Forum Hacked...

Support for IntegraMOD 141

Moderator: Integra Moderator

PostAuthor: sanji » Thu Jan 29, 2009 2:35 pm

When I try to access my forum at http://www.secret-japan.com/forum I get redirected to http://www.secret-japan.com/forum/insta ... l/...(many times).../install/install.php

I checked my files on the server, to see that my config.php file has been changed to the following content :
Code:
HaCeD BY Mr.MeRo


I put a recent copy of my config.php file back to the root of my forum, and the site is back online.

I have several questions :

- Is my old config.php file compromised? My password is written in it, so I am a little bit worried about possible risks...
- How could someone change that file?
- Is there something else I should check?

Thanks for your help, this is the first time this has happened to me...

sanji
[img]http://www.secret-japan.com/forum/images/banners/fuji%20secret-japan%2088x31.gif[/img] [url=http]Secret Japan[/url] : discover Japan off the beaten tracks

sanji
Sr Integra Member
Posts: 291
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 9:18 pm
Cash on hand: 0.00

Re: Forum Hacked...

PostAuthor: MWE_001 » Thu Jan 29, 2009 6:06 pm

Sanji, did you do the fix for the phpBB security backup folder? And you should change all admin passwords on site immediately.

Please make sure your config.php is chmod to 644 not 666

As a safe measure, you could always login to your control panel from your host and change your database password and reflect it in your current config.php.

Do you happen to know how they got in? And sry I can't find the thread to the fix. For some reason I can no longer search anything here. I get "the word searched for is too common" or something like that.

Basically what the fix is, is to rename your backup folder to something out of the ordinary and then go to your phpBB security settings and reflect the folder name change in there. And there is something that should be added to the hta file as well. I'll go do some searching real fast and if I find what it is, I will come right back and post the hta contents.
"Don't gain the world and lose your soul, wisdom is better than silver and gold" -Bob Marley

If you build it, I can break it! ~ Whispered in the tone of the movie Field of Dreams.
MWE_001
Sr Integra Member
Posts: 1270
Likes: 1 post
Liked in: 1 post
Images: 12
Joined: Fri Apr 21, 2006 7:59 pm
Cash on hand: 35.00
Location: Illinois

Re: Forum Hacked...

PostAuthor: sanji » Fri Jan 30, 2009 12:50 am

No, I did not apply that fix. I am not using the backup protocol at all - backups are done directly by my host daily.

I found files that were not supposed to be there.

In pafiledb/images/screenshots I have the following files :

sym4.php
sql.php
sniper4.txt
rr57.php
MERO3.php
ishak2.php
is.php
index.htm
backdoor.pl
.htaccess

By accessing the sym4.php file (now deleted), the hacker could get a small script called
-=[Symlink Tools to bypass user]V.3 =-

On that page - I can forward the whole folder to an admin here on integramod if this is needed - there are a couple of tools, including a script that gives as a result:
[code]<br><b>Warning</b>]

I guess this is the vulnerability.

I have deleted the whole folder, but have a copy if needed...

sanji
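
Added example, not part of the original posts or of IntegraMOD: a shell check for the two conditions raised in this thread, a world-writable config.php and script files sitting in the pafiledb/images/screenshots upload folder. The function name `audit_forum`, the extension list and the output labels are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function name, extension list and
# output labels are assumptions made for this illustration.

# Upload folder named in the thread, relative to the forum root.
UPLOAD_DIR="pafiledb/images/screenshots"

audit_forum() {
    root=$1
    found=0

    # config.php holds the database password. Mode 666 lets any local
    # account on a shared host rewrite it; -perm -002 = world-writable.
    if [ -f "$root/config.php" ] &&
       [ -n "$(find "$root/config.php" -perm -002)" ]; then
        echo "WORLD-WRITABLE config.php (expected 644)"
        found=1
    fi

    if [ -d "$root/$UPLOAD_DIR" ]; then
        # A screenshot folder should hold images only. List server-side
        # scripts, plus any .htaccess so it can be compared with the
        # one the administrator placed there.
        list=$(cd "$root" && find "$UPLOAD_DIR" -type f \( -name '*.php' \
            -o -name '*.pl' -o -name '*.cgi' -o -name '*.phtml' \
            -o -name '.htaccess' \) | sort)
        if [ -n "$list" ]; then
            printf '%s\n' "$list" | sed 's/^/REVIEW /'
            found=1
        fi
        # The folder itself should be 755 and not world-writable.
        if [ -n "$(find "$root/$UPLOAD_DIR" -prune -perm -002)" ]; then
            echo "WORLD-WRITABLE $UPLOAD_DIR (expected 755)"
            found=1
        fi
    fi

    # Exit status is non-zero when anything was reported (useful in cron).
    [ "$found" -eq 0 ]
}

# Usage: sh audit.sh /path/to/forum
if [ "$#" -gt 0 ]; then audit_forum "$1"; fi
```

A clean result only covers these two checks; files found this way are evidence of an earlier write path that still has to be identified.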

Re: Forum Hacked...

PostAuthor: MWE_001 » Sat Jan 31, 2009 10:48 am

yeah this has been a problem in the past with this particular folder. I have been hit with it as well as many other websites that I know of. An easy way around this is, if you do not allow or use screenshots in the description for downloads on your site, simply chmod the folder back to 755.

I had another issue with a folder once and I chmod it to 000 and never again did I ever have any issues. But the choice is yours. I currently only have 1 IM 1.4.1 board installed and it is a test site so I do not have the hta info at my finger tips. I'll go do a quick search and come up with what it needs to have on it.

Re: Forum Hacked...

PostAuthor: MWE_001 » Sat Jan 31, 2009 10:53 am

Here is one thread that I found REAL handy for this very purpose we are discussing now.

I tried it and the results were great. No php script could be executed. I was able to upload a php file anyhow, but could not execute it as others have mentioned as well.

http://integramod.com/forum/viewtopic.php?f=53&t=4204

I hope this helps you some. As for the other stuff I was looking for, I have to dash out to get my dog to the Groomers so I have not the time to search. Look for the phpBB Security fix Helterskelter has posted about and you will find more valuable info there as well for a .hta file that will work in other files as well.

Re: Forum Hacked...

PostAuthor: .QUACK.Major.Pain » Sat Jan 31, 2009 11:43 am

I checked my folder and again same thing.
Files added to all my sites.

1 is me.php

open it and find

<h1>ViRuS_HiMa</h1>

.QUACK.Major.Pain
Sr Integra Member
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 11:15 am
Cash on hand: 0.00

Re: Forum Hacked...

PostAuthor: MWE_001 » Wed Feb 04, 2009 5:21 pm

If you add the info to your .hta file in that folder, a person can upload the doc for sure, BUT it will NOT let them execute it. Did you chmod the folder as suggested?

Re: Forum Hacked...

PostAuthor: .QUACK.Major.Pain » Wed Feb 04, 2009 5:54 pm

Yea - the folder was already chmoded and the folder was empty.
When I went back to check the folder, there were about 6-8 files in it.
I deleted them again.
Seems to still put stuff there.


Re: Forum Hacked...

PostAuthor: sanji » Thu Feb 05, 2009 10:49 am

I also changed the folder to 755. Seems to be OK so far, no new files added even before changing the authorization.

sanji

Re: Forum Hacked...

PostAuthor: MWE_001 » Thu Feb 12, 2009 4:10 pm

That's great. Hope it works out for you. I had a problem once with the blog mod. I actually had to chmod a folder to 000 and no more problems ever again.

Re: Forum Hacked...

PostAuthor: Helter » Thu Feb 12, 2009 5:34 pm

Use the cookie mod to set your cookies. If your cookies are incorrectly set, your forum is more vulnerable to certain types of cross site scripting attacks and a script kiddie can hijack your session and do anything that your account can do.
Always use Protection

Please do not PM for support
Helter
Administrator
Posts: 4172
Likes: 1 post
Liked in: 1 post
Images: 0
Joined: Sat Mar 11, 2006 4:46 pm
Cash on hand: 207.75
Location: Seattle Wa
IntegraMOD version: IM 3
