UBB.threads PHP Forum Software Community Forums UBB.threads 7 Version 7 Support Help - Forum Hacked

Six hours ago my forum was hacked. The config.inc.php was replaced with this text. I replaced that file with a previous file, but now I'm getting "we encountered an error" messages - maybe it was a previous version? How do I fix this error - and how do I prevent the hack from occurring again?

The replacement file looked like this:

----------

<html dir="rtl">

<head>
<meta http-equiv="Content-Language" content="ar-jo">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256">
<title>SQL Was Here</title>
</head>

<body bgcolor="#000000">

<p align="center">
<img border="0" src="http://i1-news.softpedia-static.com/images/news-700/MySQL-Com-Hacked-by-D35Mond142-Member-Credentials-Leaked.gif" width="650" height="318"></p>
<p align="center"><b><font size="5" color="#FF0000"><span lang="en-us">Mahmoud
SQL    </span></font></b></p>
<p align="center"><b><span lang="en-us"><font size="5" color="#FF0000">For
Contact</font></span></b></p>
<p align="center"><b><span lang="en-us"><font size="5" color="#FF0000">Jordan@hotmail.com</font></span></b></p>
<p align="center"><span lang="en-us"><font size="5" color="#FF0000"><b>
facebook.com/alaqarbawi</b></font></span></p>
<p align="center"> </p>
<p align="center"> </p>
<object width="400" height="40"
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
codebase="http://fpdownload.macromedia.com/
pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0">
<param name="SRC" value="http://error-404.do.am/50256-h4ck3d.swf">
<embed src="bookmark.swf" width="400" height="40">
</embed>bookmark.swf
</object>
</body>

</html>

The database looks all right - I removed write access from this directory and changed my database passwords. The database content seems intact. However, even replacing the config.inc.php with a valid one, I get UBB message that the database error is only visible to administrators. How do I get to that error?

It could be the database user name and password not being correct.

I think I got an error like that when I set it up locally.

Gutted you have been hacked.
I hope ubb post update advice just so we can all check for possible exploits.

Mark -

One of the first things I did was change both the root and regular user passwords for the database. I then updated that information in the config.inc.php file to match. So those two are in sync. Is there something else I need to change?

How do I get in as an administrator in order to see the actual error? That might help.

The forums are still down, as I try to figure out how to get this to connect again. I put up a placeholder.

We're a charity site - it's frustrating that someone would think it's fun to destroy us like this.

Also, I have the internet user account set to NOT have write access to the main forum directory and they just created a new file there this morning. How are they writing a file into a directory that they shouldn't have write access to?

I'll note that I had FlashChat in with the forums, because originally I had the chat system using the forum logon. I found some hacked files in there. I don't know if they just used that as a convenient dumping place for their files, it seems like they were putting files all over.

I'd appreciate any thoughts on how they are getting in, so I can shut it off.

goto:
http://www.ubbwiki.com/article/view/1/database-error-only-visible-to-forum-administrators.html

Thanks, Ruben. The config file looks fine, so I'm not sure that it would be that.

I turned on showerror and got this:

We encountered a problem. The reason reported was
Script:
Line#:
SQL Error: Access denied for user '***usernameremoved***'@'localhost' (using password: YES)
SQL Error #: 1045
Query: Unable to connect to the database!

Please click back to return to the previous page.

ok my boyfriend lent a hand and spotted a change I had to make - I think the forums are up again now. Now to make sure all the permissions are set properly with the control panel tool.

OK the cache is showing an error with that tool. I'm nervous about allowing write directory access. I set it to IUSR to have write access - that's correct, yes? And that isn't a risk?

My cache folder is set to 777 but that is linux.
Which is read,write,execute for owner,group,public.
Not sure what is comparable to windows.
But there also is a blank index.html file to help stop indexing files.

On Windows, there's an actual setting you have about looking at directories vs not looking at them, and I set that to "not look". So I think that's how Windows handles it.

So it's OK to have it write? Doesn't that mean that people can randomly write things into that directory? Or does it not work like that?

I would set your forums up with normal permissions etc. Thats your working base. As you say passwords have been changed so your ok. Then tweak permissions and see if the forums fall over. Its ok to be paranoid it keeps us all on our toes.

Hope you get it sorted.

Mark

Well the cache builders scripts need permission to write to the cache folder.
Otherwise.the islands will not update.
And if you clear cache they will not be rebuilt at all.

You should have a blank html file in the folder to stop anyone from browsing to the folder to see the files and in my case I have a option in cpanel to turn off indexing completely so even if the html file was missing you can't view the file structure.

flashchat should be removed, ASAP

that has serious security problems that will spill over and invite re-hack

I did remove flashchat. I'll have to find an alternative for our chats. We've had that running for maybe 10 years or so, so it's a shame it had to go.

I would love a utility that verifies that all directories are locked as tight as possible. The current one shows which ones aren't open. I'd like a utility that I run on the system and it verifies everything is as secure as possible.

The pJirc modification at UBBDev is a good replacement; relies on 3rd party IRC servers, so your users may appreciate the ability to utilize their own 3rd party chat clients.

I'm going to test out a cheap ($100) video chat server software that I found, this weekend. I'll let you guys know how it works.

I think I got an error like that when I set it up locally.