Quote:
Originally Posted by knucklenitz
Just to make sure I understand, moving the config.php to another directory out of the public html will not affect vb operation?
|
This won't increase security at all, for the simple fact that your VB still needs to be able to read that file. So you may move it around on the filesystem, but you still have to find a way for VB to read this file, either by symlinking or something else.
If that is done, every "hacker" will be able to read that file as well.
Better spend your time keeping your VB & plugins up to date and use things like mod_security / suhosin and the typical setups like chroot / jail. That's more time-consuming, but it's not "security by obscurity" like moving some files around only to need a workaround so that VB can read them.
And make sure your VB files aren't writeable by PHP itself. If you store uploads in the filesystem, move that directory outside the webroot. Additionally, some directories like images / signaturepics don't need PHP because only images are stored there.
Something simple like:
Quote:
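# A regex alternation needs DirectoryMatch; a plain <Directory> path is not a regex
<DirectoryMatch "^/where_ever_your_vb_is_stored/(clientscript|cpstyles|customavatars...)">
# mod_php directive: switch the PHP engine off for these directories
php_flag engine off
</DirectoryMatch>
# <Files> matches a file name, not a full path, so scope it with <Directory>
<Directory "/where_ever_your_vb_is_stored/includes">
<Files "config.php">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
</Directory>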
|
Then move the "uploads" directory outside the webroot so that it can't be accessed directly.
Finally - mod_security & suhosin should be used. Start them both in logging mode first to collect a whitelist (this highly depends on how your forum is used), and once that whitelist is complete enough to sort out false positives, set both to blocking mode.
And - as a last addition - you can set up an IDS that creates checksums of your VB files and alerts you if there are any changes.
Yes - I can do this

It won't even cost much
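The checksum-based change detection suggested in the post above could look like the following. This is an added example, not part of the original post and not vBulletin code. The function names, the JSON baseline format and the list of PHP suffixes are assumptions made for illustration. It also flags PHP files that appear in the image-only directories the post names.

```python
import hashlib
import json
import os

# Directories the post says hold only images, so any PHP file there is suspect.
IMAGE_ONLY_DIRS = ("images", "signaturepics", "customavatars")
PHP_SUFFIXES = (".php", ".phtml", ".php5")  # assumed list, extend as needed


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # skip symlinks; only regular file content is hashed
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return what changed since the baseline, plus PHP in image-only dirs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    php_in_images = sorted(
        p for p in current
        if p.split("/")[0] in IMAGE_ONLY_DIRS and p.lower().endswith(PHP_SUFFIXES))
    return {"added": added, "removed": removed,
            "modified": modified, "php_in_image_dirs": php_in_images}


def save_baseline(root, baseline_path):
    """Write the baseline; keep it outside the webroot and read-only to PHP."""
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=1, sort_keys=True)


def check(root, baseline_path):
    """Compare the tree at root against a stored baseline."""
    with open(baseline_path) as fh:
        return compare(json.load(fh), snapshot(root))
```

Run `save_baseline` once after a clean install or upgrade, then call `check` from a scheduled job and alert on any non-empty list in the result.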