Yep very very serious. I missed this one, thankfully they didn't wipe my server ( yes thats how serious ). I'd guess almost every php webserver has at least one copy of phpbb installed. I think this should go frontpage, because of the seriousness, if this doesn't get done there could be a load of zombies out there waiting to do a lot of damage.

I'm digging through their website right now, but does anyone know how to tell if your board's already been hacked?

Be careful, some of the hacked forum owners had their config.php files scanned giving the hacker access to the root MySQL database username and password for their account.

Thanks.

search through your logfiles for lines with "viewtopic" and "system" in them, and a whole bunch of characters like 252echr(110)%252echr(97)%252echr(109)%252echr(101))%252e%25

On one of my forums I've had 318 different attempts. Now I have to work out what they did, and how to clean it up.

Found 2 different shellkits so far. If you are just hosting on someone else's server, get your hosting provider to check their server if you see those lines in your logs, as if you do not have root access it is out of your hands.

eaden, I don't think you're the only one: there are hacking attempts galore going on at the moment. The patch came out last Thursday, but despite supposing to be on the release mailing list I wasn't notified and only happened upon it by chance last Saturday.

If your board was hacked, it's probably better to disable the board and reinstall from scratch, patching a known good backup at least. I don't know how much the database could be affected, but at worst you'll have to roll back to a backup from last week even if that means losing a week's postings. androidtech's right also: I would certainly change the database name and password too.

Good luck!

the problem is, on a shared host using a standard/common configuration, if anyone on your host is running phpbb, and you have any database driven site, your database passwords could be revealed by looking at config files.

Also, the person who notified me about this said patching is NOT enough, and you must install the full 2.0.11.

patching is NOT enough

Just doing the one-line patch as described in the link in my original message is a short-term fix, but not a long-term solution. The full patch file downloadable from the phpbb.com website is however sufficient for fully fixing the hole, as it includes all the file changes from the full 2.0.11 version.

It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.

It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.

The expoits being used gain a shell as the web server user. It's not a permissions issue as if you have a shell as the web server user you can read any file in the web directories. The web server *has* to be able to read all the web files else php can't open them.

Yah think of it like this, a user can become admin and wammo download your database then create a site based off your content, or spam your users... so fix it and fast ;)

A software support phpBB board was hacked while I was posting... a strange and sad experience. When I tried to post, I got a message that the thread did not exist, and, when I checked further, it didn't. In fact, all threads on the board had disappeared.

There was a note on the board... that it had been "hacked by Frosty-E"... with one thread for members to discuss how the board had been hacked. Really disgusting.

It occurred that a warning to the phpBB community might be in order. I don't know whether this is old news or not, but I thought I'd share it just in case

There was a thread about an important phpBB security upgrade [webmasterworld.com] not long ago... no doubt there are plenty of boards that haven't patched yet.

There was a vulnerability found in at least one version of phpbb last week or so.

I didn't know about it either until after i noted something odd in my logs.

I can't recall if it was brought up on this board or not, but I did see it somewhere else. It is known, but given that not everyone is registered on the anouncement list(I'm still not), it can be overlooked.

Thanks much Robert Charlton. I was away when this occurred and was discussed initially, so I'm very glad you posted! In process of downloading 2.0.11 right now, already installed the temp fix....

Hey, folks... I'm freaked. It's just happened again, while I was posting to another forum. I logged onto the forum and was composing my message offline. When I clicked the post link, I got a 404.

I don't think that I could be transmitting any sort of Spyware, but I'm not sure. I'm in the process of moving over to a new machine, so I've been lax about updating Spybot... and I'm using a dial-up until I build my new machine, so don't yet have a firewall.

Since I run PocoMail and have Active-X disabled, with several levels of email virus screening, I've figured I can't do much harm. I promise I won't visit your phpBB boards.

Just coincidence, or could something else be going on? Am about to update Spybot right now.

A local community activism one went down here in Edinburgh as well yesterday.

Freshly updated Spybot Search and Destroy says I'm clean, and report from one board owner suggests it wasn't connected to my log-on. I'm guessing there must be a lot of hacks going on right now. This is either an epidemic or a very weird coincidence.

Maybe the original thread should get moved to the home page. Half the people I've talked to with phpBB boards have already gotten hit.

I have a solution to this problem. Build your own software and stop depending on 3rd party stuff. It's not like I'm asking people to build entire OS' from scratch. I'm talking web applications. Programmers make computer languages that are more accessible, and people turn around and get lazier...

my 2 cents

Hello fcharrua:

Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)

lawman

Does anyone know if this effects phpBB on PostNuke and PHPNuke installations?

when i installed phpbb it got hacked everytime, which was maybe 5 times

not good

fcharrua's solution is the ideal but also idealistic.

I would be happy to use phpBB but can't at present since my site is hosted on a Win2K box. Instead I am using a third-party hosted BB which is backed up by the company which provides it.

Furthermore if it ever gets hacked - it was once - it's their server that gets hacked not mine.

The obvious downside though is that it's not free, it's a subscription service.

Does anyone know if this effects phpBB on PostNuke and PHPNuke installations?

I believe it does, came across a thread on the phpbb forum about it days ago. Better to be safe than sorry, upgrade!

Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)

I would say: If you asked someone for the time on a regular basis, and on occasions, that person gives you the wrong time of day, would you go out and buy your own watch? ~_^

My own simple solution is to disable wget except for root. I was hit before with another exploit, and what many do is they wget a remote file to exploit your system. As long as you block wget from being used it blocks a lot of their crap :)

Sorry fcharrua, my bad. I should have said "when someone asks you for the time, do you tell them to build their own clock." :)

My forum was hacked a couple of weeks ago using this. Could'a been serious (5-10K users, 750K posts, dedicated server). Instead all they did was post a thread with my userid title 'HACKED' and pointed a URL to the fix. They made their point :).

As a result, along with a couple of other changes I'm:
- moving to vbulletin
- starting with a freshly wiped server and simply upgrading the database to the new forum program

Hi,

I've found a number of attempts in my log files coming from a few different IPs. However it doesn't look like anything's been changed. I've applied the patch now and will upgrade to the latest version asap.

What's the worst that could happen from this? a wiped forum db? Root access?

Cheers

Seems very serious,
today I received this e-mail from my host:

[Summary: Due to phpBB exploits that could crash the server running phpBB, the host is suspending accounts running phpBB until the software is upgraded for each account.]

[edited by: rogerd at 7:12 pm (utc) on Dec. 13, 2004]
[edit reason] e-mail quote [/edit]