[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am

Re: [Discussion] Downtime and Server Compromise

Post by Phil »

The amount of data that was leaked has been detailed a few times in this topic -- the user table was released in its entirety, as well as the contents of the PHPList mailing list. Any spam you have received to your email address is completely unrelated -- an email address that was used only on phpbb.com (and was listed in both the users table and a separate piece of information that was leaked concerning team members) has yet to be targeted. As for forum spam, this too is unrelated: no information within the users table that was not available openly on the web could possibly point to your website. It's just a very poorly timed coincidence, nothing more.
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.

SamG
Registered User
Posts: 1241
Joined: Fri Aug 31, 2001 6:35 pm

Re: [Discussion] Downtime and Server Compromise

Post by SamG »

dsiembab wrote:It's just sad that it took someone stealing 100s of 1000s of user e-mails for the epiphany.
The real epiphany here is people should have to look both ways before crossing the road. I can't imagine any scenario where crossing the road safely isn't a cooperative effort between driver and pedestrian.

That said, suppose your overall argument holds -- there are automated tools that reliably detect website vulnerabilities. Let's go so far as to stipulate that one of these tools could have found the vulnerability in PHPList.

But let's forget about phpBB.com, because you seem to argue that all website operators can reliably and without exception use these tools and prevent a big mess. This I don't buy. There are several reasons I don't buy it.

For starters, by your argument, it's my responsibility to confirm before use that every element of my desktop OS and applications is not vulnerable. After all, they could turn my desktop box into a zombie and be the source of male enhancement spam up to killing your in-box entirely, yes? To get even close to securing my house, let alone my web hosting, I need to independently confirm the reliability of my virus scanner, my firewall, my router's firmware, my network appliances, my Palm OS and software, just to name a few -- and that on every update. Frankly, I'm just not that smart.

But, my website is a little less complex and involved. Or is it? Have I independently confirmed the integrity of the installed versions of PHP, MySQL, Apache, and CPanel I'm using? What about the ClamAV they're using to scan e-mail running through my account, to contain infections?

Or did you mean just user-installed and "one click" (e.g., Fantastico-installed) software when it comes to websites? Well, that might be straightforward enough. Every time I upload a script I just run the scanner. But, as we all know from phpBB alone, a background PHP version upgrade might open a hole in an otherwise acceptably secure piece of software. So what I really need is an on-demand vulnerability scanner, since 0-day exploits are really not my area of expertise as an ordinary shared hosting user. Not to mention that I do have a life...

To be honest, I get your point. I think the phpBB Team would have loved to have caught this before it got exploited. It may well be that the phpBB Team will be a little sharper for having gone through this experience. But the bad guy here is the bad guy, and not anybody else. Like drivers and pedestrians, an individual finding a hole in a site can work with the site operator to remedy the situation rather than driver and pedestrian playing the blame game when somebody gets run over. I really do object to the very idea that typical website owners can reliably, perpetually, and without exception secure their sites against intrusion, so necessarily and without exception it is their responsibility. If it was that easy, between them, hosting companies and software authors would be already making it unnecessary for me to do so.

Just my plugged nickel's worth.
"I hate trolls!" - Willow Ufgood

deadeye536
Registered User
Posts: 1
Joined: Tue Feb 10, 2009 3:33 am

Re: [Discussion] Downtime and Server Compromise

Post by deadeye536 »

Ouch, hope you get the website back up and running soon :D , if you need help in the area of hosting, I'll be more than glad to help. I feel lucky that 2 weeks ago I had to change my password when I accidentally typed it into an AIM window :shock: , and forgot to update my password on phpBB.com.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

deadeye536 wrote:Ouch, hope you get the website back up and running soon :D , if you need help in the area of hosting, I'll be more than glad to help. I feel lucky that 2 weeks ago I had to change my password when I accidentally typed it into an AIM window :shock: , and forgot to update my password on phpBB.com.
We are quite good for hosting, we require a little more than your average user as well. ;)

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: [Discussion] Downtime and Server Compromise

Post by Highway of Life »

