I'm one of the phpBB forum users, and we are from the Arabic support team phpbbarabia.com.
We were all very upset about what happened to the Mother Site phpbb.com,
but what happened doesn't mean that there is something wrong, so we leave it behind us and move on... We bow to your hard work...
You made the internet and the communication between the nations easy and free, and we shouldn't stop for a long time over what happened,
but only take a lesson from it... We provide full support even if our language is different... but we are united by phpBB, and I say again that we thank you.
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- Lumpy Burgertushie
- Registered User
- Posts: 1006
- Joined: Tue Feb 28, 2006 5:26 pm
Re: [Discussion] Downtime and Server Compromise
Here is a place to get phpBB2 support.
It is in no way associated with phpbb.com; however, many of us long-time supporters are involved there.
You can get the cookie MOD from someone over there:
http://www.phpbb2refugees.com/index.php
robert
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: [Discussion] Downtime and Server Compromise
Yes, that's an idea. One could rehash the old 2.0.x MD5's with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.
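The migration sketched in the post above, as an added example that is not phpBB code: old unsalted MD5 hashes are wrapped in the new scheme and flagged as legacy, and the first successful login replaces the wrapper with a native hash of the real password. The "new method" is assumed here to be salted PBKDF2-HMAC-SHA256; the record layout and iteration count are also assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def new_hash(secret, salt=None):
    """The assumed 'new method': salted PBKDF2-HMAC-SHA256, self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return "pbkdf2$%s$%s" % (salt.hex(), dk.hex())


def new_verify(secret, stored):
    """Constant-time comparison against a stored new-method hash."""
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def legacy_md5(password):
    """What a 2.0.x board stored: plain unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def migrate_legacy_record(old_md5_hex):
    """Offline step: re-hash the old MD5 so bare MD5 no longer sits in the DB."""
    return {"hash": new_hash(old_md5_hex), "legacy": True}


def login(record, entered):
    """Verify the entered password; on success, upgrade a legacy row in place."""
    # For legacy rows the 'submitted password' is the MD5 of what the user typed.
    submitted = legacy_md5(entered) if record["legacy"] else entered
    if not new_verify(submitted, record["hash"]):
        return False
    if record["legacy"]:
        record["hash"] = new_hash(entered)  # now hashes the real password
        record["legacy"] = False
    return True


def demo():
    """Constructed scenario: one migrated 2.0.x user logging in twice."""
    rec = migrate_legacy_record(legacy_md5("hunter2"))  # constructed sample password
    results = (login(rec, "wrong"), rec["legacy"], login(rec, "hunter2"),
               rec["legacy"], login(rec, "hunter2"), login(rec, "wrong"))
    return results  # -> (False, True, True, False, True, False)
```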
Re: [Discussion] Downtime and Server Compromise
I think we need to learn from this incident... phpBB admins (users) should be aggressively notified about new updates. Maybe a popup as soon as the board admin logs in... "New Updates Available"!
- Lumpy Burgertushie
- Registered User
- Posts: 1006
- Joined: Tue Feb 28, 2006 5:26 pm
Re: [Discussion] Downtime and Server Compromise
I think some of you are getting confused here.
This "hack" has only affected phpbb.com as far as anyone knows.
It can only affect phpBB3 boards that are on the same server with a version of phplist that is not up to date.
From what I have read here, the only thing the hacker did was gather the email addresses and old passwords from the database.
If you have ever logged into phpbb.com since it was converted to phpBB3, then your account at phpbb.com has not been compromised.
YOUR boards have most likely not been compromised and most likely will not be.
This IS NOT phpBB related. It just so happens that phpbb.com was using phplist, and that is what has the vulnerability, NOT phpBB.
robert
Re: [Discussion] Downtime and Server Compromise
I know that there isn't a security issue with the phpBB 3 software.
I'm not talking about a specific setup, particularly phpbb.com... but a scenario in the future, if the situation arises... many board admins may be able to patch their boards in time!
[removed] claims to be the hacker... hunt down this #$@#$@#!
Last edited by Phil on Fri Feb 06, 2009 2:04 pm, edited 1 time in total.
Reason: We are very aware of said blog, please do not link to it as we do not want to draw any more publicity there than absolutely necessary ;)
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
- Contact:
Re: [Discussion] Downtime and Server Compromise
z2z wrote: many board admin can may be patch their board in time!
The point is the supplier (phplist) provided a patch 'just' 2 weeks after the exploit was discovered. Got it?
Free support for our extensions also provided here: phpBB Studio
Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
Re: [Discussion] Downtime and Server Compromise
So how about trying to find some constructive improvements from this? Not now, obviously, they're a tad busy at the moment, but kind of ideas for how to improve things for 'worst case' scenarios in the future. Not that I'm hoping you'll have any worst case scenarios ever again... hell, can I dig this hole any deeper?
I'd like to see the knowledge base mirrored somewhere, for example, and maybe even the mod forums, even if only in read-only format.
- Erik Frèrejean
- Registered User
- Posts: 207
- Joined: Thu Oct 25, 2007 2:25 pm
- Location: surfnet
- Contact:
Re: [Discussion] Downtime and Server Compromise
dowelld wrote: I'd like to see the knowledge base mirrored somewhere, for example, and maybe even the mod forums, even if only in read-only format.
The KB is mirrored, see the sticky in the temp support forum here.
MOD forums are a bad idea, as the MODs are stored on the phpBB server, and we don't trust anything that was on the server during the attack. Therefore it's a good thing that those MOD files aren't available before they are fully checked.
Available on .com
Support Toolkit developer
Re: [Discussion] Downtime and Server Compromise
Hi
Yes, I understand that. I didn't mean now, though. I meant for the future, once you've got it all back.
It would surely be easy enough (once it's all back) to have a read-only mirror that was updated nightly somewhere else.
As long as backups were held for a reasonable amount of time, even a compromise such as this one would be easily worked around by restoring back to a backup of the read-only mirror (on the read-only mirror) from before the compromise, thereby mitigating anything that had been copied over in the nightly updates. It would make that information (albeit backed out to before the compromise of the primary site) available in the event of bad stuff happening... anyway, it was just a thought.
I found the thread about the knowledge base being put up somewhere else. Thanks for that.