Joined: Jan 2008
Posts: 14
stranger
I am upgrading a board that might be compromised by rogue ex-administrators. The board has been in versions as low as 5.x.x recently.


What are the safety hazards?

* server password, of course

* database password, of course (probably several passwords, the ubb database password but also general mysql passwords). Any instructions for dummies how to change all these passwords without having to spend days on basic mysql manuals?

* external access to database. Please dummy instructions how to stop external access to the database, which in the past I allowed. Right now I need only access to the database from my server. Note the database right now is NOT on my server but on the hoster's database server on the same network.

Thank you very much for your patience



* Old passwords of old admins and moderators?

* any "trojans" an old admin could have planted into the database?

I understand all passwords have to be changed at the same time. Please advise!!




Oh, one more point.

I might want to take over a complete board database from one of these rogue administrators, that ran on his server. Any way to make that secure or could he have planted anything he wanted into that database??

Joined: Jun 2006
Posts: 16,299
Likes: 116
UBB.threads Developer
You could hire someone (such as myself) to run through and change passwords and check access on the server (would probably take a bit as it'd include the install of PHPMyAdmin if it's not already installed on the server).

You'll definitely want to check which hosts have access to the MySQL server, and then change the passwords to all usernames (and likely purge the connect info for those addresses you don't know of).

You'll want to manage who has access to the forums, and who is an admin (and which you wish to purge)

You'll also want to be sure you change any passwords they may have had access to, even your own (or other admins').

There won't be "trojans" in the db, however there may exist scripts that allow access to the db (such as the ones which come with the MySQL maintenance software like Navicat or SQLYog, as they allow users to connect to servers which don't allow outside connections to connect).

So long as the old admins don't have access, they cannot manage anything (assuming that any stored password data in the database is changed through whichever scripts they use).


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
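
The host audit and password rotation described in the reply above, as an added SQL example that is not part of the original posts. It assumes a MySQL account allowed to read `mysql.user` and manage users (on a hosted database server the hoster's control panel may be the only way to do this). The names `ubb_user` and `old_admin`, the address `192.0.2.10` and the password placeholder are hypothetical.

```sql
-- Added example; account names, the address and the password are placeholders.

-- 1. List every account and the hosts it may connect from.
--    A host of '%' means "any address".
SELECT user, host
FROM mysql.user
ORDER BY user, host;

-- 2. Narrow the list to accounts reachable from outside the database server.
SELECT user, host
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY user, host;

-- 3. Anonymous accounts (empty user name) are worth reviewing too.
SELECT user, host FROM mysql.user WHERE user = '';

-- 4. See what a given account is allowed to do before changing it.
SHOW GRANTS FOR 'ubb_user'@'%';

-- 5. Restrict the forum account to the web server's address only
--    (192.0.2.10 stands in for that address). Privileges move with the rename.
RENAME USER 'ubb_user'@'%' TO 'ubb_user'@'192.0.2.10';

-- 6. Remove accounts and host entries you do not recognise.
DROP USER 'old_admin'@'%';

-- 7. Rotate the password of every account that remains.
--    ALTER USER needs MySQL 5.7.6 or later; older servers use
--    SET PASSWORD FOR 'ubb_user'@'192.0.2.10' = PASSWORD('...');
ALTER USER 'ubb_user'@'192.0.2.10' IDENTIFIED BY 'REPLACE_WITH_NEW_PASSWORD';

-- 8. Confirm the result.
SELECT user, host FROM mysql.user ORDER BY user, host;
```

After the password change, the forum's own database settings need the new password before the board can connect again.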
Joined: Aug 2004
Posts: 460
Addict
Rogue administrators could theoretically spell havoc on your board by logging in as one of your users and causing a mess. Technically they could have access to all users' passwords, which is why I think there should be a function that would FORCE users to change their password the next time they access the board.

Joined: Jun 2006
Posts: 16,299
Likes: 116
UBB.threads Developer
:snicker: I'll change it to the same password! Or change it to a temporary one and change it back...

Really, I find systems that force people to update every X amount of days pointless as well; it encourages people to write passwords down on a sticky note and put them on their monitors...


Joined: Aug 2004
Posts: 460
Addict
Forcing a change every x number of days is annoying, but there should be an admin option to force a one-off change in cases such as these. So the user goes onto the site, and is immediately asked to update his password.

Joined: Nov 2006
Posts: 3,095
Likes: 1
Carpal Tunnel
But that wouldn't prove it was the user that owns the account.

