Thursday, April 24, 2008

Forum owners - Take your responsibility!!

After we had this, with a little update here, I'm still amazed how many website owners don't take responsibility.

I was researching/analyzing some SQL injection scripts a couple of days ago and a google search showed me how many websites, forums in particular are being hacked/compromised. A LOT!!

Example:



Above forum was not only hacked, but it was full with spam as well.
LACK OF RESPONSIBILITY!!

People hack forums/sites for different purposes. Some do it only to get attention, as a challenge - others do it for personal gain - for example, put malicious content on the site, so every visitor gets infected with a trojan/backdoor/whatever with their own purposes as well (steal data from your system, display ads..)
Or they post SPAM all over the place (as you see in above example). In other cases, you don't even see that the forum/site is hacked, but the scripts are doing its job anyway, silently in the background...
Some interesting info:

* http://www.prevx.com/blog/87/What-happens-when-your-Managed-Hosting-Server-Gets-Owned.html

* http://www.f-secure.com/weblog/archives/00001427.html

* http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html

Anyway, when I saw the google results, I've contacted some of the forum owners + webhosting companies via mail to make them aware of the fact that they should take action asap.
Some replied and I was really suprised that many forum owners didn't know how to fix it, so that's why they left it as it was.

Luckily, we still have the webhosting companies who took action instead and took the forums offline or added a .htaccess to block access.
But then again, many didn't even reply to my mail and I see the compromised forums are still up and running. :(

This blogpost is mainly about forums/forum owners, because it's easy for anyone to install and run a forum, but maintaining it and keeping it secure is another story.
That's why, if you run a forum, take your responsibility!!!

Some tips to make your forum more secure:

*1. Install a forum - Read the documentation first!

Many install a forum without reading the documentation/tutorial how to properly install a forum.
This also involves how to CHMOD files and directories in order to properly install it - to set permissions for a file and/or directories. The most important part here is, make sure, after you installed your forum software, that you CHMOD your files and directories again, so it has restricted permissions.
Every forum software has (or should have) a tutorial available how to do this properly, even with support for several different FTP clients. So make sure you read it!

*2. Make sure you always use the latest forum software!

This is the most important part if you want to run a forum. The forum software is updated frequently, not only to fix some bugs in it, but mainly to fix security leaks/vulnerabilities.
In 80% of the cases, a forum was hacked/compromised because you were still running an outdated, vulnerable version of your forum software.
For most forum software, there's a mailing list available where you can subscribe to get notified about the latest updates. If your forum software is still running an older version, then update it ASAP!!!

Many forum owners also use a lot of plugins/mods. Make sure you're running the latest versions as well, because these plugins/mods may contain security leaks as well.

*3. Don't allow html

By default, if you install forum software, html is disabled to use in the forum. This is with a reason, because if html is enabled, it's a piece of cake to insert malicious content.
That's why BBcode takes its place.
However, some forum owners/administrators decide to allow html in the forum posts. If that is the case, make sure this option is only available for certain groups and not for everyone!

*4. Only for registered users

If you run a forum, only allow registered users to post. If you allow guests to post, they can post anything they want, post a lot of SPAM (with malicious links in it) and you can't do much against it.
That's why, if you give permission for registered members only to post, you can already avoid a lot of problems.
Some basic rules for registration:

*5. Make sure captcha is enabled
captcha is a way to avoid SPAMbots. This to make sure the registration is not generated by a computer. However, many spambots already found a way to "crack" the captcha and avoid a proper registration anyway.
That's also why..

*6. Use e-mail validation to register


During registration, people should enter a valid e-mail address to validate their registration, because the validation link will be sent to that address. So an account can only be registered via the link sent in that e-mail. This is also a way to avoid spambots.

*7. Rename your admin directory

Most forum software use their own way of creating directories/files. If you're a forum administrator, in most cases, the administrator directory related with your forum will be called admin or administrator. By default, this access is passwordprotected.
But, even though it's passwordprotected, there are many ways to get it. Bruteforcing the login/password, or retrieve the login/password somewhere else (for example, if you got infected and your data was stolen, or if if you gave your login/password to someone else etc..)
That's why it's always a good idea to rename your admin directory to something else, so it's not that obvious anymore. Make sure you also adjust this in your - in most cases - config.php file.
Even better is, if you rename your admin directory and delete all "visible" links pointing to it on your forum. This can also be done via the "config.php" file (or whatever file your forum software is using for "main access" to your database).

