My forum got hacked

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
Mr. Nissen
Registered User
Posts: 90
Joined: Mon Apr 22, 2002 10:49 pm
Contact:

My forum got hacked

Post by Mr. Nissen »

Hey Gang

I just realized my forum was hacked. It must have happened a few days ago. I'm really not sure where to start with fixing it. Here's the damage

http://www.mrnissen.com/forum/index.php

My forum was hacked but not the rest of my site. I re-uploaded part of the forum but that didn't do any good. I'm guessing they've messed with the actual DB. I'm not sure though. Any suggestions on how to fix it? Oh and I believe I'm running phpBB 2.0.1. Thanks for any help.
Very Bored

User avatar
primedomain
Former Team Member
Posts: 25944
Joined: Sat Dec 15, 2001 10:23 am

Re: My forum got hacked

Post by primedomain »

Mr. Nissen wrote: Oh and I believe I'm running phpBB 2.0.1.
:roll:
your forum wrote: Powered by phpBB 2.0.0

8O

http://www.phpbb.com/phpBB/viewtopic.php?t=55133

Any MODs installed?

Did you make sure to delete upgrade.php, update_to_20x.php as well as install.php after the installation was completed?

Is it possible that someone "guessed" your admin password?
How many admins?
Run the following query (e.g.) in phpmyadmin (modify table prefix if necessary):

Code: Select all

SELECT username FROM phpbb_users WHERE user_level = 1
Do you have access to the server access logs? Do you have a backup of your database? Did you check (e.g. with phpmyadmin) whether or not the tables are still there and contain all data? AFAICS your data are still there, but your index.php has been replaced: http://www.mrnissen.com/forum/search.ph ... Mr.+Nissen

Mr. Nissen
Registered User
Posts: 90
Joined: Mon Apr 22, 2002 10:49 pm
Contact:

Post by Mr. Nissen »

I'm the only admin on the site right now. I'm not familiar with how to check the tables at the moment but my buddy is the Systems Admin where the site's hosted so he should be able to check the tables for me. I'm not running any mods either. It's just the forum with my own template modifications. I'm sure this wouldn't have happened if I wasn't running an old version so I pretty much left myself open for it. Well I'll keep working on it. Thanks for any further tips.
Very Bored

mshowman
Registered User
Posts: 65
Joined: Mon Sep 16, 2002 4:25 am
Location: Denver, CO
Contact:

Post by mshowman »

I looked at your page source and everything is there but they inserted a layer tag into the html which is overlayed on top of the page. Take a look at your index.php or any include pages / templates and look for this....

<div id="Layer1" style="position:absolute; left:0; top:0; width:780; height:590; z-index:1; background-color: #000000; layer-background-color: #000000; border: 1px none #000000">

After that you can see all the crap they inserted. Delete that tag and everything between there and the next </div> tag.

mshowman
Registered User
Posts: 65
Joined: Mon Sep 16, 2002 4:25 am
Location: Denver, CO
Contact:

Post by mshowman »

Actually.. .Do you have html in posts enabled?

It looks like someone changed the title of forum # 8 and added their offending html coding to the description. The title of that forum is now "WINKODER CDA OWNZ". Look in the database under forums and change the forum_desc section of the forum # 8.

Spazz
Registered User
Posts: 178
Joined: Mon Nov 18, 2002 3:14 pm
Location: Langley ... aww crap!
Contact:

Post by Spazz »

Well you know they like Brazil...:roll:

Brandons
I am too lazy to register

Post by Brandons »

i would agree with someone below.

your forum still exists. they didnt get into your administration

they somehow hacked your overall_header.tpl and or page_header.php and inserted a code of theirs.

if you had a links site or a topsites.. its commonly done through that.. where it says url they stick a <div> script into it instead and it cause an automatic forward to another url or an automatic popup

if you had html posts enabled it could have very easliy been done through that. your alternative? go into the admin and try to delete the forum you think they posted it in?

examine all these possiblities. let us know if any of them pertain to you.

Locked

Return to “2.0.x Support Forum”