My Forum is Hacked - Please Help - Urgent!!!

Posted: Fri Jan 13, 2006 6:31 pm
by sunilvarma
hi all

my forum (2.0.19) is hacked

i don't know how - but someone managed to delete the attachments from the posts, put a few ........... in the topic title and in the post body

now i closed the forum and found 2 ips which caused the havoc

i tried to ban the ips range

will it take place immediately or will it take some time?

can i open my forum now or should i keep it closed?

how actually can anyone do that??

any bug or a hole in the code??

please help - it's urgent...........

:cry:

Posted: Fri Jan 13, 2006 6:34 pm
by cfbmedia
The bannings will take place immediately.

Best bet is if they hacked it the only thing you would have to do is re-copy the "index.php" file back in your phpbb folder or whatever folder your forum is located.

(happened to me once, and that is all i had to do)

Posted: Fri Jan 13, 2006 6:37 pm
by sunilvarma
they didn't hack my index page

they are just editing all the posts with attachments

i'm getting really tensed....

Posted: Fri Jan 13, 2006 6:38 pm
by cfbmedia
sunilvarma wrote: they didn't hack my index page

they are just editing all the posts with attachments

i'm getting really tensed....


okay, something i haven't dealt with...I am not a PHPBB guru by any means though...good luck.

Posted: Fri Jan 13, 2006 6:46 pm
by RCP
Are you sure it is a hack? Because anyone that would hack it, would destroy it. Maybe the upgrade to .19 did not go according to plan, and files are corrupt or damaged/missing?

Posted: Fri Jan 13, 2006 6:52 pm
by zlisiecki
what phpbb version do you use? the exact knowledge is important for the community.

if somebody is writing your files and you don't have control over it the best thing to do is reformat the disk !!!
yet before reformatting make an exact copy, or just buy a new disk.
1. install www server (apache) chrooted
2. install mod_security
3. edit php.ini and exclude unnecessary functions
4. install newest phpbb version
5. ask users to change passwords
6. analyse the method of hacking
7. observe new forum and report here
8. disconnect dangerous IPs like some networks from china, taiwan, etc

Posted: Fri Jan 13, 2006 6:55 pm
by sunilvarma
i updated to 2.0.19 a week ago

so that's not the prob

i just had this issue yesterday

but didn't observe it

today more damage was done - so i realised

and one more thing

in the forum permissions - i set edit status to REG

does that mean all regd user can edit or only the poster can edit?

please help...

thanks in advance

:(

Posted: Fri Jan 13, 2006 6:59 pm
by RCP
only the poster can edit a post. It sounds like a bad sql table, or a problem with the way something was copied or a mod gone wrong. I very much doubt it is hacked sorry to say. I can understand how you think so. Try replacing the files that are damaged, and reopen it. Keep the ips banned if it pleases you but i imagine you will be ok.

what is your forum, or what is the screen shots of the problems

Posted: Fri Jan 13, 2006 7:05 pm
by Jim_UK
zlisiecki wrote: what phpbb version do you use? the exact knowledge is important for the community.

if somebody is writing your files and you don't have control over it the best thing to do is reformat the disk !!!
yet before reformatting make an exact copy, or just buy a new disk.
1. install www server (apache) chrooted
2. install mod_security
3. edit php.ini and exclude unnecessary functions
4. install newest phpbb version
5. ask users to change passwords
6. analyse the method of hacking
7. observe new forum and report here
8. disconnect dangerous IPs like some networks from china, taiwan, etc


What is all this about?
Reformat the disk! Buy a new disk!

Please ignore this advice and read this http://www.phpbb.com/phpBB/viewtopic.php?t=343745

Jim

Posted: Fri Jan 13, 2006 7:06 pm
by sunilvarma
thanks a lot Jim_UK

i posted a support request to the IIT

hope this helps...

Posted: Fri Jan 13, 2006 7:12 pm
by Jim_UK
Please read this http://www.phpbb.com/phpBB/viewtopic.php?t=343745
For users that believe their boards have been compromised there is a new team that investigates.

Jim

Posted: Fri Jan 13, 2006 7:15 pm
by igeoffi
8. disconnect dangerous IPs like some networks from china, taiwan, etc

umm
actually
the more well noted hackers are from europe and russia :)
no need to be racist

Posted: Fri Jan 13, 2006 7:18 pm
by Jim_UK
The correct advice has been given in my previous post(s). There is now an incident investigation team.

Locked