Forum Moderators: rogerd
See my earlier thread how my forum was hacked, mostly because I was using amazingly out of date PHPBB software. [webmasterworld.com...]
The "hacker" in question doesn't appear to be amazingly technically proficient. But he does seem to be determined. What with information from "real hackers" distributed around to script kiddies to copy from, this worries me.
A real hacker would have just done something trivial, like replaced a graphic, or something non-destructive. Something probably rude and annoying, but not something that's going to risk irreparable loss.
But this guy went and deleted most of the posts, and spent many hours defacing everything he could get his hands on. Totally obsessive. These posts that were deleted annoy me the most actually, because I've spent many hours over a year, writing them.
They were what I consider to be "inspired" posts, basically they were article-worthy. And he specifically targeted them to be deleted.
So anyhow, I have someone who is determined and obsessed with hacking my website.
I'll do what is the best approach:
1) Protect my website as best I can.
2) Don't respond to him, as that will only encourage him. The more he is ignored the quicker he'll disappear. (Unfortunately with a psycho like him, it may take a few months or worse.)
Point 1) is what I am most unsure about. What if he grabs tools to auto-generate passwords against my website? I'm using a web host (which I can't name due to forum rules), but they don't seem to give me the idea that they make an extra special effort to defend themselves from hackers.
They probably use standard tools in a standard security setting, whatever that is.
For example, what if he runs a password generator against my FTP? Or against my forum again? I.e., just opens up a shell tool, points it at my website, and lets it generate millions of passwords, and leaves it running for a few years... I have a feeling I could be up against someone that obsessive.
Will my web host stand up against such an attack?
I think I'm going to have to start doing backups regularly to my computer at my house. This is really annoying me, because now this guy has gone and wasted MY time, which is exactly what he wanted to do. To annoy and inconvenience me and waste my time.
If I do have to do regular backups, I WANT it to be done automatically. I really do not want to have to go to this website of mine manually every day, go through their web-based interface and set stuff up.
I am a software developer, a shareware solo guy. I am NOT an admin. We coders don't like doing repetitive admin stuff :( In fact we hate it, that's why we became software developers.
Your host should be able to shed some light.
I'm considering moving to a host which takes security and professionalism seriously. But I don't know hosts so well. It's all very well reading what marketing will tell you, but marketing will tell you anything if it gets them a sale...
[edited by: rogerd at 2:34 pm (utc) on Aug. 15, 2005]
[edit reason] no email addresses, please [/edit]
For example, what if he runs a password generator against my FTP?
This is why you should have a complicated password. Use numbers and dashes as well as letters. If it is case sensitive, use upper and lower case. Avoid words in the dictionary.
The longer the password, the more of a pain it is to type in every time for you. But the more hassle it is for you to get in, the more hassle it is for anyone else.
Check your forum is up-to-date with any security patches available - he may be exploiting a known security problem with your site.
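The password rules in the reply above (length, upper and lower case, digits, dashes or other punctuation, nothing straight out of a dictionary) can be turned into a check you run on a new password before you set it. The script below is an added example written for this thread, not code from the original post or from phpBB. The 12-character minimum and the five-word stand-in for a dictionary file are constructed for the demonstration; a real check would read a full wordlist instead.

```shell
#!/bin/sh
# Added example (not from the thread): check a candidate password against the
# advice given above. Assumptions, chosen for the demonstration: at least
# MIN_LEN characters, at least one upper-case letter, one lower-case letter,
# one digit and one punctuation character (a dash counts), and the letters
# alone must not spell a word from the wordlist.

MIN_LEN=12

# Constructed stand-in for a dictionary file, one word per line.
WORDLIST="password
letmein
forum
admin
secret"

# check_password PASSWORD: print "ok" and return 0 when the password passes,
# otherwise print the first rule it breaks and return 1.
check_password() {
    pw="$1"
    [ "${#pw}" -ge "$MIN_LEN" ] || { echo "too short (< $MIN_LEN chars)"; return 1; }
    case "$pw" in *[[:upper:]]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case "$pw" in *[[:lower:]]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    case "$pw" in *[[:punct:]]*) ;; *) echo "no punctuation (dash etc.)"; return 1 ;; esac

    # Strip digits and punctuation, lower-case what is left, and reject it if
    # that core is a dictionary word: "Password-2005!" is still "password".
    core=$(printf '%s' "$pw" | tr -d '[:digit:][:punct:]' | tr '[:upper:]' '[:lower:]')
    if printf '%s\n' "$WORDLIST" | grep -qx -- "$core"; then
        echo "built from a dictionary word"
        return 1
    fi
    echo "ok"
}

# Usage: sh check_password.sh 'the-Password-to-test'
if [ -n "${1:-}" ]; then
    check_password "$1"
fi
```

The dictionary test deliberately looks at the letters only: tacking a year and an exclamation mark onto a common word is the first thing a password list tries, so the check treats it as the bare word.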
On your side, the script itself is the greatest point of weakness - that is why keeping it up to date is so vital. It is very unlikely that your friend is a real hacker - he is undoubtedly just push-button implementing known exploits which have been published by others. This makes it easier to stay ahead - if you update your board within 24 hours of receiving notification of an update, you will be pretty safe. I started a thread a couple of months back covering the basics of securing phpBB, which you can see here:
[webmasterworld.com...]
Since that thread, phpBB has been hardened further - it has a so-so reputation for security, but its vulnerability is also due to its popularity. You might want to consider switching to a different forum package if you are concerned. The best alternative is vBulletin, although that is a $150 option. If you do a search here you will see dozens of threads extolling the virtues of different forum packages. :)
For automating backups, see if your hosting company admin panel has an option for "cron jobs". You can set an automated process to make a database backup at regular intervals. Otherwise, you will need to have SSH (command-line) access.
So, to search WW for posts relating to the best forum software to use, you could type "site:www.webmasterworld.com best forum" (again, no quotes) into google and have a look through those results.
Hope this helps.
[edited by: rogerd at 10:11 pm (utc) on Aug. 24, 2005]
[edit reason] broken URL [/edit]
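The "cron jobs" suggestion above is the piece that answers the original poster's wish for backups that run without anyone logging into the control panel. The script below is an added example written for this thread, not code from the original post or from phpBB: it dumps the forum database to a timestamped, compressed file, refuses to leave a half-written dump behind if the dump command fails, and deletes copies older than a fixed number of days. The names `forum_db`, `$HOME/backups`, the 14-day window and the 03:15 schedule are assumptions; it also assumes a MySQL database whose credentials are in `~/.my.cnf` so that no password appears on the command line or in the panel's cron entry.

```shell
#!/bin/sh
# Added example (not from the thread): nightly forum database backup with
# rotation, meant to be started by the hosting panel's "cron job" feature.
# Assumed names: database forum_db, dumps kept under $HOME/backups for 14
# days, MySQL credentials read from ~/.my.cnf by mysqldump itself.

BACKUP_DIR="${BACKUP_DIR:-$HOME/backups}"
DB_NAME="${DB_NAME:-forum_db}"
KEEP_DAYS="${KEEP_DAYS:-14}"
# Command that writes the SQL dump to stdout. Kept in a variable so the
# functions can be exercised without a database server.
DUMP_CMD="${DUMP_CMD:-mysqldump --single-transaction $DB_NAME}"

# make_backup DIR NAME: dump into DIR/NAME-<timestamp>.sql.gz and print the
# path. The dump goes to a ".part" file first, so a failed or interrupted
# run never leaves something that looks like a good backup.
make_backup() {
    dir="$1"; name="$2"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    out="$dir/$name-$(date +%Y%m%d-%H%M%S).sql.gz"
    tmp="$out.part"
    if ! sh -c "$DUMP_CMD" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    gzip -c "$tmp" > "$out" || { rm -f "$tmp" "$out"; return 1; }
    rm -f "$tmp"
    chmod 600 "$out"
    echo "$out"
}

# prune_backups DIR NAME DAYS: delete dumps older than DAYS days. A bounded
# window of dated copies lets you restore from before a defacement without
# the directory growing forever.
prune_backups() {
    find "$1" -name "$2-*.sql.gz" -type f -mtime +"$3" -exec rm -f {} +
}

# cron_line SCRIPT: the crontab entry to paste into the hosting panel.
# 03:15 every night; output is appended to a log so a failing dump is noticed.
cron_line() {
    echo "15 3 * * * $1 run >> $BACKUP_DIR/backup.log 2>&1"
}

# Only act when invoked as "forum_backup.sh run", so sourcing the file or
# the panel's "test" button does not start a dump by accident.
if [ "${1:-}" = "run" ]; then
    make_backup "$BACKUP_DIR" "$DB_NAME" || { echo "backup failed" >&2; exit 1; }
    prune_backups "$BACKUP_DIR" "$DB_NAME" "$KEEP_DAYS"
fi
```

To get the copies off the server, as the original poster wants, the same cron mechanism on the home machine can pull `$HOME/backups` down with scp or rsync over SSH; a backup that lives only on the host that was just defaced is not much of a backup.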