Jump to content

Backdoor Admin

Guest America's Reject

Recommended Posts

It's somewhat pointless. If you get hacked, you could just as easily use MySQL to upgrade another user account and use that to log in and 'take back over'.

Link to comment
Share on other sites

You do not need to know be completely literate in sql as it's very easy to find even for someone that is new to sql and IPB. If someone was to purchase this board and install it then get hacked and they were unaware how to get the forum access back all they would need to do is nip onto this support forum and ask. Many people are willing to help. This without a doubt opens up security issues other than the one's that the majority of people first think about.

Link to comment
Share on other sites

Say you get hacked. And they find no traces of a back door admin,

THen u can log in an dtake it back over.

Never been hacked before myself, why should it happen in the future? As long as you follow IPS's recommendations on Board Security and check your CHMOD settings are all OK, you can't go wrong. Also having a strong Admin password would be a good thing, like me (upper/lowercase letters and numbers). If your board has been hacked, then you or one of your Admins has been careless and that's where the problem lies. Such a feature shouldn't be needed.
Link to comment
Share on other sites

I think a backdoor admin would be great. Could be enabled or disabled and other settings found fit.

It would not have a member No. Would not appear anywhere. Only root admins would have access to the config.

I think this idea will serve your purpose:

$back['pass'] = (md5hash of password);
$back['challenge'] = "question to ask";
$back['response'] = (md5hash of response);

In order to change/delete it, the password would have to be put in, thus preventing a hacker from just disabling it. Being a file, a hacker couldn't use SQL to delete it.

When using it, userID would be blank, password would be the 'pass', then it would take you to the challenge/response part, and once completing that, would let you add/edit an account to give root admin access to. (Edit so you can change a password on an account if it was stolen).


If you want to take it an extra step, have the filename be backdoor_(md5 hash of password).php
Then when the file is created, the only way to edit it is to use the right password. Then only allow 1 backdoor_*.php file so that a hacker can't create one of their own.
Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...