Thread: forums hacked

  1. #1
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766

    forums hacked

    Ok, I'm upset. Seems someone thought it'd be funny to break into my phpBB forums on Galbadia X and
    1. Remove styles and make veeeeeery small fonts with a black background
    2. Delete all posts
    3. Put up a new post (as me) claiming the forum had moved to another site, which featured nothing but a very grotesque image.
    I'm pretty upset about this, obviously. Anyone have any brilliant ideas? GoDaddy will roll back to a previous version of the database, for a $150 fee.

    Whether I do or not, any advice on protecting myself in the future?
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


  2. #2
    SitePoint Guru Marubozo's Avatar
    Join Date
    Mar 2005
    Location
    Near South Bend, Indiana
    Posts
    657
    To protect yourself:

    1. Don't use free software
    2. If you do use free software, make sure you update ASAP when a new update is released
    3. See 1 and 2

    The only thing you can really do when running platforms like phpBB, phpNuke, etc... is to update almost immediately when a new update is out. These script kiddies simply google for forums with the version number that is exploitable, and go to town. Even with the more commercial software this is the case, but it happens less frequently. The bottom line is, you need to be aware of the versions of all the software you are running, and be notified when updates/patches are released and act on them.
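A minimal version of the version tracking described in the post above, as an added example that is not part of the original thread. The inventory, the advisory entries (including their `fixed_in` values) and the page footer are constructed placeholders, and the footer check assumes the software prints its version in a "Powered by" line.

```python
import re

# Constructed sample data: an installed-software inventory and an advisory feed.
# The "fixed_in" values are placeholders, not real release numbers.
INVENTORY = {"phpBB": "2.0.11", "ExampleCMS": "4.2.0"}
ADVISORIES = [
    {"product": "phpBB", "fixed_in": "2.0.99", "note": "placeholder advisory"},
    {"product": "ExampleCMS", "fixed_in": "4.1.3", "note": "placeholder advisory"},
]

# Constructed footer from one of your own pages (assumed "Powered by" format).
SAMPLE_HTML = '<div class="copyright">Powered by <a href="#">phpBB</a> 2.0.11 &copy; Example</div>'

BANNER_RE = re.compile(
    r"Powered by\s*(?:<a[^>]*>)?\s*([A-Za-z][\w.-]*)\s*(?:</a>)?\s*v?(\d+(?:\.\d+)+)",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn '2.0.11' into (2, 0, 11) so that 2.0.11 sorts after 2.0.9."""
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed_in):
    """True when the installed version predates the fixed release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))  # treat 2.0 as 2.0.0
    return pad(a) < pad(b)

def outdated(inventory, advisories):
    """Return (product, installed, fixed_in) for every install behind an advisory."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed is not None and is_older(installed, adv["fixed_in"]):
            findings.append((adv["product"], installed, adv["fixed_in"]))
    return findings

def version_banners(html):
    """List (product, version) pairs that your own page discloses to search engines."""
    return BANNER_RE.findall(html)

if __name__ == "__main__":
    for product, installed, fixed in outdated(INVENTORY, ADVISORIES):
        print(f"UPDATE {product}: running {installed}, fixed in {fixed}")
    for product, version in version_banners(SAMPLE_HTML):
        print(f"DISCLOSED {product} {version} in page footer")
```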

  3. #3
    SitePoint Wizard HarryR's Avatar
    Join Date
    Dec 2004
    Location
    London, UK
    Posts
    1,376
    The only thing I can say in this situation is: you really should have been aware that phpBB has had a fairly large and highly publicised security vulnerability for several months.

    Keep yourself subscribed to whichever securityfocus.com discussion lists you can (some are high traffic, others aren't as they're more specialized) and make sure that you pay attention to anything you're running that appears there.

    A generally good practice is to make sure you keep up with software updates anyway - if your site is entirely orientated around a forum, wouldn't you be watching for updates anyway?

    Regards,
    Harry

    P.S. I think this post should be moved into the Program Your Site -> Web Security forum.

    <edit>

    Marubozo: don't get on the wrong side of an open source vs. closed source argument with me :P

  4. #4
    SitePoint Wizard gold trophysilver trophybronze trophy dc dalton's Avatar
    Join Date
    Nov 2004
    Location
    Right behind you, watching, always watching.
    Posts
    5,431
    Agree with the other posts AND

    Get a host that doesn't charge STUPID prices for rollbacks! (That's just asinine!)

  5. #5
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766
    Sorry, this probably wasn't the best forum.

    My site isn't entirely focused around the forum, actually. And fortunately no other content was affected.

    Ugh. Ah well, live and learn.
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


  6. #6
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766
    Quote Originally Posted by dc dalton
    Agree with the other posts AND

    Get a host that doesn't charge STUPID prices for rollbacks! (That's just asinine!)
    Yeah, I'm not paying for that. If I spend a dime on this disaster, it'll be for vBulletin, probably.
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


  7. #7
    SitePoint Member mcreal's Avatar
    Join Date
    Mar 2005
    Location
    BrisVegas
    Posts
    11
    Another suggestion would be to frequently back up your db so that if another problem happens you don't have to fork out for a rollback.

  8. #8
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766
    Yeah.. I was pretty dumb about that. Just noticed phpBB's backup feature.
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


  9. #9
    SitePoint Guru Marubozo's Avatar
    Join Date
    Mar 2005
    Location
    Near South Bend, Indiana
    Posts
    657
    Quote Originally Posted by HarryR
    Marubozo: don't get on the wrong side of an open source vs. closed source argument with me :P
    Oh, this has nothing to do with open source vs. other software. I use a majority of open source products myself. But my point was, if you use free software, it is almost always one of the easiest for these "hackers", to use the term loosely, to pick apart and exploit.

    So, if you do use open source products, you should be even more aware of the current exploits and updates for the software as opposed to many commercial offerings, which typically have less frequent exploits uncovered.

  10. #10
    SitePoint Wizard HarryR's Avatar
    Join Date
    Dec 2004
    Location
    London, UK
    Posts
    1,376
    Good point.. sorry, I'm just so used to people randomly mixing 'free software' and 'open source software'. The bottom line is, you should be tracking software updates anyway.

  11. #11
    SitePoint Addict
    Join Date
    Nov 2004
    Location
    sea ranch
    Posts
    266
    I think both phpbb and cpanel have a backup feature. Just keep that in mind for the future.

  12. #12
    SitePoint Enthusiast eF.'s Avatar
    Join Date
    Apr 2005
    Posts
    28
    Try using vBulletin instead, much more secure than phpBB. phpBB is usually easily exploitable.

  13. #13
    Shiver me timbers!! anthony_irl's Avatar
    Join Date
    Aug 1999
    Location
    Dublin, Ireland
    Posts
    495
    Quote Originally Posted by eF.
    phpBB is usually easily exploitable.
    That's a bit of a generalisation, eF. Sure, phpBB has had its problems in the past but so have many forum systems.
    Anthony - How's tings?

    24 hours in a day, 24 beers in a case. Coincidence? I think not.
    Contact me by: PM ¦ Email ¦ NEW! Carrier Pigeon

  14. #14
    The Mind's I ® silver trophy Dark Tranquility's Avatar
    Join Date
    Sep 2003
    Location
    KSA - UAE
    Posts
    9,457
    I am sorry about this.
    What was the version of phpBB? I got one of my boards hacked while it was in version 2.0.12! You have to upgrade and wait for the Olympus to come out! Also switch to a new host that won't ask you for such fees. I suggest to try hostgator.com, they are very very good.
    Also you may want to back up your forums DB from time to time by yourself using phpBB Admin panel or your phpMyAdmin.
    Good luck.

  15. #15
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766
    It was only 2.0.11. I was pretty negligent in upgrading it.
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


  16. #16
    SitePoint Enthusiast eF.'s Avatar
    Join Date
    Apr 2005
    Posts
    28
    Instead of having to worry about upgrading all the time, you can just get vBulletin and only upgrade like every few months

  17. #17
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766
    That's the plan. But I'll need to scrounge up some spendable cash first.
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


  18. #18
    The Mind's I ® silver trophy Dark Tranquility's Avatar
    Join Date
    Sep 2003
    Location
    KSA - UAE
    Posts
    9,457
    Quote Originally Posted by eF.
    Instead of having to worry about upgrading all the time, you can just get vBulletin and only upgrade like every few months
    vBulletin has upgrades too and needs some care, also it has its own security gaps. I am not saying that phpBB is better than VB, I am sure that VB is better, but also it is not free! And for small communities you won't need all the features offered by VB...So

  19. #19
    I am obstructing justice. bronze trophy fatnewt's Avatar
    Join Date
    Jul 2002
    Location
    Ottawa, Canada
    Posts
    1,766
    vBulletin also charges for upgrades after 1 year if you own the license.
    Colin Temple [twitter: @cailean]
    Web Analyst at Napkyn


