PhpBB folder compromised
I received an e-mail that attempted (in Spanish) to get me to log in somewhere. The link was fake, and pointed somewhere other than it appeared to.
It pointed to an exe file (haven’t tested the exe file) in a folder that turned out to be the docs folder in a phpBB installation. A 2.0.x version. That folder had obviously been compromised, and a lot of scripts had been placed there. The forum appears to have been installed September 2006, but the phpBB files were last modified a year later. Some of the files have dates before that, but probably were uploaded in such a way that the original file date was preserved?
I’ve notified the site admin, so let’s see if he responds and tells us what happened. I assume this is a vulnerability that’s been fixed in newer versions of phpBB?
December 29th, 2007 at 7:58 am
SpamHuntress I posted you a nice message on
http://spamhuntress.com/2007/04/24/project-honey-pot-tracking-comment-spammers/
It had a few urls in it, and I think your WordPress filter is by default set to flag for moderation more than two urls.
So my comment was flagged..:) It is not Spam trust me..:)
Thank you,
Igor
December 31st, 2007 at 5:37 am
hey im a gilmartin i was doing some research on the net looking up my last name and i ran across yer website kinda sounds like you need to get off the computer and get laid lol im an alcoholic from america and i think im irish thats about all i can gather and my family is from new york and im drunk as shit right now but im pretty sure you are wicked smart at computers love so please dont hack me and God Bless have a happy new year and yer name is mary if yer my uncle richie that would be ironic i hear hes gay and speaks 7 languages well thats about it peace and good luck may God hold you in the palm of his hand
December 31st, 2007 at 8:38 am
To drg:
You must be drunk, because Mary Gilmartin stopped by here months ago and commented a few times, but has nothing to do with this blog.
So if you’re researching your family tree, kindly get it right the next time…
January 3rd, 2008 at 3:00 pm
I received an email from fanbox .com someone asked me to answer a question called sweetcheeks can you tell me how to stop this?
January 3rd, 2008 at 3:08 pm
Supposedly you can opt out of e-mails from them. There’s a link in the e-mail you received with an opt-out. I haven’t used it myself - I didn’t receive more than two e-mails from them. But then I notified the person whose e-mail address they used, so presumably that person got it stopped?
January 25th, 2008 at 1:33 pm
I had a similar attempt to compromise my site. I thought it was to add a link to my guestbook (and tried to elaborate about it as such) but I think now it was something similar to what you are describing here: an attempt to compromise a phpBB setup (strange, since I don’t have a forum). I wrote about it in my blog, but I don’t think I got it very well described. Anyhow, the payload EXE file in my case was a Vulnerability Scanner that phoned home with details of the visiting system’s OS and installed software.