[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
jage
Registered User
Posts: 19
Joined: Fri Feb 06, 2009 6:47 pm

Re: [Discussion] Downtime and Server Compromise

Post by jage »

ToonArmy wrote:You can help by notifying a team member by PM if you find any sites hosting or linking to the stolen data from phpBB.com.
You should put this info on the phpbb.com notice page, I never would have seen it if I wasn't bored and reading thru this thread, where I've read that Maintenance page 20 times or more.

Marshalrusty
Project Manager
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty »

seanieb wrote:Could some sort of weakness have been leaked when the phpbb site got hacked?
There is nothing to leak. phpBB is opensource; the code has been publicly available since the beginning.

It seems that there is a new spam initiative that uses a script capable of reading the CAPTCHA. This is entirely unrelated to the incident that this topic is about. Changes to the CAPTCHA have been introduced in SVN for 3.0.5.

Again, spam is NOT a security matter. It's annoying, certainly, but a spam script cannot gain any more permissions than a registered user.
jage wrote:You should put this info on the phpbb.com notice page, I never would have seen it if I wasn't bored and reading thru this thread, where I've read that Maintenance page 20 times or more.
Enough people notify us that it is not necessary to make the message any more pronounced than it is.

User avatar
muggins
Registered User
Posts: 5
Joined: Wed Feb 04, 2009 8:25 pm

Re: [Discussion] Downtime and Server Compromise

Post by muggins »

I'm sorry to parrot the usual questions.

But! I know you have a huge amount of data to pore over..

Is there a news update? A nod to those who love you guys? :D
Muggins

User avatar
Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Highway of Life »

muggins wrote:Is there a news update? A nod to those who love you guys? :D
Unfortunately not, there is no timeframe to when we will be back online yet.
Image

Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Phil »

We are working to get the website online as quickly as possible. Other than that, there is not much to say ;)
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.

ryandman93
Registered User
Posts: 1
Joined: Sat Feb 07, 2009 1:51 am

Re: [Discussion] Downtime and Server Compromise

Post by ryandman93 »

what if you reg. when the forums were phpbb2 and continued to be active on the phpnn.com forums when they got the new phpbb3 installed. are the passwrods still hashed?

User avatar
muggins
Registered User
Posts: 5
Joined: Wed Feb 04, 2009 8:25 pm

Re: [Discussion] Downtime and Server Compromise

Post by muggins »

K! best luck...
Muggins

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: [Discussion] Downtime and Server Compromise

Post by A_Jelly_Doughnut »

ryandman93 wrote:what if you reg. when the forums were phpbb2 and continued to be active on the phpnn.com forums when they got the new phpbb3 installed. are the passwrods still hashed?
Yes, they are.
A_Jelly_Doughnut

User avatar
Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Highway of Life »

ryandman93 wrote:what if you reg. when the forums were phpbb2 and continued to be active on the phpnn.com forums when they got the new phpbb3 installed. are the passwrods still hashed?
ALL the passwords were hashed, even in phpBB2, but phpBB2 used a simple md5 hash method, which is vulnerable to brute-forcing. Even then, the password would have to be pretty weak to brute-force, and the attacker found 28,000 such weak passwords. Now remember, these 28,000 accounts were from users that never logged in to phpBB.com after .com converted over to phpBB3.
Once the phpBB.com board was converted to phpBB3, all users had to update their password which hashed using the newer phpBB3 algorithm. With phpBB3, the hash method is much more complex making it nearly impossible to brute-force.
Image

Potku
Registered User
Posts: 2
Joined: Sat Feb 07, 2009 5:33 am

Re: [Discussion] Downtime and Server Compromise

Post by Potku »

seanieb wrote: I really could use some of the anti spam mods right now.
There you go: http://www.potku.net/valiaikaiset/AntiBotQuestion.zip

That is the official phpBB MOD. Works like a charm.

That's my temp folder, so I'll keep it there for a few days.

I must say that I have always hated CAPTCHA. It is very, very annoying. Every time I have to register to a site that uses it (like here a minute ago), I automatically and uncontrollably let out a cuss word. To me, this MOD is a million times better - and you can make it very personal, too. As to language, well, you can use a math question to override that problem. Sure, a human-driven bot can crack that, but then, if he couldn't, then couldn't your potential users, either.

Back to the topic: I am very sorry to hear phpBB.com team members have to go through this. I have read, as have many others, what the SOB wrote on the incident, and I have to confess that as a martial artist I would like to have a minute or two with the guy (judging by the way he writes he is a guy, not a gal) Image I hope you can find out who this person is.

Good luck with all the work and hopefully soon you can continue to help the community as you so eagerly have over the years :)


EDIT: Smiley added...
Last edited by Potku on Sat Feb 07, 2009 6:06 am, edited 1 time in total.

Post Reply