Another one bites the dust!

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
darkside76
Registered User
Posts: 4
Joined: Mon Jan 30, 2006 10:52 pm
Location: Bay Area, Ca

Another one bites the dust!

Post by darkside76 » Mon Jan 30, 2006 10:56 pm

Our forum was recently "hacked" and upon further investigation, this is a rather widespread issue:

source

There are thousands of sites affected. Any insight would be appreciated.

Thanks, -DS
Last edited by darkside76 on Tue Jan 31, 2006 12:20 am, edited 4 times in total.

m3zzr
Registered User
Posts: 435
Joined: Tue May 18, 2004 8:53 pm
Location: St. Helens, UK
Contact:

Post by m3zzr » Mon Jan 30, 2006 10:59 pm

If you are running an older version of the forum, then you should have updated to the latest version.

darkside76
Registered User
Posts: 4
Joined: Mon Jan 30, 2006 10:52 pm
Location: Bay Area, Ca

Post by darkside76 » Mon Jan 30, 2006 11:53 pm

m3zzr wrote: If you are running an older version of the forum, then you should have updated to the latest version.

Agreed... unfortunately, I am not in charge of the site in question.

darkside76
Registered User
Posts: 4
Joined: Mon Jan 30, 2006 10:52 pm
Location: Bay Area, Ca

Post by darkside76 » Mon Jan 30, 2006 11:57 pm

...
Last edited by darkside76 on Tue Jan 31, 2006 12:12 am, edited 3 times in total.

Bobble
Registered User
Posts: 3504
Joined: Thu Mar 24, 2005 12:51 pm

Post by Bobble » Tue Jan 31, 2006 12:00 am

Your site will need to be upgraded and traces of the hack removed. There are plenty of posts with advice on how to do this here so it really shouldn't be too much of a problem. Just get whoever admins the board to pay us a visit here and we'll sort things.

The script kiddies who do this sort of thing are in it for the 'fame'. As you have just posted their name over this board you have really made their day. As it really makes no difference which idiot attacked the board, please consider editing your posts to remove their name.

darkside76
Registered User
Posts: 4
Joined: Mon Jan 30, 2006 10:52 pm
Location: Bay Area, Ca

Post by darkside76 » Tue Jan 31, 2006 12:10 am

Apologies for the dupe comments... having some hiccups on my end it seems. I will inform the owner of the site. I will also :edit: as suggested. We are one of thousands of affected sites so I probably should not have created a new thread. Please delete or move as you wish.

Thanks!
-DS

Lumpy Burgertushie
Registered User
Posts: 66910
Joined: Mon May 02, 2005 3:11 am
Contact:

Post by Lumpy Burgertushie » Tue Jan 31, 2006 6:55 am

For anyone who cares, all of those sites that were hit by this were several versions out of date, like 8 or 10 versions out of date.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Niner
Registered User
Posts: 1
Joined: Wed Feb 22, 2006 10:12 pm

Please link to the pages that explain what to do

Post by Niner » Wed Feb 22, 2006 10:33 pm

Hi

I have been hacked by the same hacker, I would be glad if somebody could link to "There are plenty of posts with advice on how to do this" as bobble writes above.

Niels

Jim_UK
Former Team Member
Posts: 18478
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Re: Please link to the pages that explain what to do

Post by Jim_UK » Wed Feb 22, 2006 10:37 pm

Niner wrote: Hi

I have been hacked by the same hacker, I would be glad if somebody could link to "There are plenty of posts with advice on how to do this" as bobble writes above.

Niels


Please complete a report http://www.phpbb.com/support/incidents/add_report.php

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!

kustomrydes
Registered User
Posts: 5
Joined: Thu Aug 19, 2004 4:08 pm

Post by kustomrydes » Mon Mar 27, 2006 12:38 pm

Well, I am another one who got hit by ayyildiz team (ayyildiz-team.org) sometime after I went to bed last night.

I have been meaning to upgrade but never took the time to do so.
Version 2.0.8

http://car-sho.com/phpBB2/index.php

If someone could point me out to which file I need to modify to remove the large image off the front, I would appreciate it. Once I do that I could probably figure out the rest but it is hard to see what has changed because it takes up the entire screen.

karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK
Contact:

Post by karlsemple » Mon Mar 27, 2006 12:46 pm

The code generating the image is not likely to be in a file, but more likely to be in the database. It is most likely to be in the phpbb_config table, or more likely to be in the forum descriptions in the phpbb_forums table. Go through them in phpMyAdmin and look for any entries which contain code which should not be there; chances are it will be JavaScript, so anything like <script language="Javascript"
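Added example, not part of the original posts: one way to automate the check karlsemple describes, scanning phpbb_config and phpbb_forums for markup that should not be there. The column names follow the stock phpBB 2.0.x schema, and the in-memory SQLite database with constructed rows is an assumption standing in for the board's MySQL database.

```python
import re
import sqlite3

# Markup that has no business in board settings or forum descriptions.
# Hits are candidates for manual review, not proof of tampering.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|img|meta|style)\b"  # injected tags
    r"|\bon\w+\s*="                                       # inline event handlers
    r"|javascript\s*:",                                   # javascript: URLs
    re.IGNORECASE,
)

# (table, key column, text columns to inspect), per the phpBB 2.0.x schema.
TARGETS = [
    ("phpbb_config", "config_name", ["config_value"]),
    ("phpbb_forums", "forum_id", ["forum_name", "forum_desc"]),
]

def find_injected_rows(conn):
    """Return (table, key, column, value) for every cell matching SUSPICIOUS."""
    hits = []
    for table, key, columns in TARGETS:
        cols = ", ".join([key] + columns)
        for row in conn.execute(f"SELECT {cols} FROM {table}"):
            for column, value in zip(columns, row[1:]):
                if value and SUSPICIOUS.search(str(value)):
                    hits.append((table, row[0], column, value))
    return hits

def build_sample_db():
    """Constructed sample rows in SQLite, standing in for the board's MySQL DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT);
        CREATE TABLE phpbb_forums (forum_id INTEGER, forum_name TEXT, forum_desc TEXT);
    """)
    conn.executemany("INSERT INTO phpbb_config VALUES (?, ?)", [
        ("sitename", "Example Car Club"),
        ("site_desc", 'Welcome<SCRIPT language="Javascript" src="http://example.invalid/x.js"></SCRIPT>'),
    ])
    conn.executemany("INSERT INTO phpbb_forums VALUES (?, ?, ?)", [
        (1, "General", "Chat about anything"),
        (2, "Shows", '<img src="http://example.invalid/banner.jpg" width="2000">'),
    ])
    return conn

if __name__ == "__main__":
    for table, key, column, value in find_injected_rows(build_sample_db()):
        print(f"{table}[{key}].{column}: {value[:70]}")
```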

kustomrydes
Registered User
Posts: 5
Joined: Thu Aug 19, 2004 4:08 pm

Post by kustomrydes » Mon Mar 27, 2006 2:11 pm

Thanks, karlsemple.
I will give it a try.
I had enough problems installing it the first time and never worked with PHP since.

TimCanty
Registered User
Posts: 11
Joined: Mon Mar 27, 2006 3:14 pm

Looks to me like just the tpl files are hacked

Post by TimCanty » Tue Mar 28, 2006 3:18 pm

The car-sho.com forum seems to be in pretty good shape. I can navigate around in it by using the php code directly. It looks to me like these guys are just hacking the subSilver tpl files. In particular overall_header, index_body and admin/page_header.tpl.

I would restore all the subSilver files and see what happens. I would also create a .htaccess file and put www.ulkuocaklari.org.tr (213.243.1.126) in it. Also 72.36.251.84. Like this:
.htaccess contents,
-------------------------------------------
Options -Indexes

order allow,deny
deny from 72.36
deny from 213.243
allow from all
------------------------------------------
Note that 72.36 blocks any IP of 72.36.*.*
The Options -Indexes prevents getting an index listing of directories.

They have stored their image at:
http://www.geocities.com/ilkhan147258369/aytt.jpg and I have reported this to geocities abuse.

You can find info on htaccess and a tool to generate code at:

http://www.clockwatchers.com/htaccess_tool.html

Very helpful. I personally have added several bad guys to htaccess file as I'd just as soon they not be able to peruse any part of my site. I don't care about anyone from Turkey or Russia. I use the security mod to identify multiple location abusers.

Of course you should also bite the bullet and get on the latest level of phpBB ASAP.


Regards,
Stan Douglas
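Added example, not part of the original posts: before restoring the subSilver files as suggested above, a hash comparison against a pristine copy of the same phpBB release shows which templates were changed and whether any files were added. The directory layout and file contents are constructed for illustration; templates altered by installed MODs will also show up as modified.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_templates(clean_dir, live_dir):
    """Compare the live template tree against a pristine copy of the same release."""
    clean, live = digest_tree(clean_dir), digest_tree(live_dir)
    return {
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        "missing": sorted(f for f in clean if f not in live),
        "added": sorted(f for f in live if f not in clean),  # never shipped in the release
    }

def build_sample():
    """Constructed sample: a 'clean' and a 'live' subSilver tree in a temp dir."""
    base = Path(tempfile.mkdtemp())
    files = {
        "overall_header.tpl": "<html><head><title>{SITENAME}</title></head>",
        "index_body.tpl": "<table><!-- BEGIN catrow -->",
        "admin/page_header.tpl": "<html><body>",
        "viewtopic_body.tpl": "<table><!-- BEGIN postrow -->",
    }
    for tree in ("clean", "live"):
        for name, text in files.items():
            path = base / tree / "subSilver" / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    live = base / "live" / "subSilver"
    # Simulate the defacement: one template altered, one unexpected file present.
    (live / "overall_header.tpl").write_text("<html><body><img src='x.jpg'>")
    (live / "extra.php").write_text("<?php /* not part of the release */ ?>")
    return base / "clean" / "subSilver", live

if __name__ == "__main__":
    clean_dir, live_dir = build_sample()
    for kind, names in compare_templates(clean_dir, live_dir).items():
        print(kind, names)
```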

dskowron
Registered User
Posts: 4
Joined: Sun Mar 12, 2006 4:34 pm

Post by dskowron » Wed May 10, 2006 12:43 am

How do these guys get data into the database? There must be some code they're using because I can't imagine that they have my password and username.

TimCanty
Registered User
Posts: 11
Joined: Mon Mar 27, 2006 3:14 pm

Database

Post by TimCanty » Wed May 10, 2006 2:16 am

I'm not sure how. They get into the phpBB code using some type of exploit and once there they can get at the config stuff for your database I suppose.

Either that or they get admin privileges and then can wreak havoc in the database and modify phpBB files to display their religious hatred.

At any rate the guys and gals that work on the phpBB2 code have provided fixes for the known exploits and that's why it's important to keep on the latest release.

I for one, update to the latest release within 24 hours of receiving notice.

SD
