{"id":391,"date":"2005-10-30T20:55:39","date_gmt":"2005-10-30T12:55:39","guid":{"rendered":"http:\/\/www.nargalzius.com\/blog2\/http:\/www.nargalzius.com\/blog2\/archives\/2005\/10\/2005_10_30_2055.php"},"modified":"2005-10-30T20:55:39","modified_gmt":"2005-10-30T12:55:39","slug":"friendly-reminder-for-phpbb-users","status":"publish","type":"post","link":"http:\/\/nargalzius.com\/blog\/archives\/2005\/10\/30\/friendly-reminder-for-phpbb-users","title":{"rendered":"Friendly reminder for PhpBB users"},"content":{"rendered":"<p>Thanks to some <a href=\"http:\/\/www.bukaspalad.com\" title=\"Visit BukasPalad\">BP Onliners<\/a>&#8217; messages, I was able to make sure I backed up our site&#8217;s database <em>just in case.<\/em><\/p>\n<p>Apparently, our sister site <a href=\"http:\/\/www.hangad.com\" title=\"Visit Hangad's website\">Hangad<\/a>&#8217;s discussion board has been hacked. From the look of it, either of two things happened. It&#8217;s an HTML\/CSS hack, or an administrative (or super moderator) account was compromised. I would have to go with the former based on the source code I saw.<\/p>\n<!--more-->\n<p>Fortunately, it&#8217;s limited to the discussion board&#8230; because if the <em>hosting\/server account<\/em> was compromised, then it would mean that the whole site would be in trouble.<\/p>\n<p>Checking the source, everything else was intact, no themes were altered. 
So this strongly suggests that code has been injected (and not that the board was compromised), which is a common method for these types of hacks <span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_391_1('footnote_plugin_reference_391_1_1');\" onkeypress=\"footnote_moveToReference_391_1('footnote_plugin_reference_391_1_1');\" ><sup id=\"footnote_plugin_tooltip_391_1_1\" class=\"footnote_plugin_tooltip_text\">1 <\/sup><\/a><span id=\"footnote_plugin_tooltip_text_391_1_1\" class=\"footnote_tooltip\">Remember the news about the guy who hacked MySpace? Probably done the same way.<\/span><\/span><script type=\"text\/javascript\"> jQuery('#footnote_plugin_tooltip_391_1_1').tooltip({ tip: '#footnote_plugin_tooltip_text_391_1_1', tipClass: 'footnote_tooltip', effect: 'fade', predelay: 0, fadeInSpeed: 200, delay: 400, fadeOutSpeed: 200, position: 'top right', relative: true, offset: [10, 10], });<\/script><\/p>\n<p>Here&#8217;s the offending injected code:<\/p>\n<pre>\n&lt;span class=\"forumlink\"&gt; &lt;a href=\"viewforum.php?f=48&amp;sid=a57b4b316b6581a48011c0ecf9388692\" class=\"forumlink\"&gt;:: Hacked By Yusuf KARA :: -= Yusuf Ownz Your Security ! ! 
!=--&lt;\/a&gt;&lt;br \/&gt;\n&lt;\/span&gt; &lt;span class=\"genmed\"&gt;&lt;body topmargin=\"0\"&gt;&lt;tr bgcolor=\"#F3F3F3\"&gt;\n&lt;td valign=top align=right&gt;&lt;font size=\"2\"&gt;Pesan :&lt;b&gt; &lt;\/b&gt;&lt;\/font&gt;&lt;\/td&gt;\n&lt;td colspan=\"2\"&gt;&lt;font size=\"2\"&gt;\n&lt;\/DIV&gt;&lt;DIV align=left&gt;&lt;BR&gt;&lt;DIV id=Layer1 style=\"BORDER-RIGHT: #000000 1px; BORDER-TOP: #000000 1px; Z-INDEX: 1; LEFT: 0px; BORDER-LEFT: #000000 1px; WIDTH: 1250px; BORDER-BOTTOM: #000000 1px; POSITION: absolute; TOP: 0px; HEIGHT: 30000px; BACKGROUND-COLOR: #000000; layer-background-color: #000000\"&gt;\n&lt;\/font&gt;\n&lt;center&gt;&lt;span style=\"font-weight: 400\"&gt;\n&lt;img border=\"0\" src=\"http:\/\/polat.sitemynet.com\/owned.jpg\" width=\"755\" height=\"530\"&gt;&lt;\/font&gt;&lt;\/span&gt;\n\n&lt;script language=\"JavaScript\"&gt;\n&lt;!--\nvar left=\"[\";\nvar right=\"]\";\nvar msg=\"  - - :: Hacked By Yusuf KARA :: -= Yusuf Ownz Your Security ! ! !=-- - -  \";\nvar speed=200;\n\nfunction scroll_title() {\ndocument.title=left+msg+right;\nmsg=msg.substring(1,msg.length)+msg.charAt(0);\nsetTimeout(\"scroll_title()\",speed);\n}\nscroll_title();\n\n\/\/ End --&gt;\n&lt;\/script&gt;\n&lt;BGSOUND src=\"http:\/\/www.sempatim.com\/yusuf.mp3\"\nloop=infinite&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n<\/pre>\n<p>Now you&#8217;d see that it&#8217;s kind of masquerading as a forum link. 
