[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
rusty105
Registered User
Posts: 18
Joined: Mon Aug 29, 2005 3:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by rusty105 » Fri Feb 06, 2009 7:41 pm

Like I said, I have no idea how the hash works :( I guess you are saying that even if the same password is chosen, they will not come out of the hash the same??

Rusty

Posts
Registered User
Posts: 6
Joined: Thu Feb 05, 2009 6:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by Posts » Fri Feb 06, 2009 8:00 pm

normalhash(password1) equals normalhash(password1)

but
normalhash(username1 + password1) does not equal normalhash(username2 + password1)
(phpbb3 method is more complicated than this and does not use the username)

normalhash(username1 + password1) equals normalhash(username1 + password1)

rusty105
Registered User
Posts: 18
Joined: Mon Aug 29, 2005 3:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by rusty105 » Fri Feb 06, 2009 8:05 pm

Posts wrote: normalhash(password1) equals normalhash(password1)

but
normalhash(username1 + password1) does not equal normalhash(username2 + password1)
(phpbb3 method is more complicated than this and does not use the username)

normalhash(username1 + password1) equals normalhash(username1 + password1)

But would the hash be the same on 2 different sites, if both the username and password were the same?

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Fri Feb 06, 2009 8:08 pm

Try for yourself: http://www.cs278.org/tools/phpbb/hash.php click hash multiple times and see the differences.
Chris Smith | Blog | XMO | Ohloh | Area51 | Wiki | No support via PM/IM

wGEric
Registered User
Posts: 521
Joined: Wed Jun 11, 2003 2:07 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by wGEric » Fri Feb 06, 2009 8:09 pm

CarolC1 wrote: I in no way even remotely fault anyone on phpbb for not patching something when a patch was not even released till many days later. However, I do wonder if the knowledge of the security hole in phpList was circulating underground for a while before it was posted on milworm, and if it might have been exploited earlier than the hacker claims. If you have ways of checking old backups, etc, you may have found some indication of entry before Jan 14. Perhaps you can clarify this. Is Jan 14 the earliest date you have evidence or suspicion of access by the hacker? If not, what is the earliest date? Thanks.
You have asked for this information but you have never said why you need it. I'm curious as to why you want to know, since I don't see how it is important for you to know.
Eric

rusty105
Registered User
Posts: 18
Joined: Mon Aug 29, 2005 3:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by rusty105 » Fri Feb 06, 2009 8:20 pm

ToonArmy wrote: Try for yourself: http://www.cs278.org/tools/phpbb/hash.php click hash multiple times and see the differences.

Nice! I told you, I have no idea how they work. So how does it know, when I log in, how to compare the password I entered to what it has in the DB, if the hashes are never the same? If it is sensitive info, I don't need to know.

Rusty

ps if this is wasting time, let me know.

Posts
Registered User
Posts: 6
Joined: Thu Feb 05, 2009 6:16 pm

Re: [Discussion] Downtime and Server Compromise

Post by Posts » Fri Feb 06, 2009 8:22 pm

Have/will the users with old password hashes be emailed?

rusty105:
Instead of a username, it's a random number. This random number is different for each user, and stored for each user. So yeah, different on 2 different sites.
See for yourself:
phpBB3/includes/functions.php
find: function phpbb_hash($password)
edit: whoops, made a big mistake, unique_id != user_id
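To illustrate what Posts describes above (and rusty105's question about how a login can be checked when the stored hashes never look alike), here is an added Python reimplementation of the phpass-style portable hash scheme that phpBB3's phpbb_hash() follows; it is not phpBB's own code. It assumes phpBB3's default cost prefix '$H$9' (2048 MD5 rounds) and adds a constant-time comparison that the original PHP does not have.

```python
import hashlib
import hmac
import os

# Alphabet of the phpass "portable" hash scheme that phpBB3's phpbb_hash() follows.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def encode64(data: bytes, count: int) -> str:
    """phpass base64 variant: every 3 input bytes become 4 alphabet characters."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)

def crypt_private(password: str, setting: str) -> str:
    """Iterated MD5 keyed by the salt carried in `setting` ('$H$' + cost char + 8-char salt)."""
    if setting[:3] != '$H$' or len(setting) < 12:
        return '*'
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return '*'
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # '9' is index 11, so 2**11 = 2048 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)  # 12 + 22 = 34 characters

def phpbb_style_hash(password: str) -> str:
    return crypt_private(password, '$H$9' + encode64(os.urandom(6), 6))  # fresh salt each call

def check_hash(password: str, stored: str) -> bool:
    """Login check: re-derive with the salt embedded in the stored hash, then compare."""
    if len(stored) == 34:
        return hmac.compare_digest(crypt_private(password, stored), stored)
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)  # old plain-md5 rows
```

Two calls to phpbb_style_hash() with the same password give different strings because the salt is random, yet check_hash() verifies either one because the salt is read back out of the first 12 characters.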

dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: [Discussion] Downtime and Server Compromise

Post by dowelld » Fri Feb 06, 2009 10:02 pm

I've seen no sign of bot registrations that I would consider out of the ordinary since this happened, so, as has been said, those of you who have must be experiencing a coincidental event, as opposed to one that has been caused by this.

As was said earlier, simple steps like changing the captcha settings from their defaults will serve you well, by making your site a damned sight harder to use a bot against.

rockeiro
Registered User
Posts: 4
Joined: Wed Feb 04, 2009 7:57 pm

Re: [Discussion] Downtime and Server Compromise

Post by rockeiro » Fri Feb 06, 2009 10:27 pm

At the same time as the *Twit* was hacking, in the 2 weeks prior, perhaps coincidentally, the stock captchas have been cracked by registration robots and as a result, bot registrations suddenly started coming in.

I personally did go back and change the x and y axis settings for the captchas and this seemed to help but not eliminate the registrations. I turned on the foreground noise too but found that I could read maybe one in five captchas with it on, so I turned it back off.

It would be cool if stuff at Captchas.net could be loaded easily into phpBB so that we had such variety of captchas that it would throw off the registration engines totally. I really like the captcha ESP-PIX concept. Tell me when a computer is going to do image recognition AND pick from a drop-down list. See it here: http://www.captcha.net/cgi-bin/esp-pix These might be a cool bunch of people to ally with and incorporate their product into phpBB.

seanieb
Registered User
Posts: 2
Joined: Fri Feb 06, 2009 11:07 pm

Re: [Discussion] Downtime and Server Compromise

Post by seanieb » Fri Feb 06, 2009 11:35 pm

rusty105 wrote: I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), and since Jan 30th almost 2 doz. spam registrations. Too coincidental for me.

Rusty
Mine too, hundreds of new spam accounts. I activate the accounts manually, none of them have been activated, but yet they (the spammers) are still creating accounts. It has to be a bot.

Could some sort of weakness have been leaked when the phpbb site got hacked?

I really could use some of the anti spam mods right now.
