
Next attack - this time - phishing

Posted: Mon Aug 08, 2011 11:13 pm
Author: Maddeen
Hi there,

After the first hack, I have now got a bigger problem.

Somebody implemented a phishing site of a US bank on my webspace. :-?

Is there maybe a possibility to check my webspace against all known security risks? Maybe a tool?
I've got no idea what's possible (necessary) to secure my webspace... 2 attacks within 2 months - not good.

Hopefully IM3 will be released soon ..

Re: Next attack - this time - phishing

Posted: Tue Aug 09, 2011 2:48 am
Author: Maddeen
Update:

I have seen this information on the ACP start page.

What do I have to do? There are no updates in the download section?

phpBB Security Status
The newest release is . The version you are using is 1.0.3. So I would have to say you need to upgrade ASAP!

Re: Next attack - this time - phishing

Posted: Thu Aug 11, 2011 4:10 pm
Author: Helter
There is no .php file in your pafiledbimages folder.
If you find one, delete it. Also check pafiledbimagesscreenshots for any php files and delete them if found.
There is no update for phpBB Security. It is showing that message because the domain hosting the info file for phpBB Security is gone. No worries though, it is still secure.
You should also check your cPanel DNS zone file for your site. It is far more common to hack the server's DNS software to perform a phishing attack.

Re: Next attack - this time - phishing

Posted: Thu Aug 11, 2011 9:52 pm
Author: Maddeen
Thx Helter,

but what do you mean by "Check Cpanel DNS"? I don't know where to find it, or if I have this.
I only have an "account" at the web host, configurable with Confixx.

Fact is, somebody had access to upload miscellaneous *.php files to my space, hidden in miscellaneous paths of the IntegraMOD installation. Some in the pafiledb path, some in the AMOD path (see info below).

I don't know what I can do to get rid of this shit in future. I don't think that they made a brute-force attack on my FTP login - the password is more than 12 characters long, with case-sensitive chars + numbers + special characters.

> Dear Website Administrator,
>
> We are contacting you to report that your website tmhosting.de has been compromised and fraudulent content targeting our client Chase Bank has been placed at:
>
> http://WEBSPACE/Amod/jewels/chase.html
>
> IP Address: 109.xxx.xxx.xxx
>
> A criminal has placed this fake login page for the purpose of credit card fraud and identity theft. Please remove all files related to this attack and take action to secure your website.

Re: Next attack - this time - phishing

Posted: Fri Aug 12, 2011 12:10 pm
Author: MWE_001
What you need to do is go in and set permission to the pafiledb/screenshots folder to 000 if you do not use screenshots. I personally would not.

There are a couple of other security measures floating around here that you can take as well, like .hta file and dropping an index.html file in all folders.

BUT I agree with Helter, phishing schemes normally are hacked server side and then files dropped into your folders. Hackers like files that are chmod to 777 because they can easily execute files from that folder.

Definitely look into setting the permission for that screenshots folder though. I got hit 4 times and it was that folder every single time. Also, look for any strange image file extensions. All of them that got dropped on me were like image.php.jpg
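
The checks suggested in this thread (PHP files in the upload folders, names like image.php.jpg, folders left at 777) can be run in one pass over a local copy of the webspace. The script below is an added example, not part of the original posts and not IntegraMOD or phpBB Security code; the function names, the extension lists, and the sample tree are assumptions constructed for illustration, and the permission check assumes a Unix file system.

```python
import os
import stat
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml"}


def audit_upload_dir(root):
    """Return sorted (finding, relative_path) tuples for everything under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        # Folders writable by every local user (e.g. chmod 777).
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", os.path.relpath(dirpath, root)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            exts = ["." + p for p in name.lower().split(".")[1:]]
            if exts and exts[-1] in PHP_EXTS:
                findings.append(("php-file", rel))
            elif PHP_EXTS.intersection(exts):
                # e.g. image.php.jpg: a PHP extension hidden before the last one
                findings.append(("double-extension", rel))
            elif exts and exts[-1] in IMAGE_EXTS:
                with open(full, "rb") as fh:
                    if b"<?php" in fh.read(65536):
                        findings.append(("php-in-image", rel))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree; folder names follow the thread, contents are dummies."""
    samples = {
        "pafiledb/images/logo.gif": b"GIF89a constructed",
        "pafiledb/images/x.php": b"<?php /* constructed */ ?>",
        "pafiledb/screenshots/image.php.jpg": b"\xff\xd8 constructed",
        "pafiledb/screenshots/shot.jpg": b"\xff\xd8 <?php /* constructed */ ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    for rel, mode in (("pafiledb", 0o755), ("pafiledb/images", 0o755),
                      ("pafiledb/screenshots", 0o777)):
        os.chmod(os.path.join(root, *rel.split("/")), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_upload_dir(tmp):
            print(*finding, sep="\t")
```

To audit a real site, download the upload folders over FTP and call `audit_upload_dir` on that local copy; permissions are only meaningful if the copy preserved them, so check the mode bits on the server for any folder it lists.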