Spammers and Hackers

Steel Rat
General
Posts: 123
Joined: Thu Nov 24, 2005 4:54 pm
Location: Oak Harbor, WA

Post by Steel Rat » Fri Jun 23, 2006 7:18 pm

Heruca,

The only way you're going to "secure" phpBB2 is to rename and move the Admin folder outside of a browsable area of your site. Then rename and move it back when needed. A pain, to be sure, but most of these would-be hackers are just script kiddies that run scripts allowing them access to the admin pages, such as happened on my HDRPG site when I was running phpBB2. I still have the site running, and ever since I performed the above actions the hacker hasn't been able to do squat.

Just a thought.
Steel Rat
Infinite Ordnance: Military RPG supplements
RPGMapShare.com - Free map and mapping object repository.

heruca
Developer
Posts: 9380
Joined: Sun Nov 20, 2005 11:58 pm
Location: Buenos Aires, Argentina

Post by heruca » Fri Jun 23, 2006 8:43 pm

:(

Yeah, I noticed that updating to the latest phpBB2 version did absolutely nothing to stem the tide of bot accounts. I really thought it would.

Will it break anything if I do as you suggest, other than the fact that I won't be able to enter the Admin Panel?
:arrow: Please help spread the word about BRPG and BGE, and never hesitate to tell me how I can make them better suit your gaming needs.

Omnidon
Site Admin
Posts: 2186
Joined: Mon Feb 06, 2006 7:46 pm
Location: NY State, USA

Post by Omnidon » Fri Jun 23, 2006 11:41 pm

Just moving the files won't harm anything.

The better way to do it though is to move it to a new directory on the same site and bookmark it. That way hackers won't find it and you can still get to it, though in rare cases bots could still come across it by mapping your entire site.

Even more secure would be to prevent access to those files to everyone except yourself by IP address. Then you wouldn't even have to move it. That can be done using htaccess from the Cpanel, or I can make you the file myself.

However, I doubt the reason for the spam is hackers. If you had people getting into the admin panel then you'd have more than just spam. The real problem is the fact that the registration page is so easy for a bot to bypass, since the bots are designed with phpBB in mind. That can be fixed by changing some things but that will take a bit of scripting.

Either way, be sure you back up the database regularly. If someone *did* get into the admin page they could wipe the entire forum, which would be a huge disaster if you hadn't backed it up recently.
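
The IP restriction by htaccess mentioned in the post above could look like the following. This is an added example, not part of the original thread and not a file any poster supplied. It assumes an Apache server that honours `.htaccess` overrides in the forum's admin folder, and `203.0.113.10` is a placeholder documentation address standing in for the administrator's own IP.

```apache
# .htaccess placed inside the forum's admin folder (added example).
# Only the listed address may request anything in this folder;
# every other client receives 403 Forbidden.
# 203.0.113.10 is a placeholder: replace it with your own public IP.

# Apache 2.4 and later (mod_authz_core).
# Needs "AllowOverride AuthConfig" for this directory.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>

# Apache 2.2 and earlier (no mod_authz_core).
# Needs "AllowOverride Limit" for this directory.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>
```

If the administrator's address changes (a dynamic IP from the ISP), the admin panel will return 403 until the file is updated over FTP or the hosting control panel.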

Post by heruca » Sat Jun 24, 2006 12:10 am

I backed it up this morning.

Hackers, spam, and bots suck. Just wanted to say that.

Post by Steel Rat » Sat Jun 24, 2006 2:08 am

Unless you go into the admin panel frequently, it won't be anything but a minor annoyance to have to move the admin folder back into place.

I agree though that spammers usually don't cause any more problems than an annoyance. It's the wannabe hackers that are the real problem. They apparently troll for phpBB2 installations and then run their scripts, which usually include changing the forum description of a forum high up in the order so it hijacks the display. It's easy enough to fix, but moving the admin folder will stop it altogether.

Post by heruca » Sat Jun 24, 2006 11:18 am

Omnidon wrote:
> Just moving the files won't harm anything.
>
> The better way to do it though is to move it to a new directory on the same site and bookmark it.

I tried that, but then I get this error when I try to use the bookmark:
"Fatal error: main(): Failed opening required './../extension.inc'"

Do I need to copy the extension file somewhere else, or edit some file to reflect the new location?

Post by Steel Rat » Sat Jun 24, 2006 12:38 pm

heruca wrote:
> I tried that, but then I get this error when I try to use the bookmark:
> "Fatal error: main(): Failed opening required './../extension.inc'"
>
> Do I need to copy the extension file somewhere else, or edit some file to reflect the new location?

Did you move the entire admin folder?

There may be some problems with that approach (moving and bookmarking), if the admin panel pages require access to things outside the admin folder, which is why I advocated moving outside the browsable folder structure, and moving it back when needed. An FTP client should be able to do this pretty easily as needed.

Post by heruca » Sat Jun 24, 2006 12:52 pm

That's what I've done. Thanks for all your help, guys. It seems to work.

Post by Omnidon » Sat Jun 24, 2006 3:09 pm

Steel Rat wrote:
> There may be some problems with that approach (moving and bookmarking), if the admin panel pages require access to things outside the admin folder, which is why I advocated moving outside the browsable folder structure, and moving it back when needed. An FTP client should be able to do this pretty easily as needed.

Well you have to keep the directory structure intact. What I meant by "moving" the admin folder is simply changing the name of the folder. That way the files still can see each other.

But yes, as long as you don't use the admin panel very often, SteelRat's way is fine. I use mine every day though ;-)

Post by Steel Rat » Sat Jun 24, 2006 5:02 pm

lol, I feel for you Omnidon. I think the phpBB2 Admin panel is the most illogically laid-out piece of crap ever made. Ok, Postnuke is worse, but you know what I mean. Creating a forum, making it private and adding users takes an eternity because you have to go to 5 different places. There's no reason you couldn't do it in one place. I used to run an ASP-based forum called Snitz that allowed you to do just that. It was great.

But, every time I mention the possibility of making the admin panel more logical I get yelled at by the fanboys. So I'm moving away from phpBB2. Phorum is much more flexible.

Post by Omnidon » Sat Jun 24, 2006 5:19 pm

Well they claim they're making the admin panel a lot nicer for the distant dream known as phpBB 3 :P

But I'll have to look into "Phorum" and some other ones. It's been a while since I looked at other forum applications, though I've always been fond of phpBB.

I definitely hate phpNuke and Postnuke; they are a programmer's nightmare. I can't install a single block or module in those without having to practically rewrite the darn things to fix the bugs.

Post by Steel Rat » Sat Jun 24, 2006 6:13 pm

Omnidon wrote:
> Well they claim they're making the admin panel a lot nicer for the distant dream known as phpBB 3 :P
>
> But I'll have to look into "Phorum" and some other ones. It's been a while since I looked at other forum applications, though I've always been fond of phpBB.
>
> I definitely hate phpNuke and Postnuke; they are a programmer's nightmare. I can't install a single block or module in those without having to practically rewrite the darn things to fix the bugs.

I never even got PHPNuke to install properly, but I've done several Postnuke installations, have a couple running now.

The thing that bugs me most about it is you have one entire page devoted to a configuration item which is comprised of one field, count 'em, one. And like phpBB2, you have to go to 20 different places to do what should logically be only in one or two places. The UI design of the administration is just horrendous.

No more spambots!

Post by heruca » Wed Aug 09, 2006 11:23 am

I'm fed up with having to manually delete about 5-7 spambot accounts every single day, so I've installed a forum mod today that should help prevent spambot accounts from being created in the first place.

New forum policy: You may not include a website URL in your user profile until you have posted at least once.

Please let me know if you experience any problems. Thanks.

Post by Steel Rat » Wed Aug 09, 2006 7:35 pm

Don't blame you at all man, not at all.

Jixxala
Captain
Posts: 67
Joined: Tue May 30, 2006 3:22 pm

Post by Jixxala » Thu Aug 10, 2006 9:50 am

This sounds reasonable to me. I support you on that one, we need all your free time spent on the product and not deleting those silly spam bots and their annoying posts.
Jixxala
Developer of PGS (Pegasus Gaming System)
Current state - Alpha
Beta starts October.
www.Pegasus-Foundation.com

Kepli
High Commander
Posts: 660
Joined: Mon Nov 21, 2005 5:53 am

Post by Kepli » Fri Aug 11, 2006 5:04 am

Good solution Heruca :D

Post by heruca » Fri Apr 20, 2007 5:15 pm

Sorry about the recent spam posts, everyone, particularly the ones with graphic images. I try to delete the spam and ban the IP of the poster as soon as I can, but I can't be on here 24-7.

I'll take more proactive measures as soon as I have the time. For what it's worth, this is happening on nearly all the VTT forums.

Note to moderators: if you delete a spam post, please also send me the IP address of the spammer so that I can ban it.

Post by Steel Rat » Sat Jul 21, 2007 11:37 pm

Does PHPBB2 have a Captcha mod to prevent bot postings?

Post by heruca » Sun Jul 22, 2007 12:11 am

Omnidon might know.

BTW, your avatar is missing, SR.

Post by Steel Rat » Sun Jul 22, 2007 1:05 am

Got the new one goin' now ;)

Post by Omnidon » Sun Jul 22, 2007 11:14 am

Steel Rat wrote:
> Does PHPBB2 have a Captcha mod to prevent bot postings?

Vanilla (unmodded) phpBB2 has a basic visual confirmation image during registration that rarely manages to fool the bots.

Categories Hierarchy, which is the mod currently used on this forum, includes a much more solid visual confirmation system that can also be applied to guest posting, along with some other security improvements.
It has completely eliminated spam since it was installed ;-)

Post by heruca » Sun Jul 22, 2007 12:05 pm

Omnidon wrote:
> It has completely eliminated spam since it was installed ;-)

And we're loving that fact.

In fact, I think Flash support got added using just the time I saved not having to be a spam janitor. :lol:

Post by heruca » Thu Aug 05, 2010 10:16 am

Bot spammers seem to be on the rise again, lately. :(

I've been deleting and banning their IPs as fast as I can, but it's getting to be a real pain. I hope a new security update for the forum software is released soon.

Post by Omnidon » Fri Aug 06, 2010 4:34 am

heruca wrote:
> Bot spammers seem to be on the rise again, lately. :(
>
> I've been deleting and banning their IPs as fast as I can, but it's getting to be a real pain. I hope a new security update for the forum software is released soon.

Really? I haven't seen any of that. You must be deleting them pretty quickly.

And no, there won't be any official updates to the software any time soon since phpBB3 has replaced phpBB2 and the developer of Categories Hierarchy is working on an entirely new forum script.

However I can add some additional spam prevention methods to the registration process if you mean the bots are actually making new accounts again.

Post by heruca » Fri Aug 06, 2010 8:50 am

I delete them ASAP, and I guess I've just been waking up earlier than normal.

The most recent bot created an account and posted 4 messages overnight. I deleted it and banned the IP right away.

The posts made were a mish-mash of earlier (real) posts in each thread, perhaps a crude attempt at making it seem like it was an on-topic comment, and with a link in the signature.