phpBB got hacked again (Bas***ds)

the Guru

Please dont go onto my forum as there is a horrible little pop up that you have to keep clicking

This email I got a mail from ziox.org

Subject: New user account
From: webmaster@ziox.org
Date: Wed, December 21, 2005 1:42
To: info@bungee.ie
Priority: Normal
Mailer: PHP


Fook it im taking it down and getting rid of it , there not worth it

Sposs

Who is in charge of keeping the database patched? you or your host?

Ph3n0m

Does it matter? I dont depend on my host to keep my scripts updated - thats just being lazy if you have to rely on others. However for non technical people I would hope that any host would provide an auto patch, or atleast patch once every quarter (if needs be) for non techies

OP: very vague post about the problem you were having.

1. You never mentioned what version of phpbb you were using
2. Last time you got hacked, didnt someone advise you to turn on the code generator so that people have to enter a code before an account is created?

the Guru

I got hacked about a month ago , my host fixed it for me and then advised that I was to patch it myself , im havent got a clue how to patch it ..... the version of the phpBB im running is Powered by phpBB 2.0.6 © 2001, 2002 phpBB Group

Sposs

If your on a shared DB server your host should be patching it for you ,also start moderating new sign ups to reduce the risk.

That version of Phpbb is way out of date 2.0.18 is the most recent.

CuLT

the Guru wrote:

I got hacked about a month ago , my host fixed it for me and then advised that I was to patch it myself , im havent got a clue how to patch it ..... the version of the phpBB im running is Powered by phpBB 2.0.6 © 2001, 2002 phpBB Group

Oh dear, that's a problem. There was an update roughly six months ago which removed the version number from being publicly viewable; it should only appear in the admin panel.

You're about 12 updates behind.

Ph3n0m

the Guru wrote:

I got hacked about a month ago , my host fixed it for me and then advised that I was to patch it myself , im havent got a clue how to patch it ..... the version of the phpBB im running is Powered by phpBB 2.0.6 © 2001, 2002 phpBB Group

well did you tell your host that you had no idea how to patch? if not, why not?

steve-hosting36

Hosts actually have to take responsibility for that kind of things. With the amount of phpBB we host, for example, getting all of those hacked would be a big pain, so we patch -all- customers across all shared servers every time a major patch is released. It's just good practice - especially when the customer can install via a click in the control panel, asking them to maintain and patch a piece of software they didnt install and usually dont understand is too much.

seamus

the Guru wrote:

I got hacked about a month ago , my host fixed it for me and then advised that I was to patch it myself , im havent got a clue how to patch it ..... the version of the phpBB im running is Powered by phpBB 2.0.6 © 2001, 2002 phpBB Group

It's actually extremely simple to patch. You download the "Changed Files Only" version of the latest version from here:
http://www.phpbb.com/downloads.php

This will be a (g/b)zipped file, and within the archive, you'll see a readme or install file. Read it and follow the instructions. Seriously, it's very simple.

squibs

we patch -all- customers across all shared servers every time a major patch is released

Strange - I always have to patch mine myself. I have 3 sites on 365 - 2 with phpBB. They are running 2.0.17 now and 2.0.18 has been out a while.

steve-hosting36

Simple for some people. A lot of customers with basic hosting know enough to maintain their website with a site builder, or frontpage, or similar, and wouldnt know what to do with a file like that.

steve-hosting36

squibs wrote:

Strange - I always have to patch mine myself. I have 3 sites on 365 - 2 with phpBB. They are running 2.0.17 now and 2.0.18 has been out a while.

We patch roughly on a 2 month cycle, unless a security issue pops up that makes the forums defacable or causes an issue for the server or other customers. You can of course patch yourself, our patching systems will detect the running version and not make changes.

CuLT

It's also made instantly not simple if you have a couple of mods installed. But you probably know how to update the system manually if you know how to mod it.

the Guru

seamus wrote:

It's actually extremely simple to patch. You download the "Changed Files Only" version of the latest version from here:
http://www.phpbb.com/downloads.php

This will be a (g/b)zipped file, and within the archive, you'll see a readme or install file. Read it and follow the instructions. Seriously, it's very simple.

I might have a look at that later cheers for the heads up

jd

steve-hosting36 wrote:

We patch roughly on a 2 month cycle, unless a security issue pops up that makes the forums defacable or causes an issue for the server or other customers. You can of course patch yourself, our patching systems will detect the running version and not make changes.

Er, this aint hosting365 support - either PM him or go to their site please

squibs

We patch roughly on a 2 month cycle, unless a security issue pops up that makes the forums defacable or causes an issue for the server or other customers. You can of course patch yourself, our patching systems will detect the running version and not make changes.

That's a bit different to patching when a new release comes out as you originally claimed. Don't get me wrong - it's great that you do it at all, but a lot of hacking can happen in two months!

steve-hosting36

If the release fixes an exploit that could lead to the forum being hacked, we patch immediately, as I said above. The bi-monthly cycle is for non-critical patches.

jd

jd wrote:

Er, this aint hosting365 support - either PM him or go to their site please

To be clear, ph3n0m edited my post. I don't have an account with hosting365, and my question was purely out of interest (regarding how hosts deal with modded boards). I do look after a phpbb board elsewhere, and it is modded.

john_

I gave up on PHPBB on my sites, it seems there was a problem every week or so, so i switched to V Bulletin, but i can see why people stay with PHPBB, v Bulletin can be expensive...

axer

wow, am using PhpBB and had heard it has alot of security issues but my forum isn't that important and after reading this thread I decided to see how hard (easy) it would be to access the admin section of a friends site running the same version and I must say it was way too easy. Granted the phpBB forum I tried it on was version 2.0.11 and they are up to 2.0.18 now (i think) but omfg how easy it was! I can see now why people pay the $85 a year for vbulletin. I would never use PhpBB for anything other than sites where the forum isn't anyways important.

the Guru

seamus wrote:

It's actually extremely simple to patch. You download the "Changed Files Only" version of the latest version from here:
http://www.phpbb.com/downloads.php

This will be a (g/b)zipped file, and within the archive, you'll see a readme or install file. Read it and follow the instructions. Seriously, it's very simple.

Spent allday today trying to patch or update the forum , I couldnt do It the main issue was when I tryed to look for http://www.bungee.ie/forum/install/install.php it was not there 404 Error - File not found! after I uploaded it
fook it I dont care anymore case closed I dont need a forum there not secure I cant keep it secure

Sparky

i dont trust phpbb anymore either thats why i moved to vB

Serbian

You could try the Lussumo Vanilla forum. It looks pretty nice and it's free.