Web Wiz Forums is one of the most secure forum packages around, and
this can be seen by the very few vulnerabilities that have been found in
the software and the 24-hour patch turnaround for any that are found
(this is why a lot of large hacking sites use Web Wiz Forums).
However, your forum is only as safe as you make it, and often people
don't follow the install instructions on securing their forum, then
blame it on the software when their forum is hacked.
The Turkish hacker is just one hacker who constantly hacks unsecured Web Wiz Forums installations on a daily
basis.
Like all hackers, he is using a number of exploits to get in and delete
or deface forums on sites that have insecurely set up servers, are running
old versions or incorrectly patched Web Wiz Forums, or whose owners simply have
not followed the install instructions to secure their forum's Access
database.
Please read the following on how forums and web sites are hacked and ways to prevent it:
- Hackers download Access databases and get details they can use to log in as the forum admin; from there they can not only mess up your forum, but your entire web site! Make sure you place the database outside of your
web site's root folder (where it can be downloaded); see
http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp
- Hackers look for older versions of Web Wiz Forums, or ones that have
not been updated correctly, and then use old, mainly XSS, hacks to deface forums. To
prevent this, make sure you are running the latest version.
- Hackers also look for holes in the server's own security: sites
that have not set up permissions securely and have write and modify permissions
enabled on public files and folders. This allows a hacker who has compromised the admin account of your forum to upload
his/her own files to the server to deface or hack entire sites. Permissions
need to be set by your web host; contact them to set up secure
permissions for your site (disable Write and Modify permissions).
- Do not enable upload features in the forum. For uploading to work
you need to make your server insecure by enabling write permissions on
the upload directory; these can be used by a hacker to hack your site (as in point 3).
Edited by -boRg- - 19 January 2006 at 10:52am
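
A way to audit the first point above, as an added example that is not part of the original post or of Web Wiz Forums: the script walks a web root and reports every Access database stored inside it, matching on the Jet/ACE file header as well as the extension so that a renamed copy is still found. The folder and file names in the sample site are constructed for the demonstration.

```python
import os
import tempfile

# Jet (.mdb) and ACE (.accdb) files carry one of these strings at byte offset 4.
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
DB_EXTENSIONS = {".mdb", ".accdb"}

def is_access_db(path):
    """True if the file header identifies an Access database, whatever its name."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(19)
    except OSError:
        return False
    return header[4:19] in SIGNATURES

def find_exposed_databases(web_root):
    """Return sorted (url_path, reason) pairs for databases stored under web_root."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            by_content = is_access_db(full)
            by_name = os.path.splitext(name)[1].lower() in DB_EXTENSIONS
            if by_content or by_name:
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                findings.append(("/" + rel, "content" if by_content else "extension"))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample: a database, a renamed copy, and an ordinary page."""
    jet = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    samples = {
        "forum/database/forum.mdb": jet,
        "forum/backup/old.dat": jet,  # renamed, but still a database
        "forum/default.asp": b"<% Response.Write \"hi\" %>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for url_path, reason in find_exposed_databases(site):
            print(f"{url_path}  (matched by {reason})")
```

Any path it reports is a database that sits inside the web root and should be moved outside it as the linked instructions describe.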