Our PHPBB3 site was hacked by bot and Gonzo

Posted: Mon Oct 23, 2017 3:03 pm
by hoarybat
Small site running phpbb3 for years and we were shut down by our host Hostmonster due to malware bot infection. Host said nothing they can do and referred me/us to Site-lock costing $600> to clean us up and purchase their security which our small community can't afford. Is all hope lost? We're a nonprofit hobbyist bat house forum. Thanks to all who have helped us here over the years and to our 200 or so members on our forum: bathouseforum.org. Malware confirmed on Virustotal.com scan of bathouseforum.org

Malware.txt scan from partially disabled Hostmonster CPANEL:

----------- SCAN SUMMARY -----------
Known viruses: 2002280
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 2877
Scanned files: 18327
Infected files: 111
Data scanned: 181.81 MB
Data read: 947.19 MB (ratio 0.19:1)
Time: 72.358 sec (1 m 12 s)

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Mon Oct 23, 2017 3:38 pm
by JimA
Hi! I'm sorry to hear about that. We have a dedicated Incident Tracker for these incidents where our team can see if there's anything we can do to help you recover your board, see these instructions below.
If your board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):
  1. Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the "logs" directory on the server, in your host's control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
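The four steps above as a shell script, added here as an example rather than anything from phpBB or the incident tracker. It assumes the site root, the log directory and (optionally) the database name and user are passed in as shown, and that tar, mysqldump and sha256sum exist on the host.

```shell
#!/bin/sh
# Evidence preservation for a compromised phpBB board, following the four steps
# above. Added example, not phpBB's own tooling. Assumes the board lives under
# SITE_DIR, the host's logs under LOG_DIR, and, when a DB dump is wanted, that
# DB_NAME and DB_USER are given (mysqldump asks for the password interactively).
set -eu

# Build a timestamped evidence bundle under OUT_DIR and print its path.
# Run it before changing passwords or files so content and timestamps stay intact.
# Usage: preserve_evidence SITE_DIR LOG_DIR OUT_DIR [DB_NAME DB_USER]
preserve_evidence() {
    site_dir=$1; log_dir=$2; out_dir=$3
    db_name=${4:-}; db_user=${5:-}
    bundle="$out_dir/evidence-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$bundle"

    # Step 1: archive every file, dotfiles such as .htaccess included; tar keeps
    # the original modification times that the investigators need for a timeline.
    tar -czf "$bundle/files.tar.gz" -C "$site_dir" .

    # Step 2: dump the database (skipped when no credentials were supplied).
    if [ -n "$db_name" ]; then
        mysqldump --single-transaction -u "$db_user" -p "$db_name" > "$bundle/database.sql"
    fi

    # Step 3: copy the access and error logs for the incident window, preserving
    # their timestamps; a missing log directory is recorded rather than fatal.
    if [ -d "$log_dir" ]; then
        mkdir -p "$bundle/logs"
        cp -p "$log_dir"/* "$bundle/logs/" 2>/dev/null || true
    else
        printf 'no log directory at %s; request logs from the host\n' "$log_dir" > "$bundle/logs-missing.txt"
    fi

    # Step 4 support: a hash manifest so the tracker team can confirm the
    # uploaded bundle arrived unaltered.
    (cd "$bundle" && find . -type f ! -name SHA256SUMS -print0 | LC_ALL=C sort -z \
        | xargs -0 sha256sum > SHA256SUMS)
    printf '%s\n' "$bundle"
}

# Re-check a bundle against its manifest before uploading; exits 0 if intact.
verify_bundle() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}
```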

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Mon Oct 23, 2017 4:37 pm
by hoarybat
Thanks, unfortunately I don't know the time of the hack only the day the website went down/closed by hostmonster 2 days ago.

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Tue Oct 24, 2017 9:16 am
by janus_zonstraal
Replacing all the files is another method.

As long as you have the database and the file folder nothing is lost.
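A check to run after replacing the files, added here as an example and not phpBB's own tooling: it compares the deployed forum directory against a freshly unpacked copy of the same phpBB release and lists what was never in the release or no longer matches it. It assumes both trees are local directories and that find, comm, cmp and grep are available on the host.

```shell
#!/bin/sh
# Compare a freshly unpacked phpBB release (CLEAN) with the deployed forum
# directory (LIVE) after the "replace all the files" recovery. Added example,
# not a phpBB tool. Flags files that exist only in LIVE and shipped files whose
# content differs from the release, which is where leftover or re-injected
# scripts show up.
set -eu

# Relative paths of all regular files below a directory, sorted for comm(1).
list_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# Files present in LIVE but absent from CLEAN. Expected extras are config.php,
# user uploads under files/ and images/avatars/, and any extensions or styles
# installed on top of the release; verify those against their own packages.
extra_files() {
    a=$(mktemp); b=$(mktemp)
    list_files "$1" > "$a"; list_files "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Shipped files whose bytes differ from the release copy: any hit here means
# the replacement was incomplete or the file was changed again afterwards.
modified_files() {
    a=$(mktemp); b=$(mktemp)
    list_files "$1" > "$a"; list_files "$2" > "$b"
    LC_ALL=C comm -12 "$a" "$b" | while IFS= read -r f; do
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
    rm -f "$a" "$b"
}

# Extras that are executable PHP: either named *.php, or PHP code hidden under
# another extension (such as a .ico name). config.php is the one root-level
# PHP file a site legitimately adds, so it is skipped.
suspicious_extras() {
    extra_files "$1" "$2" | while IFS= read -r f; do
        if [ "$f" = "config.php" ]; then continue; fi
        case "$f" in
            *.php) printf '%s\n' "$f"; continue ;;
        esac
        if grep -qa -e '<?php' -e '<?=' "$2/$f"; then printf '%s\n' "$f"; fi
    done
}

# Usage: suspicious_extras /tmp/phpBB3-clean /home/user/public_html/forum
```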

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Tue Oct 24, 2017 1:59 pm
by hoarybat
Thanks I'll delete and replace the forum directory with a backup. Sitelock told me the Malware Bot retrieves the Domain name after a successful hack/infection and will re-infect if protection is not in place.

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Tue Oct 24, 2017 2:12 pm
by RMcGirr83
Then sitelock needs to secure their servers. phpBB doesn't have any vulnerabilities that would allow something like this (injecting scripts into files).

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Tue Nov 07, 2017 6:02 pm
by hoarybat
Deleted all files, was up for 2-3 days and got hacked again with .php files mostly. Most in the forum, a handful at root of public_html. Would changing hosts do anything or am I flagged by Domain name now? Hostmonster keeps us down. I thought this was part of the Sitelock Scam but now I am not so sure. Changed CPANEL password, obviously that did nothing.

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Tue Nov 07, 2017 6:13 pm
by Mick
viewtopic.php?f=556&t=2443391#p14852066

You need to post in the incident tracker, no need to reply to this.

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Tue Nov 07, 2017 9:08 pm
by zoldos
So was this due to some kind of vulnerability? Should I be concerned?

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Wed Nov 08, 2017 1:49 am
by Elias
zoldos wrote:
Tue Nov 07, 2017 9:08 pm
So was this due to some kind of vulnerability? Should I be concerned?
RMcGirr83 wrote:
Tue Oct 24, 2017 2:12 pm
Then sitelock needs to secure their servers. phpBB doesn't have any vulnerabilities that would allow something like this (injecting scripts into files).

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Wed Nov 08, 2017 8:19 pm
by zoldos
:mrgreen:

Re: Our PHPBB3 site was hacked by bot and Gonzo

Posted: Wed Nov 08, 2017 11:30 pm
by stevemaury
Not a phpBB vulnerability.