MY 2.0.21 still gets hacked

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Post by richey »

Hello,

do we already know which security hole the "Hacked by gizlit*rkler.com" hack uses?

I have updated my 2.0.19 to 2.0.21, but still get hacked once every day... I really have to fix that, but removing all mods from the board is definitely not a solution. It would be of great help if someone could PM me or reply telling which security hole they are using so that I can search my code, including all installed MODs, for related holes.

thanks!
richey
Last edited by richey on Wed Oct 11, 2006 7:47 pm, edited 1 time in total.
Brf
Support Team Member
Support Team Member
Posts: 51936
Joined: Tue May 10, 2005 7:47 pm
Post by Brf »

There are no security holes in 2.0.21. It is probably one of your mods.

richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

Post by richey »

Brf, I guess so.

But as said, removing all MODs is really no good option for me. It would be of great help to know which security holes these hackers (I guess it's simply a script circulating on certain websites or so) are using so that I can remove all related stuff from the installed MODs as well.

thanks
r.
Jim_UK
Former Team Member
Posts: 18478
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Post by Jim_UK »

Have you filed a report here http://www.phpbb.com/support/incidents/add_report.php ?
I know of no exploits of phpBB2.0.21 to date.
When you updated did you check for rogue admin accounts, extra files on the server that you did not put there?
Did you change all your passwords?
The most likely explanation if you did those things is an out of date mod being exploited.
Have you checked that the Attachment MOD, or any other MOD that allows uploads, is up to date? This includes any PHP chatroom MODs.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!

Lumpy Burgertushie
Registered User
Posts: 67247
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

install this:
Admin Toolkit

run the security scan
check for admins that shouldn't be there,

then, start checking all your MODs, look for updated versions of them.

post a list here, maybe we will see one that is known for problems.

bottom line, if you want to keep your board safe, you may have to start fresh and reinstall MODs one at a time until you find the culprit.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.
If nobody is in the forest, does a tree really fall?

richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

Post by richey »

Hello,

I have changed the admin password(s) after each time the board was hacked.
I ran the Admin Toolkit security check and it didn't complain about anything.
There are no new files on the FTP server.
The config file is unmodified.
Lumpy wrote: bottom line, if you want to keep your board safe, you may have to start fresh and reinstall MODs one at a time until you find the culprit.

same idea here, but I really hope someone knows about the leaks the currently circulating hack (see 1st post) is making use of so that I can look for related holes in the code of the site.

thanks,
r.
Lumpy Burgertushie
Registered User
Posts: 67247
Joined: Mon May 02, 2005 3:11 am

Post by Lumpy Burgertushie »

richey wrote: Hello,

I have changed the admin password(s) after each time the board was hacked.
I run the Admin Toolkit security check and it didn't complain about anything.
There are no new files on the FTP server.
The config file is unmodified.
Lumpy wrote:bottom line, if you want to keep your board safe, you may have to start fresh and reinstall MODs one at a time until you find the culprit.

same idea here, but I really hope someone knows about the leaks the currently circulating hack (see 1st post) is making use of so that I can look for related holes in the code of the site.

thanks,
r.


can you give us a link to your board, you should always give a link to the board.

I can't find it anywhere on the website you have listed in your sig.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.
If nobody is in the forest, does a tree really fall?

richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

Post by richey »

http://www.psychotherapiepraxis.at

PLEASE DON'T QUOTE the URL, so that I can remove the link at a later time.

thanks!
Last edited by richey on Thu Oct 12, 2006 9:00 pm, edited 2 times in total.
camm15h
Former Team Member
Posts: 4981
Joined: Wed Jul 30, 2003 1:02 am
Location: Hull, UK
Name: Paul Cammish

Post by camm15h »

richey wrote: forum link

Am I going blind, or is there no phpBB copyright here?

richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

Post by richey »

Don't worry, I just removed the footer strings containing "phpbb" from the simple_ & overall_footer source a few days ago (and left "phpbb" there but obscured it a little) to avoid it being searchable via search engines. As it seems, that didn't help at all. :?
Last edited by richey on Wed Oct 11, 2006 8:53 pm, edited 1 time in total.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

What "Forums-Chat" are you using? Several of them have had security holes reported (and most fixed) recently.

Does your host provide Cpanel to sites? There is a security hole in all but the most recent versions (as in released since 25 September 2006) that allows someone to replace files and otherwise manipulate any site on the server, so long as they have an account on it.

Have you checked the pages for other MODs you have, to make sure there have not been any security holes recently discovered? In May, one of my sites was compromised through a hole in the Knowledge Base MOD that had not been announced. After I diagnosed what happened and patched mine, the authors came up with their own fix... and found that the same flaw existed in another MOD. Both have had updates... but few people know about them, unless they visit the support site on a regular basis.

ANY MOD that takes user input is suspect. ANY MOD that opens files while relying upon variable data it doesn't scrub first to locate those files is suspect, too (this is what caused the problems in KB).
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

Post by richey »

It's Smartor's chat, heavily modified. There has been no update for months, so there should be no problem with it?

Other mods I'm using are:

referer
printerfriendly
similar topics
How Search Engines Find You
merge messages
canned messages
favorite topics
savi101
contact list
author hyperlink
remoteavatarsize
default avatar
wrong ICQ url
MSN Profile
Skype
GTalk
searchuserspostsatviewtopic v1.20
report post
online/offline
topics i've started
author wildcard search
search title only
search locked topics only
gorgon full album pack (disabled already)
limited post edit time
resend activation
referer
at a glance
smartfeed

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

Currently, Secunia.org doesn't have any listings for any Smartor stuff, and I don't recall the 3.x version of his Chat having anything outstanding.

When the script kiddie attacks, what do they change? Files? Forum descriptions? Changing files is not something that can be done through PHPBB in the last year. Most of the attacks have been through sites that enable HTML, and inserting "bombs" for admins who use Internet Explorer to trip over, revealing their login information to attackers. The attackers can then access the site as admins, depending upon what information they can get IE to reveal. The need to log in a second time to access the ACP was put in to deflect that sort of attack, and additional checks were inserted on automatic logins to deflect attacks based upon stolen cookies (this is why a lot of people updating from older versions have to run the "cookie fix" after updating).
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer

richey
Registered User
Posts: 616
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

Post by richey »

Hi,

I don't use IE (beware! :lol:)
Thanks for the hint regarding smartor's chat - the way I modified it makes it useful for me, but after all your suggestions I will check it for security holes.

@Espicom: they just changed the forum names and the board name.

A few days ago, the board was hacked with the same replacement text, but that first time, they additionally replaced the 1st rank name and deleted the anonymous user! Also, one record of another (phpbb unrelated) MySQL table was replaced. Immediately after that, I updated everything to 2.0.21. Since then, there were 2 more hacks, 1 every day at about the same time of the day.

Just a few minutes ago, I INDEED found a trojan in one of my logfiles (produced by some logged form submission text).
Name: PHP/C99Shell.C Trojan
I guess that might be the REAL reason... I immediately removed all text logging stuff from the site and hope I can give you a success message in a few days!

thanks for all your help, guys
r.
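Added example, not from the thread or from phpBB: a small Python scanner over constructed form-submission log lines that flags entries carrying PHP code, the kind of logged submission richey describes finding. The log line format, the sample lines and the marker list are all constructed assumptions (the markers are generic PHP webshell traits, not a C99Shell signature).

```python
import re

# Constructed sample of a form-submission log (not from the original thread):
# each line is date, time, remote IP and the raw text a visitor submitted.
SAMPLE_LOG = """\
2006-10-11 03:12:07 198.51.100.23 name=Anna&msg=Hallo, ich suche einen Termin
2006-10-11 03:14:55 203.0.113.9 name=x&msg=<?php eval(base64_decode($_POST['c'])); ?>
2006-10-11 03:15:02 203.0.113.9 name=x&msg=<?php system($_GET['cmd']); ?>
2006-10-11 03:20:41 198.51.100.77 name=Peter&msg=Danke für die Antwort!
"""

# A PHP open tag inside user-supplied text is never legitimate on a contact form.
PHP_OPEN = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Calls typical of PHP webshells and droppers; the list is an assumption chosen
# for this example, not an exhaustive or vendor signature.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open|base64_decode)\s*\(",
    re.IGNORECASE,
)


def classify_line(line):
    """Return the reasons a logged submission looks like injected PHP ([] if clean)."""
    reasons = []
    if PHP_OPEN.search(line):
        reasons.append("php-open-tag")
    call = DANGEROUS_CALLS.search(line)
    if call:
        reasons.append("call:" + call.group(1).lower())
    return reasons


def scan_log(text):
    """Return (line_number, remote_ip, reasons) for every suspicious line in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        reasons = classify_line(line)
        if reasons:
            fields = line.split(" ", 3)  # date, time, ip, submitted text
            ip = fields[2] if len(fields) > 2 else "?"
            hits.append((number, ip, reasons))
    return hits


if __name__ == "__main__":
    for number, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(reasons)}")
```

A log that stores such text verbatim is only dangerous if something later executes or includes it, so the flagged lines point at which submissions to trace through the MOD that wrote them.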

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom »

One suggestion. If you have phpmyadmin, disable your board temporarily. Using phpmyadmin, rename each table to have a different table prefix than the default, "phpbb_" (assuming you didn't do this during the install). Maybe "praxis_" would be the one to use, but it could be anything other than "phpbb_" for what I'm recommending here. Do the config table LAST.

Once all the tables have the new prefix, edit your config.php script to have the new prefix, then re-enable your board.

Most script kiddies are too stupid to find out what the prefix is before launching their attacks, so their scripts are hard-coded with "phpbb_". Just changing the prefix makes them impotent.
Jeff
Fixing 1016/1030/1034 Errors | (obsolete link) | MySQL 4.1/5.x Client Error | phpBBv2 Logo in ACP
Support requests via PM are ignored!
"To be fully alive is to feel that everything is possible." - Eric Hoffer
