[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

What is captcha2? Something like web2 :S.

Anyhow, Rich was referring to the phpBB captcha; your article talks about the captchas from Gmail, Yahoo and Hotmail, which are completely different from the one used by phpBB.
But as I've stated earlier in this thread, we have suspicions that the phpBB captcha is broken; we don't know this for sure yet, however.

woodp
Registered User
Posts: 3
Joined: Wed Dec 22, 2004 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by woodp »

Erik Frèrejean wrote:What is captcha2? Something like web2 :S.
Sorry, I meant to say reCaptcha (http://recaptcha.net/). I've had it in use in one application for six months and so far no problems. (famous last words.) And I'm even getting reasonably favorable comments from the usual Captcha-hating crowd.
Erik Frèrejean wrote:Anyhow, Rich was referring to the phpBB captcha; your article talks about the captchas from Gmail, Yahoo and Hotmail, which are completely different from the one used by phpBB.
But as I've stated earlier in this thread, we have suspicions that the phpBB captcha is broken; we don't know this for sure yet, however.
I won't sit here and exclaim "captcha is captcha", but there are similarities in both structure and implementation that tell me your concerns are well founded. Glad to see you're thinking about it.

Good Luck!

Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

woodp wrote:
Erik Frèrejean wrote:What is captcha2? Something like web2 :S.
Sorry, I meant to say reCaptcha (http://recaptcha.net/). I've had it in use in one application for six months and so far no problems. (famous last words.) And I'm even getting reasonably favorable comments from the usual Captcha-hating crowd.
reCaptcha is doing a good job indeed. But as you need to sign up for it, reCaptcha will never ship as the default phpBB captcha. phpBB3.2 will however have reCaptcha included (it's in the trunk right now).

But let us now go back on topic and discuss the Downtime. Captcha discussions are fine, but please start a different topic regarding this.
Especially as the breaking of the captcha isn't related to the hack.

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by EXreaction »

Dog Cow wrote:
EXreaction wrote:Yes, that's an idea. One could rehash the old 2.0.x MD5s with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.
Are you offering this as a solution for phpbb.com? If so, there's one problem: the plain-old MD5 password hashes are out there, no doubt being cracked. Just changing the hash doesn't help at all now, since it's going to be the exact same password anyway.

It's a rather huge problem, the fact that the users table was released publicly. There's basically no fix, now that all 300,000 user IDs, emails, usernames, passwords, etc. are out there. :| Even if you say, "Well, let's just delete/lock/ban those accounts", there are still many, many people who can be traced by email or username (outside of phpbb.com), and use the same username/password everywhere, often some moronic phrase such as an English word, or the exact same as the username.
No, that wouldn't help for phpbb.com, but could be included with an update to phpbb3 in the future to prevent passwords from leaking in case their server got hacked as well.

There is nothing you can do about the released information; all you can do is reset the passwords (forcing them to get a new password with the "I forgot my password" link) for those users on phpbb.com and send them all emails notifying them of what happened, at the email address they used.
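
An added example of the scheme EXreaction sketches above (this is not phpBB code and not code from anyone in the thread): existing unsalted MD5 hashes are immediately re-hashed under a stronger scheme and flagged as legacy, so plain MD5 never sits in the users table again; on the next correct login the cleartext is available, so the record is replaced with a direct hash and the flag cleared. PBKDF2-HMAC-SHA256 from the Python standard library stands in for "the new system" (phpBB's real hash format is not reproduced), the iteration count is an assumed tuning value, and the users table is a plain dict. The last function illustrates Dog Cow's objection: once unsalted MD5s have been published, a wordlist lookup recovers the weak passwords regardless of what the site stores afterwards.

```python
"""Legacy-MD5 wrapping with upgrade-on-login (added example, not phpBB's code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumption: tuning knob for the stand-in scheme


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    legacy_md5: bool  # True while the wrapped value is md5(password), not password


def _pbkdf2(inner: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", inner, salt, PBKDF2_ITERATIONS)


def legacy_md5_hex(password: str) -> str:
    """2.0.x-style storage: unsalted MD5 as 32 lowercase hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wrap_legacy_hash(md5_hex: str) -> PasswordRecord:
    """Offline migration step: re-hash the existing MD5 under the new scheme
    and flag the row. Needs no cooperation from the user, so it can run over
    the whole table at once."""
    salt = os.urandom(16)
    return PasswordRecord(salt, _pbkdf2(md5_hex.lower().encode("ascii"), salt), legacy_md5=True)


def hash_new_password(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _pbkdf2(password.encode("utf-8"), salt), legacy_md5=False)


def verify_and_upgrade(record: PasswordRecord, submitted: str) -> tuple[bool, PasswordRecord]:
    """Login check. Returns (ok, record_to_store).

    For a flagged row the submitted password is MD5'd first, because that is
    what the stored digest wraps. On a successful legacy login the cleartext
    is finally in hand, so a direct hash replaces the wrapped one and the flag
    is cleared. The digest comparison is constant-time."""
    if record.legacy_md5:
        inner = legacy_md5_hex(submitted).encode("ascii")
    else:
        inner = submitted.encode("utf-8")
    ok = hmac.compare_digest(_pbkdf2(inner, record.salt), record.digest)
    if ok and record.legacy_md5:
        return True, hash_new_password(submitted)
    return ok, record


def match_leaked_md5(leaked_hex: set[str], wordlist: list[str]) -> dict[str, str]:
    """Why the migration does nothing for hashes already published: an
    unsalted MD5 is a direct lookup, one hash per candidate word, with no
    salt to force per-user work."""
    found: dict[str, str] = {}
    for word in wordlist:
        h = legacy_md5_hex(word)
        if h in leaked_hex:
            found[h] = word
    return found


if __name__ == "__main__":
    # Constructed sample of a 2.0.x-era table: username -> md5 hex.
    old_table = {"alice": legacy_md5_hex("hunter2"), "bob": legacy_md5_hex("password")}
    table = {user: wrap_legacy_hash(h) for user, h in old_table.items()}
    ok, table["alice"] = verify_and_upgrade(table["alice"], "hunter2")
    print("alice login:", ok, "still legacy:", table["alice"].legacy_md5)
    print("recovered from leaked MD5s:", match_leaked_md5(set(old_table.values()), ["qwerty", "password"]))
```

The wrap step is what protects a board whose table has not leaked yet; for a table that is already public, as in this incident, the only remaining lever is the password reset and notification EXreaction describes.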

dcz
Registered User
Posts: 27
Joined: Sat Feb 12, 2005 9:03 pm

Re: [Discussion] Downtime and Server Compromise

Post by dcz »

It really seems that the phpBB GD captcha was circumvented and, worse, that some script was released to use the trick to massively spam phpBB3.0.4 forums.

This was probably already raised elsewhere, but I'm wondering if the current phpbb.com downtime was not part of the spamming plan, which seemed to have started around the same time, as a way to buy time for the spam.

Because even though a lot of data was stolen, it's not like Visa account numbers were compromised. I don't think that many of the unconverted passwords were indeed interesting; a portion of them maybe, but among many others that most likely really were not.

Anyway, good luck with putting things back on !

++

3Di
Registered User
Posts: 762
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: [Discussion] Downtime and Server Compromise

Post by 3Di »

EXreaction wrote:There is nothing you can do about the released information
Indeed.
EXreaction wrote:all you can do is reset the passwords (forcing them to get a new password with the I forgot my password link) for those users on phpbb.com and send them all emails notifying them of what happened with the email address they used.
Agreed, that's a good point. What about all of the Team Members' private info, telephone numbers and real-life data, though? They are all public now. :o
Another good point could be the fact the "hacker" promised to spread some topics found in the private forums. :? No skeletons at all I guess, but.. it's really a huge inconvenience this time IMHO.

Anyway, show must go on. Keep up the great work guys, c'mon. :)

rusty105
Registered User
Posts: 18
Joined: Mon Aug 29, 2005 3:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by rusty105 »

I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), and since Jan 30th almost two dozen spam registrations. Too coincidental for me.

Rusty

3Di
Registered User
Posts: 762
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: [Discussion] Downtime and Server Compromise

Post by 3Di »

rusty105 wrote:I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), and since Jan 30th almost two dozen spam registrations. Too coincidental for me.

Rusty
phpbb.com and phpBB itself being the best and most used GPLed BBS around the world, the fact it has been hacked (even if via an external app) indeed got the attention of the spambots/spammers; that's because of the web. Got it? Nothing less, nothing more, IMHO.

darcie
Community Team
Posts: 189
Joined: Mon Mar 12, 2007 7:32 pm
Location: Davis, California

Re: [Discussion] Downtime and Server Compromise

Post by darcie »

I am absolutely convinced that the sudden influx of spam registration and the hacking event occurring at the same time are a complete coincidence. It is unfortunate that they have both taken place at the same time, but there is no way to link the two. A test board I have set up online with no posts, no members, no inward links (other than Google knowing it exists), and no relation to the information I have at phpbb.com has also incurred the same problem. There is absolutely no way to link it to the release of information taken from phpbb.com, and therefore I see no relation between the two events.

Sometimes coincidence is just that. :)
So let's please leave the spam discussion to the topic existing in the support forum. Thanks.

rusty105
Registered User
Posts: 18
Joined: Mon Aug 29, 2005 3:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by rusty105 »

I am not knocking phpBB at all. I started with phpBB, and I never see myself using anything else! I am just saying that I think it might be related, whether intentional or not, by the same party(s) or not. We the phpBB community have been attacked. Our boards are getting spammed hard, and our 'Mother' support forum is down, HARD! I know the admins are doing their best, and I would rather wait longer to be sure everything is sanitized before it comes back up.

Sorry to be beating this horse


Rusty