Icy Phoenix

     
 


Post new topic  Reply to topic 
Page 1 of 1
 
 
Reply with quote Download Post 
Post Hackers (meant Lammers) Looking For Us!! 
 
Hile, neighbours and friends!!!

I've realized that in the past 2 days I have 52 people that reached my web looking for "powered by phpBB XS". So probably some of them really want to see how XS looks like, but I think most of them are looking for the way to hack our forums...
 




____________
Icy Phoenix Latest 2.0 (working pending)
Style: Aphrodite and MG_Themes
Site: Spanish Stephen King fan forum
Mods: Medal System Mod. BBAntispam 1.2. Several own BBcodes.
 
XusquiSend private messageVisit poster's website  
Back to topPage bottom
Icy Phoenix is an open source project, you can show your appreciation and support future development by donating to the project.

Support us
 
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Xusqui wrote: [View Post]
Hile, neighbours and friends!!!

I've realized that in the past 2 days I have 52 people that reached my web looking for "powered by phpBB XS". So probably some of them really want to see how XS looks like, but I think most of them are looking for the way to hack our forums...


I've been hacked three times, so I think it's the second possibility.  
 



 
magmaSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Did you modify the HTACCESS as suggested?

Code: [Download] [Hide]
  1. ##################################  
  2. # Block Hacking Attempts - BEGIN #  
  3. ##################################  
  4. ##################################  
  5. # CONDITIONS  
  6. ##################################  
  7. # STRICT CONDITION  
  8. #RewriteCond %{QUERY_STRING} ^.*(phpbb_root_path|album_root_path|module_root_path|mx_root_path|upi2db_file_path).*$  
  9. # LESS STRICT CONDITION  
  10. RewriteCond %{QUERY_STRING} ^.*(phpbb_root_path=|album_root_path=|module_root_path=|mx_root_path=|upi2db_file_path=).*$  
  11. ##################################  
  12. # REWRITE  
  13. ##################################  
  14. # FORBIDDEN  
  15. #RewriteRule ^.*$ - [F,L]  
  16. # REDIRECT TO LOCALHOST  
  17. RewriteRule ^.*$ http://127.0.0.1/ [redirect,last]  
  18. ##################################  
  19. ##################################  
  20. # Block Hacking Attempts - END   #  
  21. ################################## 

 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty GorgonSend private messageSend e-mail to userVisit poster's website  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Yes, I've just been hacked now, by a group calling themselves DevilInside. Heres a copy of their changes to my index.php file (not index.html):

Code: [Download] [Hide]
  1. <html>  
  2. <head>  
  3. <meta http-equiv="Content-Language" content="es">  
  4. <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">  
  5. <title>Defaced By ....::::DevilInsideTk::::.... <Guatemala> - Latin American Defacer`s</title>  
  6. </head>  
  7. <body text="#FF0000" bgcolor="#333333">  
  8. <p align="center"><b><font size="6"><font color="#FFFFFF">Owned By</font> <a href="mailto:devilinsidetkt@gmail.com">  
  9. <span style="text-decoration: none"><font color="#FFFFFF">DevilInsideTk</font></span></a>  
  10. <p align="center"><font color="#3333FF">GUA</font><font color="#FFFFFF">TEM<font color="#3333FF">ALA </font><font color="#FFFF00">DEFACER</font></font></b></p>  
  11.  
  12. <p align="center"><b><font size="5" color="#FFFFFF">&quot;Saludos a todos los amigos Chapines...&quot;</font></b></p>  
  13. <div align=center>  
  14. <p>  
  15. <img border="0" src="http://www.worldworx.tv/im/regional/flags/an/americas/north/central-america/Guatemala.gif" width="200" height="116"></p>  
  16. <p>  
  17. <font size="10" color="#FFFFFF">Staff L.A.D</font></p>  
  18. <p>  
  19. <font size="5" color="#FFFFFF">NaPsTeR, MataSanoS, VannoVaX & J4ibeR</font></p>  
  20. <p>  
  21. <font size="6">Contrata Hackers para tu seguridad!!!</font></p>  
  22. <p align="center">&nbsp;  
  23. <div id=vpdiv>  
  24.  
  25.     <embed style="FILTER: xray" name="RAOCXplayer" autoplay="true" hidden=true src="http://www.lexenesis.com/lexenesis/Paginas/historia/media/sonidos/himno.mp3" type="application/x-mplayer2" width="300" height="64" ShowControls="1" ShowStatusBar="0" AutoSize="true" loop="true" EnableContextMenu="0" pluginspage="http://www.microsoft.com/Windows/Downloads/Contents/Products/MediaPlayer/"></embed></div><a href="" target="blank">  
  26. </div></a></p>  
  27. </p>  
  28. <p align="center">&nbsp;</p>  
  29. <p align="center">&nbsp;</p>  
  30. </body>  
  31. </html> 
This has prompted me to hurry up and switch back to using phpBBsecurity. I've never trusted cracker tracker!
 



