My phpbb forum got hacked???

[krishmk]

My forum was working fine as usual until I tried to login to my administration panel today.

I found some strange things going on. It started redirecting... (within my domain)
a blank page with 40 to 50 random characters like "sdafafjlfllahjllhlhjlj"

Suddenly it displayed

"Page can not be displayed. IE only. Add site to Trusted zone.
Internet Options/Security/Trusted sites/Sites/switch off https/Add
Please download help file - help.zip"

At the first instance I thought my browser (firefox) is being hijacked. Later I tried with Opera, but to my surprise I saw the same result.

I logged into my ftp account and found in the "admin folder" some irrelevant files such as "a.asp", "a.php" "help.zip (which contains .hta file), "a.pl".

index.php and .hta files have some kind of javascript. (see in txt format)

I have entirely deleted the admin folder and replaced with the genuine one.
Also changed my ftp, hosting and domain control password. Should I need to do something more. (plz. dont suggest to change from phpbb, lol.........)

 

[Crusader]

Do you update phpBB?

 

[Kate]

phpbb has a history of hacks... if you want to stick with it you need to make sure your version is always up to date.
I would suggest downloading the latest release and starting anew with a fresh install.
Good thing that you changed all your passwords.
If you have a backup of the DB check the user table thoroughly: it's possible that the hacker has left a ghost administrator account in it so he can come back later and do some malevolent stuff like access your admin panel or download your DB

 

[tanfwc]

First thing you need to do is to backup your backup. Delete all your current phpBB files from your web server.

Then restore and reconnect back your phpBB. Login to your phpMyAdmin and execute this query to check is there any other admin created on your forum by the hacker.

SELECT * FROM `phpbb_users` WHERE `user_rank`=2

Good Luck!

 

[krishmk]

hi

Hi, thanks for your advice.

I checked the tables in the database ("php_users")
I dont find a user rank= 2, but I do see a row for anonymous user (user id = -1).

Is this normal, or should I delete this?

 

[McDot]

I would say your server was hacked and not phpBB.
A phpBB hack would not write files into the admin folder, unless your server allows it.

Keep your phpBB up to date.
Keep your server safe.
Make sure your passwords are safe.

 

[tanfwc]

Hi, thanks for your advice.

I checked the tables in the database ("php_users")
I dont find a user rank= 2, but I do see a row for anonymous user (user id = -1).

Is this normal, or should I delete this?

Don't delete that. It is require for phpBB to operate for guest.

Run the query, don't locate manually.

Btw, you should have one user that have rank 2 if not how do you login as admin ? :p

 

[krishmk]

It seems to be a server hack

Oops, I think you are right. It seems to be a server hack.

I find these files in almost all of my folders. (shared hosting)

a.asp
a.php
a.pl
help.zip (.hta file)

BTW, for admin, it shows user rank as 1