Another one bites the dust!

darkside76 · Post by **darkside76** » Mon Jan 30, 2006 10:56 pm

Our forum was recently "hacked" and upon further investigation, this is a rather widespread issue:

source

There are thousands of sites affected. Any insight would be appreciated.

Thanks, -DS

m3zzr · Post by **m3zzr** » Mon Jan 30, 2006 10:59 pm

if you are running an older version of the forum, then you should have updated to the latest version..

darkside76 · Post by **darkside76** » Mon Jan 30, 2006 11:53 pm

m3zzr wrote: if you are running an older version of the forum, then you should have updated to the latest version..

Agreed... unfortunately, I am not in charge of the site in question.

darkside76 · Post by **darkside76** » Mon Jan 30, 2006 11:57 pm

Bobble · Post by **Bobble** » Tue Jan 31, 2006 12:00 am

Your site will need to be upgraded and traces of the hack removed. There are plenty of posts with advice on how to do this here so it really shouldn't be too much of a problem. Just get whoever admins the board to pay us a visit here and we'll sort things.

The script kiddies who do this sort of thing are in it for the 'fame'. As you have just posted there name over this board you have really made their day. As it really makes no difference which idiot attacked the board please consider editing your posts to remove their name.

darkside76 · Post by **darkside76** » Tue Jan 31, 2006 12:10 am

Apologies for the dupe comments... having some hiccups on my end it seems. I will inform the owner of the site. I will also :edit: as suggested. We are one of thousands of affected sites so I probably should not have created a new thread. Please delete or move as you wish.

Thanks!
-DS

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Tue Jan 31, 2006 6:55 am

for anyone who cares, all of those sites that were hit by this were several versions out of date, like 8 or 10 versions out of date.

robert

Niner · Post by **Niner** » Wed Feb 22, 2006 10:33 pm

Hi

I have been hacked by the same hacker, I would be glad if somebody could link to "There are plenty of posts with advice on how to do this" as bobble writes above.

Niels

Jim_UK · Post by **Jim_UK** » Wed Feb 22, 2006 10:37 pm

Niner wrote: Hi

I have been hacked by the same hacker, I would be glad if somebody could link to "There are plenty of posts with advice on how to do this" as bobble writes above.

Niels

Please complete a report http://www.phpbb.com/support/incidents/add_report.php

Jim

kustomrydes · Post by **kustomrydes** » Mon Mar 27, 2006 12:38 pm

well I am another one who get hit by ayyildiz team (ayyildiz-team.org) sometime after I went to bed last night.

I have been meaning to upgrade but never took the time to do so.
Version 2.0.8

http://car-sho.com/phpBB2/index.php

If someone could point me out to which file I need to modify to remove the large image off the front, I would appreciate it. Once I do that I could probably figure out the rest but it is hard to see what has changed because it takes up the entire screen.

karlsemple · Post by **karlsemple** » Mon Mar 27, 2006 12:46 pm

the code generating the image is not likely to be in a file, but more likely to be i the database. It is most likely to be in the phpbb_config table, or more likely to be in the forum descriptions in phpbb_forums table. go through them in phpmyadmin and look for any entries which contain code which should not be there, chances are it will be javascript so anything like <script language="Javascript"

kustomrydes · Post by **kustomrydes** » Mon Mar 27, 2006 2:11 pm

thanks karlsemple.
I will give it a try.
I had enough problems installing it the first time and never worked with php since.

TimCanty · Post by **TimCanty** » Tue Mar 28, 2006 3:18 pm

The car-sho.com forum seems to be in pretty good shape. I can navigate around in it by using the php code directly. It looks to me like these guys are just hacking the subSilver tpl files. In particular overall_header, index_body and admin/page_header.tpl.

I would restore all the subSilver files and see what happens. I would also create a .htaccess file and put www.ulkuocaklari.org.tr (213.243.1.126) in it. Also 72.36.251.84. Like this:
.htaccess contents,
-------------------------------------------
Options -Indexes

order allow,deny
deny from 72.36
deny from 213.243
allow from all
------------------------------------------
Note that 72.36 blocks any ip of 72.36.*.*.*
The Options -Indexes prevents getting an index listing of directories.

They have stored their image at:
http://www.geocities.com/ilkhan147258369/aytt.jpg and I have reported this to geocities abuse.

You can find info on htaccess and a tool to generate code at:

http://www.clockwatchers.com/htaccess_tool.html

Very helpful. I personally have added several bad guys to htaccess file as I'd just as soon they not be able to puruse any part of my site. I don't care about any one from Turkey or Russia. I use the security mod to identify multiple location abusers.

Of course you should also byte the bullet and get on the latest level of phpBB asap.

Regards,
Stan Douglas

dskowron · Post by **dskowron** » Wed May 10, 2006 12:43 am

How do these guys get data into the database? There must be some code they're using because I can't imagine that they have my password and username.

TimCanty · Post by **TimCanty** » Wed May 10, 2006 2:16 am

I'm not sure how. They get into the phpBB code using some type of exploit and once there they can get at the config stuff for your database I suppose.

Either that or they get admin privilages and then can wreck havic in the database and modify phpBB files to display their religious hatred.

At any rate the guys and gals that work on the phpBB2 code have provided fixes for the known exploits and that's why it's important to keep on the latest release.

I for one, update to the latest release within 24 hours of receiving notice.

SD

advertisements