27
Responses
Comments
Trackbacks/Pingbacks
-
phpBB – Cautionary tale
“The Pictorialis Forums have been hacked beyond repair. The hackers have left a message that says that the data is intact and can be restored but I refuse to ask them to do so or pay them in return. From what I gather, the database was modified …
-
Data Ransom, A Trend?
I was reading this article on hackers locking files and demanding ransom for unlocking it, which somehow eerily reminds me of this recent post I’ve read on Weblog Tools Collection. At the time of the hack, this was how the Pictorialis Forums loo…
-
[…] 1 å‰é™£å在 Weblog Tools Collection å‡ºç¾ é€™ç¯‡ . 如果是從以å‰å°±æœ‰å […]
-
PhpBB is a pain!?
å‰é™£å在 Weblog Tools Collection å‡ºç¾ é€™ç¯‡ .
如果是從以å‰å°±æœ‰åœ¨çœ‹æˆ‘這個 Blog 的人, æ‡‰è©²ä¹Ÿéƒ½çœ‹éŽ phpBB 的版本更新訊æ¯.
在å„種論壇系統裡é¢, phpBB 的效能算是很好的一套, 而且在全世界站å°ä¸…
-
PhpBB is a pain!?
å‰é™£å在 Weblog Tools Collection å‡ºç¾ é€™ç¯‡ .
如果是從以å‰å°±æœ‰åœ¨çœ‹æˆ‘這個 Blog 的人, æ‡‰è©²ä¹Ÿéƒ½çœ‹éŽ phpBB 的版本更新訊æ¯.
在å„種論壇系統裡é¢, phpBB 的效能算是很好的一套, 而且在全世界站å°ä¸…
-
[…] Weblog Tools Collection ?? ?? […]
Translate This Page
About the Author
- Mark Ghosh
An avid fan of business, education, technology and finance. I lead a lean, highly focussed and capable team of Java Back End developers and Front End developers through a maze of complex software wizardry to fulfill the web maintenance needs of a large chemical manufacturer. As per Myers-Briggs Personality Types, I am an ESTJ. I pride in a project completed on time and according to plan. My hobbies include all kinds of technology, anything that I can taste and anything that goes fast or flies in the air. I like to read business books and comics in my spare time.
Categories
- bbpress
- Best of WordPress
- Blog Templates Blog Skins Blog Themes
- Blogging
- Blogging Essays
- Blogging News
- brainstorming
- buddypress
- Business of Blogging
- CMS
- Code
- Cold Fusion
- Community Interviews
- Cool Scripts
- General
- HOW-TO
- LinkyLoo
- Movable Type Plugins
- Photolog Script
- Podcasting
- QuickLinking
- Spam
- SXSW
- TLA
- Tutorials
- User Reviews
- Web Design
- Web Ethics
- Weblog Add-Ons
- Weblog tools blog tools blogging tools
- Weekly Plugin Review
- WLTC Community
- wordcamp
- WordPress
- WordPress Discussions
- WordPress FAQs
- Wordpress for Beginners
- WordPress Hack
- WordPress News
- WordPress Plugin Competition
- WordPress Plugins
- WordPress Polls
- WordPress Security
- WordPress Templates WordPress Skins WordPress Themes
- WordPress Tips
- WordPress Tools
- WordPress Troubleshooting
- WordPress Weekly
- WordPress Widgets
- WordPress WishList
- XHTML Tips
Obviously Powered by WordPress. © 2003-2013
Thanks for the advice, I hadn’t upgraded for months either. Hope you get it all working again
The best thing that the 2.0 branch has had [since .14] is notice that your install is out-of-date on the Admin Panel. That’s a God-send.
This is of course possible with any online software that you use it just happens that phpBB is a big target and as it is such a large codebase these days hackers on a semi-regular basis find holes to exploit. You really do need to upgrade, upgrade, upgrade! All such projects should be responsible though and offer an “announce” mailing list that you can subscribe to and be notified of new releases so it is a push and not a pull.
When something does go awry though there is a lot to be said for nightly backups, if your host doesn’t do nightly backups for you then I’d suggest looking elsewhere (you can of course set them up yourself if you have shell or Cpanel access but IMO hosts should do backups for you) or if you are hosting your site yourself setup a job to backup your database(s), gzip them and email them to a gmail account or somewhere, there are plenty of scripts out there that do that.
just to be curious, what version of phpbb2 was it ? did you patch regularly ? I also had a phpbb2 hacked and as a result my server’s 100Mb/s used to ping flood some dude for a couple of hours a few months ago …
Version 2.0.11
Backups are also very hard to do when the total size of your databases backed up exceeds 4 Gigs.
Last patch was a little over 3 months ago when the awstats scare was rampant. Did not patch for the santy worm.
Wait, let me get this straight … You were running a version of phpBB released in November of 2004…
…and complaining that *it* got hacked?