And when you navigate to the said link you&#8217;ll see <a href=\"http:\/\/hangad.org\/discussions\/viewforum.php?f=48&amp;sid=9b6545a56c94b40336bc37bff1e1a92e\" title=\"see link\">this page<\/a> <span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_391_1('footnote_plugin_reference_391_1_2');\" onkeypress=\"footnote_moveToReference_391_1('footnote_plugin_reference_391_1_2');\" ><sup id=\"footnote_plugin_tooltip_391_1_2\" class=\"footnote_plugin_tooltip_text\">2 <\/sup><\/a><span id=\"footnote_plugin_tooltip_text_391_1_2\" class=\"footnote_tooltip\">the link by the way is: <a href=\"http:\/\/hangad.org\/discussions\/viewforum.php?f=48&#038;sid=9b6545a56c94b40336bc37bff1e1a92e\"><span class=\"footnote_url_wrap\">http:\/\/hangad.org\/discussions\/viewforum.php?f=48&#038;sid=9b6545a56c94b40336bc37bff1e1a92e<\/span><\/a><\/span><\/span><script type=\"text\/javascript\"> jQuery('#footnote_plugin_tooltip_391_1_2').tooltip({ tip: '#footnote_plugin_tooltip_text_391_1_2', tipClass: 'footnote_tooltip', effect: 'fade', predelay: 0, fadeInSpeed: 200, delay: 400, fadeOutSpeed: 200, position: 'top right', relative: true, offset: [10, 10], });<\/script> Which means that the rest of the board is working fine.<\/p>\n<p>Truth be told, <em>both<\/em> <strong>guestbooks<\/strong> in nargalzius.com and bukaspalad.com can easily be hacked with simple HTML\/CSS tricks if I only enable HTML tag support&#8230; which I obviously don&#8217;t&#8230; anymore at least. 
<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_391_1('footnote_plugin_reference_391_1_3');\" onkeypress=\"footnote_moveToReference_391_1('footnote_plugin_reference_391_1_3');\" ><sup id=\"footnote_plugin_tooltip_391_1_3\" class=\"footnote_plugin_tooltip_text\">3 <\/sup><\/a><span id=\"footnote_plugin_tooltip_text_391_1_3\" class=\"footnote_tooltip\">YES, it&#8217;s because I&#8217;ve been victim of such attacks in the past<\/span><\/span><script type=\"text\/javascript\"> jQuery('#footnote_plugin_tooltip_391_1_3').tooltip({ tip: '#footnote_plugin_tooltip_text_391_1_3', tipClass: 'footnote_tooltip', effect: 'fade', predelay: 0, fadeInSpeed: 200, delay: 400, fadeOutSpeed: 200, position: 'top right', relative: true, offset: [10, 10], });<\/script><\/p>\n<p>It is to be noted that while boards aren&#8217;t rock solid, pulling something like this also takes some creative thinking. Boards are aware of HTML\/CSS\/Javascript exploitability which is the reason why boards have the option to turn off HTML\/Scripting support, and are updated all the time because of security patches. So normally, the code you see above can&#8217;t just be simply &#8220;posted.&#8221; To achieve such malice, you need to know the board engine you&#8217;re working on. In this case it&#8217;s PhpBB, which is a very popular board, so it&#8217;s not surprising why there are hacks similar to this hanging about. Knowing the engine you&#8217;re working with can do a lot of things&#8230; take the whole <a href=\"http:\/\/namb.la\/popular\/tech.html\" title=\"how was it done?\">MySpace hack<\/a> for instance.<\/p>\n<p>I guess what it boils down to today is that it&#8217;s simply an unfortunate event. 
