hacked again

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
dfwsbr
Registered User
Posts: 4
Joined: Mon Oct 02, 2006 7:59 pm

Post by dfwsbr » Tue Oct 03, 2006 7:39 pm

Hey guys, I run the following board:

www.dfwsbr.com/mb

Yesterday I was hacked, ran starfoxtj admin toolkit and it cleaned it up in a click of a button.

Today, not so lucky. It was hacked again, as you can see if you click the link above.

Where in all of the files or phpMyAdmin do I remove the code they stuck on my board? I spent about 45 minutes looking through different files via FTP and in phpMyAdmin. Can't find it; however, if I view source on the current hacked page I find this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Style-Type" content="text/css">

<link rel="top" href="./index.php" title="</title><p align="left"><hi>HaCKeD By BeLa & BodyguarD -- Fuck PaPa--<noscript>:: </title></p> Forum Index" />
<link rel="search" href="./search.php" title="Search" />
<link rel="help" href="./faq.php" title="FAQ" />
<link rel="author" href="./memberlist.php" title="Memberlist" />

<title></title><p align="left"><hi>HaCKeD By BeLa & BodyguarD -- Fuck PaPa--<noscript>:: </title></p> :: Index</title>
<link rel="stylesheet" href="templates/Boyz/Boyz.css" type="text/css">
<style type="text/css">
</style>


Obviously I didn't copy it all...

Thanks for the assistance :)

Adam

flashweb
Registered User
Posts: 309
Joined: Sun Apr 20, 2003 4:15 pm
Location: India

Post by flashweb » Tue Oct 03, 2006 7:46 pm

If you were hacked, delete all files from your server and start with a fresh copy of the files. If this is not possible, make sure no files belonging to the hacker are present on your site. Most hackers keep some backdoors, so they can get back in even if the door is closed.

After you make sure no hacker files are on your site, change your MySQL database password. Then check all users with ADMIN privilege, and change all ADMIN users' passwords and email addresses (better to have only one ADMIN for now) so the hacker will not be able to log in as admin even if he has the password or has already changed the email address to his own email ID.

Jim_UK
Former Team Member
Posts: 18478
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Post by Jim_UK » Tue Oct 03, 2006 7:46 pm

When you removed the hack yesterday, did you:
1) Check that there were no rogue admin accounts
2) Check that there were no extra unfamiliar files on the server
3) Update to the latest version of phpBB2 (2.0.21)
4) Change your Admin password and also database password.
5) Complete an incident report http://www.phpbb.com/support/incidents/add_report.php

If you can answer yes to all of those I will be very surprised.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!

dfwsbr
Registered User
Posts: 4
Joined: Mon Oct 02, 2006 7:59 pm

Post by dfwsbr » Tue Oct 03, 2006 7:54 pm

1. Yes, only 2 admin accounts, checked 3x
2. As far as unfamiliar files on server, how do you cross check?
3. I updated to 2.0.21 yesterday
4. Did not change admin pw or DB password... didn't know I needed to
5. Did not make a report. The board over the past few years has been pretty low maintenance from a hacker's standpoint. Lots of fake accounts have attempted to join; I just spend time deleting them on a daily basis.

Any idea how I can at least get the board back up and get rid of the code? I searched through index.php, but don't see anything referencing it.

flashweb
Registered User
Posts: 309
Joined: Sun Apr 20, 2003 4:15 pm
Location: India

Post by flashweb » Tue Oct 03, 2006 8:44 pm

dfwsbr wrote: 2. As far as unfamiliar files on server, how do you cross check?


Not easy to do. There are a few things you can do:

1. Check for recently updated files.
2. If you have SSH access, you can search the contents of files for specific words like exec (most PHP SSH clients have this).

dfwsbr wrote: Any idea how I can at least get the board back up and get rid of the code? I searched through index.php, but don't see anything referencing it.


You need to check the phpbb_config and phpbb_forums tables; chances are the hacker added his code in these tables, not in index.php.
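One way to do the cross-check asked about above without shell access, as an added example that is not part of the original posts: download the board over FTP, unpack a fresh copy of the same phpBB release beside it, and compare the two trees. The function names, the list of suspect calls beyond `exec`, and the `SITE_ONLY` set are assumptions; the sample trees are constructed.

```python
import hashlib
import re
import tempfile
import time
from pathlib import Path

# "exec" is the word suggested in the post; the other names are assumptions.
SUSPECT = re.compile(rb"\b(exec|eval|system|passthru|shell_exec|base64_decode)\s*\(")
SITE_ONLY = {"config.php"}  # assumption: files that exist only on the live board


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def cross_check(site_dir, clean_dir, recent_days=7):
    """Compare a downloaded board with a clean release (mtimes count only if preserved)."""
    site, clean = Path(site_dir), Path(clean_dir)
    cutoff = time.time() - recent_days * 86400
    report = {"unfamiliar": [], "modified": [], "recent": [], "suspect": []}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site).as_posix()
        if rel in SITE_ONLY:
            changed = False
        elif not (clean / rel).is_file():
            changed = True
            report["unfamiliar"].append(rel)
        else:
            changed = digest(path) != digest(clean / rel)
            if changed:
                report["modified"].append(rel)
        if path.stat().st_mtime >= cutoff:
            report["recent"].append(rel)
        # Only files that differ from the release are scanned for suspect calls.
        if changed and SUSPECT.search(path.read_bytes()):
            report["suspect"].append(rel)
    return report


def demo():
    """Constructed sample trees: one file edited, one dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // board index ?>")
            (root / "includes" / "functions.php").write_text("<?php // helpers ?>")
        (site / "config.php").write_text("<?php // site settings ?>")
        (site / "includes" / "functions.php").write_text("<?php // edited ?>")
        (site / "images.php").write_text("<?php exec('id'); ?>")
        return cross_check(site, clean)
```

A custom style folder, avatars and other uploads will appear under `unfamiliar` because the release does not ship them; those entries need a manual look rather than automatic deletion.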

dfwsbr
Registered User
Posts: 4
Joined: Mon Oct 02, 2006 7:59 pm

Post by dfwsbr » Tue Oct 03, 2006 8:51 pm

Found it in the title. Simple html page start end. :roll:

Changing DB | Admin | cpanel passwords as we speak.

Thanks guys.

Adam
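The database check flashweb suggested, as an added example that is not part of the original posts: list every value in `phpbb_config` and `phpbb_forums` that contains an HTML tag, since the injected markup in the pasted page source sits where the board name is printed. An in-memory SQLite database stands in for the board's MySQL database so the example runs offline; the rows are constructed, and the function names are assumptions.

```python
import re
import sqlite3

# (table, key column, text column) for the two tables named in the thread;
# the column names are phpBB 2's.
CHECKS = [
    ("phpbb_config", "config_name", "config_value"),
    ("phpbb_forums", "forum_id", "forum_name"),
    ("phpbb_forums", "forum_id", "forum_desc"),
]
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>")


def find_markup(conn):
    """Return (table, key, column, value) for each stored value containing an HTML tag."""
    hits = []
    for table, key_col, text_col in CHECKS:
        # Identifiers come from the constant list above, never from user input.
        query = f"SELECT {key_col}, {text_col} FROM {table}"
        for key, value in conn.execute(query):
            if value and MARKUP.search(str(value)):
                hits.append((table, str(key), text_col, value))
    return hits


def sample_db():
    """Constructed rows in an in-memory SQLite stand-in for the board database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT);
        CREATE TABLE phpbb_forums (forum_id INTEGER, forum_name TEXT, forum_desc TEXT);
    """)
    conn.executemany("INSERT INTO phpbb_config VALUES (?, ?)", [
        ("sitename", "</title><p align=\"left\">defaced<noscript>"),
        ("site_desc", "A constructed board description"),
        ("board_email", "admin@example.invalid"),
    ])
    conn.executemany("INSERT INTO phpbb_forums VALUES (?, ?, ?)", [
        (1, "General", "Talk about anything"),
        (2, "Rides <marquee>constructed</marquee>", "Ride reports"),
    ])
    return conn
```

The same `SELECT` statements can be run by hand in phpMyAdmin; a hit is a value to review, not proof of tampering.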

Jim_UK
Former Team Member
Posts: 18478
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Post by Jim_UK » Tue Oct 03, 2006 8:59 pm

Don't forget that you will also need to change the password in config.php
Also you should be aware that some outdated mods may allow hackers access.
Be sure you are using the latest version of any mods installed - particularly any that allow file uploads/access to the database

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!

dfwsbr
Registered User
Posts: 4
Joined: Mon Oct 02, 2006 7:59 pm

Post by dfwsbr » Tue Oct 03, 2006 9:44 pm

Jim_UK wrote: Don't forget that you will also need to change the password in config.php
Also you should be aware that some outdated mods may allow hackers access.
Be sure you are using the latest version of any mods installed - particularly any that allow file uploads/access to the database

Jim


Thank you for the fast response. I do have a question however. Since I've changed several web hosts in the last few years, I am forced to do the updates manually. I don't have any "mods" however I am using a different "Style" (called Boyz) that I force on the board and all the members.

One feature I wanted to take advantage of on the new version of phpBB is the image box for new user registration. However this is NOT an option with my custom style. When I switch back to SubSilver, I can see the option, select it, but when I save the changes, it reverts back to not being an option. Yes, I forced everyone back to SubSilver to test. Even tried registering as a new user myself. Still standard registration :?

I'm worried the update I performed isn't taking 100% or perhaps I'm overlooking some files during the install.

Here is how I did the update:
1. Copied the entire folder via FTP (for backup)
2. Downloaded the fresh full copy of 2.0.21 full package
3. Unzipped it locally, deleted "contrib folder" and "config.php"
4. Uploaded the folder in place of the one on the website, overwriting anything existing.
5. Ran the install/update_to_latest.php and it came back with no errors
6. Deleted the install folder


Sorry if it seems like a n00b question, however I have printed out 3 different ways to update phpBB, and none of them made sense, except what I had above. I don't have shell access, however I could obtain it. BUT, I am not familiar with using it, so I figure I'm better off not using it.

Before I switched my first web host, I was able to perform the update via cPanel and a drop-down box. That is no longer an option, as the new web host doesn't allow me to auto-update since I didn't install it from their cPanel. Does this make sense? I was considering doing a full backup, installing via their cPanel, and importing the data back in via phpMyAdmin. I think I did this one other time. However I had to manually split up the DB as it only supported Xmb upload per file. Maybe this isn't the case anymore.

Thanks again for all your help.

Adam

Lumpy Burgertushie
Registered User
Posts: 66342
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie » Wed Oct 04, 2006 5:57 am

Installing or updating from the control panel of your host is never a good idea. The versions there are rarely up to date and often are corrupted.

Stick with the files you get from here.

As far as your visual confirmation problem, your Boyz style is out of date.

You can get an up-to-date version at phpbbhacks.com or just copy:
subSilver/profile_add_body.tpl
subSilver/admin/board_config_body.tpl
subSilver/admin/confirm_body.tpl
subSilver/confirm_body.tpl (yes, twice)

to your Boyz folder.

luck,
robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

If a tree falls in the forest and nobody is there, does it make a sound?
