There are no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressed.
RabXI3oX wrote:
ahh I got it yeah
I just thought phpBB needed a new up to date 3.0.5 and I'm wrong.
but I think phpBB should be up to date
is there any new software to make more security add like hard Password provice
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
You said 'possibly'; it's fact, we know the attacker does.
Stallyon wrote:
Hmmm I thought I covered that in #5? My apologies.
ToonArmy wrote:
Very informative post; it is regrettable to correct you, but the attacker stole the users database (containing the usernames, emails and password hashes) and the mailing list subscribers address list.
Stallyon wrote:
I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.
Re: [Discussion] Downtime and Server Compromise
Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
Re: [Discussion] Downtime and Server Compromise
cool, I can't wait for phpBB to go back online so that I can download some php code I need for my site
Stallyon wrote:
There are no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressed.
RabXI3oX wrote:
ahh I got it yeah
I just thought phpBB needed a new up to date 3.0.5 and I'm wrong.
but I think phpBB should be up to date
is there any new software to make more security add like hard Password provice
- Registered User
- Posts: 4
- Joined: Mon Feb 02, 2009 7:45 am
Re: [Discussion] Downtime and Server Compromise
So what do you suggest we do now? I am not sure if we should wait and see what level of information the hacker has, isn't it? I think we need to get over the data acquired, reset the necessary fields and get back to business... RESET is what we all have been doing for a very long time (especially WINDOWS users like me)... Let's do it once more!!!
Stallyon wrote:
Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
If we have lost email lists, so be it... I am not sure if the hacker would not use it anyways... So let's move on...
Just pray that nobody used their email passwords the same as the one on phpbb
- Nicholas the Italian
- Registered User
- Posts: 659
- Joined: Mon Nov 20, 2006 11:19 pm
- Location: 46°8' N, 12°13' E
- Contact:
Re: [Discussion] Downtime and Server Compromise
Exactly.
Eelke wrote:
The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
If I'm correct, this is particularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even on the public Internet.
Apart from the old suggestion of using a different pw for each site, using somewhat complex passwords is also good advice, for example !waHt+eVer? instead of whatever.
Re: [Discussion] Downtime and Server Compromise
Erik Frèrejean: Removed
The hacker released some notes here, check it out!
shahinavthal wrote:
So what do you suggest we do now? I am not sure if we should wait and see what level of information the hacker has, isn't it? I think we need to get over the data acquired, reset the necessary fields and get back to business... RESET is what we all have been doing for a very long time (especially WINDOWS users like me)... Let's do it once more!!!
Stallyon wrote:
Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
If we have lost email lists, so be it... I am not sure if the hacker would not use it anyways... So let's move on...
Just pray that nobody used their email passwords the same as the one on phpbb
Last edited by Erik Frèrejean on Mon Feb 02, 2009 1:06 pm, edited 1 time in total.
Reason: Removed link
- Erik Frèrejean
- Registered User
- Posts: 207
- Joined: Thu Oct 25, 2007 2:25 pm
- Location: surfnet
- Contact:
Re: [Discussion] Downtime and Server Compromise
v1R,
We are aware of those releases. Please don't post them in public view.
If you find anything suspicious please send the link in a pm to myself or any other phpBB team member.
Thank you .
Available on .com
Support Toolkit developer
Re: [Discussion] Downtime and Server Compromise
Indeed, the most you guys can do to help right now is please forward us the link (via PM) of any website found copying the malicious user's blog post or any of the data he uploaded so the proper channels can be contacted to have it removed.
Last edited by ToonArmy on Mon Feb 02, 2009 2:20 pm, edited 1 time in total.
Reason: I can has dictionary
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
Re: [Discussion] Downtime and Server Compromise
Not if the hashes are salted, which the new phpBB3 ones are; you would need to generate a rainbow table for each common word plus the salt, which is nigh on impossible.
Nicholas the Italian wrote:
Exactly.
Eelke wrote:
The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
If I'm correct, this is particularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even on the public Internet.
Apart from the old suggestion of using a different pw for each site, using somewhat complex passwords is also good advice, for example !waHt+eVer? instead of whatever.
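To make the exchange above concrete (Eelke's point about precomputed reverse-MD5 tables and ToonArmy's reply that a per-user salt defeats them), here is an added Python example that is not code from this thread or from phpBB itself. The candidate-word list and the salt are constructed for the demonstration, and the salted, iterated scheme is a simplified model in the general style of the phpass portable hashes phpBB 3 uses, not phpBB's actual implementation.

```python
import hashlib
import os

# Constructed sample of weak passwords; a real reverse-MD5 table holds a
# vastly larger candidate set, but it is still a finite, precomputed set.
CANDIDATES = ["password", "whatever", "123456", "qwerty", "letmein"]


def unsalted_md5(password: str) -> str:
    """Single, unsalted MD5 of the password, as discussed in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def build_reverse_table(candidates) -> dict:
    """Map md5(candidate) -> candidate. Built once and reused against every
    leaked unsalted digest: that reuse is what precomputation buys."""
    return {unsalted_md5(c): c for c in candidates}


def salted_iterated_md5(password: str, salt: bytes, rounds: int = 2 ** 10) -> str:
    """Simplified model (an assumption, not phpBB's code) of a salted,
    iterated MD5: the salt makes each user's digest unique, so a table
    built without it matches nothing; the rounds make each guess cost more."""
    h = hashlib.md5(salt + password.encode()).digest()
    for _ in range(rounds):
        h = hashlib.md5(h + password.encode()).digest()
    return h.hex()


def lookup(table: dict, leaked_digest: str):
    """Return the candidate behind a leaked digest, or None if not in the table."""
    return table.get(leaked_digest)


def demo():
    table = build_reverse_table(CANDIDATES)
    # Unsalted: the leaked digest is a direct key into the precomputed table.
    recovered = lookup(table, unsalted_md5("whatever"))
    # Salted: the same table, built without this user's salt, has no entry;
    # it would have to be rebuilt for every distinct salt in the leaked set.
    salt = os.urandom(6)  # constructed per-user salt for the demo
    missed = lookup(table, salted_iterated_md5("whatever", salt))
    return recovered, missed


if __name__ == "__main__":
    print(demo())  # ('whatever', None)
```

Salting only removes the precomputation shortcut: a weak password can still be guessed by hashing candidates together with that user's leaked salt, which is why the advice about unique, less guessable passwords still stands.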