I&#8217;m sure the webmaster has secured the board (and site) as much as he\/she can, and any security hole was in the software itself and not configuration (if it <em>was<\/em> configuration error, then at least I&#8217;m sure he\/she&#8217;d learn from this experience). Only advice I guess is to update their PhpBB script and hope that the security hole has been patched on the newer version.<\/p>\n<p>We&#8217;re lucky that BP uses a different board&#8230; so it would take a different approach to crack it. I just hope that the hackers don&#8217;t take notice and focus their energies on it. But just in case, I&#8217;m backing the site up \ud83d\ude42 Maybe I should check out for updated versions of our board too while I&#8217;m at it.<\/p><div class=\"speaker-mute footnotes_reference_container\"> <div class=\"footnote_container_prepare\"><p><span role=\"button\" tabindex=\"0\" class=\"footnote_reference_container_label pointer\" onclick=\"footnote_expand_collapse_reference_container_391_1();\">Notes<\/span><span role=\"button\" tabindex=\"0\" class=\"footnote_reference_container_collapse_button\" style=\"display: none;\" onclick=\"footnote_expand_collapse_reference_container_391_1();\">[<a id=\"footnote_reference_container_collapse_button_391_1\">+<\/a>]<\/span><\/p><\/div> <div id=\"footnote_references_container_391_1\" style=\"\"><table class=\"footnotes_table footnote-reference-container\"><caption class=\"accessibility\">Notes<\/caption> <tbody> \r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_391_1('footnote_plugin_tooltip_391_1_1');\"><a id=\"footnote_plugin_reference_391_1_1\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8673;<\/span>1<\/a><\/th> <td class=\"footnote_plugin_text\">Remember the news about the guy who hacked MySpace? 
Probably done the same way.<\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_391_1('footnote_plugin_tooltip_391_1_2');\"><a id=\"footnote_plugin_reference_391_1_2\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8673;<\/span>2<\/a><\/th> <td class=\"footnote_plugin_text\">the link by the way is: <a href=\"http:\/\/hangad.org\/discussions\/viewforum.php?f=48&#038;sid=9b6545a56c94b40336bc37bff1e1a92e\"><span class=\"footnote_url_wrap\">http:\/\/hangad.org\/discussions\/viewforum.php?f=48&#038;sid=9b6545a56c94b40336bc37bff1e1a92e<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_391_1('footnote_plugin_tooltip_391_1_3');\"><a id=\"footnote_plugin_reference_391_1_3\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8673;<\/span>3<\/a><\/th> <td class=\"footnote_plugin_text\">YES, it&#8217;s because I&#8217;ve been victim of such attacks in the past<\/td><\/tr>\r\n\r\n <\/tbody> <\/table> <\/div><\/div><script type=\"text\/javascript\"> function footnote_expand_reference_container_391_1() { jQuery('#footnote_references_container_391_1').show(); jQuery('#footnote_reference_container_collapse_button_391_1').text('\u2212'); } function footnote_collapse_reference_container_391_1() { jQuery('#footnote_references_container_391_1').hide(); jQuery('#footnote_reference_container_collapse_button_391_1').text('+'); } function footnote_expand_collapse_reference_container_391_1() { if (jQuery('#footnote_references_container_391_1').is(':hidden')) { footnote_expand_reference_container_391_1(); } else { footnote_collapse_reference_container_391_1(); } } function footnote_moveToReference_391_1(p_str_TargetID) { footnote_expand_reference_container_391_1(); var l_obj_Target = jQuery('#' + p_str_TargetID); if 
(l_obj_Target.length) { jQuery( 'html, body' ).delay( 0 ); jQuery('html, body').animate({ scrollTop: l_obj_Target.offset().top - window.innerHeight * 0.2 }, 380); } } function footnote_moveToAnchor_391_1(p_str_TargetID) { footnote_expand_reference_container_391_1(); var l_obj_Target = jQuery('#' + p_str_TargetID); if (l_obj_Target.length) { jQuery( 'html, body' ).delay( 0 ); jQuery('html, body').animate({ scrollTop: l_obj_Target.offset().top - window.innerHeight * 0.2 }, 380); } }<\/script>","protected":false},"excerpt":{"rendered":"<p>Thanks to some BP Onliners&#8217; messages, I was able to make sure I backed up our site&#8217;s database just in case. Apparently, our sister site Hangad&#8217;s discussion board has been hacked. From the look of it, either of two things happened. It&#8217;s an HTML\/CSS hack, or an administrative (or super moderator) account was compromised. &hellip; <p class=\"link-more\"><a href=\"http:\/\/nargalzius.com\/blog\/archives\/2005\/10\/30\/friendly-reminder-for-phpbb-users\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Friendly reminder for PhpBB 
users&#8221;<\/span><\/a><\/p><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[5,13],"tags":[517,528],"class_list":["post-391","post","type-post","status-publish","format-standard","hentry","category-internet","category-technology","tag-hack","tag-hangad"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/posts\/391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/comments?post=391"}],"version-history":[{"count":0,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/posts\/391\/revisions"}],"wp:attachment":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/media?parent=391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/categories?post=391"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/tags?post=391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated"
:true}]}}