|phpbb2 forum registration question|
| 5:58 pm on Feb 11, 2005 (gmt 0)|
howdy ... recently we ( <snip> ) had a user join our phpbb2 2.0.11 forum, but i can't see a POST request in the server log. the only log entries for /phpBB2/profile.php on that date showed a microsoft IP and msnbot references ...
how can a user register without a POST /phpBB2/profile.php...?
thanks for any help ...
[edited by: engine at 4:53 pm (utc) on Feb. 14, 2005]
[edit reason] TOS [webmasterworld.com] [/edit]
| 7:58 pm on Feb 11, 2005 (gmt 0)|
That's odd ... assuming the registrant didn't manage to pull off direct db access, you should see *something* in the log corresponding to the registration.
I notice your forums show they're running 2.08, but your post here says 2.011. You should probably double-check to be absolutely sure you don't have the highlight vulnerability issue.
| 4:33 pm on Feb 14, 2005 (gmt 0)|
the user registered at 4:02am ( from the date in the db ) but our log has no entries from midnight to after 4 am for that date and the next two days.
the changes to 2.0.11 were applied, but the php version in config was not updated until recently.
| 4:47 pm on Feb 14, 2005 (gmt 0)|
Wow. I'd venture to say that if someone was able to register a user on your phpBB account and there are absolutely no log entries for that time, one of two things happened: either the registrant was able to get direct db access at your server (e.g. they came in through another account on a shared server) or they were able to erase the log files to cover their tracks. Either way you could have a security issue that's worth checking into!
Just as a general reminder to anyone running phpBB, if you didn't upgrade to 2.0.11 immediately after the highlight vulnerability became public knowledge (around November 19th, 2004), you really should check your site to make sure no hidden files have been installed. 2.0.11 provides no protection if you already have a backdoor installed!
A friend of mine fixed the highlight vulnerability (by upgrading to 2.0.11) in early December. He only realized two days ago that a backdoor had been installed in the short time-frame that elapsed before he upgraded. Interestingly, the users of the backdoor were completely "stealth", running processes on his server (and adding 27 extra tables to his DB), but in no way did they affect the functionality of his forum.
Again, for anyone who upgraded to 2.0.11 after November, it would be wise to check your site for anything unusual.
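Added example, not part of the thread: one way to check an access log for the kind of silent window described above and test whether a database-recorded registration time falls inside it. The sample log lines, the registration timestamp, the one-hour threshold and the function names are constructed for illustration; only the `/phpBB2/profile.php` path comes from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (Apache combined format), not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2005:23:58:41 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.11 - - [10/Feb/2005:23:59:07 +0000] "GET /phpBB2/viewforum.php?f=1 HTTP/1.1" 200 7301 "-" "Mozilla/4.0"
192.0.2.12 - - [11/Feb/2005:04:11:52 +0000] "GET /phpBB2/profile.php?mode=register HTTP/1.1" 200 6100 "-" "msnbot/1.0"
192.0.2.13 - - [11/Feb/2005:04:12:30 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def parse_times(log_text):
    """Return sorted timezone-aware timestamps for every parseable line."""
    times = []
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"))
    return sorted(times)

def find_gaps(times, threshold=timedelta(hours=1)):
    """Return (start, end) pairs where consecutive entries are further apart than threshold."""
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > threshold]

def events_in_gaps(gaps, events):
    """Map each event label to the log gap that contains its timestamp, if any."""
    hits = {}
    for label, when in events.items():
        for start, end in gaps:
            if start < when < end:
                hits[label] = (start, end)
    return hits

def registration_requests(log_text, path="/phpBB2/profile.php"):
    """Return the POST request lines for the registration script."""
    return [l for l in log_text.splitlines() if f'"POST {path}' in l]

if __name__ == "__main__":
    # Registration time as recorded in the forum database (constructed value).
    events = {"new_user": datetime(2005, 2, 11, 4, 2, tzinfo=timezone.utc)}
    gaps = find_gaps(parse_times(SAMPLE_LOG))
    for label, (start, end) in events_in_gaps(gaps, events).items():
        print(f"{label}: registered inside log gap {start} -> {end}")
    print("POST requests to profile.php:", len(registration_requests(SAMPLE_LOG)))
```

A database event that lands inside a gap on a normally busy site is a reason to compare against rotated or host-level logs before trusting the local file.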
| 5:00 pm on Feb 14, 2005 (gmt 0)|
If your site was hacked before you applied the 2.0.11 update then the patch won't help you. As Dave_Palmer has said, there could well be backdoors still in place and the attacker would have got hold of your database password and others.
You need to take the forum (and probably the rest of the site or even the server) offline and rebuild from a fresh phpBB 2.0.11 package. If it is a shared server, your host will need to look into the problem as well - the attacker could be controlling other sites on the same server, and if there are vulnerable scripts by other users, you're still not out of the woods.
Your database needs to be rebuilt from scratch, and all passwords (including control panel, FTP, email, MySQL database name and password and ALL forum member passwords) need to be changed - once you've ensured that any backdoors have been removed, of course.
Perhaps I should add this: good luck!