Page 1 of 2

Someone mangled my site...help please

Posted: Fri Oct 27, 2006 12:53 am
by bobturkee
Hello phpbb community. I have been using the forums for several years now and have been avidly dodging anything too serious until now. Someone has changed my site links so that under certain circumstances a feature will redirect the visitor to another site.

I am running the most recent version of phpbb.

If you visit the site and go to the search feature and search for anything at all it will redirect you to some other website which wants to install adware. I would love any feedback on how to fix this situation or if you've had a similar experience.

Please visit the site: removed/solved

My primary website is in really bad shape with the same kind of issue, but on a larger scale.

Please help...many members will be appreciative.

Bob Turkee

Posted: Fri Oct 27, 2006 1:02 am
by Marshalrusty
Please do the following before making any modifications to your board (this includes changing passwords, running the admin toolkit, etc.). Get a copy of the post hack files, database and server access logs and store them in a safe place to provide to the incident investigation team upon request. The files backup is just a copy of the phpBB folder on your server; the database backup can be created with phpMyAdmin by following the instructions in the first section of the article here; the server access logs may be available in a 'logs' folder on the server or in your host's control panel.

Posted: Fri Oct 27, 2006 8:40 am
by Taipo
The only pattern I can pick up is that it redirects to other websites if there is a presence of a referer: URL that is not the url of your website.

Simply entering the URL into the address line, or clicking around your forum even returning to that link, works fine.

Posted: Fri Oct 27, 2006 1:09 pm
by bobturkee
I can still access aspects of my site if I cut and paste the URL into the address bar, but I don't want my visitors who view a forum or thread to have to do that. They should be able to use the phpbb as it is designed.

I haven't found anything in the coding of the pages that suggests manipulation. I suspect that the alteration was done in the php database and somehow it has redefined the URL; although, it seems to respond very inconsistently, but by going to the search page and searching for something it always occures.

Also on my main page removed/solved you can see that many of the images are now not functioning and that any link on the left will redirect you to that same website.

Again any feedback would be great,

Bob Turkee

Posted: Fri Oct 27, 2006 1:24 pm
by Brf
Weird. It looks as if you follow any link, it redirects you. That includes the link in the first post of this thread. If I copy and pasted the link, it takes me to your site, but if I click the link, it redirects.

Maybe you have a hostile htaccess file or something....

Posted: Fri Oct 27, 2006 1:34 pm
by bobturkee
I looked on my server settings information to see if something was strange or altered, but didn't notice anything in particular. It's really a super frustraiting issue that's causing me to want to drive to Alberta, Canada and find the company who these links redirects to.

I am about to make a standard html page to see if the links on it redirect as well.

Update: Brf, yes that is percisely the problem...it happened on a standard html page as well.

BT

Posted: Fri Oct 27, 2006 1:45 pm
by Jim_UK
If you have an option in cpanel to cause redirects I would have a look to see if it has been got at.

Jim

Posted: Fri Oct 27, 2006 1:51 pm
by bobturkee
I'm guessing you mean on my server CP. I checked there and it's ok...at least it seems that it is ok. If there is a redirect on the phpbb forum CP I may have missed that.

Posted: Fri Oct 27, 2006 2:00 pm
by Jim_UK
Yes the server control panel. A lot of hosts provide one called cpanel and amongst the many options is one the you can create redirects. For instance I have one that redirects from the domain to domain/phpBB2/portal.php

If I look in the root of my webspace there is a .htaccess file that has been created to do this. Brf has already suggested that this may be the case.
Go to your server with ftp and if there is a .htaccess file in the root of your webspace, download it to your desktop and open it in Notepad. See if it contains some sort of redirect to the site in question. If so remove it.

Jim

Posted: Fri Oct 27, 2006 2:15 pm
by bobturkee
Thanks Jim didn't think of that...I'll provide feedback as the issue unfolds.

BT

Posted: Fri Oct 27, 2006 2:23 pm
by Acorn
Not a helpful comment, I'm afraid, but as soon as I clicked on your website link (in your op) I went straight to this system doctor thing, and it was quite persistent.

Don't know if it's just a nuisance or a bit more sinister, but I wouldn't advise people to click on that link if they don't need to.

Good luck. :?

Posted: Fri Oct 27, 2006 2:26 pm
by karlsemple
i can not even access your urls, i get popups and the site never comes up. I do not have any spyware on my system, this only happens with your links...... have you tried backing up the forums and installing them on your computer locally to see if they work and that it is not something hosting related :)

Posted: Fri Oct 27, 2006 2:34 pm
by bobturkee
If you copy the URL and paste it into your address bar the site will come up. Ya please don't fall for the decoy that the hacker has tried to insert.

I think I have narrowed it down to something on the host side...I am working with them right now to resolve the problem. Maybe.

Posted: Fri Oct 27, 2006 2:35 pm
by Brf
If you copy his links and paste it into your address-box, it will take you there OK.... It is only when you actually click on a link that it redirects. That is why I thought it might be htaccess or something.

Posted: Fri Oct 27, 2006 2:37 pm
by karlsemple
bobturkee wrote: If you copy the URL and paste it into your address bar the site will come up. Ya please don't fall for the decoy that the hacker has tried to insert.

I think I have narrowed it down to something on the host side...I am working with them right now to resolve the problem. Maybe.


As i said in my last post the way to be sure is to back up your forums completely and then restore on locally on your home system, if it works fine you know that it is something to do with the host and not the forums :)