How can this be possible (PhpBB hack thread)
Moderator: Thanas
- EmKay
Question for you wizards out there.
I, together with my friends, had a private forum, only for discussing private matters between us. And recently, someone stole some posts and published them on an open forum (shit hit the fan btw, but that's a different story).
Tell me, how difficult is it to hack such a forum? It was posted on a big forum server (www.fora.pl), which should theoretically make it more difficult to track. Also, we had a limited number of users and we looked if someone didn't create an account. Also, access to reading & posting was restricted by our admin, so you had to be a logged-in user to read anything.
I also had the impression that someone was reading the forum live, and it wasn't an inside rat who leaked the information outside.
- Dalton
- For Those About to Rock We Salute You
- Posts: 22637
- Joined: 2002-07-03 06:16pm
- Location: New York, the Fuck You State
Someone may have hacked an account. Happened here once too.
To Absent Friends
"y = mx + bro" - Surlethe
"You try THAT shit again, kid, and I will mod you. I will
mod you so hard, you'll wish I were Dalton." - Lagmonster
May the way of the Hero lead to the Triforce.
- Dalton
EmKay wrote: which basically means that an outsider logs in using existing forum account details. Does phpBB track IP details of succeeding logins?
Normally you can check what IPs a user has logged in with by clicking on the IP button on someone's post. At least, that's how it works here.
- Dalton
Dalton wrote: Normally you can check what IPs a user has logged in with by clicking on the IP button on someone's post. At least, that's how it works here.
Destructionator XIII wrote: That is only if the user actually posted from that IP at least once. If he was just browsing, the IP is not logged.
Oh, my bad.
- Darth Wong
- Sith Lord
- Posts: 70028
- Joined: 2002-07-03 12:25am
- Location: Toronto, Canada
Re: How can this be possible (PhpBB hack thread)
EmKay wrote: Question for you wizards out there.
I, together with my friends, had a private forum, only for discussing private matters between us. And recently, someone stole some posts and published them on an open forum (shit hit the fan btw, but that's a different story).
Tell me, how difficult is it to hack such a forum? It was posted on a big forum server (www.fora.pl), which should theoretically make it more difficult to track. Also, we had a limited number of users and we looked if someone didn't create an account. Also, access to reading & posting was restricted by our admin, so you had to be a logged-in user to read anything.
I also had the impression that someone was reading the forum live, and it wasn't an inside rat who leaked the information outside.
There are two principal ways of hacking a phpBB forum:
1) Hack into somebody's account by guessing his password or using a dictionary-based brute-force password search (this can't be done here because we lock out users after 3 failed login attempts, so you can't just rack up hundreds or thousands of automated login attempts with a dictionary search program).
2) Take advantage of somebody who failed to update his software when security updates came out. It's amazing how many people out there are still running ancient versions of phpBB. It's like people who never install any of the security patches for Windows; they're just asking for it.
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing
"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC
"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness
"Viagra commercials appear to save lives" - tharkûn on US health care.
http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
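Two of the points above, Dalton's (phpBB only records an IP when the account posts, so a stolen account that merely reads leaves no trace in the IP button) and Darth Wong's (a lockout after three failed logins stops a dictionary search), can be made concrete in a toy login gate. The following is an added example written for this page; it is not phpBB code and does not use phpBB's tables. The account name, password, IP addresses and word list are all constructed for the demonstration.

```python
"""Added example (not phpBB code): a toy login gate for a small private forum.

It shows the two points raised in the thread above:
  * record the source IP of every successful login, not only of posts,
    so an account that is merely being read from a stranger's address
    still leaves a trace;
  * lock an account after three consecutive failed logins, so an
    automated dictionary search cannot rack up thousands of guesses.

Every account, password, IP address and word in the list below is
constructed for the example.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # failed attempts before the lockout
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked


def hash_password(password, salt=None):
    """Salted PBKDF2; returns (salt, digest). Never store plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGate:
    def __init__(self):
        self.accounts = {}                # user -> (salt, digest)
        self.failures = defaultdict(int)  # consecutive failures per user
        self.locked_until = {}            # user -> datetime
        self.login_log = []               # (time, user, ip, outcome)

    def register(self, user, password):
        self.accounts[user] = hash_password(password)

    def attempt(self, user, password, ip, now):
        """Return 'ok', 'fail' or 'locked'; every attempt is logged with its IP."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            self.login_log.append((now, user, ip, "locked"))
            return "locked"          # the password is not even checked
        stored = self.accounts.get(user)
        if stored is None:
            hash_password(password)  # burn the same time for unknown users
            ok = False
        else:
            salt, digest = stored
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures[user] = 0
            self.login_log.append((now, user, ip, "ok"))
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures[user] = 0
        self.login_log.append((now, user, ip, "fail"))
        return "fail"

    def ips_for(self, user):
        """Every address that has successfully logged in as `user`, posts or not."""
        return sorted({ip for _, u, ip, res in self.login_log
                       if u == user and res == "ok"})


def dictionary_attack(gate, user, wordlist, ip, start):
    """Simulate an automated guesser: one word per second until success."""
    outcomes = []
    for i, guess in enumerate(wordlist):
        result = gate.attempt(user, guess, ip, start + timedelta(seconds=i))
        outcomes.append(result)
        if result == "ok":
            return outcomes, True
    return outcomes, False


def demo():
    gate = LoginGate()
    gate.register("emkay", "correct horse")
    t0 = datetime(2008, 1, 1, 12, 0)
    gate.attempt("emkay", "correct horse", "192.0.2.10", t0)  # owner, usual address

    # The attacker's word list does contain the real password, but the lockout
    # trips after the third miss and the remaining guesses are never tested.
    words = ["password", "123456", "letmein", "qwerty", "correct horse"]
    outcomes, cracked = dictionary_attack(
        gate, "emkay", words, "203.0.113.5", t0 + timedelta(minutes=1))

    # Later the attacker obtains the real password some other way and only
    # reads the forum. A per-post IP button shows nothing; the login log does.
    gate.attempt("emkay", "correct horse", "203.0.113.5", t0 + timedelta(hours=1))
    return outcomes, cracked, gate.ips_for("emkay")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives three failures, two attempts rejected as "locked" without the password being checked, no crack, and a login log that lists both 192.0.2.10 and 203.0.113.5 for the account even though the second address never posted. The caveat a practitioner would add: a per-account lockout lets anyone lock a user out by deliberately failing three times, so real deployments usually throttle per source address as well or use growing delays; and a login log only helps if the admin keeps it and actually looks at it.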
- ggs
phpBB is one of those software packages which must be updated as soon as the patch comes out. It can be worse than Windows.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
- Darth Wong
ggs wrote: phpBB is one of those software packages which must be updated as soon as the patch comes out. It can be worse than Windows.
True, because it's a web app, and that means it's online 24 hours a day. With a Windows security flaw, if you're behind a firewall it might not affect you at all, even if you never update. And if it's related to web browsing, it might not affect you until you visit a website that takes advantage of the vulnerability, which also might not happen. But with a web app like phpBB, once a hack comes out the script kiddies will simply do a Google search to find all the websites using it, and then go to town.