dsiembab wrote:ounce of prevention. pound of cure. The thing is you're right you shouldn't have to, I shouldn't have to look both ways before crossing a road either, but I know if I don't there is a chance for an accident. It's just sad that it took someone stealing 100s of 1000s of user e-mails for the epiphany.
Let me ask you something: Do you, or anyone you know, as a server administrator or webmaster do a line-by-line security code audit of scripts that you install or use on your sites or server? If you, or they... do not, how do you know that you are going to be absolutely safe from an attack such as this? This is not a case of looking both ways to cross the road, that’s actually a really bad analogy.
This is a case where scripts or web applications that you install you trust to have taken security precautions, just as you would board an airplane and trust that the flight crew have taken security precautions to ensure the plane can take off, fly and land without incident. In our case, we are like passengers that have to get out and inspect the airplane ourselves. Should passengers have to do that? ...
dsiembab wrote:I am just saying that it could have been prevented and now I am going to research how.
That is called hindsight.
neilwiththedeal wrote:Also just what information was leaked and posted? Just email/pw/forum site I'm assuming. Are people still saying the spam influx on forums isn't related to the hack? My site is so small, I can't imagine spammers would have interest if it were not related to the leaking of our info. Also we just opened in Sept 08, not really enough time for word about our forum to circulate...?
Information leaked from the attack:
  1. Passwords used by users for PHPList.
  2. E-mail addresses listed on PHPList.
  3. E-mail addresses used for users who signed up on the forums of phpBB.com.
  4. Passwords for users who were on phpBB.com and had not logged in since phpBB.com converted to phpBB3.
  5. Private Team Member information.
The spam influx timing is a coincidence to the attack. There was (at about the same time) a spambot piece of software that posted an update where it was able to break the phpBB3 GD CAPTCHA. We knew this would eventually happen, but anticipated it to happen several months ago. The timing of it was just really bad to coincide with the attack on phpBB.com.

PerfectReign
Registered User
Posts: 2
Joined: Thu Feb 10, 2005 10:40 pm

Re: [Discussion] Downtime and Server Compromise

Post by PerfectReign »

JRSweets wrote:
PerfectReign wrote:Although it is very nice to discuss the level of testing needed in third party libraries, I'd be curious if there's an ETA as to when phpbb.com might be back online. I searched and didn't see anything.
Acyd Burn posted this yesterday...
Acyd Burn wrote:At the moment everything is going quite smooth. Depending on the time we are able to work on it (we all have day jobs too ;)) I predict(!) 1-3 days. It will definitely not be an additional week. :)
Many thanks! I didn't see Acyd Burn's post. I thought I'd seen all the posts in this thread for the past few days. :oops:

sevenalive
Registered User
Posts: 3
Joined: Sat Feb 07, 2009 6:39 am

Re: [Discussion] Downtime and Server Compromise

Post by sevenalive »

I say to save some time, just delete all posts that are over 2 years old, and delete all phpBB 2.x posts/forums. I mean, really do we need information that is that old?
Delete all MODS and have authors resubmit using the current MODX standard.
Since 2.x is not supported, why not just delete posts pertaining to that, delete the discussion posts since those are mostly useless anyway. Delete all the users inactive for over a year too. If you're worried about losing post counts, I am sure you can easily make it so deleting a post does not change post count.

That would:
  • Lower the DB size quite a bit and speed up the site.
  • Ensure all mods are easier to install manually and using installers, and make sure all mods work with 3.0.4 and beyond.
  • Remove the outdated information and useless posts.
I am sure I'll be flamed for this post, but what's the use besides data preservation. Before you say, we can't delete 2.x because people still use it. I say delete it for that reason alone, v3 is out, time to move on. Maybe it's just me, but I like minimal and clean. On my site, I do delete users with 0 posts, never been active or inactive for xx time. How much would the database size change if you did all of that, probably would reduce 70% and I am sure few would miss the old stuff.
Last edited by sevenalive on Tue Feb 10, 2009 7:56 am, edited 1 time in total.

Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

The posts will not be removed. The 2.0.x forums will go into archive mode until further notice, then they will be hidden from public view but maintained; there is just too much (useful) information there to just throw out of the window. IIRC the phpBB 1 forums are still @ .com ;).
sevenalive wrote:Before you say, we can't delete 2.x because people still use it. I say delete it for that reason alone, v3 is out, time to move on.
You can't force users to update when it comes to open source software. If we remove it they will have to find their information on uncontrolled sites, and chances are that the information isn't correct there and complications will be blamed on the phpBB group. Therefore we will be providing an archive as really every possible question is asked and answered on .com.
Support Toolkit developer

Potku
Registered User
Posts: 2
Joined: Sat Feb 07, 2009 5:33 am

Re: [Discussion] Downtime and Server Compromise

Post by Potku »

dsiembab, it is an interesting utopia you paint. Surely, that would be nice. However, let's see if you practice what you preach - I mean, this philosophy of yours can and absolutely should be expanded to all areas of life, right?

Have you ever eaten anything to make you sick? I would bet you have. According to your view, that's your fault because you didn't check the food properly. Don't ask me how you should have done it, this is your idea.

OK, food is a necessity, hosting a forum isn't. Well, neither is driving a car, not to most people at least. Has anything ever happened to your car by someone else? Your fault again, you should have protected your car better.

How about something even less essential, say having a child. If you have a child and something happens to him or her, is it again your fault for not having protected him or her well enough?

Of course, everyone understands your point, but you are presenting it in a manner that reminds me of a certain blogger who has been referred to in this thread multiple times. Now, there's a thought... ;)

dcz
Registered User
Posts: 27
Joined: Sat Feb 12, 2005 9:03 pm

Re: [Discussion] Downtime and Server Compromise

Post by dcz »

Potku, you made my day :mrgreen:
