somebody hacked my forum?

fa5_r

http://www.mostwantedtuners.com/forums

The following text was displayed on the page, followed by a Hitler video.

>this page is brought to you by:
forumpromotion.net!
>enjoy this well-prepared speech
>it's quite inspirational
>and by the time you do that
>15 other Forum Promotion-based sites will become compromised
>because there's over 10 sites
>already infected that feed me


???????
 
WTF????? WTF????? WTF?????

I'm scared :cry:

This is crazy. First Eternal framed, now this. I hope my site's not infected. 😱
 
Well, I replaced my original index file and found a few suspicious files on the site too. Still looking into this issue.
 
How long ago was this?

Please share with me the details, either here or in PM. I'm going to catch this *******.

I've been hacked 7 times.
 
That is not good. I would recommend cleaning out your computer's cookies and web browsers, running virus scans, changing your FTP and cPanel passwords to something complex, and making sure your forum software is up to date.
 
Have you been hacked the same way?

-- 04 Apr 2013, 03:01 --

Pvcomputers said:
That is not good. I would recommend cleaning out your computer's cookies and web browsers, running virus scans, changing your FTP and cPanel passwords to something complex, and making sure your forum software is up to date.

I did everything you said and have been running the scan for like 30 mins now. I think the critical part is to change your forum admin password, as that's where I suspect he changed the code. I'm new to PHPBB so I'm not sure what he can do in ACP, but to me it looks like he went in there.
 
He's cracking my cPanel. He's not going through passwords, he's breaking in. I've been hacked much worse than you have, by him. He's very good.
 
That's what I'm guessing. He was in ACP. I wonder how many of us are being hacked like that on this forum.
 
People have been hacking PHPBB for a long time, as far as I've read around the net. I would check attachments and your attachment policy. That is one of the ways of getting files physically onto a server through forum software like PHPBB.
 
I have not seen anybody attaching anything on the forum yet. It's new, so I administer every post. That's a good call. Edit: the forum is back on track now, as I believe.
 
Yeah, cause I got no way of knowing how he got even the right URL for the cPanel. But my site has barely any images.

If anyone has any info on who this guy is, like his forum, please let me know. My tech admin was about ready to rip apart Eternal's forum, until I told him the story.
 
Did he replace your index.php with his own along with his garbage?

Hey iPhoneFreak,
cPanel is common software. They try using cpanel.yourdomain.com or yourdomain.com:2082, as they are defaults.
 
I got the IP address of this guy. He may be on a proxy. Maybe some InfoSec expert can chime in and shed some light?

his ip 173.0.11.187

-- 04 Apr 2013, 03:20 --

Pvcomputers said:
Did he replace your index.php with his own along with his garbage?

Hey iPhoneFreak,
cPanel is common software. They try using cpanel.yourdomain.com or yourdomain.com:2082, as they are defaults.

Yes, that's the most obvious thing he did. But I'm worried that he also changed other stuff that's not yet visible and left some backdoor.
 
fa5_r said:
I got the IP address of this guy. He may be on a proxy. Maybe some InfoSec expert can chime in and shed some light?

his ip 173.0.11.187

I reported the IP. I've already had 3 shut down. I told them I want all of the information on this guy.
 
iPhonefreak said:
I reported the IP. I've already had 3 shut down. I told them I want all of the information on this guy.

How did you report an IP? Also report this: 173.0.2.250. This is the first IP he attempted to log in to ACP from.
 
As always, there are some things you can do to help remedy these attacks.

  • Run an antivirus and an anti-malware scanner on your computer.
  • Change your password to cPanel, FTP, forum/blog account, and any associated emails.
  • Search your filesystem for any out-of-place files (especially PHP files).
  • Contact your host and ask if any modules or system packages are out of date, and ask them to upgrade them if necessary.
  • Check the CHMOD permissions of your filesystem; there's no need to allow access to core files AT ALL. For example, in MyBB, you can put a 'deny from all' in the /inc/ directory with no side effects.
  • Check your templates and default files for malicious content. Most software has tools for this.
  • NEVER allow an unprotected admin directory.
  • Be wary when signing up to new websites; I wouldn't be surprised if that's how this user is harvesting passwords.

Sorry to hear that this is happening. I tried emailing ProXPN a few days back (the proxy this user is using), but I received no reply.
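
The file-system and permission checks from the list above, as an added example that is not part of the original post: a read-only Python audit of a web root that flags recently modified PHP files (such as a replaced index.php), PHP files sitting in upload directories, world-writable files, and a core directory with no deny rule. The directory names, the 7-day window and the sample tree built in `demo()` are assumptions for illustration.

```python
import os, stat, tempfile, time
from pathlib import Path

# Assumed names for illustration; adjust to your forum software's layout.
UPLOAD_DIRS = {"files", "uploads", "attachments", "avatars"}  # user-supplied content
CORE_DIRS = ("inc",)                 # never requested directly (e.g. MyBB's /inc/)
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}
DENY_RULES = ("deny from all", "require all denied")  # Apache 2.2 / 2.4 syntax

def audit_webroot(root, recent_days=7):
    """Return sorted (relative_path, reason) findings; read-only, changes nothing."""
    root, found = Path(root), []
    cutoff = time.time() - recent_days * 86400
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, etc.
            rel = path.relative_to(root)
            is_php = path.suffix.lower() in PHP_EXTS
            if st.st_mode & stat.S_IWOTH:
                found.append((rel.as_posix(), "world-writable"))
            if is_php and UPLOAD_DIRS & {p.lower() for p in rel.parts[:-1]}:
                found.append((rel.as_posix(), "php-in-upload-dir"))
            if is_php and st.st_mtime >= cutoff:
                found.append((rel.as_posix(), "recently-modified-php"))
    for core in CORE_DIRS:
        ht = root / core / ".htaccess"
        if (root / core).is_dir():
            rules = ht.read_text(errors="replace").lower() if ht.is_file() else ""
            if not any(r in rules for r in DENY_RULES):
                found.append((core, "no-deny-htaccess"))
    return sorted(found)

def demo():  # constructed sample tree, built in a temp dir
    with tempfile.TemporaryDirectory() as tmp:
        root, old = Path(tmp), time.time() - 90 * 86400
        for rel, mode, fresh in [("index.php", 0o644, True),       # just replaced
                                 ("viewtopic.php", 0o644, False),   # untouched
                                 ("inc/config.php", 0o666, False),  # too permissive
                                 ("files/avatar.php", 0o644, False)]:
            p = root / rel
            p.parent.mkdir(exist_ok=True)
            p.write_text("<?php // constructed sample\n")
            os.chmod(p, mode)
            if not fresh:
                os.utime(p, (old, old))
        return audit_webroot(root)
```

Modification times can be reset by whoever wrote the file, so a clean result here does not replace comparing the tree against a fresh copy of the forum software.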
 
I sometimes wonder why they do that.
Thanks to panda for adding on what I have already said.

Another tip: don't leave your FTP session open. FTP is insecure.
 
Pvcomputers said:
I sometimes wonder why they do that.
Thanks to panda for adding on what I have already said.

Sorry, I didn't read the whole thread. This is becoming commonplace, which is sad.
 