ToonArmy wrote: You can help by notifying a team member by PM if you find any sites hosting or linking to the stolen data from phpBB.com.
You should put this info on the phpbb.com notice page. I never would have seen it if I wasn't bored and reading through this thread, where I've read that Maintenance page 20 times or more.
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [Discussion] Downtime and Server Compromise
seanieb wrote: Could some sort of weakness have been leaked when the phpbb site got hacked?
There is nothing to leak. phpBB is open source; the code has been publicly available since the beginning.
It seems that there is a new spam initiative that uses a script capable of reading the CAPTCHA. This is entirely unrelated to the incident that this topic is about. Changes to the CAPTCHA have been introduced in SVN for 3.0.5.
Again, spam is NOT a security matter. It's annoying, certainly, but a spam script cannot gain any more permissions than a registered user.
jage wrote: You should put this info on the phpbb.com notice page. I never would have seen it if I wasn't bored and reading through this thread, where I've read that Maintenance page 20 times or more.
Enough people notify us that it is not necessary to make the message any more pronounced than it is.
Re: [Discussion] Downtime and Server Compromise
I'm sorry to parrot the usual questions.
But! I know you have a huge amount of data to pore over..
Is there a news update? A nod to those who love you guys?
Muggins
- Highway of Life
- Registered User
- Posts: 1399
- Joined: Tue Feb 08, 2005 10:18 pm
- Location: I'd love to change the World, but they won't give me the Source Code
Re: [Discussion] Downtime and Server Compromise
muggins wrote: Is there a news update? A nod to those who love you guys?
Unfortunately not, there is no timeframe for when we will be back online yet.
Re: [Discussion] Downtime and Server Compromise
We are working to get the website online as quickly as possible. Other than that, there is not much to say.
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
- Registered User
- Posts: 1
- Joined: Sat Feb 07, 2009 1:51 am
Re: [Discussion] Downtime and Server Compromise
What if you registered when the forums were phpBB2 and continued to be active on the phpbb.com forums when they got the new phpBB3 installed? Are the passwords still hashed?
- A_Jelly_Doughnut
- Registered User
- Posts: 1780
- Joined: Wed Jun 04, 2003 4:23 pm
Re: [Discussion] Downtime and Server Compromise
ryandman93 wrote: What if you registered when the forums were phpBB2 and continued to be active on the phpbb.com forums when they got the new phpBB3 installed? Are the passwords still hashed?
Yes, they are.
A_Jelly_Doughnut
- Highway of Life
- Registered User
- Posts: 1399
- Joined: Tue Feb 08, 2005 10:18 pm
- Location: I'd love to change the World, but they won't give me the Source Code
Re: [Discussion] Downtime and Server Compromise
ryandman93 wrote: What if you registered when the forums were phpBB2 and continued to be active on the phpbb.com forums when they got the new phpBB3 installed? Are the passwords still hashed?
ALL the passwords were hashed, even in phpBB2, but phpBB2 used a simple md5 hash method, which is vulnerable to brute-forcing. Even then, the password would have to be pretty weak to brute-force, and the attacker found 28,000 such weak passwords. Now remember, these 28,000 accounts were from users that never logged in to phpBB.com after .com converted over to phpBB3.
Once the phpBB.com board was converted to phpBB3, all users had to update their password, which was then hashed using the newer phpBB3 algorithm. With phpBB3, the hash method is much more complex, making it nearly impossible to brute-force.
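To illustrate the difference Highway of Life describes above, here is an added Python re-implementation (not code from this thread or from phpBB itself) of phpBB2's unsalted md5 and phpBB3's phpass-style `$H$` hash with the legacy-md5 fallback that phpBB 3.0's check routine kept for unconverted accounts; the constants follow phpBB 3.0's functions.php as the author of this example recalls them, so treat them as an assumption. The point it makes concrete: one md5 call per guess with a shared, saltless result for phpBB2, versus 2049 chained md5 calls and a per-user salt for phpBB3.

```python
import hashlib, os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'  # phpass alphabet

def phpbb2_hash(password: str) -> str:
    # phpBB2: one unsalted md5 per password, so equal passwords give equal hashes
    return hashlib.md5(password.encode()).hexdigest()

def _encode64(data: bytes, count: int) -> str:
    # phpass' own little-endian 6-bit encoding (not standard base64)
    out, i = '', 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3f]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3f]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3f]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3f]
    return out

def _crypt_private(password: str, setting: str) -> str:
    # salted, iterated md5 as in phpBB3's _hash_crypt_private(); '*' on a bad setting
    count_log2 = ITOA64.find(setting[3:4]) if setting[:3] == '$H$' else -1
    if len(setting) < 12 or count_log2 < 7 or count_log2 > 30:
        return '*'
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # 2048 further rounds for cost char '9'
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)

def phpbb3_hash(password: str, salt_bytes: bytes = None) -> str:
    # phpbb_hash(): '$H$' + cost '9' (2^11) + 8-char salt from 6 random bytes + 22-char digest
    setting = '$H$' + ITOA64[11] + _encode64(salt_bytes or os.urandom(6), 6)
    return _crypt_private(password, setting)

def phpbb3_check(password: str, stored: str) -> bool:
    # phpbb_check_hash(): 34-char hashes are phpass, anything else is a legacy phpBB2 md5
    if len(stored) == 34:
        return _crypt_private(password, stored) == stored
    return phpbb2_hash(password) == stored
```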
Re: [Discussion] Downtime and Server Compromise
seanieb wrote: I really could use some of the anti spam mods right now.
There you go: http://www.potku.net/valiaikaiset/AntiBotQuestion.zip
That is the official phpBB MOD. Works like a charm.
That's my temp folder, so I'll keep it there for a few days.
I must say that I have always hated CAPTCHA. It is very, very annoying. Every time I have to register to a site that uses it (like here a minute ago), I automatically and uncontrollably let out a cuss word. To me, this MOD is a million times better, and you can make it very personal, too. As to language, well, you can use a math question to override that problem. Sure, a human-driven bot can crack that, but then, if it couldn't, neither could your potential users.
Back to the topic: I am very sorry to hear phpBB.com team members have to go through this. I have read, as have many others, what the SOB wrote on the incident, and I have to confess that as a martial artist I would like to have a minute or two with the guy (judging by the way he writes, he is a guy, not a gal). I hope you can find out who this person is.
Good luck with all the work, and hopefully soon you can continue to help the community as you so eagerly have over the years.
EDIT: Smiley added...
Last edited by Potku on Sat Feb 07, 2009 6:06 am, edited 1 time in total.