
Help! My forum hacked!

ray_gillespie

OSNN Veteran Addict
Political User
#1
Hi,
I've got a forum that uses phpbb software, and it has been hacked twice in a week. We're using a pretty good password (i.e. numbers/cases etc) but it's still being hacked, and we can't go on using this software if it is so open to hacking. Can anyone suggest either a remedy or a replacement as it's driving me crazy! Reps for anyone that can help, thanks :nervous:
 

SPeedY_B

I may actually be insane.
#5
American Zombie said:
Are you sure that whoever is placing the password on the forum does not have a keylogger or rootkit on their PC?
I highly doubt it. phpBB is known for utter crap security, new exploits are quite often and frequently unearthed for it.

I'd second the notion to use vBulletin.

Alternatively, some free options I've previously used are Phorum and PunBB.
 
LeeJend

#6
Numbers and cases are inadequate. You need to add punctuation and use the longest password possible. Even then a brute forcer on an AMD 64 will be able to get it eventually.

Do you have security set properly?
-Disable a login ID after 3 tries?
-Are you sure you have killed all the default passwords and logins?
-Are you positive there is not a rootkit on the server or your admin's systems?
-Are you using insecure wireless to change the password? You could be getting intercepted. Use a (yuk) dial up line or DSL to change the password. Cable and wifi are very insecure.
-When you set the password are you using an encrypted connection?
 

X-Istence

*
Political User
#7
GoNz0 said:
vBulletin Version 3.5.2

got to pay, but its good :)
No, it is not good. When it gets any load to it at all, it starts to slow down tremendously as its SQL queries are badly formed, and in general could be made a lot better so that there are faster results, as well as less load on MySQL. It is one of the major reasons that I have so many problems running MySQL properly. When asked to optimize, or why a site slows to a crawl on fast hardware, all they tell one to do is throw more hardware at it; this works, but it does not scale very well.

IBF handles it a lot better, and makes use of MySQL, but at the same time has its queries in such a way that MySQL is not overwhelmed trying to get the information. This makes all the difference. IBF is a lot more friendly to getting stuff optimized as much as possible. They have worked with Neowin in the past to resolve bottlenecks, as well as with me personally for another site I administrate for, to get their queries so fine tuned that throwing more hardware at the problem is not really an option; it has become a last resort.

SPeedY_B said:
I highly doubt it. phpBB is known for utter crap security, new exploits are quite often and frequently unearthed for it.

I'd second the notion to use vBulletin.

Alternatively, some free options I've previously used are Phorum and PunBB.
I have used both Phorum and PunBB; both are not really up to par with the others like IBF, vBulletin, and/or phpBB when it is not exploited.

Read above for why I don't suggest vBulletin though.

LeeJend said:
Numbers and cases are inadequate. You need to add punctuation and use the longest password possible. Even then a brute forcer on an AMD 64 will be able to get it eventually.

Do you have security set properly?
-Disable a login ID after 3 tries?
-Are you sure you have killed all the default passwords and logins?
-Are you positive there is not a rootkit on the server or your admin's systems?
-Are you using insecure wireless to change the password? You could be getting intercepted. Use a (yuk) dial up line or DSL to change the password. Cable and wifi are very insecure.
-When you set the password are you using an encrypted connection?
Disabling a login ID after 3 tries is not something phpBB has as standard, IIRC; if it does, it is a good thing to enable, but it does not help if it once again is able to be exploited because of an SQL query that is not quoted properly.

I'd like to hear your reasoning as to why cable is not very secure. Cable is just as secure as dialup and/or DSL. Wifi is secure as well, if WPA is used. All of them somehow end up on the internet anyways, in plain text, unless the connection is SSL. So using any one of them should not make a difference.
 
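Added example (not from the thread or from phpBB): two defects the replies above point at, side by side. LeeJend asks whether a login ID is disabled after 3 failed tries, and X-Istence notes that a lockout does not help when a query is not quoted properly. The block below uses an in-memory SQLite table standing in for a forum's user table; the table layout, the `MAX_ATTEMPTS` constant, the placeholder salt and all sample users are constructed assumptions for the demonstration, and the salted SHA-256 is a placeholder for whatever slow password hash a real forum would use.

```python
import hashlib
import hmac
import sqlite3

MAX_ATTEMPTS = 3  # constructed policy: lock the account on the third failure


def hash_pw(pw):
    # Placeholder salted SHA-256; a real forum should use a slow, per-user-salted hash.
    return hashlib.sha256(b"constructed-salt" + pw.encode()).hexdigest()


def make_db():
    """Constructed user table: one admin plus a user whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, "
        "failed INTEGER NOT NULL DEFAULT 0, locked INTEGER NOT NULL DEFAULT 0)"
    )
    # Inserting through parameters keeps the apostrophe in o'brien as data, not syntax.
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("admin", hash_pw("Correct-Horse-7!")), ("o'brien", hash_pw("another-pass"))],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect the thread describes: user input spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The input has become part of the SQL grammar: that is the injection bug,
        # visible here as a syntax error rather than as a successful lookup.
        return ["ERROR: " + str(exc)]


def lookup_safe(conn, username):
    """Hardened form: the driver binds the value, so quoting inside it is inert."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def login(conn, username, password):
    """Parameterized credential check with a per-account failed-attempt lockout."""
    row = conn.execute(
        "SELECT pw_hash, failed, locked FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return "no_such_user"
    pw_hash, failed, locked = row
    if locked:
        return "locked"
    if hmac.compare_digest(pw_hash, hash_pw(password)):
        conn.execute("UPDATE users SET failed = 0 WHERE username = ?", (username,))
        conn.commit()
        return "ok"
    failed += 1
    now_locked = int(failed >= MAX_ATTEMPTS)
    conn.execute(
        "UPDATE users SET failed = ?, locked = ? WHERE username = ?",
        (failed, now_locked, username),
    )
    conn.commit()
    return "locked" if now_locked else "bad_password"
```

The string-built lookup fails as soon as a legitimate username contains an apostrophe, which is the same property that lets crafted input change the query; the bound-parameter version handles that name correctly and is the fix the thread is alluding to. The lockout counter is kept on the account row, so note that it also lets anyone who knows an admin's login name lock that admin out; a deployment would pair it with a time-based reset or a per-source-address counter.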

melon

MS-DOS 2.0
Political User
#9
If you haven't updated your phpBB version to 2.0.18 (the latest), then you're vulnerable. There's absolutely no beating around the bush. Update now.

And for those who bitch about their security, they've released updates ahead of each massive attack against their software; as such, anyone who has kept up with the updates has not been affected by any of these attacks.

After you update, make sure to check for and remove any users who are not supposed to have administrative access (a vulnerability in obsolete versions of phpBB). Otherwise, you're still screwed.

Melon
 

melon

MS-DOS 2.0
Political User
#11
Well, I don't know enough about SMF one way or another. If they get enough users, I'm sure the hackers will start nitpicking their code too.

My point was just that those who do choose to use phpBB have been provided with timely patches before every major hack attack on those boards. There just happens to be a lot of people who haven't bothered to upgrade until their board is trashed, and their support forums reflect that. Those who have upgraded their board in a timely manner have survived. It's not like it's an unsupported forum software, that's all.

Melon
 

ray_gillespie

OSNN Veteran Addict
Political User
#12
Well, thanks for all the replies. Our webmaster upgraded to the latest version yesterday but accidentally wiped the whole thing! So essentially, this will be the best time to look for alternative software. I think we may go with vBulletin, depending on how much it costs; if OSNN uses it then it must be pretty good! Anyway, thanks for all your helpful comments.
 

kcnychief

█▄█ ▀█▄ █
Political User
#13
ray_gillespie said:
Well, thanks for all the replies. Our webmaster upgraded to the latest version yesterday but accidentally wiped the whole thing! So essentially, this will be the best time to look for alternative software. I think we may go with vBulletin, depending on how much it costs; if OSNN uses it then it must be pretty good! Anyway, thanks for all your helpful comments.
Uh, if your "webmaster", and I use that term loosely, wiped out your whole DB when doing an upgrade, the FIRST thing you should do is look for a new webmaster. Not sure how much data, if any, you had up there, but that is pathetic. I really hope you aren't paying him much....
 

melon

MS-DOS 2.0
Political User
#14
kcnychief said:
Uh, if your "webmaster", and I use that term loosely, wiped out your whole DB when doing an upgrade, the FIRST thing you should do is look for a new webmaster. Not sure how much data, if any, you had up there, but that is pathetic. I really hope you aren't paying him much....
Yeah. I'd double check to see if he just wiped out the software completely or if he also destroyed the entire MySQL database that drives it. If it was just the software, you could use it to do a fresh phpBB installation or use a converter to change it to another forum format (like vBulletin). If you or the webmaster have any backups of the database (even if they are old), you could, at least, not have to start from scratch.

Melon
 

ray_gillespie

OSNN Veteran Addict
Political User
#15
Oh no, he's not being paid or anything, just doing it voluntarily. We might be able to restore from my copy of the /forum folder but he's not sure, but anyway this is a good excuse to change bb software so we'll probably just leave it :)
How do converters work BTW? If I was gonna use vBulletin, what would I need to convert it?
 

kcnychief

█▄█ ▀█▄ █
Political User
#16
I am toying with phpbb on a very small scale atm, but plan on using it full time eventually. What version were you using when it got "hacked", was it 2.18?
 

X-Istence

*
Political User
#17
ray_gillespie said:
Oh no, he's not being paid or anything, just doing it voluntarily. We might be able to restore from my copy of the /forum folder but he's not sure, but anyway this is a good excuse to change bb software so we'll probably just leave it :)
How do converters work BTW? If I was gonna use vBulletin, what would I need to convert it?

vBulletin comes with a bunch of PHP scripts to convert your phpBB forum to a new format, theirs. You need two MySQL databases, one with your phpBB stuff in it, the other with the new vBulletin stuff in it. If you do purchase vBulletin, you can get support on their forums for help.

I would still personally suggest IPB (http://www.invisionpower.com/ip.dynamic/products/board/index.html).
 
