Community Building and User Generated Content Forum

Important phpBB security upgrade
phpBB 2.0.11 released
encyclo




msg:1562500
 4:11 pm on Nov 20, 2004 (gmt 0)

Just a quick heads-up to all of you running a phpBB forum: there is a very serious security vulnerability in all versions of phpBB up to and including version 2.0.10.

The latest version (2.0.11) is now available from phpbb.com which corrects the problem, so you need to update your installation as soon as possible.

If you can't update straight away, at least apply the fix as described here:

[phpbb.com...]

If you don't update and you subsequently have problems, don't say we didn't warn you ;)

 

eaden




msg:1562501
 11:36 pm on Nov 24, 2004 (gmt 0)

Yep, very very serious. I missed this one; thankfully they didn't wipe my server (yes, that's how serious). I'd guess almost every PHP webserver has at least one copy of phpBB installed. I think this should go front page because of the seriousness; if this doesn't get done there could be a load of zombies out there waiting to do a lot of damage.

Slade




msg:1562502
 11:51 pm on Nov 24, 2004 (gmt 0)

I'm digging through their website right now, but does anyone know how to tell if your board's already been hacked?

androidtech




msg:1562503
 11:51 pm on Nov 24, 2004 (gmt 0)

Be careful: some of the hacked forum owners had their config.php files scanned, giving the hacker access to the root MySQL database username and password for their account.

Thanks.

eaden




msg:1562504
 12:17 am on Nov 25, 2004 (gmt 0)

Search through your logfiles for lines with "viewtopic" and "system" in them, and a whole bunch of characters like 252echr(110)%252echr(97)%252echr(109)%252echr(101))%252e%25

On one of my forums I've had 318 different attempts. Now I have to work out what they did, and how to clean it up.
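A small log scanner that does what eaden describes, as an added example rather than anything posted in the thread. It assumes Apache combined log format and the sample log lines are constructed for the demonstration. It goes a little beyond a plain grep: it strips the repeated percent-encoding from the highlight parameter (the %2527 / %252e seen in the thread decodes to a quote and a dot only after a second pass), flags only code-shaped content (a system( call or a run of chr(N) calls), so an ordinary search that highlights the word "system" is not reported, and tallies attempts per client IP, which is the question several later posts ask about their own logs.

```python
"""Scan Apache-style access logs for the viewtopic.php highlight injection pattern."""
import re
from collections import Counter, namedtuple
from urllib.parse import parse_qs, unquote, urlsplit

Finding = namedtuple("Finding", "ip timestamp decoded_highlight")

# Constructed sample lines (not from the thread). Lines 1-3 carry injected code in the
# highlight parameter; line 4 is a legitimate search that merely highlights "system";
# line 5 is unrelated traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Nov/2004:22:41:07 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252esystem(chr(...))%252echr(110)%252echr(97)%252echr(109)%252echr(101))%252e%2527 HTTP/1.1" 200 5122 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Nov/2004:22:41:09 +0000] "GET /forum/viewtopic.php?t=13&highlight=%2527%252esystem(...)%252e%2527 HTTP/1.1" 200 5122 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Nov/2004:22:50:12 +0000] "GET /forum/viewtopic.php?t=14&highlight=%2527%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252e%2527 HTTP/1.1" 200 4980 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Nov/2004:22:51:00 +0000] "GET /forum/viewtopic.php?t=15&highlight=system HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2004:22:52:30 +0000] "GET /forum/index.php HTTP/1.1" 200 9102 "-" "Mozilla/5.0"
"""

# Combined/common log format: client IP, identd, user, [timestamp], "METHOD target PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Code-shaped content: a system() call, or chr(N) calls used to spell out strings.
# A bare word such as "system" (a normal search term) deliberately does not match.
INJECTION_RE = re.compile(r"system\s*\(|chr\(\d+\)", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding (%2527 -> %27 -> ') until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a Finding if the line is a viewtopic.php request with injected code, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/viewtopic.php"):
        return None
    # parse_qs removes one layer of encoding; fully_decode strips the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        decoded = fully_decode(raw)
        if INJECTION_RE.search(decoded):
            return Finding(m.group("ip"), m.group("ts"), decoded)
    return None


def scan_log(text):
    """All findings in a log file's text, in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def attempts_per_ip(findings):
    """How many flagged requests each client IP sent."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.ip} {hit.timestamp} highlight={hit.decoded_highlight!r}")
    for ip, count in attempts_per_ip(hits).most_common():
        print(f"{ip}: {count} attempt(s)")
```

Run it over a real log with `scan_log(open(path).read())`. A hit only tells you that the payload reached viewtopic.php; whether it ran is a separate question, which is why the posts above pair the log check with a look for unfamiliar files on the server and a full reinstall if anything is found.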

eaden




msg:1562505
 12:26 am on Nov 25, 2004 (gmt 0)

Found 2 different shellkits so far. If you are just hosting on someone else's server, get your hosting provider to check their server if you see those lines in your logs, as if you do not have root access it is out of your hands.

encyclo




msg:1562506
 1:03 am on Nov 25, 2004 (gmt 0)

eaden, I don't think you're the only one: there are hacking attempts galore going on at the moment. The patch came out last Thursday, but despite supposedly being on the release mailing list I wasn't notified and only happened upon it by chance last Saturday.

If your board was hacked, it's probably better to disable the board and reinstall from scratch, patching a known good backup at least. I don't know how much the database could be affected, but at worst you'll have to roll back to a backup from last week even if that means losing a week's postings. androidtech's right also: I would certainly change the database name and password too.

Good luck!

eaden




msg:1562507
 1:08 am on Nov 25, 2004 (gmt 0)

The problem is, on a shared host using a standard/common configuration, if anyone on your host is running phpBB and you have any database-driven site, your database passwords could be revealed by looking at config files.

Also, the person who notified me about this said patching is NOT enough, and you must install the full 2.0.11.

encyclo




msg:1562508
 1:37 am on Nov 25, 2004 (gmt 0)

patching is NOT enough

Just doing the one-line patch as described in the link in my original message is a short-term fix, but not a long-term solution. The full patch file downloadable from the phpbb.com website is however sufficient for fully fixing the hole, as it includes all the file changes from the full 2.0.11 version.

It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.

eaden




msg:1562509
 1:43 am on Nov 25, 2004 (gmt 0)

It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.

The exploits being used gain a shell as the web server user. It's not a permissions issue, as if you have a shell as the web server user you can read any file in the web directories. The web server *has* to be able to read all the web files, else PHP can't open them.

EliteWeb




msg:1562510
 2:26 am on Nov 25, 2004 (gmt 0)

Yeah, think of it like this: a user can become admin and, wammo, download your database, then create a site based off your content or spam your users... so fix it, and fast ;)

Robert Charlton




msg:1562511
 3:01 am on Dec 10, 2004 (gmt 0)

A software support phpBB board was hacked while I was posting... a strange and sad experience. When I tried to post, I got a message that the thread did not exist, and, when I checked further, it didn't. In fact, all threads on the board had disappeared.

There was a note on the board... that it had been "hacked by Frosty-E"... with one thread for members to discuss how the board had been hacked. Really disgusting.

It occurred to me that a warning to the phpBB community might be in order. I don't know whether this is old news or not, but I thought I'd share it just in case.

rogerd




msg:1562512
 3:39 am on Dec 10, 2004 (gmt 0)

There was a thread about an important phpBB security upgrade [webmasterworld.com] not long ago... no doubt there are plenty of boards that haven't patched yet.

Slade




msg:1562513
 3:42 am on Dec 10, 2004 (gmt 0)

There was a vulnerability found in at least one version of phpbb last week or so.

I didn't know about it either until after I noted something odd in my logs.

I can't recall if it was brought up on this board or not, but I did see it somewhere else. It is known, but given that not everyone is registered on the announcement list (I'm still not), it can be overlooked.

vkaryl




msg:1562514
 4:16 am on Dec 10, 2004 (gmt 0)

Thanks much Robert Charlton. I was away when this occurred and was discussed initially, so I'm very glad you posted! In process of downloading 2.0.11 right now, already installed the temp fix....

Robert Charlton




msg:1562515
 10:42 pm on Dec 10, 2004 (gmt 0)

Hey, folks... I'm freaked. It's just happened again, while I was posting to another forum. I logged onto the forum and was composing my message offline. When I clicked the post link, I got a 404.

I don't think that I could be transmitting any sort of Spyware, but I'm not sure. I'm in the process of moving over to a new machine, so I've been lax about updating Spybot... and I'm using a dial-up until I build my new machine, so don't yet have a firewall.

Since I run PocoMail and have Active-X disabled, with several levels of email virus screening, I've figured I can't do much harm. I promise I won't visit your phpBB boards.

Just coincidence, or could something else be going on? Am about to update Spybot right now.

eurotrash




msg:1562516
 12:07 am on Dec 11, 2004 (gmt 0)

A local community activism one went down here in Edinburgh as well yesterday.

Robert Charlton




msg:1562517
 2:34 am on Dec 11, 2004 (gmt 0)

Freshly updated Spybot Search and Destroy says I'm clean, and report from one board owner suggests it wasn't connected to my log-on. I'm guessing there must be a lot of hacks going on right now. This is either an epidemic or a very weird coincidence.

Maybe the original thread should get moved to the home page. Half the people I've talked to with phpBB boards have already gotten hit.

fcharrua




msg:1562518
 7:37 am on Dec 11, 2004 (gmt 0)

I have a solution to this problem. Build your own software and stop depending on 3rd party stuff. It's not like I'm asking people to build entire OSes from scratch. I'm talking web applications. Programmers make computer languages that are more accessible, and people turn around and get lazier...

my 2 cents

lawman




msg:1562519
 11:03 am on Dec 11, 2004 (gmt 0)

Hello fcharrua:

Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)

lawman

surfgatinho




msg:1562520
 12:18 pm on Dec 11, 2004 (gmt 0)

Does anyone know if this affects phpBB on PostNuke and PHPNuke installations?

mikeD




msg:1562521
 12:21 pm on Dec 11, 2004 (gmt 0)

When I installed phpBB it got hacked every time, which was maybe 5 times.

Not good.

ronin




msg:1562522
 12:58 pm on Dec 11, 2004 (gmt 0)

fcharrua's solution is the ideal but also idealistic.

I would be happy to use phpBB but can't at present since my site is hosted on a Win2K box. Instead I am using a third-party hosted BB which is backed up by the company which provides it.

Furthermore if it ever gets hacked - it was once - it's their server that gets hacked not mine.

The obvious downside though is that it's not free, it's a subscription service.

jwarren93




msg:1562523
 2:54 pm on Dec 11, 2004 (gmt 0)

Does anyone know if this affects phpBB on PostNuke and PHPNuke installations?

I believe it does, came across a thread on the phpbb forum about it days ago. Better to be safe than sorry, upgrade!

fcharrua




msg:1562524
 4:41 pm on Dec 11, 2004 (gmt 0)

Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)

I would say: If you asked someone for the time on a regular basis, and on occasions, that person gives you the wrong time of day, would you go out and buy your own watch? ~_^

AhmedF




msg:1562525
 10:52 pm on Dec 11, 2004 (gmt 0)

My own simple solution is to disable wget except for root. I was hit before with another exploit, and what many do is they wget a remote file to exploit your system. As long as you block wget from being used it blocks a lot of their crap :)

lawman




msg:1562526
 11:07 pm on Dec 11, 2004 (gmt 0)

Sorry fcharrua, my bad. I should have said "when someone asks you for the time, do you tell them to build their own clock." :)

wheel




msg:1562527
 5:38 pm on Dec 12, 2004 (gmt 0)

My forum was hacked a couple of weeks ago using this. Could'a been serious (5-10K users, 750K posts, dedicated server). Instead all they did was post a thread with my userid titled 'HACKED' and pointed a URL to the fix. They made their point :).

As a result, along with a couple of other changes I'm:
- moving to vbulletin
- starting with a freshly wiped server and simply upgrading the database to the new forum program

carneddau




msg:1562528
 8:16 pm on Dec 12, 2004 (gmt 0)

Hi,

I've found a number of attempts in my log files coming from a few different IPs. However, it doesn't look like anything's been changed. I've applied the patch now and will upgrade to the latest version ASAP.

What's the worst that could happen from this? A wiped forum DB? Root access?

Cheers

helenp




msg:1562529
 9:54 pm on Dec 12, 2004 (gmt 0)

Seems very serious,
today I received this e-mail from my host:

[Summary: Due to phpBB exploits that could crash the server running phpBB, the host is suspending accounts running phpBB until the software is upgraded for each account.]

[edited by: rogerd at 7:12 pm (utc) on Dec. 13, 2004]
[edit reason] e-mail quote [/edit]

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved