
The Phorum, Part 3: Hacked!

As you should recall from the last part, in 2003 my brother’s friend Josh purchased a domain name and a license for Invision Power Boards, some commercial forum software. He and I shared admin duties and ruled benevolently over a kingdom of between 20 and 40 active users.

Since the site was completely ours, it was a rarity: a web site with no advertising, banners, or popups. The Phorum was not a commercial enterprise, and none of us were in it for the money (which is good, because there wasn’t any). Josh paid for everything out of his own pocket.

One benefit of the IPB software was that punctuation marks were allowed in usernames, so I could assume my proper name of Vlad! (although the full name Vlad! The Mighty Armored Assault Duck was too long for the site). It also allowed for a much greater degree of customization than before. I designed a custom theme for the site, and as I mentioned last time there were a couple of members who even created custom graphics! I’m sure the Phorum wasn’t the most tricked-out messageboard on the Internet, but it had a certain flair…it certainly didn’t look like a standard install!

One event that happened during this time was that my brother started drifting away from the site. During that time he graduated from high school and began his quest to find his life passion and purpose by exploring various majors and universities. I’m happy to say that his quest seems to have been successful, and even at the time nobody begrudged his absence and eventual departure. The Phorum was very much a voluntary community (all communities are voluntary communities, of course, but some will go to great lengths to make their members think they’re not. The Phorum was under no such pretensions) and it was not uncommon for a member who had been extremely active to completely fall off the radar, as it were, over the course of a month or two.

During this time, The Rebel Base (the site that the Phorum had formerly been associated with) also completely shut down. The phrase “not with a bang but a whimper” comes to mind, as it was not a dramatic implosion so much as a gradual shuttering. I do think that the end of The Rebel Base provides an important lesson though, because really it was not a failure but a success. The Rebel Base ended not because its creators had given up doing what they loved but because its creators had succeeded in doing what they loved. My brother found that his passions lay elsewhere, and Josh became a successful reviewer, writer, and critic for larger publications with a larger audience.

Meanwhile, the Phorum continued on as a community of like-minded individuals. Since The Base was no more and we didn’t really advertise anywhere, the active population plateaued. Every now and again an active member would recruit a friend or colleague to join, and then occasionally an active member would leave as the vagaries of life’s fortunes drove him or her in a different direction. But by and large the core population remained the same.

In 2006, a strange thing happened: users began reporting popups and ads appearing. I ran an ad-blocker so I actually didn’t see them myself, but a few users who didn’t sent the admin team messages about these ads. To the credit of our userbase, nobody actually complained about the presence of the ads themselves, but some of the ads were a bit scandalous in nature or, as a flashback to the old EZBoards and Proboards forums, were attempting to install malware. This was of course all very disturbing to us as the admins.

Josh talked with his hosting provider, and quickly discovered that we had been hacked!

We could have upgraded to the most recent version of Invision Power Boards (it was a vulnerability in the archaeological version of IPB we were running that had allowed the hack to happen in the first place), but that would have required more money. Josh and I discussed our options, and we explored some different software. Ultimately, we decided to go with a free and open-source board called Simple Machines Forum, or SMF. It would be possible to migrate the entire database from IPB to SMF, so unlike our previous software changes, we wouldn’t lose any posts and our users would all still have their accounts.

The only other thing I had to do — a thing nobody who runs a website ever wants to do — was send a mass email to every user saying that we’d been hacked. Although most of the 400 or so registered users were no longer active (or in some cases had never been active), it was still the responsible thing to do. After all, some people re-use passwords, and it seems likely that the hackers would have gotten a list of e-mail addresses and passwords.

(If there was any fallout from this hack, I am unaware of it. As far as I can tell today, the hackers’ goal was to install adware onto vulnerable sites and make as much money as they could off the ads that got served before the admins noticed the intrusion. If they did steal the user database, I have no evidence that they did anything with it.)

It was a very busy few days, but our tireless hosting provider (Ninja Admin Chuck from FlockHosting) and Josh and I sorted everything out. From then on, it was fairly smooth sailing with the SMF software.

As not just the admin but also the self-appointed historian for the Phorum, I wrote the following in its historical chronicle:

Mid-April 2006, a few users noticed that strange popups were appearing on phorum pages. One user even reported being infected by a trojan thanks to these popups! Concerned, I investigated. I found that the index.php file itself had been altered to display these ads…a disturbing development. I contacted the host, and he quickly informed me that, according to the logs, the phorum had been hacked, the index file compromised, and the database copied. This was accomplished thanks to a flaw in our version of Invision Power Board; IPB is a commercial (read: you have to pay for it) product, and we were back on a version that archaeologists have confirmed was first used by the Piltdown Man. Rather than shell out for the latest and greatest in IPB (and then probably have the same thing happen again three years later…), we switched to a free and open-source board that had most of the features we were used to and that we could upgrade when necessary at no cost (other than the time it takes to apply the upgrades and code patches, of course).

Perhaps it’s telling that it took me several paragraphs and many times as many words to tell the same story again over a decade later.
