[Discussion] Downtime and Server Compromise

[Erik Frèrejean]

What is captcha2? Something like web2 :S.

Anyhow, Rich was referring to the phpBB captcha, your article talks about the captchas from Gmail, Yahoo and Hotmail which are completely different as the one used by phpBB.
But as I've stated earlier in this thread we have suspicions that the phpBB captcha is broken we however don't know this for sure yet.

[woodp]

What is captcha2? Something like web2 :S.

Sorry, I meant to say reCaptcha (http://recaptcha.net/). I've had it in use in one application for six months and so far no problems. (famous last words.) And I'm even getting reasonably favorable comments from the usual Captcha-hating crowd.

Anyhow, Rich was referring to the phpBB captcha, your article talks about the captchas from Gmail, Yahoo and Hotmail which are completely different as the one used by phpBB.
But as I've stated earlier in this thread we have suspicions that the phpBB captcha is broken we however don't know this for sure yet.

I won't sit here and exclaim "captcha is captcha" but there are similarities in both structure and implementation that tell me your concerns are well founded. Glad to see you're thinking about it.

Good Luck!

[Erik Frèrejean]

What is captcha2? Something like web2 :S.

Sorry, I meant to say reCaptcha (http://recaptcha.net/). I've had it in use in one application for six months and so far no problems. (famous last words.) And I'm even getting reasonably favorable comments from the usual Captcha-hating crowd.

reCaptcha is doing a good job indeed. But as you need to sign up for it reCaptha will never ship as the default phpBB captcha. phpBB3.2 will however have the reCaptcha included (its in the trunk right now).

But let us now go back on topic and discuss the Downtime. Captcha discussions are fine, but please start a different topic regarding this.
Especially as the breaking of the captcha isn't related to the hack.

[EXreaction]

Yes, that's an idea. One could rehash the old 2.0.x MD5's with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.

Are you offering this as a solution for phpbb.com? If so, there's one problem: the plain-old MD5 password hashes are out there, no doubt being cracked. Just changing the hash doesn't help at all now, since it's going to be the exact same password anyway.

It's a rather huge problem, the fact that the users table was released publicly. There's basically no fix, now that all 300,000 user ID, emails, usernames, passwords, etc are out there. Even if you say, "Well, let's just delete/lock/ban those accounts, there are still many many people who can be traced by email or username (outside of phpbb.com), and use the same usename/password everywhere, often some moronic phrase such as an english word, or the exact same as the username.

No, that wouldn't help for phpbb.com, but could be included with an update to phpbb3 in the future to prevent passwords from leaking in case their server got hacked as well.

There is nothing you can do about the released information, all you can do is reset the passwords (forcing them to get a new password with the I forgot my password link) for those users on phpbb.com and send them all emails notifying them of what happened with the email address they used.

[dcz]

It really seems that the phpBB GD captcha went circumvented and worst, that some script was released to use the trick to massively spam phpBB3.0.4 forums.

This was probably already raised elsewhere, but I'm wondering if the current phpbb.com downtime was not part of the spamming plan, which seemed to have started around the same time. As a way to win time for spam.

Because even though the data stolen is a lot, it's not like visa account number where compromised, I don't think that many of the unconverted passwords where in deed interesting, a portion of it maybe, but among many other that really where not most likely.

Anyway, good luck with putting things back on !

++

[3Di]

There is nothing you can do about the released information

Indeed.

all you can do is reset the passwords (forcing them to get a new password with the I forgot my password link) for those users on phpbb.com and send them all emails notifying them of what happened with the email address they used.

Agreed, that's a good point. What about all of the Team Members private infos and telephone numbers and real-life data, though? They are all public now.
Another good point could be the fact the "hacker" promised to spread some topic found into the private forums. No skeleton at all I guess, but.. it's really a huge inconvenient this time IMHO.

Anyway, show must go on. Keep up the great work guys, c'mon.

[rusty105]

I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), ans since Jan 30th almost 2 doz. Spam registrations. Too coincidential for me.

Rusty

[3Di]

I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), ans since Jan 30th almost 2 doz. Spam registrations. Too coincidential for me.

Rusty

Being phpbb.com and PHPBB itself the best and more used GPLed BBS around the world, indeed the fact it has been hacked (also if via an external app) got the attention of the spambots/spammers, that's because the WEB. got it? Nothing less nothing more, IMHO.

[darcie]

I am absolutely convinced that the sudden influx of spam registration and the hacking event occurring at the same time are a complete coincidence. It is unfortunate that they have both taken place at the same time, but there is no way to link the two. A test board I have set up online with no posts, no members, no inward links (other than Google knowing it exists), and no relation to the information I have at phpbb.com has also incurred the same problem. There is absolutely no way to link it to the release of information taken from phpbb.com, and therefore I see no relation between the two events.

Sometimes coincidence is just that.
So let's please leave the spam discussion to the topic existing in the support forum. Thanks.

[rusty105]

I am not knocking phpBB at all. I started with phpBB, and I never see myself using anything else! I am just saying that I think it might be related, wether intentional or not, by the same party(s) or not. We the phpBB comunity have been attacked. Our boards are getting spammed hard, and our 'Mother' support forum is down, HARD! I know the admins are doing their best, and I would rather wait longer to be sure everything is sanitized before it comes back up.

Sorry to be beating this horse


Rusty