somebody hacked my forum?

That looks fine to me. And the code that you saw on your index was a basic uploader. Usually when you see something like that, it's because they use an exploit to inject malicious code into your templates, which they then use to upload a shell. Shells give them access to everything; database, your filesystem, etc.
 
I never saw code on my actual index, it was in the acp area.

And they did inject a shell into my site.

I do have more suspicious code, but it's really long. I'll just have my tech admin look at it.

Now that he appears to be done, it's time to get my members posting again!
 
One thing we could try:

Study all the hacked forums, then apply the exact same methods to a demo board, and study what happens.
 
They just crack the password. The only way to keep them out is to have strong passwords.
 
We need to find who is behind this before another forum is hacked. This seems to be someone who doesn't like Forum Promotion.
 
I do have some files like register.php and style_cacher.php that have got some weird code in there.
 
Dennis said:
We need to find who is behind this before another forum is hacked. This seems to be someone who doesn't like Forum Promotion.

I believe so. A similar thing happened a year or so before. Those people don't have a life and mess with others.

@iPhonefreak:
Doesn't phpBB have an option of x numbers of login attempts?

@fa5_r:
Send me the code and I will help you find what it does.
 
There's something about the text on the page with the Hitler video. The writing style sounds familiar.
 
Just got a response from the phpBB incident response team. Exactly what I thought in these suspicious files.

The style_cacher.php file is a root shell that allows an attacker to run various commands on the server. As long as the file exists, the attacker can continue to write files to the server and change your password in the database.

register.php allows the attacker to run custom PHP code on the server.

Your modestus and metro styles' overall_header.html files have malicious code added at the top that allows an attacker to upload arbitrary files to your server. (The <!-- PHP --><!-- ENDPHP --> block)

Those rogue .php files need to be deleted and the code in the two styles files needs to be removed.

Most likely, your initial password was guessed and then the attacker proceeded to use the ACP's style editor to add in malicious code.

If you provide the entire set of forum files and the access logs, I can look through them to make sure there isn't anything else.
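Added example, not part of the original posts or of the phpBB team's reply: one way to check a forum tree for the two things that reply describes, `<!-- PHP -->` blocks in style templates and .php files that a clean install does not contain. The baseline of SHA-256 hashes from a clean copy of the same release, the function names, and the constructed sample tree (with `index.php` and `common.php` as stand-in stock files) are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Inline-PHP template block named in the incident response reply above.
PHP_BLOCK = re.compile(r"<!--\s*PHP\s*-->.*?<!--\s*ENDPHP\s*-->", re.S | re.I)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_forum(root, baseline):
    """Compare a forum tree with a clean baseline {relative path: sha256}.

    Returns (template_hits, unexpected_php, modified_php).
    """
    root = Path(root)
    hits, unexpected, modified = [], [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in (".html", ".htm"):
            text = path.read_text(errors="replace")
            for m in PHP_BLOCK.finditer(text):
                # Record the template and the line where the block starts.
                hits.append((rel, text.count("\n", 0, m.start()) + 1))
        elif suffix == ".php":
            if rel not in baseline:
                unexpected.append(rel)   # file the clean copy never shipped
            elif digest(path.read_bytes()) != baseline[rel]:
                modified.append(rel)     # shipped file whose contents changed
    return hits, unexpected, modified

def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    clean = {"index.php": b"<?php // constructed stock file\n",
             "common.php": b"<?php // constructed stock file 2\n"}
    baseline = {rel: digest(data) for rel, data in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tpl = root / "styles/modestus/template/overall_header.html"
        tpl.parent.mkdir(parents=True)
        tpl.write_text("<!-- PHP -->/* placeholder */<!-- ENDPHP -->\n<html>\n")
        (root / "index.php").write_bytes(clean["index.php"])
        (root / "common.php").write_bytes(b"<?php // constructed, altered\n")
        (root / "style_cacher.php").write_bytes(b"<?php // placeholder\n")
        (root / "register.php").write_bytes(b"<?php // placeholder\n")
        return scan_forum(root, baseline)
```

Files from installed MODs or extra styles show up as unexpected until their clean copies are added to the baseline.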
 
kavin said:
Dennis said:
We need to find who is behind this before another forum is hacked. This seems to be someone who doesn't like Forum Promotion.

I believe so. A similar thing happened a year or so before. Those people don't have a life and mess with others.

@iPhonefreak:
Doesn't phpBB have an option of x numbers of login attempts?

@fa5_r:
Send me the code and I will help you find what it does.

Kinda. It has a CAPTCHA pop up, but you don't even need that if you get the right password.
 
$user = "herpus";

$pass = "derpus";

This is in the style_cacher.php. Anybody recognize that name?
 
fa5_r said:
$user = "herpus";

$pass = "derpus";

This is in the style_cacher.php. Anybody recognize that name?
That's just a play on words, like 'herp derp'. It's an Internet thing.
 
When he injected the I-47 shell on our index you could log in and the username was derp and the pass was derp.
 
Maybe that's what they want you to think, and maybe the text on the 'Hitler page' is some riddle. This hacker seems a right wacko.
 
I'd like to strangle him, TBH.

On my site, he had a Hitler video and a Homer Simpson video, 2 different hacks of course.
 
iPhonefreak,
Did you say you reported his IP to proXPN? Is there a way to trace back to his original IP? I don't think proXPN's terms of use permit malicious activity.
 
Is it just phpBB forums that seem to be getting hacked?
 
I have seen MyBB forums also. I am 99.9% sure we know who is behind it. It was a member here who was banned for this kind of behaviour. It is also the same user who set up a fake login page of this site to try and steal users' logins a few weeks back. I am pretty sure all these attacks are linked to him gaining access to a site, recording users' login details and trying them on other sites. Once he gets in, he can then upload what he wants.
 