Get exclusive CAP network offers from top brands

View CAP Offers

Help? PHPBB hacking redirect

[bsa_pro_ad_space id=2]
  • This topic is empty.
Viewing 15 posts - 1 through 15 (of 21 total)
  • Author
    Posts
  • #691108
    Anonymous
    Inactive

    Hi Dean,

    Had this happen to me a while ago. Did you delete the config.php afer new installation? If not, they can access it again and again. Also, seems they have htaccess to you. IS that possible?

    #691109
    Anonymous
    Inactive

    This happened to my Politics Forum which runs on phpbb also, last year.

    I had to restore the entire forum and db from the previous nights backup.

    I also use a mod called ctracker on my phpbb forums now. It seems quite neat, touch wood :)

    #691112
    Anonymous
    Inactive
    Quote:
    Did you delete the config.php afer new installation? If not, they can access it again and again. Also, seems they have htaccess to you. IS that possible?

    I deleted the install directory as per every update but the config is required for phpbb to work. htaccess is doubtful.

    Gotta go to bed, depressed and blurry eyed and will dream of hackers on stakes…I revoke my 46 years as a non violent individual! ;)

    #691119
    Anonymous
    Inactive

    It happened to me a few weeks ago. Log into your admin control panel and check if they created a new forum/category. They might have named it with a blank space in an attempt hide it. If they did, it’s pretty easy to fix.

    All you have to do is erase that new column from the database (it wont let you delete it from the admin control panel).

    #691125
    Anonymous
    Inactive

    I know you may have tried but….

    Have you tried to post this at the
    http://www.phpbb.com/phpBB/ ???

    They even have a team that will help you clean it up…they want to know about this sorta thing….
    http://www.phpbb.com/phpBB/viewtopic.php?t=348138

    Sorry…if you have already been there done that…:bigsmile:

    #691191
    Anonymous
    Inactive

    Another webmaster running vbulletin was also hit and got it narrowed to a vulnerability in fclick a click tracking program and I found one of these has been hacked on my server namely the cfg.php file…removing the entries and restoring does not stop the redirect however.

    In his instance they put up pictures of dead and blown up babies!

    #691193
    Anonymous
    Inactive

    deaning do you have the redirect to the malicious hacker? greek39

    #691194
    Anonymous
    Inactive

    If you have the script i would like to see it. Malicous hackers always leave their signature, a trophy signal. greek39

    #691196
    Anonymous
    Inactive

    Hi,

    I don’t have the script all I have found is they are replacing fclicks cfg.php with a meta refresh and must be getting in through some other vulnerability…on one forum I found nothing in the fclick but it still redirect to these bozos:
    xhttp://kadooooooo.sitemynet.com/kadoo.htm

    I was told “they are/were getting in via insecure permissions with wget, lynx and cURL and exploiting a security hole in Fclick” So I guess there is something, a worm on the server?

    Ah what a fun day this is turning out to be…my tech guy is not available for another 5 hours. I have changed the permission on all my sites fclick trackers as they are all 666 and have set to 644

    #691197
    Anonymous
    Inactive

    Kadoo is a small time malicious hacker out of istanbul. I say small time because the shit head needs a out house of server to conduct his work.

    Look it up on google hacker kadoo. the realyy bad one s have no tracks. I am confident you will have this clear up in no time. greek39

    #691198
    Anonymous
    Inactive

    From what I know from the dark side. Some malious hackers are coming very close to an new exploit for linux. They are testing it out everywhere. I would have to agree there is an worm on the server. I don’t know your arrangement of things are, but get some sleep I don’t think this person has access to your DB.

    There has been an upsurge in attacks on servers lately. I wish I could help more I hate seeing this shit happen.greek39

    #691205
    Anonymous
    Inactive

    MUCH appreciated Greek!

    #691208
    Anonymous
    Inactive

    Hmmm I had the hosting company run a rootkit whatsy thing to check for a worm and nada.

    Buggered if I can find where they are running the redirect from. Is it possible to not affect the timestamp of a file? The one compromised one I found had no recent modification date that would have given an instant clue.

    This is getting annoying. What’s the weather like in Instanbul this time of year?

    #691209
    Anonymous
    Inactive

    I’m sooo clueless, but 4flush helped me get back up and running, then my hosting guy helped me add a patch. The redirect on my forum was just added into a forum post. Second time around, I learned to update my mySQL database..

    I’m using IPB though ..

    PS .. it royally sucked, and was frustrating as hell.. and felt like the end of the world at the time :( .. sorry it happened, seems to be happening rather frequently lately.

    ~LadyH

    #691218
    Anonymous
    Inactive

    The redirect in my board was added as a description in the new forum they created. You should check (in the admin control panel) to see if they did the same thing. It only takes a sec.

    I went crazy looking for it on every file on the server but it wasn’t there. It’s so easy we overlook it.

Viewing 15 posts - 1 through 15 (of 21 total)