on 2.0.11. Still hacked? What is the problem?

[huiben]

I already upgraded to 2.0.11 as advised. But my site is still exploited accroding to my ISP record. they say hacker can run 'back' and 'passwd' via my insecured site.

Is there any solution to that? What exactly is the bug? How do I track the problem down?

My ISP keeps bugging me and I don't know what to react.. please help

the ISP send me this

Code: Select all

-rw-r--r-- 1 myaccount myaccount 1082 Feb 8 01ᚨ back

Fri Feb 8 01ᚲᚩ 2005 user myaccount pid 8827 passwd

[Infected]

Tell your ISP you don't know what that means. They'll help you.

[huiben]

they cannot tell me what it means. I think they just have a batch process that scan for potential exploits. and when they get a positive hit, they just email me and say my site is a problem and warn to shut my site down.

is there any additional patch I can install? Is there anything I need to do manually to fix it? I can do some php programing if the right instruction is given.

ben

[Mr.Jester]

Those permissions have nothing to do with phpBB. Those are file system related. Notice the -rw-r--r--. Looks to me like the account "myaccount" is the problem.

[Joe User]

If you chmod any folder to 777, then it's your problem. Else your ISP has to harden their systems...

[huiben]

'myaccount' is actually my account ID in the ISP. I just replace it with 'myaccount' .
So if 'myaccount' is a problem, that it is my problem. But what is the problem? Is there a bug in my phpBB or phpnuke? Is there any patch that I can apply?

My ISP says the 'back' and 'passwd' are typical indication of security exploit and they think it is because of my insecured website that allow hacker to run those malicious script.

(Note: I already have chatserv patch)

thanks
ben

Those permissions have nothing to do with phpBB. Those are file system related. Notice the -rw-r--r--. Looks to me like the account "myaccount" is the problem.

[Graham]

OK, if you are definitely running 2.0.11 then there are no know security issues with it.

What you should do however is make sure that you indeed have 2.0.11 - compare your key files (eg viewtopic.php) with those from a clean download. Most claims to be hacked on 2.0.11 are from either not upgrading correctlt, or are files that date from before you upgraded - in which case you need to take a good look at your sire for any backdoors.

[Mr.Jester]

In the *nix world, passwd is used to change your password. Maybe you have a weak password.

The back thing I have no ideas about and this is one of those times that google can't help.

[huiben]

since I am using phpnuke, it is not easy to tell. what I did was to install phpnuke 7.5, then install BBToNuke 2.0.11. when I compare viewtopic.php, I see that this line is the same between BBToNuke 2.0.11 and a clean phpBB 2.0.11

* $Id: viewtopic.php,v 1.186.2.37 2004/11/18 17:49:39 acydburn Exp $

I also see that BBToNuke has been patched by chatserv for I can see his signature.

there could be some old version php files that left behind. if this could be a problem, how do I spot for the backdoor? is there any code pattern that I can search by?

thanks
ben

OK, if you are definitely running 2.0.11 then there are no know security issues with it.

What you should do however is make sure that you indeed have 2.0.11 - compare your key files (eg viewtopic.php) with those from a clean download. Most claims to be hacked on 2.0.11 are from either not upgrading correctlt, or are files that date from before you upgraded - in which case you need to take a good look at your sire for any backdoors.

[kjcdude]

I HIGHLY doubt this is a bug in phpbb.

It's most likely PHP-Nuke.
There are SOOOOOOOOOO many security holes in NUKE that there is no way to guarantee your site safe.