According to a statement recently released by the phpBB development team, an unknown attacker replaced the official download link for the forum software phpBB.
Hackers attack only for two download links, namely phpBB 3.2.2 complete installation package and phpBB 3.2.1 -> 3.2.2 automatic upgrade package. This is the latest version of phpBB released on January 7 this year.
According to the phpBB development team, the downloaded download link was only valid for 181 minutes, but they did not reveal the exact details of the attacker’s replacement for the download link, only said that the entry point was a third-party site, and in this attack phpBB Both .com and phpBB software are not used.
phpBB’s staff found the link immediately after removing the malicious files. Michael Cullum of the phpBB management team said malicious code in the modified package tries to load JavaScript code from remote sources and is currently also controlling the domain name hosting the JavaScript source to make the code harmless.
Michael Cullum tells us that malware packages can only be valid for up to 3 hours due to an infrastructure team being able to react quickly and based on their calculations it is estimated that the total number of downloads affected will be no more than 500 and it is expected that in production environments Use a much smaller number.
Therefore, the official website of the download link is currently safe. However, it is recommended that users who recently downloaded phpBB 3.2.2 software package from the official website verify the SHA256 file hash of the file with the official provided checks to ensure that it is safe and sound.
phpBB is a very popular PHP-based discussion board, according to W3Techs, currently used by 0.2% of all sites on the Internet.
Source: bleepingcomputer
