Community Building and User Generated Content Forum

    
phpbb2 forum registration question
d_sprague

5+ Year Member



 
Msg#: 338 posted 5:58 pm on Feb 11, 2005 (gmt 0)

howdy ... recently we ( <snip> ) had a user join our phpBB2 2.0.11 forum, but i can't see a POST request in the server log. the only log entries for /phpBB2/profile.php on that date showed a microsoft IP and msnbot references ...

how can a user register without a POST /phpBB2/profile.php...?

thanks for any help ...

[edited by: engine at 4:53 pm (utc) on Feb. 14, 2005]
[edit reason] TOS [webmasterworld.com] [/edit]

 

Dave_Palmer

10+ Year Member



 
Msg#: 338 posted 7:58 pm on Feb 11, 2005 (gmt 0)

That's odd ... assuming the registrant didn't manage to pull off direct db access, you should see *something* in the log corresponding to the registration.

I notice your forums show they're running 2.08, but your post here says 2.011. You should probably double-check to be absolutely sure you don't have the highlight vulnerability issue.

Good luck,

Dave

d_sprague

5+ Year Member



 
Msg#: 338 posted 4:33 pm on Feb 14, 2005 (gmt 0)

the user registered at 4:02am ( from the date in the db ) but our log has no entries from midnight to after 4 am for that date and the next two days.

the changes to 2.0.11 were applied, but the php version in config was not updated until recently.

Dave_Palmer

10+ Year Member



 
Msg#: 338 posted 4:47 pm on Feb 14, 2005 (gmt 0)

Hi d_sprague,

Wow. I'd venture to say that if someone was able to register a user on your phpBB account and there are absolutely no log entries for that time, one of two things happened: either the registrant was able to get direct db access at your server (e.g. they came in through another account on a shared server) or they were able to erase the log files to cover their tracks. Either way you could have a security issue that's worth checking into!

Just as a general reminder to anyone running phpBB, if you didn't upgrade to 2.0.11 immediately after the highlight vulnerability became public knowledge (around November 19th, 2004), you really should check your site to make sure no hidden files have been installed. 2.0.11 provides no protection if you already have a backdoor installed!

A friend of mine fixed the highlight vulnerability (by upgrading to 2.0.11) in early December. He only realized two days ago that a backdoor had been installed in the short time-frame that elapsed before he upgraded. Interestingly, the users of the backdoor were completely "stealth", running processes on his server (and adding 27 extra tables to his DB), but in no way did they affect the functionality of his forum.

Again, for anyone who upgraded to 2.0.11 after November, it would be wise to check your site for anything unusual.

Dave
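
Added example, not part of any post in this thread: one way to check whether a database-side event, such as the 4:02 am registration described above, falls inside a stretch with no access-log entries. The log lines, addresses, timestamps and function names are constructed for illustration, and the Apache combined log format is an assumption about the server.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache combined log format (not data from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2005:23:41:12 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2005:23:58:03 +0000] "GET /phpBB2/viewforum.php?f=1 HTTP/1.1" 200 7340
198.51.100.9 - - [11/Feb/2005:04:17:45 +0000] "GET /phpBB2/profile.php?mode=register HTTP/1.1" 200 6011
this line is damaged and carries no timestamp
198.51.100.9 - - [11/Feb/2005:04:19:02 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 5120
"""

# Constructed database-side events, already converted to UTC.
DB_EVENTS = {
    "registration": datetime(2005, 2, 11, 4, 2, 0, tzinfo=timezone.utc),
    "later_post": datetime(2005, 2, 11, 4, 18, 30, tzinfo=timezone.utc),
}

TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_times(text):
    """Return the sorted timestamps of every line that carries one."""
    times = []
    for line in text.splitlines():
        m = TS_RE.search(line)
        if m:  # skip damaged or foreign lines instead of failing
            times.append(datetime.strptime(m.group(1), TS_FMT))
    return sorted(times)

def find_gaps(times, threshold=timedelta(hours=1)):
    """Return (last_seen, next_seen) pairs further apart than threshold."""
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > threshold]

def events_in_gaps(events, gaps):
    """Map each event to the log gap that contains it, or None."""
    return {
        name: next(((a, b) for a, b in gaps if a < when < b), None)
        for name, when in events.items()
    }

if __name__ == "__main__":
    gaps = find_gaps(parse_times(SAMPLE_LOG))
    for name, gap in events_in_gaps(DB_EVENTS, gaps).items():
        status = f"inside log gap {gap[0]} -> {gap[1]}" if gap else "covered by log entries"
        print(f"{name}: {status}")
```

A quiet stretch can also come from log rotation or a stopped web server, so compare any reported gap against rotated log files and the server's uptime before drawing conclusions.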

encyclo

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 338 posted 5:00 pm on Feb 14, 2005 (gmt 0)

If your site was hacked before you applied the 2.0.11 update then the patch won't help you. As Dave_Palmer has said, there could well be backdoors still in place and the attacker would have got hold of your database password and others.

You need to take the forum (and probably the rest of the site or even the server) offline and rebuild from a fresh phpBB 2.0.11 package. If it is a shared server, your host will need to look into the problem as well - the attacker could be controlling other sites on the same server, and if there are vulnerable scripts by other users, you're still not out of the woods.

Your database needs to be rebuilt from scratch, and all passwords (including control panel, FTP, email, MySQL database name and password and ALL forum member passwords) need to be changed - once you've ensured that any backdoors have been removed, of course.

Perhaps I should add this: good luck!
