cif Board Member
Joined: 13 Jul 2010
Posts: 2
Posted: Tue Jul 13, 2010 12:15 pm Post subject: 2.0.23 forum hacked, now what?
Hi,
My forum was hacked and it seems that no harm was done to it.
Now my problem is to understand how and why it was hacked and what to do to "close it down".
Of course I will upgrade right now to phpbb 3, but I would like to understand what went wrong.
Does someone know any popular 2.0.23 exploit or something like that? (my password is quite strong and not used anywhere else)
Jim_UK Board Member
Joined: 19 Nov 2008
Posts: 656 Location: North West UK
Posted: Tue Jul 13, 2010 2:32 pm Post subject: Re: 2.0.23 forum hacked, now what?
As far as I am aware there are no exploits of 2.0.23 but it may be that you have an out of date mod that is allowing access.
You have not said what form the hack took - doing so may well have given an insight into how they did it.
I take it you do not allow html in posts!!!
How strange for a hack to do no harm. Please describe the result of the hack.
Remember that a server can be hacked giving access to all sites on that server. I had one such hack that placed a redirect to a phishing site onto all sites on the server. That hack was via an outdated cpanel and not phpBB2.
More info please.
Also be sure to check your install for any files or folders that have been recently uploaded. Do not just assume that the hack has gone.
Jim
dogs and things Board Member
Joined: 18 Nov 2008
Posts: 628 Location: Spain
Posted: Tue Jul 13, 2010 6:27 pm Post subject: Re: 2.0.23 forum hacked, now what?
As Jim says,
Please give more details about what happened.
_________________
phpBB2 will never die, I hope!
cif Board Member
Joined: 13 Jul 2010
Posts: 2
Posted: Wed Jul 14, 2010 10:43 am Post subject: Re: 2.0.23 forum hacked, now what?
I don't know many more details.
I know someone took over my admin account and from my investigations there are some php web shells installed in my images/avatar folder.
I allow users to upload avatars. Was there any exploit for phpbb that allowed the user to upload a php file instead of an image file or something like that?
Salvatos Board Member
Joined: 19 Feb 2009
Posts: 449 Location: Québec
Posted: Wed Jul 14, 2010 2:58 pm Post subject: Re: 2.0.23 forum hacked, now what?
I had a friend of a friend check for possible hacks on my board last year and he said he could upload a PHP file instead of an avatar by tricking the software into thinking it was an image file. He told me that if he uploaded the file from his computer instead of entering a URL, he got this elseif for verification (line 92 of includes/usercp_avatar.php):
Code:
else if ( ( file_exists(@phpbb_realpath($avatar_filename)) ) && preg_match('/\.(jpg|jpeg|gif|png)$/i', $avatar_realname) )
Which doesn't check the Content-Type of the file. If I remember correctly, copying these lines from includes/usercp_avatar.php somewhere into the elseif on line 192 and beyond was all it took to fix. For some reason I didn't actually do it, maybe because I was keeping it for later because of my wrists. From line 155:
Code:
if (!preg_match('#Content-Length\: ([0-9]+)[^ /][\s]+#i', $avatar_data, $file_data1) || !preg_match('#Content-Type\: image/[x\-]*([a-z]+)[\s]+#i', $avatar_data, $file_data2))
{
    $error = true;
    $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['File_no_data'] : $lang['File_no_data'];
    return;
}
If it's in the avatar folder, I guess that's how they may have done it.
lumpy burgertushie Board Member
Joined: 18 Nov 2008
Posts: 266
Posted: Thu Jul 15, 2010 12:07 am Post subject: Re: 2.0.23 forum hacked, now what?
That seems way too easy not to have been used before, and therefore it would have been known about by now.
I doubt that it is a valid vulnerability.
To the original poster:
please provide a link to your board and maybe post the contents of one of those files here in a code box for us to look at.
robert
Slackervaara Board Member
Joined: 01 Jan 2009
Posts: 70
Posted: Thu Jul 15, 2010 12:22 am Post subject: Re: 2.0.23 forum hacked, now what?
If you know what time you were hacked you could look in the access logs for your site, which can reveal how the site was hacked. However, sometimes hackers use keyloggers on your own PC, and then they can get the login details for FTP to the site and compromise the site with malware.
Acaria Board Member
Joined: 20 Feb 2009
Posts: 238
Posted: Thu Jul 15, 2010 7:30 am Post subject: Re: 2.0.23 forum hacked, now what?
I just tested that vulnerability you posted Salvatos and it doesn't work on my vanilla installation. I made a simple echo statement and changed the file extension to .png, but it still checked the filetype. I don't know how it worked for your friend, but it assuredly didn't work for me.
Salvatos Board Member
Joined: 19 Feb 2009
Posts: 449 Location: Québec
Posted: Thu Jul 15, 2010 12:33 pm Post subject: Re: 2.0.23 forum hacked, now what?
Then I guess he was wrong. Or maybe you can do it if you also change the first bits of the file.
lumpy burgertushie Board Member
Joined: 18 Nov 2008
Posts: 266
Posted: Mon Jul 19, 2010 3:32 am Post subject: Re: 2.0.23 forum hacked, now what?
I am pretty sure he was simply wrong about it.
There have always been people who say that phpBB has vulnerabilities that prove to be incorrect.
phpBB3 has not been hacked yet and I don't think phpBB 2.0.24 has either.
robert
dogs and things Board Member
Joined: 18 Nov 2008
Posts: 628 Location: Spain
Posted: Mon Jul 19, 2010 6:52 am Post subject: Re: 2.0.23 forum hacked, now what?
I agree,
If this was due to a vulnerability this would have been done a long time ago, repeatedly, on many other boards, and it would have been fixed.
_________________
phpBB2 will never die, I hope!
Sylver Cheetah 53 Board Member
Joined: 17 Dec 2008
Posts: 426 Location: Milky Way
Posted: Tue Jul 20, 2010 9:40 pm Post subject: Re: 2.0.23 forum hacked, now what?
I know that there are bins programs that can put another file into a jpg one.
_________________
My Forum || My Blog
phpBB2 forever!
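Jim's advice earlier in the thread was to check the install for recently uploaded files and not assume the attacker is gone, and the post above points out that another file can be hidden inside a jpg. The block below is an added example (not code from phpBB or from anyone in this thread) that does that triage over an avatar directory: it flags anything with a script extension, any image whose header does not match its extension, any file carrying a PHP open tag regardless of header (the hidden-in-an-image case), and anything modified after a cutoff. The directory and its files are constructed in a temporary folder so the example runs offline; the file names, the 7-day cutoff and the extension lists are assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Added example (not phpBB code): triage an upload directory for planted
# scripts and image/PHP polyglots. Sample files are constructed below.

# Extensions mod_php commonly executes; none belong in an avatar directory.
SCRIPT_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phps", ".phar"}

# Header bytes an image with this extension must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# "<?php", the short echo tag "<?=", and the old "<script language=php>" form.
PHP_TAG = re.compile(
    rb"<\?(php\b|=)|<script[^>]+language\s*=\s*['\"]?php", re.IGNORECASE
)


def scan(root, modified_after=None):
    """Return a list of (relative path, reason) findings for files under root."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        ext = p.suffix.lower()
        data = p.read_bytes()
        if ext in SCRIPT_EXT:
            findings.append((rel, "script extension in upload directory"))
        if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
            findings.append((rel, "header does not match extension"))
        if PHP_TAG.search(data):
            findings.append((rel, "PHP open tag in file body"))
        if modified_after is not None and p.stat().st_mtime > modified_after:
            findings.append((rel, "modified after cutoff"))
    return findings


def build_sample_dir():
    """Constructed avatar directory: one dropped shell, one polyglot, one
    raw PHP file under an image name, and two genuine images."""
    root = tempfile.mkdtemp(prefix="avatars_")
    files = {
        "42.gif": b"GIF89a" + b"\x00" * 32,                 # legitimate
        "8.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,       # legitimate
        "1278999675.php": b"<?php eval($_POST['x']); ?>",  # dropped shell
        "7.gif": b"GIF89a<?php system($_GET['c']); ?>",    # real GIF header, PHP body
        "9.jpg": b"<?php system($_GET['c']); ?>",          # raw PHP, image name
    }
    old = time.time() - 30 * 86400
    for name, body in files.items():
        path = Path(root, name)
        path.write_bytes(body)
        os.utime(path, (old, old))        # everything looks a month old...
    fresh = Path(root, "1278999675.php")
    now = time.time()
    os.utime(fresh, (now, now))           # ...except the shell, written today
    return root


def triage(root=None, cutoff_days=7):
    """Scan root (or the constructed sample) with a recency cutoff."""
    root = root or build_sample_dir()
    return scan(root, modified_after=time.time() - cutoff_days * 86400)


if __name__ == "__main__":
    for rel, reason in triage():
        print(f"{rel:18s} {reason}")
```

Point `triage("/path/to/images/avatars")` at the real directory; mtimes can be reset by an attacker, so the extension and body checks are the ones to trust, and the same scan is worth running over the whole web root, since a shell in the avatar folder is often not the only one.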