*ANY* open source that’s been sitting out there for more than a month is probably going to be found vulnerable *to something*. Even WordPress has had its share of woes.
Though you concede that you’d failed to upgrade it — we’re talking about FIVE YEARS, man! It wouldn’t matter *what* forum software you were running, because they *all* had the same security issue, the exact same SQL & HTML vulnerabilities, along with pretty much every other package from that year — including WordPress. And yes, disabling register_globals and enable_dl probably would have saved you, too. Unfortunately, since you were loathe to do any upgrade of phpBB in five years, I’m afraid to ask what vulnerable version of PHP you might be using. That is beligerant negligence.
In this light, I’m gonna have to rescind some of my comment. That’s just irresponsible. There have been no less than fifty CERT warnings over the *years* since that version of phpBB was released, along with security advisories from pretty well everywhere. And pretty well every other bit of PHP-based, client-insertable software at the time had the same issue. If you’d ever so much dropped phpBB into Google you would had to have seen it… and with so many other resources, the same vulnerabilities affected literally thousands of other programs from that time… I just do not understand how you could have *possibly* been unaware.
Oh, as for “other” PHP settings? That was also about the time everyone advised remote_fopen be closed, as well …
This is why we all use IPB.
Is that 4GB gzipped (heck you’d want to loook at BZ2 for a dump that big)? Databases backups as a general rule compress extremely well… Also for a database that big I would look at some solution for incremental backups like month to date with a regular full backup.
Why not shift over to Simple Machines Forum?
That’s just bad luck. Good luck on your new forums.
PunBB is also rather nice. It’s released under the GPL and runs on PHP. And, it outputs valid XHTML to boot :).
> All such projects should be responsible though and offer an
> “announce†mailing list that you can subscribe to and be notified of
> new releases so it is a push and not a pull.
Which is exactly what phpBB has done several months ago (read the announcement from December): http://www.phpbb.com/phpBB/viewtopic.php?t=249416
Simple Machines is an excellent forum service that includes on their administration panel an RSS feed that provides you with the notice that there are updates available, and a package manager that lets you download directly from their site and install it. The ultimate in lazy, perhaps, but since you probably go in the administration section frequently, it makes a lot of sense. Highly recommended.
Hello !
Sorry to bother you. I found this forum when looking through google for forums to use. I need
to install a forum on my website but I cannot find where it is sold.
Where did you get this one
Thanks for any assistance
Backup, Backup, Backup, and then Backup some more. I have been hit many times by hackers… not just phpbb… oh ya after you Backup Check for UPGRADES… One trick I use so you not always running a MD5 hash on your server files… is to open a clean copy of a backup run a hash on the files THEN download the hacked files run a hash on them, then compare, you find most hacked files that way. But having a clean backup every day means at the most you lost only 24hours of data when you reinstall. and don’t forget to Backup and UPGRADE.
Some people always say that it’s not just PHPBB, but I’ve used plenty of forums & PHPBB to date is the only one that seems to get hacked constantly. It’s like a regular basis thing.
phpbb is so unsecured that by the time a fix is out its way to late. just install a local copy and hackit yourself and you will see what I mean. there is always a way in. I don’t care what the phpbb people say.
[rant]This comment isn’t meant to be combative and aggressive towards the author as much as some of the commenters here.
Ya know, horse crap, guys. Seriously. It’s one thing when the software is inherently insecure like, oh, PHP-Nuke. Hell, I’d even go as far to say Gallery, as well, thanks to its ridiculous feature bloat. But phpBB just isn’t that way. Having done some development on phpBB as well as WordPress, I honestly believe that 99% of the issues with phpBB *are* the administrator’s fault. With BOTH pieces of software, if you don’t secure your php installation, it’s gonna get hacked. You don’t patch your software on a regular basis, it’s gonna get hacked. Period, the end.
phpBB’s been around a *long* time. There are plenty of resources to keep people up-to-date on when to upgrade, when a patch is available, and how to secure the installation. If people don’t use those resources, where does the blame lie?
I sorry to say, Mark, but blaming the software for the problem makes about as much sense as running WordPress 2.3 with register_globals open — or, like Jeff said, blaming the WordPress team because 2.9 “isn’t tested” and people aren’t using the resources available to help make it a better product.
And by the way — if you’d had register_globals, enable_dl and a couple of other settings checked off in php.ini (as has been the case for about six years), there’d most likely never have been a problem.
Running software on the Internet takes responsibility on the part of the administrator, and the web host the administrator chooses to host their application with.
It always has, and it always will.[/rant]
One more serious point, Mark — I just looked to see where you’re hosting the site. All hosting is not created equal … sometimes, you get what you pay for.
OK, my mistake. My mistake. I made a typo and say GoDaddy as a host. Oops. I blew it that time. So yeah — secure php.ini. Problems mostly solved.