[新聞]phpbb.com被駭了

[哈啦]

phpbb論壇的本店phpbb.com自己也被駭了

現在上去還可以看到phpbb.com的告示，說明他們如何被駭的。

引用:

Hi everyone,

A further update and reminder as to the situation with this site. Our system was compromised Sunday evening by a group of hackers/crackers who (based on available information apparently corroborated by said hackers/crackers) used an exploit in awstats to gain entry. I'll repeat this very clearly since some people and worse some hosting providers are not listening to what is being said. Based on said information we do not believe, nor do we have any reason to believe, that our system was compromised due to any fault in phpBB 2.0.11.

Server update, unfortunately the datacenter where our box is located have been less than helpful. The box was supposed to have been shipped Monday, it wasn't. With further pushing we were told it would definitely ship yesterday (Tuesday), it didn't. The box is now being collected "manually". Very unimpressive service quite frankly. Because of this we are now working to an altered plan which may see the site return tomorrow (Thursday 9th) or Friday (10th). Please note that we will not be able to comment on the method used to exploit our site for at least several days.

It is actually quite fustrating at present that some hosting providers are asking or forcing their customers to remove installs of phpBB 2.0.11 due to the loss of phpbb.com. As I say above, our best available information right now is that phpBB was not to blame. If a hosting provider knows different perhaps they can inform us (along with details of how they know!).

Equally it's annoying to see some people posting the same old highlighting exploit claiming their 2.0.11 board was hacked via it. Again unless my team and indeed our other teams, heck large sections of our community, are all lying to me that vulnerability was fixed in 2.0.11. Sites running .11 and claiming (or thier hosts claiming) to have been attacked using it should take a close look at other applications they have installed. phpBB is not alone in being exploited, all the major boards can be if you don't update as new releases are made. Equally users should ensure the relevant highlighting fix is indeed present. Over the years we've dealt with thousands of users who say they've patched something (be it an exploit or bug) but upon examination we've discovered the problem code is still there. Equally hosts should look at their own systems. Are you running awstats if so have you updated? Do you regularly update your OS and particularly the kernel (if appropriate) as fixes are released? Are your users running old versions of other PHP/Perl/etc. software? Have you set appropriate permissions on key folders such as /tmp and /var/tmp? Is your webserver running with as few permissions as possible? Just because we overlooked something doesn't mean you should!

To our community, please do not ask us for further updates as to the situation, its cause, etc. Everything we have to say is said here. Our support channel (#phpbb) on IRC has at times been swamped with "What happened? Any news?" style questions which are making it extremely difficult to support users with real issues. So we appreciate the interest but please, accept that we have nothing else to add.

Users in need of support with phpBB 2.0.x can visit our development board, area51.phpbb.com where such support is being offered at this time. Of course you can also view the next version of phpBB, 3.0 "Olympus" in the process (minus the new style of course!). We are also maintaining our IRC support channel, #phpbb on the irc.freenode.net network

Again we apologise for any problems this may cause our userbase. We obviously take the huge support our community gives phpBB very seriously. And we will do our best to return to "normal operations" just as soon as we can.

psoTFX - phpBB Group

[vincentliao]

實在不曉得該說什麼...
一個公益網站,樹大招風,懷璧何罪...
可能原因有:
1.同行相忌.
2.管理人員疏失.
3.自炒新聞.
4.Hacker駭客太無聊了,找個非商業網站下手.

[哈啦]

據說不是phpbb本身的問題，而是cpanel中的awstats這個流量軟體。
只是不知是如何藉由這個地方突破的？

[seesawgame]

不會是網管的安全出現問題?還是phpbb本身的安全性被發現有狀況?!
這麼大的站被駭實在是令人感到吃驚啊
且phpbb又有這麼多的用戶群說

[some]

官方說法是因為 awstats 這套知名的網站分析軟體
http://awstats.sourceforge.net/
是被入侵的管道.

小弟為了學習php 整個phpbb都研究透澈過了,學了不少東西,
覺得 phpbb 的程式碼很嚴謹,
小弟不大相信是由 phpbb 2.1.1 的缺點而被入侵的.

[vincentliao]

流量軟體會用到 Snmp 與 Rmon , 會是這個嗎? 機會不大...

[some]

awstats 是利用 apache 產生的 log 檔來分析
應該沒用到 Snmp 這種協定.. 小弟也不懂.

[dx2]

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole.

[adam]

或許應該還可以這麼說吧...

其實, 國內外很多知名的主機公司提供的虛擬主機, 在使用者 HOME 的目錄權限設定
都不是很完善, 這個情況會導致:

1.一個網站的站長失誤, 就可能導致該部主機的全部網站被入侵、首頁被換掉....
　再加上很多主機都使用客戶的網址來當使用者的ID與HOME目錄的名稱, 例如像:
　/home/myhome.com.tw 或 c:/inetpub/www/myhome.com.tw
　還可讓入侵者增加快感與成就感, 就算是一般的網友看到以上的資料匣路徑, 也
　應該都會立刻曉得那個資料匣的網站或對應到的網名是什麼了吧!!

2.您費盡心思設計的個人留言板或購物車程式, 居然在別人網站看到90%相似的版本,
　那代表您放在虛擬主機空間的資料, 已被同一部主機的其他客戶複製回家.......
　(有人喜歡到處租用虛擬主機, 就是這樣到處收集別人的程式碼, 再做成光碟出售)