Hacker hacking me off

[rkennedy]

YaBB SE Version: 1.5.4
PHP Version: 4.3.0
MySQL Version: 3.23.x
Server Platform: Unix, Linux, or BSD
Link to Forum:

Problem Description:
For almost two weeks now, I've been manually going out to my site and reloading all the files for our club's YaBB SE message board.  Once a day, all of the source files are deleted (except for the YaBBHelp and YaBBImages directory).

My thinking is that it's an automated process that trees down the directory structure searching for YaBBSE boards because I installed two boards under different directory names, and they were both removed the next day.

I feel confident in saying that they don't know the username/password to the account; otherwise, they would do more damage than this.  This also continued even after I changed the password to the account for Telnet/FTP.

Does anyone know of any security breaches at this time or has anyone else been experiencing these problems over the past couple of weeks?  I don't feel like I'm being singled out, but it's becoming annoying.

Please provide help before I end up switching to a different message board completely!  

[Shadow's Pawn]

If this was an issue with the board itself, I can almost guarantee you that it would be an issue with other boards as well.

Have you talked to your host?  Checked your server logs?

[rkennedy]

I contacted the host provider a few days after it happened and had them to increase the access-log limit since they were only storing that last 6K for me.  I didn't notice anything out of sorts, but I did discover an IP address hitting the site from Germany which seemed a little odd.  Our site is a local cycling club, so I didn't think it would be anything interesting for someone over there to be viewing.

Here's another odd thing about the problem.  Most of the time, I'll hit the site, and I'll receive an error to the effect of "file not found"; however, there are times, when the board will load except for the icons.  This generally cues to me that the board has been hacked because if I click on anything on the board after receiving this screen, then I receive the "file not found" error.  It's almost as if by me accessing the site that I've destroyed the files myself, but how?

I'll watch the access logs closer and try to supply more specifics tomorrow.  Like I said earlier, this happens once a day, so I'll have to wait for the information...

[Douglas]

http://www.yabbse.org/community/index.php?thread=15904

Make DAMN sure that you're doing this, okay.  

[rkennedy]

I've already reviewed this document a couple of days ago before posting.  I honestly don't feel like it's anyone infiltrating the system via an username/password.  None of the database data is deleted or manipulated...just the source code files are gone.  My thinking is that someway...somehow...there's a process using one of the PHP files to deliberately remove directories and source code files.

[Douglas]

Download your entire FTP area to your hard drive, and put things back one at a time, after checking to make sure that you know what that file does.  Best way to make sure it's not anything within your FTP area.

[David]

Ask your host for ftp login logs.  Also what control panel do they use on the server and do they offer ssh access?  If they do not use a jailshell then anyone else on your server could theoretically see and delete any of your files.  Considering YaBB SE has no means to delete files I don't see it as being their point of entry.