- This topic is empty.
-
AuthorPosts
-
May 4, 2006 at 3:50 pm #691108
Anonymous
InactiveHi Dean,
Had this happen to me a while ago. Did you delete the config.php afer new installation? If not, they can access it again and again. Also, seems they have htaccess to you. IS that possible?
May 4, 2006 at 3:52 pm #691109Anonymous
InactiveThis happened to my Politics Forum which runs on phpbb also, last year.
I had to restore the entire forum and db from the previous nights backup.
I also use a mod called ctracker on my phpbb forums now. It seems quite neat, touch wood
May 4, 2006 at 4:22 pm #691112Anonymous
InactiveQuote:Did you delete the config.php afer new installation? If not, they can access it again and again. Also, seems they have htaccess to you. IS that possible?I deleted the install directory as per every update but the config is required for phpbb to work. htaccess is doubtful.
Gotta go to bed, depressed and blurry eyed and will dream of hackers on stakes…I revoke my 46 years as a non violent individual!
May 4, 2006 at 5:03 pm #691119Anonymous
InactiveIt happened to me a few weeks ago. Log into your admin control panel and check if they created a new forum/category. They might have named it with a blank space in an attempt hide it. If they did, it’s pretty easy to fix.
All you have to do is erase that new column from the database (it wont let you delete it from the admin control panel).
May 4, 2006 at 5:12 pm #691125Anonymous
InactiveI know you may have tried but….
Have you tried to post this at the
http://www.phpbb.com/phpBB/ ???They even have a team that will help you clean it up…they want to know about this sorta thing….
http://www.phpbb.com/phpBB/viewtopic.php?t=348138Sorry…if you have already been there done that…:bigsmile:
May 5, 2006 at 2:36 am #691191Anonymous
InactiveAnother webmaster running vbulletin was also hit and got it narrowed to a vulnerability in fclick a click tracking program and I found one of these has been hacked on my server namely the cfg.php file…removing the entries and restoring does not stop the redirect however.
In his instance they put up pictures of dead and blown up babies!
May 5, 2006 at 2:43 am #691193Anonymous
Inactivedeaning do you have the redirect to the malicious hacker? greek39
May 5, 2006 at 2:49 am #691194Anonymous
InactiveIf you have the script i would like to see it. Malicous hackers always leave their signature, a trophy signal. greek39
May 5, 2006 at 3:13 am #691196Anonymous
InactiveHi,
I don’t have the script all I have found is they are replacing fclicks cfg.php with a meta refresh and must be getting in through some other vulnerability…on one forum I found nothing in the fclick but it still redirect to these bozos:
xhttp://kadooooooo.sitemynet.com/kadoo.htmI was told “they are/were getting in via insecure permissions with wget, lynx and cURL and exploiting a security hole in Fclick” So I guess there is something, a worm on the server?
Ah what a fun day this is turning out to be…my tech guy is not available for another 5 hours. I have changed the permission on all my sites fclick trackers as they are all 666 and have set to 644
May 5, 2006 at 3:17 am #691197Anonymous
InactiveKadoo is a small time malicious hacker out of istanbul. I say small time because the shit head needs a out house of server to conduct his work.
Look it up on google hacker kadoo. the realyy bad one s have no tracks. I am confident you will have this clear up in no time. greek39
May 5, 2006 at 3:30 am #691198Anonymous
InactiveFrom what I know from the dark side. Some malious hackers are coming very close to an new exploit for linux. They are testing it out everywhere. I would have to agree there is an worm on the server. I don’t know your arrangement of things are, but get some sleep I don’t think this person has access to your DB.
There has been an upsurge in attacks on servers lately. I wish I could help more I hate seeing this shit happen.greek39
May 5, 2006 at 3:49 am #691205Anonymous
InactiveMUCH appreciated Greek!
May 5, 2006 at 6:08 am #691208Anonymous
InactiveHmmm I had the hosting company run a rootkit whatsy thing to check for a worm and nada.
Buggered if I can find where they are running the redirect from. Is it possible to not affect the timestamp of a file? The one compromised one I found had no recent modification date that would have given an instant clue.
This is getting annoying. What’s the weather like in Instanbul this time of year?
May 5, 2006 at 6:38 am #691209Anonymous
InactiveI’m sooo clueless, but 4flush helped me get back up and running, then my hosting guy helped me add a patch. The redirect on my forum was just added into a forum post. Second time around, I learned to update my mySQL database..
I’m using IPB though ..
PS .. it royally sucked, and was frustrating as hell.. and felt like the end of the world at the time
.. sorry it happened, seems to be happening rather frequently lately.~LadyH
May 5, 2006 at 8:14 am #691218Anonymous
InactiveThe redirect in my board was added as a description in the new forum they created. You should check (in the admin control panel) to see if they did the same thing. It only takes a sec.
I went crazy looking for it on every file on the server but it wasn’t there. It’s so easy we overlook it.
-
AuthorPosts