Author |
Message |
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Sun Feb 19, 2012 11:31 am Post subject: phpbb2 site attacked... posts unreadable |
|
|
Our site is under attacked. Someone inserted stars '**********' in each post after each word. Same for the topic titles.
The database is not affected. But when one opens a Category, all the titles contains the star string *********.
We ran querry on the database directly to view the post. And there are no ******** in it.
This is phpbb2 version 19.
Any suggestion to how to fix this attack and get all those ****** out of all posts?
thanks. |
|
Back to top |
|
|
Jim_UK Board Member
Joined: 19 Nov 2008
Posts: 656 Location: North West UK
|
Posted: Sun Feb 19, 2012 11:41 am Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
My guess is that someone has had a go at your word censor. You know how you can use wildcards so something like this
Replace * with ***********************
That would be to replace any letter or symbol with a string of stars.
Clearly not exactly like that bur similar. Take a look.
Jim |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Sun Feb 19, 2012 11:51 am Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
thanks.. just looked at the word censor list.. Don't see anything I didn't put in myself...
This is crazy.
Here is what a post looks like:
*****of***** *****the***** *****world*****'*****s***** *****oil***** *****exports***** *****pass***** *****would***** *****be***** #****
looks like ***** ***** is what is inserted.. it's everywhere.. in the posts.. and the topic title.
but not in the database. |
|
Back to top |
|
|
Jim_UK Board Member
Joined: 19 Nov 2008
Posts: 656 Location: North West UK
|
Posted: Sun Feb 19, 2012 11:56 am Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
Do you have a database backup made just before this happened? If so then restore it.
Also with any page open view the page source and see if there is any unusual looking code in there.
Jim |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Sun Feb 19, 2012 12:14 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
the host has a backup.. But I am not sure this will solve the issue, since I have no clue how the attacker is adding these stars.
I just changed the passwords... while investigating... |
|
Back to top |
|
|
Jim_UK Board Member
Joined: 19 Nov 2008
Posts: 656 Location: North West UK
|
Posted: Sun Feb 19, 2012 12:20 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
If the backup is restored and the problem goes away then it is something in the database that the attacker changed.
If the problem is still there then it is either in the files or has been done by making changes to your OS.
Did you check out the Source code for the page?
Jim |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Sun Feb 19, 2012 12:22 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
thanks Jim for giving me hope.. yes it's the viewtopic.php page.
I have looked and can't see anything new.. I'll keep parsing it. They got to be something, unless he is inserted the ******** from a different site.
He is intercepting the messages before they are posted. Because the database looks clean. |
|
Back to top |
|
|
Jim_UK Board Member
Joined: 19 Nov 2008
Posts: 656 Location: North West UK
|
Posted: Sun Feb 19, 2012 12:37 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
No.
If the problem is not in the database and the boards files have not been changed then the chances are that the hacker has screwed around with Apache.
If that was my site I would make a simple test.
I would create a new database and do a fresh install of phpBB 2.23. Takes but about 10 minutes. Then I would make a post and see if the problem was also with the new site. If so then it is in the OS and you would need to get your host involved.
I know that phpBB is now on version phpBB3 but you are 4 versions out of date with your install. Most changes to the core code are due to exploits that have been found. It was/is very important to keep board software up to date.
Jim |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Sun Feb 19, 2012 5:15 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
I installed a new phpbb2 to test.
I posted a message. And all looks fine. no nasty **** ****
So I think we can eliminate the OS. |
|
Back to top |
|
|
Jim_UK Board Member
Joined: 19 Nov 2008
Posts: 656 Location: North West UK
|
Posted: Sun Feb 19, 2012 5:22 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
Ok.
Now restore your database from the attacked site to the new one and see if the posts are corrupted.
If so the problem is in the database and you could ask the host to restore an earlier database to your site.
However if the hacker got in once they can do so again.
Update your site to version 2.0.23 or alternatively if you have no mods installed then do a fresh install (safest in the event that the hacker might have done something to a file(s)
Jim |
|
Back to top |
|
|
drathbun Board Member
Joined: 24 Jul 2008
Posts: 729 Location: Texas
|
Posted: Mon Feb 20, 2012 1:29 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
Have you posted a link to the board? _________________ phpBBDoctor Blog |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Tue Feb 21, 2012 1:51 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
hello,
no I have not.. trying not to attrack more attacks. They are bad guys out there looking for phpbb2 forums. |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Tue Feb 21, 2012 2:01 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
Jim_UK wrote: | Ok.
Now restore your database from the attacked site to the new one and see if the posts are corrupted.
Jim | Yes, that's the first thing I did. But because I am not using the subsilver template, I had to add my template (template/Athena). .
I should have modified the config of the old database to switched to the Subsilver template.
instead, I loaded my corrupted site's template to the new test forum. (template/Athena). That was dumb.
And yes, once I copied over the old template, and opened the topics, the junk was all over.
I think to make sure it's not the database, I have to look at the board from subSilver template, with the database from the attacked site.
I'll do that tonight when I get home.
for a quick fix now, I edited viewtopic and viewforum to str_replace() the junk characters by blank, after each call to preg_replace(). The forum looks fakely clean. But if I comment out the str_replace(), the junk is there.
thanks for your support guys.. this is nasty. I did a lot of reading... That's how I found out that preg_replace can be used to call a function that can do nasty stuff to a site. |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Tue Feb 21, 2012 4:47 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
I can't really use SubSilver because over the years, since I don't think I was ever going to use it, i have hard coded some template paths. /template/Athena/......., instead of using the board_template variable.
It's probably a good idea to correct all that one day, when I have time. |
|
Back to top |
|
|
Citrix Board Member
Joined: 19 Feb 2012
Posts: 42
|
Posted: Tue Feb 21, 2012 9:25 pm Post subject: Re: phpbb2 site attacked... posts unreadable |
|
|
Latest breaking news: lol
I removed my old Athena theme and replaced it with a brand new one I just downloaded.
So now the only thing old on the new test forum is the database I copied from the site currently under attack.
I opened the messages and all the junks are there.
but still, when I query directly the dbase to read the message, all of them are clean.
I'll welcome all suggestions, and will keep you up-to-date.
thanks |
|
Back to top |
|
|
|