Like I said, I have no idea how the hash works. I guess you are saying even if the same password is chosen, they will not come out of the hash the same??
Rusty
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
normalhash(password1) equals normalhash(password1)
but
normalhash(username1 + password1) does not equal normalhash(username2 + password1)
(phpbb3 method is more complicated than this and does not use the username)
normalhash(username1 + password1) equals normalhash(username1 + password1)
Re: [Discussion] Downtime and Server Compromise
Posts wrote:normalhash(password1) equals normalhash(password1)
but
normalhash(username1 + password1) does not equal normalhash(username2 + password1)
(phpbb3 method is more complicated than this and does not use the username)
normalhash(username1 + password1) equals normalhash(username1 + password1)
But would the hash be the same on 2 different sites, if both the username and password were the same?
Re: [Discussion] Downtime and Server Compromise
Try for yourself: http://www.cs278.org/tools/phpbb/hash.php click hash multiple times and see the differences.
Re: [Discussion] Downtime and Server Compromise
You have asked for this information but you have never said why you need it. I'm curious as to why you want to know since I don't see how it is important for you to know.
CarolC1 wrote: I in no way even remotely fault anyone on phpbb for not patching something when a patch was not even released till many days later. However, I do wonder if the knowledge of the security hole in phpList was circulating underground for a while before it was posted on milworm, and if it might have been exploited earlier than the hacker claims. If you have ways of checking old backups, etc, you may have found some indication of entry before Jan 14. Perhaps you can clarify this. Is Jan 14 the earliest date you have evidence or suspicion of access by the hacker? If not, what is the earliest date? Thanks.
Eric
Re: [Discussion] Downtime and Server Compromise
ToonArmy wrote: Try for yourself: http://www.cs278.org/tools/phpbb/hash.php click hash multiple times and see the differences.
Nice! I told you, I have no idea how they work. So how does it know, when I log in, how to compare the password I entered to what it has in the DB, if the hashes are never the same? If it is sensitive info, I don't need to know.
Rusty
ps if this is wasting time, let me know.
Re: [Discussion] Downtime and Server Compromise
have/will the users with old password hashes be emailed?
rusty105:
Instead of a username, it's a random number. This random number is different for each user, and stored for each user. So yeah, different on 2 different sites.
See for yourself:
phpBB3/includes/functions.php
find: function phpbb_hash($password)
edit: whoops, made a big mistake, unique_id != user_id
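The two posts above (the "normalhash" comparison and the explanation that phpBB3 stores a random per-user value with each hash) describe salting. The following is an added example, not phpBB's own code: phpBB3's actual phpbb_hash() uses a different construction, and here the per-user salt is combined with the password via PBKDF2-SHA256, with the salt kept next to the digest in an assumed "salt$digest" string. It shows why the same password yields different stored values for different users or sites, and how a login check still works: the server reads the salt back out of the stored value and recomputes before comparing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# PBKDF2 iteration count chosen for this example; not a phpBB setting.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The thread's 'normalhash': same input gives the same output on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a per-user random salt; return 'salt$digest' so the salt is stored too."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every new password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Read the salt back out of the stored value, recompute, compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register_users(password: str, usernames: Iterable[str]) -> Dict[str, str]:
    """Constructed user table: every user picks the same password, each gets its own salt."""
    return {name: hash_password(password) for name in usernames}


if __name__ == "__main__":
    # Constructed sample: the same person registers the same password on two sites.
    table = register_users("hunter2", ["alice@siteA", "alice@siteB"])
    for user, stored in table.items():
        print(user, stored)
    print("unsalted hashes equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    print("salted hashes equal:  ", table["alice@siteA"] == table["alice@siteB"])
    print("login succeeds on both:", all(verify_password("hunter2", s) for s in table.values()))
```

Running it prints two different stored values for the same password, while both still verify. The unsalted comparison is what makes a leaked hash table reusable across sites; with a stored per-user salt an attacker who obtains one site's table gains nothing about the same password on another.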
Re: [Discussion] Downtime and Server Compromise
I've seen no sign of bot registrations that I would consider out of the ordinary since this happened, so as has been said those of you who have must be experiencing a coincidental event, as opposed to one that has been caused by this.
As was said earlier simple steps like changing the captcha settings from their defaults will serve you well, by making your site a damned sight harder to use a bot against.
Re: [Discussion] Downtime and Server Compromise
At the same time as the *Twit* was hacking, in the 2 weeks prior, perhaps coincidentally, the stock captchas have been cracked by registration robots and as a result, bot registrations suddenly started coming in.
I personally did go back and change the x and y axis settings for the captchas and this seemed to help but not eliminate the registrations. I turned on the foreground noise too but found that I could read maybe one in five captchas with it on, so I turned it back off.
It would be cool if stuff at Captchas.net could be loaded easily into phpBB so that we had such variety of captchas that it would throw off the registration engines totally. I really like the captcha ESP-PIX concept. Tell me when a computer is going to do image recognition AND pick from a drop down list. See it here: http://www.captcha.net/cgi-bin/esp-pix These might be a cool bunch of people to ally with and incorporate their product into phpBB.
Re: [Discussion] Downtime and Server Compromise
Mine too, hundreds of new spam accounts. I activate the accounts manually, none of them have been activated, but yet they (the spammers) are still creating accounts. It has to be a bot.
rusty105 wrote: I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), and since Jan 30th almost 2 doz. spam registrations. Too coincidental for me.
Rusty
Could some sort of weakness have been leaked when the phpbb site got hacked?
I really could use some of the anti spam mods right now.