I've got a problem... my users are using the PHPBB forum, which has a big bug... but how do I fix it so that if one of my users' websites is hacked, the hacker doesn't get access to all the other users' directories?
If you're using suExec, they shouldn't be able to access anything outside of their home directory (and system tools, which may include a compiler and fetch-like utilities; oh, and /tmp). As far as data goes, you should be safe if you're using suExec and have your permissions right. If you're just using mod_php, then you definitely could have a big problem, as the apache user would have at least read access to everyone else's home directory.
So, take my thoughts into consideration:
1) Use suExec for CGI and PHP
2) Use mod_security, it's just a good thing to do
3) Secure /tmp, /var/tmp and /dev/shm
4) Use chkrootkit
5) Lock down system utilities
Also, if you know which files contain the bug, just find those files and replace them with the fixed ones (and tell your customers you're doing that).
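A check for the permissions and temp-directory points in the reply above, added here as an example and not written by any poster in this thread. The function names are hypothetical, the mounts sample is constructed, and treating noexec, nosuid and nodev as what "secure" means for /tmp, /var/tmp and /dev/shm is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: "secure" for a temp
# mount means the noexec, nosuid and nodev options are all set.

# Print the hardening options missing from MOUNTPOINT ($2) in a
# /proc/mounts-style file ($1); return 0 only when nothing is missing.
missing_mount_opts() {
    # The last entry for a mount point is the one in effect.
    opts=$(awk -v m="$2" '$2 == m { o = $4 } END { print o }' "$1")
    [ -n "$opts" ] || { echo "no-separate-mount"; return 1; }
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# List account directories directly under BASE ($1) that any other local
# user (including a shared apache user under mod_php) can read.
world_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004 | sort
}

# Constructed sample of /proc/mounts; on a real host pass /proc/mounts itself.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0
EOF
for mp in /tmp /var/tmp /dev/shm; do
    if out=$(missing_mount_opts "$sample" "$mp"); then
        echo "$mp: ok"
    else
        echo "$mp: $out"
    fi
done
rm -f "$sample"
```

On a live server, `world_readable_homes /home` lists the accounts whose directories still need their mode tightened.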
We have been fighting with PhpBB bugs since version 2.0.1 using mod_security, securing /tmp and chmod 700 *cc *fetching utils - somehow it still gets in, runs fake eBay/PayPal sites, starts bots for IRC (./pl) - even if they cannot do any good, it's just annoying us a lot.
What we decided to do is REMOVE all installations of PhpBB and ask customers to use VBulletin instead - even the guys from PhpBB, who "know" all the security holes of PhpBB and blame server-side settings, got hacked (www.phpbb.com) a few months ago and the whole server was just wiped out.