[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Stallyon
Registered User
Posts: 73
Joined: Mon May 31, 2004 1:30 pm
Location: BNE

Re: [Discussion] Downtime and Server Compromise

Post by Stallyon » Mon Feb 02, 2009 11:28 am

RabXI3oX wrote: Ahh, I got it, yeah.

I just thought phpBB needed a new update to 3.0.5, and I'm wrong.

But I think phpBB should be up to date.

Is there any new software to add more security, like a hard password provice?
There are no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressed :)

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Mon Feb 02, 2009 11:29 am

Stallyon wrote:
ToonArmy wrote:
Stallyon wrote:I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.
Very informative post; it is regrettable to have to correct you, but the attacker stole the users database (containing the usernames, emails and password hashes) and the mailing list subscribers' address list.
Hmmm, I thought I covered that in #5? My apologies.
You said 'possibly'; it's fact, we know the attacker does.
Stallyon
Registered User
Posts: 73
Joined: Mon May 31, 2004 1:30 pm
Location: BNE

Re: [Discussion] Downtime and Server Compromise

Post by Stallyon » Mon Feb 02, 2009 11:32 am

Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.

RabXI3oX
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 12:25 am

Re: [Discussion] Downtime and Server Compromise

Post by RabXI3oX » Mon Feb 02, 2009 11:33 am

Stallyon wrote:
RabXI3oX wrote: Ahh, I got it, yeah.

I just thought phpBB needed a new update to 3.0.5, and I'm wrong.

But I think phpBB should be up to date.

Is there any new software to add more security, like a hard password provice?
There are no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressed :)
Cool, I can't wait for phpBB to go back online so that I can download some PHP code I need for my site :)

shahinavthal
Registered User
Posts: 4
Joined: Mon Feb 02, 2009 7:45 am

Re: [Discussion] Downtime and Server Compromise

Post by shahinavthal » Mon Feb 02, 2009 12:25 pm

Stallyon wrote:Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
So what do you suggest we do now :cry: I am not sure if we should wait and see what level of information the hacker has, isn't it? I think we need to get over the data acquired, reset the necessary fields and get back to business... RESET is what we all have been doing for a very long time (especially WINDOWS users like me :D )... Let's do it once more!!!

If we have lost email lists, so be it...I am not sure if the hacker would not use it anyways..So lets move on...

Just pray that nobody used their email passwords the same as the one on phpbb :geek:

Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: [Discussion] Downtime and Server Compromise

Post by Nicholas the Italian » Mon Feb 02, 2009 12:49 pm

Eelke wrote:The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
Exactly.
If I'm correct, this is particularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even on the public Internet.

Apart from the old suggestion of using a different pw for each site, using somewhat complex passwords is also good advice, for example !waHt+eVer? instead of whatever.

v1R
Registered User
Posts: 1
Joined: Thu Jun 26, 2008 2:07 am

Re: [Discussion] Downtime and Server Compromise

Post by v1R » Mon Feb 02, 2009 12:56 pm

Erik Frèrejean: Removed

The hacker released some notes here, check it out!
shahinavthal wrote:
Stallyon wrote:Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
So what do you suggest we do now :cry: I am not sure if we should wait and see what level of information the hacker has, isn't it? I think we need to get over the data acquired, reset the necessary fields and get back to business... RESET is what we all have been doing for a very long time (especially WINDOWS users like me :D )... Let's do it once more!!!

If we have lost email lists, so be it...I am not sure if the hacker would not use it anyways..So lets move on...

Just pray that nobody used their email passwords the same as the one on phpbb :geek:
Last edited by Erik Frèrejean on Mon Feb 02, 2009 1:06 pm, edited 1 time in total.
Reason: Removed link

Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean » Mon Feb 02, 2009 1:06 pm

v1R,
We are aware of those releases. Please don't post them in public view.
If you find anything suspicious, please send the link in a PM to myself or any other phpBB team member.

Thank you :).

Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am

Re: [Discussion] Downtime and Server Compromise

Post by Phil » Mon Feb 02, 2009 2:10 pm

Indeed, the most you guys can do to help right now is please forward us the link (via PM) of any website found copying the malicious user's blog post or any of the data he uploaded so the proper channels can be contacted to have it removed.
Last edited by ToonArmy on Mon Feb 02, 2009 2:20 pm, edited 1 time in total.
Reason: I can has dictionary

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Mon Feb 02, 2009 2:22 pm

Nicholas the Italian wrote:
Eelke wrote:The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
Exactly.
If I'm correct, this is particularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even on the public Internet.

Apart from the old suggestion of using a different pw for each site, using somewhat complex passwords is also good advice, for example !waHt+eVer? instead of whatever.
Not if the hashes are salted, which the new phpBB3 ones are; you would need to generate a rainbow table for each common word plus the salt, which is nigh on impossible.
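The point made in Eelke's quote and in ToonArmy's reply above, shown as an added example (not code from the thread or from phpBB): a precomputed md5(word) table finds an unsalted hash of a common word instantly, but a per-user random salt makes the same table miss and also makes one user's leaked hash useless against another site. The wordlist, salt and the salted-iterated-MD5 scheme are constructed for the demo and are not phpBB3's exact algorithm.

```python
import hashlib
import hmac
import os

# Constructed miniature "wordlist": stands in for the public reverse-MD5 tables
# the thread mentions, which map md5(word) back to word for huge numbers of words.
COMMON_WORDS = ["whatever", "password", "letmein", "qwerty", "123456"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_reverse_table(words):
    """Precompute md5(word) -> word once; a rainbow table is this idea at scale."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(stored_hash: str, table: dict):
    """Return the plaintext if the stored hash is in the precomputed table, else None."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes, rounds: int = 1000) -> str:
    """Illustrative salted, iterated MD5 (an assumption for this demo, not phpBB3's
    exact scheme). The salt is random per user and stored next to the hash, so the
    table above, built without it, cannot match the result."""
    digest = hashlib.md5(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + password.encode()).digest()
    return digest.hex()


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """The site still verifies logins by recomputing with the stored salt."""
    return hmac.compare_digest(hash_salted(password, salt), stored_hash)


def same_hash_on_two_sites(password: str, salted: bool) -> bool:
    """Does a hash leaked from one site equal the hash of the same password elsewhere?
    Unsalted md5: yes, identical everywhere. Salted with a fresh random salt: no."""
    if not salted:
        return md5_hex(password.encode()) == md5_hex(password.encode())
    return hash_salted(password, os.urandom(16)) == hash_salted(password, os.urandom(16))
```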
