The Forum Is Back

Published on December 8, 2011 by niLotiCus

What happened? The forum started to behave oddly yesterday. At first many users didn't notice it, but for some people bothersome things started to occur. The first time I realized everything was not okay was when I clicked on a thread on the Show unread posts list. Every time I was taken to a suspicious website that has a domain ending with .ru. Then it was certain that some malware has gotten into critical systems. But exactly what, and where?

Until this evening, I was pretty sure the source of the malicious stuff lied in the source code of the PhpBB forum system. Other users also started to notify me of URL redirections, and eventually I had to put the forum down to investigate the problem and prevent any nasty stuff from doing more harm. Not having much experience in these kind of cases, I tried to look for some suspicious JavaScript funtions in the source code, and also see if there was something wrong with the PHP. Well, starting to lose hope, I googled for error clan and tested if I could access the page normally. Well, I discovered that all the search results were redirected to a .ru URL!

Therefore the right place to look was the .htaccess file. .htaccess files are used to manage web server configurations, for example, to define a start page other than the default one. Anyway, if it's used malicuously, it can cause a lot of harm. It turned out that the .htaccess file in the root folder was infected, and some unwanted code was added in it. It's still unknown for me how anything could have accessed and edited it, since for example permissions were ok. Now everything is fine again, but looks like some cautiousness is needed.

I installed the forum at a new location, the address is now, as it should have been in the first place. All the posts, users, groups etc. have been restored. Welcome back and sorry for the inconvenience.