Teams Webpages and Security
Fordman
7th December 2005, 07:32
hi Guys,
Just a quick note, for all you who have Team websites. Please make sure your security is up to date, i.e. no flaws or holes or anything like this. The T7R website has been tampered with, as you can see, so this is just to inform you all, check your software.
Regards
Fordie
P1lot
7th December 2005, 07:48
These meddlers are scum of the earth!
Fordman
7th December 2005, 08:05
Thanks to Lippy, we are back up and running now. The index.php file had been changed, as well as a strange modification date to another file. Again, just a heads up to check your software for updates.
Vykos69
7th December 2005, 08:35
These meddlers are scum of the earth!
Hmm, what's up with your teampage then, Link doesn't work in your sig there...:shrug:
inCogNito
7th December 2005, 08:45
:ices_rofl
Fordman
7th December 2005, 09:25
Hmm, what's up with your teampage then, Link doesn't work in your sig there...:shrug:
It does :scratchch
noemfie
7th December 2005, 09:30
It does :scratchch
I think he was referring to P1lot's sig :)
Fordman
7th December 2005, 09:56
I think he was referring to P1lot's sig :)
:doh:
P1lot
7th December 2005, 15:52
Ah, but ours is planned maintenance... Honest :)
Vendetta
7th December 2005, 16:11
Well, at least things are fixed and all fine now :)
Bismarck
7th December 2005, 18:31
Wanna see a hacked teampage, have a look at ours now. :bigeyes2::thumbsdow:mad::bigeye::evil::bananadea
At least the freak spent us a nice picture.
Some people have too much time.
ayrton senna 87
7th December 2005, 18:33
the T7R site says 'hacked by shadow' to me, unlucky lads
Tweaker
7th December 2005, 18:34
Well, at least things are fixed and all fine now :)
I still see a hacked page. Bummer.
three_jump
7th December 2005, 18:39
it's hacked again.....
Anarchi-H
7th December 2005, 18:49
Heh, mister shadow has lame html skills; in fact, isn't 'MSHTML' MSWord or Frontpage? Haha, 1337 h4xx0r!!!1!oneone
It was fixed earlier, cos I visited it, but it appears you are still vulnerable Fordy.
<HTML><HEAD><TITLE>( PAGE NOT FOUND) ERROR 404</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD>
<BODY bgColor=#000000>
<CENTER>
<P align="center"><IMG height=542 src="http://img225.imageshack.us/img225/9677/shadow2hg.jpg" width=800>
</P>
<P align="center"> </P>
<P align="center"><font face="fantasy"><STRONG><FONT color=#666666 size=+4>Hacked By Shadow</FONT></STRONG></font></P>
<P align="center"><font color="#666666" face="fantasy"><STRONG><FONT size=+3>Thanx - Thehacker</FONT></STRONG></font></P>
<div align="center"><br />
</div>
Presuming mister 1337 h4xx0r reads this; I mean, really dude, for a start you could at least use xhtml, and at the absolute minimum close your bloody tags... Where the hell is your closing HTML tag?
Not to mention STRONG and FONT are so 1997. Get with the times mate, go look up some CSS, and do some research on semantically correct markup.
Sheesh.
I recommend changing all FTP / file management & admin script passwords. Whoever did this is a script kiddie with as much technical ability as my rather tasty spicy chicken wing. If it is a hole in phpnuke, upgrade it after changing the password and see if the little prat does it again.
Bob Smith
7th December 2005, 20:36
Hahaha, and the proper term is "cracked" anyway, not "hacked". Foo.
Fordman
7th December 2005, 21:19
Cheers Anarchi-H
Fordman
7th December 2005, 21:28
Anarchi-H,
What do you make of this?
Rumiko
7th December 2005, 21:38
sir, you need to update to latest phpbb
http://nukecops.com/postt44102.html
Fordman
7th December 2005, 21:49
sir, you need to update to latest phpbb
http://nukecops.com/postt44102.html
Cheers, Lippy is working like a mad man trying to fix it. :thumb:
lippy
7th December 2005, 21:50
Thanks for the pointers guys. This is just what you need on a Wednesday!
Would have found the first exploit earlier, but the provider had just rolled the raw access log into the site stats system.
As we have all the data, I'm reading lots to make sure I don't break anything more important to us while upgrading the phpbb stuff.
Lippy
Krane
10th December 2005, 22:22
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=348139
There appears to be a new worm on the loose. If your phpBB has been defaced, please do the following:
1. Immediately get full backups of your entire website including phpBB
2. Immediately get full backups of your database
3. Get log files
4. Do not delete anything!
5. Do not use these backups to restore your site.
6. These backups are to be used to send to the Incident Investigation Team, and only the Incident Investigation Team. If the poster asking for logs or backups does not have a Support Team rank, do not do anything they tell you to do.
7. PM NeoThermic or myself to tell us you need assistance. Do not post in support asking for help.
8. Close your website (including phpBB!) until the IIT tells you it is okay to reopen.
I guess that affects users of PHP-Nuke too, isn't it based on phpBB?
the_angry_angel
11th December 2005, 16:55
What do you make of this?
Looks like the Ronin-style attack. This file which is part of phpBB allows a user to remotely execute code. Usually they apply a wget command to download a file, and then run it. I can't see this in the provided log extract, but you never know.
Check your server for additional files, rootkits, etc. You can use chkrootkit and rkhunter for this (presuming it's debian, run apt-get install chkrootkit rkhunter as root, or a user with similar privs). Check the rest of your logs, including syslog. It's also a good idea to run the rootkit checkers on a cron. Also check the currently running processes for anything funny (ps aux).
I believe there's a patch for this.
Edit: A suggestion would be to run a non-standard package to manage your websites. The more popular site management tools do attract crackers, and it's easier to look through the code for vulnerabilities. I'm no fan of security through obscurity, but custom written websites are harder to crack if you don't provide the source.
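Added example, not part of the post above: one way to do the "check your server for additional files" step, and to catch a changed index.php like the one reported earlier in the thread, is to hash the web root while it is known good and compare against that baseline from cron. The function names `snapshot` and `compare` and the demo file names are made up for illustration; it assumes `sha256sum` from coreutils.

```shell
#!/bin/sh
# Added example: hash baseline of a web root, then report drift from it.
# Keep the baseline file outside the web root (ideally off the server),
# so whoever can rewrite index.php cannot rewrite the baseline too.

# snapshot DIR -> one "sha256  ./path" line per regular file under DIR
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare BASELINE_FILE DIR -> prints ADDED/CHANGED/REMOVED lines;
# returns 1 if anything differs, 0 if the tree matches the baseline.
compare() {
    report=$(snapshot "$2" | awk -v base="$1" '
        # sha256sum lines: 64 hex digits, two separator chars, then the path
        BEGIN { while ((getline l < base) > 0) old[substr(l, 67)] = substr(l, 1, 64) }
        { p = substr($0, 67); seen[p] = 1
          if (!(p in old))                      print "ADDED " p
          else if (old[p] != substr($0, 1, 64)) print "CHANGED " p }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }' | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed web root (file names and contents are made up).
demo() {
    root=$(mktemp -d) && base=$(mktemp)
    mkdir "$root/forum"
    echo '<?php echo "home"; ?>'  > "$root/index.php"
    echo '<?php echo "forum"; ?>' > "$root/forum/index.php"
    echo 'body{}'                 > "$root/style.css"
    snapshot "$root" > "$base"          # taken while the site is known good

    echo '<html>replaced</html>' > "$root/index.php"  # front page rewritten
    echo 'x' > "$root/forum/dropped.php"              # extra file appears
    rm "$root/style.css"                              # file goes missing

    compare "$base" "$root" || echo "drift detected"
    rm -rf "$root" "$base"
}
demo
```

Run from cron, the non-zero exit and the printed list are what to alert on; modification times alone are not reliable, since they can be set to any value.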
Rumiko
11th December 2005, 17:31
I believe there's a patch for this.
It's already been said, ver. above 2.0.15 do not have this vulnerability. Most of phpbb hacks are a result of people using code, which is sometimes even several years old.
the_angry_angel
11th December 2005, 17:42
It's already been said, ver. above 2.0.15 do not have this vulnerability. Most of phpbb hacks are a result of people using code, which is sometimes even several years old.
See, now that's the problem with forums/mailing lists. You read past what everyone says and say the same thing. You don't get that issue with IRC.
:)