Hacked! Every forum's worst fear.
#11
http://docs.mybb.com/1.8/administration/...rotection/ - it's written for 1.6 and not updated for 1.8 (yet, I hope), but most of these tips still apply.

And some stuff I'd add there:
1. You should never use the same password twice. Why? Because you never know how the site you're registering on stores them (might be plaintext) and if all admins are trustworthy. If you're worried about remembering many strong passwords, store them in software like KeePass: http://keepass.info/
2. You don't need to keep plugins to a minimum, but only if you have someone experienced to check each of them for vulnerabilities for you before you install them. But even then, you need to keep in mind that no one is infallible. Also, your plugins should obviously be kept up to date too.
3. Of course you also have to secure the devices which you use to manage the site - PCs, laptops, tablets, phones, etc. Never assume that any of them is invulnerable. Many Windows/Android/iOS/OS X or even Linux 0days are found as time goes by. That's why I try to read online security news as often as possible.

Oh, one more that I see too often:
4. If you provide ACP credentials to someone who works for you or helps you then:
a) it shouldn't be your main account, create a new user in ACP instead
b) the new user should have a strong password too
c) you should remove the new user after the person finishes
#12
I have this in development. It should technically work because I'm using it on a test site. I aim to provide an option where a whitelist is used for IPs. A system would be in place for IPs to get added. I also need to get an admin session manager part built. This way you could force logout admins from the ACP if need be.
#13
Well, when I was hacked, I noticed throughout the day that I had one IP on 24/7; it was always in an "Unknown Location".
#14
(2014-11-11, 01:54 PM)AmatureDJ Wrote: I'm kind of frightened to be honest, I really don't know what to say right now after reading this thread and others.

Can it be possible that someone with security knowledge on MyBB share with us extra security measures so that we as admins can put it in place just in case we're the next targets? Thanks!

It's not likely that it is actually a security vulnerability in MyBB itself because if that were the case, various large forums (including this forum) would probably have been attacked. So far, two people have stated that "spook and shade" have attacked forums with insecure passwords and/or administrators who give out sensitive information. My forum has had two hacking attempts itself during the past month, and in both cases, someone attempted to brute force the admin CP. It's not uncommon at all, but some steps that could be taken to prevent these issues from causing your forum to be hacked include:
  • Don't trust anyone with your admin CP info. I always "promote within" and bring administrators from already active members on the forums. If you receive a message asking for a staff position (even if it seems rather innocent), you should be suspicious. I have a section of my forum rules specifically prohibiting the requesting of staff positions, so when people request them, I can send them dirty replies linking to the forum rules xD
  • Use secure passwords. Your six character password with your birth year will probably be easy to guess. I personally use passwords that are a random mix of lowercase and uppercase letters, numbers, and special characters, with a length of at least 9-10 characters at minimum. It's going to be much harder to remember, but it is almost impossible for someone to guess your password if it's literally a string of random characters. Also, it goes without saying, it's generally best to avoid using the same password that you use on various other accounts for your forum account.
  • Always use the most up-to-date version of MyBB (currently 1.8.1 or 1.6.15).
  • If you use MyBB 1.8, add a PIN code in inc/config.php for additional security. This not only serves as an additional security barrier for hackers attempting to compromise accounts, but in the event that someone does guess or obtain your password, it will prevent them from accessing the ACP without access to the files.
  • This has been said numerous times in the past, but plugins can be a source of vulnerabilities in quite a few cases. The MyBB team does attempt to audit code that gets on the mod site before it is published, but that is not a guarantee that a plugin is secure. I remember being involved in a promotion forum a while back that was hacked due to an XSS vulnerability in a Skype plugin. The plugin was not even necessary because MyBB supports additional profile fields, but because the hacker falsely claimed it was a NewPoints vulnerability, none of us would have guessed it was a Skype plugin until we did our own research. In general, some precautions include:
    • Use plugins from reputable sources only. If the plugin is not from the MyBB community forums, do extensive research on the plugin as well as the source before you attempt to install it. MyBB-plugins.com is pretty safe, for example, but a lot of 3rd party plugin sites aren't as trustworthy.
    • Avoid plugins that are from authors who are notorious for writing bad or insecure code. It is wise to do some research on the author and to do a Google search for plugin vulnerabilities before you attempt to install it. If you are using MyBB 1.6, this resource might be helpful.
    • This goes without saying, but in general, it's best not to use plugins for features you don't need. In the event that your forum is hacked due to a plugin vulnerability, it will be hard to diagnose the issue if you have 40+ plugins installed.

I don't think the majority of forums that follow these security practices are really at risk, to be honest. If this was a vulnerability in MyBB, more forums would be hacked. If you follow some of the basic security practices (including the ones listed above), you should be fine.
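The brute-force attempts against the admin CP described in the post above leave a trail in the web server's access log. The script below is an added example, not code from this thread or from MyBB: it assumes Apache "combined" log format, that a wrong ACP password re-renders the login form with HTTP 200 while a correct one redirects with 302, and that the admin folder is at /admin/ (passed as a parameter, since forums that rename the folder will use a different path). The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format, not real traffic:
# 203.0.113.7 hammers the ACP login, 198.51.100.4 is a legitimate admin.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2014:13:50:01 +0000] "POST /admin/index.php HTTP/1.1" 200 4310 "-" "curl/7.38"
203.0.113.7 - - [11/Nov/2014:13:50:02 +0000] "POST /admin/index.php HTTP/1.1" 200 4310 "-" "curl/7.38"
203.0.113.7 - - [11/Nov/2014:13:50:02 +0000] "POST /admin/index.php HTTP/1.1" 200 4310 "-" "curl/7.38"
203.0.113.7 - - [11/Nov/2014:13:50:03 +0000] "POST /admin/index.php HTTP/1.1" 200 4310 "-" "curl/7.38"
203.0.113.7 - - [11/Nov/2014:13:50:04 +0000] "POST /admin/index.php HTTP/1.1" 200 4310 "-" "curl/7.38"
203.0.113.7 - - [11/Nov/2014:13:50:05 +0000] "POST /admin/index.php HTTP/1.1" 200 4310 "-" "curl/7.38"
198.51.100.4 - - [11/Nov/2014:13:51:10 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Nov/2014:13:52:00 +0000] "GET /admin/index.php?module=home HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))

def find_bruteforce(lines, admin_path="/admin/index.php",
                    threshold=5, window=timedelta(minutes=10)):
    """Return {ip: most failed ACP logins inside any `window`} for IPs reaching
    `threshold`. Assumption: a bad ACP password re-renders the login form with
    HTTP 200 and a good one redirects (302), so only 200s count as failures."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == admin_path and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):      # sliding window over sorted times
            while t - times[start] > window: start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Run `find_bruteforce(open("access.log").read().splitlines())` against a real log to get the offending IPs, which is also what you would feed into a CloudFlare or CSF block list.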
#15
(2014-11-11, 01:54 PM)AmatureDJ Wrote: I'm kind of frightened to be honest, I really don't know what to say right now after reading this thread and others.

Can it be possible that someone with security knowledge on MyBB share with us extra security measures so that we as admins can put it in place just in case we're the next targets? Thanks!

A few things I'd like to say...

1. Use a complex password with 10 characters minimum
2. Protect inc folder (check docs posted by Destroy666)
3. Enable ACP PIN
4. Rename the admin folder
5. Password protect admin folder (no not the acp login)
6. http://www.mybbsecurity.net/topic-protec...basic-auth
7. Minimum plugins
#16
8. Hire people you can trust.
#17
(2014-11-11, 03:52 PM)Saint Francis Wrote: 8. Hire people you can trust.

I concur. I always tell forum owners starting their board to get to know people first. Study how they conduct themselves on boards such as this one. Be observant of their behavior patterns. Then, when you've chosen that person to be a GM or co-admin, make your move. Many a time on boards, I have been targeted by staff trying to get me to join their inner circle. Lucky me.
#18
Okay, thanks for commenting and the tips! I'm going to implement every tip before I launch my site.
on another note
Now this is just ridiculous, I just read that 2 more forums got hacked today, what is going on?
http://community.mybb.com/thread-162654-...pid1116942

here are the culprits on twitter https://twitter.com/alboraaq

They are so called the "House of real Hackers"
How can we report these hacknerds? To get their website shut down.
#19
Another thing... If you use CloudFlare and you don't anticipate a user base from Asia, India, or similar, just firewall those countries out.

If you have a VPS, install CSF/LFD and use the country code bans feature to just create a massive blocklist.
#20
(2014-11-11, 06:28 PM)Michael2014 Wrote: Okay, thanks for commenting and the tips! I'm going to implement every tip before I launch my site.
on another note
Now this is just ridiculous, I just read that 2 more forums got hacked today, what is going on?
http://community.mybb.com/thread-162654-...pid1116942

here are the culprits on twitter https://twitter.com/alboraaq

They are so called the "House of real Hackers"
How can we report these hacknerds? To get their website shut down.

If you have their IP, you can report them to their ISP.