phpBB mass hack being prepared?
issociate.de — During the last few days a bot using the name FuntKlakow has been registering on perhaps thousands of phpBB forums. Some speculate that the bot's owners are preparing to exploit an unreported vulnerability.
- 1121 diggs
- Flashman, on 10/12/2007, -2/+18: 243,000 search results for "FuntKlakow": http://www.google.com/search?q=funtklakow
- schnibble, on 10/12/2007, -1/+4: I got 252,000 on google, 5 hours later than Flashman. It could be that this is a popular query, so google is tuning up, or that is 12,000 comps per 5 hours (2400/hour, 40/minute). If it is based on some worm, then this rate could grow exponentially... Interesting to see how it spreads.
- Chozabu, on 10/12/2007, -5/+2: i only get 96,400...
- mikeazorin, on 10/12/2007, -0/+23: http://www.google.com/search?q=%22Viewing+profile%22+%22FuntKlakow%22&hl=en&lr=&start=90&sa=N
More accurate, EVERY single one of them is a profile.
- elurstoidi, on 10/12/2007, -30/+2: you guys are dumb, "FuntKlakow" is my last name
- knotty, on 10/12/2007, -8/+2: I agree with you completely.
- effektz, on 10/12/2007, -47/+5: lol interesting
- serra, on 10/12/2007, -3/+9: I can't wait to see what (if anything) comes of this.
- Smokezz, on 10/12/2007, -5/+0: phpBB hasn't been "hacked" for over 2 months... clueless people suck.
- aplusplus, on 10/12/2007, -19/+13: phpBB seems to get hacked every two weeks.
- ufoq, on 10/12/2007, -1/+12: FuntKlakow is a Polish word ;)
- Flashman, on 10/12/2007, -1/+9: "Funt" means "pound", but what's "Klakow"?
- babbling, on 10/12/2007, -12/+4: I don't speak Polish, but I'm guessing it's probably "them"? :)
- emka, on 10/12/2007, -0/+9: funt kłaków = pound of tufts :)
- Tarmas, on 10/12/2007, -1/+32: Direct translation: "a pound of tuft"
Real meaning: "ain't worth *****"
- Jarda, on 10/12/2007, -67/+8: Thank god phpBB is open source so something like that couldn't happen
- superalamar, on 10/12/2007, -22/+15: To the guy who said this happened due to the open source nature of phpBB. I agree. Thankfully MS products are closed source, which means its security has never been compromised/exploited.
- snapya, on 10/12/2007, -10/+20: Is this a good time for me to recommend that everyone who has a phpBB forum move to an SMF (http://www.simplemachines.org/) forum? It is very easy to migrate to SMF from phpBB. And to all you phpBB users: you will not be able to use all the hacks/mods and skins for phpBB in SMF, but SMF is way more secure!
- Saintlink, on 10/12/2007, -15/+11: SMF forums are the way to go, I recommend you switch.
- Trekkie101, on 10/12/2007, -10/+9: SMF is my choice as well, well worth moving toward it from phpBB. Much better
- gookie, on 10/12/2007, -4/+16: Yeah, and when it's popular enough, it will be the subject of the next hacks. It doesn't make it better. Although I use it as my main forum. Just being fair.
- Seumas, on 10/12/2007, -3/+8: I went the other route, decided all the existing forum software sucks. Wrote my own. Have been using it for eight years.
- tempusrob, on 10/12/2007, -1/+17: I really despise that "when it's popular, it'll be hacked" logic. It depends on the notion that all software is equally insecure, which is unquestionably not true...
- Yorn, on 10/12/2007, -1/+1: Send me a link to your SMF forum and I'll hack you. Unpatched exploit for SMF is out too. To avoid having your cookie compromised via XSS, all you have to do is not look at the IPs of your users. Fat chance of that happening, though, right?
- Trekkie101, on 10/12/2007, -0/+1: Yorn, you're very much mistaken. As of now, SMF has no known security issues. 1.0.7 and RC2-1 are out and patch any issues SMF was known to have.
- Mike89, on 10/12/2007, -0/+15: To me, it doesn't look like a "mass hack" at all. For the few posts it's made (on the forums mentioned in the article), it has a signature with a referral URL in it - to get clickthroughs ;). I thought maybe they were trying to raise their Google ranking but it'd seem they just want to get free stuff - no?
- thenativeraver, on 10/12/2007, -0/+8: "more visitors to y our web site"
I saw that too, I think it may just be a way to spam forums.
- nato64, on 10/12/2007, -0/+11: Holy cow, it registered on my forum this morning! I completely erased him now. He only made one post and it was obvious it didn't have anything to do with what was on the forum. Thanks for the news!
- kurosen, on 10/12/2007, -3/+6: same thing occurred on mine as well... I just deleted the name :p
- hutchy, on 10/12/2007, -2/+3: it registered on mine on March 4th
- just2digg, on 10/12/2007, -23/+5: i've heard about it; they say this was prepared by MS, and known by phpBB devs.
- serra, on 10/12/2007, -1/+5: You know, I actually just realized that I have a forum (inactive site that I have been procrastinating on), and I see that it registered on there too. (04 Mar 2006)
- just2digg, on 10/12/2007, -38/+6: if this happens, this can be the end of open source for enterprises!
- SniperX, on 10/12/2007, -1/+7: This potential hack has nothing to do with it being open source. It's merely a problem because phpBB is so popular, thus it was the decided target. All they did was write a bot to search for and register to phpBB forums, probably not for potential exploits, but just because it's easiest to write a script/program to register for one particular forum type, and phpBB is one of the more popular.
A solution for this is to implement a good image text verification system.
- OOTay, on 10/12/2007, -7/+3: im switchin over to vBulletin sometime this month so hopefully it doesn't happen anytime soon. Ya know what, scratch that, ill do it tomorrow :)
- Hanthus, on 10/12/2007, -2/+8: Just ban the damn thing, duh!
phpBB is a great forum system, I know that there are other good forums but phpBB is also a very good and robust forum system.
- Haplo, on 10/12/2007, -0/+1: I backup several phpBB boards daily using a nifty Perl script: http://johnbokma.com/perl/phpbb-remote-backup.html
In case something bad happens, I can restore the database.
And yes, automatic registration on one of the boards I am admin of has been made very hard, just because I got almost every month 4-5 profile spammers signing up.
- timmarhy, on 10/12/2007, -20/+7: phpBB is like laying out the welcome mat to be hacked.
don't use it.
- Emptythought, on 10/12/2007, -15/+21: i hate to say it, and will probably just get thumbs-downed.
but it's your own goddamn fault for using phpBB, I've completely lost count of the number of times it's been exploited.
i can think of 1, maybe 2 when vBulletin has... and a few more for IPB (mentioned because those are basically the top 3, if you count phpBB)
as has been said earlier in the thread, there are many alternatives and really no upside to using phpBB
- deut, on 10/12/2007, -1/+12: I hear what you are saying and agree with some of what you say.
However....
Have you considered the fact that the very reason phpBB is attacked so often is because of its popularity? It's no different to Win32 viruses in this regard. Hax0rs will aim their code at the platform most likely to spread their code, it's as simple as that.
As for vBulletin, I like it as well. But, do you really think there are *NO* vulnerabilities in it?
- hutchy, on 10/12/2007, -3/+6: i bet you're a windows user, talk about hypocritical?
phpBB has vulnerabilities. That's because it's programmed by humans; software created by humans is never going to be bulletproof. You should be thankful that there is such a robust and free piece of software available which is on par with the paid equivalents.
- Ryosen, on 10/12/2007, -1/+2: Hmmm, you claim that phpBB is insecure when, in reality, it's the way that it gets configured by many users that is the problem. My boards, and I have a lot of them, have never been hacked. I keep up to date with releases and I implement a captcha system to prevent bots such as this one.
phpBB's "ranking" in attacks and exploits is due to its popularity, nothing more. Yes, it did have a nasty hole in it that allowed sql injection attacks, but so did a *ton* of other php-based applications and it was fixed over a year ago.
- Arch, on 10/12/2007, -0/+1: It's not fair to single out phpBB as the only forum software that has vulnerabilities. In fact, there's actually an easy exploit with older vBulletin forums which involves putting in a few [quote] and [/quote] BBcodes. Also, doing a google search on "vBulletin exploits" will get you some results.
- Pstonie, on 10/12/2007, -18/+4: Hooray for open source!
- travis9, on 10/12/2007, -0/+10: a more accurate google search might include the inurl: operator in order to discern actual registered accounts from noise generated about said registered account. I chose to use inurl:viewprofile to only see the profiles for said bot. This may not be accurate but is certainly far better and less alarming than the previous search.
Results 1 - 10 of about 27,100 for funtklakow inurl:viewprofile
www.example.com/forum/profile.php?mode=viewprofile&u=&sid=
http://www.google.com/search?q=funtklakow+inurl%3Aviewprofile
- morganix, on 10/12/2007, -1/+2: Just went up to 33,200 just two hours after your post... this guy is really moving.
- quick5pnt0, on 10/12/2007, -0/+0: Now it's 33,500. People are making such a big thing of this. Just ban the name and he can't register.
- TestFar, on 10/12/2007, -0/+6: in the posts it has made, it looks like it's just being used for advertising on one of those 'make money on the net' schemes.
e.g. http://www.buensoft.com/phpbb/viewtopic.php?p=142&highlight=#142
(in the sig?)
- TestFar, on 10/12/2007, -0/+2:
http://www.google.co.uk/search?q=Cepelin
^^ Another bot, judging by the comments it's made it was made by the same person...
- daza, on 10/12/2007, -0/+3: My first thought was, not again. Second thought was, damn, he registered on my forum too!
I have admin activation on anyway so 90% of registrars don't get in. Funny enough I googled him too thinking I could find out more info on the person and saw a lot of results. I just thought "spambot" and continued with the day. Probably only that, I hope?
- arrrrrg, on 10/12/2007, -2/+7: In the words of Monty Python: Spam, Spam, Spam, Spam, Spam, Spam, ... Why would you register in advance of unleashing a worm? That doesn't make any sense. This story is just another baseless sensationalist headline that's made it to the frontpage.
- frizop, on 10/12/2007, -6/+4: Caus uhh, maybe the sploit needs an active account? And with more active accounts pre-release of the sploit you get more use of it.
I just wonder why the guy didn't generate some random usernames. Maybe he let it go (the bot) and didn't figure it would get 25k+ accounts going.
- metrofeed, on 10/12/2007, -0/+2: The email address given for the user is socialinfohub.com (not an active domain), but perhaps it's some sort of tracking bot for message boards?
- frizop, on 10/12/2007, -0/+1: >> a little more digging about who this is.
;; ANSWER SECTION:
socialinfohub.com. 300 IN A 69.25.212.134
whois 69.25.212.134
Internap Network Services PNAP-12-2002 (NET-69-25-0-0-1)
69.25.0.0 - 69.25.255.255
http://www.google.com/search?q=Internap+Network
- dognose, on 10/12/2007, -0/+1: Yup. this user had registered, but not completed email validation on two of my forums. It's now banned as is *@socialinfohub.com .. I think I have to move to visual confirmation when registering...
- daza, on 10/12/2007, -1/+2: http://www.google.com.au/search?q=site:socialinfohub.com&hl=en&lr=&rls=GGGL,GGGL:2005-09,GGGL:en&filter=0
Just some keyword trafficking sites. I really don't think a worm will be unleashed..
- richmastaplus, on 10/12/2007, -0/+3: Only on digg would I see a story that actually related to me. I noticed this dude registered to my forums just a few hours before I saw it on digg but I did not suspect an attack. It's good to see this hit the front page because if something does happen a lot of people got a heads up :)
- krux, on 10/12/2007, -0/+1: sounds like a spam bot to me
- Ianmacisaac, on 10/12/2007, -2/+1: Woah, thanks for the info!
- tgraham, on 10/12/2007, -0/+2: Surely some clever chap doing a bit of SEO related stuff?
- lini, on 10/12/2007, -0/+0: why isn't phpBB using some form of captchas when new users try to register? Like the one I have to write just now when posting a comment here on digg.
- g0zer, on 10/12/2007, -0/+2: "captchas: because blind people don't exist!"
- jcostom, on 10/12/2007, -1/+2: Makes me glad I switched the forum I run to Vanilla....
http://getvanilla.com/
- Pioto, on 10/12/2007, -0/+1: I used to run a phpBB, but I subsequently decided against it for several reasons, one of the biggest of which was how often it seems to need to be patched for some vulnerability or another. It's gotten to the point that the Gentoo security team doesn't even wanna try keeping up with it, so they've "masked" it out of the regular portage tree.
Although, one way that I kept myself safe from this sorta thing when I did run such a forum was to prevent new users from doing anything until I had activated their accounts by hand. For a forum run by an individual, I'd highly recommend it, as it's a good way to filter out spam bots and the like. Obviously for larger forums this isn't practical.
- holdemcharts, on 10/12/2007, -0/+1: I just added this name to my "Disallow User Names" and also deleted the user. Hopefully that will help stop it from re-registering.
- festivalman, on 10/12/2007, -1/+3: Anyone thinking vBulletin is less vulnerable than phpBB is wrong. They release exploit patches probably about once a month. The difference is that they have a plugin system so that you can secure your board in literally 5-10 seconds vs. 10-15 minutes with phpBB's manual process.
- Switch22, on 10/12/2007, -0/+3: I had this user register on 04 Mar 2006, and now I've been mass spammed, http://22pixels.com/forums/memberlist.php?mode=joined&order=ASC&start=250 (FuntKlakow is number 288, there are a few legit and the rest are bots, all 159 pages of them). I have 7950 registered bots register from 18 Mar 2006. I don't know if it's linked, but I'm going to have a tough time getting rid of these things.
I did have an auto-ban bot mod, but FuntKlakow got around it once or twice, these other bots haven't been able to it seems.
- tek1024, on 10/12/2007, -1/+3: I had this same kind of problem -- over 200 spambots registered on my boards. But they were, thankfully, all in one block and I could delete them with a SQL query in phpMyAdmin. Let's say you had 178 valid registrants, but everyone from that point on was a spambot in disguise; the following would delete all of them in one fell swoop:
DELETE FROM `phpbb_users` WHERE `user_id` > 179
I have not tried deleting in a bounded range, but according to DELETE syntax, it should work by just adding "and" after the first condition, such that if you had a block of 150 valid users, 200 invalid spambots, and 150 more valid users, you could say the following:
DELETE FROM `phpbb_users` WHERE `user_id` > 150 and `user_id` < 350
Hope that helps!
- Switch22, on 10/12/2007, -0/+1: Thanks so much, it worked fine! I'm going to publish this solution onto phpBB and other places I made posts about this problem. Thanks again!
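The range delete above works, but it trusts that every row in the id block is a bot and that nothing else in the database points at those users. The following is an added example for MySQL, not tek1024's query or anything from the phpBB project: it previews the block first, restricts the delete to ordinary accounts with no posts, keeps an explicit allow-list of legitimate ids inside the block, and cleans up group memberships afterwards. The column and table names (`user_level`, `user_regdate`, `user_posts`, `phpbb_user_group`) and the ids 151, 349, 177 and 203 are assumptions made for the example; check them against your own schema and member list before running anything.

```sql
-- Added example (constructed), not tek1024's query and not phpBB's own code.
-- Assumes a stock phpBB 2.x schema: phpbb_users(user_id, username, user_level,
-- user_regdate, user_posts) and phpbb_user_group(user_id). Verify before use.

-- 1. Preview the suspect block. Look at it before deleting anything.
SELECT user_id, username, FROM_UNIXTIME(user_regdate) AS registered, user_posts
FROM phpbb_users
WHERE user_id BETWEEN 151 AND 349      -- assumed bounds of the spambot block
ORDER BY user_id;

-- 2. Count exactly what the DELETE below will remove, using the same predicate.
--    user_level = 0 (assumption: ordinary user in phpBB 2) keeps admins/mods safe,
--    user_posts = 0 avoids orphaning real posts, and the NOT IN list protects
--    legitimate accounts that happen to sit inside the block (constructed ids).
SELECT COUNT(*) AS rows_to_delete
FROM phpbb_users
WHERE user_id BETWEEN 151 AND 349
  AND user_level = 0
  AND user_posts = 0
  AND user_id NOT IN (177, 203);

-- 3. Delete inside a transaction so a wrong count can be rolled back.
--    This only protects InnoDB tables; many phpBB 2 installs are MyISAM, where
--    ROLLBACK is a no-op, so take a dump first (e.g. mysqldump of phpbb_users).
START TRANSACTION;

DELETE FROM phpbb_users
WHERE user_id BETWEEN 151 AND 349
  AND user_level = 0
  AND user_posts = 0
  AND user_id NOT IN (177, 203);

-- 4. Group memberships now pointing at deleted users would otherwise linger.
DELETE FROM phpbb_user_group
WHERE user_id NOT IN (SELECT user_id FROM phpbb_users);

-- 5. Sanity check: only the allow-listed and privileged rows should remain.
SELECT user_id, username FROM phpbb_users
WHERE user_id BETWEEN 151 AND 349;

COMMIT;   -- or ROLLBACK; if the remaining rows are not what you expected
```

If the bots are not in one contiguous block (Switch22 describes thousands spread over months), replace the `BETWEEN` clause with a registration-date filter such as `user_regdate >= UNIX_TIMESTAMP('2006-03-18')` combined with `user_posts = 0`, and still run the preview and count steps first; banning the username or e-mail domain, as other commenters did, stops the same account re-registering but does not remove the rows already there.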
- festivalman, on 10/12/2007, -2/+4: Anyone notice how DnH500 "blogged this post" in the upper right of this page, but all it is, is an RSS aggregator that shows his own ads for digg articles. He has no original content on there. Ban his ass!
- DD32, on 10/12/2007, -0/+1: from same page:
"Other » My personal blog one big mess"
It seems it's just a blog for other stories he likes, and probably shares it with others... anything wrong with borrowing news stories from digg? It's the same as borrowing them from some other news site..
- vhtrading, on 10/12/2007, -0/+0: At this point, is there any evidence that even hints this is tied in with some phpBB vulnerability? I'm not saying a vulnerability doesn't exist, but right now it just looks like a very successful spammer to me. phpBB admins should still take any precaution they could to prevent this (visual/graphical confirmation during registration, IP banning, username blocking, a good backup of your forums, etc.).
- Atomic1fire, on 10/12/2007, -0/+1: after digging some more i found out that the ip address mentioned by frizop is in Parker, Colorado
- gmailgeoff, on 10/12/2007, -1/+3: Yes, the problem with phpBB is popularity, as many have cited. But why do people cite this as if to discount the validity of the fact that running phpBB is a security liability that can be avoided by running a less popular system?
I am a sysadmin for a server on which a number of forums are hosted (mostly phpBB, to my chagrin, but a few vBulletin and invision boards) and the frequency with which phpBB is targeted is absolutely staggering to me. By comparison, vBulletin and invision haven't been targets of attacks (on my server) one single time. Are either of them unpopular? Heck no. Are either of them less feature-rich than phpBB? Not in my opinion, no.
The time and frustration I've paid out in repairing and recovering from phpBB attacks to my clients' forums has cost me far more than it's worth. Is it the fault of phpBB? No, often not directly. But just as running Windows makes you more vulnerable to MS-targeted worms, running phpBB makes you more vulnerable to devils like Santy.A.
Digg.
- h2d2, on 10/12/2007, -0/+2: This is one of the reasons I wrote my own signup routine for phpBB integrated with my site.
No profile.php?mod=register, no worries...
- rft3rd, on 10/12/2007, -0/+5: i personally like all the auto post garbage it does.. "ditto", "i didn't think of that", "I agree completely"
interesting to say the least.
- silhouette88, on 10/12/2007, -1/+4: I didn't think of that. I agree completely. ;-)
- NejiKun, on 10/12/2007, -0/+3: If you take a look here:
http://www.tweedmag.com/talk/search.php?search_author=FuntKlakow&sid=cb5f69214f90559d48fd7f776ed05dec
You'll see that all the posts made by "FuntKlakow" are pretty much the same.... weird... sounds more like a machine to me.
- leboff, on 10/12/2007, -1/+2: haha that board is ridiculous
- LordRahl72, on 10/12/2007, -0/+3: Well after having FuntKlakow register on my board I figured it was time to enable some extra security measures.
- merlinicorpus, on 10/12/2007, -2/+2: I switched over to SMF a year ago and never looked back. The problem with phpBB is they release a new version to fix a "major security issue" what seems like every two weeks. The majority of people running phpBB are people with a lower technical proficiency than your average webmaster (admit it, any decent sized site is using something else), so these sites usually don't get upgraded up from whatever version they installed in the first place. If you don't believe me, Google for "Powered by phpBB 2.0.11".
http://www.google.com/search?sourceid=navclient-menuext&ie=UTF-8&q=%22Powered+by+phpBB+2%2E0%2E11%22
Yes, phpBB is popular, and that's why it's a target. More importantly, its history is ridden with more security holes than you can shake a stick at. Combine that with a user base that is lax about security in general and you have a dangerous combination.
- h2d2, on 10/12/2007, -2/+1: Okeyyy... here we go again.
Users of one "piece of code" are smarter than those of another:
Mac - Windows
Google - Yahoo!
Digg - Slashdot
...
- bloodclot, on 10/12/2007, -2/+0: this is definitely a bot and definitely a hacker, my guess is that he is probably gonna spam a free ipod thing in all the forums, he also posts a few bot posts so he wouldn't get deleted from the forum, my guess.
http://img528.imageshack.us/img528/7921/031920061123193rs.png
- bloodclot, on 10/12/2007, -0/+2: WOW this is really gonna be serious, i counted 3 bots from him so far.
http://www.google.com/search?hl=en&q=%22viewing+profile%22+%22budowa_cepa%22&btnG=Google+Search
- emka, on 10/12/2007, -0/+2: lol
another Polish word :)
budowa cepa = structure of the flail
- plasticated, on 10/12/2007, -0/+2: Yep, was registered on my board. I have banned it - thanks for the heads up! Digg
- Madh2orat, on 10/12/2007, -0/+2: Just enable visual confirmation, it will keep the automated bots out, which keeps most all bots out.
- porplem, on 10/12/2007, -0/+2: One registered on one of my boards as well, I just banned the username and deleted the account. I'm also enabling the captcha, which I really should have done anyway. :/
- spling, on 10/12/2007, -0/+3: Found it on my board. Banned. Digg++
- brainjuice, on 10/12/2007, -0/+1: Thanks for the heads up whatever it turns out to be. :)