 
Last edited by moreteavicar on Thu 14 Sep, 2006 12:59; edited 1 time in total 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Unfortunately mod rewrite doesn't work on my site although it is supposed to be enbabled. I've tried doing modrewrites on the root directory, but again no success.
 



 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
moreteavicar, try applying the patch I have suggested to these files:

  • functions.php
  • bbcb_mg.php
  • adm/admin_album_config_clown.php


Add on top of those files:
Code: [Download] [Hide] [Select]
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}


A final note: which version of XS are you running?
 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty GorgonSend private messageSend e-mail to userVisit poster's website  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
I'm using an "updated" version of XS049, most of the security patches were in place. Fortunately, they only edited the index.php file, which I may have left with 777 permissions, and also being 777, the upload directorys of album_mod, pafiledb, and /files got wiped...

Also I found these files in the files directory, which I don't think belong there!:

c99sh_backconn.843.pl
c99sh_bindport.584.pl
c99sh_datapipe.61.pl
c99sh_ftpquickbrute_14.09.2006_01_58_16.log
laf.php

Checking c99sh_ftpquickbrute_14.09.2006_01_58_16.log only shows their last visit: FTP Quick Brute (called c99shell v. 1.0 pre-release build #16) started at 14.09.2006 01:58:19
It doesn't show my recent visits.

laf.php looks interesting (now included as attachment, sorry about that... didn't look that long in tswebeditor earlier!)

laf.zip
Description: sneaky amateurs 
Download
Filename: laf.zip
Filesize: 13.54 KB
Downloaded: 499 Time(s)

 



 
Last edited by moreteavicar on Thu 14 Sep, 2006 19:43; edited 2 times in total 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Respuesta: Hackers (meant Lammers) Looking For Us!! 
 
Mighty Gorgon wrote: [View Post]
Did you modify the HTACCESS as suggested? (...)


Well, actually I don't remember if I updated the .htacces or if I didn't. Anyway I have register_globals turned off in php.ini

Also safe_mode is on, so I think no directive can be changed through files, isn't it? Anyway I've just uploaded the .htaccess

Can the ones who have been hacked post which version of Cracker Tracker they have installed?

I have 5.0.1, which is, I think, too agressive, but, up to now, my web is safe...

Greetz!!
 




____________
Icy Phoenix Latest 2.0 (working pending)
Style: Aphrodite and MG_Themes
Site: Spanish Stephen King fan forum
Mods: Medal System Mod. BBAntispam 1.2. Several own BBcodes.
 
XusquiSend private messageVisit poster's website  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
This also reminds me to install IP logger...

As for cracker tracker... 4.(something). I never updated the version number in database, but its been about 2 months since I last touched it, around the time phpxs.com disappeared. Regardless of that, I am still going to put phpBBsecurity back in.
 



 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Mighty Gorgon wrote: [View Post]
moreteavicar, try applying the patch I have suggested to these files:

  • functions.php
  • bbcb_mg.php
  • adm/admin_album_config_clown.php

...


