
Forum Moderators: rogerd


Important phpBB security upgrade

phpBB 2.0.11 released

     
4:11 pm on Nov 20, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


Just a quick heads-up to all of you running a phpBB forum: there is a very serious security vulnerability in all versions of phpBB up to and including version 2.0.10.

The latest version (2.0.11) is now available from phpbb.com which corrects the problem, so you need to update your installation as soon as possible.

If you can't update straight away, at least apply the fix as described here:

[phpbb.com...]

If you don't update and you subsequently have problems, don't say we didn't warn you ;)

11:36 pm on Nov 24, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 5, 2003
posts:380
votes: 0


Yep, very, very serious. I missed this one; thankfully they didn't wipe my server (yes, that's how serious). I'd guess almost every PHP web server has at least one copy of phpBB installed. I think this should go front page because of the seriousness; if this doesn't get done there could be a load of zombies out there waiting to do a lot of damage.

11:51 pm on Nov 24, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:July 16, 2001
posts:545
votes: 0


I'm digging through their website right now, but does anyone know how to tell if your board's already been hacked?
11:51 pm on Nov 24, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 25, 2003
posts:367
votes: 0


Be careful: some of the hacked forum owners had their config.php files scanned, giving the hacker access to the root MySQL database username and password for their account.

Thanks.

12:17 am on Nov 25, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 5, 2003
posts:380
votes: 0


Search through your log files for lines with "viewtopic" and "system" in them, and a whole bunch of characters like 252echr(110)%252echr(97)%252echr(109)%252echr(101))%252e%25

On one of my forums I've had 318 different attempts. Now I have to work out what they did, and how to clean it up.
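Added example (not from the post above): a small Python scanner that applies the log check just described to a few constructed Apache-style access-log lines. It parses each request, double-decodes the `highlight` value on viewtopic.php requests the way PHP's own `$_GET` decoding plus a second `urldecode()` would, flags PHP execution functions, `chr()` obfuscation and quote break-outs, and rewrites the `chr()` chain so the attempted command is readable. The IP addresses, timestamps and payloads are made up for the demo; nothing here is evaluated, only decoded.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines for the demo (not real traffic).
# Lines 1 and 3 imitate the double-URL-encoded viewtopic.php?highlight= payloads
# quoted in the thread; lines 2 and 4 are ordinary forum requests.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Nov/2004:23:10:02 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252esystem(chr(119)%252echr(103)%252echr(101)%252echr(116))%252e%2527 HTTP/1.0" 200 4213 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Nov/2004:23:11:45 +0000] "GET /forum/viewtopic.php?t=12&highlight=security+upgrade HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Nov/2004:23:12:09 +0000] "GET /forum/viewtopic.php?p=77&highlight=%2527%252epassthru(chr(105)%252echr(100))%252e%2527 HTTP/1.0" 200 4190 "-" "Mozilla/4.0"
192.0.2.44 - - [24/Nov/2004:23:13:30 +0000] "GET /forum/index.php HTTP/1.1" 200 10211 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# What a decoded highlight value looks like when it is an exploit rather than a search term.
INDICATORS = (
    ('php-exec-function', re.compile(r'\b(?:system|passthru|exec|shell_exec|popen|proc_open|eval)\s*\(', re.I)),
    ('chr-obfuscation', re.compile(r'chr\(\d{1,3}\)', re.I)),
    ('quote-breakout', re.compile(r"'\s*\.|\.\s*'")),
)

# A run of chr(N).chr(N)... concatenations; the lookahead only eats a dot that joins two chr() calls.
CHR_CHAIN_RE = re.compile(r'(?:chr\(\d{1,3}\)(?:\.(?=chr\())?)+', re.I)


def fully_decode(value, max_rounds=5):
    """Apply URL-decoding until the string stops changing. Returns (decoded, extra_rounds):
    extra_rounds > 0 means the parameter was encoded more than once (the %25xx trick)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def decode_chr_chains(text):
    """Rewrite chr(119).chr(103).chr(101).chr(116) as 'wget' so the attempted command is readable.
    Pure string rewriting; nothing is evaluated."""
    return CHR_CHAIN_RE.sub(
        lambda m: ''.join(chr(int(n)) for n in re.findall(r'\d{1,3}', m.group(0))), text)


def scan_log(text):
    """Return one finding per suspicious highlight= value seen on a viewtopic.php request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        if not parts.path.endswith('/viewtopic.php'):
            continue
        # parse_qs performs the first decode, exactly like PHP does when filling $_GET
        for raw in parse_qs(parts.query, keep_blank_values=True).get('highlight', []):
            decoded, extra = fully_decode(raw)
            reasons = [name for name, rx in INDICATORS if rx.search(decoded)]
            if not reasons:
                continue          # a genuine search term
            if extra:
                reasons.append('double-url-encoding')
            findings.append({
                'ip': m['ip'], 'ts': m['ts'], 'status': m['status'],
                'raw': raw, 'decoded': decoded,
                'command_hint': decode_chr_chains(decoded),
                'reasons': reasons,
            })
    return findings


def attackers(findings):
    """Attempts per source address, the number the post above is counting."""
    return dict(Counter(f['ip'] for f in findings))


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']}  {h['ip']}  {h['command_hint']}  [{', '.join(h['reasons'])}]")
    print('attempts per IP:', attackers(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a 200 status on a flagged request only tells you the page rendered, so every hit still needs the follow-up the thread describes (look for dropped files, check what the web-server user was able to fetch or write).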

12:26 am on Nov 25, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 5, 2003
posts:380
votes: 0


Found 2 different shellkits so far. If you are just hosting on someone else's server, get your hosting provider to check their server if you see those lines in your logs, as, if you do not have root access, it is out of your hands.

1:03 am on Nov 25, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


eaden, I don't think you're the only one: there are hacking attempts galore going on at the moment. The patch came out last Thursday, but despite supposedly being on the release mailing list I wasn't notified and only happened upon it by chance last Saturday.

If your board was hacked, it's probably better to disable the board and reinstall from scratch, patching a known good backup at least. I don't know how much the database could be affected, but at worst you'll have to roll back to a backup from last week even if that means losing a week's postings. androidtech's right also: I would certainly change the database name and password too.

Good luck!

1:08 am on Nov 25, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 5, 2003
posts:380
votes: 0


The problem is, on a shared host using a standard/common configuration, if anyone on your host is running phpBB, and you have any database-driven site, your database passwords could be revealed by looking at config files.

Also, the person who notified me about this said patching is NOT enough, and you must install the full 2.0.11.

1:37 am on Nov 25, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


patching is NOT enough

Just doing the one-line patch as described in the link in my original message is a short-term fix, but not a long-term solution. The full patch file downloadable from the phpbb.com website is however sufficient for fully fixing the hole, as it includes all the file changes from the full 2.0.11 version.

It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.

1:43 am on Nov 25, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 5, 2003
posts:380
votes: 0


It is true that on a shared server there may be additional difficulties, but that is a file permission problem more than anything, and it depends on how the server is set up. If the hacker manages to get root access, then the phpBB passwords are the least of your (or the hosting company's) problems.

The exploits being used gain a shell as the web server user. It's not a permissions issue, as if you have a shell as the web server user you can read any file in the web directories. The web server *has* to be able to read all the web files, else PHP can't open them.
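Added example, not from the thread: a Python audit of which config.php files under a shared web root the web-server uid can read, following the point just made that the web server has to be able to read every site's files. It builds a constructed three-site tree in a temp directory (made-up credentials, three commonly seen modes), then applies the ordinary owner/group/other rule for an assumed web-server uid that owns none of the sites, once with no shared group and once with the sites' group among its groups. Anything reported as readable is readable from any other customer's PHP running as that uid.

```python
import os
import stat
import tempfile

# Constructed demo: three customer sites on one shared web root, each with a phpBB-style
# config.php holding database credentials, saved with three commonly seen modes.
DEMO_VHOSTS = (('alice', 0o644), ('bob', 0o640), ('carol', 0o600))


def build_demo_root():
    """Create the constructed tree under a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix='shared-webroot-')
    for vhost, mode in DEMO_VHOSTS:
        forum_dir = os.path.join(root, vhost, 'forum')
        os.makedirs(forum_dir)
        cfg = os.path.join(forum_dir, 'config.php')
        with open(cfg, 'w') as fh:       # made-up credentials
            fh.write(f"<?php\n$dbhost = 'localhost';\n$dbuser = '{vhost}';\n$dbpasswd = 'not-a-real-password';\n")
        os.chmod(cfg, mode)
    return root


def readable_by(st, uid, gids):
    """Unix permission rule: owner bits if uid owns the file, else group bits if uid is in the
    file's group, else the 'other' bits. Returns which class granted read access, or None."""
    if uid == st.st_uid:
        return 'owner' if st.st_mode & stat.S_IRUSR else None
    if st.st_gid in gids:
        return 'group' if st.st_mode & stat.S_IRGRP else None
    return 'other' if st.st_mode & stat.S_IROTH else None


def audit_configs(root, web_uid, web_gids, names=('config.php',)):
    """List every config file under root with its mode and how (if at all) web_uid can read it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            findings.append({
                'path': os.path.relpath(path, root),
                'mode': format(stat.S_IMODE(st.st_mode), '04o'),
                'via': readable_by(st, web_uid, web_gids),
            })
    return sorted(findings, key=lambda f: f['path'])


def exposed(findings):
    """Paths readable by the web-server uid, i.e. from any other tenant's PHP that runs as it."""
    return [f['path'] for f in findings if f['via'] is not None]


def run_demo():
    """Assumed: the web server runs as a uid that owns none of the sites (owner uid + 1 here),
    first with no shared group, then with the sites' group added to its supplementary groups."""
    root = build_demo_root()
    st = os.stat(os.path.join(root, 'alice', 'forum', 'config.php'))
    web_uid = st.st_uid + 1
    return {
        'no_shared_group': exposed(audit_configs(root, web_uid, set())),
        'shared_group': exposed(audit_configs(root, web_uid, {st.st_gid})),
    }


if __name__ == '__main__':
    for scenario, paths in run_demo().items():
        print(f'{scenario}: readable by the web-server uid -> {paths}')
```

Point `audit_configs` at the real document root with the uid and groups the web server actually runs as to get the same report for a live host. Where one uid serves every customer, the report lists every config.php that site can serve at all, which is the poster's point: file modes cannot separate tenants that share a uid, only running each site's PHP as its own user does.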

2:26 am on Nov 25, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member eliteweb is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 5, 2001
posts:2723
votes: 0


Yeah, think of it like this: a user can become admin and, wammo, download your database, then create a site based off your content or spam your users... so fix it, and fast ;)

3:01 am on Dec 10, 2004 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11309
votes: 163


A software support phpBB board was hacked while I was posting... a strange and sad experience. When I tried to post, I got a message that the thread did not exist, and, when I checked further, it didn't. In fact, all threads on the board had disappeared.

There was a note on the board... that it had been "hacked by Frosty-E"... with one thread for members to discuss how the board had been hacked. Really disgusting.

It occurred to me that a warning to the phpBB community might be in order. I don't know whether this is old news or not, but I thought I'd share it just in case.

3:39 am on Dec 10, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


There was a thread about an important phpBB security upgrade [webmasterworld.com] not long ago... no doubt there are plenty of boards that haven't patched yet.
3:42 am on Dec 10, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:July 16, 2001
posts:545
votes: 0


There was a vulnerability found in at least one version of phpBB last week or so.

I didn't know about it either until after I noted something odd in my logs.

I can't recall if it was brought up on this board or not, but I did see it somewhere else. It is known, but given that not everyone is registered on the announcement list (I'm still not), it can be overlooked.

4:16 am on Dec 10, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 19, 2003
posts:1747
votes: 0


Thanks much Robert Charlton. I was away when this occurred and was discussed initially, so I'm very glad you posted! In process of downloading 2.0.11 right now, already installed the temp fix....
10:42 pm on Dec 10, 2004 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11309
votes: 163


Hey, folks... I'm freaked. It's just happened again, while I was posting to another forum. I logged onto the forum and was composing my message offline. When I clicked the post link, I got a 404.

I don't think that I could be transmitting any sort of spyware, but I'm not sure. I'm in the process of moving over to a new machine, so I've been lax about updating Spybot... and I'm using a dial-up until I build my new machine, so I don't yet have a firewall.

Since I run PocoMail and have ActiveX disabled, with several levels of email virus screening, I've figured I can't do much harm. I promise I won't visit your phpBB boards.

Just coincidence, or could something else be going on? Am about to update Spybot right now.

12:07 am on Dec 11, 2004 (gmt 0)

Full Member

10+ Year Member

joined:June 12, 2003
posts:222
votes: 0


A local community activism one went down here in Edinburgh as well yesterday.
2:34 am on Dec 11, 2004 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11309
votes: 163


Freshly updated Spybot Search and Destroy says I'm clean, and report from one board owner suggests it wasn't connected to my log-on. I'm guessing there must be a lot of hacks going on right now. This is either an epidemic or a very weird coincidence.

Maybe the original thread should get moved to the home page. Half the people I've talked to with phpBB boards have already gotten hit.

7:37 am on Dec 11, 2004 (gmt 0)

New User

10+ Year Member

joined:Dec 5, 2004
posts:8
votes: 0


I have a solution to this problem. Build your own software and stop depending on 3rd-party stuff. It's not like I'm asking people to build entire OSes from scratch. I'm talking web applications. Programmers make computer languages that are more accessible, and people turn around and get lazier...

my 2 cents

11:03 am on Dec 11, 2004 (gmt 0)

Moderator

WebmasterWorld Administrator lawman is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 28, 2001
posts:3519
votes: 25


Hello fcharrua:

Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)

lawman

12:18 pm on Dec 11, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:July 17, 2003
posts:560
votes: 0


Does anyone know if this affects phpBB on PostNuke and PHPNuke installations?

12:21 pm on Dec 11, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Feb 25, 2002
posts:311
votes: 0


When I installed phpBB it got hacked every time, which was maybe 5 times.

Not good.

12:58 pm on Dec 11, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 9, 2003
posts:2072
votes: 2


fcharrua's solution is the ideal but also idealistic.

I would be happy to use phpBB but can't at present since my site is hosted on a Win2K box. Instead I am using a third-party hosted BB which is backed up by the company which provides it.

Furthermore if it ever gets hacked - it was once - it's their server that gets hacked not mine.

The obvious downside though is that it's not free, it's a subscription service.

2:54 pm on Dec 11, 2004 (gmt 0)

New User

10+ Year Member

joined:June 12, 2003
posts:16
votes: 0


Does anyone know if this affects phpBB on PostNuke and PHPNuke installations?

I believe it does, came across a thread on the phpbb forum about it days ago. Better to be safe than sorry, upgrade!

4:41 pm on Dec 11, 2004 (gmt 0)

New User

10+ Year Member

joined:Dec 5, 2004
posts:8
votes: 0


Welcome to Webmaster World. BTW, if someone asks you for the time, do you build them a clock? :)

I would say: if you asked someone for the time on a regular basis, and on occasion that person gave you the wrong time of day, would you go out and buy your own watch? ~_^

10:52 pm on Dec 11, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Dec 5, 2002
posts:529
votes: 0


My own simple solution is to disable wget except for root. I was hit before with another exploit, and what many do is wget a remote file to exploit your system. As long as you block wget from being used it blocks a lot of their crap :)

11:07 pm on Dec 11, 2004 (gmt 0)

Moderator

WebmasterWorld Administrator lawman is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 28, 2001
posts:3519
votes: 25


Sorry fcharrua, my bad. I should have said "when someone asks you for the time, do you tell them to build their own clock." :)
5:38 pm on Dec 12, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5063
votes: 11


My forum was hacked a couple of weeks ago using this. Could'a been serious (5-10K users, 750K posts, dedicated server). Instead all they did was post a thread with my userid title 'HACKED' and pointed a URL to the fix. They made their point :).

As a result, along with a couple of other changes I'm:
- moving to vbulletin
- starting with a freshly wiped server and simply upgrading the database to the new forum program

8:16 pm on Dec 12, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 31, 2004
posts:86
votes: 0


Hi,

I've found a number of attempts in my log files coming from a few different IPs. However it doesn't look like anything's been changed. I've applied the patch now and will upgrade to the latest version asap.

What's the worst that could happen from this? A wiped forum DB? Root access?

Cheers

9:54 pm on Dec 12, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 27, 2003
posts:1308
votes: 0


Seems very serious; today I received this e-mail from my host:

[Summary: Due to phpBB exploits that could crash the server running phpBB, the host is suspending accounts running phpBB until the software is upgraded for each account.]

[edited by: rogerd at 7:12 pm (utc) on Dec. 13, 2004]
[edit reason] e-mail quote [/edit]
