WebProWorld Part of WebProNews.com
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1  04-12-2006, 03:55 PM  kgun (Norway)
Packet sniffing, session hijacking etc.

This is interesting.

1. ForumNorway spammed.

I have described how my forum is constantly spammed by one or more spammers that seem(s) to have no intention of stopping. I think the IP addresses I have posted in the stickies should be valuable for people interested in fighting spam.

2. Blocked from the Admin panel.

Now I am unable to log in to my Admin Panel. I am in contact with my hoster, who said there was a configuration error. They fixed it and I was able to log in, but while I was logged in to block guests from posting, the site went down. When the site was up again, I was unable to log in. I requested a new password, and it was sent to my email, but still I was unable to log in. I tried with 4 new passwords, but was not allowed to log in.

3. Packet sniffing and / or hijacking session IDs.

By listening in on the network between my web browser and the web server of the site, it is possible to read my username and / or my password. Then a person may hijack my sessions. Session IDs may be stored in cookies or in a database. That is not a secure solution. So, is the only secure solution to use SSL to encrypt the communication? Does anybody know of phpBB running on secure servers?

4. Restoring the site.

Those of you who know phpBB and MySQL: is the only way to delete the whole site, change passwords and upload it again? Is it possible that an intruder has placed a script on the site? It is impossible to look through the entire code to figure that out.

5. Database of information about the spammer(s).

The spammer has left a lot of valuable information on the site:

IP addresses (they may be dynamic, but nevertheless contain valuable information).

A lot of webpages.

This information is stored in the database of ForumNorway. I thought of taking care of it and making some automatic reporting. Does anybody have good advice on what I should store, how it should be reported, etc.? In the end, as long as the information is in the database, it is only a programming task to produce the right information and report it. Ideally I should make a class that uses tools like DNSstuff etc. to automate the enquiry and reporting.

Final Question:
Should I use SSL technology to encrypt communication?
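What a passive listener on the path between browser and server actually gets from point 3, as an added example that is not part of the post above or of phpBB: a constructed plain-HTTP login POST and a later request carrying the session cookie, parsed the way a sniffer would parse them, the replay that turns the stolen session ID into a hijacked session, and a check of the Set-Cookie attributes that decide whether the browser will keep sending that cookie over plain HTTP even after SSL is added. The host forum.example.org, the cookie name phpbb2mysql_sid, the form field names and the credentials are assumptions for the example.

```python
import re
from urllib.parse import parse_qs


def _http_request(method, path, headers, body=b""):
    """Build a raw HTTP/1.1 request; used only to construct the sample captures."""
    lines = [f"{method} {path} HTTP/1.1".encode()]
    lines += [f"{k}: {v}".encode() for k, v in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}".encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed capture: a plain-HTTP phpBB-style login.  Host, field names and
# credentials are assumptions for the example, not taken from the original forum.
LOGIN_REQUEST = _http_request(
    "POST", "/forum/login.php",
    [("Host", "forum.example.org"),
     ("Content-Type", "application/x-www-form-urlencoded")],
    b"username=kgun&password=Hunter2%21&login=Log+in",
)

# Constructed capture of a later request in the same session: the cookie alone
# identifies the logged-in admin.  Cookie name assumed, value made up.
ADMIN_REQUEST = _http_request(
    "GET", "/forum/admin/index.php",
    [("Host", "forum.example.org"),
     ("Cookie", "phpbb2mysql_sid=3f2a9c1d8e7b6a5f4c3d2e1f0a9b8c7d; "
                "phpbb2mysql_data=a%3A0%3A%7B%7D")],
)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def sniff_secrets(raw: bytes) -> dict:
    """Everything a passive listener can lift from one plaintext request:
    the login form's credentials and/or the session cookie."""
    method, path, headers, body = parse_request(raw)
    found = {}
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"))
        for field in ("username", "password"):
            if field in form:
                found[field] = form[field][0]
    m = re.search(r"(?:^|;\s*)phpbb2mysql_sid=([0-9a-f]{32})", headers.get("cookie", ""))
    if m:
        found["sid"] = m.group(1)
    return found


def forge_request(path: str, sid: str) -> bytes:
    """The hijack step: replay the stolen session ID from a new connection.
    No username or password is needed while the server still honours the ID."""
    return _http_request("GET", path,
                         [("Host", "forum.example.org"),
                          ("Cookie", f"phpbb2mysql_sid={sid}")])


def cookie_flags(set_cookie: str) -> dict:
    """Protections carried by a Set-Cookie header.  Without 'Secure' the browser
    also sends the cookie over plain HTTP, so SSL on the login page alone does
    not take the session ID off the wire."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


if __name__ == "__main__":
    print(sniff_secrets(LOGIN_REQUEST))
    print(sniff_secrets(ADMIN_REQUEST))
    print(cookie_flags("phpbb2mysql_sid=abc; path=/"))
```

Run as a script it prints the credentials recovered from the login request, the session ID recovered from the admin request, and the (absent) cookie flags. The point for the question in the post: encrypting the login page protects the password in transit, but the session ID is just as good as the password to an attacker, so the cookie must be marked Secure (and the whole site served over SSL) or the sniffer simply waits for the next request.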
#2  04-13-2006, 12:14 AM  sacx13

1. Blocking his IP address will not help in any way. Try to find the latest version of phpBB.

3. Yes, it is OK to have an SSL connection on your administrator account, but this will not solve the entire problem. phpBB has a bad history of security problems!

4. If you restore the same site, it is possible. Try reinstalling a fresh new version of phpBB with your old database.

5. The information doesn't help at all. It can be a Korean server or a server from the US, and all can be hacked, without any information about your "good boys".

SSL helps if you have a well-secured server and no other problems.

Regards
Adrian
#3  04-13-2006, 05:37 PM  bj (Delaware Valley, PA)

I strongly suggest you switch to a different forum script. PhpBB is absolutely notorious for these sorts of problems, and if you've already been targeted it's not going to get better as long as you're using that insecure piece of manure.

Some of the other forum scripts have conversion utilities so you can convert your phpbb db to theirs and transfer over your posts.

This is really a better option than trying to secure something that's NEVER been secure.
#4  04-13-2006, 06:04 PM  davidredwine (Oklahoma)
Site spammer - fighting back.

You are asking for spam with guests on. However, many of the domain addresses of spam messages don't resolve properly for Whois lookup (cloaked).

There are a few things you can do. Obviously the person planting the spam on your server has an advertising relationship with the drug, sex, finance, and other websites listed in the advertising.

ONE - Since this is a company in Dallas, Texas that is sponsoring the spamming, you can report them to http://www.ftc.gov/spam/ (File a complaint).

TWO - You could complain to the IP block owner of the IP addresses that are resolved to when you ping the sites. I think you will find that the majority of these junk/spam sites will come from one or two companies.

Be sure to notify the hosting companies (of the spammers' servers) that you are taking action, and they should cease and desist.

The companies hosting the webservers that you will find inside the links contained in those postings are sponsoring the spammers as a part of their business model. You can ask the Internic IANA / ICANN to revoke their IP block and return it to the pool. This will get you some fairly rapid response from their company.

Doing a reverse IP lookup yielded that one of the small handful of companies that is most likely sponsoring your spammer is:

Here is the information for address 70.86.49.68:
( http://free-mp3-song.snow-send.com/ ) (Forum = Norwayforum.com / Introducing Myself / MP3 Music Downloads). Look at all those links; they are all "theplanet.com" links, a spam-happy marketing company.

(Thanks for the reverse lookup tool from http://www.hashemian.com/tools/reverse-whois.php )


68.49.86.70.in-addr.arpa. 86400 IN PTR 44.31.5646.static.theplanet.com.

49.86.70.in-addr.arpa. 86400 IN NS ns1.theplanet.com.
49.86.70.in-addr.arpa. 86400 IN NS ns2.theplanet.com.




Additional whois information for 70.86.49.68:

[Querying whois.arin.net]
[whois.arin.net]

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14
NetName: NETBLK-THEPLANET-BLK-13
NetHandle: NET-70-84-0-0-1
Parent: NET-70-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2004-07-29
Updated: 2006-02-17

RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName: Technical Support
OrgNOCPhone: +1-214-782-7800
OrgNOCEmail: admins@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com

# ARIN WHOIS database, last updated 2006-04-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


ONE LAST NOTE: You will feel better for going on this crusade, but the results may not be very fruitful. I would just upgrade your phpBB code and disable guests.

dr
__________________
IT Manager - JMI
www.jamesonmanagement.com
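The lookup chain the post above walked through by hand (reverse DNS name, whois record, netblock owner, abuse contact), and the automated reporting kgun asked about in point 5 of the first post, as an added example that is not part of either post: the ARIN record for 70.86.49.68 is the one pasted above (abridged); the second record, the documentation-range netblock 203.0.113.0/24, its contact abuse@example.net, and every IP other than 70.86.49.68 are constructed for the example. The code groups posting IPs by the CIDR that contains them and drafts one abuse report per block owner; nothing is sent and no network access is needed.

```python
import ipaddress
from collections import defaultdict

# ARIN record for 70.86.49.68 as pasted in the post above (abridged to the
# fields used here).
ARIN_RECORD = """\
[Querying whois.arin.net]
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
City: Dallas
StateProv: TX
Country: US
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14
NetName: NETBLK-THEPLANET-BLK-13
OrgAbuseEmail: abuse@theplanet.com
# ARIN WHOIS database, last updated 2006-04-12 19:10
"""

# Constructed second record on an RFC 5737 documentation range so that the
# grouping below has more than one owner to attribute to.
EXAMPLE_RECORD = """\
OrgName: Example Hosting (constructed)
CIDR: 203.0.113.0/24
OrgAbuseEmail: abuse@example.net
"""

# Constructed list of poster IPs such as the forum database would hold.
# 70.86.49.68 is the address from the post; the others are made up.
SPAM_IPS = ["70.86.49.68", "203.0.113.45", "70.85.1.2", "198.51.100.7"]


def ptr_name(ip: str) -> str:
    """Reverse-lookup (PTR) query name for an address, e.g. 68.49.86.70.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' lines of an ARIN-style record into a dict.
    Comment lines ('#') and query banners ('[...]') are skipped; a key that
    repeats (Address, CIDR on multi-block records) is joined with commas."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        rec[key] = f"{rec[key]}, {value}" if key in rec else value
    return rec


def attribute(ips, records) -> dict:
    """Group IPs by the netblock whose CIDR contains them, carrying the block
    owner's name and abuse contact; IPs matching no record land in 'unknown'."""
    nets = []
    for rec in records:
        for cidr in rec.get("CIDR", "").split(","):
            cidr = cidr.strip()
            if cidr:
                nets.append((ipaddress.ip_network(cidr), rec))
    groups = defaultdict(lambda: {"ips": [], "org": None, "abuse": None})
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net, rec in nets:
            if addr in net:
                g = groups[str(net)]
                g["org"], g["abuse"] = rec.get("OrgName"), rec.get("OrgAbuseEmail")
                g["ips"].append(ip)
                break
        else:
            groups["unknown"]["ips"].append(ip)
    return dict(groups)


def abuse_reports(groups: dict) -> dict:
    """One report body per abuse contact; unattributed IPs are left out because
    there is nobody to send them to."""
    reports = {}
    for net, g in groups.items():
        if net == "unknown" or not g["abuse"]:
            continue
        body = [f"To: {g['abuse']}",
                f"Subject: forum spam posted from {net} ({g['org']})",
                "The following addresses in your netblock posted spam:"]
        body += [f"  {ip}  PTR query: {ptr_name(ip)}" for ip in g["ips"]]
        reports[g["abuse"]] = "\n".join(body)
    return reports


if __name__ == "__main__":
    groups = attribute(SPAM_IPS, [parse_whois(ARIN_RECORD), parse_whois(EXAMPLE_RECORD)])
    for report in abuse_reports(groups).values():
        print(report, end="\n\n")
    print("unattributed:", groups.get("unknown", {}).get("ips", []))
```

Dynamic addresses (mentioned in the first post) are why the grouping is by netblock rather than by individual IP: the address changes, the block owner who can act on the complaint does not.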
#5  04-13-2006, 07:12 PM  Easywebdev (Donegal, Ireland)

Quote:
Originally Posted by bj
I strongly suggest you switch to a different forum script. PhpBB is absolutely notorious for these sorts of problems, and if you've already been targeted it's not going to get better as long as you're using that insecure piece of manure.

Some of the other forum scripts have conversion utilities so you can convert your phpbb db to theirs and transfer over your posts.

This is really a better option than trying to secure something that's NEVER been secure.
I don't want to get into a flame war over this, but that is a very misinformed statement. A lot of the security advisories that have posted security vulnerabilities regarding phpBB are to do with weak server security, other packages leading to a compromised server (it was awstats that took down the phpBB site last year, not phpBB), ignorant users chmodding files to 777, leaving install directories in place, installing insecure hacks, etc.

The stock phpbb's record stands up against most other forum scripts quite well. Indeed a hell of a lot better than ipb, yabbse, ikonboard and others.

From a programmer's point of view it is one of the best written forum scripts out there, and believe me, I have looked under the hood of most of them. While some forum software depends on register_globals being on, phpBB actually unsets all global variables and is a lesson for newbie programmers in good security practices (it has come a long way codewise from its early days). For someone to call it an insecure piece of manure is severely misinformed, has never used it or has no clue whatsoever about PHP programming and security practices.

If anyone thinks differently and thinks they can prove it, I will put my money where my mouth is and gladly put up a stock phpBB on one of my servers, and they can fire all the kiddie scripts they can find at it.

Kgun, a secure cert isn't going to help a jot if your host's server is not secure. I doubt very much it is packet sniffing. I would not use a shared host. You should be looking at renting a dedicated server or small VPS to host your sites.

I have PM'ed you a script you can upload to your hosting space; run it, and if you can traverse the directory tree and read files outside of your own directory, then find another host.

How do you harden up the default phpBB's security?
1. Upgrade to the latest version (that has captcha image verification on by default for new registrations).
2. NEVER allow guest posting (you know why, with the spam you are getting).
3. NEVER allow HTML in posts; you are opened up to cross-site scripting by a user injecting JavaScript.
4. Edit overall_footer.tpl and remove the "powered by phpBB" line. You won't get support from the phpBB site if you do this, but it stops bots finding your site by it.
5. NEVER allow remote avatars.
6. Enable mod_gzip. It will speed things up slightly, plus the server sends compressed files which the browser decompresses, which gives you an added layer against packet sniffing (they can get by it, but it will stop some script kiddies).


If you are using a shared host, then when you install your forum pop on over to ioncube.com and encrypt your config.php ($5 will get you 50 credits to encrypt individual files).

If you really want to harden up passwords, then you can add a variable to the config file such as $secret_word = md5("secret_word"); and in login.php, where it checks if the md5'ed password equals the database password, you can concatenate the secret word to all passwords. You will need to do this on registration as well, but it will stop md5 collisions and brute force hack attempts stone dead. If you want this done then PM me about it and I'll send you the files that I have done it with.

Don't give up on phpBB. As I say, it is a great piece of software, but if you don't follow points 1-5 above and host on a shared server, then you are going to get problems.

I doubt you are getting hit with a good hacker; more than likely an irritating script kiddie who has SSH access to your webhost and the host has not properly set permissions on databases and directories. It is amazing the number of clueless hosts out there.
#6  04-13-2006, 07:32 PM  Easywebdev (Donegal, Ireland)

Forgot to mention if you want the enhanced password handling then you will need your own encrypted config.php with your own database connection info.
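The password handling described in the two posts above, as an added example that is not part of the posts or of phpBB: the stock md5-of-the-password check, the site-wide secret word concatenated to every password as the post describes, and an attacker's precomputed table of common-password hashes run against both, which is what the encrypted config.php of the follow-up post is protecting. The concatenation order secret+password, the placeholder "secret_word" and the common-password list are assumptions for the example. Beyond the post, it also shows a per-user random salt with PBKDF2, the form that does not depend on one value in config.php staying secret.

```python
import hashlib
import hmac
import os

# Site-wide secret exactly as the post writes it: $secret_word = md5("secret_word").
# "secret_word" is the post's placeholder, not a real secret (assumption).
SECRET_WORD = hashlib.md5(b"secret_word").hexdigest()

# Constructed list standing in for an attacker's password dictionary.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "norway2006"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def legacy_hash(password: str) -> str:
    """Stock phpBB 2 style check: md5 of the password alone."""
    return md5_hex(password.encode())


def keyed_hash(password: str, secret: str = SECRET_WORD) -> str:
    """The post's hardening: the secret word concatenated to every password
    before hashing, at registration and at login alike.  Order is an assumption."""
    return md5_hex((secret + password).encode())


def verify(stored: str, candidate: str, hasher) -> bool:
    """Constant-time comparison of a stored hash against a login attempt."""
    return hmac.compare_digest(stored, hasher(candidate))


def precomputed_table(hasher) -> dict:
    """What an attacker holding a dumped users table brings along: hashes of
    common passwords computed in advance under a guessed hashing scheme."""
    return {hasher(p): p for p in COMMON_PASSWORDS}


def crack(stored: str, table: dict):
    """Table lookup: returns the password if the stored hash is in the table."""
    return table.get(stored)


# Beyond the post: per-user random salt plus a slow KDF.  There is no single
# site-wide value whose leak turns every stored hash back into a table lookup.
def salted_hash(password: str, salt=None, rounds: int = 100_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_salted(stored: str, candidate: str) -> bool:
    """Recompute with the salt and round count stored alongside the hash."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stored = keyed_hash("letmein")
    print("plain table vs keyed hash:", crack(stored, precomputed_table(legacy_hash)))
    print("table built with leaked secret:", crack(stored, precomputed_table(keyed_hash)))
    print("per-user salted:", salted_hash("letmein"))
```

Against an unsalted md5 a dumped users table falls to the precomputed dictionary immediately; the keyed variant defeats the same table only for as long as the attacker does not know the secret word, because once it is known the table is rebuilt with it in one pass over the dictionary. A per-user salt forces that rebuild per account, and the round count makes each rebuild expensive.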
#7  04-13-2006, 08:30 PM  FusionX (Los Angeles, USA)

It definitely seems that the problem is with your setup and posting policies. As everyone suggested, you should upgrade to the latest version of the forum software and make use of image verification for registration.

And NEVER EVER allow guests to post anything on the forums.

Regarding the comment about the webhosting provider www.theplanet.com, it is a really reputable web hosting company. Lots of small to medium sized companies actually rent dedicated servers from ThePlanet. So it is really hard to believe that they have anything to do with the spam. It would even be helpful to you if you contact them regarding this incident and provide them with the domain names and IP addresses; they will definitely help you out.

Disclaimer: I am not affiliated with ThePlanet. However, I do rent 3 dedicated servers from them.
#8  04-13-2006, 09:08 PM  Easywebdev (Donegal, Ireland)

I missed the bit about The Planet. I'd echo FusionX's statement. The Planet is a large reputable company who rent dedicated servers (one of its subsidiaries is servermatrix.com); both are big names in the dedicated arena.

I've known The Planet to pull the plug on email spammers very quickly; the last thing they want is a block of their IPs on a blacklist.

Kgun, you could try contacting The Planet with the IPs you have, and they can narrow it down for you to see if it is a single user on that server, or if it is a webhost's server they can point you at the person to contact, and they in turn can narrow it down to a single user.
#9  04-14-2006, 04:48 AM  kgun (Norway)

Thank you for the good advice so far.

1. The consequence of e-mail spam.

I think big companies like Microsoft have won in court against e-mail spammers. This is in my view much worse.

2. My own responsibility.

Is it free for anybody to spam my forum if I have not made the necessary steps to prevent it myself? Is anybody free to break into your house if it is not properly secured? There are warnings in the preliminary rules.

3. The consequence of destroying my website(s) real estate.

I am an economist and know that the value of a site is the present value of all future direct and indirect (I have more than 20 other sites) profit. The spammer(s) is (are) consciously destroying my eProperty real estate.

4. Who are it (they)?

Some of you claim to be IT professionals. You say that it is difficult to find who it is. Do you really mean it, with all that information in the form of a lot of web sites and IP addresses?

5. My solution

This takes focus from my work, which is to make good sites. Now I have installed and am configuring Apache 2 on my Windows XP machine. I have downloaded PHP and MySQL and will install and configure them myself. I may also download phpBB and phpMyAdmin. It was not my intention to make my own web server (one of my neighbours has one, but I regarded professional foreign servers (hosting) as more secure), but that may be a side effect of this spamming.

I have no intention of deleting the information in the MySQL database for ForumNorway.
#10  04-14-2006, 06:51 AM  khurramali (Karachi, Pakistan)
Problem is updating software for security and bug fixes

The real problem is keeping the program updated. phpBB has just come out with a new version; if you don't upgrade soon your forum will be overrun by bots hell bent on destroying your forum beyond repair.

heed my words as I have been hurt in the past.
__________________
ARFY.NET, SEO outsourcing to Pakistan
SEO Pakistan, SEO Guru Pakistan, Khurram Ali Linkedin.
#11  04-14-2006, 07:53 AM  kgun (Norway)
The real problem is that somebody thinks they can continue spamming without consequences.

It is easy to repair.

1. Reinstall a backup. The hoster has one before the spamming started. Then download the latest version of phpBB.
2. Delete the whole site and reinstall the latest version.
3. I also have a backup of all posts.
4. In the worst case, find a new hoster, upload the site, change the name servers and delete the old one. That should be effective in 48 hours. That is not an option now, since I rely on the hoster, even if they have had problems, as my other two hosters had at the start of the hosting period.

<digression>
khurramali the links in your signature are broken.
</digression>