Posted

Some friends of mine had their website defaced today.

 

Here's what the pages said:

 

-------------

 

This site is defaced!!!

NeverEverNoSanity WebWorm generation 10.

 

--------------

 

Problem is, I can't find anything on Google or anywhere else about the defacer or the tool. So what on earth is this? And who's the proper party to report it to in case we find evidence of what was done?

 

All index files were replaced, as well as all php files. That included a little script I'd hidden in a password protected directory!!!!

 

They're running phpBB. Don't know if that's significant. They'll work with the webhost (not TCH) on figuring it out, but as one who's been on the receiving end of this sort of joke before, I'd like to DO SOMETHING!

 

sniff...

Posted

There is nothing you can do except make sure your own web hosting account is as secure as it can be.

 

Bottom line is this. The only way to fully protect your site is to unplug the server it resides on.

 

Web Sites get hacked, defaced and much more. Plenty of smart people on the internet, that's for sure.

 

Stick one in the cap for them and move on.

 

Just make sure you're keeping all your code up to date and so on.

 

Bill

Posted (edited)

> They're running phpBB. Don't know if that's significant. They'll work with the webhost (not TCH) on figuring it out, but as one who's been on the receiving end of this sort of joke before, I'd like to DO SOMETHING!

 

As Bill said, the main thing is they just need to make sure they keep their software up to date. There have been a couple of vulnerabilities disclosed recently that affect phpBB. The first was in phpBB itself for versions prior to 2.0.11, and the other was in PHP versions prior to 4.3.10 which phpBB (among many other packages) was also affected by.

 

So they just need to make sure their phpBB (and all modules) is up to date, and their provider's PHP is up to date (as well as any other software used).

 

[Moving to appropriate forum...]

Edited by TCH-MikeJ
Posted

This is really weird! The forum was starting to work again. Then another friend IM's me and tells me he gets that message again after 'View your posts'.

 

I checked last modified date on web root when I first saw the defacement, and now again, and the time doesn't match. But it DID match when I rechecked it before the forum stopped working.

 

Logic bomb or the hacker redefaced?
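
An added example, not written by any poster in this thread and not part of phpBB: a Python sweep of a web root for files carrying the defacement text quoted above, grouped by modification time so that one rewrite can be told apart from a later second one. The file suffixes, the five-minute gap and the sample tree in the demo are assumptions made for illustration.

```python
import os
import tempfile

# Marker text copied from the defacement page quoted in this thread.
MARKER = b"NeverEverNoSanity WebWorm generation"
# Per the thread, index files and all .php files were replaced (assumed suffixes).
SUFFIXES = (".php", ".htm", ".html")

def find_defaced(root, marker=MARKER):
    """Return sorted [(mtime, path)] for web files under root containing marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # the defacement page is tiny
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if marker in head:
                hits.append((mtime, path))
    return sorted(hits)

def group_by_time(hits, gap_seconds=300):
    """Split sorted hits into batches separated by more than gap_seconds."""
    batches = []
    for mtime, path in hits:
        if batches and mtime - batches[-1][-1][0] <= gap_seconds:
            batches[-1].append((mtime, path))
        else:
            batches.append([(mtime, path)])
    return batches

if __name__ == "__main__":
    # Constructed sample: two defaced files an hour apart plus one clean file.
    with tempfile.TemporaryDirectory() as root:
        for name, body, mtime in [("index.php", MARKER, 1000),
                                  ("viewtopic.php", MARKER, 4600),
                                  ("faq.php", b"<?php // clean", 1000)]:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (mtime, mtime))
        for batch in group_by_time(find_defaced(root)):
            print(len(batch), "file(s) rewritten around", batch[0][0])
```

More than one batch means files were rewritten at distinct times. Anyone with write access can reset modification times, so compare the batch times with the web server's access log before drawing conclusions.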

Posted

By now they've figured this thing out and the news reports are coming hard and fast.

 

Upgrade to phpBB 2.0.11 and you'll be fine if you haven't already been hit. Renaming the forum while you do might be a good idea, so you won't get hit while working on it.

 

If your blog isn't in Google, you should be safe. I have a friend who's got two phpBB forums on one server. One's hit, the other's not. The one that wasn't hit wasn't in Google. Then there are others who've been lucky so far, but there's a lot of pain in the webworld today...

Posted

Yah, there is a major security issue with the last release of phpbb, I would recommend upgrading to the latest version straight away. Hackers are able to access the config.php file, which is bad news.

 

Adam!

Posted

> Yah, there is a major security issue with the last release of phpbb, I would recommend upgrading to the latest version straight away. Hackers are able to access the config.php file, which is bad news.

 

phpBB versions prior to 2.0.11 are vulnerable to multiple methods of compromise, as noted here.

 

The compromise that allows access to config.php actually uses a vulnerability in PHP (the language, not phpBB) versions prior to 4.3.10. TCH has already upgraded to 4.3.10 to protect against those attacks.

 

While we are on the subject of phpBB, I'd also like to note again that there is a vulnerability in the widely used Attachment Module for phpBB that you should be aware of if you use that module.

Posted

My local TextTV reported that the internet could break down today because of Santy.A!

 

Come online early, to find out F-Secure had heard from Google that they're filtering the queries from the worm, and now it's stopped!

 

But upgrading is still not negotiable. You never know when the next yokel has a good idea!
