Hacked.

Support for IntegraMOD 141

Moderator: Integra Moderator


PostAuthor: Joshie » Tue Jul 17, 2007 12:10 am

Your phpBB Version: 2.0.
phpBB Type: IM 141.
MODs: Yes
Your knowledge: Basic Knowledge
Board URL: http://www.killyourboredom.com

PHP Version:
MySQL Version:


What was done before the problem appeared?
Nothing.


What was done to try to solve the problem?




Description and Message

Hey.

I got hacked again! Somehow, it seems like they can get into KYB, and my password for cPanel is LONG, so it can't be memorized. Hell, I can't even memorize my password for cPanel, but I saved it to my notepad. That's beside the point.

I got hacked TWICE. So, I am wondering how I can prevent someone from going through the ACP and doing something to get me hacked?

This time, it said xxx by don jazzzy. That made me pissed off; I am not in excellent shape. My aunt, the one I am very close to every day, passed away today. Someone hacked my site + My aunt passed away + My family is in such a mess because of my aunt = Not good.

PostAuthor: Joshie » Tue Jul 17, 2007 12:12 am

Forgot to say: "xxxxxx by don jazzzy" was in viewtopic.php, at the top of the subject link. I have solved it by restoring the data, though.

PostAuthor: ArangeL » Tue Jul 17, 2007 4:33 pm

I'm sure that you have a "PHP injection". Look through ALL FILES on your website for a PHP file that was never there before the hack. A PHP injection is the upload of a PHP file that can modify, delete, or do many other things, all utilities in one PHP file. The "hacker" uploads this file using a bug. The hacker can also edit a file to "add" the PHP injection into a normal PHP file on your website. With this injection someone can do anything with your server. View all the files on your server.

Re: Hacked.

PostAuthor: .QUACK.Major.Pain » Tue Jul 17, 2007 5:00 pm

Maybe the hacker had something in one of the mods you installed?
Piggy backed the actual mod?

Re: Hacked.

PostAuthor: CaNNon » Tue Jul 17, 2007 7:11 pm

Maybe the hacker had something in one of the mods you installed?
Piggy backed the actual mod?


That didn't happen.... major pain, they may have found a flaw in the source though. ArangeL may well be right so make sure uploads of php are disabled.

Go to admin and look at the CT log manager; you'll see what they were throwing at your forum. From the text I would guess a defacing attempt.

xxxxxx by don jazzzy was at in viewtopic.php, at the top of the subject link.
Finding it like that means he didn't get all the way, as his screen didn't load.

P.S. Don't block the referrer from here; we can't see to help.

Re: Hacked.

PostAuthor: .QUACK.Major.Pain » Tue Jul 17, 2007 8:15 pm

I'm not sure, but I think Joshie was removing the captcha security code.

Would that allow something to hit his site?

Re: Hacked.

PostAuthor: Helter » Tue Jul 17, 2007 11:41 pm

I think he disabled as much security as he could.

PostAuthor: WAM » Wed Jul 18, 2007 9:44 pm

My site worldandme.net was hacked too! Just under my nose...

WAM

Re: Hacked.

PostAuthor: Joshie » Wed Jul 18, 2007 9:53 pm

"HelterSkelter";p="27366" wrote:i think he disabled as much security as he could
No. Whenever it prompted as "ctracker" while I was trying to fix things, I always set it to low, fixed it, then went back and changed it from low to "medium". All of the files are "MEDIUM" and some of the files are "HIGH".

PostAuthor: WAM » Wed Jul 18, 2007 9:59 pm

There must be a wide open gate in the script.

Re: Hacked.

PostAuthor: Joshie » Wed Jul 18, 2007 10:41 pm

".=QUACK=.Major.Pain";p="27364" wrote:I'm not sure, but I think Joshie was removing the captcha security code.

Would that allow something to hit his site?
Yeah, I removed captcha... I don't even think that affects it... Well, hope not.

Re: Hacked.

PostAuthor: CaNNon » Fri Jul 20, 2007 8:31 am

Every little bit you can put up to block will help. If it stops 1 script from running, it was worth it.

PostAuthor: viragotech » Fri Aug 31, 2007 12:29 am

Just caught someone tonight; they came in via links.php from what I can see. I just happened to catch the dude logged in as the main admin, which I don't use.

Didn't get nothin' done that I know of, and I blocked his whole 3rd world IP range block.

I changed the password for said main admin and disabled that account.

That used to be an old trick: you make a new user with admin power and use it, then disable the main admin account, which hackers target.

IP Address: 85.99.161.93
Location: ANKARA (39.928N, 32.856E)
IP Range: 85.0.0.0 - 85.255.255.255

He found me using this Google search:

http://www.google.com.tr/search?q=+alli ... t=140&sa=N

I checked out http://www.google.com.tr to make sure it used a different IP, and also blocked it from my whole hosting account.

Re: Hacked.

PostAuthor: CaNNon » Fri Aug 31, 2007 6:32 am

Looks like google has blocked that search link now so that will help.

What was listed as the USER AGENT?

Re: Hacked.

PostAuthor: binh.tang » Mon Jan 12, 2009 1:01 am

My site has been hacked a few times now.

I don't know how they got in and I thought I was clever enough to apply as many of the updates and suggestions to try to stop hacking.

They've managed to MODIFY the main files and template files so that when a user goes to that page, they will start to download a .pdf file.

I've found this code embedded into a lot of my files




I don't know what to do because I would reupload the good backed up ones and in a few weeks/months, it would get hacked again. So could it be that they have planted some sort of php file in my dedicated server that is doing this all the time?

I'm going to update to phpBB 2.0.22 for my IntegraMOD (is there a newer version?) to see if that helps, but if they've already planted the PHP file, how can I find out which one it is? I am on a dedicated server so hopefully will have more tools.

Thanks,
Binh

Re: Hacked.

PostAuthor: Helter » Mon Jan 12, 2009 9:01 am

If you did not change the name of your backup folder, it is likely they got a copy of your database and have all your passwords. You'll need to change all your passwords and remove admin permissions from everyone on your board until they change their passwords. Change your server-side FTP and MySQL passwords. Uninstall all themes except for Integra2. Rename your current forum and upload a new clean one. Copy over your config.php, includes/def_qbar.php and includes/phpbbsecurity.php.
Open all of those files and make sure they are clean.
If all is well, copy over your attachments, dl's and album images, restore your forums and reinstall your theme. Be sure you rename your backup folder and set the path to it in acp/security/special.
Also be sure to set the amount of admins to 1 until any other admins have changed their login info.

Re: Hacked.

PostAuthor: binh.tang » Mon Jan 12, 2009 12:56 pm

Thanks HelterSkelter, for your reply.

Does it help that I have no backup files in the "Backup" folder anyway? I disabled it because it wasn't working, as my database is a bit big. I've got it backed up by a cron job on the server itself instead.

I've changed the FTP username and database password already but they have still been able to get in about 3-4 times more after that. I haven't changed my admin password on the forum though so will give that a go as well.

Is there an upgrade mod to phpBB 2.0.23 for IntegraMOD? I can't seem to run it. I tried the 2.0.22 upgrade but the Private Messages don't work.

The fresh install sounds good, but I've made a lot of changes to files, like the SEO URL and session removal in URL etc., so I can't remember which files have been changed and which files haven't.

Are there any other suggestions to try and STOP them from getting in to do this?
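
One way to answer "which file was planted or changed" when a clean copy of the same release is available, following ArangeL's advice to look for PHP files that were not there before the hack. This is an added example, not IntegraMOD code and not from any poster; `compare_trees`, its labels and the demo trees are constructed for illustration.

```shell
# Added example, not IntegraMOD code. Usage: compare_trees CLEAN LIVE
# CLEAN: freshly unpacked copy of the same release; LIVE: the running forum.
compare_trees() {
    clean=$1; live=$2
    (cd "$live" && find . -type f) | sort | while IFS= read -r rel; do
        path=${rel#./}
        if [ ! -f "$clean/$path" ]; then
            # A file the release never shipped: uploads are expected, scripts are not.
            case $path in
                *.php|*.php.*|*.phtml) echo "ADDED-SCRIPT $path" ;;
                *) echo "ADDED $path" ;;
            esac
        elif ! cmp -s "$clean/$path" "$live/$path"; then
            # Count differing lines so a small appended snippet stands out.
            n=$(diff "$clean/$path" "$live/$path" | grep -c '^[<>]' || true)
            echo "MODIFIED $path ($n lines)"
        fi
    done
    # Files the release ships that are gone from the live tree.
    (cd "$clean" && find . -type f) | sort | while IFS= read -r rel; do
        path=${rel#./}
        [ -f "$live/$path" ] || echo "MISSING $path"
    done
}

# Constructed demo trees (hypothetical files, not data from the thread).
c=$(mktemp -d); l=$(mktemp -d)
mkdir "$c/includes" "$l/includes" "$l/images"
echo '<?php // board index' > "$c/index.php"
cp "$c/index.php" "$l/index.php"
echo '<?php // functions' > "$c/includes/functions.php"
printf '<?php // functions\n// constructed extra line\n' > "$l/includes/functions.php"
echo '<?php // constructed' > "$l/images/cache.php"
compare_trees "$c" "$l"
rm -rf "$c" "$l"
```

MODIFIED entries will include legitimate customisations such as the SEO URL changes mentioned above, so each one still needs a manual diff against the clean file.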

Re: Hacked.

PostAuthor: Helter » Mon Jan 12, 2009 7:24 pm

Check for any PHP files inside pafiledb/images/screenshots.
Other than any uploaded screenshot images, there should only be an index.html and an htaccess file. The code in the htaccess file should be this:
Code:
# no reason any code should be able to run in this folder!
AddHandler cgi-script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
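
The check Helter describes, written as a script an admin could run on the server. This is an added example, not code from IntegraMOD or from the posts above; the function name and the finding labels are made up for illustration, and the demo directory is constructed.

```shell
# Added example, not IntegraMOD code. Prints one finding per line and
# nothing at all when the upload directory looks the way the post describes.
audit_upload_dir() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        name=$(printf '%s' "${f##*/}" | tr 'A-Z' 'a-z')
        case $name in
            index.html|.htaccess) ;;
            # Script extensions anywhere in the name (shot.php.jpg included).
            *.php*|*.phtml*|*.pl|*.py|*.cgi|*.sh|*.asp|*.jsp|*.shtml)
                echo "SCRIPT $f" ;;
            *.jpg|*.jpeg|*.png|*.gif)
                # An image extension proves nothing about the content.
                if grep -qF '<?php' "$f"; then echo "PHP-IN-IMAGE $f"; fi ;;
            *) echo "UNEXPECTED $f" ;;
        esac
    done
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "MISSING $ht"
    else
        # Both directives from the post must be present (Apache ignores case).
        grep -Eqi '^[[:space:]]*Options[[:space:]].*-ExecCGI' "$ht" ||
            echo "NO-OPTIONS $ht"
        grep -Eqi '^[[:space:]]*AddHandler[[:space:]]+cgi-script[[:space:]].*\.php' "$ht" ||
            echo "NO-ADDHANDLER $ht"
    fi
}

# Constructed demo directory (hypothetical files, not from the thread).
demo=$(mktemp -d)
printf 'GIF89a' > "$demo/shot1.gif"
printf 'GIF89a<?php /* constructed */ ?>' > "$demo/shot2.gif"
: > "$demo/index.html"
: > "$demo/tool.php"
printf 'Options -ExecCGI\n' > "$demo/.htaccess"
audit_upload_dir "$demo"
rm -rf "$demo"
```

The script confirms the directives are present, not that Apache honours them: that depends on AllowOverride permitting Options and FileInfo for that directory.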

Re: Hacked.

PostAuthor: binh.tang » Wed Jan 21, 2009 1:01 am

Hi HelterSkelter,

Yes, I already have this file with the same contents in it.

Well, site has been HACKED ONCE AGAIN. :(

I've done all the password changes, changed the name of the backup folder as well.

Re: Hacked.

PostAuthor: Helter » Wed Jan 21, 2009 1:38 am

Does any other user besides yourself have admin privileges?

Re: Hacked.

PostAuthor: binh.tang » Thu Feb 05, 2009 1:07 pm

Hi HelterSkelter,

No one other than me has admin rights on that server. I'm the only admin for my site and no one has FTP access either.

Does anyone know where I can download the manual patch update for phpBB for IntegraMOD 1.40?

Re: Hacked.

PostAuthor: Helter » Thu Feb 05, 2009 1:13 pm

