Hello,
Nowadays my forum has been hacked twice or thrice.
I need to know how I can protect my phpbb forum from hacking. What precautions should I take for the same?
Thanks in Advance for your Help...!
AnkuShforyou...!
Prevent Forum from Hacking
matthijs wrote:
Have you updated to the latest version? Have you changed your passwords? Are there other scripts on the same server which might be vulnerable (and therefore a place where hackers can get in)?

As matthijs said.. updating the code would be a wise move. Do you have control of the server you're on? Meaning, can you adjust apache settings or install software? If so, you may want to look at mod_security to help stop the script attacks. Another solution, server based, is implementing snort and snortsam to block at the firewall level based off of signatures.
ModSecurity
http://www.modsecurity.org/
Here is a set of modsec rules for phpbb from gotroot (http://www.gotroot.com/tiki-index.php?page=mod_security+rules)
Code:
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective REQUEST_URI "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
#phpbb
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./"
#phpbb XSS
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)"
#phpbb XSS
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/"
#phpbb 2.0.13 download vuln
SecFilterSelective REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"
#phpbb plus
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'"
#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"
#phpbb xss, sql injection and PHP code injection
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "login\.php" chain
SecFilterSelective ARG_forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective ARG_signature_bbcode_uid "(<.*php|<php)"
#phpBB foing Module "phpbb_root_path" File Inclusion
SecFilterSelective REQUEST_URI "(index|faq|song|list|gen_m3u|playlist)\.php" "chain,id:390053,rev:1,severity:2,msg:'JITP: phpBB foing Module phpbb_root_path File Inclusion'"
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"
#General phpbb_root_path vulnerabilities
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)" "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"
hanji
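As an added example (not code from this thread, from phpBB or from mod_security), here is the detection logic of three of those rules replayed over Apache access-log lines in Python, so that a forum owner without root can at least spot the same probes in the logs; the rule names, the example.invalid URL and the log lines are constructed, and matching is case-insensitive, which the original filters were not necessarily.

```python
import re
from urllib.parse import unquote
# Added example, not phpBB or mod_security code: a hand-transcribed subset of the
# rules above, replayed over Apache access-log lines. Assumes case-insensitive matching
# (stricter than the originals). Rule = (name, REQUEST_URI pattern, ARG_<name> or None, pattern).
RULES = [
    ("quick-reply phpbb_root_path", r"/quick-reply\.php", None, r"phpbb_root_path="),
    ("usercp_register error_msg XSS", r"usercp_register\.php", "error_msg", r"<\s*(script|about|applet|activex|chrome)"),
    ("generic phpbb_root_path", r"", "phpbb_root_path", r"((ht|f)tps?:/|\.\./)"),  # "" = any URI
]
# Apache combined-log prefix: client ident user [time] "METHOD URI PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" \d{3}')

def parse_args(uri):
    args = {}  # query-string arguments, keys and values URL-decoded
    for pair in uri.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key:
            args[unquote(key)] = unquote(value)
    return args

def check_request(uri):
    """Names of the rules that fire for one request URI."""
    decoded = unquote(uri)  # match the decoded form so %3C counts as '<'
    args = parse_args(uri)
    hits = []
    for name, uri_pat, arg, pat in RULES:
        if not re.search(uri_pat, decoded, re.I):
            continue  # REQUEST_URI selector did not match
        if arg is None:  # chained SecFilter: second pattern runs over the whole request
            if re.search(pat, decoded, re.I):
                hits.append(name)
        elif arg in args and re.search(pat, args[arg], re.I):
            hits.append(name)  # chained ARG_<name> selector: pattern runs over that argument
    return hits

def scan_log(lines):
    """(client ip, rule name, uri) for every log line that trips a rule."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, lines)):
        alerts += [(m["ip"], name, m["uri"]) for name in check_request(m["uri"])]
    return alerts

# Constructed sample lines (not real traffic); the first is benign, the last trips two rules.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /viewtopic.php?t=12&sid=abc123 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2006:13:56:01 +0000] "GET /index.php?phpbb_root_path=http://example.invalid/ HTTP/1.1" 200 310',
    '203.0.113.9 - - [10/Oct/2006:13:56:07 +0000] "GET /usercp_register.php?error_msg=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 870',
    '203.0.113.9 - - [10/Oct/2006:13:56:12 +0000] "GET /quick-reply.php?t=12&phpbb_root_path=../../ HTTP/1.1" 200 210',
]
```

Run `scan_log(SAMPLE_LOG)` to get one alert tuple per rule hit; a log scanner only reports after the fact, so it complements rather than replaces the mod_security rules, which block the request.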