phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group

Register •  Login 

Continue the legacy...

Welcome to all phpBB2 Refugees!Wave Smilie

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

phpbb2 site attacked... posts unreadable

Goto page 1, 2  Next
 
Search this topic... | Search General Support... | Search Box
Register or Login to Post    Index » General Support  Previous TopicPrint TopicNext Topic
Author Message
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Sun Feb 19, 2012 11:31 am 
Post subject: phpbb2 site attacked... posts unreadable

Our site is under attacked. Someone inserted stars '**********' in each post after each word. Same for the topic titles.
The database is not affected. But when one opens a Category, all the titles contains the star string *********.
We ran querry on the database directly to view the post. And there are no ******** in it.
This is phpbb2 version 19.
Any suggestion to how to fix this attack and get all those ****** out of all posts?
thanks.
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Sun Feb 19, 2012 11:41 am 
Post subject: Re: phpbb2 site attacked... posts unreadable

My guess is that someone has had a go at your word censor. You know how you can use wildcards so something like this

Replace * with ***********************
That would be to replace any letter or symbol with a string of stars.
Clearly not exactly like that bur similar. Take a look.

Jim
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Sun Feb 19, 2012 11:51 am 
Post subject: Re: phpbb2 site attacked... posts unreadable

thanks.. just looked at the word censor list.. Don't see anything I didn't put in myself...
This is crazy.
Here is what a post looks like:

*****of***** *****the***** *****world*****'*****s***** *****oil***** *****exports***** *****pass***** *****would***** *****be***** #****

looks like ***** ***** is what is inserted.. it's everywhere.. in the posts.. and the topic title.
but not in the database.
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Sun Feb 19, 2012 11:56 am 
Post subject: Re: phpbb2 site attacked... posts unreadable

Do you have a database backup made just before this happened? If so then restore it.

Also with any page open view the page source and see if there is any unusual looking code in there.

Jim
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Sun Feb 19, 2012 12:14 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

the host has a backup.. But I am not sure this will solve the issue, since I have no clue how the attacker is adding these stars.
I just changed the passwords... while investigating...
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Sun Feb 19, 2012 12:20 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

If the backup is restored and the problem goes away then it is something in the database that the attacker changed.
If the problem is still there then it is either in the files or has been done by making changes to your OS.

Did you check out the Source code for the page?

Jim
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Sun Feb 19, 2012 12:22 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

thanks Jim for giving me hope.. yes it's the viewtopic.php page.
I have looked and can't see anything new.. I'll keep parsing it. They got to be something, unless he is inserted the ******** from a different site.
He is intercepting the messages before they are posted. Because the database looks clean.
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Sun Feb 19, 2012 12:37 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

No.
If the problem is not in the database and the boards files have not been changed then the chances are that the hacker has screwed around with Apache.

If that was my site I would make a simple test.
I would create a new database and do a fresh install of phpBB 2.23. Takes but about 10 minutes. Then I would make a post and see if the problem was also with the new site. If so then it is in the OS and you would need to get your host involved.
I know that phpBB is now on version phpBB3 but you are 4 versions out of date with your install. Most changes to the core code are due to exploits that have been found. It was/is very important to keep board software up to date.

Jim
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Sun Feb 19, 2012 5:15 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

I installed a new phpbb2 to test.
I posted a message. And all looks fine. no nasty **** ****
So I think we can eliminate the OS.
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 656
Location: North West UK


flag
PostPosted: Sun Feb 19, 2012 5:22 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

Ok.
Now restore your database from the attacked site to the new one and see if the posts are corrupted.
If so the problem is in the database and you could ask the host to restore an earlier database to your site.
However if the hacker got in once they can do so again.
Update your site to version 2.0.23 or alternatively if you have no mods installed then do a fresh install (safest in the event that the hacker might have done something to a file(s)

Jim
Back to top
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 729
Location: Texas


flag
PostPosted: Mon Feb 20, 2012 1:29 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

Have you posted a link to the board?
_________________
phpBBDoctor Blog
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Tue Feb 21, 2012 1:51 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

hello,
no I have not.. trying not to attrack more attacks. They are bad guys out there looking for phpbb2 forums. icon_smile.gif
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Tue Feb 21, 2012 2:01 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

Jim_UK wrote:
Ok.
Now restore your database from the attacked site to the new one and see if the posts are corrupted.
Jim
Yes, that's the first thing I did. But because I am not using the subsilver template, I had to add my template (template/Athena). .
I should have modified the config of the old database to switched to the Subsilver template. icon_sad.gif
instead, I loaded my corrupted site's template to the new test forum. (template/Athena). That was dumb.

And yes, once I copied over the old template, and opened the topics, the junk was all over.

I think to make sure it's not the database, I have to look at the board from subSilver template, with the database from the attacked site.
I'll do that tonight when I get home.

for a quick fix now, I edited viewtopic and viewforum to str_replace() the junk characters by blank, after each call to preg_replace(). The forum looks fakely clean. But if I comment out the str_replace(), the junk is there.

thanks for your support guys.. this is nasty. I did a lot of reading... That's how I found out that preg_replace can be used to call a function that can do nasty stuff to a site.
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Tue Feb 21, 2012 4:47 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

I can't really use SubSilver because over the years, since I don't think I was ever going to use it, i have hard coded some template paths. icon_smile.gif /template/Athena/......., instead of using the board_template variable.
It's probably a good idea to correct all that one day, when I have time.
Back to top
Citrix
Board Member



Joined: 19 Feb 2012

Posts: 42



PostPosted: Tue Feb 21, 2012 9:25 pm 
Post subject: Re: phpbb2 site attacked... posts unreadable

Latest breaking news: lol
I removed my old Athena theme and replaced it with a brand new one I just downloaded.
So now the only thing old on the new test forum is the database I copied from the site currently under attack.

I opened the messages and all the junks are there.
but still, when I query directly the dbase to read the message, all of them are clean.
I'll welcome all suggestions, and will keep you up-to-date.
thanks
Back to top
Display posts from previous:   
Register or Login to Post    Index » General Support  Previous TopicPrint TopicNext Topic
Page 1 of 2 All times are GMT - 4 Hours
Goto page 1, 2  Next
 
Jump to:  

Index • About • FAQ • Rules • Privacy • Search •  Register •  Login 
Not affiliated with or endorsed by the phpBB Group
Powered by phpBB2 © phpBB Group
Generated in 0.0615 seconds using 16 queries. (SQL 0.0163 Parse 0.0011 Other 0.0441)
phpBB Customizations by the phpBBDoctor.com
Template Design by DeLFlo and MomentsOfLight.com Moments of Light Logo