UBB.threads PHP Forum Software Community Forums UBB.threads 6 Version 6 Support Hacked?

Lumpy I understand your concern.

I know that their level of access did not reach the license info because it is not kept on that server, the server with the license doesn't allow conections outside of localhost, and there was not possible way he could have reached it. I don't store license information on a server that someone from outside my office has any access to. Threadsdev.com and otehr websites that we host are on their own server eintirely on their own. Even if he were to gain root he wouldn't get licenses. All that was on that server and available to be had was the user database from the old wwwthreads message board. We imported the users from Scream's old board into this one so Scream's old users would not have to reregister.

What it comes down to is that if you were once registered on Scream's old board you got an email.

How he did it? He uploaded a php script that read off the config.php.inc file, then uploaded a php mysql script and used the password from the conf file. From there he changed the password and logged into the admin area of the threads board. Then he emailed all of you folks and emptied the tables out.


How do we prevent it? We need to make sure that php, perl and other scripts don't get uploaded, that they can't be executed. We need to make sure everyone has that filter turned on and working. We need to find a way to make sure that the config script just cannot be read. You know the last part will be hard to do if it is even able to be done. The scripts themselves have to read this file in order to connect to the database.

Honor The Victims