Icy Phoenix

     
 


Hackers (meant Lammers) Looking For Us!!
 
Hile, neighbours and friends!!!

I've realized that in the past 2 days I have 52 people that reached my web looking for "powered by phpBB XS". So probably some of them really want to see how XS looks like, but I think most of them are looking for the way to hack our forums...
 




____________
Icy Phoenix Latest 2.0 (working pending)
Style: Aphrodite and MG_Themes
Site: Spanish Stephen King fan forum
Mods: Medal System Mod. BBAntispam 1.2. Several own BBcodes.
 
Xusqui
Re: Hackers (meant Lammers) Looking For Us!!
 
Xusqui wrote: [View Post]
Hile, neighbours and friends!!!

I've realized that in the past 2 days I have 52 people that reached my web looking for "powered by phpBB XS". So probably some of them really want to see how XS looks like, but I think most of them are looking for the way to hack our forums...


I've been hacked three times, so I think it's the second possibility.  
 



 
magma
Re: Hackers (meant Lammers) Looking For Us!!
 
Did you modify the HTACCESS as suggested?

Code:
##################################
# Block Hacking Attempts - BEGIN #
##################################
# Requires mod_rewrite; RewriteEngine On must appear earlier in this .htaccess
##################################
# CONDITIONS
##################################
# STRICT CONDITION (matches the variable name anywhere in the query string)
#RewriteCond %{QUERY_STRING} ^.*(phpbb_root_path|album_root_path|module_root_path|mx_root_path|upi2db_file_path).*$
# LESS STRICT CONDITION (only matches when the variable is actually being assigned)
RewriteCond %{QUERY_STRING} ^.*(phpbb_root_path=|album_root_path=|module_root_path=|mx_root_path=|upi2db_file_path=).*$
##################################
# REWRITE
##################################
# FORBIDDEN (answer 403)
#RewriteRule ^.*$ - [F,L]
# REDIRECT TO LOCALHOST (answer 302 pointing the client at itself)
RewriteRule ^.*$ http://127.0.0.1/ [redirect,last]
##################################
##################################
# Block Hacking Attempts - END   #
##################################

 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty Gorgon
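As an added illustration (not code from this thread or from Icy Phoenix), the following Python reproduces the two RewriteCond patterns from Luca's .htaccess snippet and evaluates them over a few constructed query strings, showing what the strict variant catches that the less strict one lets through, and which response each RewriteRule variant would give. The hostname and sample parameters are made up.

```python
import re

# Patterns copied from the .htaccess snippet in the post above.
STRICT = re.compile(
    r'^.*(phpbb_root_path|album_root_path|module_root_path|mx_root_path|upi2db_file_path).*$')
LESS_STRICT = re.compile(
    r'^.*(phpbb_root_path=|album_root_path=|module_root_path=|mx_root_path=|upi2db_file_path=).*$')


def blocked(query_string: str, strict: bool = False) -> bool:
    """Return True if the chosen RewriteCond would fire on this query string.

    Apache evaluates %{QUERY_STRING} on the raw, undecoded query string,
    so the check is done on the string exactly as it appears in the URL.
    """
    pattern = STRICT if strict else LESS_STRICT
    return pattern.search(query_string) is not None


def action(query_string: str, forbid: bool = False) -> str:
    """Outcome under the snippet's two RewriteRule variants (less strict condition).

    forbid=True models '[F,L]' (403); the default models the redirect
    to 127.0.0.1, which is a 302 because no status code is given.
    """
    if not blocked(query_string):
        return "pass"
    return "403 Forbidden" if forbid else "302 -> http://127.0.0.1/"


def classify(query_strings):
    """Map each query string to (strict verdict, less-strict verdict)."""
    return {q: (blocked(q, strict=True), blocked(q, strict=False)) for q in query_strings}


# Constructed sample requests (hostname is a reserved, non-resolving name):
# the first two have the shape the rule targets (a path variable being
# assigned from the URL); the last two are ordinary forum traffic that merely
# mentions a variable name, which only the strict variant would block.
SAMPLES = [
    "phpbb_root_path=http://example.invalid/x",
    "f=1&album_root_path=http://example.invalid/y",
    "search_keywords=phpbb_root_path",
    "t=42&highlight=mx_root_path",
]

if __name__ == "__main__":
    for q, (s, l) in classify(SAMPLES).items():
        print(f"{q!r}: strict={'BLOCK' if s else 'pass'} "
              f"less_strict={'BLOCK' if l else 'pass'} -> {action(q)}")
```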
Re: Hackers (meant Lammers) Looking For Us!!
 
Yes, I've just been hacked now, by a group calling themselves DevilInside. Here's a copy of their changes to my index.php file (not index.html):

Code:
<html>
<head>
<meta http-equiv="Content-Language" content="es">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Defaced By ....::::DevilInsideTk::::.... <Guatemala> - Latin American Defacer`s</title>
</head>
<body text="#FF0000" bgcolor="#333333">
<p align="center"><b><font size="6"><font color="#FFFFFF">Owned By</font> <a href="mailto:devilinsidetkt@gmail.com">
<span style="text-decoration: none"><font color="#FFFFFF">DevilInsideTk</font></span></a>
<p align="center"><font color="#3333FF">GUA</font><font color="#FFFFFF">TEM<font color="#3333FF">ALA </font><font color="#FFFF00">DEFACER</font></font></b></p>

<p align="center"><b><font size="5" color="#FFFFFF">&quot;Saludos a todos los amigos Chapines...&quot;</font></b></p>
<div align=center>
<p>
<img border="0" src="http://www.worldworx.tv/im/regional/flags/an/americas/north/central-america/Guatemala.gif" width="200" height="116"></p>
<p>
<font size="10" color="#FFFFFF">Staff L.A.D</font></p>
<p>
<font size="5" color="#FFFFFF">NaPsTeR, MataSanoS, VannoVaX & J4ibeR</font></p>
<p>
<font size="6">Contrata Hackers para tu seguridad!!!</font></p>
<p align="center">&nbsp;
<div id=vpdiv>

    <embed style="FILTER: xray" name="RAOCXplayer" autoplay="true" hidden=true src="http://www.lexenesis.com/lexenesis/Paginas/historia/media/sonidos/himno.mp3" type="application/x-mplayer2" width="300" height="64" ShowControls="1" ShowStatusBar="0" AutoSize="true" loop="true" EnableContextMenu="0" pluginspage="http://www.microsoft.com/Windows/Downloads/Contents/Products/MediaPlayer/"></embed></div><a href="" target="blank">
</div></a></p>
</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
</body>
</html>
This has prompted me to hurry up and switch back to using phpBBsecurity. I've never trusted cracker tracker!
 



 
Last edited by moreteavicar on Thu 14 Sep, 2006 12:59; edited 1 time in total 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
Unfortunately mod rewrite doesn't work on my site although it is supposed to be enabled. I've tried doing mod rewrites on the root directory, but again no success.
 



 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
moreteavicar, try applying the patch I have suggested to these files:

  • functions.php
  • bbcb_mg.php
  • adm/admin_album_config_clown.php


Add on top of those files:
Code:
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}


A final note: which version of XS are you running?
 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty Gorgon
Re: Hackers (meant Lammers) Looking For Us!!
 
I'm using an "updated" version of XS049, most of the security patches were in place. Fortunately, they only edited the index.php file, which I may have left with 777 permissions, and also being 777, the upload directories of album_mod, pafiledb, and /files got wiped...

Also I found these files in the files directory, which I don't think belong there!:

c99sh_backconn.843.pl
c99sh_bindport.584.pl
c99sh_datapipe.61.pl
c99sh_ftpquickbrute_14.09.2006_01_58_16.log
laf.php

Checking c99sh_ftpquickbrute_14.09.2006_01_58_16.log only shows their last visit: FTP Quick Brute (called c99shell v. 1.0 pre-release build #16) started at 14.09.2006 01:58:19
It doesn't show my recent visits.

laf.php looks interesting (now included as attachment, sorry about that... didn't look that long in tswebeditor earlier!)

Attachment: laf.zip (13.54 KB). Description: sneaky amateurs

 



 
Last edited by moreteavicar on Thu 14 Sep, 2006 19:43; edited 2 times in total 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
Mighty Gorgon wrote: [View Post]
Did you modify the HTACCESS as suggested? (...)


Well, actually I don't remember if I updated the .htaccess or if I didn't. Anyway I have register_globals turned off in php.ini

Also safe_mode is on, so I think no directive can be changed through files, can it? Anyway I've just uploaded the .htaccess

Can the ones who have been hacked post which version of Cracker Tracker they have installed?

I have 5.0.1, which is, I think, too aggressive, but, up to now, my web is safe...

Greetz!!
 




____________
Icy Phoenix Latest 2.0 (working pending)
Style: Aphrodite and MG_Themes
Site: Spanish Stephen King fan forum
Mods: Medal System Mod. BBAntispam 1.2. Several own BBcodes.
 
Xusqui
Re: Hackers (meant Lammers) Looking For Us!!
 
This also reminds me to install IP logger...

As for cracker tracker... 4.(something). I never updated the version number in database, but it's been about 2 months since I last touched it, around the time phpxs.com disappeared. Regardless of that, I am still going to put phpBBsecurity back in.
 



 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
Mighty Gorgon wrote: [View Post]
moreteavicar, try applying the patch I have suggested to these files:

  • functions.php
  • bbcb_mg.php
  • adm/admin_album_config_clown.php

...


Thanks
adm/admin_album_config_clown.php already had die('Hacking attempt');, as most of the other adm/album_*_*.php but I notice that the following have define('IN_PHPBB', true);:
admin_album_cat.php
admin_album_auth.php
admin_album_personal.php

and non-album:
admin_attach_cp.php
(plus a few more)

Which is supposed to be ok if these are "user facing" files... as this useful phpBB article says...
 



 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
I've identified some other files in the /includes directory which don't use the php constant. Although not meant to be necessary (and some functions are harmless), it seems good practice to, so I'm going to add the
Code:
if (!defined('IN_PHPBB'))
{
    die('Hacking attempt');
}
to them as well, and see what happens. These files (probably you know already MG) are:
functions_admin.php
emailer.php
functions_bookmark.php
functions_dbmtnc.php
functions_jr_admin.php (which doesn't even use standard phpBB code layout template!)
functions_kb.php (Your favorite MG!)
functions_kb_mx.php
functions_mg_http.php
functions_mg_ranks.php
functions_mods_settings.php
functions_modules.php (or functions_stat_modules.php as it says in the header!)
functions_profile_fields.php
functions_rate.php
functions_search.php
function_selects.php
function_separate.php
functions_stats.php
functions_validate.php
function_xs_admin.php
function_xs_useless.php
optimize_database_cron.php
phpbb_template.php
rss_funtions.php (also doesn't quite follow phpBB layout guidelines!)
sessions.php
smtp.php
sql_parse.php
template.php (the XS modded one)

*Edit* Oops, I guess this is what Kuka was saying here...
 



 
Last edited by moreteavicar on Fri 15 Sep, 2006 02:17; edited 1 time in total 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
Try to update to the latest DEV package. It uses CT5 which has changed a lot. Much more features than the old CT4.
 




____________
No support via PM or E-Mail!
FAP 3, yeah baby, yeah!
 
Tom
Re: Hackers (meant Lammers) Looking For Us!!
 
Unfortunately latest Dev has some features which don't work properly - see, for example, my last posts there. I also don't like some of the other changes, for example to IMPortal configuration. Also, as said on phpBBXS.com before its demise, I found that cracker tracker doesn't have as many hacking patterns as phpBBsecurity (e.g. DdoS variants), and this situation does not appear to have changed. I also ran a check on captcha session vulnerability a while back using http://www.puremango.co.uk/acdc_breakcaptcha.php - the phpBBsecurity website blocked headers (with a phpBB security message, and IP being logged), whilst cracker tracker protected sites revealed all the info. That situation seems to have changed a little bit now, e.g. I just tried it on phpBBXS.eu, and I got a 301 header. That may be more a result of other security changes than cracker tracker I suspect.
 



 
moreteavicar
Re: Hackers (meant Lammers) Looking For Us!!
 
However, regardless of all that, I think that the title of this topic suggests a very simple solution that should help avoid sites being a magnet in the first place, and prevention is always better than cure.


Replace "Powered by phpBB XS 2 based on phpBB © phpBB Group" with an image, and store it in a newly created directory like /images/footer/. Remember to copy there an index.html file from one of the other image directories (or else your own with a redirect in) to prevent directory listing. Use something like the password generator here to name the image file, and then replace the text in the overall_footer.tpl with "<img src="/images/footer/randomly_generated_filename">". This should then stop undesirable types doing a google search on phpBBXS. Might also want to do the same for the cracker tracker logo/text.
 



 
moreteavicar