[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by EXreaction »

If you forgot your password you should be able to use the "I forgot my password" link on login, which would send you an email to reset your password.

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

Could, perhaps, there be an automated system that handled that?

Something like:
-E-mail goes out informing everyone who was compromised.
-Go to website to get md5, asks you to enter your e-mail address.
-Confirmation code is sent to e-mail address.
-Enter confirmation code... get md5 hash.

Normally this wouldn't be a great idea since it does sort of have the potential to be abused if someone gets ahold of an e-mail account... but considering the full table including the md5s are floating on the internet right now (I refuse to download it on principle.. well, and legality), it's not exactly a gigantic risk.

I only ask because I'd really like to know if my account was affected, and if so which password I was using here so I can lock it down (and the sooner, the better). The attackers could very well use my e-mail to figure out my website and what not... and though I doubt I would have used an important password, I'd rather not take a chance on it. There must be some way for me to do so?

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

EXreaction wrote:If you forgot your password you should be able to use the "I forgot my password" link on login, which would send you an email to reset your password.
I'm not sure if you meant me or someone else, but I'll answer in case you were referring to me. :)

I would, but that doesn't help me determine if a password I use on another site might have been compromised, since I can't remember which password it was I had here. I need to know which password I was using to know if it was one that I use elsewhere. :)
-of course, that's only if I haven't logged in since they went to phpbb3. :)

bolverk
I've been banned
Posts: 280
Joined: Mon Feb 02, 2009 5:39 pm

Re: [Discussion] Downtime and Server Compromise

Post by bolverk »

Marshalrusty wrote:As far as the downtime, it has nothing to do with not having a mirror site. The attacker had access to the server for a 2 week period. This means that we would either have to revert to a 2 week old backup (and lose 2 weeks of information in the process) or run the full investigation that we are running now. This site is available for support while the main board remains offline.
By mirror I mean secondary, not necessarily online but a second source of all available downloads that phpBB.com currently provides. Even a basic ftp site with the converters, mods and styles available would suffice, since these are not available on sourceforge. Would it really be that much work to create a secondary independent storage location for all downloadable packages made available through the main site? The forums being down is not that much of an issue as you do have redundancy with area51 and google's cache of most of the support topics available.

TGI-ECT
Registered User
Posts: 10
Joined: Fri Dec 22, 2006 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by TGI-ECT »

I was given a link to a blog that would appear to be the blog of the person who did this criminal act (it is a criminal act, right) and I would like to know if we are allowed to use information the blogger posted to ask specific questions related to what the blogger wrote? I'm afraid there are a few things written on that blog which don't set well with my peace of mind. And, yes, I had an account on phpBB Community which I haven't accessed in about 2 plus years, so from what I'm reading I may have a problem, right? Thank you.
Not TGIF. Not TGIM. It's TGI "ECT". And it's pronounced "ekt".

Marshalrusty
Project Manager
Posts: 273
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty »

gonzoateafly wrote:I would, but that doesn't help me determine if a password I use on another site might have been compromised, since I can't remember which password it was I had here. I need to know which password I was using to know if it was one that I use elsewhere. :)
-of course, that's only if I haven't logged in since they went to phpbb3. :)
Your password on phpBB.com is secured with the new hashing system. You last visited phpBB.com on January 28th, 2009 at 3:58am UTC.

You couldn't remember that? :)
bolverk wrote:By mirror I mean secondary, not necessarily online but a second source of all available downloads that phpBB.com currently provides. Even a basic ftp site with the converters, mods and styles available would suffice, since these are not available on sourceforge. Would it really be that much work to create a secondary independent storage location for all downloadable packages made available through the main site? The forums being down is not that much of an issue as you do have redundancy with area51 and google's cache of most of the support topics available.
In order to provide MODs and Styles, the database (or a database of some sort) would need to be provided. The files, after all, need to be somehow identifiable. This all points to mirroring off of the main site. The main site was compromised 2 weeks ago, so anything mirrored from it would be considered compromised. We would not be able to provide the files until an investigation was performed. If not mirroring, then the main server would need to have the ability to write directly to the backup server. An attacker could gain access to the credentials as they would need to be available somewhere on the server (for it to be able to actually connect).

If you're suggesting something else and I'm misunderstanding you, please feel free to correct me.
TGI-ECT wrote:I was given a link to a blog that would appear to be the blog of the person who did this criminal act (it is a criminal act, right) and I would like to know if we are allowed to use information the blogger posted to ask specific questions related to what the blogger wrote? I'm afraid there are a few things written on that blog which don't set well with my peace of mind. And, yes, I had an account on phpBB Community which I haven't accessed in about 2 plus years, so from what I'm reading I may have a problem, right? Thank you.
I will be happy to take any private questions via PM.

TGI-ECT
Registered User
Posts: 10
Joined: Fri Dec 22, 2006 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by TGI-ECT »

Marshalrusty wrote:
TGI-ECT wrote: I was given a link to a blog that would appear to be the blog of the person who did this criminal act (it is a criminal act, right) and I would like to know if we are allowed to use information the blogger posted to ask specific questions related to what the blogger wrote? I'm afraid there are a few things written on that blog which don't set well with my peace of mind. And, yes, I had an account on phpBB Community which I haven't accessed in about 2 plus years, so from what I'm reading I may have a problem, right? Thank you.
I will be happy to take any private questions via PM.
I appreciate that. I know you're busy. But one of your colleagues is doing that right now. But, thank you for the offer.
Not TGIF. Not TGIM. It's TGI "ECT". And it's pronounced "ekt".

Marshalrusty
Project Manager
Posts: 273
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty »

TGI-ECT wrote:I appreciate that. I know you're busy. But one of your colleagues is doing that right now. But, thank you for the offer.
Even better :)

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

Marshalrusty wrote:
gonzoateafly wrote:I would, but that doesn't help me determine if a password I use on another site might have been compromised, since I can't remember which password it was I had here. I need to know which password I was using to know if it was one that I use elsewhere. :)
-of course, that's only if I haven't logged in since they went to phpbb3. :)
Your password on phpBB.com is secured with the new hashing system. You last visited phpBB.com on January 28th, 2009 at 3:58am UTC.

You couldn't remember that? :)
That's actually not the account I'm concerned about... I ended up with two accounts by mistake. I can explain it in full detail if you're interested, but long story short I have no idea when I last logged into the first account. I mentioned that this name and e-mail were different from the one I was referencing in my first post, because I wanted to avoid attention drawn to that account.

I'll send you a PM with a better explanation. :)

-Correction, I was actually contacted by another one of the team, and they are helping me. Thank you! :)

bbrunnrman
Registered User
Posts: 4
Joined: Thu Feb 05, 2009 6:18 am

Re: [Discussion] Downtime and Server Compromise

Post by bbrunnrman »

There's a little point I'd like to be totally clear about. In the original "Downtime and Server Compromise" post at viewtopic.php?f=71&t=29973
Marshalrusty wrote:phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login.
Many of the later posts suggest that users must actually change their passwords following phpBB2 to phpBB3 conversion in order for this hash conversion to take place. Is this true? I interpreted Marshalrusty's original statement as meaning that the hash conversion takes place automatically without requiring the user to change their password. Which is it? Note that while phpBB3 does include an option to require password changes after certain time intervals, that option isn't enabled by default. And users normally aren't prompted to change password following a phpBB2 to phpBB3 conversion.
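The mechanism the thread keeps circling (hashes converted "during the first user login", so an account that has not logged in since the phpBB2 to phpBB3 conversion still carries its old unsalted MD5) is the standard lazy-rehash-on-login pattern. The example below is added by the editor and is not phpBB's code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for phpBB3's own hash format, and all account names, passwords and hashes are constructed for the example. It also includes the offline check gonzoateafly was asking for: testing one's own candidate passwords against a leaked MD5 hash.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor for the "new" hash. Constructed for this example; phpBB3's real
# format (phpass-style) is different, the upgrade logic is what matters here.
PBKDF2_ITERATIONS = 200_000


def legacy_md5(password: str) -> str:
    """phpBB2-style hash: plain, unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_hash(stored: str) -> bool:
    """A bare 32-character hex string is treated as an unconverted MD5 hash."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def make_modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Stand-in for phpBB3's hash, not its actual format."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern_hash(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login(users: Dict[str, dict], username: str, password: str) -> bool:
    """Authenticate; on the first successful login of a legacy account, replace
    its MD5 with the modern hash. Nothing happens to accounts that never log in,
    which is exactly why long-dormant accounts keep their MD5 after a conversion."""
    user = users.get(username)
    if user is None:
        return False
    stored = user["password_hash"]
    if is_legacy_hash(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored.lower())
        if ok:
            # Upgrade in place: we only have the plaintext at login time.
            user["password_hash"] = make_modern_hash(password)
        return ok
    return verify_modern_hash(password, stored)


def match_legacy_hash(leaked_md5: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline check an affected user can run against their own leaked MD5:
    which of the passwords they personally use produced that hash."""
    for candidate in candidates:
        if hmac.compare_digest(legacy_md5(candidate), leaked_md5.lower()):
            return candidate
    return None


def sample_users() -> Dict[str, dict]:
    """Constructed user table as it would look right after a phpBB2 -> phpBB3
    conversion, before anyone has logged in: every hash is still unsalted MD5."""
    return {
        "alice": {"password_hash": legacy_md5("correct horse battery")},
        "bob": {"password_hash": legacy_md5("hunter2")},
    }


if __name__ == "__main__":
    users = sample_users()
    print("alice wrong password:", login(users, "alice", "nope"))
    print("alice logs in:", login(users, "alice", "correct horse battery"))
    print("alice still legacy?", is_legacy_hash(users["alice"]["password_hash"]))
    print("bob (never logged in) still legacy?", is_legacy_hash(users["bob"]["password_hash"]))
    print("bob's leaked MD5 matches:", match_legacy_hash(users["bob"]["password_hash"],
                                                       ["letmein", "hunter2"]))
```

The check that matters for this thread is the second-to-last line: an account that never authenticates after the conversion is never upgraded, regardless of whether a forced password change is configured, because the server only sees the plaintext at login time.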
