I was Hacked

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: Solomon » Thu Aug 24, 2006 4:35 pm

odius wrote: what versions are u guys runnin, are u not updated like me or what, let's fix this lol

Revealing this can actually compromise a site's security, since exploits are often version specific.

PostAuthor: honie » Thu Aug 24, 2006 5:17 pm

No, I did all the updates and still got it

PostAuthor: suicico » Thu Aug 24, 2006 7:09 pm

yeah .. i wasn't updated .. indeed ..
but the main problem must have been in the chmod of functions_portal.php .. cause that's the one the 1st kiddie was attempting to hack .
in one of my files there was an irc channel, and i visited this channel and in the topic of the channel was the command used in the url, so here is your reason for so many integramod sites being exploited today . i would expect more to come.
in any case now i'm on 2.2.1 and with the 'right' chmod i believe the site is safe from this exploit .
In any case the good news is that they only mess with the php part and not the mysql

PostAuthor: Solomon » Thu Aug 24, 2006 7:28 pm

suicico wrote: yeah .. i wasn't updated .. indeed ..
but the main problem must have been in the chmod of functions_portal.php .. cause that's the one the 1st kiddie was attempting to hack .
in one of my files there was an irc channel, and i visited this channel and in the topic of the channel was the command used in the url, so here is your reason for so many integramod sites being exploited today . i would expect more to come.
in any case now i'm on 2.2.1 and with the 'right' chmod i believe the site is safe from this exploit .
In any case the good news is that they only mess with the php part and not the mysql

Silly Turks!

PostAuthor: suicico » Thu Aug 24, 2006 7:33 pm

i wouldn't judge the turks as silly .. BUT
when i tried to log in to my site yesterday and i saw something like
Im a turkish hacker
i fuck greece ..
i thought that yeah .. some turkish are braindead .

PostAuthor: ZacFields » Thu Aug 24, 2006 8:57 pm

Well I have not been hacked and thanks to your posts I am making a database backup as we speak, but if you guys are looking for terms on your site that you can remove to prevent being targeted by searches like this, here are a few that I can think of:

-powered by phpbb
-powered by integramod <--- You definitely should change the layout of this in your footer in some way to keep it off those searches. I actually have this one in my referrals right now...but I was not hacked today to my knowledge.
-powered by knowledge base (I keep getting this one...every month)


A good way to prevent hackers is to create your own alteration of the information given in the footer of your site.

I'm digging through my logs right now to see if I have anything to worry about. I also have an extra password setup on my admin panel too which could help (just a popup pass) but looks to me like the hacker didn't go into you guys' admin panels right?

Zac

PostAuthor: suicico » Thu Aug 24, 2006 9:39 pm

no they didn't . the most harm they did was to rewrite the config.php
nothing to do with mysql .
about Powered by knowledge base ..
yeah i have noticed it in my referrals as well but i think the security gets it .
And as for the footer . well i always want to keep the copyrights that's why i never mess with em .
But to alter em hmm
something like Powered by integra-mod <<< ?
would that keep me off the search results ?
and if yes .. is it ok with integra ?
anyhow it is a nice idea.

PostAuthor: jwernerny » Fri Aug 25, 2006 4:51 am

Solomon wrote: I just wiped out musa.php right before you posted. You're asking what hosting service, is this relevant for prevention? In other words, do some hosters block this backdoor script and others do not?


I did some research on musa.php when it first appeared on my site a couple of months ago. If you run the code (it is an interesting app to play with), one of the options it gives is to install a copy of itself into any writable directory you choose. One of the popular ways it is installed is to randomly target writable directories and try to put copies in there. This can only happen on a single machine (or a machine with NFS access to another machine). Once a single user on a shared machine is compromised, it is very easy for other users to be compromised.

The reason the host is important is it can help alert other people who might have the same host to watch out for it.

If you find it on your site, you should alert your hosting service so they can check for it in other places.

BTW, some hosting services also have online virus checking for their hosted files. The virus checking does pick this up. I try to run it once every couple of days as a precaution.

I also suggested that the next security_mod look for extra files in known writable directories, but the author of that mod was not sure if he could get it implemented.

- John
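
The check suggested above (looking for extra files in known writable directories) could look like this; it is an added example, not code from the thread or from any security mod. The sample tree is constructed, and `tpl_index.php` is a made-up name for a legitimate cache file.

```shell
#!/bin/sh
# Added example (not from the thread): list files that have appeared inside
# world-writable directories since a known-clean baseline was recorded.

# Print every world-writable directory under web root $1 (CHMOD 777 and similar).
world_writable_dirs() {
    find "$1" -type d -perm -0002 | LC_ALL=C sort
}

# Print, relative to $1, every regular file at any depth below those
# directories, so a hidden subdirectory such as files/.sec is covered too.
files_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f
    done | sed "s|^$1/||" | LC_ALL=C sort -u
}

# Print files that are present now but absent from baseline manifest $2
# (one relative path per line, as written by files_in_writable_dirs).
extra_files() {
    files_in_writable_dirs "$1" | LC_ALL=C comm -23 - "$2"
}

# Constructed sample tree; tpl_index.php is a made-up legitimate cache file.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/includes/cache_tpls" "$root/files" "$root/admin"
    chmod 777 "$root/includes/cache_tpls" "$root/files"
    chmod 755 "$root/admin"
    : > "$root/includes/cache_tpls/tpl_index.php"
    : > "$root/admin/index.php"
    echo "$root"
}

sample=$(build_sample)
files_in_writable_dirs "$sample" > "$sample.baseline"   # record clean state
# Simulate the kind of drops described in the thread.
: > "$sample/includes/cache_tpls/musa.php"
mkdir "$sample/files/.sec" && : > "$sample/files/.sec/mailer.php"
extra_files "$sample" "$sample.baseline"
```

The baseline has to be recorded while the site is known to be clean, and kept somewhere the web server account cannot write to.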

PostAuthor: odius » Fri Aug 25, 2006 10:39 am

anyone wanna holla the proper chmod settings??
also found this "includes/cache_tpls/musa.php" (158kb) with a few other files i'm looking through..

zh.php,
eLHacKeR1 12 k,
SendTo.php 8 k 0644
httpd 11 k is bullshit too

index.php 5 k 0644 and mailer.php are both the same file in that folder too. foot.php & head.php are part of the mailer too.

i think that's all in that folder.. deleted em all

what should the chmod for that folder be.. it was 777

Re: I was Hacked

PostAuthor: Solomon » Fri Aug 25, 2006 12:00 pm

2nd time hacked in less than 24hrs.
Little e-peen Team was here !
Fatal error: Call to undefined function: phpbbsecurity_blocks() in /home/xxxxxxx/public_html/forum/common.php on line 392


My phpbb_security.php file contents were deleted and replaced with "Little e-peen Team was here !". This file was set to CHMOD: 666

phpbb 1.0.3 and/or phpBB 2.0.21 have a hole in it?
CHMOD settings are all intact.
Never had a problem until I did the integraMOD 2.0.21 update.

Future prevention suggestions?

PostAuthor: suicico » Fri Aug 25, 2006 1:33 pm

after being hacked more than 5 times in something more than 24 hours, i have deleted some (many) files that looked suspicious. mine were at public_html/files/.sec/ (many files in here)
anyhow since my site isn't international i have banned a range of ips from turkey (since those were the ones that hacked me a lot) and banned all users that use proxies .
if you know how just pm me .
since the bans .. all good to me
ps . i don't think it has to do with 2.0.21 or with 1.0.3 since i had 1.0.2 and 2.0.19 when this started.
a little note is that they were looking for integra meaning that the hole is in integra and not in phpbb, also the file that they usually attack is functions_portal.php which is integra's file .

PostAuthor: Unregistered » Fri Aug 25, 2006 1:33 pm

hmm interesting conversation..
anyways, just thought of dropping some hints on how to prevent hacking attempts...

i've changed my admin/ dir to something else.. therefore i am the only one who knows how to get into the admin panel.. eg: http://www.domain.com/secret-dir
and created a dummy admin folder and put a directory password on it..

another thing is, i've deleted all database related files from my admin panel.. even if anyone executes a cmd to remove the db via the admin panel, it won't work..

and keep your security settings at the maximum level..

And i've tested version 141.. it has an additional security feature, which gives a hacker a harder and harder time when attacking..
J O N H | P L A Y E R


PostAuthor: Unregistered » Fri Aug 25, 2006 1:45 pm

one more thing.. the backup folder you guys are talking about... well, put a password on that folder as well..
J O N H | P L A Y E R


PostAuthor: suicico » Fri Aug 25, 2006 2:04 pm

also i don't know if this helps but doing a search on google about functions_portal.php i came to this
http://www.integramod.com/forum/viewtop ... e0e7bfb752
this sounds like a solution i think

PostAuthor: Solomon » Fri Aug 25, 2006 2:08 pm

Unregistered wrote: one more thing.. the backup folder you guys are talking about... well, put a password on that folder as well..

First hack they used the "backup", "modules", & "/includes/cache_tpls" folders (all CHMOD: 777) to upload their files, second time hacked they used the "files" folder (CHMOD: 777) to upload their files since I deleted the "backup" folder because I don't use the IntegraMOD backup utility.

suicico wrote: also i don't know if this helps but doing a search on google about functions_portal.php i came to this
http://www.integramod.com/forum/viewtop ... e0e7bfb752
this sounds like a solution i think

I was just looking at that file and wondering why that code was missing.

The IntegraMod_2020_to_2021.txt instructions say:
Code:
#-----[ OPEN ]---------------------------------------------
#
includes/functions_portal.php

#
#-----[ FIND ]---------------------------------------------
# Line 22
include_once($phpbb_root_path . 'includes/lite.'.$phpEx);

#
#-----[ BEFORE, ADD ]---------------------------------------------
#
if ( !defined('IN_PHPBB') )
{
     die('Hacking attempt');
     exit;
}


But the pre-modded file included in the update package does not have this code and is dated: Monday, August 08, 2005, 11:27:08 AM.
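
The gap described above (update instructions that add an `IN_PHPBB` guard, while a shipped file lacks it) can be audited across an install. This is an added example, not code from the thread or from IntegraMOD; it assumes include files live under `includes/`, and the sample files, including the name `functions_patched.php`, are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report PHP include files whose
# IN_PHPBB guard is missing or only appears after the first include/require.
unguarded_includes() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        # "." around IN_PHPBB stands for either quote character.
        awk -v file="$f" '
            /defined[ \t]*\([ \t]*.IN_PHPBB.[ \t]*\)/ { if (!guard) guard = NR }
            /^[ \t]*(include|require)(_once)?[^A-Za-z0-9_]/ { if (!inc) inc = NR }
            END {
                if (!guard)
                    print file ": no guard"
                else if (inc && inc < guard)
                    print file ": guard after include on line " inc
            }' "$f"
    done
}

# Constructed sample: one file without the guard, as the thread describes for
# the pre-modded functions_portal.php, and one with the BEFORE, ADD step applied.
build_includes() {
    d=$(mktemp -d)
    mkdir "$d/includes"
    cat > "$d/includes/functions_portal.php" <<'EOF'
<?php
include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
EOF
    cat > "$d/includes/functions_patched.php" <<'EOF'
<?php
if ( !defined('IN_PHPBB') )
{
     die('Hacking attempt');
     exit;
}
include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
EOF
    echo "$d"
}

unguarded_includes "$(build_includes)/includes"
```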
