[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
Pollik
Registered User
Posts: 7
Joined: Thu Feb 05, 2009 3:24 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pollik » Thu Feb 05, 2009 5:32 pm

Acyd Burn wrote:ACP -> Post Settings -> Enable queued posts ;)
It didn't come it till 3.0.4 and I have 3.0.2 - and can't upgrade at the moment because of the current issue. :/

But thanks :)




Polly

User avatar
a_o_c
Registered User
Posts: 26
Joined: Mon Feb 02, 2009 8:19 pm
Location: phpbb_
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by a_o_c » Thu Feb 05, 2009 5:35 pm

Pollik wrote:It didn't come it till 3.0.4 and I have 3.0.2 - and can't upgrade at the moment because of the current issue. :/
what current issue? phpbb 3.0.4 currently has no known security flaws. time to upgrade. ;)

Posts
Registered User
Posts: 6
Joined: Thu Feb 05, 2009 6:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by Posts » Thu Feb 05, 2009 6:38 pm

Idea: (assumption: old hashs are exactly the same phpbb2 -> phpbb3)

a third type of password hash for phpbb3

this new hash will store OLD hash in a more secure manner, same way as current(phpbb3) hashes but an extra flag to indicate that the OLD hash must be applied before applying the current hash

the update script will go through the DB and apply the 3rd hash to the OLD hash.
--
keep in mind the worst case scenario, huge chunk of users with old hashes and use the same password for everything, attackers gain access to email accounts, email accounts contain all verification emails, from here you gain admin access to more forums, i'm guessing that the typical phpbb3 admin can download just the user table from the ACP, and spider out from there, etc.
--
edit: btw, i think it would be a big security gain to require a flag to be set in the config.php before any admin can backup the DB through the ACP, kind of like how you have to delete the install directory
edit: same thing goes for clear logs and restore. if someone does do a ACP back user table then clear log there may still be evidence(forum file system, db file, see timestamp), though the ability to change a long inactive admin password and use that to clear the logs adds uncertainty when it comes to tracing the problem.
Last edited by Posts on Thu Feb 05, 2009 7:33 pm, edited 1 time in total.

User avatar
Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: [Discussion] Downtime and Server Compromise

Post by Kellanved » Thu Feb 05, 2009 7:33 pm

Hashing the old hashes again could be done; the tricky part is not to reduce password security when doing so. It adds another step of complication to conversions, though. We will probably introduce it.

A switch as you propose, sadly, wouldn't have any effect. Admins already need a permission to access the module; an attacker who is already able to read and write the database and to execute arbitrary scripts will get past any such limitation. At this point the horses have already left the stable; reinforcing the doors won't help much.
No support via PM.
Trust me, I'm a doctor.

Pollik
Registered User
Posts: 7
Joined: Thu Feb 05, 2009 3:24 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pollik » Thu Feb 05, 2009 10:05 pm

a_o_c wrote:
Pollik wrote:It didn't come it till 3.0.4 and I have 3.0.2 - and can't upgrade at the moment because of the current issue. :/
what current issue? phpbb 3.0.4 currently has no known security flaws. time to upgrade. ;)
I mean whether I use the phpBB update or whether I use my web host's script installer, the update fails - no connection


Polly

Pollik
Registered User
Posts: 7
Joined: Thu Feb 05, 2009 3:24 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pollik » Thu Feb 05, 2009 10:07 pm

And I wish I understood the conversation between Posts and Kellanved :/

User avatar
Dog Cow
Registered User
Posts: 271
Joined: Wed May 25, 2005 2:14 pm

Re: [Discussion] Downtime and Server Compromise

Post by Dog Cow » Thu Feb 05, 2009 10:19 pm

I read his blog... quite interesting. :)

Stuff posted publicly on the Internet never goes away. Ever.

JThree
Registered User
Posts: 1
Joined: Thu Feb 05, 2009 10:26 pm

Re: [Discussion] Downtime and Server Compromise

Post by JThree » Thu Feb 05, 2009 10:49 pm

Sorry if this is the wrong place but I'm pretty desperate!

My site is planning a major upgrade this spring that will incorporate 3. For now we're still on version 2. And I've been locked out of the forum since Monday. This happened once before and all I need to fix it is the "auto_cookies" mod. but since the PHPBB site is down I can't get it. Does anyone have a copy I can download somewhere? Thanks and apologies if this is the wrong place to ask.

wolf2009
Registered User
Posts: 1
Joined: Thu Feb 05, 2009 10:55 pm

Re: [Discussion] Downtime and Server Compromise

Post by wolf2009 » Thu Feb 05, 2009 10:57 pm

This is really unfortunate. I am so lost without all the support you guys provide and at the same time worried about the SPAM that is coming my way.

Just wanted to let you guys know, the guy who hacked you has written a post of how he did it. maybe this will give you some info of how to prevent it from happening in the future.

<< Link re moved >>

=========================

Edit : ChrisRLG

we do not wish to add to the links to his posts on the net - we are very aware of those blogs/sites with the data.

If anyone else has any info please PM to a team member here instead of posting - thank you : ChrisRLG
Last edited by ChrisRLG on Thu Feb 05, 2009 11:04 pm, edited 1 time in total.
Reason: removed link and added note.

User avatar
ChrisRLG
Registered User
Posts: 160
Joined: Wed Oct 11, 2006 9:47 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ChrisRLG » Thu Feb 05, 2009 11:02 pm

JThree wrote:Sorry if this is the wrong place but I'm pretty desperate!

My site is planning a major upgrade this spring that will incorporate 3. For now we're still on version 2. And I've been locked out of the forum since Monday. This happened once before and all I need to fix it is the "auto_cookies" mod. but since the PHPBB site is down I can't get it. Does anyone have a copy I can download somewhere? Thanks and apologies if this is the wrong place to ask.

Sorry but v2 in not longer in support - even if we had the access to those files, they are suspect to having been altered, so would need to be checked over manually before being available for download.

I do not expect we will be doing that, with anything for v2, as to us that software has been 'end of lifed' and was announced almost a year ago now. We have enough to do with checking everything of v3 without us worring about something we no longer support.

My suggestion to you is to use google or another search engine and find another support site which may still be doing support for v2 versions.

Post Reply