
Thread: Site Hacked...

  1. #1

    Site Hacked...

    Hi All,
    Earlier today the site was hacked, and all pages were being redirected to a site that said our site had been hacked.

    Luckily I found out this morning that it was only a few fields within the DB that were causing the redirection, but it was not until this evening that I worked out how to get the forums back online (I should have paid more attention in that PHPBB lecture).

    At the moment we are still vulnerable to an attack, so if there is anyone who is a PHPbb guru, could you please let me know how easy it is to upgrade the PHPbb files from our current version (which is buggy) to the newer one. Also keep in mind that I don't want to break anything WILL has customised.

    So I apologise for the down-time and thanks again for your patience while this problem was sorted.


    Dominique.
    There are a lot of people who are dead while they are still alive. I want to be alive until the day I die.
    -= Paulo Coelho =-

  2. #2

    Site Hacked...

    I've noticed "quick hack fix" while the forum was closed.
    Perhaps you should update the forum to the newest PhpBB version (I have also heard there was some vulnerability in image tags for IE, but I think this is not related).

  3. #3

    Site Hacked...

    i suggest this:

    1. backup site
    2. apply newest phpbb files (all but skins)
    3. look how it looks, if it is still broken restore backup and call will.
    This is my game project - Top Down City:
    http://www.pascalgamedevelopment.com...y-Topic-Reboot

    My OpenAL audio wrapper with Intelligent Source Manager to use unlimited:
    http://www.pascalgamedevelopment.com...source+manager

  4. #4

    Site Hacked...

    might be time to upgrade phpbb

  5. #5

    Site Hacked...

    DPG CAN TAKE IT !!!!

  6. #6
    NecroDOME (Legendary Member; joined Mar 2004; The Netherlands, Eindhoven; 1,059 posts)

    Site Hacked...

    Glad it's back up again
    PS. Currently our site (www.necrosoft.nl) is offline cause some idiot stopped it :|
    NecroSOFT - End of line -

  7. #7

    Site Hacked...

    Quote Originally Posted by tux
    might be time to upgrade phpbb
    Although I agree with this, WILL has made extensive modifications to the current version of phpbb. An upgrade now will mean the loss of quite a few features. So I would recommend against it at this time.

    Did the redirect involve a posting in our forums? If so, there's a good chance the IP number has been logged. We can easily ban that.

  8. #8

    Site Hacked...

    Oh btw, perhaps it's a good idea not to show the current version of phpbb on this board (at the bottom of the screen).

    And another point: there are still two 'FIX FOR HACK' texts that need removing.
    Both are on the main forum page, at the top.

  9. #9

    Site Hacked...

    Hi guys, I was awaiting Traveller's feedback as I am not aware exactly how extensive WILL's customisations have been. Hence also why I was reluctant to just go in there and update things even though it is needed.
    He is due back around the 23rd of November so we can crack the whip then.

    The site provider wanted to restore a back up of the DB from 3rd of November, but since only 2 tables were affected I didn't want to lose all the posts we had as I knew all the data was there. Anyway backups are done, but not every night. Maybe WILL does something more regularly.

    In the mean time, all I think we can hope for is not to get a worse hacking.

    PS. I have removed the phpbb version number as well.
    There are a lot of people who are dead while they are still alive. I want to be alive until the day I die.
    -= Paulo Coelho =-

  10. #10

    Site Hacked...

    I don't wish to sound harsh but it was a long time coming. Don't get me wrong, I know maintaining such big projects among doing other things takes time and energy and that the number of people doing this is very limited. But PHP is simply CRAP. 90% of the PHP forums and other "dynamic" content pages are vulnerable either to XSS or SQL injection (which is what this page was hacked with). It's simply because PHP itself isn't exactly safe and also because most PHP programmers are script kiddies with no proper knowledge.
    See also how the Lazarus page was hacked. Basically same thing. Old version of forum software and again PHP. (IMHO the new ones aren't much safer, just their vulnerabilities aren't so known).

    Ok now for some solutions..

    If you have access to the sources, please have a look in the SQL parts. Make sure ALL SQL input is FILTERED for all SQL sensitive chars. This is the basic. If you can fix it custom (as I understand you can't simply update). Also make sure to check these things if you can even after you update. You never know if the script kiddies actually did things right this time.

    Please don't get me wrong. I'm not criticizing you. Doing this page in different thing is probably too troublesome (I did some CGI in FPC and it's quite a PITA for example) and I certainly understand the reasons. It's just that people don't want to hear the truth and these hacks are multiplying over PHP pages mostly forums too much to be ignored..
    Feel the power of Open Source.
    Feel the power of Free Pascal.
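
Added example, not part of the thread and not phpBB code: post #10 asks that every value reaching an SQL statement be neutralised, and this sketch shows the concatenated form beside bound parameters, a swapped-in technique that achieves the same goal without character filtering. The table, column names, data and helper functions are hypothetical, and it assumes PHP with the PDO SQLite driver so it runs offline.

```php
<?php
// Added example: constructed schema and data, not phpBB's real tables or code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_config (config_name TEXT PRIMARY KEY, config_value TEXT)');
$db->exec("INSERT INTO forum_config VALUES
           ('sitename', 'Example Forum'), ('secret_key', 'constructed-value')");

// Vulnerable pattern: request input is concatenated into the SQL text,
// so a quote character in $name changes the structure of the statement.
function lookup_concat(PDO $db, string $name): array
{
    $sql = "SELECT config_name, config_value FROM forum_config "
         . "WHERE config_name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement text is fixed and the value is bound,
// so the driver always treats $name as data, whatever characters it holds.
function lookup_bound(PDO $db, string $name): array
{
    $stmt = $db->prepare(
        'SELECT config_name, config_value FROM forum_config WHERE config_name = :name'
    );
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric request parameters (topic or post ids) are validated as integers
// before use instead of being stripped of "dangerous" characters.
function topic_id_from_request($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('topic id must be a positive integer');
    }
    return $id;
}

$input = "x' OR '1'='1"; // constructed input containing a quote character
printf("concatenated query: %d row(s)\n", count(lookup_concat($db, $input)));
printf("bound parameter:    %d row(s)\n", count(lookup_bound($db, $input)));
printf("bound, normal name: %d row(s)\n", count(lookup_bound($db, 'sitename')));

try {
    topic_id_from_request('12 OR 1=1');
} catch (InvalidArgumentException $e) {
    printf("rejected id: %s\n", $e->getMessage());
}
```

When auditing a customised code base that cannot simply be upgraded, every query built by string concatenation from request data is a candidate for this rewrite.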
