phpBB v.2.0.13 ---> HACKED

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sat Apr 09, 2005 6:45 pm

Psycho, the same exact thing happened to me... Even guests were able to post on my board, which I had disabled.. I wasn't even an admin anymore..

Oh well, I'm installing a fresh new version of 2.0.13 now.. prolly will get hacked again... and these guys will probably continue to say 2.0.13 is safe.

Keith W
Registered User
Posts: 1025
Joined: Mon Dec 13, 2004 6:14 pm

Post by Keith W » Sat Apr 09, 2005 6:47 pm

Didn't you use a database saved from a pre-2.0.13 install and upload it to a fresh 2.0.13 phpBB?

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Sat Apr 09, 2005 10:01 pm

Mike, since you are completely unwilling to provide the log files to the developers for them to check through, you should stop complaining. They won't have a clue where to begin until they see those log files and what you have been doing is utterly irresponsible.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

Anon
Former Team Member
Posts: 7019
Joined: Fri Jan 02, 2004 7:33 am
Location: Christchurch, New Zealand

Post by Anon » Sat Apr 09, 2005 10:11 pm

It's also highly likely that if you are on a shared server, another user has an insecure install running, and they hacked through that to attack every user. PHP is also running on your server. There was a security hole found in that, therefore that could be the issue. As has been said, until you provide some hard proof that phpBB was at fault, we will continue to disbelieve you. Simple as that

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Sat Apr 09, 2005 10:15 pm

Anon wrote: As has been said, until you provide some hard proof that phpBB was at fault, we will continue to disbelieve you. Simple as that

Actually, hard proof should go to the security tracker instead.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

Anon
Former Team Member
Posts: 7019
Joined: Fri Jan 02, 2004 7:33 am
Location: Christchurch, New Zealand

Post by Anon » Sat Apr 09, 2005 10:19 pm

By hard proof I mean logs etc :)

To anyone who got attacked: You aren't running the Download or calendar MOD, are you?

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sat Apr 09, 2005 11:15 pm

FRESH new install with NO modifications at all installed.. My own server with latest versions of PHP, MYSQL and PHPBB2 installed :

2.0.13

http://www.socom3.com/phpBB2/index.php

It's running ok at the moment... but last time I said this on here.. I was hacked 5 minutes later... let's see if it happens again... then all of u guys can shut up and acknowledge 2.0.13 is very hackable..

I'm also in IM contact currently with several other people who have been hacked with 2.0.13 also.

Seems like the "Black Label Crew" is hacking all the 2.0.13

confirmation :

http://www.socomcodes.com/vb/showthread ... socom3.com

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 12:05 am

I was just hacked again.. he changed the Title and Description by himself.. but was nice enough not to delete the database.

I'm AOL IM'n him now.. His screenname is Socom ZiNg

talk to him if u wish..

Him and the rest of the Black Label Crew are hacking sites with 2.0.13 installed left and right.

I installed a FRESH new copy... new passwords and everything... still got in.. I've had enough.

I've had enough of this... Is there a script out there to convert my PHPBB2 database from PHPBB2 to vBulletin?

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 12:18 am

I have some additional info guys...

This hack occurred IMMEDIATELY after I added my banner to the bottom of the overall_header.tpl file. My forum title and description were altered immediately after... I think this is where the hack is coming from.. I also talked to others that have 2.0.13 hacked.. and they also had banners in that file..

I removed the banner... and put the title and description back to what it was.. and haven't been rehacked yet...

This could be what needs to be patched.

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 12:36 am

The bottom of the overall_header.tpl file normally looks like this :



<img src="templates/subSilver/images/icon_mini_login.gif" width="12" height="13" border="0" alt="{L_LOGIN_LOGOUT}" hspace="3" />{L_LOGIN_LOGOUT}</a>&nbsp;</span></td>
</tr>
</table></td>
</tr>
</table>

<br />



As soon as i switched it to this :
<img src="templates/subSilver/images/icon_mini_login.gif" width="12" height="13" border="0" alt="{L_LOGIN_LOGOUT}" hspace="3" />{L_LOGIN_LOGOUT}</a>&nbsp;</span></td>
</tr>
</table></td>
</tr>
</table>

<br />

<center>

<!-- START RICH-MEDIA BURST! CODE -->
<script language="JavaScript">
rnum=Math.round(Math.random() * 100000);

document.write('<scr'+'ipt src="http://www.burstnet.com/cgi-bin/ads/ad8 ... /scr'+'ipt>');

</script><noscript><a href="http://www.burstnet.com/ads/ad8894c-map ... A|728x90A/" target="_top">
<img src="http://www.burstnet.com/cgi-bin/ads/ad8 ... A|728x90A/" border="0" alt="Click Here"></a>
</noscript>
<!-- FINISH RICH-MEDIA BURST! CODE -->


</center>

<br>



I was immediately hacked.. That's the code for my advertising banner, by the way...

How could just adding a banner to this file cause my title and description to be hacked? Maybe the javascript coding?
Last edited by mikeinjersey on Sun Apr 10, 2005 12:37 am, edited 1 time in total.
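
An added example, not part of the thread or of phpBB: script placed in overall_header.tpl runs on every page of the board, including pages an administrator views while logged in, so a board owner may want a list of every template line that loads script from another host. The check below also rejoins the split `'<scr'+'ipt'` form used in the banner above; the sample template, the host `ads.example`, the file `local.js` and the function name `audit_template` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the template change posted above.
# ads.example is a placeholder host, not the ad network's real URL.
SAMPLE_TPL = """<table><tr><td>{L_LOGIN_LOGOUT}</td></tr></table>
<br />
<center>
<script language="JavaScript">
rnum=Math.round(Math.random() * 100000);
document.write('<scr'+'ipt src="http://ads.example/cgi-bin/ads/tag.cgi?r='+rnum+'"></scr'+'ipt>');
</script>
<script src="templates/subSilver/local.js"></script>
</center>"""

# A quote, a plus sign and the same quote again: JS string concatenation
# that hides a tag name from naive searches ('<scr'+'ipt').
CONCAT = re.compile(r"""(['"])\s*\+\s*\1""")
# src attribute of an opening <script> tag (quoted or unquoted value).
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def audit_template(text, own_host):
    """Return (line_no, kind, detail) for script loaded from other hosts
    and for document.write() calls, which can inject further markup."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        joined = CONCAT.sub("", line)  # '<scr'+'ipt' becomes '<script'
        for url in SCRIPT_SRC.findall(joined):
            host = urlparse(url).netloc.lower()
            # Relative URLs have no host and are served by the board itself.
            if host and host != own_host.lower():
                findings.append((no, "external-script", host))
        if "document.write" in line:
            findings.append((no, "document.write", line.strip()[:60]))
    return findings


if __name__ == "__main__":
    # www.example.org stands in for the board's own hostname (assumption).
    for no, kind, detail in audit_template(SAMPLE_TPL, "www.example.org"):
        print(f"line {no}: {kind}: {detail}")
```

Running the same check over a pristine copy of the template set and over the live one shows which external script sources were added after installation.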

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Post by nurhendra » Sun Apr 10, 2005 12:37 am

That's a better start. Now we (believers and unbelievers) can narrow the bug hunt. :)

I'm just a bit confused. I thought adding an image banner to overall header is just adding an <IMG SRC=""> that points to a local image, right? Does phpBB do some image decoding when adding the tpl to the php page?

Or is it pointing to a shared ads/whatever server-generated image from somewhere else? If so, then maybe the hacker is actually using that server image to insert some backdoor codes? Thus, they actually need to hack the image server first, then reap the benefit (other sites) later?

Sorry for the (maybe) basic questions. I'm not that expert regarding this stuff.

-edit-
Oops. Asked too soon. Thanks for the code comparison. :)
Last edited by nurhendra on Sun Apr 10, 2005 12:44 am, edited 1 time in total.

flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 » Sun Apr 10, 2005 12:43 am

well, isn't that just amazing, seems that the hacker was getting in because of something you did to the phpbb code, not because .13 is vulnerable.


how can anyone expect the developers to be able to cover the possibility that someone will insert javascript or other things into the phpbb code that makes it open to hacking.


I believe I would contact whoever that ad script came from about this.


robert

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 12:45 am

flogger, is it possible that could have been how the hacker got in? realistically?

That is the default banner for Burst Media... Very popular advertising company.

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Post by nurhendra » Sun Apr 10, 2005 12:51 am

Realistically, yes. It is possible. Very popular doesn't mean very secure. :)
I am guessing the hack came from a weakness in the cgi script they are using. Because their script is not open source, thus we can't see what's wrong.

So, joy to the phpbb, we are still pretty safe, for now.. :)
Unless, if without that external banner, your site still got hacked.. :(

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 12:52 am

He just hacked me again.... without the banner installed... maybe after he got in initially, he was able to get in every time afterwards no matter what I had up?
