1

I have a phpBB 3.0.5 installed on a Linux server (oovium.com/forums/). I noticed two days ago someone using an autogenerated email address from China created a new account without having read a single message. The email address they used was listed on http://stopforumspam.com. I deleted the account.

Yesterday, the same (or similar) email address created another account, but this time they posted a message complaining about having trouble with registration and posted their registration link.

I stupidly clicked the link and it took me back to my forum. I then deleted the account and its message.

The message is deleted so I don't know exactly what the URL that I clicked was.

So my questions:

1. Is there a way to hack a phpBB 3.0.5 by having an admin user click a link?
2. Is there a way to determine if the message board has been hacked?
3. Is there any way to retrieve that deleted message so I can determine precisely what the URL was?

aepryus
  • 123

3 Answers

2

1) In principle, yes. By clicking on links, the admin is performing actions. Specially crafted links can be created to perform undesirable actions.

2) Review the logs. Check file integrity. Determining if you've been hacked is not a trivial problem.

3) Accessed URLs can be retrieved through the server logs. Deleted messages might be available in the SQL database that backs phpBB.

Best of luck

Gary
  • 301
2

The Apache access logs will show you the link you clicked. If you can remember roughly when you clicked it and what IP you were using, you can minimize your search.

Also, you should be checking your logs for unusual activity now, to see if you have indeed been exploited in some way.

Apache's logs are usually stored in /var/log/httpd/ or /var/log/apache, depending on your server's configuration. The log directory should be listed in your web server's configuration file.

cpbills
  • 2,790
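
The log search described in the answer above, as an added example that is not part of the original answer: it filters an Apache access log by the admin's IP and a time window, then keeps requests whose Referer is a forum topic page (links clicked inside a post). It assumes the "combined" log format; the sample lines, IPs and host name are constructed, and the Referer heuristic is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(lines, client_ip, around, minutes=10):
    """Requests from client_ip within +/- `minutes` of the timezone-aware `around`."""
    window = timedelta(minutes=minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] == client_ip and abs(rec["time"] - around) <= window:
            hits.append(rec)
    return hits

def clicked_from_posts(hits):
    """Keep requests whose Referer is a topic page, i.e. links followed from a post."""
    return [h for h in hits if "viewtopic.php" in h["referer"]]

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2009:14:02:11 +0000] "GET /forums/viewtopic.php?f=2&t=41 HTTP/1.1" 200 18211 "http://forum.example.org/forums/index.php" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2009:14:02:40 +0000] "GET /forums/ucp.php?mode=activate&u=57&k=ABC123 HTTP/1.1" 302 - "http://forum.example.org/forums/viewtopic.php?f=2&t=41" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Oct/2009:14:03:05 +0000] "GET /forums/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2009:18:30:00 +0000] "GET /forums/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]
```

On a real server, pass the lines of the access log file instead of `SAMPLE_LOG`, and review every request from the admin's IP that follows the clicked URL, not just the click itself.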
0

One thing to test... I would register yourself a fake user and get the registration email with the link. Take it and paste it into the address bar and change a few characters to make it fake. If it just redirects you back like the link he posted did, more than likely he just linked the original link he received upon the first registration and phpBB just routes you to a predefined page if the validation link is not valid.

Jacob K
  • 139