Forum offline today - possible compromise

coaster

TCS Member
Thread starter
Top Cat
Joined
May 28, 2005
Messages
5,174
Purraise
7
Location
Wisconsin
I experienced something today that I think needs to be referred to whoever needs to know. Apparently there was some kind of problem earlier today. I got a VBulletin "database error" message. I've seen that before and the problem was with my IE6 browser. So, I fired up Firefox and tried again. This time, what I got was what looked like an index with several links, and the links were pointing to the config.php file in the script path!! Ooohhhh, bad, bad deal. Tempting as it was to see if I could read them, I passed, but I wonder who else might have seen that and yielded. I don't know if it would have been possible anyway. Depends how your permissions are set, I guess. But you might want to take measures if you feel they're necessary.
 

jcat

Mo(w)gli's can opener
Veteran
Joined
Feb 13, 2003
Messages
73,213
Purraise
9,851
Location
Mo(w)gli Monster's Lair
The big question is what's causing the problem - vBulletin, IE, or Firefox? I'm currently posting using my PDA, as there have been all sorts of issues with my notebook since I downloaded the latest version of Firefox 8 or 9 days ago, and also allowed the latest IE updates this past week.
 

coaster

There should be NO WAY that just anybody can read that config.PHP file. Your tech people need to look into it. Is it possible the board was hacked today?
 

Anne

Site Owner
Staff Member
Admin
Joined
Oct 23, 2000
Messages
40,216
Purraise
6,110
Location
On TCS
Could you please take a screenshot next time and email it to me? anne.moss [at] gmail.com

That would help track down the problem, I'm sure. As it is, I'll forward this to our server admin and see what he says. Last time we had problems it was due to a major backup process that was running on the machine.
 

Anne

Are you sure the links were to the forums config file? We have several config files, and if it's the same one that one of our mods got, then it's to a different php system on the server which is very much password protected. Feel free to try and follow the URL and let me know if you can get in.
 

coaster

Anne - I remember now that I was in my Safari browser, not Firefox when this happened. I was so surprised I didn't take a screenshot, and I didn't write down the url. As I recall it was public_html/node/forums and there was an index, like you'd get if you had no index.php or index.html showing the contents of the directory. I can't get in there now. When I click on the link saved in my history, a password prompt comes up. If I try some of the standard passwords people forget to change, all I get are "not authorized" pages.

I don't know how to edit Safari history, so what I see in my history is probably what the url resolves to NOW, not what it did this morning.

Now I almost wish I would have clicked on the config file to see what would have happened. But, heh heh ... I know what's in there ... I wouldn't want someone doing that to me. I'm sure it's already been taken care of.


I think you're OK for now. Why it happened and whether it ever happens again is another thing. It might have been one of those freaky things. Anyway, if you've got your permissions set to a high security level, I wouldn't have been able to get in. I don't know about VBulletin, but phpBB3 runs just fine with config.php permissions set to 600.
 

fastnoc

TCS Member
Top Cat
Joined
Feb 10, 2008
Messages
1,955
Purraise
30
lol you can click the config file all you want. You won't see squat.

If it were so treacherous how would anyone ever run a cms? They ALL have config files and they do not require special permissions.

Executing the file does NOT display the contents of the file. It will give you an empty page. It's only used by the core to gather the configuration requirements. It's just a tad more secure than simply viewing the file.
 

coaster

I dunno. I don't claim to know all that much about it, but I do know that when I click on the config file it opens in my local text editor and displays the contents. One thing....you might be correct in a normal situation, because when I disable the index.php file and http to that url, the index listing I get doesn't even SHOW the config.php file. So if you can't see it, obviously you can't see the contents.

However, in this case, the config.php file DID display in the directory listing. So I'm just assuming that if I can click on a config.php file in a directory listing when I can see it and have it open and display the contents, then it might have been possible in this case. Perhaps my assumption that it was due to permissions settings wasn't correct; like I said, I can't claim to know that much about it. But just going from my own experience, a config.php file for a phpBB3 installation IS readable if it can be seen, and the permissions are set to allow world to read it.

If you go to the phpBB support site, there are plenty of frantic posts from forum admins about "help!! my board has been hacked!!"
 

fastnoc

The only way I can see that the contents of ANY php would display if you tried to view it in a browser would be if PHP was not running, or not running correctly on a server. That would cause it to be a typical link and your browser could associate it as a text file. But php does not display its contents by running it. It displays the results of the code within the file.

If someone was hacked I could see the hack changing things, but it's not common, no.

Here's a link to a config file for example:

http://forum.e-referrer.com/includes/config.php

You will only see an empty page, and the source reveals nothing.

Unlike HTML, php pages only show the results. HTML pages show all the underlying code.

If you could see the database name, username and password when you clicked that file here, then PHP was NOT running on the machine at that time.

FYI, PHPBB is the absolute worst forum to run. It is constantly hacked. They try to keep up with it but it's futile. vBulletin (the forum this site runs on) is MUCH better, and the owners here do a good job of keeping it up apparently. It's only one rev off from being the latest version.
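
A defender-side check for the two conditions discussed in this thread, added here as an example and not posted by any thread participant: it classifies an HTTP response body as an auto-generated directory listing, disclosed PHP source, or a normally executed (empty) config include, and lists `config*.php` files readable by "other". The function names and the sample responses are constructed for illustration.

```python
import os
import re
import stat

# An unexecuted PHP file reaches the client with its opening tag intact.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Apache and nginx auto-generated listings title the page "Index of <path>".
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def classify_response(url_path, body):
    """Classify one HTTP response body fetched from the web root."""
    if PHP_OPEN_TAG.search(body):
        return "source-disclosed"      # interpreter did not run the script
    if AUTOINDEX_TITLE.search(body):
        return "directory-listing"     # no index file and autoindex enabled
    if url_path.endswith(".php") and not body.strip():
        return "executed-empty"        # normal result for a config include
    return "ok"


def world_readable_configs(root):
    """Return (path, octal mode) for every config*.php readable by 'other'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("config") and name.endswith(".php"):
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & stat.S_IROTH:
                    findings.append((path, oct(mode)))
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/forums/": "<html><head><title>Index of /forums</title></head>"
                "<body><a href=\"config.php\">config.php</a></body></html>",
    "/forums/includes/config.php": "",
    "/forums/config.php": "<?php\n$placeholder_db_password = 'EXAMPLE';\n",
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, "->", classify_response(path, body))
```
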
 

coaster

Originally Posted by fastnoc

The only way I can see that the contents of ANY php would display if you tried to view it in a browser would be if PHP was not running, or not running correctly on a server. That would cause it to be a typical link and your browser could associate it as a text file.
I think that's what I was trying to say, though you said it better. I do understand the part about php being a server-side script. But scripts are text files and so if the script crashes AND the files are set to world "read" I would think they could be read. The fact that I could even see the config file was an indication something was amiss, and so that's why I posted. Today I couldn't see it; I couldn't link to it; and even when given the link I couldn't access it. Which means all is back to normal, and secure. But if they can find out what happened, I think they'd want to prevent it from happening again.

If I'd known ahead of time I was going to be putting this much of my life into developing my forum, I certainly would have gone ahead and spent the $160 (?) for vBulletin. That's a pittance if my time is worth anything. But I've got what I've got now, so I'm going to make the best of it. And it's working out pretty good, so far.
 

fastnoc

Well, don't mistake what I said for saying PHPBB is bad itself. It's just that it's targeted for hacking. The authors make frequent updates to combat it but they're overwhelmed.

As long as you keep on top of the updates you'll be fine if that's what you want to run.

If you ever decide to switch on whatever site you're running, vBulletin has an impex (import export) tool that will convert your phpbb users, posts and other data into vbulletin.
 

coaster

Oh, hey, that was going to be my next question, and you beat me to it, because frankly, I've thought about it more than once.


Thing is, 90% of the work went into the style, and I'd have to start over with that, wouldn't I? vBulletin only converts the database, right?
 

fastnoc

Yeah, pretty much. You'd have to rework your theme, which I know takes an enormous amount of time.

There MIGHT be a converter though that will do that too. It should be a pretty common request.
 