site going down one of my admins changed to a moderator...

Doesn't take a scientist to work out what happened does it?
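
The privilege changes reported in this thread (an account becoming admin, an admin dropping to moderator, an admin login no longer recognised) can be confirmed by comparing a backup of the users table with the live one. This is an added example, not code from the thread or from phpBB: it assumes rows of `(user_id, username, user_level)` taken from phpBB 2's `phpbb_users` table, where `user_level` is 0 for a user, 1 for an admin and 2 for a moderator; `diff_privileges` is a hypothetical name and both snapshots are constructed.

```python
USER, ADMIN, MOD = 0, 1, 2  # phpBB 2 user_level values
LEVEL = {USER: "user", ADMIN: "admin", MOD: "moderator"}

# Constructed snapshots: BASELINE from a known-good backup, LIVE from the running board.
BASELINE = [(2, "Owner", ADMIN), (3, "Helper", ADMIN), (4, "Member", USER), (5, "OldMod", MOD)]
LIVE = [(2, "User", ADMIN), (3, "Helper", MOD), (4, "Member", ADMIN), (57, "newguy", ADMIN)]

def level_name(level):
    return LEVEL.get(level, f"level {level}")

def diff_privileges(baseline, live):
    """Return (user_id, finding) for every privilege-relevant change between snapshots."""
    old = {uid: (name, lvl) for uid, name, lvl in baseline}
    seen, findings = set(), []
    for uid, name, lvl in sorted(live):
        seen.add(uid)
        if uid not in old:
            # Accounts created since the backup only matter here if they hold privileges.
            if lvl != USER:
                findings.append((uid, f"new account '{name}' is {level_name(lvl)}"))
            continue
        old_name, old_lvl = old[uid]
        if lvl != old_lvl:
            findings.append((uid, f"{level_name(old_lvl)} -> {level_name(lvl)}"))
        if name != old_name and ADMIN in (lvl, old_lvl):
            findings.append((uid, f"admin renamed '{old_name}' -> '{name}'"))
    for uid, (name, lvl) in sorted(old.items()):
        if uid not in seen and lvl != USER:
            findings.append((uid, f"{level_name(lvl)} '{name}' missing"))
    return findings

if __name__ == "__main__":
    for uid, finding in diff_privileges(BASELINE, LIVE):
        print(uid, finding)
```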

Keith W
Registered User
Posts: 1025
Joined: Mon Dec 13, 2004 6:14 pm

Post by Keith W » Sat Apr 09, 2005 6:43 pm

Didn't you use a database saved from a pre 2.0.13 and upload it to a fresh 2.0.13 PHPBB?
