[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

RabXI3oX,
As stated in the announcement, phpBB is not vulnerable; the hack was done through a third-party script we use.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

RabXI3oX wrote: I feel that phpBB is offline at the moment because of what happened; that hacker has been attacking them and they are trying to fix more security. Could be they make a new phpBB 3.0.5 and add more security to prevent hacker attacks so it won't ever happen again.

I hope that hacker will be caught...
There are no plans for an urgent 3.0.5 release because there are no security issues in 3.0.4. We are working on restoring the site but this takes time because we have to verify the data and ensure the attacker has not tampered with anything.
moltendorf
Posts: 7
Joined: Sat Aug 26, 2006 11:00 am
Location: San Ramon, California

Re: [Discussion] Downtime and Server Compromise

Post by moltendorf »

RabXI3oX wrote: I feel that phpBB is offline at the moment because of what happened; that hacker has been attacking them and they are trying to fix more security. Could be they make a new phpBB 3.0.5 and add more security to prevent hacker attacks so it won't ever happen again.

I hope that hacker will be caught...
phpBB 3.0.4 has no known security vulnerabilities. phpbb.com was not hacked through the phpBB software running on phpbb.com; it was hacked through another piece of software running on phpbb.com that was completely unrelated to phpBB. PHPList is the cause of the phpbb.com hack (it was not updated in time), not phpBB itself. Read the full announcement; it explains what I just did, but in a more concise form.
Last edited by moltendorf on Mon Feb 02, 2009 11:09 am, edited 1 time in total.
MasterZ
Registered User
Posts: 28
Joined: Sat Jan 29, 2005 8:23 pm

Re: [Discussion] Downtime and Server Compromise

Post by MasterZ »

Eelke wrote: Why is the phpBB3 password storing more secure? Because the password is not the entire thing that is hashed; when the password is submitted, a secret "salt" string (just a random sequence of characters) is added to the password before hashing. Even if the attacker were to get both the hash and the salt, he'd still not be much further, because he would have to search for a collision that includes the salt. In effect, he would need a completely new set of rainbow tables for every different salt employed by different sites.
Interesting way to do it, I never thought of that before. Good ideas for my future sites :)
Last edited by ToonArmy on Mon Feb 02, 2009 11:11 am, edited 1 time in total.
Reason: Fixed quote
Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL

Re: [Discussion] Downtime and Server Compromise

Post by Eelke »

You got your quote-tags mixed up there :)
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

MasterZ wrote: Interesting way to do it, I never thought of that before. Good ideas for my future sites :)
See the Portable PHP password hashing framework; this is what we use.
Stallyon
Registered User
Posts: 73
Joined: Mon May 31, 2004 1:30 pm
Location: BNE

Re: [Discussion] Downtime and Server Compromise

Post by Stallyon »

As a long-time user and lover of phpBB software, I will attempt to explain all this in plain English where possible and cover the FACTS that are known by the phpBB Group.

Firstly, I will start off with the most important disclaimer: I am in no way affiliated with phpBB Group, phpBB.com, OSUOSL, PHPList or any of these companies' affiliates. I am just a user with years of experience in both development of hacks (mods or addons) and templates (how phpBB looks), and this is my own attempt at explaining a few things for you. Some of these things may be obvious to you, so please don't be offended if I go back to basics to help people understand.

Here are some facts:
  1. PHP: Hypertext Preprocessor is a scripting language that phpBB is "coded" in. There are many different pieces of software with PHP in the name. This does not mean they are automatically affiliated or developed by the PHP Group (the developers of PHP) or the phpBB Group (the developers of phpBB). These companies are in no way affiliated or connected, except the fact that phpBB uses the PHP scripting language. There is no problem/exploit with PHP: Hypertext Preprocessor at this time.
  2. MySQL is widely used database software, developed and supported by MySQL AB and owned by Sun Microsystems. Both phpBB and PHPList use this database software to store their data. This is their only tie to MySQL. There is no exploit/problem with MySQL at this time.
  3. phpBB is developed and supported by the phpBB Group (the software we are currently using). It is in no way affiliated with any of the other companies mentioned in this post. There is NO exploit/problem with phpBB 3.x at this time; however, there is an exploit in phpBB 2.x in the way it stores users' passwords. phpBB.com does NOT use phpBB 2.x on its site. If you use phpBB 2.x I can only suggest you upgrade to phpBB 3.x, or there could be a patch for phpBB 2.x (of this I am unsure, so do your research!).
  4. The software with the exploit is separate 3rd-party software NOT developed by, supported by, nor affiliated with phpBB Group. It is called PHPList. phpBB.com simply uses this piece of software to manage its separate user database of newsletter subscribers. I will say again, this software is NOT supported by the phpBB Group.
  5. The current issue with the phpBB.com site is that the "hackers" used an exploit in PHPList to access the MySQL databases of both PHPList and the phpBB board itself. They could possibly have the emails from the PHPList database, and emails and passwords from the phpBB database. The passwords are useless IF you have logged in and changed your password SINCE the phpBB.com board was upgraded to version 3.x. If you have NOT logged in since the upgrade, then your password may be at risk of being compromised due to a great weakness in the MD5 method of password encryption. phpBB 3.x does NOT use this version of encryption. When (or if) you first logged into the phpBB community board after the upgrade to 3.x in around mid December 2007, you would have been requested to change your password. You are SAFE in this case, except the fact the "hackers" may have your email address.
  6. If you are running version 3.x of phpBB on your website, then you are SAFE unless you are running the unpatched version of PHPList on the same server. You should know if you're doing this, or ask your Web Host if you're unsure.
  7. If you are running version 2.x of phpBB on your website, I highly recommend you consider upgrading to phpBB 3.x, because all your users are in danger of the MD5 password encryption weakness. If you are running both phpBB 2.x and the unpatched PHPList, then you are in extreme danger of being exploited.
  8. The only reason this whole mess has occurred is because the developers or administrators of phpBB, most likely swamped with work, didn't patch the exploit in the 3rd party software PHPList on their server in time.
I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.
Last edited by Stallyon on Mon Feb 02, 2009 11:23 am, edited 1 time in total.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

Stallyon wrote:I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.
Very informative post, it is regrettable to correct you that the attacker stole the users database (containing the usernames, emails and password hashes) and the mailing list subscribers address list.
RabXI3oX
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 12:25 am

Re: [Discussion] Downtime and Server Compromise

Post by RabXI3oX »

Ahh, I got it, yeah.

I just thought phpBB needed a new, up-to-date 3.0.5, and I'm wrong.

But I think phpBB should be up to date.

Is there any new software to add more security, like a hard password provider?
Stallyon
Registered User
Posts: 73
Joined: Mon May 31, 2004 1:30 pm
Location: BNE

Re: [Discussion] Downtime and Server Compromise

Post by Stallyon »

ToonArmy wrote:
Stallyon wrote:I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.
Very informative post, it is regrettable to correct you that the attacker stole the users database (containing the usernames, emails and password hashes) and the mailing list subscribers address list.
Hmmm I thought I covered that in #5? My apologies.