Author |
Message |
gbhughs
Regular
Joined: Sep 11, 2004
Posts: 84
|
Posted:
Sat May 06, 2006 10:26 am |
|
There was another exploit against my site again today.
This second round of attack was a Phishing exploit script installed into my directory.
This time the exploit file contained a link to a url that includes several hacks against software such as PHPNuke, PHPBB, and others. The list of hacks this site offers is at [ Only registered users can see links on this board! Get registered or login! ] The newest exploit file (from that website) can give someone the ability to create new admin level accounts in the affected software (PHPBB and Wordpress among them).
The first round of attacks on my site was:
1) Set up an .htaccess file which created a custom "error document" directive (i.e. what gets shown when the "page cannot be found").
2) Create the custom error document which contained some encoded URLs to a script which was (seemingly) designed to display some links to a site that would then apparently be paying someone for the traffic.
I am running phpBB 2.0.19, 76v2.02, (nuke sentinel) 2.4.2pl3.
So my question is: is there a patch, or should I just upgrade to the newest version? Are you guys aware of this?
Thanks in advance |
|
|
|
|
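A defender's check for the first-round technique described in the post above (an .htaccess ErrorDocument override pointing at a planted error page), as an added example that is not from the thread or from the PHP-Nuke or phpBB projects. It lists every ErrorDocument directive under a web root and flags targets that are external, missing, or contain runs of percent-encoded bytes. The function names, the percent-encoding heuristic, the assumption that local targets resolve against the web root, and the sample files are all assumptions made for this illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Apache syntax: ErrorDocument <3-digit status> <local path | URL | "text">
ERRORDOC = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.I)
# Assumption: "encoded" means percent-encoding; flag 4+ encoded bytes in a row
ENCODED_RUN = re.compile(r'(?:%[0-9A-Fa-f]{2}){4,}')

def flag_target(webroot, target):
    """Return the reasons an ErrorDocument target deserves a manual look."""
    if target.startswith('"'):
        return []                          # inline text message, no file involved
    if re.match(r'https?://', target, re.I):
        return ["external-target"]         # visitors are sent off-site on errors
    # Assumption: local targets are resolved against the web root
    local = os.path.join(webroot, target.split("?", 1)[0].lstrip("/"))
    if not os.path.isfile(local):
        return ["target-missing"]
    with open(local, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    return ["encoded-urls"] if ENCODED_RUN.search(body) else []

def audit_error_documents(webroot):
    """List every ErrorDocument override in .htaccess files under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                m = ERRORDOC.match(line)
                if m:
                    status, target = m.groups()
                    findings.append({"file": htaccess, "line": lineno, "status": status,
                                     "target": target, "flags": flag_target(webroot, target)})
    return findings

def demo():
    """Audit a constructed web root (sample files, not taken from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forums"))
        Path(root, ".htaccess").write_text("# constructed sample\nErrorDocument 404 /notfound.html\n")
        Path(root, "notfound.html").write_text('<a href="%68%74%74%70%3A%2F%2Fexample.invalid">x</a>\n')
        Path(root, "forums", ".htaccess").write_text('ErrorDocument 403 "Forbidden"\nErrorDocument 500 /gone.html\n')
        return [(Path(f["file"]).relative_to(root).as_posix(), f["line"], f["status"], f["flags"])
                for f in audit_error_documents(root)]
```

Any directive the site owner did not add is worth reviewing even when it carries no flag, since the heuristic only recognises one form of encoding.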
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006
|
Posted:
Sat May 06, 2006 10:40 am |
|
You should consider listing the addons you are using such as galleries, old modules, and anything that allows people to upload to your server. Those are normally the causes. There are also 3.2 patches out from chatserv. |
|
|
|
gbhughs
|
Posted:
Sat May 06, 2006 12:37 pm |
|
Right now I can't do anything, my host has shut down the site.
I guess, according to my host, other sites were infected too.
My site being the epicenter of the attack.
The only addons I am using, that didn't come with the package, are NukeC30 and an RSS reader. I also created a block with links to the site, for members.
I use a NukeC30 (classifieds) block for recent posts, and recent forum posts block, user info block, and a google adsense block. |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat May 06, 2006 3:36 pm |
|
What I do know about this is there is one form of it going around - if you look in your /tmp folder on your server, you will see an "eggdrop" that produces an IRC channel amongst other things. That is where the phishing is coming from, if that's it. The other possibility is that you either have a third party addon that allows uploads that is being exploited or possibly a rootkit on your server. |
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sat May 06, 2006 5:13 pm |
|
|
|
|
|