The forum, which runs on the popular phpBB3 software, was hit by a phishing attempt in the last few hours. Around 2000 private messages were sent by hundreds of newly registered users. It’s not clear how this automated attack got past our own spam hammer protection that bars new users from sending private messages. Apologies for the annoying messages and thanks to everyone for the reports.
Here is the SQL we used to clear out the scammers and their messages, in case this post turns up in search results.
First, back up your database!
Second, run this query to review what will get deleted. Replace “We are deleting inactive accounts! Confirm your ac” with the subject line the phishers used. A distinctive line from the message body or the phishing URL would also work as the match.
SELECT * FROM phpbb_privmsgs LEFT JOIN phpbb_users ON author_id = user_id WHERE message_subject LIKE '%We are deleting inactive accounts! Confirm your ac%';
DELETE phpbb_users, phpbb_privmsgs FROM phpbb_privmsgs LEFT JOIN phpbb_users ON author_id = user_id WHERE message_subject LIKE '%We are deleting inactive accounts! Confirm your ac%' AND user_id NOT IN (x, x, x, x);
If users replied to the phisher (ours had some choice words…) they will also get deleted, because the reply keeps the same subject. Replace the x values in the NOT IN () clause with the user_id of any legitimate users who must not be deleted (or drop the clause entirely if there are none).
Run the query to delete the messages and the users. There is no going back (you did make a backup, right?).
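An added variant of the cleanup (not the post's own query) that avoids the reply problem above by selecting the phishing accounts first, rather than matching on subject alone. It assumes the default phpBB3 MySQL schema (phpbb_users, phpbb_privmsgs, phpbb_privmsgs_to); the 7-day registration window and the zero-post filter are assumptions to adjust for your incident.

```sql
-- Added example, not the original post's query. Assumes default phpBB3 tables
-- on MySQL/MariaDB. Back up the database before running any of this.

-- 1. Collect the phishing accounts: authors of the bait message that are also
--    fresh, zero-post registrations (window and post filter are assumptions).
--    Genuine users who replied with "Re: We are deleting inactive accounts! ..."
--    fail these filters and are kept.
CREATE TEMPORARY TABLE tmp_phishers AS
SELECT DISTINCT u.user_id
FROM phpbb_privmsgs p
JOIN phpbb_users u ON u.user_id = p.author_id
WHERE p.message_subject LIKE '%We are deleting inactive accounts! Confirm your ac%'
  AND p.message_subject NOT LIKE 'Re:%'
  AND u.user_posts = 0
  AND u.user_regdate > UNIX_TIMESTAMP() - 7 * 24 * 3600;

-- 2. Review before deleting: who is on the list and how many PMs each one sent.
SELECT u.user_id, u.username, FROM_UNIXTIME(u.user_regdate) AS registered,
       COUNT(p.msg_id) AS pms_sent
FROM tmp_phishers t
JOIN phpbb_users u ON u.user_id = t.user_id
LEFT JOIN phpbb_privmsgs p ON p.author_id = t.user_id
GROUP BY u.user_id, u.username, u.user_regdate
ORDER BY pms_sent DESC;

-- 3. Delete in dependency order inside one transaction: recipient rows first
--    (otherwise they are left orphaned), then the messages, then the accounts.
START TRANSACTION;

DELETE pt FROM phpbb_privmsgs_to pt
JOIN tmp_phishers t ON t.user_id = pt.author_id;

DELETE p FROM phpbb_privmsgs p
JOIN tmp_phishers t ON t.user_id = p.author_id;

DELETE u FROM phpbb_users u
JOIN tmp_phishers t ON t.user_id = u.user_id;

-- 4. If the review output in step 2 looked right, COMMIT; otherwise ROLLBACK.
COMMIT;

DROP TEMPORARY TABLE tmp_phishers;
```

Recipients' cached PM counters (user_new_privmsg and user_unread_privmsg on phpbb_users) are not recomputed here, so expect them to be slightly off until phpBB resyncs them.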
Image of global phishing incident reports by <a href="http://commons.wikimedia.org/wiki/User:Offnfopt" title="User:Offnfopt">Offnfopt</a>.