3.0.8 hacked

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Suggested Hosts
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
ffermer
Registered User
Posts: 2
Joined: Tue Feb 01, 2011 12:30 am

3.0.8 hacked

Post by ffermer » Tue Feb 01, 2011 1:14 am

Yesterday my forum and server was hacked: phpBB 3.0.8. No any MODs installed.

I have cleared:

1. in root phpbb directory appear strange file *.index.php
2. exploit got control of sshd, exim and some other programs of server

Now, exploit killed, but I want to find vulnerability in phpbb 3.0.8

I am study apach log (all other logs destroyed) and I see: hacker repeatedly attempted to /posting.php?mode=post. After last attempt (I suppose succesfull hack attempt) was called *.index.php and main exploit code uploaded. Some information about exploit found here: http://justinelze.wordpress.com/2010/10/10/kippo/

Were is vulnerability ? Help me please.

User avatar
xiteloft
Registered User
Posts: 25
Joined: Wed Aug 12, 2009 9:46 am

Re: 3.0.8 hacked

Post by xiteloft » Tue Feb 01, 2011 1:42 am

It's clearly that it's not in phpBB. "Hacker", but we better call him someone who had your password(s) played around with your hosting account, or in case if you're hosted on a VPS/Dedicated, with your root.

Just change all passwords, check through all dirs, re-upload phpBB files in case if he backdoored some of them, or if he left the php shell (upload script) somewhere. So that's basically it.

ffermer
Registered User
Posts: 2
Joined: Tue Feb 01, 2011 12:30 am

Re: 3.0.8 hacked

Post by ffermer » Tue Feb 01, 2011 2:26 am

Thank for your reply. Really, I'm hosted on VPS and I'm sure that no anywhere has my passwords. Attack was on phpbb forum immediately. File '*.index.php' was upload into phpbb root directory and run here.

Passwords changed immediately sure, but I believe, attack will be again.

User avatar
darcie
Community Team Member
Community Team Member
Posts: 5541
Joined: Thu Jul 27, 2006 9:52 am
Location: Davis, California
Name: Darcie Griffin
Contact:

Re: 3.0.8 hacked

Post by darcie » Tue Feb 01, 2011 3:29 am

There are no known vulnerabilities in phpBB 3.0.8, but we always ask that you submit to our Incident Investigation Team to find the source of the issue. Please see:
http://www.phpbb.com/community/viewtopi ... 543171#iit
My board has been hacked, what do I do? #
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
phpBB on Facebook | Site Rules | Former Community Team leader

elphreaker
Registered User
Posts: 1
Joined: Thu Apr 28, 2011 10:21 pm

Re: 3.0.8 hacked

Post by elphreaker » Thu Apr 28, 2011 10:40 pm

I had another hacking issue today. Someone managed to change the prosilvers main logo image. Checking the raw logs I can see access to some ".js" functions related to the themes.

Anyone knows anything about this?

I add:
I saw this "hack" in the admin panel (as well as on my main page) as it registered that a normal user changed an "admin setting". Permissions are right as far as I know. That user never had access to admin panels.

Thanks in advance!

Drakken
Registered User
Posts: 144
Joined: Thu Jun 12, 2003 6:59 pm
Contact:

Re: 3.0.8 hacked

Post by Drakken » Fri Apr 29, 2011 1:20 am

I'm assuming you gave your passwords to someone? I would think any serious hacker would do something more malicious than change an image.

User avatar
t_backoff
Former Team Member
Posts: 6995
Joined: Thu Jun 04, 2009 1:41 am
Location: cheerleading practice
Name: Tabitha Backoff

Re: 3.0.8 hacked

Post by t_backoff » Fri Apr 29, 2011 1:55 am

Please read darcie's post.
darcie wrote:There are no known vulnerabilities in phpBB 3.0.8, but we always ask that you submit to our Incident Investigation Team to find the source of the issue. Please see:
http://www.phpbb.com/community/viewtopi ... 543171#iit
My board has been hacked, what do I do? #
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
Closing.

Locked

Return to “[3.0.x] Support Forum”

Who is online

Users browsing this forum: Feneck91, twm49 and 56 guests