[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Marshalrusty
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty » Wed Feb 04, 2009 10:12 pm

There are multiple ways of handling old passwords. I would rather leave that discussion until later though.

CarolC1
Registered User
Posts: 12
Joined: Mon Feb 02, 2009 12:45 am

Re: [Discussion] Downtime and Server Compromise

Post by CarolC1 » Wed Feb 04, 2009 10:29 pm

There's something I've been wondering since the beginning, but since nobody else asked I figured it must be a dumb question. Are the modifications downloads and the version downloads in a different place where they could not be accessed, so you know they are all OK? Also, he said he started on Jan 14 and the article where he got the idea was dated Jan 14, so hopefully that is true, but is there any way to be sure that is when he first got in? And this is a little off the subject, but I wonder if there is a way that someone can be notified every time a database dump of over a certain size is done, no matter who initiated it.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Wed Feb 04, 2009 10:33 pm

CarolC1 wrote:There's something I've been wondering since the beginning, but since nobody else asked I figured it must be a dumb question. Are the modifications downloads and the version downloads in a different place where they could not be accessed, so you know they are all OK? Also, he said he started on Jan 14 and the article where he got the idea was dated Jan 14, so hopefully that is true, but is there any way to be sure that is when he first got in? And this is a little off the subject, but I wonder if there is a way that someone can be notified every time a database dump of over a certain size is done, no matter who initiated it.
We have checksums of the MOD and Styles databases with which we can verify the integrity of the downloads.
Chris Smith | Blog | XMOO | Ohloh | Area51 | Wiki | No support via PM/IM
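The checksum verification ToonArmy describes, as an added example (not phpBB's own tooling): it reads a manifest of known-good digests recorded before the compromise, hashes every file in the download tree, and reports not only mismatches and missing files but also files present on disk that the manifest never listed, since an intruder can add a package as easily as alter one. The manifest format (`<digest>  <relative path>`, as written by sha256sum), the SHA-256 algorithm and the sample tree are assumptions; the thread only says "checksums".

```python
"""Verify a tree of downloadable packages against a pre-compromise checksum manifest.

Added example, not code from phpBB. Assumes a manifest in the sha256sum
format "<hex digest>  <relative path>"; the algorithm and the manifest
location are assumptions, the thread only mentions "checksums".
"""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse '<digest>  <path>' lines into {path: digest}; blank and '#' lines are skipped."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        # sha256sum marks binary-mode entries with a leading '*'
        manifest[path.strip().lstrip("*")] = digest.lower()
    return manifest


def file_digest(path, algorithm="sha256"):
    """Stream the file through the hash so large archives do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest, algorithm="sha256"):
    """Return {relative path: status}, status being 'ok', 'mismatch', 'missing' or 'unlisted'."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif file_digest(full, algorithm) != expected:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    # Anything on disk that the manifest never recorded is just as suspicious as a changed file.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in results:
                results[rel] = "unlisted"
    return results


def demo():
    """Constructed sample tree: one intact file, one altered file, one missing, one unlisted."""
    original = b"original archive bytes"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mods"))
        intact = os.path.join(root, "mods", "good_mod_1.0.0.zip")
        altered = os.path.join(root, "mods", "altered_mod_2.1.0.zip")
        extra = os.path.join(root, "mods", "unknown_mod.zip")
        with open(intact, "wb") as f:
            f.write(original)
        with open(altered, "wb") as f:
            f.write(original + b" plus bytes appended after the manifest was taken")
        with open(extra, "wb") as f:
            f.write(b"never recorded in the manifest")
        manifest_text = "\n".join([
            "# constructed manifest, digests of the pre-compromise files",
            f"{hashlib.sha256(original).hexdigest()}  mods/good_mod_1.0.0.zip",
            f"{hashlib.sha256(original).hexdigest()}  mods/altered_mod_2.1.0.zip",
            f"{hashlib.sha256(b'file that was deleted').hexdigest()}  mods/missing_mod.zip",
        ])
        return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

The manifest only proves anything if it was produced and stored somewhere the intruder could not reach; a checksum file that lived on the compromised host can be rewritten along with the packages it describes.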

CarolC1
Registered User
Posts: 12
Joined: Mon Feb 02, 2009 12:45 am

Re: [Discussion] Downtime and Server Compromise

Post by CarolC1 » Wed Feb 04, 2009 10:44 pm

And that includes the version downloads and upgrade downloads as well then? (Thanks)

EDIT: Also is there any way to be sure he did not change a download, leave it that way for a week, then reverse the changes.

Marshalrusty
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty » Wed Feb 04, 2009 11:18 pm

We have logs and database backups that provide insight into when the attack was started.

The new system has been built up from scratch and nothing will be moved to it without first being checked. That includes MODs, styles, phpBB packages, avatars, attachments, etc. The downloads hosted on ohloh and sourceforge are in no way affected by this.

Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: [Discussion] Downtime and Server Compromise

Post by Nicholas the Italian » Wed Feb 04, 2009 11:37 pm

Marshalrusty wrote:We have the choice of either reverting to an old "safe" backup or sanitising gigabytes of information.
Out of curiosity, what do you mean by "sanitising"?

Anyway, good luck and thanks for the hard work to all phpbb teams.

Marshalrusty
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty » Wed Feb 04, 2009 11:47 pm

Nicholas the Italian wrote:Out of curiosity, what do you mean by "sanitising"?

Anyway, good luck and thanks for the hard work to all phpbb teams.
http://dictionary.reference.com/browse/sanitise

Nothing on the compromised server can be trusted. Every piece of data transferred to the new setup must be cleaned (or sanitised) of possible malicious code. That includes the database.

CarolC1
Registered User
Posts: 12
Joined: Mon Feb 02, 2009 12:45 am

Re: [Discussion] Downtime and Server Compromise

Post by CarolC1 » Thu Feb 05, 2009 12:46 am

Thank you. :)
Last edited by CarolC1 on Thu Feb 05, 2009 6:49 am, edited 1 time in total.

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly » Thu Feb 05, 2009 2:56 am

Howdy,

First off I'd like to say that I'm sorry for the frustrations phpbb is experiencing, and I hope you're all not pulling out your hair (my host was hacked once, and despite having a small site it took me hours upon hours to set everything right again...). :shock:

I have a pair of requests:
1. Could an e-mail be sent out to all those users who have accounts registered that may have been compromised (in other words, those who never logged in after the update)? I can't for the life of me remember if I logged into the forums since the new version and did the password update. I ran some checks on my less secure passwords in md5, that I think I may have used, and they're both easily breakable off of a rainbow table I found on google, so I'd really like to know if my password was compromised.

2. If I provide clear evidence of who I am, and handle it by the same e-mail as I had registered, could I get just my password hash if it is in the old MD5 format (if I didn't update)? It's been a long time since I was a regular on phpbb, and I've long since forgotten which password I was using. If I have my hash, I can run comparisons on all of the passwords I use and see which one was compromised, and take steps accordingly.

For the record, this is neither the account name, nor e-mail, for the account I'm referring to... I'd rather not draw attention to the account in case it is insecure.

Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am

Re: [Discussion] Downtime and Server Compromise

Post by Phil » Thu Feb 05, 2009 3:41 am

Option one may potentially be considered in the future. As for option two, I'm afraid to say that it's really not viable. There were many accounts that had not logged in since RC7, when password hashes were changed. Imagine what would happen if everyone were to make/be granted a request. ;)
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
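gonzoateafly's first request and Phil's reply both turn on one question: which accounts still carry the pre-RC7 unsalted MD5 hash because their owners never logged in after the hash change. The triage below is an added example, not phpBB code: it classifies an exported user list by hash format and last visit, giving the set of accounts to notify or force-reset, and separately flags accounts whose hash is still MD5 even though they visited after the change, which is worth a look because a normal login should have re-hashed them. The field names, the `$H$` prefix for the newer format and the cutoff date are assumptions.

```python
"""Triage which accounts still hold legacy unsalted MD5 password hashes.

Added example, not code from phpBB. Assumes a user export with the fields
username, user_password and user_lastvisit (epoch seconds); the field
names are hypothetical. A 32-hex-character hash is treated as the old
MD5 format and a "$H$"-prefixed string as the newer salted format (an
assumption about the prefix). The cutoff is a placeholder, not the real
RC7 release date.
"""
import hashlib
import re
from datetime import datetime, timezone

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Placeholder for the moment the hash scheme changed; substitute the real release date.
HASH_CHANGE_CUTOFF = int(datetime(2007, 1, 1, tzinfo=timezone.utc).timestamp())


def is_legacy_md5(stored_hash):
    """True when the stored value looks like a bare MD5 digest rather than a salted hash."""
    return bool(LEGACY_MD5.match(stored_hash.strip().lower()))


def triage(rows, cutoff=HASH_CHANGE_CUTOFF):
    """Split accounts into 'legacy' (notify / force reset), 'current', and 'inconsistent'.

    'inconsistent' holds accounts that visited after the cutoff yet still
    carry an MD5 hash: a login should have re-hashed them, so the row
    deserves a closer look (broken migration or tampering).
    """
    legacy, current, inconsistent = [], [], []
    for row in rows:
        old_format = is_legacy_md5(row["user_password"])
        visited_after = row["user_lastvisit"] >= cutoff
        if old_format and visited_after:
            inconsistent.append(row["username"])
        elif old_format:
            legacy.append(row["username"])
        else:
            current.append(row["username"])
    return {
        "legacy": sorted(legacy),
        "current": sorted(current),
        "inconsistent": sorted(inconsistent),
    }


def _epoch(year, month, day):
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed sample export; the hashes are built here, not taken from any real database.
SAMPLE_ROWS = [
    {"username": "alice", "user_password": "$H$9" + "constructedsaltandhashplaceholder",
     "user_lastvisit": _epoch(2008, 12, 1)},
    {"username": "bob", "user_password": hashlib.md5(b"constructed-sample").hexdigest(),
     "user_lastvisit": _epoch(2006, 6, 1)},
    {"username": "carol", "user_password": hashlib.md5(b"another-sample").hexdigest(),
     "user_lastvisit": _epoch(2008, 3, 1)},
    {"username": "dave", "user_password": "$H$9" + "anotherconstructedplaceholder",
     "user_lastvisit": _epoch(2005, 2, 1)},
]


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_ROWS).items():
        print(f"{bucket:13} {', '.join(names) or '-'}")
```

Only the output lists leave this script; the hashes themselves stay in the export, which is the point of Phil's answer to the second request.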
