[Discussion] Downtime and Server Compromise

[dsiembab]

@3di
What I am trying to say is the exploit was always their. So day zero is an excuse for writing bad code? check this link out it might help you out understanding what I mean http://www.onlamp.com/pub/a/php/2003/03 ... urity.html. Yeah 2003 so does that make the exploit day zero. I don't think so. I am LMFAO because a day zero excuse is a bad excuse for bad coding practices. Look at the exploit.

Code: Select all

Code Snippet:
/lists/admin.php #line:10-18

if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
  # fix register globals, for now, should be phased out gradually
  # sure, this gets around the entire reason that regLANGUAGE_SWITCHister globals
  # should be off, but going through three years of code takes a long time....

  foreach ($_REQUEST as $key => $val) {
    $$key = $val;
  }
}

/lists/admin.php #line:41-56

if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
  print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
  include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
  print '<!-- using '.$cline["c"].' -->'."\n";
  include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
#  print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
  include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
  print '<!-- using ../config/config.php -->'."\n";
  include "../config/config.php";
} else {
  print "Error, cannot find config file\n";
  exit;
}

Please don't defend people for not checking code they use on their websites.

[3Di]

zomg.. please provide a snippet of the phpbb3 code that's poorly written if you can, I doubt that.

the hack has been issued through a thirdy party software, phplist. DEVeloppers are enough smart and pro to recognise a bad written software, being myself a former MOD Team validator I can say it is not so easy to catch a bug or a security issue also if you read the code twice in some case, I believe I'm an human being like they are.

Please don't defend people for not checking code they use on their websites.

Yes I do because of the reasons I above explained.

awaiting.

[PerfectReign]

Although it is very nice to discuss the level of testing needed in third party libraries, I'd be curious if there's an ETA as to when phpbb.com might be back online. I searched and didn't see anything.

[Highway of Life]

There is still no timeframe for getting the site back online. As stated on the podcast, the hope is this week, but don’t hold your breath.

@dsiembab, the point is that we (the phpBB Teams) should not have to validate 3rd-party scripts. It’s a travesty that because not all developers hold the same high standards that the phpBB Developers do, that we will have to validate these third-party scripts.

[JRSweets]

Although it is very nice to discuss the level of testing needed in third party libraries, I'd be curious if there's an ETA as to when phpbb.com might be back online. I searched and didn't see anything.

Acyd Burn posted this yesterday...

At the moment everything is going quite smooth. Depending on the time we are able to work on it (we all have day jobs too ) i predict(!) 1-3 days. It will definitely not be an additional week.

[EXreaction]

@3di
What I am trying to say is the exploit was always their. So day zero is an excuse for writing bad code?

Yes, it DOES make it a 0 day attack. http://en.wikipedia.org/wiki/Zero_day_attack

A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or patchfree computer application vulnerabilities. The term Zero Day is also used to describe unknown or Zero day viruses.

Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor .

[blueprins]

Hello

When will phpbb.com open is there any date ? However I see , my old posts is deleted. Will be the any posts deleted or will they readd

thanks

[stickerboy]

Read the post above yours

[dsiembab]

https://samate.nist.gov/index.php/Web_A ... rabilities
http://www.owasp.org/index.php/Phoenix/Tools
I am going to use some of these against phplist 2.10.8 and if none of them pick it up then hey you are all right and I am wrong. If any of these programs show the exploit I will show the program name and the date the program was last updated. Better to check on something that could have been prevented instead of playing the I'm right, you're wrong game. But, if I'm right you'll never hear the end of it. not, I'm only kidding.

@Highway of Life -

@dsiembab, the point is that we (the phpBB Teams) should not have to validate 3rd-party scripts. It’s a travesty that because not all developers hold the same high standards that the phpBB Developers do, that we will have to validate these third-party scripts.

ounce of prevention. pound of cure. The thing is you're right you shouldn't have to, I shouldn't have to look both ways before crossing a road either, but I know if I don't their is a chance for an accident. It's just sad that it took someone stealing 100 of 1000's of user e-mails for the epiphany.

@EXreaction - You are exactly right. here's one for ya trickle down effect. used in a sentence: The trickle down effect from the zero day attack has caused me to wonder if I need male enhancement from the spam that I am receiving. : trickle down effect.

I am just saying that it could have been prevented and now I am going to research how.

[neilwiththedeal]

Can people please post what the personal effects of the compromise have been? Most notable for me is that my email was clearly included on a sale list to spammers (however it creeps me out that each one I get states that I signed up from my work IP, which it displays in the spam email...how was that # retrieved?).

Also just what information was leaked and posted? Just email/pw/forum site im assuming. Are people still saying the spam influx on forums isn't related to the hack? My site is so small, I can't imagine spammers would have interest if it were not related to the leaking of our info. Also we just opened in Sept 08, not really enough time for word about our forum to circulate...?

Besides all that, thank you phpbb your site had been great for us and made everything possible.