[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
dsiembab
Registered User
Posts: 4
Joined: Mon Feb 09, 2009 5:40 pm

Re: [Discussion] Downtime and Server Compromise

Post by dsiembab »

It just happens that I was going to use phpBB for my site. I have used it in the past and do understand that the exploit was from a third-party extension. But some people do not, and I think that this will hurt your community, well not the established community but anyone new to web development looking for a forum program.
It's ironic that the main phpBB site was not following their own mantra of security. The hacker just seems like a stupid schmuck. If he was smart he wouldn't have let anyone know that the site was being hacked in the first place and would have covered his tracks.
I will still use phpBB's software, but others might feel scorned, especially if they didn't have a third-party e-mail address instead of their ISP's.
This can happen to any application that utilizes third-party software; you don't have to have a BS in computer science to write a third-party add-on or plugin. There are a lot of scripts out there to check PHP software for vulnerabilities, but my rule of thumb when writing PHP scripts is to use full directory paths and URL paths at all times. A template file, a parser, in the install directory and a command to write the file to the directory. Drop the GET requests, you are just asking for trouble.

3Di
Registered User
Posts: 771
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Post by 3Di »

dsiembab wrote: But some people do not, and I think that this will hurt your community, well not the established community but anyone new to web development looking for a forum program.
That's understandable, but you?
dsiembab wrote: It's ironic that the main phpBB site was not following their own mantra of security.
It was a 0-day exploit, remember that.
dsiembab wrote: If he was smart he wouldn't have let anyone know that the site was being hacked in the first place and would have covered his tracks.
Are 2 weeks enough? Tracks have been covered very well AFAIK.
dsiembab wrote: you don't have to have a BS in computer science to write a third-party add-on or plugin.
Do you think the developers here are such noobs? Don't you think they have (free software = free spare time to use for..) a lot of things to do, a very lot?
dsiembab wrote: There are a lot of scripts out there to check PHP software for vulnerabilities
Would you mind sharing all of those links?
dsiembab wrote: but my rule of thumb when writing PHP scripts is to use full directory paths and URL paths at all times. A template file, a parser, in the install directory and a command to write the file to the directory.
Please check the core code.. you're a coder, have fun.
dsiembab wrote: Drop the GET requests, you are just asking for trouble.
It's never too late to learn, be my teacher please.

Regards.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

dsiembab
Registered User
Posts: 4
Joined: Mon Feb 09, 2009 5:40 pm


Post by dsiembab »

3Di wrote: It was a 0-day exploit, remember that.
Thanks for the info. Even though I already knew that, I appreciate it. A zero-day exploit, how is that? It is only a zero-day exploit when someone finds it and reports it.
dsiembab wrote: you don't have to have a BS in computer science to write a third-party add-on or plugin.

What I meant was anyone can write a plugin with no sense of security.
3Di wrote: Do you think the developers here are such noobs? Don't you think they have (free software = free spare time to use for..) a lot of things to do, a very lot?
Did I say that? No. The person who hacked the site checked a website for the exploit. I know the average Joe Somebody will just drop an add-on or plugin into their website and forget about it. But the lesson I think learned here is: check the plugin before you use it, and if it needs tweaking, tweak it and tell the developer of the script. Did you see the exploit and how it was used? It was PHP security day-one stuff. I know grandma and her bridge pals are not writing this software, but they could be writing the plugins. :lol:
3Di wrote: Would you mind sharing all of those links?
Google is your friend. I don't use them; I look at the code first. I'm not Joe Somebody, especially when it comes to my users and their privacy. I know it adds development time, but without the trust of the users, forums are nothing.
3Di wrote: It's never too late to learn, be my teacher please.
LOL :lol: Lesson 1: Look at the third-party code before implementing it into your site. Patience, Daniel-san.

RMcGirr83
Registered User
Posts: 357
Joined: Fri Mar 09, 2007 1:51 am

Post by RMcGirr83 »

dsiembab wrote: Patience, Daniel-san.
:)

His name is "Marco". ;)

darcie
Community Team
Posts: 189
Joined: Mon Mar 12, 2007 7:32 pm
Location: Davis, California

Post by darcie »

dsiembab wrote:
3Di wrote: It was a 0-day exploit, remember that.
Thanks for the info. Even though I already knew that, I appreciate it. A zero-day exploit, how is that? It is only a zero-day exploit when someone finds it and reports it.
The exploit was posted on January 14th, and within hours the attacker found it and used it to gain entrance. A patch was not released until January 28th. Hence, zero-day exploit.

3Di
Registered User
Posts: 771
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Post by 3Di »

RMcGirr83 wrote:
dsiembab wrote: Patience, Daniel-san.
:)

His name is "Marco". ;)
Yes, and very patient. :)

3Di
Registered User
Posts: 771
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Post by 3Di »

Darcie wrote:
dsiembab wrote:
3Di wrote: It was a 0-day exploit, remember that.
Thanks for the info. Even though I already knew that, I appreciate it. A zero-day exploit, how is that? It is only a zero-day exploit when someone finds it and reports it.
The exploit was posted on January 14th, and within hours the attacker found it and used it to gain entrance. A patch was not released until January 28th. Hence, zero-day exploit.
Exactly. On a side note, it was released on the 29th of January: http://www.phplist.com/?lid=274

darcie
Community Team
Community Team
Posts: 189
Joined: Mon Mar 12, 2007 7:32 pm
Location: Davis, California

Post by darcie »

I stand corrected, then. Psh, time zones. I was partly right: it was still the 28th for me. :P

jimhap
Registered User
Posts: 1
Joined: Mon Feb 09, 2009 8:48 pm


Post by jimhap »

I still wonder: who was the hacker, and are there any logs of the hacker's evildoing?

Dog Cow
Registered User
Posts: 271
Joined: Wed May 25, 2005 2:14 pm


Post by Dog Cow »

jimhap wrote: I still wonder: who was the hacker
Do a Google search for "phpbb.com hacked" and you can read his blog plus other people's blogs.
jimhap wrote: and are there any logs of the hacker's evildoing?
Read this topic. In a word, no.
