IntegraMOD

[.QUACK.Major.Pain]

I just had something happen on my forum when I went on.

The pink ADVICE banner popped up telling my that an aggressive user with a different ip was on my account.

Does this mean they got my password or bypassed it?

I traced the ip back to Ireland.
I immediately banned the ip and changed my passwords before anything else happens.

Anything else I should do?

[Helter]

have you updated your site to phpbb2.0.23 and changed the name of your backup folder or added obiku's backup mod?
http://www.integramod.com/forum/downloa ... l&df_id=47
also check your pafiledb/images/screenshots for an htaccess file containing this

Code: Select all

 # no reasion any code should be able to run in this folder!AddHandler cgi-script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgiOptions -ExecCGI  

[.QUACK.Major.Pain]

Pb version is correct
Changed the backups folder name
I checked the htaccess file and it has the following:

Actual file name is: 1221084582.htaccess

<IfModule>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Also an empty file there names: ishak.php

[Helter]

there should not be any .php file in there.
delete them both and use the code from my previous post.
You should also check all your settings because he may have edited them.
check acp/Extensions/Extension Group Management and be sure he did not add php or asp as file
type "images"

if your backup folder named was previously called "backup" you have to assume he has a copy of your db. You will have to remove admin and mod privs from all your admins and mods untill you can change their passwords. double check that their email addresses have not been altered and change your servers mysql and ftp passwords. If your previous forum password is the same as your email address password, change that also as well as any password reminders

[.QUACK.Major.Pain]

Thanks Helter.

Think we got it all covered.

[obiku]

And, I should also add the MOD Helter was refering to.

[.QUACK.Major.Pain]

I did the backup mod.
Haven't had a backup work since I created the site.

[Helter]

Major.Pain, what is your OS and php version? and do you know if your running php as an apache, or cgi module? Also, is your server running any special security software such as Suhosin, or mod_security?

[.QUACK.Major.Pain]

Don't know much about servers, but here's a pic of my cpanel info.
Should give you some info..



Not very big but you might be able to read it.
Let me know and I'll post the info.

BTW, you can't post IMG here.
I select the IMG and enter the url, and when I hit preview or submit, it converts it to [flash] and tells me I can't post some flash pics.
It's not a flash file but a .gif file.

[Helter]

thx. I don't see anything that should interfere with the backup, but that list doesn't show your php modules.
as for posting images, im still trying to work out a flexible fix for the bbcodebox bug. In the interim, you can use [img=left] instead of just [img]

[.QUACK.Major.Pain]

Is there an easy way to find the php modules or is this only something my host would know.

Not sure if it is just me, when I click on the link in my email notification that someone has replied to a post I am watching, I have to log in everytime.
Is this happening to anyone else?

[Helter]

it is not happening to me, but in the past when this has happened to me, it turned out to be my browser had cached old cookie info

[DjPorkchop]

If you still have that ishak.php, it needs to be removed immediately. What it is is a script that when you visit the page in question where it is located, it brings up an email script that allows a user to send emails via your server. I found that out the hard way. So if it is still in your files, get rid of it IMMEDIATELY for your own good.

[.QUACK.Major.Pain]

Thanks - I emptied the folder several days ago when Helter told me to look in there.