phpBB

i and currently putting up a small forum for me and my freinds to mess around on. I am using phpbb till i buy vbulletin. And the other day i got flooded with members from a proxy i guess. So i put up a anti robotic register mod. And then the next day i get hacked. Is there any way to make phpbb more secure i have the newest version out. Or should i just wait and buy vbulletin? :confused:

Get a strong password, make sure your ftp and ssh servers are up to date on your host, as well as the web server itself. Once that is taken care of, if you own your server and have root, run some AV and Spyware and just rule out any lingering malware.

Make sure you are getting phpbb from the source, phpbb.com. Latest version is 2.0.10 I believe.

What was the "hack"? Was it a defacement or a screw around with phpbb itself?

Wow, how many enemies did you make my friend?

Traditionally, PHPbb has a history of security problems, but mostly because of end user installation and modification mistakes. For instance, some leave the config files at 777, have .htaccess files writable, and even have no password to the database. Lastly, weak passwords can do really bad things to you too.

Another thing to consider is to see how you got hacked in the first place. Check logs, who defaced it, and most will tell you how they defaced it. Some other places to check are the PHPbb forums and google to see if there are any known exploits for it.

If you do not have or want to spend the money, check other bb's out there.

http://opensourcecms.com and "try before you install" it's a very nice resource.

L0w M3m0ry -

You are alone in this. I have had my database compromised before using phpBB so I moved to Vbulletin and haven't had an issue since. My entire phpBB database was deleted and the logs didn't show a thing. So I took it as a lessoned learned and reinstated my back up and started to change my password regularly. After a bit I ended up moving to Vbull and I have never looked back.

The only downside of Vbulletin is having to pay the certain fee.

- MilitantEidolon

phpBB isnst famous as "best secure bb".

you can get other CMS for free as www.phpnuke.org OR

take a look at this ($)


http://www.invisionboard.com/
inst bad too

Quote:

---

Originally posted here by cacosapo
phpBB isnst famous as "best secure bb".

you can get other CMS for free as www.phpnuke.org

---

Hah, if phpBB isn't famous for it's security then PHP-Nuke sure as hell isn't. It's one of the buggiest PHP scripts I've ever had the misfortune to come into contact with.

WRT to phpBB forums getting cracked, there are some automated bots that go round searching for forums powered by phpBB so that people can then try and break into them/make spam submissions.

Quote:

---

It's one of the buggiest PHP scripts I've ever had the misfortune to come into contact with.

---

:D
Free software, Free bugs...
here: http://www.karakas-online.de/EN-Book/ you can find some "countermeasures" about php-nuke buggies. Not solve all (there is a lot of "Injections")

BTW, new version (7.4) needs $$$. Crap. d/l previous one.

i forgot that: you have access to it, block spiders to index your CMS site (unless you want that). At least, your buggies wont appear at google. :)

I pay for my server, i dont have my own. I do change my passwords weekly. I know who is doing it (username anyways) and i have his ip, whats the next step? My server comes with invision should i use that instead? When i say "hacked" someone somehow, deleted all of the boards posts, and topics. Deleted my username. and inverted all of my boards colors.

i have some friends that use Invision on a clan site. I cant say that is more or less secure than others. you may need to dig that information. Aparentelly, they like invision and it has a great visual.

I like phpnuke. But as pwaring noticed, isnt better (or maybe is worse) than phpBB.

If u want some support about weakness, i would advice to buy a software that includes support. Or use the ISP one, if support is included.

A very good Brazilian security site runs vbulletin now. I will ask the owner what are his impressions about this.

There is lot of "holes" on those CMS nowadays

i was thinking about gettin vbulletin but when your 14 150 bucks doesnt come easily.

I've been using phpBB since 2.0 release and while I've been wary of the issues at hand, never once I've had my database hacked or my board compromised. Maybe it has something to do with the fact that I never index my pages with any search engines. I've removed all metadata content from the headers and since I'm behind a firewall (ipchains) and router, I'm not abject to the cookie vulnerability, etc...

I like phpBB as it definitely allows me to use postgresql, something that other boards don't do. Everything's mySQL or some **** and that pisses me off!

Quote:

---

I've been using phpBB since 2.0 release and while I've been wary of the issues at hand, never once I've had my database hacked or my board compromised. Maybe it has something to do with the fact that I never index my pages with any search engines. I've removed all metadata content from the headers and since I'm behind a firewall (ipchains) and router, I'm not abject to the cookie vulnerability, etc...

---

Indeed. a robots.txt does wonders. It also never ceases to amaze me how many people install it and do not do the recommended things like changing the config files back to something like 444...

I have used it before and never had a problem either, but I have seen other boards hacked.

Yeah, I don't think I'll ever have a robots.txt file unless I make sure everything that I want kept away listed in the denied section. I have to wonder how the invention of spiders would not be have been abused, etc...

Just a word of warning with robots.txt.

I read it somewhere and I can't remember where and it might be a "Google hack" that people look for robots.txt and read it to see what you don't want to be publicly available... Then they go and look at it anyway..... 'cos it really is publicly available.... ;)

Just a thought.....

Quote:

---

A very good Brazilian security site runs vbulletin now. I will ask the owner what are his impressions about this.

---

AntiOnline runs vBulletin, too :)

Well, vBulletin is very nice software, is well coded but it is not cheap. When you think of other CMSs out there that do cost money, that is not a huge cost at all. Also, a lot of open source cms's have dual licensing schemes as well.

So yeah, check with other people and see how they like it...

Quote:

---

I read it somewhere and I can't remember where and it might be a "Google hack" that people look for robots.txt and read it to see what you don't want to be publicly available... Then they go and look at it anyway..... 'cos it really is publicly available....

---

If you were really worried about it, you could use this link:
http://services.google.com/urlconsole/controller
Its broken right now but google says you can instantly remove yourself from the index.

In addition, its not really the indexing thats the problem, its being indexed and cached. So the problem is being cached before you can password protect. but why not password protect in the first place...?

hrm, well thanks for all of your suggestions. Ill have to think over what my next step will be. But just a ? if i have his IP isent there anything i could do?

I got al little help with figuring out someones ISP and contacting them in this thread. Hope it helps.
http://www.antionline.com/showthread...hreadid=251185

Quote:

---

In addition, its not really the indexing thats the problem, its being indexed and cached.

---

Where Google is concerned yes, but other wise no.

I can come to your site and request robots.txt. If I get 404ed then you "have nothing to hide" if I get the file then I can see what you are trying to hide so I will go and look at it. It is publicly available so you have it there for someone to see - just not the whole world.

It's security by obscurity in it's worst form since you actually tell anyone what it is you don't want them to see knowing full well that once they know about it there are no further access restrictions on it...... ;)

Quote:

---

It's security by obscurity

---

Just put you out of first shot :)

I cant consider this security by obscurity. If it is the ONLY security its a crap.

But as an aditional "Protection" (i cant really call it protection) is good.

I use to configure some servers that must reside on "internet" but isnt G.A. as this. I dont want that they get indexed and ppl try the links just because "its on google".

Of course those servers have a huge protection scheme too.
It helps when you dont turn the lights on at your brand new ferrari parked at your house...

precaution maybe...

I run several sites with phpbb, some high traffic, and have been happy with it.

If you watch the phpbb site & bugtraq and patch vunerabilities when they come out, you probably won't have any problems.

Additional security measures I take on my high risk sites:
IPs that admin accounts can be logged in from are hard coded.
Auto-Login is disabled for Admin accounts.
The /admin directory is password protected and set up with htaccess.
Globals are turned off.
etc.