Just had my phpbb forum hacked


a1call

2:53 am on Oct 16, 2005 (gmt 0)


Hi,
I disabled the forum and am in the process of restoring a backup.

Any advice on how to prevent future hacks?

The rest of the site seems unaltered. Is it in extra jeopardy because of the hack?
Should I change all passwords to the rest of the site?

Thanks in advance for any comments.

2by4

4:03 am on Oct 16, 2005 (gmt 0)


Which version are you running? If you hadn't updated to the latest, make sure you do that before going back online. Remember to always update your forums as soon as an update appears; you'll avoid most issues with that.

You already avoided mistake #1, not making a backup, so it's not that bad.

You'll want to check with your hoster that nothing else was done. If it was just defaced, nothing else probably happened, but you never know.

Change your hoster account access password, make sure to make it a real password: r4G2jJ9q for example, not something 'easy to remember'. Change your admin password, make sure no new user accounts were added with mod or admin privileges, if they were, delete them.

a1call

4:11 am on Oct 16, 2005 (gmt 0)


Hi 2by4,

Thank you for the reply and encouragement.

I can restore the system at any time. My concern is how much access will the hacker have to the rest of the site and if I should expect a breach on a regular basis since now they have a hidden key to get in somewhere.

Has anyone here had a similar hacking experience?

2by4

4:18 am on Oct 16, 2005 (gmt 0)


If you were running less than version 2.0.17 your forums had vulnerabilities.

Before going back online with them, you'll need to update everything: first restore the db, then do the update to the phpbb if you were running an older version.

If you are running 2.0.17 and they still got in, you should report it on phpbb.com forums immediately.

Assume the worst, make sure on your hosting account no new accounts or users were added as well. Change your hoster password now.

Go through all the recent new users and make sure none of them have escalated forum user privileges.

If you're using anything like jpg/gif uploading, get rid of it right away, until you figure out what the problem is.

If you were running an older phpbb version, less than 2.0.17, don't ever slack on updating the stuff, update it the day the patch is released if you can.

a1call

5:37 am on Oct 16, 2005 (gmt 0)


Hi 2by4,

I am following your advice. I'm not sure about the version yet because I have disabled the hacked version.

I will have to keep it hush until I have secured the site.

I will post the results.

Thank you for your support. It is very much appreciated.

keyplyr

9:22 am on Oct 16, 2005 (gmt 0)


Just one other tip: If your phpbb forum displays the version number at the bottom of the page (or anywhere else), remove it. Hackers will often learn a technique for a certain script version then search for it.

2by4

4:54 pm on Oct 16, 2005 (gmt 0)


a1call, if you don't know your phpbb version number, it's pretty safe to guess that you were running an older version.

There's no big danger in that case, just put in your backup db, then update the forum software to the latest version, that should probably cover you fine.

Once you've done that, make sure to check the recent new users like I said, they could have cracked this a while ago, it's hard to say for sure.

a1call

8:47 pm on Oct 16, 2005 (gmt 0)


Hi,
Here is some info:
* The version was not 2.0.17
* There appears to be no ftp style breach, as none of the actual phpbb files were altered
* The breach seems to have been to the database:
In the phpbb_config table site name and description were altered so that they would run a script on an external URL.
The URL is from a free host and I have complained to them.
* The result was that any page showing the site name (all pages) would run the script that would redirect to a flash page showing hacked by ...
* Haven't found the mechanics on how they have managed to change the database entry.
* I have dis-privileged the default phpbb user

As mentioned by keyplyr it is a very good idea to remove the version info as this makes it easy to find the vulnerable versions using SEs.

Will post more if I have more info.
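Two checks come up repeatedly in this thread: 2by4's advice to go through recent users for escalated forum privileges, and a1call's finding that the `phpbb_config` rows for the site name and description had been rewritten to load a script from an external URL. The script below is an added example, not code from the original thread or from phpBB itself. It runs the two checks offline against constructed sample rows shaped like the output of a `SELECT` on `phpbb_config` and `phpbb_users`; the column names and the `user_level` constants (0 = user, 1 = admin, 2 = mod) are assumed to match phpBB 2.0, and the sample usernames, timestamps and the hostname `free-host.example` are invented for the demonstration.

```python
"""Offline post-incident audit of phpBB 2 data (added example, not phpBB code).

The row layouts below are assumptions about phpBB 2.0's phpbb_config
(config_name, config_value) and phpbb_users (user_id, username, user_level,
user_regdate) tables; the sample rows themselves are constructed.
"""
import re
from datetime import datetime, timezone

# phpBB 2.0 user_level values (assumption: as defined in phpBB 2.0's constants).
USER, ADMIN, MOD = 0, 1, 2

# Queries a practitioner would run against the live database to obtain the rows
# fed to the functions below. They are documentation here, not executed.
CONFIG_SQL = ("SELECT config_name, config_value FROM phpbb_config "
              "WHERE config_name IN ('sitename', 'site_desc')")
USERS_SQL = ("SELECT user_id, username, user_level, user_regdate "
             "FROM phpbb_users WHERE user_level IN (1, 2)")

# Markup that has no legitimate place in a site name or description: tags that
# load or execute code, javascript: URLs and inline event handlers.
INJECTION_RE = re.compile(
    r"<\s*(script|iframe|object|embed)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)

# Constructed sample rows. The sitename row mimics the defacement described in
# the thread: the original value followed by a script pulled from a free host.
SAMPLE_CONFIG = [
    ("sitename", 'My Forum<script src="http://free-host.example/h.js"></script>'),
    ("site_desc", "A place to talk about widgets"),
]
SAMPLE_USERS = [
    # (user_id, username, user_level, user_regdate as Unix time)
    (2, "admin", ADMIN, 1100000000),
    (12, "helper", MOD, 1110000000),
    (57, "h4x", ADMIN, 1129000000),   # constructed: unknown account with admin level
    (58, "newbie", USER, 1129400000),
]
# The staff accounts the forum owner actually created (constructed).
KNOWN_STAFF = {"admin", "helper"}


def find_injected_config(rows):
    """Return the config_name of every row whose value contains injected markup."""
    return [name for name, value in rows if INJECTION_RE.search(value or "")]


def find_escalated_users(rows, known_staff):
    """Return usernames holding admin or mod level that are not on the known list.

    Results are ordered by registration date so the newest grants stand out.
    """
    suspects = [(regdate, name) for _uid, name, level, regdate in rows
                if level in (ADMIN, MOD) and name not in known_staff]
    return [name for _regdate, name in sorted(suspects)]


def audit(config_rows, user_rows, known_staff):
    """Run both checks and return a report dict; empty lists mean nothing found."""
    return {
        "injected_config": find_injected_config(config_rows),
        "escalated_users": find_escalated_users(user_rows, known_staff),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, SAMPLE_USERS, KNOWN_STAFF)
    for key, hits in report.items():
        print(f"{key}: {hits or 'clean'}")
    for _uid, name, level, regdate in SAMPLE_USERS:
        if name in report["escalated_users"]:
            when = datetime.fromtimestamp(regdate, tz=timezone.utc)
            print(f"  {name}: level {level}, registered {when:%Y-%m-%d}")
```

Restoring a backup only helps if the backup predates the tampering, so the same two checks are worth running against the restored database before the forum goes back online; a clean report there, combined with the software update 2by4 describes, is the reasonable baseline before reopening.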

oneguy

10:17 pm on Oct 16, 2005 (gmt 0)


Shared hosting?

You really never know how secure the server you're on is. Well, unless you know what you're doing and feel like testing it. Or if you're root, and many of those guys don't know, either.

a1call

11:08 pm on Oct 16, 2005 (gmt 0)


Hi,
Felt good to finally post to my updated forum.
Here is my hypothesis:

The automated phpbb installation generates a generic (non-random) default user name and hopefully random password.

I think that the hacker has figured out the username and probably used some algo to figure out the short password that is generated.

I renamed the database, user name and password to long random strings and updated this info in config.php

I believe this measure should prevent future hacks. We will see. :)

No problems so far.

The latest version does not have the version number in the footer, but has copyright dates.

I wonder if it is against the TOS to modify these entries without removing the name and the link of course.

a1call

12:24 am on Oct 17, 2005 (gmt 0)


Hi,

To the mods:

Please use your discretion to delete this thread or edit some technical info in it.
This is to eliminate the chance of copycats.
My issue seems resolved.

Thanks