the1kewldude
Hey guys, first I want to say that this is a great concept. I'm new here and like a lot of what I see. BUT... there are some issues.

PHP injection is the problem here and is done with remote shell scripts like c99 and r57. This happens when you "allow_url_fopen". I have it turned off. Everyone says it must be turned on, but this is not entirely true. I suggest, if you really want to stop these attacks, that you turn that off. There are CGI scripts that can prevent this by sidestepping PHP (see more in the call function) and that will perform the same function in the code, while maintaining security. Mod rewrites like the one suggested above will help as well. But the best recommendation I can make is to turn off allow_url_fopen. Use a different forum platform or incorporate a CGI script. It will take a little time to sort through the code to replace, but it will be well worth your time.

Banning IP addresses does little to help unless you block the entire block, as most of these bad guys are on dynamic accounts where the IP changes every time they get online.

These attacks are done by putting remote shell access scripts on a server. The bad guys are running bots that scan websites and find that you are using a vulnerable platform (i.e. Dolphin). Once they know that, they inject the code through allow_url_fopen. These scripts are in text format, so any server allowing people to post on it is vulnerable to assisting in these attacks without its owner's knowledge. Most of these attacks are done by placing a script in a public place and then calling the script from another. Allowing URL fopen poses a risk. It's just a matter of time before those of you on "dedicated servers" start experiencing these same issues.

BTW, I am going through this code with a fine-tooth comb and am finding that allow_url_fopen is being used for more than just the ORCA forum. I will post more as I inspect the code.
As I said in my opening statement, I like this concept and I would love to see it improved and made more secure.
Oh, one other thing: most of these bad guys are using wwwlib or Indy Library as the user agent, so blocking these agents in your .htaccess file will slow down the attacks. The only problem with that is that the user agent name in the attacking library can be modified.
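A log check for the request pattern the post describes, as an added example that is not part of the original post: it flags requests whose query parameters carry a remote URL and reports a libwww/Indy user-agent match only as a secondary signal, since that string can be changed. The log lines, hosts and parameter names (`page`, `dir`) are constructed for illustration and are not taken from Dolphin.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?page=http://files.example/s.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.4 - - [10/Oct/2008:13:56:01 +0000] "GET /profile.php?ID=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2008:13:57:12 +0000] "GET /inc.php?dir=ftp%3A%2F%2Ffiles.example%2Fs.txt HTTP/1.1" 404 300 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2008:13:58:40 +0000] "GET /rss.php HTTP/1.1" 200 900 "-" "Indy Library"
'''

# ip, method, request target, status, user agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)
# A parameter value that is itself a remote URL is the primary signal.
REMOTE_SCHEME = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)
# Secondary signal only: the post notes the agent string can be modified.
SUSPECT_AGENTS = ("libwww", "indy library")


def scan(log_text):
    """Return one finding per log line that shows either signal."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _method, target, status, agent = m.groups()
        # parse_qsl percent-decodes values, so ftp%3A%2F%2F... is caught too.
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        remote = [name for name, value in params if REMOTE_SCHEME.match(value)]
        agent_match = any(s in agent.lower() for s in SUSPECT_AGENTS)
        if remote or agent_match:
            findings.append({
                "ip": ip,
                "status": int(status),   # 200 deserves a closer look than 404
                "params": remote,        # parameters carrying a remote URL
                "agent_match": agent_match,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters that legitimately accept URLs (redirect or feed settings, for example) will also match, so findings need triage against what the application expects.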
 
 