Some forum owners love to have a Web counter and statistics tracker on their forum to see how much traffic the forum gets. In case you decided to change your admin directory and remove all "visible" links pointing to it - then make sure that the web counter/statistics tracker results are visible for you only! Because otherwise it won't make sense to rename directories if anyone can achieve it via the statistics page.

*8. Check your files in the forum directory frequently

If you install a forum, you should upload files via FTP this in order to make the forum "work".
If you update your forum, some files will be patched or added - make sure you are aware of that.
That's why, it's always a good idea to check your files in your forum directory and root directory (if possible) for any changes. This especially if some php files, script files, whatever are added which are not a part of the basic forum software or upgraded parts. Ofcourse if you allow users to upload avatars or attachements, that part will be changed/updated frequently, however, always be cautious!!!
If your webhosting company supports access via SFTP-SSH file transfer protocol and your FTP Client supports it as well, then I recommend you switch to that. This because "normal FTP access" doesn't show all files/folders present - SFTP (SSH) access does - so in case your website/forum is compromised, it's better to have "full" access and be able to view everything present there instead of "restricted access". You can also use PuTTY for that, to have the same access - but normally, every decent FTP Client should support it as well.

*9. Back up your database and files frequently!

If you run a big forum with lots of traffic and forum posts everyday, then I suggest you back up your database once a day. In other cases, I suggest a backup at least once a week.
A backup of the database is the most important part, however, I also recommend to backup your files (the ones you uploaded via FTP) frequently as well. This in case some files were patched by malicious scripts/contents.

*10. Don't give your login/password to anyone!!

Unless you can trust the person for 100%!
Keep in mind, if many people are aware of your login/password and they get infected with a password stealer (which is common nowadays), then it will be known as well.

*11. Disallow PM for new members

This is something I noticed a lot in the last couple of months - and that is - SPAM via PM (Private message).
A lot of spammers (sometimes spambots), manage to bypass the captcha, enter a valid mailaddress, so they are in! Then they start to spam the forums..
Moderators and administrators should catch these spamposts, delete them and ban the user. However, what if SPAM, or malicious links are being posted via PM (Private message)? So admins, mods don't know about these spam messages, since they are sent via PM.
That's why it's always a good idea to disable PM for guests in the first place! For registered members, there should be a policy present to accept PMs if they have posted at least 3 posts in public - this as an example.

*12. Don't let the people know what forum software/version you are running!

The best way to find vulnerable forum software is via Searchengines. Google for example..
Most (free) forum software require their Copyright signature below. You may not remove that!
In some cases, forum software also displays what version you are running (however, in most cases, that is also disabled by default now). In anyway, an easy way for hackers, mainly scriptkiddies to find out if your forum is vulnerable, is via a searchengine. They search for "powered by.. whateveverforumsoftware" and then they try to run their scripts against it to see if it's vulnerable or not.
As I already said, you may not remove the "forum copyright" and links, unless you paid for it to be removed. So that's why it's always a good idea to replace the copyright with an image (jpg/gif/png) instead. Ofcourse, if there are links involved, it's advised to use image maps so that you can retain the links to the copyright/forum.

*13. Still so many other tweaks to make your forum more secure...

I only made you aware of the most important ones. There are still a lot of other tweaks/modifications to make your forum much secure. You can find a lot of extra tips/tweaks on the main site of the forum software you are running.

In anyway.. If your forum was hacked/compromised, then it's YOU who should take action ASAP! Don't leave it as it is, because it's YOUR responsibility if people get infected when they visit your site/forum. It's YOU who should fix it and make your forum/site more secure.
In case you are pretty sure that your forum/site is secure, then try to find out how exactly it was hacked/owned. Contact your webhosting company and ask for the logs. If you can find the cause, then you can do something against it!

A good example.. My forum was once hacked/owned as well. And even though I had taken all precautions and the forum software was up to date as well, it appeared afterwards that there was still a vulnerability present in the forum software I was running. I've researched/investigated it and made the forum developers aware of it. Glad to see they have patched it now as well, even though it took them more than 2 weeks to release the patch! Imagine how many forums were compromised in between..... :(
That's why I changed forum software since I couldn't trust it anymore.

Also, even though you are responsible for your forum/site, if you have a good webhosting company, they will already make you aware of suspicious action/behavior and take action before you are even aware of it. I've had/used a lot of webhosting companies in the past, but the one I'm using now is SUPERB! Support is great and they take action asap! I never want to change anymore!


AFTER ALL, if you are running a site/forum/whatever, It's still YOUR responsibility for whatever happens on your site. If you don't want to take responsibility, or you don't know how to take action if something similar happens, then make sure you know someone who does - if not, then you shouldn't run a forum/site anyway!

Related Posts by Categories