# Website infection



## Xearoveg (Dec 6, 2005)

I have a forum on my webserver and it recently got attacked by some russian hackers.

I have another thread about what happens when someone views the phpbb forum in IE. They generally get infected with a virus of sorts that causes this: http://forums.techguy.org/security/582855-hjt-log-generic-host-process.html#post4800559

I wiped all domains on my webserver and re-uploaded phpbb from scratch, then my templates, and then my db backup. It is then re-infected within 1-2 days. When I don't put in the db backup it seems it won't get infected.

So my question is, is there a way to clean or sort through my database backup and be able to salvage it? There are a lot of posts and such I don't want to lose. I can post it if needed. I don't know if there is anything in it I should not post or censor, like pws or something hidden in there.
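One way to sort through a dump like this, as an added example that is not part of the original post or of phpBB itself: scan the post bodies in the SQL backup for injected HTML and flag the rows for manual review. It assumes phpBB 2's `phpbb_posts_text` table layout and one-row-per-INSERT statements (multi-row INSERTs would need a different row parser); the sample dump, ids and URLs below are constructed.

```python
import re

# Constructed sample of a phpBB 2 style dump; rows 2 and 4 carry injected
# markup of the kind that infects IE visitors, rows 1 and 3 are clean.
SAMPLE_DUMP = """\
INSERT INTO phpbb_posts_text (post_id, bbcode_uid, post_subject, post_text) VALUES (1, 'ab12', 'Welcome', 'Hello everyone, welcome to the forum.');
INSERT INTO phpbb_posts_text (post_id, bbcode_uid, post_subject, post_text) VALUES (2, 'cd34', 'Re: Welcome', 'Thanks! <iframe src="http://malware.invalid/x.php" width="0" height="0"></iframe>');
INSERT INTO phpbb_posts_text (post_id, bbcode_uid, post_subject, post_text) VALUES (3, 'ef56', 'Code help', 'Try [code:1:ef56]print(\\'hi\\')[/code:1:ef56]');
INSERT INTO phpbb_posts_text (post_id, bbcode_uid, post_subject, post_text) VALUES (4, 'gh78', 'Hi', '<script>document.write(unescape(\\'%3C%69%66%72%61%6D%65\\'))</script>');
"""

# One INSERT row: capture post_id and the last (post_text) column.  The
# string pattern (?:[^'\\]|\\.)* skips over SQL-escaped quotes such as \'.
ROW_RE = re.compile(
    r"INSERT INTO `?phpbb_posts_text`? \(post_id, bbcode_uid, post_subject, post_text\) "
    r"VALUES \((\d+), '(?:[^'\\]|\\.)*', '(?:[^'\\]|\\.)*', '((?:[^'\\]|\\.)*)'\);"
)

# Markup that has no business inside a bbcode forum post.  Legitimate posts
# that quote HTML will also be flagged, so the output is a review list.
INDICATORS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "iframe tag": re.compile(r"<\s*iframe\b", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "document.write": re.compile(r"document\.write\s*\(", re.I),
    "long url-encoded run": re.compile(r"(?:%[0-9a-f]{2}){6,}", re.I),
}


def find_suspicious_posts(dump):
    """Return [(post_id, [indicator names])] for rows whose post_text matches."""
    hits = []
    for m in ROW_RE.finditer(dump):
        post_id, text = int(m.group(1)), m.group(2)
        matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if matched:
            hits.append((post_id, matched))
    return hits


def count_rows(dump):
    """Number of post rows the parser recognised (sanity check on the layout)."""
    return sum(1 for _ in ROW_RE.finditer(dump))


if __name__ == "__main__":
    print(f"{count_rows(SAMPLE_DUMP)} post rows scanned")
    for post_id, why in find_suspicious_posts(SAMPLE_DUMP):
        print(f"post {post_id}: {', '.join(why)}")
```

Flagged rows can be deleted or their post_text replaced before the dump is re-imported; if the hole in the forum software itself is not closed, cleaned posts will simply be injected again.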


----------



## Xearoveg (Dec 6, 2005)

bump


----------



## Xearoveg (Dec 6, 2005)

I'm going to upgrade and convert my forums to phpbb3 and see if that does the trick. Sounds promising.


----------



## cpscdave (Feb 25, 2004)

I don't know of any examples specifically but I have heard in 2-3 different locations that there are security holes in phpbb. Best bet is to upgrade to the latest version (like you say you are going to), otherwise they'll just keep on exploiting the security hole and changing your stuff.


----------



## Xearoveg (Dec 6, 2005)

Thanks, I think it'll work too. Glad someone finally posted to at least one of my threads.


----------



## cpscdave (Feb 25, 2004)

Hehehe, sometimes it takes a while, other times it goes quickly.

*just another note: 

To anyone who uses open source items/frameworks, whatever. You should always keep the code up-to-date, as anyone can see the code and they have a lot easier time finding vulnerabilities in the code.

Oh... AND ALWAYS ALWAYS ALWAYS change the default password


----------



## Xearoveg (Dec 6, 2005)

Wow it didn't work, they hacked it again.


----------



## aewarnick (Sep 3, 2002)

They must have something against you.
What is the link to your site?
Are you sure it's phpbb they're exploiting?
Is your site running on Linux or Windows?


----------



## dragjack (Jul 20, 2005)

I can't seem to be able to post in your other thread over at the security forum...
BUT
have you tried formatting and reinstalling? After all, if your PC is infected, you will probably not be doing yourself any favours by simply uploading a backup.

Is your webserver hosted on your own machine, or with another hosting company? If the latter, you could contact them and let them know of the problem. They might be in a better position to sort it out.

If it's on your own machine, format, reinstall and set up everything again. Maybe the hackers don't like the fact that you're using "l33t" as part of your company's name????


----------



## Sequal7 (Apr 15, 2001)

If you are restoring to an earlier version of your database, i.e. before the hack, then you should be ok temporarily.

You obviously need to tighten your installation by at least moderating posts or moderating users to stop the "hackers" (although they are not hacking your server, they are simply exploiting a security flaw in your software).
And as futile as it seems, ban their IP and username or email address (and keep banning the octets they use) or they will continue to damage your site.

There is no need to format your computer and I see that your forums are hosted by a webserver, so you shouldn't worry much; they would let you know promptly if your site was causing damage to their server, by banning or suspending your site.

As far as your security post goes, allow the process to connect; it is required as part of the Windowz XP OS and ZoneAlarm should allow the connection. BTW, no one can post in that thread (except the members who are certified), so you can bump all you want and you may not get an answer for quite some time.


----------

