  #1  
Old 16-June-2007, 21:25
lledwardll
Guest
 
Posts: n/a
Default PHPBB Hacking, Help :(

So I'm fairly new to this forum and the way it works, I found it by random while looking for a way to fix a TCP/IP setting on my network. Anyway, I'm not sure if this is where I am supposed to post this (If Not, sorry) But I was hoping I might be able to get some help with my forums.

Back Story:

I switched web hosts about 8 months ago, from Godaddy.com to IxWebHosting.com.
They provided me with more than GoDaddy offered and then some: great customer service, server configuration and so on.

Well, randomly while I was tweaking a few of the template file settings, I started to see errors above the page header.

Long drawn out 3 week story short, someone was hacking our forums and was forcing an SQL injection.

However it was done, once completed all sites (4-5 separate domains) were compromised and all index pages had hidden <iFrames> to log site traffic and redirect users to spam sites.
Once infected, if left alone the infection grows and the hidden <iFrames> turn into a Trojan downloader.

Below is a picture one of our members submitted:


Being so annoyed with this issue, I ended up giving up on the site and am at a complete loss with my members and other administrators.
The site has been down for about a week now.

Below are the following methods used to stop such attacks.
1. Took Site Down.
2. Changed FTP Password
3. Changed Hosting account password
4. Changed Hosting control panel Password
5. Changed SQL Databases User/Passes
6. Cleaned and dropped all tables in SQL databases (Besides Users/Posts)
7. Changed site's dedicated IP
8. Changed site's directory.
9. Only Uploaded forums
10. Removed all Customizations and mods
11. Changed from PHPBB2 to PHPBB3

With nothing in the head directory but the forums, regardless of configuration, 24-48 hours after upload it would be hacked again.

I'm not sure where to go from this point. Should I look into encrypting my php pages, and if so, how?
Should I look into a new host? Maybe it's a vulnerability in that?

Like I said I'm at a complete loss, if anyone has even the slightest bit of information in regards to this topic please reply.

Thanks for reading, Edward
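
Added example, not part of the original post: a small scanner for the kind of hidden iframes described above, meant to be run over a preserved copy of the web root so the modification times can be compared with server logs. The size/style heuristics, the extension list and the sample markup are assumptions constructed for illustration; script-generated or obfuscated injections will not match.

```python
import re
from pathlib import Path

# Heuristics are assumptions for illustration: an iframe is "hidden" when its
# width or height is 0/1 px or its inline style hides it.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDING_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}
WEB_EXTS = {".php", ".html", ".htm", ".tpl", ".js"}

def scan_text(text):
    """Return (line_number, src) for every hidden-looking iframe tag."""
    hits = []
    for tag in IFRAME.finditer(text):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR.finditer(tag.group(0))}
        tiny = any(attrs.get(k, "").strip().lower() in TINY
                   for k in ("width", "height"))
        if tiny or HIDING_STYLE.search(attrs.get("style", "")):
            line = text.count("\n", 0, tag.start()) + 1
            hits.append((line, attrs.get("src", "")))
    return hits

def scan_tree(root):
    """Scan web files under root; return (path, line, src, mtime) per finding."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            text = path.read_text(errors="replace")
            for line, src in scan_text(text):
                findings.append((str(path), line, src, path.stat().st_mtime))
    return findings

# Constructed sample page: two injected frames and one legitimate frame.
SAMPLE = """<html><body>
<h1>Forum index</h1>
<iframe src="http://injected.example/x" width=0 height=0 frameborder=0></iframe>
<iframe src="/shoutbox.php" width="400" height="300"></iframe>
<IFRAME SRC='http://injected.example/y' style="visibility: hidden"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for line, src in scan_text(SAMPLE):
        print(f"line {line}: hidden iframe -> {src}")
```
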
  #2  
Old 16-June-2007, 22:01
Memfis Memfis is offline
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894
Default Re: PHPBB Hacking, Help :(

Welcome

I've moved this to Linux, although there is really no right place for this type of thread.

You state other sites were also attacked. Were these your sites or other Hosting Provider's Customers?
Looks to me like you took standard steps to prevent this from happening again, however it has. It could be that the provider hasn't kept the server up to date.
From the speed that it reoccurred it looks like an automated attack. I presume this has been reported to your provider?

Has Guest posting been disabled on your forum?
All forum administrators changed their passwords?

Unfortunately without Logs it can be quite hard to tell exactly what has happened. And would require far more investigation.
Last resort would be changing hosting provider again, however this might not help if phpBB was at fault.

edit: I've just noticed that you are / the hosting provider is using webalizer. It reports its version as Version 2.01 however the latest is Version 2.01-10. Is it up to date?

Last edited by Memfis; 16-June-2007 at 22:10.
  #3  
Old 16-June-2007, 22:11
silver silver is offline
 
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177
Default Re: PHPBB Hacking, Help :(

hacking in that way is illegal in most countries

http://www.cert.org/tech_tips/root_compromise.html

if the compromise is to do with PHPBB then contact them and send them whatever they need to determine the issue

if the hosting you have is shared hosting then it's possible the server itself is compromised (i.e. another site on same server is the entry point / cause of issue) - talk to hosting company perhaps

in short term try another forum http://www.xmbforum.com/ or http://punbb.org/ - something small and simple

anything you are going to wipe from the server you should first take copies of, all files / database dumps etc so you / other ppl can work out what is going on..

Sil

edit xposed with mem
  #4  
Old 16-June-2007, 22:16
Memfis Memfis is offline
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894
Default Re: PHPBB Hacking, Help :(

No Problem Sil,

Good to see we admins think alike
  #5  
Old 17-June-2007, 10:51
lledwardll
Guest
 
Posts: n/a
Default Re: PHPBB Hacking, Help :(

Reply, Memfis:
Other Domains I own and host.
Guest Posting was disabled after the first time this issue presented itself.
However, webalizer has not been updated. How much of a difference would that make?

Reply, Silver:
I am on a shared hosting plan. Although I don't think it's a fault in PHPBB2's scripting, seeing as how we updated to PHPBB3. The 3.0 version was completely rebuilt. The themes no longer run on .tpl files. Even though a lot of the header errors we were seeing had to do with 4 specific php files, more so we were seeing errors in .tpl files as well.

Auth.php
Sessions.php
Page_Header.php
*Something Users.php

Edit: Server logs show no unauthorized entry or uploading.
Also, Thanks for the welcome. Also, Also, Sorry for the complete randomness of this topic
  #6  
Old 19-June-2007, 17:08
Memfis Memfis is offline
Former TS! Team
 
Join Date: Feb 2002
Location: ex TS! Team Mansion squatter
Posts: 3,894
Default Re: PHPBB Hacking, Help :(

This sounds familiar Ifram MPack, although they don't state how the servers are being attacked.
  #7  
Old 19-June-2007, 17:52
silver silver is offline
 
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 12,177
Default Re: PHPBB Hacking, Help :(

the first thing to work out is the attack vector, it could be nothing to do with your website at all (shared hosting / server itself is compromised)

if a re-install of the software that is fully patched has not fixed the issue then really there aren't that many options, you need to understand how the box or website is compromised before you know what to do next

talking to the server owner is probably a good idea

Sil