[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
User avatar
RMcGirr83
Registered User
Posts: 357
Joined: Fri Mar 09, 2007 1:51 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by RMcGirr83 »

The download for phpBB can be found on sourceforge or ohloh, fwiw.

Also, you will always have human spammers. IIRC, no non-human bot has broken the captcha.
Do not hire Christian Bullock he won't finish the job and will keep your money

User avatar
Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

NexusV2 wrote:Hey, just wondering if you guys had any updates on how the revival is coming along?
The only update I can give is that various team member are working around the clock on various tasks. I'm sorry, but much further into detail I can't go right now.

@Pollik:
We are aware that some spam bots seem to have broken the captcha (there are improvements coming in 3.0.5). This is however in no way related to the hack. The timing is really bad, but they would have broken it if the hack wasn't been done.
For now your best defence against them is setting your board up that every first post has to be approved by a moderator (the same thing we do here), as you will recognize most (if not all) spammers on their first post
Available on .com
Support Toolkit developer

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by MartinTruckenbrodt »

Hello,
it seems the spam-bots are able to fill out required custom profile fields, too!

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

User avatar
ChrisRLG
Registered User
Posts: 160
Joined: Wed Oct 11, 2006 9:47 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ChrisRLG »

Pollik wrote:I am not wholly convinced.

Since that post was made, I have had half a dozen applications to join my board that are prima facie spam - somehow squeezing past the anti-bot test.
My own board has not been hit at all - although that may well be because "they" know that we report EVERY instance to the ISP or hoster of those who post (or even try to) spam or any hack attempts.

It may well be that spammers are taking advantage of the main phpBB.com site being off the air. Perhaps even the attack was timed to be just before a major push by the spammers. But that would all be speculation.
Pollik wrote:" It is important to stress that no vulnerabilities have been found in the phpBB software itself."
That is true - the hack was via other software and we have not had any reports of confirmed (or otherwise) hacks via the phpBB3 software.

runicwarrior
Registered User
Posts: 1
Joined: Thu Feb 05, 2009 4:36 pm
Location: Scotland
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by runicwarrior »

its a shame to see any forum hacked specially when its due to an third party software, I do hope your main site will be up soon :)
Bryan "Runic Warrior" Deakin
Owner = SMFThemes.org
Customizer Simple Machines Forum

Pollik
Registered User
Posts: 7
Joined: Thu Feb 05, 2009 3:24 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pollik »

RMcGirr83 wrote:Also, you will always have human spammers. IIRC, no non-human bot has broken the captcha.
I accept that. However, the timing is suspicious - months of operation without observable spammers followed by a small flood (on two entirely separate forums) starting on 2 February, the date of the post I referenced.

I am passing data that may or may not help. Please do not rule out the (remote) possibility that a way round or through captcha can be found. I can recall banks telling us that ATMs were fraud proof (they are not) and that credit cards with PINS are fraud proof (they are not, either). For the villains, a block or a barrier is a challenge to be beaten and I think it may be unwise to be complacement. I grant that other explanations may be more likely and should be explored first.


Polly

Pollik
Registered User
Posts: 7
Joined: Thu Feb 05, 2009 3:24 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pollik »

Erik Frèrejean wrote:
NexusV2 wrote:Hey, just wondering if you guys had any updates on how the revival is coming along?
The only update I can give is that various team member are working around the clock on various tasks. I'm sorry, but much further into detail I can't go right now.

@Pollik:
We are aware that some spam bots seem to have broken the captcha (there are improvements coming in 3.0.5). This is however in no way related to the hack. The timing is really bad, but they would have broken it if the hack wasn't been done.
For now your best defence against them is setting your board up that every first post has to be approved by a moderator (the same thing we do here), as you will recognize most (if not all) spammers on their first post
Thank you Erik, that is extremely helpful :)


Polly

Pollik
Registered User
Posts: 7
Joined: Thu Feb 05, 2009 3:24 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pollik »

For now your best defence against them is setting your board up that every first post has to be approved by a moderator (the same thing we do here), as you will recognize most (if not all) spammers on their first post
Thank you Erik, that is extremely helpful
...if I can work out how. :/




Polly

User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Acyd Burn »

ACP -> Post Settings -> Enable queued posts ;)

Image

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by MartinTruckenbrodt »

Hello,
Double Activation cannot prevend human spam-bots from registering but from posting: http://www.martin-truckenbrodt.com/cgi/ ... m.php?f=22

1.2.4 is in validation process for the phpbb.com MODDB.
1.0.8 is the last validated version. But it's not working correctly with phpBB 3.0.4.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

Post Reply