post-page

PHPBB is a pain

27
responses
by
 
on
May 24th, 2005
in
General

The Pictorialis Forums have been hacked beyond repair. The hackers have left a message that says that the data is intact and can be restored but I refuse to ask them to do so or pay them in return. From what I gather, the database was modified to stuff the data into table overhead and out of the tables.

I realize that a lot of information (and a lot of hard work from users/programmers) on and about Pictorialis used to be on those forums and I would like to restore them from my last backup (from about 3 weeks ago) which I think I can do. This will take some time and the forums might not be up for some time. I apologize for the inconvenience.

I have received a lot of good advice from PHPBB admins. I concede that I had not upgraded in the past few months and was unaware that such a serious flaw existed that I had not patched. If I do manage to rescue the forums, I will migrate them over to BBPress when I get a chance and some time to script the imports. I am quite disillusioned with PHPBB. As a word of warning to others in the same boat, please make sure you upgrade to the latest every so often.

[EDIT] Forums are back up from a May 2nd backup and the latest and greatest of PHPBB. *whew*

heading
heading
27
Responses

 

Comments

  1. Andrew (1 comments.) says:

    Thanks for the advice, I hadn’t upgraded for months either. Hope you get it all working again

  2. Geof F. Morris (19 comments.) says:

    The best thing that the 2.0 branch has had [since .14] is notice that your install is out-of-date on the Admin Panel. That’s a God-send.

  3. Jason Bainbridge (4 comments.) says:

    This is of course possible with any online software that you use it just happens that phpBB is a big target and as it is such a large codebase these days hackers on a semi-regular basis find holes to exploit. You really do need to upgrade, upgrade, upgrade! All such projects should be responsible though and offer an “announce” mailing list that you can subscribe to and be notified of new releases so it is a push and not a pull.

    When something does go awry though there is a lot to be said for nightly backups, if your host doesn’t do nightly backups for you then I’d suggest looking elsewhere (you can of course set them up yourself if you have shell or Cpanel access but IMO hosts should do backups for you) or if you are hosting your site yourself setup a job to backup your database(s), gzip them and email them to a gmail account or somewhere, there are plenty of scripts out there that do that.

  4. Ozh (88 comments.) says:

    just to be curious, what version of phpbb2 was it ? did you patch regularly ? I also had a phpbb2 hacked and as a result my server’s 100Mb/s used to ping flood some dude for a couple of hours a few months ago …

  5. Mark (118 comments.) says:

    Version 2.0.11

    Backups are also very hard to do when the total size of your databases backed up exceeds 4 Gigs. :-)

    Last patch was a little over 3 months ago when the awstats scare was rampant. Did not patch for the santy worm.

    • Mark Steel (5 comments.) says:

      Wait, let me get this straight … You were running a version of phpBB released in November of 2004…

      …and complaining that *it* got hacked?

      *ANY* open source that’s been sitting out there for more than a month is probably going to be found vulnerable *to something*. Even WordPress has had its share of woes.

      Though you concede that you’d failed to upgrade it — we’re talking about FIVE YEARS, man! It wouldn’t matter *what* forum software you were running, because they *all* had the same security issue, the exact same SQL & HTML vulnerabilities, along with pretty much every other package from that year — including WordPress. And yes, disabling register_globals and enable_dl probably would have saved you, too. Unfortunately, since you were loathe to do any upgrade of phpBB in five years, I’m afraid to ask what vulnerable version of PHP you might be using. That is beligerant negligence.

      In this light, I’m gonna have to rescind some of my comment. That’s just irresponsible. There have been no less than fifty CERT warnings over the *years* since that version of phpBB was released, along with security advisories from pretty well everywhere. And pretty well every other bit of PHP-based, client-insertable software at the time had the same issue. If you’d ever so much dropped phpBB into Google you would had to have seen it… and with so many other resources, the same vulnerabilities affected literally thousands of other programs from that time… I just do not understand how you could have *possibly* been unaware. :(

      • Mark Steel (5 comments.) says:

        Oh, as for “other” PHP settings? That was also about the time everyone advised remote_fopen be closed, as well …

  6. XeroCool (7 comments.) says:

    This is why we all use IPB. :D

  7. Jason Bainbridge (4 comments.) says:

    Is that 4GB gzipped (heck you’d want to loook at BZ2 for a dump that big)? Databases backups as a general rule compress extremely well… Also for a database that big I would look at some solution for incremental backups like month to date with a regular full backup.

  8. Ajay D'Souza (39 comments.) says:

    Why not shift over to Simple Machines Forum?

  9. wirjo (1 comments.) says:

    That’s just bad luck. Good luck on your new forums.

  10. Alex Bischoff (3 comments.) says:

    PunBB is also rather nice. It’s released under the GPL and runs on PHP. And, it outputs valid XHTML to boot :).

  11. Sencer (1 comments.) says:

    > All such projects should be responsible though and offer an
    > “announce” mailing list that you can subscribe to and be notified of
    > new releases so it is a push and not a pull.

