| 11:36 pm on Nov 24, 2004 (gmt 0)|
Yep very very serious. I missed this one, thankfully they didn't wipe my server ( yes thats how serious ). I'd guess almost every php webserver has at least one copy of phpbb installed. I think this should go frontpage, because of the seriousness, if this doesn't get done there could be a load of zombies out there waiting to do a lot of damage.
| 11:51 pm on Nov 24, 2004 (gmt 0)|
I'm digging through their website right now, but does anyone know how to tell if your board's already been hacked?
| 11:51 pm on Nov 24, 2004 (gmt 0)|
Be careful, some of the hacked forum owners had their config.php files scanned giving the hacker access to the root MySQL database username and password for their account.
| 12:17 am on Nov 25, 2004 (gmt 0)|
search through your logfiles for lines with "viewtopic" and "system" in them, and a whole bunch of characters like 252echr(110)%252echr(97)%252echr(109)%252echr(101))%252e%25
On one of my forums I've had 318 different attempts. Now I have to work out what they did, and how to clean it up.
| 12:26 am on Nov 25, 2004 (gmt 0)|
Found 2 different shellkits so far. If you are just hosting on someone else's server, get your hosting provider to check their server if you see those lines in your logs, as if you do not have root access it is out of your hands.
| 1:03 am on Nov 25, 2004 (gmt 0)|
eaden, I don't think you're the only one: there are hacking attempts galore going on at the moment. The patch came out last Thursday, but despite supposing to be on the release mailing list I wasn't notified and only happened upon it by chance last Saturday.
If your board was hacked, it's probably better to disable the board and reinstall from scratch, patching a known good backup at least. I don't know how much the database could be affected, but at worst you'll have to roll back to a backup from last week even if that means losing a week's postings. androidtech's right also: I would certainly change the database name and password too.
| 1:08 am on Nov 25, 2004 (gmt 0)|
the problem is, on a shared host using a standard/common configuration, if anyone on your host is running phpbb, and you have any database driven site, your database passwords could be revealed by looking at config files.
Also, the person who notified me about this said patching is NOT enough, and you must install the full 2.0.11.
| 1:37 am on Nov 25, 2004 (gmt 0)|
Just doing the one-line patch as described in the link in my original message is a short-term fix, but not a long-term solution. The full patch file downloadable from the phpbb.com website is however sufficient for fully fixing the hole, as it includes all the file changes from the full 2.0.11 version.
It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.
| 1:43 am on Nov 25, 2004 (gmt 0)|
|It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems. |
The expoits being used gain a shell as the web server user. It's not a permissions issue as if you have a shell as the web server user you can read any file in the web directories. The web server *has* to be able to read all the web files else php can't open them.
| 2:26 am on Nov 25, 2004 (gmt 0)|
Yah think of it like this, a user can become admin and wammo download your database then create a site based off your content, or spam your users... so fix it and fast ;)
| 3:01 am on Dec 10, 2004 (gmt 0)|
A software support phpBB board was hacked while I was posting... a strange and sad experience. When I tried to post, I got a message that the thread did not exist, and, when I checked further, it didn't. In fact, all threads on the board had disappeared.
There was a note on the board... that it had been "hacked by Frosty-E"... with one thread for members to discuss how the board had been hacked. Really disgusting.
It occurred that a warning to the phpBB community might be in order. I don't know whether this is old news or not, but I thought I'd share it just in case
| 3:39 am on Dec 10, 2004 (gmt 0)|
There was a thread about an important phpBB security upgrade [webmasterworld.com] not long ago... no doubt there are plenty of boards that haven't patched yet.
| 3:42 am on Dec 10, 2004 (gmt 0)|
There was a vulnerability found in at least one version of phpbb last week or so.
I didn't know about it either until after i noted something odd in my logs.
I can't recall if it was brought up on this board or not, but I did see it somewhere else. It is known, but given that not everyone is registered on the anouncement list(I'm still not), it can be overlooked.
| 4:16 am on Dec 10, 2004 (gmt 0)|
Thanks much Robert Charlton. I was away when this occurred and was discussed initially, so I'm very glad you posted! In process of downloading 2.0.11 right now, already installed the temp fix....
| 10:42 pm on Dec 10, 2004 (gmt 0)|
Hey, folks... I'm freaked. It's just happened again, while I was posting to another forum. I logged onto the forum and was composing my message offline. When I clicked the post link, I got a 404.
