.Ian Posted October 6, 2009

Hi, I see that http://www.ibskin.com/forums have now apparently been hacked. This follows another third party site for IPB which was hacked about 3 weeks ago.

Is IP.Board safe if these sites are being hacked?

< I will ask my other question via a ticket, just in case it is a backdoor >

Thanks.

Russell. Posted October 6, 2009

[quote name='.Ian' date='06 October 2009 - 01:31 PM' timestamp='1254832266' post='1863882']
Hi, I see that http://www.ibskin.com/forums have now apparently been hacked. This follows another third party site for IPB which was hacked about 3 weeks ago. Is IP.Board safe if these sites are being hacked? < I will ask my other question via a ticket, just in case it is a backdoor > Thanks.
[/quote]

Personally I think IP.Board is one of the most secure forum software out there and you should always keep your board up to date. This also highlights the importance of keeping regular backups.

As for ibskin.com:

Evanescence - Working as fast as we can to get IBSkin restored without loss of content. We were hacked pretty bad. We think it was an ex-employee, not an actual hack.

Energizer Posted October 6, 2009

There is no safe forum! Each forum is only safe until someone proves the contrary. Many people make no effort to find ways to hack into. Therefore so many people think a forum is safe. A forum is certainly = the earth is a Disc!

mld11 Posted October 6, 2009

Simple precautions can be taken:

Make sure conf_global.php has only 444 permissions, and that everything else has 755 permissions. The only folders (recursively) that should be set to 777 are downloads, public, cache, and uploads. (Credit to IPS for that tidbit)

As well, any passwords used to access something that controls your forum (SSH, FTP, and/or Control Panel), make sure they are all different. This way if someone gets your forum password, it's not the end of the world.

Another good thing is to change the admin directory, and put a password on it. This way if they find your hidden directory, they still need ANOTHER login to even access your ACP. :)

If you use cPanel, Kloxo or something similar, you should create a client/reseller account that does not have the privileges to delete MySQL databases/rows. This way, you can randomly generate a massive password for the main account, and write it down (so it can't be electronically hacked), and if the account you created gets hacked, your databases won't be compromised.

I've done all of that, it works very well. But you can only protect yourself so far. Good luck!

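The permission layout from mld11's post above, written as a check; this is an added example, not part of the thread and not IP.Board's own tooling. It assumes conf_global.php and the four writable folders sit directly under the board root passed as the first argument, and the finding labels are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a board directory against the
# permission layout described in the post above.
# Assumptions: conf_global.php and the four writable folders are direct
# children of the board root, and the root path contains no glob characters.
# The finding labels (MISSING, NOT-444, WORLD-WRITABLE) are made up here.

audit_board_perms() {
    root=${1%/}
    report=$(
        # conf_global.php must be exactly 444 (read-only for every user).
        if [ ! -f "$root/conf_global.php" ]; then
            echo "MISSING $root/conf_global.php"
        elif [ -z "$(find "$root/conf_global.php" -perm 444)" ]; then
            echo "NOT-444 $root/conf_global.php"
        fi
        # Skip the four trees that are allowed to be 777, then list anything
        # else with the world-write bit set (symlinks always show 777, so
        # they are ignored).
        find "$root" \( -path "$root/downloads" -o -path "$root/public" \
                        -o -path "$root/cache" -o -path "$root/uploads" \) -prune \
            -o ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
    )
    # No findings: stay silent and succeed. Otherwise print them and fail.
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run the audit when a board root is given on the command line.
if [ -n "${1:-}" ]; then
    audit_board_perms "$1"
fi
```
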
rct2·com Posted October 6, 2009

I think that it is dangerous to assume that because a domain is hacked, then the 'back door' must be through the IP.Board. Sure ibskin/forums etc is posting about a hack, but it doesn't necessarily mean the attack came through the forums.

For example, a few months back one of the boards I help with started serving up a Trojan virus. An <iframe> had been placed in the skins which were downloading the Trojans through visitors' browsers. Immediately, we all got worried about the security of IP.Board (v2.3.6 as it happens). However, after extensive forensic evidence gathering I discovered that the backdoor was on a completely different script on a completely different domain that was run by somebody else on our server.

This forum software creates and updates a lot of files. These files belong to the web server user called 'Apache'. Every script on the server belongs to the same user 'Apache'. So when people find a backdoor where they can upload a hacking script, that script is owned and runs as user 'Apache'. Therefore every file created by a web server script is vulnerable to being attacked, whether it is in the domain being attacked, or otherwise.

This vulnerability is true of ANY web-based scripting engine, and not just IP.Board. You have to rely on the developers of the scripts being as diligent as possible in preventing 'hacks' by injecting nasty commands through their URLs. I have confidence that the folks at InVision have that diligence. What is more, even modders of IP.Board can be reassured that any URLs that they serve up will have the input thoroughly cleaned before it is passed to their code.

.Ian (Author) Posted October 6, 2009

Thanks - I didn't see the status post by Evanescence before I posted, but she says it might have been an ex-employee. I hope all is sorted out soon. Let us hope it was a rogue admin, rather than a hacker.

.Ian (Author) Posted October 6, 2009

[quote name='rct²·com' date='06 October 2009 - 02:24 PM' timestamp='1254835452' post='1863899']
I think that it is dangerous to assume that because a domain is hacked, then the 'back door' must be through the IP.Board. Sure ibskin/forums etc is posting about a hack, but it doesn't necessarily mean the attack came through the forums.
[/quote]

Agree with you, but in both this case and the previous case it appears that data has been deleted by an admin of some description. It is either a foolish admin (who would appear in the logs anyway) or the admin accounts are being compromised, so no security would help if that was the case (short of making all decisions via a fellow admin reversible by another admin within a set period of time).

Caelum Nimmiël Posted October 6, 2009

To my (quite extensive, heh) knowledge, Energizer is right; there is no secure forum. But I also believe IPB is by far the most secure at the moment, assuming you use proper precautions. The security center in ACP helps with security a great deal though, and I don't know any exploits in IPB myself currently.

Long story short, a hacking isn't necessarily an issue with the software, no, and IPB is the most secure out there at the moment in my opinion, yes ;)

Axel Wers Posted October 6, 2009

[quote name='.Ian' date='06 October 2009 - 02:31 PM' timestamp='1254832266' post='1863882']
Hi, I see that http://www.ibskin.com/forums have now apparently been hacked. This follows another third party site for IPB which was hacked about 3 weeks ago. Is IP.Board safe if these sites are being hacked? < I will ask my other question via a ticket, just in case it is a backdoor > Thanks.
[/quote]

Probably security hole in custom skin. I am not sure.

Ryan H. Posted October 6, 2009

[quote name='Axel Wers' date='06 October 2009 - 10:36 AM' timestamp='1254839794' post='1863917']
Probably security hole in custom skin. I am not sure.
[/quote]

Things don't work that way.

Michael Posted October 6, 2009

[quote name='No1 1000' date='06 October 2009 - 10:39 AM' timestamp='1254839965' post='1863919']
Things don't work that way.
[/quote]

It is actually feasible. IPS might have added a security check into some random form's template in a new release, and the custom skin failed to include that, thus opening a hole for some type of injection or other malicious activity.

Ryan H. Posted October 6, 2009

[quote name='Μichael' date='06 October 2009 - 11:20 AM' timestamp='1254842416' post='1863933']
It is actually feasible. IPS might have added a security check into some random form's template in a new release, and the custom skin failed to include that, thus opening a hole for some type of injection or other malicious activity.
[/quote]

Any security checks would be server-side and in the source files; them being in the templates would only mean that it could be removed by the client making it utterly useless [that is, the security hole would be there regardless of the state of the skin]. I realize that there are conditionals which are not public-facing, but again, those would not be the final layer of security.

The worst that could happen in that regard, that I can see, is that a form key would be mistyped [which there are a couple cases of in prior versions] causing a particular action to not work. Not quite board-compromising caliber.

There is definitely the potential for bad things to happen through custom skins, particularly if the creator includes their own special PHP for whatever purpose, but for a general skin and especially one of Sherri's, I'm pretty sure that would not be the case.

Mark Posted October 6, 2009

[quote name='No1 1000' date='06 October 2009 - 04:43 PM' timestamp='1254843806' post='1863941']
Any security checks would be server-side and in the source files; them being in the templates would only mean that it could be removed by the client making it utterly useless [that is, the security hole would be there regardless of the state of the skin]. I realize that there are conditionals which are not public-facing, but again, those would not be the final layer of security. The worst that could happen in that regard, that I can see, is that a form key would be mistyped [which there are a couple cases of in prior versions] causing a particular action to not work. Not quite board-compromising caliber. There is definitely the potential for bad things to happen through custom skins, particularly if the creator includes their own special PHP for whatever purpose, but for a general skin and especially one of Sherri's, I'm pretty sure that would not be the case.
[/quote]

Michael is correct, it is certainly possible, although it's a bit of a long shot.

I don't think it's really appropriate to speculate on what has happened to a particular site - if the owner has concerns they will contact us and we will investigate what happened. At the moment there are no known vulnerabilities in IP.Board's latest supported versions (3.0.3 or 2.3.6).

Enkidu Posted October 6, 2009

I thought they already did? hmmm :unsure: maybe it's safe to conclude it was "internal" as eva said. Glad to know that IPB is safe.

if the owner has concerns they will contact us and we will investigate what happened.

bfarber Posted October 6, 2009

[quote name='Enkidu' date='06 October 2009 - 12:38 PM' timestamp='1254847121' post='1863953']
I thought they already did? hmmm :unsure: maybe it's safe to conclude it was "internal" as eva said. Glad to know that IPB is safe.
[/quote]

If the owner did contact us through the ticket system, we wouldn't be at liberty to share that information, so Mark's statement still stands. We don't really need to divulge whether they have or not. :)

This topic is now archived and is closed to further replies.