PHPBB Admin ToolKit v2.1b - Starfoxtj


What does this toolkit do, and why would it be helpful?
Note: If you need an MD5 generator to hash your passwords, you can use the one here, or search for one on Google.

The PHPBB Admin ToolKit is designed for administrators of the popular phpbb software.
This toolkit allows administrators to perform a stunning array of operations on the PHPBB database while remaining completely independent of PHPBB itself. This design allows administrators to gain access to their forum and make database alterations even if they have been banned or demoted from their own forum or had their password changed.

Consider,
"Someone hacked my forum and banned/demoted me!"
Simply log in to the toolkit, click your username and promote it to admin/unban it. Then run the security scanner to list ALL administrator and moderator accounts, and ban/demote/delete the imposters.


"My forum has been hacked and defaced!"
Log in to the toolkit, run the security scanner and "sanitize" any red or yellow descriptions.
The hacked music, video and images are gone. You can log in like normal and reset the descriptions to what they should be.
Don't forget to look at the admin list in the security scan to make sure the hacker didn't create a backdoor account.

"Some spam bot registered 50 million accounts and posted their site all over my forum!"
Log in to the toolkit and use the search option to type in the site they are promoting; all the fake accounts will be listed. Then simply select "check all", choose "Clear Posts" in the delete options, click "Delete", and they're gone! All fake accounts are deleted, and even the posts made by them will be replaced by the word "DELETED".


This is only a sample of the many options and features this toolkit supports, but as you can see, it only takes about 30 seconds to perform all the common actions needed by a board administrator. Other alternatives may take hours (manually deleting the fake accounts, digging through the database to unban or promote your account back to admin, etc.).

This toolkit greatly simplifies the process, leaving you with more time to spend on the things that matter, instead of the tedious and aggravating process of recovering manually. There is no need to even enter phpbb, or to install and run phpMyAdmin.

Many many hours have been invested in this tool to help forum administrators in their daily work. I use this toolkit to help me manage my boards and I hope you find this toolkit useful yourself!


Support Forum & Download:
Toolkit Support Forum & Download - Current Version: 2.1b

The official support forum for the PHPBB Admin ToolKit.
If you're having installation problems, have configuration questions, or want some general information, please post here.

You can also download the toolkit with a direct link here: http://starfoxtj.no-ip.com/phpBB/toolkit/toolkitv2.1b

(Note: By downloading this toolkit you are agreeing to the disclaimer.)


Features:
General:
 
•  Easy to use interface.
•  Entire toolkit is contained within one file. (Optional toolkit-config.php for automatic installations)
•  Completely independent from PHPBB. (It only needs the config.php file. Even if your PHPBB files are corrupt, it will still work.)
•  Automatically reads the database information from the config.php file, so no need to specify the dbname, location or table prefix.
•  Separate passwords for Admin and Moderator login.
•  Uses a double-hashed password authentication system, making it almost impossible to crack, even if an attacker has the password hash.
•  The admin login has full access to all the toolkit functions, the mod login allows access to only certain options. (Customizable)
•  Includes a security scanner which automatically scans your forum descriptions for defaced or otherwise harmful information and more.
•  All users in the database are listed, including hidden users and the anonymous account.
•  Powerful user search capabilities. Can search by full or partial username, user id, email, website, occupation, interests or signature.
•  Sortable user listing by: username, user id, email, user level, post count or active status; in ascending or descending order.
•  Customizable users-per-page listing: 25, 50, 100, 200 or all users on each page.
•  Can filter the list to show only: banned members, administrators, moderators, inactive users and hidden users.
•  Includes a "Banlist" which lists all banned user accounts and email addresses on a single page, which you can use to add/remove bans.
•  Includes MD5 password generator for manually setting a user's password hash. (Or for any application that uses md5)
•  Supports exporting all/selected users in multiple CSV formats for many popular email clients or Excel (Outlook, Yahoo, Hotmail, Gmail and 1&1 Newsletter).

User Specific:
 
•  Can mass delete all/selected users. Includes additional options to clear the user's posts and/or retain their PMs. (Great for spammers!)
•  Can mass Ban/Unban all/selected users.
•  Can mass activate/deactivate all/selected users, including dropping their activation key. (So they can't use the email activation)
•  Can mass promote/demote all/selected users to Administrators.
•  Can mass resync all/selected user post counts.
•  Can change individual user post count.
•  Can mass clear all/selected user signatures fields. (Great for spammers!)
•  Can mass clear all/selected user website fields. (Great for spammers!)
•  Change user's password, either by typing a new one, or setting the raw hash.
•  Change user's rank.
•  Change user's website.
•  Change user's location.
•  Change user's occupation.
•  Change user's Interests.
•  Change user's signature.
•  Change user's Hidden status.
•  Change/Disable user's avatar. (Can also specify whether it's disabled, remote, local or gallery).

Board Config:
 
•  Auto-detect and change the domain, port and script path.
•  Change site name and site description.
•  Enable/Disable PHPBB.
•  Change account activation settings. (None, User and Admin)
•  Enable/Disable Email via Board.
•  Enable/Disable GZip
•  Enable/Disable Pruning.
•  Specify Default board style.
•  Enable/Disable default style override. (Can be used with the next option to repair the "Nigga" hack).
•  Supports resetting/rebuilding of the Subsilver template in the event it has been hacked/altered. (Useful for recovering from certain hacks)
•  Auto-detect and change the cookie domain and name.
•  Change cookie name.
•  Enable/Disable Secure cookies. (For https connections)
•  Configure all smtp email settings, including: board email address, email sig, enable/disable smtp, specify smtp address, username and password.

Security Scan:
This security scan tool is designed to quickly summarize and display all important security related information in one page. It will check if your phpbb installation is up-to-date and (if permitted in the settings) if the Admin ToolKit is up-to-date. It will list all administrator accounts and moderator accounts, allowing you to easily spot imposters.

It will also scan all forum descriptions, showing you the actual text they contain, and will highlight any potentially harmful information. The vast majority of defacements resulting from hacked boards are stored in the forum descriptions, using JavaScript, iframes and the like. You can then quickly check and remove any harmful information stored in these areas.

Security Scan Features:
 
•  Easily determine your board's security status by listing the major causes of insecurity. (Fake admin accounts, outdated boards and harmful code)
•  PHPBB Version check makes sure your PHPBB installation is updated. (99% of all hacks resulted from using outdated versions)
•  Toolkit Version check makes sure your Admin ToolKit installation is updated. (Can be disabled)
•  Single-page listing of ALL administrator and moderator accounts on your forum, making it easy to spot and ban/demote/delete any intruders.
•  Scans ALL of your forum and site descriptions for any malicious information that can be used to "deface" a website. (The "Hacked By" messages are an example of a defaced site)
•  Detected malicious descriptions can be "Sanitized". This converts the harmful code into non-harmful characters which can then be edited like normal text.
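
The scan-and-sanitize idea described above, as an added PHP example that is not the toolkit's own code. The sample descriptions are constructed, and the tag list, the red/yellow split and the function names are assumptions made for illustration.

```php
<?php
// Added illustration, not the toolkit's code. The tag list and the
// red/yellow split below are assumptions made for this example.

// Constructed sample rows standing in for forum descriptions from the database.
$descriptions = [
    1 => 'General discussion about the site.',
    2 => 'Hacked By someone<script src="http://attacker.example/x.js"></script>',
    3 => 'Support <b>forum</b> for members.',
    4 => '<iframe src="http://attacker.example/" width="0" height="0"></iframe>',
    5 => '<img src="logo.gif" onerror="/* constructed */">',
];

/** Classify one description: 'red' = active content, 'yellow' = other markup, 'ok' = plain text. */
function classify_description(string $text): string
{
    // Tags that load or run content, event-handler attributes inside a tag, javascript: URLs.
    $active = '~<\s*(?:script|iframe|object|embed|bgsound|meta)\b|<[^>]*\bon\w+\s*=|javascript\s*:~i';
    if (preg_match($active, $text)) {
        return 'red';
    }
    // Any remaining markup is harmless-looking but still worth a manual look.
    return preg_match('~<[^>]+>~', $text) ? 'yellow' : 'ok';
}

/** "Sanitize": turn markup characters into entities so the text is displayed, not interpreted. */
function sanitize_description(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Scan all descriptions; flagged rows carry the sanitized text an admin could store and then edit. */
function scan_descriptions(array $descriptions): array
{
    $report = [];
    foreach ($descriptions as $forumId => $text) {
        $level = classify_description($text);
        $report[$forumId] = [
            'level' => $level,
            'text'  => $level === 'ok' ? $text : sanitize_description($text),
        ];
    }
    return $report;
}

foreach (scan_descriptions($descriptions) as $forumId => $row) {
    printf("forum %d [%-6s] %s\n", $forumId, $row['level'], $row['text']);
}
```

A pattern list like this only decides what gets highlighted for review; the entity conversion is what stops the stored markup from being interpreted by a browser.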


Installation:
Installing the toolkit is very simple: just upload toolkit.php into your forum folder, and run it in a browser.
It will then create a password file (toolkit-config.php) which will store the admin and mod passwords for the toolkit to use.

You can customize the default installation options, or create the passwords yourself, by opening toolkit.php in notepad or similar. A full and detailed install.txt file is contained in the toolkit.zip file which includes all configuration options and settings.

Automatic:
1: Download the latest version of the toolkit zip file, and extract toolkit.php.
2: Upload it to your forum's directory. (usually 'forum', or 'phpbb')
3: Access the php file from a browser. It will then prompt you to create the toolkit admin and mod passwords.

That's it! You can now just run the php file whenever you need to. Enjoy!

Manual:
You may be required to install the toolkit manually if your host prevents write-access to your server for php scripts.
(All settings are at the top of the file and are easy to locate.)

1: Download the latest version of the toolkit zip file, and extract toolkit.php.
2: Open toolkit.php in notepad or wordpad, and look for the following line:

     $use_toolkit_config_file = 'yes';

Because you will be using "infile" passwords, you must set this to 'no'. This will stop the toolkit from creating the toolkit-config.php file.

3: Next, you have an option of using either double-hashed, or plain text passwords:

     $use_hashed_in_file_passwords = 'no';

I always recommend double-hashed passwords, as they are very difficult to crack, even if a hacker has the hashes. Set this to 'no' or 'yes'. Just keep in mind, if you set it to 'yes', you must first double-hash the password you want to use and use that resulting hash in steps 4 and 5. To do this, you may use my hash generator, or one of the many free ones online.

4: Look for the following two lines:

     $adminpassword = 'ENTER_ADMIN_PASSWORD_HERE';
     $modpassword = 'ENTER_MOD_PASSWORD_HERE';

Replace 'ENTER_ADMIN_PASSWORD_HERE' with a password of your choosing for the admin login.
(I highly recommend something at least 10 characters long. I also recommend double-hashing the password)

5: Also replace 'ENTER_MOD_PASSWORD_HERE' with a password of your choosing.
If you want to disable the mod login option, use a blank password: $modpassword = '';
(Note: the admin/mod passwords are independent from phpbb.)

6: Save the file, and upload it to your forum's directory. (usually 'forum', or 'phpbb')

Optional Steps:
The steps shown below are optional changes you may make to enable or disable certain mod functions.

Simply type 'yes' or 'no' in the following fields:

$modban = 'yes'; // 'yes' : 'no'

This option allows mods to ban/unban users. Set this to 'no' to disable that functionality for mods.

$modrank = 'yes'; // 'yes' : 'no'

This option allows mods to change and remove user's ranks. Set this to 'no' to disable that functionality for mods.

$moddelete = 'no'; // 'yes' : 'no'

This option allows mods to delete users. Set this to 'no' to disable that functionality for mods.
Note: ONLY set this to 'yes' if you trust the moderators that have access to this script! Neither this script nor phpbb provides an "undelete" function!

How do I access the toolkit?
Once uploaded, you can access the toolkit by typing the full URL to the file.
This is your forum address, followed by a forward slash, then toolkit.php.

If you saved the file as toolkit.php and phpbb is stored in the 'forum' folder, the path would be:

http://www.yourdomain.com/forum/toolkit.php


MD5 Generator:
A lot of users don't know how to generate password hashes, either for the toolkit by specifying them manually, or for phpbb user accounts. To simplify the process, I have added a hash generator right here that anyone can use.

Type the text you want generated, and hit the generate button.



Disclaimer:
You may NOT hold Starfoxtj liable for any direct or indirect consequences of using this script.
The admin toolkit has been tested extensively on many different server configurations. As with almost any php script, it is generally recommended that register_globals is disabled, even though this script has been tested under both circumstances and no security holes have been found on either configuration.

A great deal of time has been invested to ensure that this toolkit is as secure as possible to prevent any unauthorized access or other security issues. In the event that a security hole is found, please contact me IMMEDIATELY so I can release an update.


PHPBB Admin ToolKit v2.1b © 2006 - Starfoxtj