phpBB1.4 hacked by Crime Lordz, help?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Kathleen McCall
Registered User
Posts: 2
Joined: Sun May 12, 2002 3:47 pm

phpBB1.4 hacked by Crime Lordz, help?

Post by Kathleen McCall » Sun May 12, 2002 3:52 pm

Our board is under attack by Crime Lordz - currently just graffiti which I am cleaning up, but they can do anything they want. Hackers register, then grant themselves admin privileges.

I understand we need to upgrade, but the tech support for our site is not available this weekend. I am only a board admin, but I have access to the files on the host. Is there anything I can do to patch the vulnerability in the meantime?

Thanks for any help you can give.

zoid
Registered User
Posts: 743
Joined: Fri Oct 12, 2001 6:29 am
Location: $SCRIPT_NAME

Post by zoid » Sun May 12, 2002 4:16 pm

phpBB 1.4.4 fixed many bugs.

Alexander

Kathleen McCall
Registered User
Posts: 2
Joined: Sun May 12, 2002 3:47 pm

Post by Kathleen McCall » Sun May 12, 2002 4:35 pm

Thanks. I'm sure we'll do an upgrade soon. I can't do it myself (I have access, but not the expertise or authority) so I was hoping to find something I could do in the meantime that might protect us temporarily.

dlkeur
Registered User
Posts: 55
Joined: Sun May 12, 2002 3:31 am

Post by dlkeur » Sun May 12, 2002 4:40 pm

Set an .htaccess file in the main phpBB2 directory. That will close down access to everyone unless they have the u passwd for the htaccess... which only YOU will have.

AL
Registered User
Posts: 442
Joined: Tue Jul 03, 2001 10:21 pm
Location: Texas Ya'll

Post by AL » Mon May 13, 2002 4:00 am

Or just htaccess the admin directory - then they can't screw with admin stuff. They can still post things, edit posts etc. if they have admin status, but they can't change forum names, change header, etc.

Also please be aware that the phpBB group no longer supports 1.4.x, so it is recommended you upgrade to 2.0.
"A nerd is someone whose life is focused on computers and technology, but a geek is someone whose life is focused on computers and technology and LIKES it that way."

Kanuck
Former Team Member
Posts: 2791
Joined: Thu Jul 05, 2001 9:33 pm
Location: Toronto, Ontario

Post by Kanuck » Mon May 13, 2002 4:04 am

Actually, neither one of those will work; they'll just deny access to everyone. Really the only way to fix this problem is to upgrade your boards, or edit the vulnerable piece of PHP code, neither of which is really a viable solution.

The best idea is to disable registration for the time being. Simply rename register.php to some random combination of letters and numbers, and create a new register.php containing the following code:

Code:

<html>
<body>
<p>Registration is temporarily disabled. Sorry!</p>
</body>
</html>

That will prevent any new registrations. Just delete the existing troublemakers, and they can't register again!
Kanuck
Former phpBB.com team member
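
Kanuck's stopgap above, written as a small shell function; this is an added example, not code from the thread or from phpBB. It assumes shell access to the host and that the board directory is passed as the first argument; the function name `disable_registration` is hypothetical.

```shell
#!/bin/sh
# Added example: park the real register.php under a random name and
# leave a static "disabled" page in its place, as described in the post.
# Assumption: $1 is the directory that holds the board's PHP files.

STUB_TEXT='<html>
<body>
<p>Registration is temporarily disabled. Sorry!</p>
</body>
</html>'

disable_registration() {
    board_dir=$1
    target="$board_dir/register.php"

    [ -f "$target" ] || { echo "no register.php in $board_dir" >&2; return 1; }

    # Refuse a second run: if register.php is already the stub, the real
    # script was parked earlier and must not be replaced by the stub.
    if grep -q 'Registration is temporarily disabled' "$target"; then
        echo "registration already disabled" >&2
        return 2
    fi

    # 16 random hex characters, so the parked name cannot be guessed.
    suffix=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    parked="$board_dir/$suffix.php"

    mv "$target" "$parked" || return 1
    printf '%s\n' "$STUB_TEXT" > "$target" || return 1

    # Print the parked path so it can be restored after the upgrade.
    printf '%s\n' "$parked"
}

# Run directly: sh disable_registration.sh /path/to/board
if [ "$#" -gt 0 ]; then
    disable_registration "$1"
fi
```

The printed path is the parked original; moving it back over register.php restores registration once the board has been upgraded.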
