Help! My forum hacked!

ray_gillespie

Hi,
I've got a forum that uses phpbb software, and it has been hacked twice in a week. We're using a pretty good password (i.e. numbers/cases etc) but it's still being hacked, and we can't go on using this software if it is so open to hacking. Can anyone suggest either a remedy or a replacement as it's driving me crazy! Reps for anyone that can help, thanks :nervous:
 
Are you sure that whoever is placing the password on the forum does not have a keylogger or rootkit on their PC?
 
Yeah, I've done it myself and a friend has too; both times it's been hacked :(

GoNz0 said:
vBulletin Version 3.5.2

got to pay, but it's good :)

How much is it? How much less likely is it to get hacked?
 
American Zombie said:
Are you sure that whoever is placing the password on the forum does not have a keylogger or rootkit on their PC?
I highly doubt it. phpBB is known for utter crap security, new exploits are quite often and frequently unearthed for it.

I'd second the notion to use vBulletin.

Alternatively, some free options I've previously used, are Phorum and PunBB.
 
Numbers and cases are inadequate. You need to add punctuation and use the longest password possible. Even then a brute forcer on an AMD 64 will be able to get it eventually.

Do you have security set properly?
-Disable a login ID after 3 tries?
-Are you sure you have killed all the default passwords and logins?
-Are you positive there is not a rootkit on the server or your admin's systems?
-Are you using insecure wireless to change the password? You could be getting intercepted. Use a (yuk) dial up line or DSL to change the password. Cable and wifi are very insecure.
-When you set the password are you using an encrypted connection?
 
GoNz0 said:
vBulletin Version 3.5.2

got to pay, but it's good :)

No, it is not good. When it gets any load to it at all, it starts to slow down tremendously as its SQL queries are badly formed, and in general could be made a lot better so that there are faster results, as well as less load on MySQL. It is one of the major reasons that I have so many problems running MySQL properly. When asked to optimize, or why a site slows to a crawl on fast hardware, all they tell one to do is throw more hardware at it; this works, but it does not scale very well.

IBF handles it a lot better, and makes use of MySQL, but at the same time, has its queries in such a way that MySQL is not overwhelmed trying to get the information. This makes all the difference. IBF is a lot more friendly to getting stuff optimized as much as possible. They have worked with Neowin in the past to resolve bottlenecks, as well as with me personally for another site I administrate, to get their queries so fine tuned that throwing more hardware at the problem is not really an option; it has become a last resort.

SPeedY_B said:
I highly doubt it. phpBB is known for utter crap security, new exploits are quite often and frequently unearthed for it.

I'd second the notion to use vBulletin.

Alternatively, some free options I've previously used, are Phorum and PunBB.

I have used both Phorum and PunBB; both are not really up to par with the others like IBF, vBulletin, and/or phpBB when it is not exploited.

Read above for why I don't suggest vBulletin though.

LeeJend said:
Numbers and cases are inadequate. You need to add punctuation and use the longest password possible. Even then a brute forcer on an AMD 64 will be able to get it eventually.

Do you have security set properly?
-Disable a login ID after 3 tries?
-Are you sure you have killed all the default passwords and logins?
-Are you positive there is not a rootkit on the server or your admin's systems?
-Are you using insecure wireless to change the password? You could be getting intercepted. Use a (yuk) dial up line or DSL to change the password. Cable and wifi are very insecure.
-When you set the password are you using an encrypted connection?

Disabling a login ID after 3 tries is not something phpBB has as standard, IIRC. If it does, it is a good thing to enable, but it does not help if the board is once again able to be exploited because of an SQL query that is not quoted properly.

I'd like to hear your reasoning as to why cable is not very secure. Cable is just as secure as dialup and/or DSL. Wifi is secure as well, if WPA is used. All of them somehow end up on the internet anyway, in plain text, unless the connection is SSL. So using any one of them should not make a difference.
 
If you haven't updated your phpBB version to 2.0.18 (the latest), then you're vulnerable. There's absolutely no beating around the bush. Update now.

And for those who bitch about their security, they've released updates ahead of each massive attack against their software; as such, anyone who has kept up with the updates has not been affected by any of these attacks.

After you update, make sure to check for and remove any users who are not supposed to have administrative access (a vulnerability in obsolete versions of phpBB). Otherwise, you're still screwed.

Melon
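An added illustration (not code from any poster or from phpBB) of the three points made in this thread: a lookup that splices the username into the SQL text beside its parameterised form, a per-account counter that disables the login after 3 failed tries, and an admin-level audit of the kind Melon recommends after upgrading. The table layout, column names and the admin level value are assumptions for this example, not phpBB's real schema.

```python
import hashlib, hmac, os, sqlite3
# Constructed in-memory table loosely modelled on a forum's users table; the
# column names and the admin level value are assumptions, not phpBB's schema.
SCHEMA = ("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
          " user_level INTEGER DEFAULT 0, failed_logins INTEGER DEFAULT 0)")
MAX_TRIES = 3     # "disable a login ID after 3 tries"
ADMIN_LEVEL = 1   # assumed meaning: administrator
def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_db(users):
    # users: iterable of (username, password, level) tuples (constructed sample data)
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for name, pw, level in users:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, 0)",
                     (name, salt, hash_pw(pw, salt), level))
    return conn

def unsafe_lookup(conn, username):
    # The bug class from the thread: user input is spliced into the SQL text,
    # so a quote in the username is parsed as SQL (here it causes a syntax error).
    return conn.execute("SELECT username FROM users WHERE username = '"
                        + username + "'").fetchone()

def safe_lookup(conn, username):
    # Hardened form: the value is bound as a parameter and never parsed as SQL.
    return conn.execute("SELECT username, salt, pw_hash, failed_logins FROM users"
                        " WHERE username = ?", (username,)).fetchone()

def login(conn, username, password):
    """Returns 'ok', 'locked' or 'denied'; failures are counted per account."""
    row = safe_lookup(conn, username)
    if row is None:
        return "denied"
    name, salt, pw_hash, failed = row
    if failed >= MAX_TRIES:
        return "locked"          # stays locked until an admin resets the counter
    if hmac.compare_digest(pw_hash, hash_pw(password, salt)):
        conn.execute("UPDATE users SET failed_logins = 0 WHERE username = ?", (name,))
        return "ok"
    conn.execute("UPDATE users SET failed_logins = failed_logins + 1"
                 " WHERE username = ?", (name,))
    return "denied"

def audit_admins(conn):
    """Accounts holding admin level, to compare against the list you expect."""
    return [r[0] for r in conn.execute("SELECT username FROM users WHERE"
            " user_level = ? ORDER BY username", (ADMIN_LEVEL,))]
```

A username such as o'brien makes unsafe_lookup raise a database error while safe_lookup returns the row; if an upgrade is skipped, the lockout counter does nothing against that first path.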
 
phpBB has security holes all over the place. We switched from phpBB to SMF at istorya.net/forums.

SMF - www.simplemachines.org

They have a converter from phpBB to SMF and converting is painless.
 
Well, I don't know enough about SMF one way or another. If they get enough users, I'm sure the hackers will start nitpicking their code too.

My point was just that those who do choose to use phpBB have been provided with timely patches before every major hack attack on those boards. There just happens to be a lot of people who haven't bothered to upgrade until their board is trashed, and their support forums reflect that. Those who have upgraded their board in a timely manner have survived. It's not like it's an unsupported forum software, that's all.

Melon
 
Well, thanks for all the replies. Our webmaster upgraded to the latest version yesterday but accidentally wiped the whole thing! So essentially, this will be the best time to look for alternative software. I think we may go with vBulletin, depending on how much it costs; if OSNN uses it then it must be pretty good! Anyway, thanks for all your helpful comments.
 
ray_gillespie said:
Well, thanks for all the replies. Our webmaster upgraded to the latest version yesterday but accidentally wiped the whole thing! So essentially, this will be the best time to look for alternative software. I think we may go with vBulletin, depending on how much it costs; if OSNN uses it then it must be pretty good! Anyway, thanks for all your helpful comments.

Uh, if your "webmaster", and I use that term loosely, wiped out your whole DB when doing an upgrade, the FIRST thing you should do is look for a new webmaster. Not sure how much data, if any, you had up there, but that is pathetic. I really hope you aren't paying him much....
 
kcnychief said:
Uh, if your "webmaster", and I use that term loosely, wiped out your whole DB when doing an upgrade, the FIRST thing you should do is look for a new webmaster. Not sure how much data, if any, you had up there, but that is pathetic. I really hope you aren't paying him much....

Yeah. I'd double check to see if he just wiped out the software completely or if he also destroyed the entire MySQL database that drives it. If it was just the software, you could use it to do a fresh phpBB installation or use a converter to change it to another forum format (like vBulletin). If you or the webmaster have any backups of the database (even if they are old), you could, at least, not have to start from scratch.

Melon
 
Oh no, he's not being paid or anything, just doing it voluntarily. We might be able to restore from my copy of the /forum folder but he's not sure, but anyway this is a good excuse to change bb software so we'll probably just leave it :)
How do converters work BTW? If I was gonna use vBulletin, what would I need to convert it?
 
I am toying with phpbb on a very small scale atm, but plan on using it full time eventually. What version were you using when it got "hacked", was it 2.18?
 
ray_gillespie said:
Oh no, he's not being paid or anything, just doing it voluntarily. We might be able to restore from my copy of the /forum folder but he's not sure, but anyway this is a good excuse to change bb software so we'll probably just leave it :)
How do converters work BTW? If I was gonna use vBulletin, what would I need to convert it?

vBulletin comes with a bunch of PHP scripts to convert your phpBB forum to a new format, theirs. You need two MySQL databases, one with your phpBB stuff in it, the other with the new vBulletin stuff in it. If you do purchase vBulletin, you can get support on their forums for help.

I would still personally suggest IPB (http://www.invisionpower.com/ip.dynamic/products/board/index.html).
 
