[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Extra PC
Registered User
Posts: 4
Joined: Fri Feb 06, 2009 12:09 am

Re: [Discussion] Downtime and Server Compromise

Post by Extra PC »

I'm one of the phpBB forum users, and we are from the Arabic support team, phpbbarabia.com.

We were all very upset about what happened to the mother site, phpbb.com.

But what happened doesn't mean that there is something wrong, so we leave it behind us and move on. We bow to your hard work.

You made the internet and the communication between nations easy and free, and we shouldn't stop for a long time over what happened,

but only take a lesson from it. We provide full support even if our language is different, but we are united by phpBB, and I say again that we thank you.

Lumpy Burgertushie
Registered User
Posts: 1006
Joined: Tue Feb 28, 2006 5:26 pm

Re: [Discussion] Downtime and Server Compromise

Post by Lumpy Burgertushie »

Here is a place to get phpBB2 support.
It is in no way associated with phpbb.com; however, many of us long-time supporters are involved there.

You can get the cookie MOD from someone ;) over there:
http://www.phpbb2refugees.com/index.php

robert

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by EXreaction »

Yes, that's an idea. One could rehash the old 2.0.x MD5s with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.
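
The migration scheme EXreaction sketches, as an added example (this is not phpBB's own code, and the hash format, the `pbkdf2` label and the record layout are assumptions for illustration): each legacy MD5 hex digest is wrapped offline with a salted PBKDF2 and flagged `legacy-md5`; at login the submitted password is first reduced to its MD5, verified against the wrapped hash, and on success replaced by a hash computed directly from the password.

```python
import hashlib
import hmac
import os

# Assumed parameters for the new scheme; phpBB 3 itself uses a different
# (phpass-style) hash, so treat these as illustrative, not as its format.
ITERATIONS = 200_000
SALT_LEN = 16


def _pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def legacy_md5_hex(password: str) -> str:
    """What a 2.0.x board stored: an unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy_md5(md5_hex: str) -> dict:
    """Offline migration step: strengthen an existing MD5 hash without knowing
    the password. The stored record carries the flag saying it is the old type."""
    salt = os.urandom(SALT_LEN)
    return {"kind": "legacy-md5", "salt": salt, "hash": _pbkdf2(md5_hex.encode(), salt)}


def hash_password(password: str) -> dict:
    """New-style record, computed directly from the cleartext password."""
    salt = os.urandom(SALT_LEN)
    return {"kind": "pbkdf2", "salt": salt, "hash": _pbkdf2(password.encode(), salt)}


def verify_and_upgrade(record: dict, password: str):
    """Login check. Returns (ok, new_record); new_record is a replacement
    record when a legacy entry was verified and should be upgraded, else None."""
    if record["kind"] == "legacy-md5":
        # Reproduce what the old board would have stored, then run the wrapper.
        secret = legacy_md5_hex(password).encode()
    elif record["kind"] == "pbkdf2":
        secret = password.encode()
    else:
        return False, None
    candidate = _pbkdf2(secret, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, None
    if record["kind"] == "legacy-md5":
        # Correct password seen in cleartext: drop the MD5 layer for good.
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a 2.0.x-era user whose board stored only the MD5.
    stored = wrap_legacy_md5(legacy_md5_hex("correct horse"))
    print(verify_and_upgrade(stored, "wrong guess")[0])        # False
    ok, upgraded = verify_and_upgrade(stored, "correct horse")
    print(ok, upgraded["kind"])                                # True pbkdf2
```

The wrapping step protects a database dump taken after the migration, since an attacker must now run the expensive outer hash per guess. It does nothing for hashes that were already copied out while they were bare MD5s, which is why old 2.0.x passwords exposed in a dump have to be treated as known.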

z2z
Registered User
Posts: 10
Joined: Fri Feb 06, 2009 6:09 am

Re: [Discussion] Downtime and Server Compromise

Post by z2z »

I think we need to learn from this incident. phpBB admins (users) should be aggressively notified about new updates. Maybe a popup as soon as the board admin logs in: "New Updates Available"! :mrgreen:

Lumpy Burgertushie
Registered User
Posts: 1006
Joined: Tue Feb 28, 2006 5:26 pm

Re: [Discussion] Downtime and Server Compromise

Post by Lumpy Burgertushie »

I think some of you are getting confused here.

This "hack" has only affected phpbb.com, as far as anyone knows.

It can only affect phpBB3 boards that are on the same server as a version of phplist that is not up to date.

From what I have read here, the only thing the hacker did was gather the email addresses and old passwords from the database.

If you have ever logged into phpbb.com since it was converted to phpBB3, then your account at phpbb.com has not been compromised.

YOUR boards have most likely not been compromised and most likely will not be.

This IS NOT phpBB related. It just so happens that phpbb.com was using phplist, and that is what has the vulnerability, NOT phpBB.


robert

z2z
Registered User
Posts: 10
Joined: Fri Feb 06, 2009 6:09 am

Re: [Discussion] Downtime and Server Compromise

Post by z2z »

I know that there isn't a security issue with the phpBB 3 software.

I'm not talking about a specific setup, particularly phpbb.com, but about a scenario in the future, if the situation arises: many board admins may be able to patch their boards in time!

[removed] claims to be the hacker... hunt down this #$@#$@#! :x
Last edited by Phil on Fri Feb 06, 2009 2:04 pm, edited 1 time in total.
Reason: We are very aware of said blog, please do not link to it as we do not want to draw any more publicity there than absolutely necessary ;)

3Di
Registered User
Posts: 772
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)

Re: [Discussion] Downtime and Server Compromise

Post by 3Di »

z2z wrote:many board admins may be able to patch their boards in time!
The point is that the supplier (phplist) provided a patch 'just' 2 weeks after the exploit was discovered. Got it? :)

dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: [Discussion] Downtime and Server Compromise

Post by dowelld »

So how about trying to find some constructive improvements from this? Not now, obviously, they're a tad busy at the moment, but ideas for how to improve things for 'worst case' scenarios in the future. Not that I'm hoping you'll have any worst case scenarios ever again... hell, can I dig this hole any deeper? :lol:

I'd like to see the knowledge base mirrored somewhere, for example, and maybe even the mod forums, even if only in read-only format.

Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean »

dowelld wrote:I'd like to see the knowledge base mirrored somewhere, for example, and maybe even the mod forums, even if only in read-only format.
The KB is mirrored; see the sticky in the temp support forum here.
MOD forums are a bad idea, as the MODs are stored on the phpBB server, and we don't trust anything that was on the server during the attack. Therefore it's a good thing that those MOD files aren't available before they are fully checked.

dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: [Discussion] Downtime and Server Compromise

Post by dowelld »

Hi

Yes, I understand that. I didn't mean now, though. I meant for the future, once you've got it all back.

It would surely be easy enough (once it's all back) to have a read-only mirror somewhere else that was updated nightly.

As long as backups were held for a reasonable amount of time, even a compromise such as this one would be easily worked around by restoring the read-only mirror (on the read-only mirror) to a backup from before the compromise, thereby mitigating anything that had been copied over in the nightly updates. It would make that information (albeit backed out to before the compromise of the primary site) available in the event of bad stuff happening. Anyway, it was just a thought.

I found the thread about the knowledge base being put up somewhere else. Thanks for that :D
