pbpbb v.2.0.13 ---> HACKED

[nurhendra]

Now that's BAD news.
Did you see anything unusual anywhere in di forum directories and database? Probably they planted a backdoor somewhere after their first hack. Check if there exists 777 permission on any of the files/directories.

Maaann.. we need to find the cause asap. If we can point where the entry was, then we can close it.

[dbdummy]

Mike, since you used your previous database. Not exactly a FRESH install...have you made sure that on the attack you had [when you had 2.0.8] that they did not make themselves an admin? use star's admin toolkit..someone here should be able to give you a link to it...at the moment, I am on my own quest for a MOD answer.

I don't doubt this version is hackable...but I think someone had admin rights to your board and you just don't know it. And, since I know you used your previous mysql database, they would still have admin rights.

[CLee]

See what happens when you stop flame baiting and provide information that is useful to solving the problem. You get a lot more cooperation from people.

Other things to check for, scrub your user list of anyone who shouldn't be an admin or moderator. Change your passwords again in the event he/she snagged a copy of your database. Back up config.php, delete all files in the forum directory and install a fresh copy to the server, then check the backed up copy of config.php for anything that sees to not belong there before uploading it back to the server. Make sure that there are not any unknown files or verify every file that has been recently modified anywhere on your website. Actually, if I had a pre-hacked version of the website on backup I would wiping out the entire website and upload the backup copy. And once again, check your webserver logs for any suspicious behavior around the time of all of the attacks. If it appears to involve phpBB, then post those portions of the logs to the security tracker for further evaluation.

[dbdummy]

Actually, whist searching for my mod, I came across the admin toolkit

http://www.phpbb.com/phpBB/viewtopic.php?t=232010

hth

[mikeinjersey]

have you made sure that on the attack you had [when you had 2.0.8] that they did not make themselves an admin? use star's admin toolkit..someone

bah, the last thing i want to do is add another modification when im trying to get arid of this hacking crap..

Isnt there another way to find out who all the admins are? and just make them moderators?

It seems like all he is doing is changing the title and description now.

[mikeinjersey]

My database is like a 100mb's.. Is there a way to analyze the individual database files so i could find out if there are any hidden admins? is there a specific file i should be looking into?

also, if anybody here would be willing to examine my database, i'd be happy to share... aslong as your an admin or something.

Im going to try a fresh new install again soon...

also, is it ok if i leave the 100mb database in place and install the fresh version of PHPBB2 on top?

or do i have to remove the database...except for the empty folder....and then install PHPBB2 ? The first time i did it...i only had the empty database folder..

[flogger12]

not sure what you mean by the database folder, the database is not in the phpbb folder or files. it is completely separate from the phpbb files.


that toolkit from starfox is not a MOD it is a very useful tool to check your database for admins that shouldn't be there, it runs independently of phpbb.

the things you describe are the exact things that version 2.0.13 fixed, that was the only thing that the upgrade from 2.0.12 did , was to close that vulnerablity.

you have to clean up your database before you can get past this, you can install phpbb 100 times but if you don't clean the database and/or the rest of your server, he will continue to get in and hack you.

get rid of every single admin that you find, register with a new name and then make that new name admin, (use a new password) then delete your old admin name and password.l


robert

[who_cares]

Actually, whist searching for my mod, I came across the admin toolkit

http://www.phpbb.com/phpBB/viewtopic.php?t=232010

hth

Give the toolkit a try on your main database.
Aslo create a new db and a fresh install without the banner. If that gets hacked then 2.0.13 in open to attack.
Otherwise You need to backup config.php and your images and re-upload the phpBB files, restore the backups, and comb through your database for security gaps.

[mikeinjersey]

i'll give the toolkit a try...

not sure what you mean by the database folder, the database is not in the phpbb folder or files. it is completely separate from the phpbb files.

What i mean is can i have the 100MB database in place while installing a fresh version of PHPBB2? Or does the MYSQL database have to be removed first before installing PHPBB2?

[who_cares]

does your host let you create multiple databases?

[mikeinjersey]

yea..please answer my first question first though.

[who_cares]

if you can have more than one db then simply create a 2nd db

[nurhendra]

Because the hacker only changed the site title and description, it seems like he/she can only access your site through your account, and not from the hosting because if he/she hacked your host then he/she should be able to just change the .php .tpl files directly.

So, the hacker changed the title/description, either from the ACP and/or from the database itself.

As many already suggested, make sure no one else is admin (use phpmyadmin and do sql: SELECT * FROM 'phpbb_users' WHERE user_level = 1

Also, change the password to your db (the one that shown in config.php). This way, hopefully, the hacker cannot reaccess your db again.
Then, password protect (using .htaccess) your /admin/ directory, with different user/pass. This way, even if the hacker have userlevel admin, then he/she still cannot access ACP.

And lastly, check the board file for strange files, i.e. a PHP file that didn't do anything but just doing sql update for a specific entry.

But importantly, keep us posted of what happened, so everything will be in the clear.

[PhySc0]

Seem's as though this topic I created really took off whilst I have been offline.

The mention of the "Black Label Crew".... Thats the retards that did this! for those of you who mentioned this name, I am assuming your saw the name in the page caption after the site was hacked? Can you tell me if there was another name there? Does anyone recognise "J_a_M_e_S" ?

I have decided to go the long route, and I have completely moved to a new much more secure host. I can tell anyone in detail how this hack occurs if they would like to contact me. I belive I have actually found the source of the hack, its displayed in balck and white on a website for all to see. The hack uses a MySQL injection to the viewtopic.php file, though clearly looking at this site, there is much vulnerablity in 2.0.13 and this is one of many hacks and exploits availible. Almost anyone can make themselves and admin....

What I found happened to my board was that the hacker made himself an admin and then created a new style he so conveniently called "BLAHHHH" which bassically made everything black, very very simple when you look at how its done!

Like I said I have moved to a more secure host/server and have created a new database, and a new version of phpbb installed. I then re-modified all the new files to make home for the MODS and used what I could of the old database to try and salvage my userbase.

[mikeinjersey]

As many already suggested, make sure no one else is admin (use phpmyadmin and do sql: SELECT * FROM 'phpbb_users' WHERE user_level = 1

Nurhendra, so does this mean i dont need to install this toolkit or whatever? I already have phpmyadmin installed.