View Full Version : Hacked!
princec
03-16-2005, 02:49 AM
Sorry about that folks, we just got hacked and had our forums destroyed, and a few of you probably got a smartass mail from the hacker.
I think that's the end of the road for my forums, which have done their job but are no longer really any use any more.
Again, sorry for the inconvenience.
Anyone using phpbb should probably get the fix installed right away which is detailed here (http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563)
Cas :)
Jack Norton
03-16-2005, 02:58 AM
Anyone using phpbb should probably get the fix installed right away
Bah I think anyone using free forums needs either to back up daily or give up... I can't watch for updates 24/24 and keep making games ;)
patrox
03-16-2005, 03:04 AM
Thanks for the info, fixing mine!
pat.
svero
03-16-2005, 03:13 AM
My server has been hacked 3 times... each time through phpbb. Time to give it the boot I think.
Jack Norton
03-16-2005, 03:30 AM
Question: are there any other free forums out there that can't be hacked by an 8 year old with an automated script? :eek:
tolik
03-16-2005, 03:34 AM
I was maintaining different forums and we were hacked a couple of times through phpBB. Since I was personally maintaining a server, I had daily backups of all stuff so everybody was really excited about how quickly we were recovering.
However lately I've assigned all my maintaining duties to other people... They are telling awful stories about servers being hacked and rootkited. Here's the basic scheme of how it happens:
1) There's a hole in phpBB.
It means it allows access to the server through Apache and MySQL.
If Apache or MySQL are run using some nice privileges, malicious kids could put temp files on the server.
If it's done, they could analyze the server and use local vulnerabilities like different kernel-level exploits to gain root privileges.
Then, the server is rootkited. There's a trojan virus which allows them to innocently control the machine without logs. You are doomed, you need to re-install the entire machine and do a complete check of your phpBB db to be sure there are no fake admins, and of the php files to see if they haven't added any backdoors which will allow them to hack you after the reinstall.
etcetc
BUT!
I'm not going to buy vB because of its IDIOTIC license. Single domain. Single forum. Because of a domain transfer the authors could revoke your license (I've heard dozens of stories like that) if they don't like your email (you've changed email since then). If they don't like your credit card - same story. I've heard DOZENS of stories about licenses being revoked for different reasons.
And if somebody will post something on your forum which is illegal in any way, your license could be revoked too.
Fantus
03-16-2005, 03:50 AM
I use Invision Power Board v1.1.1 (which is the last free version they released as far as I know). This forum works better than phpbb imo, and since it's not as popular as phpbb, chances of getting hacked are slim. I never had problems with it anyway.
princec
03-16-2005, 03:58 AM
I think I might try a realtime applet forum in future. With proper threading and stuff. Might be pretty nifty. Won't take too long to write either and it'll be totally secure.
Cas :)
AndyN
03-16-2005, 04:11 AM
It's damn annoying, a site on my server running phpNuke got hacked using SQL injection by some 8 year old. They sent a message along the lines of '1 am l33t u r l4m3 1 hax u lol'
Yes, well done 'neo' you little stain. You got a tutorial off the internet and got someone to read it to you.
This is why I'm kinda wary about open source stuff now, it takes a bit longer to write your own but at least you're less likely to fall prey to pointless little turds who've watched the Matrix one time too many.
cliffski
03-16-2005, 05:23 AM
mine got melted a few days ago for the second time. pathetic little script kiddies...
I'm now using a site which hosts phpbb for free. Only set it up yesterday so not sure if it's reliable etc. But that means protecting it is someone else's problem. Not ideal, but my forums are quite nice to have, and I refuse to give in to some 12 year old with a script he got from irc because he is so l33t.
grrrrrrrr.
wazoo
03-16-2005, 05:38 AM
Ouch...
I'd better put the new phpBB patch on them to avoid getting hacked (*cross fingers*)
thanks for the warnings guys!
Sirrus
03-16-2005, 05:43 AM
Why do so many of you run personal servers?
Running on a third party gives you better security, higher speeds (most of the time), and extreme reduction of cost.
What are the pros?
ManuelFLara
03-16-2005, 05:54 AM
I guess the main pros are:
- A lot more bandwidth (there are people who need it)
- Total control about what and how it's installed on the system (cron programs, PHP/Apache/whatever configuration, etc.)
Jack Norton
03-16-2005, 06:01 AM
Why do so many of you run personal servers?
Running on a third party gives you better security, higher speeds (most of the time), and extreme reduction of cost.
What are the pros?
I got hacked while I was on a shared server (Was old USM site).
I have much more speed now (almost 2x during peak hours).
I pay more but when I register a domain I can go on go-daddy and have one for $8 (with my old ISP I was paying $16)
Gnatinator
03-16-2005, 06:05 AM
Ouch, sorry to hear that prince. I only very recently heard of the security exploit while stumbling onto a cracking/hacking forum. Apparently, 2.0.11 - 2.0.12 are "very easy to hack", even the regulars on that specific forum recommended everyone upgrade to the latest patch.
I've been considering switching to vBulletin or Invision Power Board myself, but it's such a waste :( , I totally tricked and pimped out my forum just a month ago.
Bah I think anyone using free forums need either to backup daily or give up... I can't watch for updates 24/24 and keep making games
I personally would much rather be informed about the latest security exploits, rather than hiding in the dark and hoping nothing will happen. If my business depends on the internet to make sales then I would think it would be part of the job.
Chris Evans
03-16-2005, 07:53 AM
How are you guys performing backups? Are you keeping them off the main server somewhere?
Getting rid of my forum isn't an option since I have a lot of long time members. But I'm planning to move the phpBB forum to a separate server, so if I ever get hacked my main site will be unaffected. The rate which people are getting hacked through phpBB lately is alarming.
This is one of the main reasons why I don't ever use free CGI/PHP scripts or open source software that can be tampered with by the public. I always create my own custom CGI scripts. Looks like it might be time to change the forum software as well.
Does Vbulletin have any conversion utilities for phpBB?
Gnatinator
03-16-2005, 09:12 AM
How are you guys performing backups? Are you keeping them off the main server somewhere?
With phpbb, go under admin tools->General Admin->Backup Database. It's pretty small so I just save this to my hard drive every so often.
z3lda
03-16-2005, 09:22 AM
Ouch that sucks. I recently removed the link to my forums. It seems random people would sign up and link to porn sites in their info and post messages to a bunch of more porn sites :).
Frozen In Ice
03-16-2005, 10:00 AM
Here's the warning from the Internet Storm Center. Folks can read up on it and many other warnings at SANS - Internet Storm Center (http://isc.sans.org/)
(One of yesterday's warnings)
More about phpBB <= 2.0.12
phpBB 2.0.13 is still safe. An exploit has been released for phpBB bulletin boards. This exploit tries to drop netcat into the web root. There is another binary in tmp which I have not directly identified which appears to exploit a race condition in the Linux kernel. The file name is pwned and it calls a data file called TTdummyfile. Previous diary entries regarding phpBB:
http://isc.sans.org/diary.php?date=2005-03-12
http://isc.sans.org/diary.php?date=2005-02-27
http://isc.sans.org/diary.php?date=2005-02-22
We have had one report of a system compromised with this tool. Since it creates at least one backdoor on the system my recommendation is to take the machine offline and rebuild it. With the caveat that the same exploit path may still exist since from the report that I have seen the exploit works on all the current versions of phpBB, Apache, and PHP. I will update this information as I learn more. The exploit is listed as affecting versions phpbb <= 2.0.12. The report we got today was running version 2.0.12. It had not been fully patched to 2.0.13. I was informed this evening that the netcat file was downloaded by the owner and not the exploit to compare to the pwned and other files in the tmp directory.
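Both tolik's post above (check the phpBB database for fake admins and the PHP files for added backdoors) and the ISC diary (netcat in the web root, a `pwned` binary and a `TTdummyfile` data file in tmp) describe what to look for after a phpBB compromise. The script below is an added example, not code from this thread, from phpBB or from ISC: it walks a web root and a tmp directory and reports the things those two posts name. The sample file tree it builds is constructed for the example, the `since_epoch` baseline (time of your last known-good install or patch) is an assumption, and the admin-check SQL is shown only as the query to run by hand against the `phpbb_` tables.

```python
"""Post-compromise audit of a phpBB 2 web root and tmp directory (added example)."""
import os
import re
import stat
import tempfile
import time

# File names the ISC diary associates with the phpBB exploit's droppings.
KNOWN_DROPPINGS = {"pwned", "TTdummyfile", "nc", "netcat"}
ELF_MAGIC = b"\x7fELF"

# Code that does not belong in a stock phpBB 2 tree: shell execution fed by a
# request parameter, or an obfuscated payload handed to eval().
SHELL_PATTERNS = re.compile(
    rb"(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"
    rb"|eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"
)

# phpBB 2 stores admins as user_level = 1; run this by hand and compare the
# list with the admins you actually created (assumption: default table prefix).
ADMIN_CHECK_SQL = "SELECT username, user_email, user_regdate FROM phpbb_users WHERE user_level = 1"


def is_executable(path):
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def audit_webroot(webroot, since_epoch):
    """Return (finding, relative_path) pairs for suspicious files under webroot."""
    findings = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            with open(path, "rb") as f:
                head = f.read(65536)
            # A native binary (netcat, an exploit) has no business in a PHP web root.
            if name in KNOWN_DROPPINGS or head.startswith(ELF_MAGIC):
                findings.append(("binary_in_webroot", rel))
                continue
            if name.endswith(".php"):
                if os.stat(path).st_mtime > since_epoch:
                    findings.append(("php_modified_after_baseline", rel))
                if SHELL_PATTERNS.search(head):
                    findings.append(("shell_code_in_php", rel))
    return findings


def audit_tmp(tmpdir):
    """Return (finding, name) pairs for known droppings or executables in tmp."""
    findings = []
    for name in sorted(os.listdir(tmpdir)):
        path = os.path.join(tmpdir, name)
        if not os.path.isfile(path):
            continue
        if name in KNOWN_DROPPINGS:
            findings.append(("known_dropping_in_tmp", name))
        elif is_executable(path):
            findings.append(("executable_in_tmp", name))
    return findings


def build_sample_tree():
    """Constructed sample: a tiny web root and tmp with one of each finding."""
    root = tempfile.mkdtemp()
    web, tmp = os.path.join(root, "htdocs"), os.path.join(root, "tmp")
    os.makedirs(os.path.join(web, "forum"))
    os.makedirs(tmp)
    baseline = int(time.time()) - 90 * 86400  # "installed 90 days ago"

    def put(path, data, mtime=None, mode=0o644):
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    put(os.path.join(web, "forum", "viewtopic.php"), b"<?php // stock phpBB file ?>\n", baseline)
    put(os.path.join(web, "forum", "cache.php"), b"<?php system($_GET['c']); ?>\n")  # backdoor, new
    put(os.path.join(web, "forum", "nc"), ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 32, mode=0o755)
    put(os.path.join(tmp, "pwned"), ELF_MAGIC + b"\0" * 16, mode=0o755)
    put(os.path.join(tmp, "TTdummyfile"), b"data\n")
    put(os.path.join(tmp, "sess_abc123"), b"")  # ordinary PHP session file, ignored
    return web, tmp, baseline


if __name__ == "__main__":
    web, tmp, baseline = build_sample_tree()
    for finding in audit_webroot(web, baseline) + audit_tmp(tmp):
        print(*finding)
    print("Then run by hand:", ADMIN_CHECK_SQL)
```

Treat every hit as a reason to rebuild rather than clean, as the diary says: the script shows you what was dropped, not everything a rootkit may have changed.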
Kai Backman
03-16-2005, 12:27 PM
Does Vbulletin have any conversion utilities for phpBB?
Pretty good ones. My transition took a few hours. The vBulletin admin interface is an improvement over phpBB.
I use IBackup (http://www.ibackup.com) for backups.
Sillysoft
03-16-2005, 04:08 PM
Anyone who runs phpBB should sign-up for their mailing list. You get notified anytime there is a new release. I have applied the patches for the last 2 versions soon after getting the announcement, and have had no hacks (that I know of). You can sign-up here:
http://www.phpbb.com/support/
Anyone who runs phpBB should sign-up for their mailing list.
Yes - when I applied the 2.0.12 patch because of the mail list - I checked the server logs for the highlight code attack and there were 2000 hits to it the day after.
I think the phpbb team are doing as good a job as any others - the problem is they are the highest profile open source board, and so the most attacked. Conversely - you know they get phpbb patched up really quickly.
We also run a cron job that does a mysql dump every day though, just in case.
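The "highlight code attack" mentioned above is the public phpBB 2 viewtopic.php exploit that sends a double-URL-encoded quote (`%2527`) in the `highlight=` parameter followed by PHP code. The checker below is an added example, not code from the thread or from phpBB: it parses Apache combined-format access log lines, keeps the viewtopic.php requests, and flags any `highlight=` value that is not a plain list of search words, counting hits per day the way the poster did. The log lines are constructed for the example; the Apache combined format is assumed.

```python
"""Flag phpBB 2 viewtopic.php highlight= attacks in an Apache combined log (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" line: client ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# A legitimate highlight value is search words: letters, digits, underscores,
# spaces (a '+' decodes to one) and hyphens.
LEGIT_HIGHLIGHT = re.compile(r"^[\w +-]*$")

# Tokens of the public exploit after one round of URL decoding (which parse_qs
# performs): a surviving %27 is the double-encoded quote, the rest are the PHP
# calls the injected code relies on.
ATTACK_TOKENS = re.compile(
    r"%27|'|\$|\(|chr\b|system|passthru|exec|shell_exec|fopen|fwrite|fputs|base64_decode|phpinfo",
    re.IGNORECASE,
)


def classify_highlight(value):
    """Return 'attack', 'odd' (not search words, not a known exploit) or 'ok'."""
    if ATTACK_TOKENS.search(value):
        return "attack"
    if not LEGIT_HIGHLIGHT.match(value):
        return "odd"
    return "ok"


def scan_log(lines):
    """Return one dict per viewtopic.php request whose highlight= is not a plain search."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/viewtopic.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
            verdict = classify_highlight(value)
            if verdict != "ok":
                hits.append({
                    "ip": m.group("ip"),
                    "date": m.group("ts").split(":", 1)[0],  # e.g. 16/Mar/2005
                    "status": int(m.group("status")),
                    "verdict": verdict,
                    "highlight": value,
                })
    return hits


def hits_per_day(hits):
    """Count flagged requests per day."""
    return Counter(h["date"] for h in hits)


# Constructed sample log: two normal topic views, two exploit attempts from one
# host, one malformed highlight, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2005:09:01:12 +0000] "GET /forum/viewtopic.php?t=42&highlight=java+applet HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Mar/2005:09:02:40 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8011 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Mar/2005:01:13:05 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.system(chr(108)).%2527 HTTP/1.0" 200 9000 "-" "-"
192.0.2.9 - - [16/Mar/2005:01:13:06 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.passthru(chr(105)).%2527 HTTP/1.0" 500 0 "-" "-"
198.51.100.2 - - [16/Mar/2005:02:00:00 +0000] "GET /forum/viewtopic.php?t=7&highlight=%3Cscript%3E HTTP/1.1" 200 7000 "-" "Mozilla/4.0"
10.0.0.5 - - [16/Mar/2005:03:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["date"], h["ip"], h["status"], h["verdict"], h["highlight"])
    print(dict(hits_per_day(found)))
```

A 200 status on a flagged request does not mean the injection worked (a patched board answers 200 too), so use the per-day counts to see when the scanning started and the source addresses to decide what to block; the question of whether any attempt succeeded is answered on the host, not in the access log.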
Derek Yu
03-17-2005, 08:49 PM
Argh, sorry to hear that, Cas! My own forum got hacked a few days ago, and as a result, Berkeley shut my account down. My sympathies... :(
Dan MacDonald
03-17-2005, 09:21 PM
Anyone serious about hosting a forum should not use phpbb. It's so full of exploits. It seems every time I turn around I'm hearing about someone's phpbb that got hacked by a script kiddy and got their server shut down.
Jack Norton
03-18-2005, 01:32 AM
Anyone serious about hosting a forum should not use phpbb. It's so full of exploits. It seems every time I turn around I'm hearing about someone's phpbb that got hacked by a script kiddy and got their server shut down.
I agree to this 100% !
Pyabo
03-18-2005, 01:50 PM
Isn't there a way to *safely* host phpbb without resorting to a separate server or account?