[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
shahinavthal
Registered User
Posts: 4
Joined: Mon Feb 02, 2009 7:45 am

Re: [Discussion] Downtime and Server Compromise

Post by shahinavthal »

This is really sad, as we knew of the threat beforehand itself...

Nevertheless... I am sure you guys would be up all night to get this worked out...

We should also appreciate the transparency shown by the phpBB team on the problem.

But wouldn't the phpBB team have some old backups :? ? Maybe they should just put in the backup and flush the bugs out... The MOD/Style authors could just update their initial posts if they had updated after the backup was taken... People with support questions would ask them again... I don't think that should be an issue.

Wouldn't that be just fine? Or is it even more complicated than that :?:

Thanks for all the great efforts you are putting in now...
Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

shahinavthal,
We want to be absolutely sure what data the attacker had, where he has been on the server and what he has done. Therefore the server will stay down until we've done a full investigation on what has happened.
Available on .com
Support Toolkit developer
shahinavthal
Registered User
Posts: 4
Joined: Mon Feb 02, 2009 7:45 am

Re: [Discussion] Downtime and Server Compromise

Post by shahinavthal »

Okay, that explains it well. We are all ready to wait... (Especially since people could open their support tickets here as well, so I feel all's fair :) )

Edit:

Just a suggestion: if you feel there is a password hack threat, the best possible way would be to make phpbb.com generate random passwords and then send them to the members' email, with a forced password change on the first login (using the current password sent from phpBB).

Why am I disturbing you guys anyway... Go do your job, boys :mrgreen: (You all know better than me anyway ;) )
Gofer01
Registered User
Posts: 3
Joined: Mon Feb 02, 2009 6:07 am
Location: Albuquerque, NM, USA
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Gofer01 »

Well, my question was never answered. It's a simple question: what type of database does the forum software use? An MS Access database, an MS SQL Server database or a MySQL database? Depending on the answer I will consider installing the forum software.

I'm sorry about the site attack, but I'm not here for that.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

Gofer01 wrote: Well, my question was never answered. It's a simple question: what type of database does the forum software use? An MS Access database, an MS SQL Server database or a MySQL database? Depending on the answer I will consider installing the forum software.

I'm sorry about the site attack, but I'm not here for that.
If you have any further questions, please start a new topic in the support forum. You can find your answer here: http://www.cs278.org/phpbb/docs/quickst ... ments.html
Gofer01
Registered User
Posts: 3
Joined: Mon Feb 02, 2009 6:07 am
Location: Albuquerque, NM, USA
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Gofer01 »

So be it, too much attitude here. Testing this forum is too much of a problem, especially since the moderators appear to be angry.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

Gofer01 wrote: So be it, too much attitude here. Testing this forum is too much of a problem, especially since the moderators appear to be angry.
Yikes! Nobody is angry; I've directed you to the answer to the question you asked. I also asked that if you have any more queries you post them in the correct forum, so people will respond to them quicker. ;)
moltendorf
Posts: 7
Joined: Sat Aug 26, 2006 11:00 am
Location: San Ramon, California
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by moltendorf »

Sad thing, this is one of the things I fear the most in the world. :(

Due to this, I was inspired to look at all the scripts I have made on my own to ensure they were secure. Even though this is a bad thing that has happened, it has reminded me how important it is not to overlook anything, which I feel is a good thing. I actually found and corrected some serious holes on my part. A little sub-domain containing a bunch of test scripts made by you and your friends that are not as secure as you'd want them to be can really hurt you later on. I have never actually had my website compromised, but I feel the pain from the phpBB.com incident.

If I remember correctly, my password here on area51.phpbb.com was "america" for the longest time. I used it on another website that was so insecure that it didn't even store the data using a hash; it was just plain text (and my password by itself was already insecure). The website was compromised, and it led to the compromise of my Steam account, and all those games I bought! That incident is long gone (I resolved it), and I have since used a secure password (generated randomly is my new motto for making passwords), including updating almost all my passwords on other websites. The reason I didn't update the password here, I guess, is because I was never really too concerned about losing it (no real sensitive information on it), but better not to lose it anyway.

Just a little story I felt like sharing. :)
Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Eelke »

onehundredandtwo wrote:
Shamisen wrote: Someone got into the database and saw not only our logins and passwords, but also knows our email addresses, if we signed up for further correspondence from phpBB?
Not the passwords. Passwords are encrypted by one of the phpBB files and the hacker would have to know the hash key to get in. The hash key is in one of the phpBB files [...]
This is what the announcement explains; if there are still people who registered in the old phpBB2 days and never logged into phpbb.com since it was converted to phpBB3, their password will still be in the database in the old md5 hash format. The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that may not be the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables: huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that also used single md5 hashing, they could get into the user's account on those sites as well.

Why is the phpBB3 password storage more secure? Because the password is not the entire thing that is hashed; when the password is submitted, a secret "salt" string (just a random sequence of characters) is added to the password before hashing. Even if the attacker were to get both the hash and the salt, he'd still not be much further, because he would have to search for a collision that includes the salt. In effect, he would need a completely new set of rainbow tables for every different salt employed by different sites.
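The difference Eelke describes, as an added example that is not code from this thread or from phpBB: a precomputed md5 lookup table (a constructed five-word stand-in for a rainbow table) gives an instant hit on a phpBB2-style bare md5 hash, but gives nothing on a hash that includes a random per-user salt, while the site can still verify logins by storing the salt beside the hash. The salted scheme here is a deliberate simplification and an assumption of this example; phpBB3's real scheme (a salted, iterated phpass-style hash) differs in detail.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist; it stands in for the precomputed table Eelke describes.
# A real rainbow table stores compressed hash chains, but the defender-relevant point
# is the same: the work is done once and reused against every unsalted hash.
WORDLIST = ["password", "letmein", "america", "qwerty", "dragon"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Map md5(word) -> word for every word in the list (the precomputation step)."""
    return {md5_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """phpBB2-style storage: a bare md5 of the password, identical on every site
    and for every user who picked that password."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Simplified salted storage (an assumption of this example, not phpBB3's exact
    scheme): a random per-user salt is prepended before hashing, and the salt is
    returned so it can be stored next to the hash for the login check."""
    if salt is None:
        salt = os.urandom(8)
    return salt.hex(), md5_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Login-time check: rehash the candidate with the stored salt and compare."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex))
    return candidate == stored_hash


def table_hit(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """What a leaked hash yields against a precomputed table: the word that produced
    it when the hash was unsalted, or nothing when a salt was mixed in."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted hit:", table_hit(table, store_unsalted("america")))  # america
    salt, h = store_salted("america")
    print("salted hit:  ", table_hit(table, h))  # None
    print("same password, second user, same hash?", store_salted("america")[1] == h)  # False
    print("login still works:", verify_salted("america", salt, h))  # True
```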
RabXI3oX
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 12:25 am

Re: [Discussion] Downtime and Server Compromise

Post by RabXI3oX »

I feel that phpBB is offline at the moment because of what happened: a hacker attacked them, and they are trying to fix security. Could be they will make a new phpBB 3.0.5 that adds more security to prevent hacker attacks, so it won't ever happen again.

I hope that hacker will be caught...................