PhpBB forum vandalised

Last week, a phpBB forum I administer was vandalised.
Postings had been changed and, worryingly, a posting had been made as admin. I was stupid enough not to look up the IP address of the poster before deleting it, so I had to go through the log files in order to discover more.

It turned out they had turned on word censoring on some key topics of the forum, and changed the forum description and admin e-mail. With Textpad, I searched through the access_log file for admin_words.php. Requests to this file had come from 2 IP addresses, but by extracting the lines with the user-agent of these requests (user-agent “Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1”) I got the list of requests from this user, starting with the forum home page where

http://www.google.be/search?q=index.php+forum&hl=nl&lr=lang_nl&start=90&sa=N

was given as referer, so the vandal found the forum by searching on Google for “index.php” and “forum”!

Half a minute later the request is repeated:
216.148.246.149 - - [09/Mar/2005:20:44:35 +0100] "GET /index.php HTTP/1.0" 200

And 3 seconds later he has gotten hold of a session id he could use to log in as forum-admin!
216.148.246.149 - - [09/Mar/2005:20:44:44 +0100] "GET /admin/index.php?sid=c2d4a6256590d2333425e1e83e0c416b HTTP/1.0"
216.148.246.154 - - [09/Mar/2005:20:44:45 +0100] "GET /admin/index.php?pane=right&sid=c2d4a6256590d2333425e1e83e0c416b
216.148.246.151 - - [09/Mar/2005:20:44:45 +0100] "GET /admin/index.php?pane=left&sid=c2d4a6256590d2333425e1e83e0c416b

And so on… I could see all POSTs and GETs and reconstruct the scenario from 20:44:01 till 21:08:16 on March 9.

All IP-addresses (range 216.148.246.149 – 216.148.246.156) came from the proxy proxyche07.sj4.marketscore.com. If I understand their website correctly, they’re a company collecting surfing behavior by letting people surf from behind a proxy – the one the intruder had hidden behind. I have sent an e-mail with the relevant log to their abuse account as indicated, but haven’t received any answer so far.
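
The log pivot described above (find the requests to admin_words.php, then follow the user-agent instead of the IP address, because the proxy spread the session over several addresses), as an added example that is not part of the original post. The log lines are constructed samples in Apache combined format, and the function names and the `known_ips` parameter are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse(lines):
    """Yield one dict per parsable line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def timeline_for(lines, marker="admin_words.php", known_ips=()):
    """All requests by any user-agent that touched `marker`, oldest first.

    known_ips (assumption): addresses of the legitimate admins, whose own
    requests to the marker page do not make their user-agent a suspect.
    """
    records = list(parse(lines))
    suspects = {r["ua"] for r in records
                if marker in r["path"] and r["ip"] not in known_ips}
    return sorted((r for r in records if r["ua"] in suspects),
                  key=lambda r: r["time"])

def summarize(hits):
    """Session window, source addresses and referers; None if nothing matched."""
    if not hits:
        return None
    return {"first": hits[0]["time"], "last": hits[-1]["time"],
            "ips": sorted({r["ip"] for r in hits}),
            "referers": sorted({r["referer"] for r in hits if r["referer"] != "-"})}

# Constructed sample lines (documentation IP ranges, made-up session ids).
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.6) Gecko/20050226 Firefox/1.0.1"
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Mar/2005:20:40:02 +0100] "GET /admin/admin_words.php?sid=aaaa HTTP/1.1" 200 512 "-" "AdminBrowser/1.0"',
    f'192.0.2.12 - - [09/Mar/2005:20:50:10 +0100] "POST /admin/admin_words.php?sid=bbbb HTTP/1.0" 200 700 "-" "{UA}"',
    f'192.0.2.10 - - [09/Mar/2005:20:44:01 +0100] "GET /index.php HTTP/1.0" 200 9120 "http://www.google.be/search?q=index.php+forum" "{UA}"',
    '203.0.113.5 - - [09/Mar/2005:20:45:00 +0100] "GET /viewtopic.php?t=3 HTTP/1.1" 200 4000 "-" "OtherBrowser/2.0"',
    f'192.0.2.11 - - [09/Mar/2005:20:44:45 +0100] "GET /admin/index.php?pane=left&sid=bbbb HTTP/1.0" 200 2048 "-" "{UA}"',
]

if __name__ == "__main__":
    hits = timeline_for(SAMPLE_LOG, known_ips={"198.51.100.7"})
    for r in hits:
        print(r["time"].isoformat(), r["ip"], r["method"], r["path"])
    print(summarize(hits))
```

The user-agent header is supplied by the client, so a match is a lead to correlate with session ids and timestamps, not proof of a single visitor.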

And the vulnerability? A quick search on phpBB forums gave me the needed bugfix for the version 2.0.12 I was running… Well, you’re right, I should have subscribed to their RSS feed in the first place!

2 Responses to “PhpBB forum vandalised”

  1. Notes, links and conversation » Blog Archive » PhpBB forum vandalised (2) Says:

    […] m vandalised (2) I got a reply back from Marketscore on my complaint about their proxies being used to vandalise a phpBB forum. Dear Mr. Van Hec […]

  2. James Says:

    I would like to ask a question: can we locate the exact location of the visitor by using the proxy? Can we do this? I am looking forward to the answer. Thanks
    http://www.Gogetmlm.com