I don't think that I could be transmitting any sort of Spyware, but I'm not sure. I'm in the process of moving over to a new machine, so I've been lax about updating Spybot... and I'm using a dial-up until I build my new machine, so don't yet have a firewall.
Since I run PocoMail and have Active-X disabled, with several levels of email virus screening, I've figured I can't do much harm. I promise I won't visit your phpBB boards.
Just coincidence, or could something else be going on? Am about to update Spybot right now.
| 12:07 am on Dec 11, 2004 (gmt 0)|
A local community activism one went down here in Edinburgh as well yesterday.
| 2:34 am on Dec 11, 2004 (gmt 0)|
Freshly updated Spybot Search and Destroy says I'm clean, and report from one board owner suggests it wasn't connected to my log-on. I'm guessing there must be a lot of hacks going on right now. This is either an epidemic or a very weird coincidence.
Maybe the original thread should get moved to the home page. Half the people I've talked to with phpBB boards have already gotten hit.
| 7:37 am on Dec 11, 2004 (gmt 0)|
I have a solution to this problem. Build your own software and stop depending on 3rd party stuff. It's not like I'm asking people to build entire OS' from scratch. I'm talking web applications. Programmers make computer languages that are more accessible, and people turn around and get lazier...
my 2 cents
| 11:03 am on Dec 11, 2004 (gmt 0)|
Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)
| 12:18 pm on Dec 11, 2004 (gmt 0)|
Does anyone know if this effects phpBB on PostNuke and PHPNuke installations?
| 12:21 pm on Dec 11, 2004 (gmt 0)|
when i installed phpbb it got hacked everytime, which was maybe 5 times
| 12:58 pm on Dec 11, 2004 (gmt 0)|
fcharrua's solution is the ideal but also idealistic.
I would be happy to use phpBB but can't at present since my site is hosted on a Win2K box. Instead I am using a third-party hosted BB which is backed up by the company which provides it.
Furthermore if it ever gets hacked - it was once - it's their server that gets hacked not mine.
The obvious downside though is that it's not free, it's a subscription service.
| 2:54 pm on Dec 11, 2004 (gmt 0)|
|Does anyone know if this effects phpBB on PostNuke and PHPNuke installations? |
I believe it does, came across a thread on the phpbb forum about it days ago. Better to be safe than sorry, upgrade!
| 4:41 pm on Dec 11, 2004 (gmt 0)|
|Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :) |
I would say: If you asked someone for the time on a regular basis, and on occasions, that person gives you the wrong time of day, would you go out and buy your own watch? ~_^
| 10:52 pm on Dec 11, 2004 (gmt 0)|
My own simple solution is to disable wget except for root. I was hit before with another exploit, and what many do is they wget a remote file to exploit your system. As long as you block wget from being used it blocks a lot of their crap :)
| 11:07 pm on Dec 11, 2004 (gmt 0)|
Sorry fcharrua, my bad. I should have said "when someone asks you for the time, do you tell them to build their own clock." :)
| 5:38 pm on Dec 12, 2004 (gmt 0)|
My forum was hacked a couple of weeks ago using this. Could'a been serious (5-10K users, 750K posts, dedicated server). Instead all they did was post a thread with my userid title 'HACKED' and pointed a URL to the fix. They made their point :).
As a result, along with a couple of other changes I'm:
- moving to vbulletin
- starting with a freshly wiped server and simply upgrading the database to the new forum program
| 8:16 pm on Dec 12, 2004 (gmt 0)|
I've found a number of attempts in my log files coming from a few different IPs. However it doesn't look like anything's been changed. I've applied the patch now and will upgrade to the latest version asap.
What's the worst that could happen from this? a wiped forum db? Root access?
| 9:54 pm on Dec 12, 2004 (gmt 0)|
Seems very serious,
today I received this e-mail from my host:
[Summary: Due to phpBB exploits that could crash the server running phpBB, the host is suspending accounts running phpBB until the software is upgraded for each account.]
[edited by: rogerd at 7:12 pm (utc) on Dec. 13, 2004]
[edit reason] e-mail quote [/edit]
| This 46 message thread spans 2 pages: 46 (  2 ) > > |