Another "relative path" conversion confusion..

Lumpy Burgertushie · Post by **Lumpy Burgertushie** » Sun Jan 20, 2019 2:15 am

there is something strange here. your database is not in a folder of any kind. never has been.
you do not access your database via ftp or any file manager etc.

so, if the hack is simply putting up a page with that message to replace your index.php page then it really has nothing to do with a database.

also, of course the hack would stop if you remove the board since you also removed the offending files that are creating the hack.

this sounds something like the old cpanel hacks from years ago.

seems that someone has access to your server. once they have that access they can do whatever they want with your website.

robert

oshawapilot · Post by **oshawapilot** » Sun Jan 20, 2019 2:33 am

When you run your own SQL server, yes, the database is very much a bunch of files...in a directory. And since the server is sitting in front of me, yes, I can very much access them via a variety of methods, however I don't have any remote access to that server configured short of a VNC server since it's a headless server.

The hack isn't replacing anything whatsoever related to the forum, no index.php or other changes in the related directory. The database was just being deleted (somehow, that's the big question) and then the forum would popup with the typical "cannot find database" SQL error.

I restored the database from my backups, and boom, the forum would be back online in under 30 seconds.

Like I said, I have no reason to believe that someone has gained any access to the server itself. Absolutely positively *nothing* else is being defaced or modified except whats in my db folder. And when phpBB was removed from the equation, everything stopped.

I've spent a week basically troubleshooting this. As much as I hate to say it, like I said in an earlier response, the only commonality I can find to the hack is it only occurs when my phpbb install was running.

Now, I'm not suggesting it wasn't a malicious plugin or something that somehow found it's way onto the phpBB install (it seems the other admin / owner has been doing more than I thought in that regard), but again....phpBB disabled, hack disabled. phpBB restored, hack happens again in short order. This was repeatable across about 4 or 5 days of testing.

I'm lucky that this is such a tiny little forum (on a topic which is basically idled this time of year anyways) so having it down isn't a massive deal in the grand scheme of things.

Post by **Paul** » Sun Jan 20, 2019 9:06 am

stevemaury wrote: ↑Sun Jan 20, 2019 12:57 am
Table 'phpbb_travcoforumlog' is marked as crashed and should be repaired
This is not a phpBB table. The instructions say to clean your database. Look at this again - https://www.phpbb.com/support/docs/en/3 ... /upgrade3/

If the prefix is phpbb_travcoforum (check your config.php) then this is a phpBB table, which should be kept

warmweer · Post by **warmweer** » Sun Jan 20, 2019 10:35 am

Paul wrote: ↑Sun Jan 20, 2019 9:06 am If the prefix is phpbb_travcoforum (check your config.php) then this is a phpBB table, which should be kept

Sharp observation, I think many of us wouldn't have thought about that.
Seeing phpbb_travcoforum automatically makes us think phpbb_ is the table prefix, but the prefix could be phpbb_travcoforum (without the "_") and the phpbb_travcoforumlog would then be the name of the "log"table.

Post by **stevemaury** » Sun Jan 20, 2019 3:28 pm

Paul makes a good point. Do you have a table named "phpbb_travcoforumacl_groups"?

oshawapilot · Post by **oshawapilot** » Sun Jan 20, 2019 3:49 pm

Ok, regrouping.

Yes indeed, the forum prefix is actually indeed phpbb_travcoforum.

In retrospect, I remember why this is - when I configured the board that I did indeed specifically set it up this way. There was a reason - I used to run quite a few different phpBB boards on one server 10 or 15 years back, and at one point when I was working on a database for one of them...I accidentally hosed up a database for the wrong forum, not noticing I had accidentally selected the wrong DB in pypMyAdmin. It wasn't until I got an angry email from another board admin a few hours later that I'd realized my mistake - his forum was down, and the one I'd intended to be working on was actually unchanged.

From that point forward whenever I setup a new DB for a forum I included the forum name in the table prefix's so that there would never be any confusion again. If I was intending to run an SQL query on phpbb_thisforumname and found the table names actually reading phpbb_thatforumname, it gave me a heads up I was in the wrong place.

Anyhow, I am back poking at things again today. I'm going to run the DB cleaner tool anyways before trying the conversion again (just to ensure that the error I experienced wasn't related to something the other admin on the forum actually did) and see what happens. I completely reverted everything to the way it was before I started all this so I can start completely from scratch again, but now I'm just waiting for a new incremental backup to complete..just in case. I'm a big believer in good backups.

oshawapilot · Post by **oshawapilot** » Sun Jan 20, 2019 5:19 pm

Edit: Nevermind, resolved..