Help! My forum hacked!

Discussion in 'Web Design & Coding' started by ray_gillespie, Dec 26, 2005.

1. ray_gillespie (Moderator, Staff Member, Political User, Birmingham, UK):
    Hi,
    I've got a forum that uses phpBB software, and it has been hacked twice in a week. We're using a pretty good password (i.e. numbers, mixed case, etc.) but it's still being hacked, and we can't go on using this software if it is so open to hacking. Can anyone suggest either a remedy or a replacement, as it's driving me crazy! Reps for anyone that can help, thanks :nervous:
     
2. GoNz0 (NTFS Stoner, the year 2525):
    vBulletin Version 3.5.2

    You've got to pay, but it's good :)
     
3. American Zombie (Moderator, Staff Member, Political User, Seattle):
    Are you sure that whoever is placing the password on the forum does not have a keylogger or rootkit on their PC?
     
4. ray_gillespie (Moderator, Staff Member, Political User, Birmingham, UK):
    Yeah, I've done it myself and a friend has too, both times been hacked :(

    How much is it? How much less likely is it to get hacked?
     
5. SPeedY_B ("I may actually be insane.", Midlands, England):
    I highly doubt it. phpBB is known for utter crap security; new exploits are frequently unearthed for it.

    I'd second the notion to use vBulletin.

    Alternatively, some free options I've previously used, are Phorum and PunBB.
     
6. LeeJend (Moderator, Fort Worth, TX):
    Numbers and cases are inadequate. You need to add punctuation and use the longest password possible. Even then a brute forcer on an AMD 64 will be able to get it eventually.

    Do you have security set properly?
    -Disable a login ID after 3 tries?
    -Are you sure you have killed all the default passwords and logins?
    -Are you positive there is not a rootkit on the server or your admin's systems?
    -Are you using insecure wireless to change the password? You could be getting intercepted. Use a (yuk) dial-up line or DSL to change the password. Cable and wifi are very insecure.
    -When you set the password are you using an encrypted connection?
     
7. X-Istence (* Political User, USA):
    No, it is not good. When it gets any load at all, it starts to slow down tremendously, as its SQL queries are badly formed and in general could be made a lot better, so that there are faster results as well as less load on MySQL. It is one of the major reasons that I have so many problems running MySQL properly. When asked to optimize, or why a site slows to a crawl on fast hardware, all they tell one to do is throw more hardware at it; this works, but it does not scale very well.

    IBF handles it a lot better, and makes use of MySQL, but at the same time has its queries in such a way that MySQL is not overwhelmed trying to get the information. This makes all the difference. IBF is a lot more friendly to getting stuff optimized as much as possible. They have worked with Neowin in the past to resolve bottlenecks, as well as with me personally for another site I administer, to get their queries so fine-tuned that throwing more hardware at the problem is not really an option; it has become a last resort.

    I have used both Phorum and PunBB; neither is really up to par with the others like IBF, vBulletin, or phpBB when it is not exploited.

    Read above for why I don't suggest vBulletin though.

    Disabling a login ID after 3 tries is not something phpBB has as standard, IIRC; if it does, it is a good thing to enable, but it does not help if the software can once again be exploited because of an SQL query that is not quoted properly.

    I'd like to hear your reasoning as to why cable is not very secure. Cable is just as secure as dialup or DSL. Wifi is secure as well, if WPA is used. All of them somehow end up on the internet anyway, in plain text, unless the connection is SSL. So using any one of them should not make a difference.
     
8. Geffy (Moderator, Folding Team, United Kingdom):
    Which version of phpBB are you running, then?
     
9. melon (MS-DOS 2.0, Political User, Ásgarðr):
    If you haven't updated your phpBB version to 2.0.18 (the latest), then you're vulnerable. There's absolutely no beating around the bush. Update now.

    And for those who bitch about their security, they've released updates ahead of each massive attack against their software; as such, anyone who has kept up with the updates has not been affected by any of these attacks.

    After you update, make sure to check for and remove any users who are not supposed to have administrative access (a vulnerability in obsolete versions of phpBB). Otherwise, you're still screwed.

    Melon
     
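Added illustration (editor's example, not phpBB's code and not something any poster wrote) tying together three posts above: LeeJend's "disable a login ID after 3 tries", X-Istence's point that a lockout is no help when "an SQL query that is not quoted properly" can be exploited, and melon's advice to hunt for admin accounts you never created after upgrading. phpBB is PHP on MySQL; this uses Python with an in-memory SQLite table as a stand-in, keeping phpBB 2's real column names (`user_id`, `username`, `user_password`, `user_level`, where 1 is the ADMIN level, and `user_password` held an unsalted md5). The sample rows, the injection payload, the `LoginGate` attempt counter and the `known_admins` list are constructed for this example and are not phpBB features.

```python
"""Why a strong password did not save the board: an unquoted query lets the
username field rewrite the SQL, so the password check never runs."""
import hashlib
import sqlite3

ADMIN_LEVEL = 1  # phpBB 2's ADMIN constant for user_level


def pw_hash(password: str) -> str:
    # phpBB 2 stored an unsalted md5 of the password; mirrored here only so the
    # vulnerable and fixed queries compare the same thing.
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the real admin with a strong password, a normal
    user, and an admin account an attacker planted on a compromised board."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT, "
        "user_password TEXT, user_level INTEGER)"
    )
    db.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?, ?)",
        [
            (2, "ray", pw_hash("Xk9#pL2!vQ7z"), ADMIN_LEVEL),
            (3, "alice", pw_hash("alicepw"), 0),
            (4, "h4x0r", pw_hash("pw"), ADMIN_LEVEL),  # planted by the attacker
        ],
    )
    return db


def login_vulnerable(db, username: str, password: str):
    """The 'SQL query that is not quoted properly' pattern: user input is
    pasted into the SQL text, so the username field can rewrite the query."""
    sql = (
        "SELECT user_id, user_level FROM phpbb_users "
        f"WHERE username = '{username}' AND user_password = '{pw_hash(password)}'"
    )
    return db.execute(sql).fetchone()


def login_fixed(db, username: str, password: str):
    """Same query with bound parameters: the values can never become SQL
    syntax, whatever characters they contain."""
    sql = "SELECT user_id, user_level FROM phpbb_users WHERE username = ? AND user_password = ?"
    return db.execute(sql, (username, pw_hash(password))).fetchone()


class LoginGate:
    """LeeJend's lockout, wrapped around either login function. Failures are
    counted per submitted username (an assumption of this example)."""

    def __init__(self, db, login_fn, max_tries: int = 3):
        self.db, self.login_fn, self.max_tries = db, login_fn, max_tries
        self.failures = {}

    def attempt(self, username: str, password: str) -> str:
        if self.failures.get(username, 0) >= self.max_tries:
            return "locked"
        row = self.login_fn(self.db, username, password)
        if row is None:
            self.failures[username] = self.failures.get(username, 0) + 1
            return "denied"
        self.failures.pop(username, None)
        return "admin" if row[1] == ADMIN_LEVEL else "user"


def unexpected_admins(db, known_admins) -> list:
    """melon's post-upgrade check: every admin-level account the board owner
    did not create. Run it after the upgrade and again a few days later."""
    rows = db.execute(
        "SELECT username FROM phpbb_users WHERE user_level = ?", (ADMIN_LEVEL,)
    ).fetchall()
    return sorted(u for (u,) in rows if u not in known_admins)


if __name__ == "__main__":
    db = make_db()
    # "-- " closes the username literal and comments out the password check:
    # one request, no guessing, so a per-account lockout never even triggers.
    payload = "ray' -- "
    print(login_vulnerable(db, payload, "anything"))                    # (2, 1)
    print(login_fixed(db, payload, "anything"))                         # None
    print(LoginGate(db, login_vulnerable).attempt(payload, "anything"))  # admin
    print(unexpected_admins(db, {"ray"}))                               # ['h4x0r']
```

The gate does exactly what LeeJend asks for and still loses: the injected login succeeds on the first try, so the counter never reaches three, and the counter is keyed on the submitted string rather than the account it unlocks. Against the parameterized query the same payload is just an unknown username, and three wrong guesses for `ray` lock the account as intended. The audit query is the part to keep around; an attacker who got in through the code, not the password, usually leaves a second admin so the upgrade does not lock them out.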
10. vern (Dominus, Political User, Folding Team, Minnesota, USA):
    phpBB has security holes all over the place. We switched from phpBB to SMF at istorya.net/forums.

    SMF - www.simplemachines.org

    They have a converter from phpBB to SMF, and converting is painless.
     
11. melon (MS-DOS 2.0, Political User, Ásgarðr):
    Well, I don't know enough about SMF one way or another. If they get enough users, I'm sure the hackers will start nitpicking their code too.

    My point was just that those who do choose to use phpBB have been provided with timely patches before every major hack attack on those boards. There just happens to be a lot of people who haven't bothered to upgrade until their board is trashed, and their support forums reflect that. Those who have upgraded their board in a timely manner have survived. It's not like it's an unsupported forum software, that's all.

    Melon
     
12. ray_gillespie (Moderator, Staff Member, Political User, Birmingham, UK):
    Well, thanks for all the replies. Our webmaster upgraded to the latest version yesterday but accidentally wiped the whole thing! So essentially this will be the best time to look for alternative software. I think we may go with vBulletin, depending on how much it costs; if OSNN uses it then it must be pretty good! Anyway, thanks for all your helpful comments.
     
13. kcnychief (█▄█ ▀█▄ █, Political User, Folding Team, Massachusetts):
    Uh, if your "webmaster", and I use that term loosely, wiped out your whole DB when doing an upgrade, the FIRST thing you should do is look for a new webmaster. Not sure how much data, if any, you had up there, but that is pathetic. I really hope you aren't paying him much....
     
14. melon (MS-DOS 2.0, Political User, Ásgarðr):
    Yeah. I'd double check to see if he just wiped out the software completely or if he also destroyed the entire MySQL database that drives it. If it was just the software, you could use it to do a fresh phpBB installation or use a converter to change it to another forum format (like vBulletin). If you or the webmaster have any backups of the database (even if they are old), you could, at least, not have to start from scratch.

    Melon
     
15. ray_gillespie (Moderator, Staff Member, Political User, Birmingham, UK):
    Oh no, he's not being paid or anything, just doing it voluntarily. We might be able to restore from my copy of the /forum folder, but he's not sure; anyway, this is a good excuse to change BB software, so we'll probably just leave it :)
    How do converters work, BTW? If I was gonna use vBulletin, what would I need to convert it?
     
16. kcnychief (█▄█ ▀█▄ █, Political User, Folding Team, Massachusetts):
    I am toying with phpBB on a very small scale atm, but plan on using it full time eventually. What version were you using when it got "hacked"? Was it 2.18?
     
17. X-Istence (* Political User, USA):
    vBulletin comes with a bunch of PHP scripts to convert your phpBB forum to a new format, theirs. You need two MySQL databases, one with your phpBB stuff in it, the other with the new vBulletin stuff in it. If you do purchase vBulletin, you can get support on their forums for help.

    I would still personally suggest IPB (http://www.invisionpower.com/ip.dynamic/products/board/index.html).
     
18. kcnychief (█▄█ ▀█▄ █, Political User, Folding Team, Massachusetts):
    I'm switching to IPB myself, it seems great so far :)