[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [Discussion] Downtime and Server Compromise
There are multiple ways of handling old passwords. I would rather leave that discussion until later though.
Re: [Discussion] Downtime and Server Compromise
There's something I've been wondering since the beginning, but since nobody else asked I figured it must be a dumb question. Are the modifications downloads and the version downloads in a different place where they could not be accessed, so you know they are all OK? Also, he said he started on Jan 14 and the article where he got the idea was dated Jan 14, so hopefully that is true, but is there any way to be sure that is when he first got in? And this is a little off the subject, but I wonder if there is a way that someone can be notified every time a database dump of over a certain size is done, no matter who initiated it.
Re: [Discussion] Downtime and Server Compromise
CarolC1 wrote:
There's something I've been wondering since the beginning, but since nobody else asked I figured it must be a dumb question. Are the modifications downloads and the version downloads in a different place where they could not be accessed, so you know they are all OK? Also, he said he started on Jan 14 and the article where he got the idea was dated Jan 14, so hopefully that is true, but is there any way to be sure that is when he first got in? And this is a little off the subject, but I wonder if there is a way that someone can be notified every time a database dump of over a certain size is done, no matter who initiated it.
We have checksums of the MOD and Styles databases with which we can verify the integrity of the downloads.
Re: [Discussion] Downtime and Server Compromise
And that includes the version downloads and upgrade downloads as well then? (Thanks)
EDIT: Also is there any way to be sure he did not change a download, leave it that way for a week, then reverse the changes.
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [Discussion] Downtime and Server Compromise
We have logs and database backups that provide insight into when the attack was started.
The new system has been built up from scratch and nothing will be moved to it without first being checked. That includes MODs, styles, phpBB packages, avatars, attachments, etc. The downloads hosted on ohloh and sourceforge are in no way affected by this.
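As an added example (not phpBB's own tooling; the thread does not say which checksum algorithm or manifest format the team uses, so SHA-256 and sha256sum-style "digest  path" lines are assumptions here), the following Python script checks a directory of download packages against a trusted checksum manifest and reports each file as intact, modified or missing, plus any files present that the manifest never listed. The sample tree and manifest are constructed inside the script. A check like this only tells you what the files contain at the moment it runs, which is why the point above about logs and backups is what answers the "changed and later reverted" question.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large packages don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hexdigest>  <relative path>') into a dict.

    Blank lines and '#' comments are ignored. Assumed format, not phpBB's.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.strip()] = digest.strip().lower()
    return entries


def verify_tree(root, manifest):
    """Compare every manifest entry against the files under root.

    Returns (results, unlisted) where results maps each manifest path to
    'ok', 'modified' or 'missing', and unlisted is the sorted list of files
    found under root that the manifest does not mention. Unlisted files
    matter on a recovered server: nothing unexpected should ride along.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "modified"

    unlisted = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if rel not in manifest:
                unlisted.append(rel)
    return results, sorted(unlisted)


def demo():
    """Constructed sample: one intact package, one tampered, one missing, one unlisted."""
    root = tempfile.mkdtemp()
    intact = b"mod_a: original package bytes"
    tampered = b"mod_b: bytes that differ from the trusted copy"
    with open(os.path.join(root, "mod_a.zip"), "wb") as f:
        f.write(intact)
    with open(os.path.join(root, "mod_b.zip"), "wb") as f:
        f.write(tampered)
    with open(os.path.join(root, "unexpected.txt"), "wb") as f:
        f.write(b"file not in the trusted manifest")

    # Trusted manifest as it would have been recorded before the incident (constructed).
    manifest_text = "\n".join([
        "# sha256  path (constructed sample manifest)",
        f"{hashlib.sha256(intact).hexdigest()}  mod_a.zip",
        f"{hashlib.sha256(b'mod_b: original package bytes').hexdigest()}  mod_b.zip",
        f"{hashlib.sha256(b'style_c: original package bytes').hexdigest()}  style_c.zip",
    ])
    return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    results, unlisted = demo()
    for name, state in sorted(results.items()):
        print(f"{state:9s} {name}")
    for name in unlisted:
        print(f"unlisted  {name}")
```

Only files that are "ok" should be copied to the rebuilt system; "modified" and "unlisted" entries need a manual look before they move anywhere.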
- Nicholas the Italian
- Registered User
- Posts: 659
- Joined: Mon Nov 20, 2006 11:19 pm
- Location: 46°8' N, 12°13' E
- Contact:
Re: [Discussion] Downtime and Server Compromise
Marshalrusty wrote:
We have the choice of either reverting to an old "safe" backup or sanitising gigabytes of information.
Out of curiosity, what do you mean by "sanitising"?
Anyway, good luck and thanks for the hard work to all phpbb teams.
- Project Manager
- Posts: 273
- Joined: Thu Oct 27, 2005 1:45 am
Re: [Discussion] Downtime and Server Compromise
Nicholas the Italian wrote:
Out of curiosity, what do you mean by "sanitising"?
Anyway, good luck and thanks for the hard work to all phpbb teams.
http://dictionary.reference.com/browse/sanitise
Nothing on the compromised server can be trusted. Every piece of data transferred to the new setup must be cleaned (or sanitised) of possible malicious code. That includes the database.
Re: [Discussion] Downtime and Server Compromise
Thank you.
Last edited by CarolC1 on Thu Feb 05, 2009 6:49 am, edited 1 time in total.
- Registered User
- Posts: 8
- Joined: Thu Feb 05, 2009 1:38 am
Re: [Discussion] Downtime and Server Compromise
Howdy,
First off I'd like to say that I'm sorry for the frustrations phpbb is experiencing, and I hope you're all not pulling out your hair (my host was hacked once, and despite having a small site it took me hours upon hours to set everything right again...).
I have a pair of requests:
1. Could an e-mail be sent out to all those users who have accounts registered that may have been compromised (in other words, those who never logged in after the update)? I can't for the life of me remember if I logged into the forums since the new version and did the password update. I ran some checks on my less secure passwords in MD5 that I think I may have used, and they're both easily breakable off of a rainbow table I found on Google, so I'd really like to know if my password was compromised.
2. If I provide clear evidence of who I am, and handle it by the same e-mail as I had registered, could I get just my password hash if it is in the old MD5 format (if I didn't update)? It's been a long time since I was a regular on phpbb, and I've long since forgotten which password I was using. If I have my hash, I can run comparisons on all of the passwords I use and see which one was compromised, and take steps accordingly.
For the record, this is neither the account name, nor e-mail, for the account I'm referring to... I'd rather not draw attention to the account in case it is insecure.
Re: [Discussion] Downtime and Server Compromise
Option one may potentially be considered in the future. As for option two, I'm afraid to say that it's really not viable. There were many accounts that had not logged in since RC7, when password hashes were changed. Imagine what would happen if everyone were to make/be granted a request.
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.