How safe is phpBB3? Has there been any incident of phpBB3 getting hacked since its launch? What are the common methods that hackers use? I have the latest phpBB3 version installed on my forum. What can I do to make sure that no one can hack my forum?

Re: prevent getting hacked
Post by Phil » Sun Jan 25, am

phpBB3 has no known security vulnerabilities at this time.
If you do this, you should be fine.

I have a phpBB 3. I noticed two days ago that someone using an autogenerated email address from China created a new account without having read a single message.
I deleted the account. Yesterday, the same or a similar email address created another account, but this time they posted a message complaining about having trouble with registration and posted their registration link. I stupidly clicked the link and it took me back to my forum. I then deleted the account and its message. So my questions:

1. Is there a way to hack a phpBB 3.
2. Is there a way to determine if the message board has been hacked?
3. Is there any way to retrieve that deleted message so I can determine precisely what the URL was?
By clicking on links, the admin is performing actions. Specially crafted links can be created to perform undesirable actions. Check file integrity. Determining if you've been hacked is not a trivial problem.
One thing to test: I would register a fake user myself and get the registration email with the link. Take it, paste it into the address bar, and change a few characters to make it fake. If it just redirects you back like the link he posted did, more than likely he just linked the original link he received upon the first registration, and phpBB just routes you to a predefined page if the validation link is not valid.
Hi, I just want to clarify a little on certain points of the article. The vulnerability used in the attack on PHPlist was actually a zero-day vulnerability that had no patch available until two weeks after the initial attack. Regarding password storage, only a few of the passwords were stored using plain MD5.
Accounts which had not been logged into since March were not upgraded to the phpass password scheme used by phpBB3 and were still in the old format from when our site used phpBB2.

Jan 31st, — phpBB
What happened?

Mistakes

Anyone defending a server has a big disadvantage compared to the attackers. These were the mistakes by the phpBB team:

- They were using unpatched, vulnerable software called PHPlist.
- The attacker was doing things like downloading the password file and not being blocked. Anyone looking at the logs would have caught it right away.
- No integrity monitoring. The attacker was able to modify template files and remain undetected.
- They were storing the passwords in the database hashed with the MD5 algorithm, and not with a more secure password hashing method. That allowed the passwords to be cracked very easily.
- There was no notification system in place to notify the admins in case a password was reset or modified.

What do we learn from this, and how do we protect ourselves?

This is what we can do differently to protect ourselves:

- Keep your site updated! And it is not just your main CMS or plugins, but anything you have installed in there, from plugins to add-ons and themes.
- Look beyond the application and make sure you are applying the same due diligence to your web server.
- Do an inventory of everything you install. If you ever install something on your site, make sure to track it somewhere, so that you are always looking for updates and vulnerabilities to it.
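Two of the points above, the Server Fault answer's "check file integrity" and the case study's "no integrity monitoring, the attacker was able to modify template files and remain undetected", come down to the same control: a hashed baseline of the web root taken while the install is known-good, re-checked on a schedule. The script below is an added example, not code from the case study, from phpBB or from any of the posters. It assumes a phpBB-style layout (a `styles/.../template/` directory, a `config.php`, and runtime directories `cache/`, `files/` and `store/` that are skipped because they legitimately change); the files it hashes in `demo()` are constructed in a temporary directory, and `baseline.json` is a name chosen here.

```python
"""Baseline-and-check file integrity monitor for a web root.

Added example (not from the case study or from phpBB). The directory names
and the sample files in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Directories phpBB rewrites at runtime; hashing them would only produce noise.
RUNTIME_DIRS = ("cache", "files", "store")


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, skip_dirs=RUNTIME_DIRS) -> dict:
    """Map relative path -> sha256 for every regular file under root,
    pruning the runtime directories from the walk."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline; keep this file outside the web root and
    read-only for the web server user, or an attacker can rewrite it."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def check_integrity(root: Path, baseline: dict, skip_dirs=RUNTIME_DIRS) -> dict:
    """Compare the tree under root with the baseline and report drift:
    files whose hash changed, files that appeared, files that vanished."""
    current = build_baseline(root, skip_dirs)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake web root, then edit a
    template and drop an unexpected file (the kind of change the case study
    says went unnoticed) while the cache churns; return the drift report."""
    root = Path(tempfile.mkdtemp())
    try:
        tpl = root / "styles" / "prosilver" / "template"
        tpl.mkdir(parents=True)
        (tpl / "overall_footer.html").write_text("<!-- footer -->\n")
        (root / "config.php").write_text("<?php // constructed placeholder\n")
        (root / "cache").mkdir()
        (root / "cache" / "data.php").write_text("cached\n")

        with tempfile.TemporaryDirectory() as store:
            baseline_path = Path(store) / "baseline.json"  # outside the web root
            save_baseline(build_baseline(root), baseline_path)

            # Drift after the baseline was taken (all constructed):
            (tpl / "overall_footer.html").write_text("<!-- footer -->\n<!-- changed -->\n")
            (root / "images").mkdir()
            (root / "images" / "new_file.php").write_text("<?php // unexpected file\n")
            (root / "cache" / "data.php").write_text("regenerated\n")  # ignored

            return check_integrity(root, load_baseline(baseline_path))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))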