How do forums get hacked

Discussion in 'Security and Legal' started by doodles, Jun 3, 2009.

  1. doodles

    doodles Adept

    Joined:
    May 28, 2009
    Messages:
    114
    Likes Received:
    2
    First Name:
    Lisa
    We got a message from another forum's admin that they had been hacked. the person had got into the admin stuff and messed it up. They have had to get some people in to try and fix it.

    They mentioned something about ips and proxy servers.

    Basically how do forums get hacked?
    Is it by having bad passwords or the web host security isn't that good or both?

    What additional security do you guys use just in case if any?
     
  2. Nick

    Nick Regular Member

    Joined:
    Jul 27, 2008
    Messages:
    7,441
    Likes Received:
    218
    Thread moved to Security & Legal Disputes.
     
  3. doodles

    doodles Adept

    Joined:
    May 28, 2009
    Messages:
    114
    Likes Received:
    2
    First Name:
    Lisa
    hey Im not getting tips on how to do it ya know lol
     
  4. Soliloquy

    Soliloquy Regular Member

    Joined:
    Jun 3, 2009
    Messages:
    2,402
    Likes Received:
    66
    Location:
    New York City
    How do you know if you've been hacked? Well, usually most hackers are looking for attention, so they'll often replace your index page with a taunting message. Unless you've seriously pissed someone off though, most hackings are kids with just enough knowledge to be dangerous looking for forums or sites with exploitable security holes through search engines. It's rarely personal.
     
  5. Chris

    Chris Regular Member

    Joined:
    Dec 27, 2007
    Messages:
    5,422
    Likes Received:
    86
    As mentioned above, the majority of hackers are kids (usually very young) - they quite literally have nothing better to do, and because of this, find amusement in viciously attacking one's website.
     
  6. Nick

    Nick Regular Member

    Joined:
    Jul 27, 2008
    Messages:
    7,441
    Likes Received:
    218
    Personally, I would say weak passwords are the biggest vulnerability. So many people think, "oh it'll never be me who gets hacked, so I'll just use my first name as my password." It's usually too late when they realize they were sadly mistaken.
     
  7. Tom

    Tom Regular Member

    Joined:
    May 27, 2009
    Messages:
    153
    Likes Received:
    18
    Location:
    New York
    Bad passwords, a bad host, poor security - really, there is no real reason to get hacked.

    And I beg to differ with kids hacking most forums... I think adults hack, more or less.
     
  8. Chris

    Chris Regular Member

    Joined:
    Dec 27, 2007
    Messages:
    5,422
    Likes Received:
    86
    Eh, not from my experience(s). I suppose that it depends on the community.
     
  9. Wayne Luke

    Wayne Luke Regular Member

    Joined:
    Apr 2, 2009
    Messages:
    991
    Likes Received:
    276
    Top reasons a forum gets hacked...

    1) Lack of Security
    2) Faulty Software
    3) Compromised Server.

    Security
    Security for a site starts in the chair in front of the monitor. If you are not proactive about security than you will have problems. Security should always be handled by first removing all permissions unless absolutely necessary and then only giving permissions as needed.

    This starts with your local computer. If friends use your computer than create a guest account and only allow what they would need to use. Don't let them use your account. Make sure you have the latest security applications and protocols in place on your computer regardless of the OS. When making a connection to your web server, you need to make sure it is as secure as possible and you use an account with only the permissions required. Logging into SSH via a root account is foolish. You need to use a wheel group to get super user access. Same for email, FTP, or any other protocol.

    Once you are connected to your server, you need to make sure your forum follows the same policies. If you're moderators don't need delete permission than don't give it to them. The barest minimum of permissions to get the job done.

    Passwords should be unique and gibberish. They should be 14-20 characters long. If you cannot remember your passwords than use a tool like Keepass to store them on a removable flash drive that you can take with you. Here is a suitable password:
    lksad@!rj39#W04uri5

    Make sure that critical areas are secure. Do not rely on the software layer to protect your investment. Make sure permissions are at the barest minimum to work and that people do not have access to folders they don't need access to. Move your configuration files above the web root so they are not acceptable. Turn off directory indexing, error reports and other notices. Don't display version numbers if at all possible.

    When installing addons or hacks, have them reviewed for potential vulnerabilities. Most hacks are called that because they are copied and pasted bits of information put together by people with no real programming experience. They just want something that works.

    Software Flaws
    Make sure your software is always up to date. This not only includes your forum software but the webserver, PHP, MySQL, your Operating System, any utilities you use, etc... If you're running Windows than make sure your security software is up to date. Updating daily is a good idea. A flaw in anything can cause issues. The Gumblar virus is an example of what can happen with faulty software. When is the last time you updated Adobe Reader?

    Make sure your software works together. Mismatched versions of software can introduce vulnerabilities.

    Server Compromises
    Least case scenario. If you're on a share server your at the mercy of every single site owner on that server for maximum security. This means that you should operate as if there is no security whatsoever. Sad but true. I bet in a apartment building with with 30 units, 2 people never lock their doors and 6 more use passwords that are 8 digits long and a variant of their name, the word password, their birthday or their dog's name. You cannot rely on others to be secure. There are 300-400 websites on that server. There are probably 80 exposing you to security risks.

    Ask your hosting provider what their security measures are and how they are implemented. Make sure they follow them.

    To ward off the hackers, you need to be secure and confident in your security measures. You need to learn as much as you can about your systems and how they are protected. Otherwise you will be at risk. This doesn't mean you'll be attacked but you'll be at risk.
     
  10. Soliloquy

    Soliloquy Regular Member

    Joined:
    Jun 3, 2009
    Messages:
    2,402
    Likes Received:
    66
    Location:
    New York City
    I wish we had a Thanks button here so I could hit it repeatedly for Wayne Luke. Thanks, that should answer the original poster's question quite well!
     
  11. Abomination

    Abomination Zealot

    Joined:
    Jun 1, 2009
    Messages:
    1,514
    Likes Received:
    102
    I looked for the rep button but only found the button marked "Did you find this post helpful?"

    I'm not sure if the button still exists for others, it has disappeared from my screen after clicking on Wayne's post.
     
  12. Chris

    Chris Regular Member

    Joined:
    Dec 27, 2007
    Messages:
    5,422
    Likes Received:
    86
    We have replaced the reputation system with the "Helpful Posts" plug-in. :)
     
  13. Abomination

    Abomination Zealot

    Joined:
    Jun 1, 2009
    Messages:
    1,514
    Likes Received:
    102
    And I just used it! :D
     
  14. Chris

    Chris Regular Member

    Joined:
    Dec 27, 2007
    Messages:
    5,422
    Likes Received:
    86
    Why thank you! ;)
     
  15. Soliloquy

    Soliloquy Regular Member

    Joined:
    Jun 3, 2009
    Messages:
    2,402
    Likes Received:
    66
    Location:
    New York City
    I didn't even notice those little buttons in the corner there; I'd suggest moving them to be with the other post buttons except the explanatory text would never fit.
     
  16. kev

    kev Regular Member

    Joined:
    Mar 9, 2009
    Messages:
    1,224
    Likes Received:
    61
    Well, I think Wayne pretty much summed it up. The security flaws can be anywhere from the forum software, modifications, server applications and the actual server operating.

    Then there are the key loggers that can get installed on your computer. When someone is recording your key strokes, its not going to be "too" difficult to watch you log into your site.

    Patch sniffers are another application, but that gets a little difficult.

    Weak forum security - such as letting members use html and javascripts in post.

    Uploading files to the server as root, instead of a limited user account.

    Weak passwords + no brute force protection = cracked server.
     

Share This Page