[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
kber
Registered User
Posts: 1
Joined: Thu Oct 04, 2007 11:13 am

Re: [Discussion] Downtime and Server Compromise

Post by kber » Fri Feb 06, 2009 11:57 am

The better thing to do is to leave the team to recover the phpBB site, and keep our eyes open for any other site on the web that might share the phpBB database.

ChrisRLG
Registered User
Posts: 160
Joined: Wed Oct 11, 2006 9:47 am

Re: [Discussion] Downtime and Server Compromise

Post by ChrisRLG » Fri Feb 06, 2009 1:31 pm

dowelld wrote:It would surely be easy enough (once it's all back) to have a read-only mirror that was updated nightly somewhere else.
The hacker gained access on (or by) the 14th January and was not kicked out till the 1st February.

So all the backups during that period are suspect.

We do take backups on a regular basis, but losing 2-3 weeks of posts was not felt to be in the best interests of the community. We are therefore using the latest backup, but sanitizing it. That takes more time.

I can tell you the whole team is working flat out to get that sanitizing done, but making doubly sure nothing is left which is suspect.

A mirror with nightly backups would NOT have solved this as both would still have been suspect.

rusty105
Registered User
Posts: 18
Joined: Mon Aug 29, 2005 3:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by rusty105 » Fri Feb 06, 2009 1:36 pm

I might have a clue,

Has anyone seen a post like this in their forums?

Hello!
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
And Bye!
Where the xxx's look like a session ID?


I found this on my board Feb 5th, 10:00 PM

If a MOD or ADMIN wants more info such as IP address of poster PM me

Rusty

dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: [Discussion] Downtime and Server Compromise

Post by dowelld » Fri Feb 06, 2009 2:11 pm

@ rusty105
A clue about what ?

The hack was nothing to do with phpBB3, other than it being done to the people who write the code, so whatever you found posted on your phpBB board isn't relevant in any way to the fact that phpBB.com was hacked.

@ ChrisRLG
I was only suggesting restoring an old copy of the mod database somewhere else, and restoring that as read only access in the event of the worst case scenario. In read only mode the latest posts to the mod database wouldn't be massively relevant anyway.

As it stands phpBB has all but vanished from the web. Now I know you're all working hard to fix that, and thank you all for your efforts... but my original point stands, no one can modify their boards with the mods that are available, so they'll go install SMF or some other board, which will allow them to at least read how to change their board to do what they want.

It's about the provision of information, in the worst case scenario, and if you don't think it's worth it that's fine, it won't stop me using phpBB.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Fri Feb 06, 2009 2:14 pm

rusty105 wrote:If a MOD or ADMIN wants more info such as IP address of poster PM me
PMed.

Dog Cow
Registered User
Posts: 271
Joined: Wed May 25, 2005 2:14 pm

Re: [Discussion] Downtime and Server Compromise

Post by Dog Cow » Fri Feb 06, 2009 2:31 pm

EXreaction wrote:Yes, that's an idea. One could rehash the old 2.0.x MD5's with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.
Are you offering this as a solution for phpbb.com? If so, there's one problem: the plain-old MD5 password hashes are out there, no doubt being cracked. Just changing the hash doesn't help at all now, since it's going to be the exact same password anyway.

It's a rather huge problem, the fact that the users table was released publicly. There's basically no fix, now that all 300,000 user IDs, emails, usernames, passwords, etc. are out there. :| Even if you say, "Well, let's just delete/lock/ban those accounts," there are still many, many people who can be traced by email or username (outside of phpbb.com), and use the same username/password everywhere, often some moronic phrase such as an English word, or the exact same as the username.
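The legacy-hash wrapping that EXreaction describes, and the reason Dog Cow says it no longer helps once the md5 dump is public, worked through in code. This is an added example, not phpBB's code (phpBB3's own hasher is a different scheme); the "new system" here is assumed to be PBKDF2-HMAC-SHA256 with a random salt, the users table is constructed sample data, and modern_hash, migrate_legacy_table, login and crack_leaked_md5 are hypothetical helper names chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample rows for this example, not real phpBB.com data: a 2.0.x-style
# users table holds an unsalted md5 of each password.
LEGACY_USERS = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"bob").hexdigest(),
}

# Assumed "new system": PBKDF2-HMAC-SHA256 with a random 16-byte salt. This stands
# in for whatever the board's current hasher is; the wrapping idea is the point.
ITERATIONS = 100_000


def modern_hash(secret, salt=None):
    """Hash an arbitrary secret (a password, or a legacy md5 digest) with a salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def modern_verify(secret, stored):
    """Constant-time check of a secret against a modern_hash() string."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_legacy_table(legacy):
    """Offline migration step: wrap each stored md5 in the modern scheme and flag
    the row. The hex md5 is treated as the 'password' fed to PBKDF2, so after
    migration the database no longer holds any bare md5 digest."""
    return {
        name: {"hash": modern_hash(md5_hex.encode()), "legacy_md5": True}
        for name, md5_hex in legacy.items()
    }


def login(users, username, password):
    """Verify a login. On a successful legacy login, rehash from the real password
    and clear the flag so the md5 intermediate disappears for that account."""
    rec = users.get(username)
    if rec is None:
        return False
    pw = password.encode()
    if rec["legacy_md5"]:
        # Recreate exactly what 2.0.x would have stored, then check the wrapper.
        candidate = hashlib.md5(pw).hexdigest().encode()
        if not modern_verify(candidate, rec["hash"]):
            return False
        rec["hash"] = modern_hash(pw)
        rec["legacy_md5"] = False
        return True
    return modern_verify(pw, rec["hash"])


def crack_leaked_md5(leaked, wordlist):
    """Dog Cow's objection, as code: an attacker holding the pre-migration dump
    never sees the wrapper. Unsalted md5 falls to a plain lookup table, and the
    recovered passwords remain valid against the migrated table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {name: table[h] for name, h in leaked.items() if h in table}
```

Migrating the table protects against a future dump of the database (no bare md5 is left to crack), and the rehash-on-login gradually removes the md5 intermediate for active accounts. It does nothing for the dump that already escaped: crack_leaked_md5 works from that copy alone, and every password it recovers still logs in, which is why a forced reset, not a rehash, is the only answer for accounts whose old hash is public.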

bolverk
I've been banned
Posts: 280
Joined: Mon Feb 02, 2009 5:39 pm

Re: [Discussion] Downtime and Server Compromise

Post by bolverk » Fri Feb 06, 2009 3:03 pm

dowelld wrote:I was only suggesting restoring an old copy of the mod database somewhere else, and restoring that as read only access in the event of the worst case scenario. In read only mode the latest posts to the mod database wouldn't be massively relevant anyway.

As it stands phpBB has all but vanished from the web. Now I know you're all working hard to fix that, and thank you all for your efforts... but my original point stands, no one can modify their boards with the mods that are available, so they'll go install SMF or some other board, which will allow them to at least read how to change their board to do what they want.
Exactly the point I was trying to make earlier in the week, my last response was ignored however.
bolverk wrote (yesterday, 4:26 am), in Re: [Discussion] Downtime and Server Compromise:
Marshalrusty wrote:As far as the downtime, it has nothing to do with not having a mirror site. The attacker had access to the server for a 2 week period. This means that we would either have to revert to a 2 week old backup (and lose 2 weeks of information in the process) or run the full investigation that we are running now. This site is available for support while the main board remains offline.
By mirror I mean secondary, not necessarily online but a second source of all available downloads that phpBB.com currently provides. Even a basic ftp site with the converters, mods and styles available would suffice, since these are not available on sourceforge. Would it really be that much work to create a secondary independent storage location for all downloadable packages made available through the main site? The forums being down is not that much of an issue as you do have redundancy with area51 and google's cache of most of the support topics available.
People visit phpbb.com for two reasons, to get support and to get software. The real accomplishment of this hacker is not that he exploited a vulnerable script or that he grabbed emails, usernames and passwords, it happens all the time and almost anybody can do it. The real achievement of this whole fiasco is that he's managed to cripple the main site of the most widely used BB system in the world for almost a week now. Had there not been a single point of failure for software delivery this whole thing could have had much less of an impact.

Brandon07
Registered User
Posts: 21
Joined: Mon Feb 02, 2009 1:09 pm
Location: Michigan

Re: [Discussion] Downtime and Server Compromise

Post by Brandon07 » Fri Feb 06, 2009 3:42 pm

rusty105 wrote:I might have a clue,

Has anyone seen a post like this in their forums?

Hello!
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
And Bye!
Where the xxx's look like a session ID?


I found this on my board Feb 5th, 10:00 PM

If a MOD or ADMIN wants more info such as IP address of poster PM me

Rusty
I had someone type something similar.

Hello!
(gibberish)
And bye!

The title of the topic was testing. I deleted that member off of my forums, though.

CarolC1
Registered User
Posts: 12
Joined: Mon Feb 02, 2009 12:45 am

Re: [Discussion] Downtime and Server Compromise

Post by CarolC1 » Fri Feb 06, 2009 4:42 pm

ChrisRLG wrote:The hacker gained access on (or by) the 14th January - and was not kicked out till the the 1st February.
I would like to know the earliest date you currently have indications or suspicions he was in, and as your investigation continues and that date may change, I would like to be updated on any change of the earliest date in a timely manner.

Could you please post the earliest date you have at this time? Thank you. :)
dowelld wrote:The hack was nothing to do with phpBB3, other than it being done to the people who write the code, so whatever you found posted on your phpBB board isn't relevant in anyway to the fact that phpBB.com was hacked.
I agree the phpBB software as written was security tested and found to be secure, however they are still investigating the incident itself and may not have had time to complete the investigation, draw final conclusions, and release all findings. I would not make assumptions at this point.

woodp
Registered User
Posts: 3
Joined: Wed Dec 22, 2004 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by woodp » Fri Feb 06, 2009 4:46 pm

RMcGirr83 wrote:IIRC, no non-human bot has broken the captcha.
That's not true at all! Tools are readily available for defeating the original Captcha.

http://blogs.zdnet.com/security/?p=1418

There is a newer version, called Captcha2 which is completely different, that still "appears" OK.
