How can this be possible (PhpBB hack thread)

Posted: 2005-11-19 04:37pm
by Tolya
Question for you wizards out there.

I, together with my friends, had a private forum, only for discussing private matters between us. And recently, someone stole some posts and published them on an open forum (shit hit the fan btw, but that's a different story).

Tell me, how difficult is it to hack such a forum? It was posted on a big forum server (www.fora.pl), which should theoretically make it more difficult to track. Also, we had a limited number of users and we looked if someone didn't create an account. Also, access to reading & posting was restricted by our admin, so you had to be a logged-in user to read anything.

I also had the impression that someone was reading the forum live, and it wasn't an inside rat who leaked the information outside.

Posted: 2005-11-19 05:02pm
by Dalton
Someone may have hacked an account. Happened here once too.

Posted: 2005-11-19 05:09pm
by Tolya
Which basically means that an outsider logs in using existing forum account details. Does phpBB track IP details of succeeding logins?

Posted: 2005-11-19 06:17pm
by Dalton
EmKay wrote:Which basically means that an outsider logs in using existing forum account details. Does phpBB track IP details of succeeding logins?
Normally you can check what IPs a user has logged in with by clicking on the IP button on someone's post. At least, that's how it works here.

Posted: 2005-11-19 07:03pm
by Dalton
Destructionator XIII wrote:
Dalton wrote:Normally you can check what IPs a user has logged in with by clicking on the IP button on someone's post. At least, that's how it works here.
That is only if the user actually posted from that IP at least once. If he was just browsing, the IP is not logged.
Oh, my bad.

Re: How can this be possible (PhpBB hack thread)

Posted: 2005-11-19 08:05pm
by Darth Wong
EmKay wrote:Question for you wizards out there.

I, together with my friends, had a private forum, only for discussing private matters between us. And recently, someone stole some posts and published them on an open forum (shit hit the fan btw, but that's a different story).

Tell me, how difficult is it to hack such a forum? It was posted on a big forum server (www.fora.pl), which should theoretically make it more difficult to track. Also, we had a limited number of users and we looked if someone didn't create an account. Also, access to reading & posting was restricted by our admin, so you had to be a logged-in user to read anything.

I also had the impression that someone was reading the forum live, and it wasn't an inside rat who leaked the information outside.
There are two principal ways of hacking a phpBB forum:

1) Hack into somebody's account by guessing his password or using a dictionary-based brute-force password search (this can't be done here because we lock out users after 3 failed login attempts, so you can't just rack up hundreds or thousands of automated login attempts with a dictionary search program).

2) Take advantage of somebody who failed to update his software when security updates came out. It's amazing how many people out there are still running ancient versions of phpBB. It's like people who never install any of the security patches for Windows; they're just asking for it.
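As an added illustration of the first point (the "lock out after 3 failed login attempts" rule), here is a small, self-contained login guard. It is example code written for this thread, not phpBB's own login or user-table code; the user store, the PBKDF2 hashing, the 15-minute lockout window and the 1000-word list are all constructed assumptions. It shows why a per-account lockout caps a dictionary run at a handful of checked guesses, and also the side effect the thread does not mention: the legitimate owner is locked out for the same window.

```python
import hashlib
import hmac
import os
import time

# Constructed example: a minimal login guard enforcing "3 failed attempts,
# then lock out". Illustration only, not phpBB's real login code or schema.


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked user table does not hand out plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str) -> tuple:
    """Return a constructed (salt, hash) user record."""
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


class FakeClock:
    """Controllable clock so lockout expiry can be shown without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    MAX_FAILURES = 3           # as in the thread: lock after 3 failed attempts
    LOCKOUT_SECONDS = 15 * 60  # assumed lockout window (the thread gives none)

    def __init__(self, users: dict, clock=time.time):
        self.users = users         # username -> (salt, hash)
        self.clock = clock
        self.failures = {}         # username -> consecutive failed attempts
        self.locked_until = {}     # username -> unlock timestamp
        self.verifications = 0     # how many password checks were actually run

    def is_locked(self, username: str) -> bool:
        return self.clock() < self.locked_until.get(username, 0.0)

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(username):
            return "locked"        # refused outright: no hash check while locked
        self.verifications += 1
        record = self.users.get(username)
        if record is None:
            ok = False             # unknown user counts as a failure too
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.MAX_FAILURES:
            self.locked_until[username] = self.clock() + self.LOCKOUT_SECONDS
            self.failures.pop(username, None)
            return "locked"
        return "bad_password"


def run_dictionary_against_guard(guard: LoginGuard, username: str, wordlist) -> dict:
    """Feed a wordlist to the login endpoint and report how many guesses were checked."""
    for word in wordlist:
        # A bot keeps hammering after the lock; each call is refused without a hash check.
        if guard.attempt(username, word) == "ok":
            return {"cracked": True, "checked": guard.verifications}
    return {"cracked": False, "checked": guard.verifications}


def demo() -> dict:
    clock = FakeClock()
    users = {"alice": make_user("correct horse battery staple")}
    guard = LoginGuard(users, clock=clock)

    # Constructed wordlist: 1000 guesses, with the real password at position 500.
    wordlist = ["guess%d" % i for i in range(1000)]
    wordlist[500] = "correct horse battery staple"
    attack = run_dictionary_against_guard(guard, "alice", wordlist)

    # The account owner is locked out for the window as well...
    during = guard.attempt("alice", "correct horse battery staple")
    # ...and gets back in once it expires, which clears the failure counter.
    clock.now += LoginGuard.LOCKOUT_SECONDS + 1
    after = guard.attempt("alice", "correct horse battery staple")

    return {"attack": attack, "during_lockout": during, "after_lockout": after,
            "failures_left": guard.failures.get("alice", 0)}


if __name__ == "__main__":
    print(demo())
```

The guard only ever evaluates three guesses per lockout window, so the 1000-word list never reaches the real password. The flip side is that anyone who knows a username can keep the owner locked out by sending three junk passwords every window, which is why deployments usually pair per-account lockout with per-IP rate limiting or a CAPTCHA rather than relying on it alone.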

Posted: 2005-11-19 11:47pm
by Xon
phpBB is one of those software packages which must be updated as soon as the patch comes out. It can be worse than Windows.

Posted: 2005-11-20 12:10am
by Darth Wong
ggs wrote:phpBB is one of those software packages which must be updated as soon as the patch comes out. It can be worse than Windows.
True, because it's a web app, and that means it's online 24 hours a day. With a Windows security flaw, if you're behind a firewall it might not affect you at all, even if you never update. And if it's related to web browsing, it might not affect you until you visit a website that takes advantage of the vulnerability, which also might not happen. But with a web app like phpBB, once a hack comes out the script kiddies will simply do a Google search to find all the websites using it, and then go to town.

Posted: 2005-11-20 06:41am
by Tolya
Thanks guys, I'm still investigating, thanks for the insight.