[Discussion] Downtime and Server Compromise

[Mobious]

I am absolutely convinced that the sudden influx of spam registration and the hacking event occurring at the same time are a complete coincidence. It is unfortunate that they have both taken place at the same time, but there is no way to link the two. A test board I have set up online with no posts, no members, no inward links (other than Google knowing it exists), and no relation to the information I have at phpbb.com has also incurred the same problem. There is absolutely no way to link it to the release of information taken from phpbb.com, and therefore I see no relation between the two events.

Sometimes coincidence is just that.
So let's please leave the spam discussion to the topic existing in the support forum. Thanks.

I wouldn't assume that the two would be connected in the way you describe, as they are infact separate incidents. I would however consider the possibility that the relation is rather a coordinated attack on the overall integrity of phpBB and the support of your userbase. Consider this, if I light your house on fire while you are at work, and then go to your job and slash the tires on your car. The two are completely separate. Infact, it may have been an accomplice of mine that does the slashing on your car. And maybe he did it on a different day. Our intention is the same though. To do you harm...

One doesn't need access to protected information to locate phpBB forums on the internet. The term "phpBB" is included in every footer, and therefore can be easily located through search engines, just as you describe. If someone wanted to do a mass attack on every phpBB forum out there, it wouldn't be too difficult to locate them. So when this initiative is launched, what will user's first reaction be when they realize something is wrong? How convenient is it then, that when those users immediately go to phpbb.com looking for support, as I did this morning, they see that your main website has even been compromised.

It may be coincidence as you say, but if not, I'd say that's quite a successful attack on phpBB.

At any rate...

It seems that there is a new spam initiative that uses a script capable of reading the CAPTCHA. This is entirely unrelated to the incident that this topic is about. Changes to the CAPTCHA have been introduced in SVN for 3.0.5.

I know you guys have a lot on your plate, so I wouldn't think of asking for an ETA. But is it possible to release a quick patch to address this CAPTCHA issue, rather than wait for all the touch ups and polishing of a full featured patch?

Thanks for the hard work

[shahinavthal]

It seems that there is a new spam initiative that uses a script capable of reading the CAPTCHA. This is entirely unrelated to the incident that this topic is about. Changes to the CAPTCHA have been introduced in SVN for 3.0.5.

This is very much true and we are facing 80% of traffic by spam on site...Nearly 100 spam posts (Mostly Russian stuff) and 30 banned users in 2 days - This is with Captch enabled

[battye]

You can try adding background noise, etc to the captcha in the ACP settings. Also, the lower the number you use the more difficult the captcha is to read. This might help in the meantime to stem the flow of bots.

[Kellanved]

We will re-start development ASAP. Sadly, our time is mostly spent with cleaning up the mess and that can't change for some time to come. We don't have the infrastructure to roll out updates at the moment. All team members are investing a lot of their time to get things in order again; this sad example of vandalism against non-profit volunteers has causes tremendous damage. It hurts my belief in humanity.

[asinshesq]

We will re-start development ASAP. Sadly, our time is mostly spent with cleaning up the mess and that can't change for some time to come. We don't have the infrastructure to roll out updates at the moment. All team members are investing a lot of their time to get things in order again; this sad example of vandalism against non-profit volunteers has causes tremendous damage. It hurts my belief in humanity.

I understand your point about humanity. But balance that against the developers (like you!), people who give support, people who validate mods (and people who write them), etc., all for free because they are doing something helpful to others. Seems to me that the people who are selflessly doing good far outnumbers the creeps.

[SamG]

The problem is that it takes only a handful of creeps to disenfranchise the many people who contribute positively to phpBB. If our current creep is to be taken at face value, s/he was looking for an exploit at phpBB.com. Why? Then we have the disgruntled approving such behavior, even by at least one person who is an avid supporter of phpBB 2. To me this whole thing is well beyond belief, both the exploit and the "they had it coming" attitude. You have to wonder when even 10 or 20 people say that the only thing our creep did wrong was to release their personal information into the wild.

If phpBB.com was brought down once a year (and it seems to me that that's not beyond the realm of possibility), the very viability of the project would be brought into question. The creeps do damage far greater than the sum of their numbers. It's difficult even to count the costs.

Any effort to shift blame on software authors and users (as our creep did), especially open source software and users, isn't very convincing when you look at the mess made of the work of countless people who have been very generous with their time, knowledge, and wisdom. It just underscores, I think, the twisted notions of right and wrong that people can entertain.

[dcz]

It hurts my belief in humanity.

Well said, but do not give up, that's how it is, the fight between civilization and barbarism indeed never ended.
But be sure that there is a lot of silent people sharing the same feeling around, with in addition a true feel of gratitude to the phpBB Group for all the efforts.
Barbarians may be hordes, we are legions

++

[rockeiro]

Then we have the disgruntled approving such behavior, even by at least one person who is an avid supporter of phpBB 2. To me this whole thing is well beyond belief, both the exploit and the "they had it coming" attitude. You have to wonder when even 10 or 20 people say that the only thing our creep did wrong was to release their personal information into the wild.

This was the part I really didn't understand. I'm not digging for details either by the way, I'm just asking, who elected this *twit* the judge and jury against so called infractions by the phpBB staff? Who's got the real bad attitude in the end? Can anyone justify this criminal action in any way by pointing at the behavior of certain phpBB staff members?

Yet the answer is <sadly> yes. The new age of internet (in)justice. If they don't like you then they're going to riducule you and call you names on a web site or upload an outrageuos video of you to YouTube or come and hack your site. Groupthink unleashed. Post modern madness. Tiny tot terrorism. Lord of the Flies validated.

The phpBB staff has my sincerest regrets for the incident. Now is the time to rally and rebuild though, not finger point and infight. Don't let "them" win by causing the foundation to crumble and dissention to permently damage remaining relationships.

And always remember, we are all weak. Sooner or later everyone you know will disappoint you at some level. That's why forgiveness was invented. Use it and move on. We certainly appreciate you and the rest of the developers efforts and so do the hundreds of people that use use my forum powered by your software everyday to socialize and work together on other collaborative efforts.

And thanks for sharing that in the first place because it shows how much more human you are today than the guy who hacked your site and created a blog to brag about how he hurt you guys.

[3Di]

It hurts my belief in humanity.

Well said, but do not give up, that's how it is, the fight between civilization and barbarism indeed never ended.
But be sure that there is a lot of silent people sharing the same feeling around, with in addition a true feel of gratitude to the phpBB Group for all the efforts.
Barbarians may be hordes, we are legions

++

Very well said. Thank you.

[Lumpy Burgertushie]

if the bots have cracked the default captcha, you can make it harder from within the admi panel.

and/or, create a new required field for registration using the custom profile field section of the admin panel.

this will stop them cold.


robert