I'm not alone: phpbb.com gets hacked

It's nice to know I'm in good company. Phpbb.com got hacked.

Here’s a picture of the front page of phpbb.com right now.  (Apparently, it’s been this way for at least a day.)

phpbb.com

I feel for them. I wish I could help. It wasn't phpbb itself that was the problem, but a mailing-list manager they were using called phplist. It was out of date and had a vulnerability that was exploited. Yuck.

Do yourself a favor:
1. Make sure the backups of your website actually restore, and store them somewhere an attacker who has taken over the web server cannot reach or modify.
2. Make sure you're doing everything you can to secure your server. I know I wasn't.
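Here is what point 1 looks like in practice, as an added example that is not from the original post or from phpbb: a backup is only known to work once it has been restored, so the script archives the site, records a checksum, and then restores into a scratch directory and compares it with the live tree. The sample site, the backup store path and the function names are assumptions constructed for the example so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. A backup routine that proves
# each backup by restoring it. The site and the "backup store" are constructed
# under a temp directory here; in real use the store is a separate host that
# PULLS from the web server, so a compromised web server holds no credentials
# that reach the backups.
set -eu

# digest FILE: hex SHA-256 of FILE (sha256sum on Linux, shasum elsewhere).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_site DIR: constructed sample site with the kind of files an attacker
# would tamper with (a config holding a DB password, user uploads).
make_site() {
    mkdir -p "$1/config" "$1/uploads"
    printf '<?php $db_pass = "s3cret";\n' > "$1/config/config.php"
    printf 'hello world\n' > "$1/uploads/post.txt"
}

# backup_site SITE STORE: archive SITE into STORE, record its checksum beside
# it, and drop write permission on both so a later tamper is visible.
# Prints the archive path.
backup_site() {
    site=$1; store=$2
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$store/site-$stamp.tar.gz"
    mkdir -p "$store"
    tar -C "$site" -czf "$archive" .
    digest "$archive" > "$archive.sha256"
    chmod 0440 "$archive" "$archive.sha256"
    echo "$archive"
}

# verify_backup ARCHIVE SITE: check the recorded checksum, restore the archive
# into a scratch directory and diff it against SITE (run right after the
# backup, while the live tree still matches). Returns 0 only if the restore
# reproduces the site exactly.
verify_backup() {
    archive=$1; site=$2
    scratch=$(mktemp -d)
    recorded=$(cat "$archive.sha256")
    actual=$(digest "$archive")
    if [ "$recorded" != "$actual" ]; then
        echo "checksum mismatch: $archive" >&2
        rm -rf "$scratch"
        return 1
    fi
    tar -C "$scratch" -xzf "$archive"
    if diff -r "$scratch" "$site" >/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    echo "restore differs from live site: $archive" >&2
    rm -rf "$scratch"
    return 1
}
```

The direction of the copy is the part that matters for "where the hacker can't get to them": if the web server pushes backups with a key it holds, whoever owns the web server owns the backups too; if the backup host pulls with a read-only account and the web server has no route back, a compromise of phplist or anything else on the box leaves the archives intact. The checksum file only detects tampering; it does not prevent it, which is why the store has to be out of reach.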



Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data

2 comments
  • Don’t use PHP. I know a lot of PHP fans out there will flame me for it but the only web apps I’ve ever had exploited were PHP apps. Despite running lots of Django, Plone, Zope, and various other kinds of apps. I have probably run equal shares of all of the above and PHP is the only one that gets exploited on a regular basis. It is debatable whether it is the technology itself (registered globals, no escaping SQL queries by default, etc) or simply the level of experience of those who implement it but the fact remains that it is a problem.

    phplist was not exploited because it was out of date. It was exploitable the day it was released. It isn’t like software suddenly develops vulnerabilities over time and must therefore be refreshed eventually.

  • This whole site is run by PHP apps. Phpbb, joomla, wikipedia. The only non-PHP app we have is Mailman.

    Given that I’m running this site in my spare time, I don’t even have the time to consider the possibility, let alone do the conversion of everything.