Express Hosting
"We are the official hosting company of UBB.threads. Ask us about our free migration services to migrate your UBB.threads installation."
Registered: 06/04/06
Posts: 10177
Loc: Aberdeen, WA
Was this an upgrade from a previous version of the software, like an older version of UBB.threads? If so, you may want to make sure that all of the old scripts, besides the redirects have been removed.
Second question would be: what are the file permissions on the header.tpl file? You might want to change them back to something like 644 (or not world-writable if it's a Windows server, which it sounds like it is) to see if it's being done through some type of web interface or through more direct means.
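As an added example (not code from the thread or from UBB.threads), here is the permissions check suggested above, written for a Unix host, which is what cPanel runs on. It lists world-writable files under a web root, lists files changed in the last N minutes (useful once you have an exact modification time, as with the 4:52 am edit later in this thread), and resets everything to 644 for files and 755 for directories. The directory path is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes a Unix host with
# find/chmod; the directory you pass in (e.g. ~/public_html) is up to you.

# Print regular files under $1 whose mode includes "other write" (o+w).
# 777 and 666 both match; 644 and 755 do not.
list_world_writable() {
    find "$1" -type f -perm -002 -print | sort
}

# Print regular files under $1 modified within the last $2 minutes.
# Pair this with the timestamp your FTP client reported for the tampered file.
list_recently_modified() {
    find "$1" -type f -mmin "-$2" -print | sort
}

# Tighten permissions: directories 755, files 644. Run list_world_writable
# again afterwards; anything still listed was changed back by someone else.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage (placeholder path):
#   list_world_writable ~/public_html
#   list_recently_modified ~/public_html 60
#   harden_perms ~/public_html
```

Note that a file the forum software itself must write (caches, uploads) will need group or owner write, not world write; on a shared host, 777 means every other account on the box can edit it.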
Now I have done it - They hacked the file again last night and when I tried to edit it I must have missed something - now the header.tpl shows an error and the forums will not load. I do not have a backup of the file and my license and password are being rejected in the members area!
Can someone email me a copy of a generic header.tpl contents for 7.1 to admin@rncinternet.com
I managed to get into the members area and download the header.tpl - I am now up and running. They did hack the footer.tpl as well. I will try changing the permissions as suggested above.
hmm, you might want to upgrade to the latest (7.2.2) - it's nearly impossible to support older installs against something like this without eliminating the obvious possible issue. A good number of bugs have been fixed in the last year or so.
Please excuse my lack of prompt replies - I am currently out of town in a remote location - this could not be happening at a worse time.
I did change the permissions on both the header.tpl and footer.tpl files and a little while ago found that the footer.tpl had been hacked again. It may be that it was done right before I changed the permissions - I am not sure. Or it may have been done after the permissions were changed. If that is the case, what am I up against here?
Well, there really are no known security exploits in current UBB.threads code - that's not saying someone hasn't found one though. First option is to upgrade code to current released code. If you are unable to from your remote location I can do it for you very reasonably. PM me access details and I'll handle it today.
Outside the forum code itself - it really could be anything - if you recently upgraded from an older 6.5 series you could still have shell scripts on your server from the openings back then (prior to v 6.5.5). If there are any other scripts on your server they could be allowing access - anything else installed?
It could be the server software itself - are you running current software? (I would not run on anything less than current generally available versions on my own web sites).
Doug has filled out a support ticket so I was able to get in and at least look at the access logs for the past month. It's definitely not being done by any sort of web access.
I think I will back up the database using the utility within the UBB control panel this evening and then check tomorrow morning and see if the change of permissions stopped the hacks overnight and when I get back in the city on the weekend I will upgrade to the latest version and contact my host regarding possible pranksters.
Last night I removed all of the old files that were left over from version 6 and had changed the permissions on the header.tpl and footer.tpl files. This morning my site was hacked again - this time they inserted the code into the ubbthreads.php file - my ftp program gave the time the file changed as 4:52 am
Any ideas? Could the shout box be used to gain access? There was some shoutbox activity around 4:52
I have contacted the host and they say they do not see any intrusion from others on the server. The host says this was likely done through one of the files still set to 777 on the server - the majority of those would be UBB files so I guess I can't change those.
I'll review your webserver access log again. I scanned through the past month when I last looked, now that you have an exact time, I can get a better idea.
It just so happens that all of your access logs for the month have conveniently disappeared. Instead of being able to see everything in the past month, I can only see everything starting in the past hour, so it looks like these were purged by someone.
You might want to contact your host and see if there is anywhere else a copy of these might be located as I can't find anything at this point.
Thanks to all for your help in this and especially to Rick for the excellent support and for rescuing my forum!
From what you all mentioned earlier in the post and from what I have subsequently found out - here is my theory of what has happened here...
I still did have all of the old version 6 cgi files on the server and for some reason many were set to 777. I think the intruder used those old files to acquire my account's Cpanel password and changed my files through Cpanel. I had changed the password after a previous incident but because the old files were still on the server he could get the new password.
This guy was even editing and deleting log files to cover his tracks - very persistent!
Last night I removed the old files and today I changed the Cpanel password (after multiple attacks this morning) - so I am hoping my "theory" is correct and that this is over.
Actually, thinking back - Version 6 should not be given a bad rap. Version 6 may not have been the original cause of all this, as I was hacked back in July and attributed it to the FrontPage extensions that were "on" on my server. They probably originally gained access through the FrontPage extensions and may have modified some of the old CGI files for later use if needed...
Registered: 07/04/06
Posts: 4480
Loc: Liverpool : England : UK
Fingers crossed for you. Hope it settles down for you now.
I guess your hacker could also be a member to watch the show as it happens from the stands so to speak.
_________________________ Version v7.5.6 < Threads satisfaction status People who inspire me RickGizmo Ian David jgeoff ntdoc Oooo i hear 8 is coming? just after 7 my friend.
So far so good - usually by this time I have already been hacked. I searched for the perp's IP on Google and found it in several discussions about hacking into community sites - apparently it is a problem all over the web. I assumed that the IP was spoofed but maybe not - that would explain why he was deleting log files and changing "last login from" files.
In case anyone else suspects they have been hacked - what happens is the hackers place inline frames on your site using encrypted code. These frames are invisible and sometimes you may not even realize that you have been hacked - especially on subsequent events.
The worst thing about all of this is that your members think they are getting viruses from visiting your site and traffic (and ad revenue) drops due to the redirects and members avoiding the site.
For me, the easiest way to check if I had been hacked was to click on "Show Hidden Elements" under the Miscellaneous tab on the Webmaster toolbar for Firefox.
Maybe you should try that on your site every once in a while as this issue is rampant on the web right now
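As an added example (not from the thread or from any of the posters), here is a command-line equivalent of the "Show Hidden Elements" check described above, for anyone who would rather scan the files on the server than load each page in a browser. The two functions grep template and PHP files for iframes styled to be invisible and for the `document.write(unescape(...))` / `eval(unescape(...))` wrappers that typically hide injected markup. The patterns are my assumptions about what such injections usually look like, not a complete signature set, and the directory path is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes GNU or BSD grep
# with -r and --include; the web root you pass in is a placeholder.

# Print files under $1 containing an <iframe ...> tag that is styled to be
# invisible: zero width/height, display:none, or visibility:hidden.
scan_hidden_iframes() {
    grep -rliE '<iframe[^>]*(width *= *"?0|height *= *"?0|display: *none|visibility: *hidden)' "$1" \
        --include='*.php' --include='*.tpl' --include='*.html' 2>/dev/null | sort
}

# Print files under $1 containing document.write(unescape( or eval(unescape(,
# the usual way an injected <iframe> is kept out of a plain "view source".
# These wrappers are legitimate in some scripts, so treat a hit as a lead,
# not a verdict, and diff the file against a known-good copy.
scan_obfuscated_js() {
    grep -rliE '(document\.write|eval) *\( *unescape *\(' "$1" \
        --include='*.php' --include='*.tpl' --include='*.html' 2>/dev/null | sort
}

# Usage (placeholder path):
#   scan_hidden_iframes ~/public_html
#   scan_obfuscated_js ~/public_html
```

Run both from cron and mail yourself the output; a new hit on header.tpl, footer.tpl or ubbthreads.php is exactly the kind of change described earlier in the thread.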
There was a hole in cPanel. I read a security notice from 21.6.2007 about attacks with MPack. Are you sure that your host closed the holes in cPanel? This was used in 2006 to prepare lots of web servers with iFrames, and now these servers respond to the MPack attack and deliver malicious code to the users.
Thanks for the feedback
Zarzal, after reading up on Mpack, I believe you are correct. It sure irks me that tech support for hosts would not be aware of this issue. Instead they waste my time and ramble on and on about how I must have an insecure script when it is them that is insecure.
Registered: 06/05/06
Posts: 15475
Loc: Portland, OR; USA
This tends to happen sometimes; a webhost installs everything on the server and leaves it there, thinking "well, I'm secure, everyone else is fine, so it has to be this guy". Why do they do this, you ask? They oversell the server, they don't want to maintain it (as it runs "properly", i.e. isn't crashing), and they don't upgrade things they had to pay for (like their control panel) because they don't feel like dipping into their "profits" to do upkeep to protect their users.
IMO, if you have the misfortune to run into one of these shady operations, you should go elsewhere.