phpBB and Hacking Attempts

Posted: Sun Nov 17, 2002 9:06 pm
by psoTFX
Over the past couple of weeks we've been emailed, PM'd and had people posting about hacking attempts on their boards.

While we will often try and help repair damage inflicted by those persons who simply "read and repeat" the work of others, YOU can do an awful lot to prevent it happening in the first place.

Firstly UPGRADE to the latest available version of phpBB 2.0.x! We realise that many people modify their boards ... however we supply three different methods of upgrading from one version to the next. An upgrade need not mean starting from scratch, investigate both the changed files and patch methods ... one or other may suit your needs better than a full install. If you refuse to upgrade then I'm afraid there is nothing we can do to help ... you have been warned!

Secondly ENSURE you read ALL the documentation we provide with phpBB 2.0.x! Time and effort went into writing those documents and many basic questions on installation, security, etc. are answered within them. If AFTER reading these docs you are still having problems feel free to search and then post on our support board (in the correct forum!)

Thirdly ENSURE you select only responsible people to act as administrators and moderators! We not infrequently get told "An administrator on my board did x, y and z!". It is entirely your responsibility to maintain and operate your forums ... do so wisely.

Fourthly CHOOSE PASSWORDS CAREFULLY! Try and use different passwords for different parts of your site or account, e.g. don't use the same password to access your account, the database, any web control panel, your administrator account on phpBB, etc.! Doing so leaves you WIDE OPEN to potential problems. NEVER give out your passwords on this or any other forum ... no one on any official phpBB board will ask you to reveal your password in public and is extremely unlikely to ask for it even privately (few problems need direct intervention on an admin or account level). If you do reveal your password (for whatever reason) ENSURE you change it as soon as the task at hand is complete.

Fifthly REMEMBER that, should you use a shared host and that host offers shell access, your configuration file may well be readable by anyone on the same server. There is nothing much we (phpBB) can do about that ... it's a "limitation" of the operating system and server environments. However, should you have a cooperative host they may be able to alter ownership and permissions to reduce the chances of this being an issue (although such hosting providers are likely to actively monitor shell access and thus problems are typically reduced).

Finally, if you SUSPECT you've been hacked please don't post anywhere and everywhere blaming phpBB. While we cannot rule it out as a potential source of trouble there are many possible reasons beyond this software. Before posting anywhere you should check the above five points and try and discover if you've overlooked one of those issues. If you have not then feel free to post HERE with an appropriate topic, i.e. something other than "My phpBB has been hacked!" ... it tends to give rather the wrong impression to users!
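As an added example (not from the original post or the phpBB project), a small POSIX shell audit for the shared-host exposure in point five: it reports whether a phpBB `config.php` is readable by other users on the same server and can strip that access. It assumes a `stat` with GNU or BSD syntax and that PHP reads the file as the file's owner or group (suEXEC/suPHP style); where PHP runs as a shared user such as `nobody`, removing other-read breaks the board and the ownership change the post mentions is needed from the host instead.

```shell
#!/bin/sh
# Added example: audit phpBB config.php permissions on a shared host.
# Assumption: `stat` is GNU (-c) or BSD (-f); both are tried in turn.

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_config_readable FILE
# Returns 0 if "other" has no read bit, 1 if the file is world-readable
# (any other user with shell access can read the database password),
# 2 if the file does not exist.
check_config_readable() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    mode=$(file_mode "$f")
    # The last octal digit is the "other" class; read is bit 4.
    other=${mode#"${mode%?}"}
    case "$other" in
        4|5|6|7) echo "WORLD-READABLE (mode $mode): $f"; return 1 ;;
        *)       echo "ok (mode $mode): $f"; return 0 ;;
    esac
}

# harden_config FILE
# Removes all "other" access while leaving owner and group untouched,
# so the web server can still read it when it runs as the owner/group.
harden_config() {
    chmod o-rwx "$1"
}

# Usage: ./audit.sh /path/to/phpBB2/config.php [more files...]
if [ "$#" -gt 0 ]; then
    for cfg in "$@"; do
        check_config_readable "$cfg" || [ $? -eq 2 ] || harden_config "$cfg"
    done
fi
```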