Maybe you should develop your own phplist type of software.
With a quick Google search I found this page below. I think the guy that hacked your site has posted how he completed the hack.
Removed *paul*
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
Last edited by Paul on Sun Feb 08, 2009 7:27 pm, edited 1 time in total.
Reason: Removed link, we know regarding it.
-
- Registered User
- Posts: 3
- Joined: Sat Feb 07, 2009 6:39 am
Re: [Discussion] Downtime and Server Compromise
I am not sure why it's taking so long to bring the site back. This is why you should always keep a complete site backup that is current, and back up your databases every day (and for the forums, every few hours). Also if they own the dedicated servers running the site, have a current image of them as well. Then this type of thing would only cause a few hours or a day of downtime, not a week+.
Lesson to be learned: Keep your software and mods up to date and make backups often.
Re: [Discussion] Downtime and Server Compromise
mulkman wrote:
> Yes
> But how did the attacker know you were running phplist software. I'm pretty much certain the page did not have "Powered by phplist" at bottom
> Although there is nothing you can do about 0day exploits.

Hackers have 'bots' that do phishing attempts against domains.
They 'know' the usual folder and file names contained in most server software packages and they make attempts to read each of those files/folders to see what response they get. If they get a 'file found' response from the server they finish off with an attack against any known vulnerabilities against that software.
If you are really interested in this follow the link below in my signature to my live v3 forum - check out the publicity room where I have given talks on the subject of server security and 'malware'.
If you check your own domain error logs you will see those 'phishing' attempts - every day.

sevenalive wrote:
> I am not sure why it's taking so long to bring the site back. This is why you should always keep a complete site backup that is current, and back up your databases every day (and for the forums, every few hours). Also if they own the dedicated servers running the site, have a current image of them as well. Then this type of thing would only cause a few hours or a day of downtime, not a week+.
> Lesson to be learned: Keep your software and mods up to date and make backups often.

If you read back over this topic, you will see that, yes, we do have copies and could easily have restored to them.
However the hacker had access for 2 weeks and it would mean losing 2 weeks of posts.
We do not think it in the best interest of the community to lose those.
Starfoxtj Toolkit
ASAP member since 2004 - MS MVP (Windows Security) member since 2005
Live phpBB3 Forum
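
The error-log check suggested in the post above, as an added example that is not part of the original thread: it groups "File does not exist" entries by client and flags clients that asked for several different missing paths in a short time. The log format (Apache 2.2-style error log), the thresholds, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: Apache 2.2-style error log "File does not exist" entries.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
[Sat Feb 07 06:39:01 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/phplist
[Sat Feb 07 06:39:02 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/lists
[Sat Feb 07 06:39:02 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/newsletter
[Sat Feb 07 06:39:04 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/mail
[Sat Feb 07 06:41:30 2009] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sat Feb 07 09:12:45 2009] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sat Feb 07 10:00:00 2009] [error] [client 203.0.113.5] PHP Notice: Undefined index in /var/www/html/index.php
"""


def parse_missing(lines):
    """Yield (timestamp, client, path) for each missing-file entry."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["path"]


def find_probers(lines, min_paths=4, window=timedelta(minutes=1)):
    """Map client -> missing paths, for clients that asked for at least
    min_paths distinct missing paths inside one sliding time window."""
    events = defaultdict(list)
    for ts, ip, path in parse_missing(lines):
        events[ip].append((ts, path))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans <= window.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            paths = {p for _, p in seen[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG.splitlines()).items():
        print(ip, "requested", len(paths), "missing paths:", paths)
```

A browser repeatedly asking for a missing favicon stays below the threshold because only distinct paths are counted.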
Re: [Discussion] Downtime and Server Compromise
Backups are made often, but as the hacker had access since January 14, we would need to restore a backup from before that date.
Instead we decided to use a later backup, and sanitise that. But that just takes some time.
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: [Discussion] Downtime and Server Compromise
I am not too worried about email addresses being taken. Most people have decent spam filtering anyways (if you don't, get gmail and forward your mail to it).
I list my email address tons of places anyways.

sevenalive wrote:
> I am not sure why it's taking so long to bring the site back. This is why you should always keep a complete site backup that is current, and back up your databases every day (and for the forums, every few hours). Also if they own the dedicated servers running the site, have a current image of them as well. Then this type of thing would only cause a few hours or a day of downtime, not a week+.
> Lesson to be learned: Keep your software and mods up to date and make backups often.

Sorry, but you really don't have a clue just how large the phpbb site was, do you? I wouldn't be surprised if the database was in the 10's of GB's or even larger. Backing that up daily would pretty much require a dedicated server, doubling their costs (besides bandwidth). Backing up hourly simply would not work (and would not help at all anyways). Backing it up that often would almost require an additional dedicated server for the database to prevent backups from putting too much load on the server and taking it down.
Could you go through 2 weeks' worth of posts, attachments, users, on phpbb.com in a few hours or a day? They all must be gone through to make sure that the cracker did not alter anything else to leave backdoors, etc. What good would it do to put up the site again if the cracker left a backdoor?
The software WAS up to date, this was a 0-day exploit.
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
Re: [Discussion] Downtime and Server Compromise
paulus wrote:
> Backups are made often, but as the hacker had access since January 14, we would need to restore a backup from before that date.
> Instead we decided to use a later backup, and sanitise that. But that just takes some time.

So you made a backup of what it was since you discovered the issue and blocked the boards?
Do you confirm that no posts/etc will be lost after the sanitisation?
Thanks.
Free support for our extensions also provided here: phpBB Studio
Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: [Discussion] Downtime and Server Compromise
3Di wrote:
> paulus wrote:
> > Backups are made often, but as the hacker had access since January 14, we would need to restore a backup from before that date.
> > Instead we decided to use a later backup, and sanitise that. But that just takes some time.
>
> So you made a backup of what it was since you discovered the issue and blocked the boards?
> Do you confirm that no posts/etc will be lost after the sanitisation?
> Thanks.

Of course they would have made a backup then.
Posts shouldn't be an issue, unless unescaped HTML was inserted into them, which should be easy to check using a simple script.
Re: [Discussion] Downtime and Server Compromise
I've got two forums running and have more or less eliminated the current rash of registrations by changing my captcha x-axis to 14 and my y-axis to 6. Give that a try everyone.
Re: [Discussion] Downtime and Server Compromise
EXreaction wrote:
> Posts shouldn't be an issue, unless unescaped HTML was inserted into them, which should be easy to check using a simple script.

Actually a certain amount of HTML is stored in the posts table un-escaped

3Di wrote:
> do you confirm that no posts/etc will be lost after the sanitisation?

At most a few hours have been lost, I'm not 100% sure though.

rockeiro wrote:
> I've got two forums running and have more or less eliminated the current rash of registrations by changing my captcha x-axis to 14 and my y-axis to 6. Give that a try everyone.

Bit off topic for this topic
Re: [Discussion] Downtime and Server Compromise
Has there been any update as to when the site will be back up? I was just going to work on a mod... Then I tried to access the website. Oh well. Keep up the good work!