You're probably right about "conspiracy"; it's most likely only a coincidence, but the downtime is serving them since no captcha update will occur before phpBB.com gets back on (at least that's what one could think).
I was thinking about the possibility because, to me, this hack does not demonstrate anything; it's just pure mess.
It's just too bad to have to lose this much time over such nonsense.
++
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
CarolC1 wrote: I agree the phpBB software as written was security tested and found to be secure; however, they are still investigating the incident itself and may not have had time to complete the investigation, draw final conclusions, and release all findings. I would not make assumptions at this point.
We know what the entry point was (PHPList 0-day); phpBB made it difficult for the guy.
Re: [Discussion] Downtime and Server Compromise
Ok,
So some questions... a phpBB3 forum that was never a phpBB2 forum will have all its passwords in a salted MD5, right? Is this password list vulnerable?
2nd question: I have a smallish phpBB2 forum that I was in the process of upgrading when this mess happened. How can I protect these passwords? Can the leaked list be used to get into the forums I admin? I do use a different name when I admin. Can the list be used to log in to my forums as one of my members?
Rusty
Re: [Discussion] Downtime and Server Compromise
ToonArmy wrote: We know what the entry point was (PHPList 0-day), phpBB made it difficult for the guy.
I in no way even remotely fault anyone on phpBB for not patching something when a patch was not even released till many days later. However, I do wonder if the knowledge of the security hole in phpList was circulating underground for a while before it was posted on milw0rm, and if it might have been exploited earlier than the hacker claims. If you have ways of checking old backups, etc., you may have found some indication of entry before Jan 14. Perhaps you can clarify this. Is Jan 14 the earliest date you have evidence or suspicion of access by the hacker? If not, what is the earliest date? Thanks.
- darcie
Re: [Discussion] Downtime and Server Compromise
rusty105 wrote: Is this password list vulnerable?
No.
rusty105 wrote: 2nd question, I have a smallish phpBB2 forum that I was in the process of upgrading when this mess happened, how can I protect these passwords? Can the leaked list be used to get into the forums I admin. I do use a different name when I admin. can the list be used to login to my forums as one of my members?
The only way the access was gained in our case was through the phplist vulnerability. If you are not running anything other than the phpBB forum, there is no vulnerability and no way of someone getting the old passwords on your converted forum. If you use a different name and different password there, then there isn't a way that someone has access to that through your account. If, by some chance, you have a member that also had a phpbb.com account, used the same password on your forum, and has not logged in to phpbb.com since our conversion, that password might be a point of compromise. But that person would also have to have an admin account on your board... all highly unlikely.
Re: [Discussion] Downtime and Server Compromise
rusty105 wrote: Ok,
So some questions... a phpBB3 forum that was never a phpBB2 forum will have all its passwords in a salted MD5, right?
Yes.
rusty105 wrote: 2nd question, I have a smallish phpBB2 forum that I was in the process of upgrading when this mess happened, how can I protect these passwords? Can the leaked list be used to get into the forums I admin. I do use a different name when I admin. can the list be used to login to my forums as one of my members?
1.) Don't allow your site to be hacked.... the problem was with some other software, not phpBB. Most everyone's web site has the potential to be hacked somehow.
2.) Probably so, if you mean the phpbb.com list, and no passwords have changed
3.) Same as 2
Re: [Discussion] Downtime and Server Compromise
Thankfully the phpBB 3 software was not the compromised software. I tip my hat to the team that had the foresight to have version 3 audited for security. It is war out there and we appreciate a well armored installation.
As for the incident of the hacking itself, there is no excuse for the irresponsible release of the user database. Trophy hacking is one thing, but anarchy and helping the bad guys under the guise of "fun" is just total crap. I am just livid over this.
Even worse, I confirmed our worst fears by doing a little digging and finding the entire user database available as a torrent for all anarchists to download at their leisure. Just lovely. My names and passwords are definitely in there, as are all of yours. Expect the worst as they figure out how to parse these files in short order and feed them into the spam and scan machines.
I too, in the last 2 weeks of January, have had an exceptionally high amount of scanning going on, as well as spam registrations on my server and phpBB installations. I took the safest path and decided to shut down non-essential services unless requested, such as terminal services, telnet and especially FTP. I also entered the entire IP range of the IPs from which spam registrations were made, which has greatly reduced the number of spam registrations received this week so far.
Also, I detect a massive release this last week as well of bot-net trojans and the like, having picked up two myself while browsing, and confirm that many other friends and family have found the same thing.
An overall bad couple of weeks on the net so far. Be prepared for more as spam operators scramble to recover the installed base they've lost over the last 4 months worldwide.
This was the worst thing this twit could have done with the user list at this point, and the worst timing possible.
Re: [Discussion] Downtime and Server Compromise
Worth noting: in phpBB 3.0.5 we will be introducing measures to protect the MD5 hashes of unconverted users; this will apply retroactively to conversions performed with a previous version of 3.0. Obviously it won't help phpBB.com, as all those MD5 hashes are out in the wild.
Re: [Discussion] Downtime and Server Compromise
If it hasn't been mentioned before, will there be a way for the admin of a forum to use a pass phrase to assist in the creation of the hash? Is this possible, or am I off in space? I know very little about the hashing procedure. I would think that with hundreds of different pass phrases, it would limit the damage to just the forum that was hacked.
Rusty
Re: [Discussion] Downtime and Server Compromise
rusty105 wrote: If it hasn't been mentioned before, will there be a way for the admin of a forum to use a pass phrase to assist in the creation of the hash? Is this possible, or am I off in space? I know very little about the hashing procedure. I would think that with hundreds of different pass phrases, it would limit the damage to just the forum that was hacked.
phpbb_hash() generates salted hashes as such:
Code:
// phpbb_hash() draws a fresh random salt on every call, so two hashes of
// the same password differ and this comparison is false. To verify a
// password against a stored hash, use phpbb_check_hash($password, $hash).
if (phpbb_hash('passw0rd23!') == phpbb_hash('passw0rd23!'))
{
    echo "Hashes match";
}
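The salting point above, the 3.0.5 protection for unconverted MD5 hashes, and the per-board pass phrase rusty105 asked about, as one added Python example that is not phpBB's code: salted_hash()/check_salted() are a constructed stand-in for phpbb_hash()/phpbb_check_hash() (PBKDF2 rather than phpBB's own scheme), wrap_legacy() mirrors the idea of salt-hashing an existing MD5 hex without knowing the plaintext, and BOARD_SECRET and the $CP$ marker are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for phpbb_hash()/phpbb_check_hash(): a random per-user
# salt plus an iterated hash. phpBB's real routine differs; only the shape
# (salt stored with the hash, verified through a check function) matters here.
ITERATIONS = 50_000
# The per-board pass phrase ("pepper") rusty105 asks about: kept in the
# board's config file, never in the users table, so a dumped users table
# alone is not enough to test candidate passwords against its hashes.
BOARD_SECRET = b"constructed-board-secret"


def salted_hash(password: str, salt: bytes = b"",
                secret: bytes = BOARD_SECRET) -> str:
    salt = salt or os.urandom(8)                   # fresh salt per call
    keyed = hmac.new(secret, password.encode(), "sha256").digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)
    return "$S$" + salt.hex() + "$" + digest.hex()  # salt travels with the hash


def check_salted(password: str, stored: str,
                 secret: bytes = BOARD_SECRET) -> bool:
    _, _, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), secret)
    return hmac.compare_digest(candidate, stored)


def legacy_md5(password: str) -> str:
    """phpBB2-era storage: unsalted MD5 hex, identical on every board."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy(md5_hex: str) -> str:
    """Retroactively protect an unconverted MD5 hash without the plaintext:
    salt-hash the MD5 hex itself and mark it ($CP$ is a constructed marker
    for this example)."""
    return "$CP$" + salted_hash(md5_hex)


def check_password(password: str, stored: str) -> bool:
    """Login check covering bare MD5, wrapped MD5 and fully salted hashes."""
    if stored.startswith("$CP$"):
        return check_salted(legacy_md5(password), stored[4:])
    if stored.startswith("$S$"):
        return check_salted(password, stored)
    return hmac.compare_digest(legacy_md5(password), stored)  # bare MD5
```

A wrapped hash still verifies the user's real password at login, so the upgrade needs no password reset, while a leaked bare MD5 list stays reusable against every board that never converted.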