The ISP thought he had wiped out the PayPal phisher. But the devil popped back up at another URL using the same exploit to control the victim’s phpBB bulletin board system. That triggered a nasty battle between the ISP and his domain name registrar that shut him down for at least 18 hours.

While researching the exploit on Monday, we discovered that Google blocked searches when “phpbb” was combined with “crack(s)”, “hack(s)”, “vulnerability” or “exploit(s)”, returning only its 403 Forbidden page:

Google Error
We’re Sorry…

…but we can’t process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected.

We’ll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.

We apologize for the inconvenience, and hope we’ll see you again on Google.

So we switched to A9 and pursued the story.

Two days later, no problem. All of the terms work fine in Google. However, similar queries on MSN Search result in either a blank page (Firefox) or “You are not authorized to view this page” (Internet Explorer). And searching on “phpbb” with Firefox returns:

We are seeing an increased volume of traffic by some malware software. In order to protect our customers from damage from that malware, we are blocking your query. A few legitimate queries may get flagged, and for that we apologize. Please be assured that we are hard at work on this problem and hope to get it resolved even better as soon as possible.
If you are using phpBB, please check out the phpBB downloads site http://www.phpbb.com/downloads.php and make sure you are not vulnerable.
- MSN Search Team

The same input using Internet Explorer returns the stock HTTP: 403 (Forbidden): “You are not authorized to view this page.”

A9, Dogpile and Gigablast, have dutifully returned results all along.

Turns out F-Secure reported the MSN phenomenon on 9 January, and reported that Google will also deliver the error mentioned earlier if you search for viewtopic.php then hit the Next link a couple of times. We were unable to replicate F-Secure’s Google experience. In December, a number of searchers reported Google blocks. A developer on Lisa Seelye’s blog observed:

I ran into this problem myself yesterday, originally using the search text ‘phpbb2 debug mode’, but found that - depending on which browser I used, and which get-vars I included (hl=en,btnG=Search, etc..) - searches on ‘phpbb2′,’phpbb’ and even ‘php’ would result in the same 403 message

I had some friends do the same searches from different networks, and again, depending on the browser, they would get the 403 - but not using the same combinations as me.. quite strange…

SANS Handlers started picking up some activity back in November. Incidents were reported where bots were again using Google to find exploitable servers running phpBB versions 2.0.10 and under. As our ISP discovered, there are a number of phpBB exploits targeting phpBB versions as late as 2.0.17.

If you’re running phpBB, why not mosey on over to phpBB and download the latest version? Then step through the phpBB tightening suggestions listed in How To Protect Your phpBB Forum Against Hackers. By the time we know exactly what was bugging Google and MSN, you’ll already be safe… and in much better shape than any phpBB supporter who depends on MSN Search.

Have you come across any non-obscene blacklisted search terms? Any insights concerning the current anomalies? Share them with the rest of us.

Email Battles Backgrounder: