[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
jage
Registered User
Posts: 19
Joined: Fri Feb 06, 2009 6:47 pm

Re: [Discussion] Downtime and Server Compromise

Post by jage »

ToonArmy wrote:You can help by notifying a team member by PM if you find any sites hosting or linking to the stolen data from phpBB.com.
You should put this info on the phpbb.com notice page. I never would have seen it if I wasn't bored and reading through this thread, where I've read that Maintenance page 20 times or more.

Marshalrusty
Project Manager
Posts: 273
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty »

seanieb wrote:Could some sort of weakness have been leaked when the phpbb site got hacked?
There is nothing to leak. phpBB is open source; the code has been publicly available since the beginning.

It seems that there is a new spam initiative that uses a script capable of reading the CAPTCHA. This is entirely unrelated to the incident that this topic is about. Changes to the CAPTCHA have been introduced in SVN for 3.0.5.

Again, spam is NOT a security matter. It's annoying, certainly, but a spam script cannot gain any more permissions than a registered user.
jage wrote:You should put this info on the phpbb.com notice page. I never would have seen it if I wasn't bored and reading through this thread, where I've read that Maintenance page 20 times or more.
Enough people notify us that it is not necessary to make the message any more pronounced than it is.

muggins
Registered User
Posts: 5
Joined: Wed Feb 04, 2009 8:25 pm

Re: [Discussion] Downtime and Server Compromise

Post by muggins »

I'm sorry to parrot the usual questions.

But! I know you have a huge amount of data to pore over..

Is there a news update? A nod to those who love you guys? :D
Muggins

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: [Discussion] Downtime and Server Compromise

Post by Highway of Life »

muggins wrote:Is there a news update? A nod to those who love you guys? :D
Unfortunately not, there is no timeframe to when we will be back online yet.

Phil
Registered User
Posts: 185
Joined: Sun Mar 11, 2007 3:20 am

Re: [Discussion] Downtime and Server Compromise

Post by Phil »

We are working to get the website online as quickly as possible. Other than that, there is not much to say ;)
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.

ryandman93
Registered User
Posts: 1
Joined: Sat Feb 07, 2009 1:51 am

Re: [Discussion] Downtime and Server Compromise

Post by ryandman93 »

What if you registered when the forums were phpBB2 and continued to be active on the phpbb.com forums when they got the new phpBB3 installed? Are the passwords still hashed?

muggins
Registered User
Posts: 5
Joined: Wed Feb 04, 2009 8:25 pm

Re: [Discussion] Downtime and Server Compromise

Post by muggins »

K! Best of luck...
Muggins

A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: [Discussion] Downtime and Server Compromise

Post by A_Jelly_Doughnut »

ryandman93 wrote:What if you registered when the forums were phpBB2 and continued to be active on the phpbb.com forums when they got the new phpBB3 installed? Are the passwords still hashed?
Yes, they are.
A_Jelly_Doughnut

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: [Discussion] Downtime and Server Compromise

Post by Highway of Life »

ryandman93 wrote:What if you registered when the forums were phpBB2 and continued to be active on the phpbb.com forums when they got the new phpBB3 installed? Are the passwords still hashed?
ALL the passwords were hashed, even in phpBB2, but phpBB2 used a simple MD5 hash method, which is vulnerable to brute-forcing. Even then, the password would have to be pretty weak to brute-force, and the attacker found 28,000 such weak passwords. Now remember, these 28,000 accounts were from users that never logged in to phpBB.com after .com converted over to phpBB3.
Once the phpBB.com board was converted to phpBB3, all users had to update their password, which was hashed using the newer phpBB3 algorithm. With phpBB3, the hash method is much more complex, making it nearly impossible to brute-force.
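An added example, not code from the original thread or from phpBB itself, showing the difference Highway of Life describes above: a phpBB2-era store holds one unsalted MD5 per account, so a single wordlist pass cracks every account that picked a common password at once, while a phpBB3-style portable hash prepends a per-account salt and iterates MD5 2^N times. The portable hash below is my own Python port of the phpass-style "$H$" scheme (rounds character at position 4, 8-character salt, phpass's own base-64 alphabet); the sample password, wordlist and salt strings are constructed for the demo, and the rounds value 2^11 is just the example's choice. Note the caveat a practitioner should keep in mind: salting and iteration stop one crack from covering many accounts and raise the cost per guess (2049 MD5 calls instead of 1 here), but a weak password is still found, only more slowly.

```python
"""Unsalted MD5 (phpBB2-style) versus a salted, iterated portable hash (phpBB3-style).
Added example, own code; not phpBB's implementation."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# phpass alphabet; the 4th character of a "$H$" hash indexes into it to give log2(rounds)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_hex(password: str) -> str:
    """phpBB2-style storage: one unsalted MD5 over the password, nothing else."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Wordlist attack on an unsalted MD5: one hash per candidate, and because there
    is no salt the same candidate hash matches every account that chose that
    password, so a whole dump costs no more than one account."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base-64 variant (not RFC 4648): little-endian 3-byte groups."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def gensalt(count_log2: int = 11) -> str:
    """Fresh setting string: "$H$" + rounds character + 8 random salt characters.
    Simplified: phpass derives the salt characters from random bytes; drawing them
    directly from the alphabet yields the same format."""
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 must be between 7 and 30")
    return "$H$" + ITOA64[count_log2] + "".join(secrets.choice(ITOA64) for _ in range(8))


def portable_hash(password: str, setting: str) -> str:
    """phpass-style portable hash ("$H$" as phpBB3 labels it, "$P$" in phpass):
    digest = md5(salt + pw), then 2**count_log2 rounds of digest = md5(digest + pw)."""
    if setting[:3] not in ("$H$", "$P$") or len(setting) < 12:
        raise ValueError("not a portable-hash setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_hash(password: str, stored: str) -> bool:
    """Verify against either format. A 32-character hex value is a legacy phpBB2 MD5
    kept for accounts that never logged in after the conversion (the case the post
    describes); anything else is treated as a portable hash."""
    candidate = md5_hex(password) if len(stored) == 32 else portable_hash(password, stored)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str) -> bool:
    """True for legacy MD5 entries: re-store with portable_hash(gensalt()) at next login."""
    return len(stored) == 32


def md5_calls_per_guess(stored: str) -> int:
    """MD5 invocations an attacker pays per candidate password for one stored hash."""
    if len(stored) == 32:
        return 1
    return 1 + (1 << ITOA64.index(stored[3]))


if __name__ == "__main__":
    # Constructed sample: a phpBB2-era hash of "password" and a tiny wordlist.
    legacy = md5_hex("password")
    print("legacy MD5 cracked as:", crack_md5(legacy, ["letmein", "qwerty", "password"]))
    # Same password, two different salts: no shared hash to attack in bulk.
    a = portable_hash("password", gensalt())
    b = portable_hash("password", gensalt())
    print("portable hashes differ:", a != b, "| per-guess cost:", md5_calls_per_guess(a))
    print("verify ok:", check_hash("password", a), "| wrong pw:", check_hash("wrong", a))
```

Run it as a script to see the legacy hash fall to the three-word list while the two portable hashes of the same password differ and each cost 2049 MD5 calls per guess; `check_hash` plus `needs_rehash` is the pattern that migrates a legacy entry to the stronger format on the user's next successful login, which is why accounts that never logged in again stayed on MD5.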

Potku
Registered User
Posts: 2
Joined: Sat Feb 07, 2009 5:33 am

Re: [Discussion] Downtime and Server Compromise

Post by Potku »

seanieb wrote: I really could use some of the anti spam mods right now.
There you go: http://www.potku.net/valiaikaiset/AntiBotQuestion.zip

That is the official phpBB MOD. Works like a charm.

That's my temp folder, so I'll keep it there for a few days.

I must say that I have always hated CAPTCHA. It is very, very annoying. Every time I have to register on a site that uses it (like here a minute ago), I automatically and uncontrollably let out a cuss word. To me, this MOD is a million times better, and you can make it very personal, too. As to language, well, you can use a math question to override that problem. Sure, a human-driven bot can crack that, but then, if he couldn't, neither could your potential users.

Back to the topic: I am very sorry to hear phpBB.com team members have to go through this. I have read, as have many others, what the SOB wrote on the incident, and I have to confess that as a martial artist I would like to have a minute or two with the guy (judging by the way he writes, he is a guy, not a gal). I hope you can find out who this person is.

Good luck with all the work and hopefully soon you can continue to help the community as you so eagerly have over the years :)


EDIT: Smiley added...
Last edited by Potku on Sat Feb 07, 2009 6:06 am, edited 1 time in total.
