#1 (permalink) | THREAD STARTER | NamePros Regular | Join Date: Oct 2006 | Posts: 848

My phpbb forum got hacked???

My forum was working fine as usual until I tried to log in to my administration panel today. I found some strange things going on. It started redirecting... (within my domain) a blank page with 40 to 50 random characters like "sdafafjlfllahjllhlhjlj". Suddenly it displayed:

"Page can not be displayed. IE only. Add site to Trusted zone. Internet Options/Security/Trusted sites/Sites/switch off https/Add Please download help file - help.zip"

At the first instance I thought my browser (Firefox) was being hijacked. Later I tried with Opera, but to my surprise I saw the same result. I logged into my FTP account and found in the "admin folder" some irrelevant files such as "a.asp", "a.php", "help.zip" (which contains a .hta file) and "a.pl". The index.php and .hta files have some kind of JavaScript (see in txt format).

I have entirely deleted the admin folder and replaced it with the genuine one. I also changed my FTP, hosting and domain control passwords. Do I need to do something more? (Please don't suggest changing from phpbb, lol.........)

#2 (permalink) | Senior Member | Join Date: Aug 2003 | Location: Canada | Posts: 1,257

Do you update phpBB?

#3 (permalink) | Domains my Dominion | Join Date: Aug 2005 | Location: Web 1.0 | Posts: 9,963

phpbb has a history of hacks... if you want to stick with it you need to make sure your version is always up to date. I would suggest downloading the latest release and starting anew with a fresh install. Good thing that you changed all your passwords.

If you have a backup of the DB check the user table thoroughly: it's possible that the hacker has left a ghost administrator account in it so he can come back later and do some malevolent stuff like access your admin panel or download your DB.

#4 (permalink) | NamePros Member | Join Date: Jun 2006 | Posts: 195

First thing you need to do is to back up your backup. Delete all your current phpBB files from your web server. Then restore and reconnect your phpBB. Log in to your phpMyAdmin and execute this query to check whether there is any other admin created on your forum by the hacker.

#5 (permalink) | THREAD STARTER | NamePros Regular | Join Date: Oct 2006 | Posts: 848

hi

Hi, thanks for your advice. I checked the tables in the database ("php_users"). I don't find a user rank = 2, but I do see a row for an anonymous user (user id = -1). Is this normal, or should I delete this?

#6 (permalink) | NamePros Regular | Join Date: Sep 2006 | Location: Germany | Posts: 387

I would say your server was hacked and not phpBB. A phpBB hack would not write files into the admin folder, unless your server allows it. Keep your phpBB up to date. Keep your server safe. Make sure your passwords are safe.

#7 (permalink) | NamePros Member | Join Date: Jun 2006 | Posts: 195

Run the query, don't locate manually. Btw, you should have one user that has rank 2; if not, how do you log in as admin?

#8 (permalink) | THREAD STARTER | NamePros Regular | Join Date: Oct 2006 | Posts: 848

It seems to be a server hack

Oops, I think you are right. It seems to be a server hack. I find these files in almost all of my folders (shared hosting):

a.asp
a.php
a.pl
help.zip (.hta file)

BTW, for admin, it shows user rank as 1.

Last edited by krishmk; 03-11-2007 at 06:46 AM.
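
An added example, not part of the original thread or written by any of its participants: a read-only triage script for the situation in post #8, where the same dropped files turn up in many folders of a shared-hosting account. It walks a web root and reports every file with one of the reported names, any .hta file, and any zip archive containing a .hta member; the function names and the sample tree are assumptions made for illustration.

```python
import os
import sys
import tempfile
import zipfile

# File names reported in the thread; indicators for this incident only.
REPORTED_NAMES = {"a.asp", "a.php", "a.pl", "help.zip"}

def zip_has_hta(path):
    """True if the archive has a .hta member; unreadable archives count as False."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith(".hta") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False

def scan(webroot):
    """Walk webroot and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith(".hta"):
                findings.append((rel, "hta file"))
            elif lower.endswith(".zip") and zip_has_hta(full):
                findings.append((rel, "zip containing .hta"))
            elif lower in REPORTED_NAMES:
                findings.append((rel, "reported file name"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a small web root holding harmless placeholder files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel in ("index.php", "admin/index.php", "admin/a.php", "images/A.PL"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    with zipfile.ZipFile(os.path.join(root, "admin", "help.zip"), "w") as zf:
        zf.writestr("help.hta", "placeholder")
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, reason in scan(target):
        print(f"{reason:22} {rel}")
```

Pass the account's web root as the first argument to scan real files. A hit is a file to review, and an empty result does not show the account is clean, since modified legitimate files such as the index.php mentioned in post #1 are not matched by name.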