Thanks
adm/admin_album_config_clown.php already had die('Hacking attempt');, as most of the other adm/album_*_*.php but I notice that the following have define('IN_PHPBB', true);:
admin_album_cat.php
admin_album_auth.php
admin_album_personal.php

and non-album:
admin_attach_cp.php
(plus a few more)

Which is supposed to be ok if these are "user facing" files... as this useful phpBB article says...
 



 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
I've identified some other files in the /includes directory which don't use the php constant. Although not meant to be neccessary (and some functions are harmless), it seems good practice to, so I'm going to add the
Code: [Download] [Hide]
  1. if (!defined('IN_PHPBB'))  
  2. {  
  3.     die('Hacking attempt');  
to them as well, and see what happens. These files (probably you know already MG) are:
functions_admin.php
emailer.php
functions_bookmark.php
functions_dbmtnc.php
functions_jr_admin.php (which doesn't even use standard phpBB code layout template!)
functions_kb.php (Your favorite MG!)
functions_kb_mx.php
functions_mg_http.php
functions_mg_ranks.php
functions_mods_settings.php
functions_modules.php (or functions_stat_modules.php as it says in the header!)
functions_profile_fields.php
functions_rate.php
functions_search.php
function_selects.php
function_separate.php
functions_stats.php
functions_validate.php
function_xs_admin.php
function_xs_useless.php
optimize_database_cron.php
phpbb_template.php
rss_funtions.php (also doesn't quite follow phpBB layout guidlines!)
sessions.php
smtp.php
sql_parse.php
template.php (the XS modded one)

*Edit* Oops, I guess this is what Kuka was saying here...
 



 
Last edited by moreteavicar on Fri 15 Sep, 2006 02:17; edited 1 time in total 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Try to update to the latest DEV package. It uses CT5 which has changed ALOT. Much more features then the old CT4.
 




____________
No support via PM or E-Mail!
FAP 3, yeah baby, yeah!
 
TomSend private messageVisit poster's website  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
Unfortunately latest Dev has some features which don't work properly - see for e.g. my last posts there. I also don't like some of the other changes, for e.g. to IMPortal configuration. Also, as said on phpBBXS.com before its demise, I found that cracker tracker doesn't have as many hacking patterns as phpBBsecurity (e.g. DdoS variants), and this situation does not appear to have changed. I also ran a check on captcha session vulnerability a while back using http://www.puremango.co.uk/acdc_breakcaptcha.php - the phpBBsecurity website blocked headers (with a phpBB security message, and IP being logged), whilst cracker tracker protected sites revealed all the info. That situation seems to have changed a little bit now, e.g. I just tried it on phpBBXS.eu, and I got a 301 header. That may be more a result of other security changes than cracker tracker I suspect.
 



 
moreteavicarSend private message  
Back to topPage bottom
Reply with quote Download Post 
Post Re: Hackers (meant Lammers) Looking For Us!! 
 
However, regardless of all that, I think that the title of this topic suggests a very simple solution that should help avoid sites being a magnet in the first place, and prevention is always better than cure.


Replace "Powered by phpBB XS 2 based on phpBB © phpBB Group" with an image, and store it in a newly created directory like /images/footer/. Remember to copy there an index.html file from one of the other image directories (or else you own with a redirect in) to prevent directory listing. Use something like the password generator here to name the image file, and then replace the text in the overall_footer.tpl with "<img src="/images/footer/randomly_generated_filename">". THis should then stop undesirable types doing a google search on phpBBXS. Might also want to do the same for the cracker tracker logo/text.
 



 
moreteavicarSend private message  
Back to topPage bottom
Post new topic  Reply to topic  Page 1 of 1
 


Display posts from previous:    

HideWas this topic useful?

Link this topic
URL
BBCode
HTML




 
Permissions List
You cannot post new topics
You cannot reply to topics
You cannot edit your posts
You cannot delete your posts
You cannot vote in polls
You cannot attach files
You can download files
You cannot post calendar events