It's a new worm.

From the ISC:

Santy worm defaces websites using php bug

A worm taking advantage of a phpBB vulnerability has been defacing websites and explains a number of reports we received today regarding defaced web servers. The worm is written in Perl and seems to overwrite all writeable asp/php/htm/shtm files on the server.

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, it's still a good idea to update php.

We do now have a couple of versions of the code. The virus appears to increment a 'generation' number whenever it infects a site. If you have a copy of a generation < 4, please let us know.

A few more details from a preliminary analysis:

The worm uses Google to search for links to 'viewtopic.php'. This search will return sites that link to phpBB sites, as well as the phpBB sites themselves (plus of course a lot of others). The search includes a random parameter as well. Likely, this should randomize the results.

The perl script makes use of Socket.pm to set up the HTTP connections. The headers the script generates are:

    GET $res HTTP/1.0
    Host: $host
    Accept: */*
    Accept-Language: en-us,en-gb;q=0.7,en;q=0.3
    Pragma: no-cache
    Cache-Control: no-cache
    Referer:http://" . $host . $res .
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Connection: close

$host and $res are replaced with the hostname and URL respectively.

More details on the Santy worm are available at:
http://www.viruslist.com/en/weblog
http://www.europe.f-secure.com/weblog/

Public exploit code for the php vulnerability has recently been made available. If you are unable to update your PHP engine at this time, a workaround for phpBB can be found at http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 In addition to the above workaround, Version 4.3.10 or 5.0.3 can be downloaded from http://www.php.net/downloads.php

If you are infected and are able to extract a copy of the perl script, please submit it via our contact form: http://isc.sans.org/contact.php

'Results 1 - 10 of about 5,770,000 for "Powered by phpBB".'

Stay tuned ..

Preliminary Snort Signatures

Here are some preliminary snort signatures. Let us know if they work:

    alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"phpBB highlight exploit attempt"; content:"&highlight=%2527%252Esystem(";)
    alert tcp any any -> any 80 (msg:"Possible Santy.A worm searching google for targets"; content:"&q=allinurl%3A+%22viewtopic.php%22+%22";)

isc dot chris at gee mail dot com
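The Snort signature quoted in the post only catches the literal double-encoded string on the wire. An added example, not from the post or from ISC: a small Python log checker for a phpBB host that applies the same idea to web server access logs, decoding the highlight parameter repeatedly (as phpBB 2.0.10 effectively did) so that variants of the encoding are still flagged. The log lines are constructed samples in Apache combined format, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1 carries a double-encoded highlight payload of the kind the ISC
# signature matches; lines 2 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2004:10:01:02 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252Esystem(%2527id%2527)%252E%2527 HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [21/Dec/2004:10:01:03 +0000] "GET /forum/viewtopic.php?t=12&highlight=paintball HTTP/1.1" 200 7890 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Dec/2004:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Once fully decoded, the payload closes the quoted string and calls a PHP
# function, e.g.  '.system(  -- that shape is what we look for.
PAYLOAD_RE = re.compile(r"'\s*\.\s*\w+\s*\(")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings collapse."""
    for _ in range(max_rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def check_line(line):
    """Return a finding for a viewtopic.php request whose highlight parameter
    decodes to a PHP call, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not parts.path.endswith("viewtopic.php"):
        return None
    # parse_qs performs the first percent-decode, as the web server would.
    for once in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        decoded = decode_fully(once)
        if PAYLOAD_RE.search(decoded):
            return {"ip": m.group("ip"), "time": m.group("ts"),
                    "decoded": decoded, "double_encoded": decoded != once}
    return None


def scan(log_text):
    """Run check_line over every line of a log and collect the findings."""
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]
```

Run `scan(open("access.log").read())` against a real log; each finding records the source IP, the timestamp and the decoded payload for triage.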
Google to the rescue:

"According to http://news.zdnet.com/2100-1009_22-5500265.html Google has deactivated queries essential to Santy's propagation, which should lead to its dying off. This is only a temporary fix, I would imagine, as I'm sure other queries can be crafted and the same exploit code used to relaunch this worm. Time will tell."

If you have a forum running on this code, Google has bought you some time. Have Santa bring you an update.