Prevent Forum from Hacking

Posted: Sun Sep 03, 2006 3:22 am
by Ankushforyou
Hello,

Nowadays my forum has been hacked two or three times.

I need to know how to protect my phpBB forum from hacking. What precautions should I take?

Thanks in Advance for your Help...!


AnkuShforyou...!

Posted: Sun Sep 03, 2006 4:17 am
by matthijs
Have you updated to the latest version? Have you changed your passwords? Are there other scripts on the same server which might be vulnerable (and therefore a place where hackers can get in)?

Posted: Mon Sep 04, 2006 11:10 pm
by hanji
matthijs wrote: Have you updated to the latest version? Have you changed your passwords? Are there other scripts on the same server which might be vulnerable (and therefore a place where hackers can get in)?

As matthijs said, updating the code would be a wise move. Do you have control of the server you're on? Meaning, can you adjust Apache settings or install software? If so, you may want to look at mod_security to help stop the script attacks. Another solution, server-based, is implementing Snort and SnortSam to block at the firewall level based on signatures.

ModSecurity
http://www.modsecurity.org/

Here is a set of modsec rules for phpbb from gotroot (http://www.gotroot.com/tiki-index.php?page=mod_security+rules)

Code:

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective REQUEST_URI "/quick-reply\.php" chain
SecFilter "phpbb_root_path="


#phpbb
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?mode=addnew\&install_to=\.\./\.\./"

#phpbb XSS
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply&t=.*userid.*phpbb2mysql_t=(\<(script|javascript|about|applet|activex|chrome)|(http|https|ftp)\:/)"


#phpbb XSS
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"


SecFilterSelective REQUEST_URI "/poc_loginform\.php\?phpbb_root_path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/poc\.php\?phpbb_root_path=(http|https|ftp)\:/"


#phpbb 2.0.13 download vuln
SecFilterSelective REQUEST_URI "/downloads\.php\?cat=.*(UNION|SELECT|delete|insert)*user_password.*phpbb_users"


#phpbb plus
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
# "." and "?" escaped so the pattern matches the literal "viewforum.php?f=" / "viewtopic.php?p="
SecFilterSelective REQUEST_URI "/viewforum\.php\?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
# inner double quote escaped so the Apache config parser does not end the string early
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"


#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"


#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"


#phpbb xss, sql injection and PHP code injection
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_error_msg "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "login\.php" chain
SecFilterSelective ARG_forward_page "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "search\.php" chain
SecFilterSelective ARG_list_cat "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "usercp_register\.php" chain
SecFilterSelective ARG_signature_bbcode_uid "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective ARG_signature_bbcode_uid "(<.*php|<php)"


#phpBB foing Module "phpbb_root_path" File Inclusion
SecFilterSelective  REQUEST_URI "(index|faq|song|list|gen_m3u|playlist)\.php" "chain,id:390053,rev:1,severity:2,msg:'JITP: phpBB foing Module phpbb_root_path File Inclusion'"
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?:/|\.\./\.\.)"


#General phpbb_root_path vulnerabilities
SecFilterSelective ARG_phpbb_root_path "((ht|f)tps?\:/|\.\./)"  "id:390070,rev:1,severity:2,msg:'JITP: Generic phpbb_root_path exploit'"

Hope this helps. Also, some hosts (i.e. www.dreamhost.com among others) offer mod_security as a feature with their hosting.

hanji
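
Added example, not part of hanji's post or the gotroot rule set: a short Python script that applies a few of the signatures above to Apache access-log lines, which is one way to find out which requests a forum received before it was compromised. The log lines, labels and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Patterns ported from the SecFilter rules in the post above to Python regex
# syntax. The labels are names chosen for this example.
SIGNATURES = [
    ("phpbb_root_path inclusion",
     re.compile(r"phpbb_root_path=((ht|f)tps?:/|\.\./)", re.I)),
    ("phpbb wormsign", re.compile(r"echo _GHC/RST_")),
    ("quote after sid=",
     re.compile(r"/(groupcp\.php\?g|viewforum\.php\?f|viewtopic\.php\?p)=.*sid='", re.I)),
    ("script scheme in [url] tag",
     re.compile(r"\[url=(script|javascript|applet|about|chrome|activex):/.*\].*\[/url\]", re.I)),
]

# Apache common/combined log format: host, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def triage(lines):
    """Return (client, time, status, decoded_uri, [matched labels]) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        client, when, raw_uri, status = m.groups()
        # Logs store the URI as sent; decode percent-encoding first,
        # otherwise %2F / %27 hide the pattern from the regexes.
        uri = unquote_plus(raw_uri)
        labels = [name for name, rx in SIGNATURES if rx.search(uri)]
        if labels:
            hits.append((client, when, int(status), uri, labels))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Sep/2006:23:01:12 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [02/Sep/2006:23:04:40 +0000] "GET /forum/quick-reply.php?phpbb_root_path=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.0" 200 311',
    '198.51.100.7 - - [02/Sep/2006:23:05:02 +0000] "GET /forum/viewforum.php?f=3&sid=%27 HTTP/1.0" 200 4410',
    '203.0.113.5 - - [02/Sep/2006:23:09:51 +0000] "GET /forum/index.php?phpbb_root_path=..%2F..%2Fconfig HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for client, when, status, uri, labels in triage(SAMPLE_LOG):
        print(f"{when} {client} {status} {', '.join(labels)}: {uri}")
```

A hit with status 200 means the server answered the request and deserves a closer look than one that returned 404.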

Posted: Tue Sep 05, 2006 12:38 am
by RobertGonzalez
The most important thing is to make sure that you are running the most recent version of phpBB and the most recent versions of all the other software that is residing on your server.

Posted: Tue Sep 05, 2006 3:44 am
by Ollie Saunders
How was the hack achieved?