    Which is exactly what phpBB has done several months ago (read the announcement from December): http://www.phpbb.com/phpBB/viewtopic.php?t=249416

  12. The Ar'tak (1 comments.) says:

    Simple Machines is an excellent forum service that includes on their administration panel an RSS feed that provides you with the notice that there are updates available, and a package manager that lets you download directly from their site and install it. The ultimate in lazy, perhaps, but since you probably go in the administration section frequently, it makes a lot of sense. Highly recommended.

  13. wepouys says:

    Hello !
    Sorry to bother you. I found this forum when looking through google for forums to use. I need
    to install a forum on my website but I cannot find where it is sold.

    Where did you get this one

    Thanks for any assistance

  14. John Sharp (5 comments.) says:

    Backup, Backup, Backup, and then Backup some more. I have been hit many times by hackers… not just phpbb… oh ya after you Backup Check for UPGRADES… One trick I use so you not always running a MD5 hash on your server files… is to open a clean copy of a backup run a hash on the files THEN download the hacked files run a hash on them, then compare, you find most hacked files that way. But having a clean backup every day means at the most you lost only 24hours of data when you reinstall. and don’t forget to Backup and UPGRADE.

  15. Jessi says:

    Some people always say that it’s not just PHPBB, but I’ve used plenty of forums & PHPBB to date is the only one that seems to get hacked constantly. It’s like a regular basis thing.

  16. John Sharp (5 comments.) says:

    phpbb is so unsecured that by the time a fix is out its way to late. just install a local copy and hackit yourself and you will see what I mean. there is always a way in. I don’t care what the phpbb people say.

  17. Mark Steel (5 comments.) says:

    [rant]This comment isn’t meant to be combative and aggressive towards the author as much as some of the commenters here.

    Ya know, horse crap, guys. Seriously. It’s one thing when the software is inherently insecure like, oh, PHP-Nuke. Hell, I’d even go as far to say Gallery, as well, thanks to its ridiculous feature bloat. But phpBB just isn’t that way. Having done some development on phpBB as well as WordPress, I honestly believe that 99% of the issues with phpBB *are* the administrator’s fault. With BOTH pieces of software, if you don’t secure your php installation, it’s gonna get hacked. You don’t patch your software on a regular basis, it’s gonna get hacked. Period, the end.

    phpBB’s been around a *long* time. There are plenty of resources to keep people up-to-date on when to upgrade, when a patch is available, and how to secure the installation. If people don’t use those resources, where does the blame lie?

    I sorry to say, Mark, but blaming the software for the problem makes about as much sense as running WordPress 2.3 with register_globals open — or, like Jeff said, blaming the WordPress team because 2.9 “isn’t tested” and people aren’t using the resources available to help make it a better product.

    And by the way — if you’d had register_globals, enable_dl and a couple of other settings checked off in php.ini (as has been the case for about six years), there’d most likely never have been a problem.

    Running software on the Internet takes responsibility on the part of the administrator, and the web host the administrator chooses to host their application with.

    It always has, and it always will.[/rant]

    • Mark Steel (5 comments.) says:

      One more serious point, Mark — I just looked to see where you’re hosting the site. All hosting is not created equal … sometimes, you get what you pay for. :(

      • Mark Steel (5 comments.) says:

        OK, my mistake. My mistake. I made a typo and say GoDaddy as a host. Oops. I blew it that time. So yeah — secure php.ini. Problems mostly solved.



Trackbacks/Pingbacks

  1. phpBB – Cautionary tale

    “The Pictorialis Forums have been hacked beyond repair. The hackers have left a message that says that the data is intact and can be restored but I refuse to ask them to do so or pay them in return. From what I gather, the database was modified …

  2. HTNet says:

    Data Ransom, A Trend?

    I was reading this article on hackers locking files and demanding ransom for unlocking it, which somehow eerily reminds me of this recent post I’ve read on Weblog Tools Collection. At the time of the hack, this was how the Pictorialis Forums loo…

  3. […] 1 前陣子在 Weblog Tools Collection 出現 這篇 . 如果是從以前就有å […]

  4. PhpBB is a pain!?

    前陣子在 Weblog Tools Collection 出現 這篇 .

    如果是從以前就有在看我這個 Blog 的人, 應該也都看過 phpBB 的版本更新訊息.

    在各種論壇系統裡面, phpBB 的效能算是很好的一套, 而且在全世界站台丅

  5. PhpBB is a pain!?

    前陣子在 Weblog Tools Collection 出現 這篇 .

    如果是從以前就有在看我這個 Blog 的人, 應該也都看過 phpBB 的版本更新訊息.

    在各種論壇系統裡面, phpBB 的效能算是很好的一套, 而且在全世界站台丅

  6. […] Weblog Tools Collection ?? ?? […]

Obviously Powered by WordPress. © 2003-2013

page counter
css.php