[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
The better thing to do is to leave the team to recover the phpBB site, and keep our eyes open for any other site on the web that might share the phpBB database.
Re: [Discussion] Downtime and Server Compromise
dowelld wrote:
It would surely be easy enough (once it's all back) to have a read-only mirror that was updated nightly somewhere else.

The hacker gained access on (or by) the 14th January - and was not kicked out till the 1st February.
So all the backups during that period are suspect.
We do take backups on a regular basis, but to lose 2-3 weeks of posts was not felt to be in the best interests of the community. We are therefore using the latest backup, but sanitizing it. That takes more time.
I can tell you the whole team is working flat out to get that sanitizing done, but making doubly sure nothing is left which is suspect.
A mirror with nightly backups would NOT have solved this as both would still have been suspect.
Starfoxtj Toolkit
ASAP member since 2004 - MS MVP (Windows Security) member since 2005
Live phpBB3 Forum
Re: [Discussion] Downtime and Server Compromise
I might have a clue.
Has anyone seen a post like this in their forums?

Hello!
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
And Bye!

Where the xxx's look like a session ID??
I found this on my board Feb 5th, 10:00 PM.
If a MOD or ADMIN wants more info such as the IP address of the poster, PM me.
Rusty
Re: [Discussion] Downtime and Server Compromise
@ rusty105
A clue about what?
The hack was nothing to do with phpBB3, other than it being done to the people who write the code, so whatever you found posted on your phpBB board isn't relevant in any way to the fact that phpBB.com was hacked.
@ ChrisRLG
I was only suggesting restoring an old copy of the mod database somewhere else, and restoring that as read-only access in the event of the worst-case scenario. In read-only mode the latest posts to the mod database wouldn't be massively relevant anyway.
As it stands phpBB has all but vanished from the web. Now I know you're all working hard to fix that, and thank you all for your efforts... but my original point stands: no one can modify their boards with the mods that are available, so they'll go install SMF or some other board, which will allow them to at least read how to change their board to do what they want.
It's about the provision of information in the worst-case scenario, and if you don't think it's worth it that's fine; it won't stop me using phpBB.
Re: [Discussion] Downtime and Server Compromise
rusty105 wrote:
If a MOD or ADMIN wants more info such as IP address of poster PM me

PMed.
Re: [Discussion] Downtime and Server Compromise
EXreaction wrote:
Yes, that's an idea. One could rehash the old 2.0.x MD5's with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.

Are you offering this as a solution for phpbb.com? If so, there's one problem: the plain-old MD5 password hashes are out there, no doubt being cracked. Just changing the hash doesn't help at all now, since it's going to be the exact same password anyway.
It's a rather huge problem, the fact that the users table was released publicly. There's basically no fix, now that all 300,000 user IDs, emails, usernames, passwords, etc. are out there. Even if you say, "Well, let's just delete/lock/ban those accounts," there are still many, many people who can be traced by email or username (outside of phpbb.com), and use the same username/password everywhere, often some moronic phrase such as an English word, or the exact same as the username.
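The login-time migration EXreaction describes (wrap each stored MD5 in the new hash without knowing the password, flag the row as legacy, verify the MD5 of the submitted password on login, then rehash the real password), as an added example that is not from this thread or from phpBB itself; the salted PBKDF2 scheme, the StoredCredential record and the function names are my own stand-ins for "the new system". As the reply above notes, this only hardens hashes at rest and does nothing for hashes that have already leaked.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed stand-in for the "new system": salted PBKDF2-HMAC-SHA256.
PBKDF2_ITER = 100_000


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    legacy_md5: bool  # True: digest covers the hex MD5 of the password, not the password


def legacy_md5_hex(password: str) -> str:
    """What an old 2.0.x-style users table held: unsalted hex MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITER)


def wrap_legacy_md5(md5_hex: str) -> StoredCredential:
    """Offline migration step: wrap an existing MD5 in the new scheme, no password needed."""
    salt = os.urandom(16)
    return StoredCredential(salt, pbkdf2(md5_hex.encode(), salt), legacy_md5=True)


def hash_new(password: str) -> StoredCredential:
    """Fresh credential in the new scheme, hashed directly over the password."""
    salt = os.urandom(16)
    return StoredCredential(salt, pbkdf2(password.encode(), salt), legacy_md5=False)


def login(cred: StoredCredential, submitted: str) -> tuple[bool, StoredCredential]:
    """Verify the submitted password; on success, upgrade a legacy-wrapped row in place."""
    if cred.legacy_md5:
        # Old rows: the inner value the new hash was computed over is md5(password).
        secret = legacy_md5_hex(submitted).encode()
    else:
        secret = submitted.encode()
    ok = hmac.compare_digest(pbkdf2(secret, cred.salt), cred.digest)
    if ok and cred.legacy_md5:
        cred = hash_new(submitted)  # now we know the password: drop the MD5 layer
    return ok, cred
```

The returned credential is what the caller writes back to the users row; after the first successful login the `legacy_md5` flag is cleared and the MD5 is gone.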
Re: [Discussion] Downtime and Server Compromise
dowelld wrote:
I was only suggesting restoring an old copy of the mod database somewhere else, and restoring that as read only access in the event of the worst case scenario. In read only mode the latest posts to the mod database wouldn't be massively relevant anyway.
As it stands phpBB has all but vanished from the web. Now I know you're all working hard to fix that, and thank you all for your efforts... but my original point stands, no one can modify their boards with the mods that are available, so they'll go install SMF or some other board, which will allow them to at least read how to change their board to do what they want.

Exactly the point I was trying to make earlier in the week; my last response was ignored, however.

bolverk » Yesterday 4:26 am wrote:
    Marshalrusty wrote:
    As far as the downtime, it has nothing to do with not having a mirror site. The attacker had access to the server for a 2 week period. This means that we would either have to revert to a 2 week old backup (and lose 2 weeks of information in the process) or run the full investigation that we are running now. This site is available for support while the main board remains offline.

    By mirror I mean secondary, not necessarily online but a second source of all available downloads that phpBB.com currently provides. Even a basic ftp site with the converters, mods and styles available would suffice, since these are not available on sourceforge. Would it really be that much work to create a secondary independent storage location for all downloadable packages made available through the main site? The forums being down is not that much of an issue as you do have redundancy with area51 and google's cache of most of the support topics available.

People visit phpbb.com for two reasons: to get support and to get software. The real accomplishment of this hacker is not that he exploited a vulnerable script or that he grabbed emails, usernames and passwords; it happens all the time and almost anybody can do it. The real achievement of this whole fiasco is that he's managed to cripple the main site of the most widely used BB system in the world for almost a week now. Had there not been a single point of failure for software delivery this whole thing could have had much less of an impact.
Re: [Discussion] Downtime and Server Compromise
rusty105 wrote:
I might have a clue.
Has anyone seen a post like this in their forums?

Hello!
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
And Bye!

Where the xxx's look like a session ID??
I found this on my board Feb 5th, 10:00 PM.
If a MOD or ADMIN wants more info such as the IP address of the poster, PM me.
Rusty

I had someone type something similar:

Hello!
(gibberish)
And bye!

The title of the topic was "testing". I deleted that member off of my forums, though.
Re: [Discussion] Downtime and Server Compromise
ChrisRLG wrote:
The hacker gained access on (or by) the 14th January - and was not kicked out till the 1st February.

I would like to know the earliest date you currently have indications or suspicions he was in, and as your investigation continues and that date may change, I would like to be updated on any change of the earliest date in a timely manner.
Could you please post the earliest date you have at this time? Thank you.

dowelld wrote:
The hack was nothing to do with phpBB3, other than it being done to the people who write the code, so whatever you found posted on your phpBB board isn't relevant in any way to the fact that phpBB.com was hacked.

I agree the phpBB software as written was security tested and found to be secure; however, they are still investigating the incident itself and may not have had time to complete the investigation, draw final conclusions, and release all findings. I would not make assumptions at this point.
Re: [Discussion] Downtime and Server Compromise
RMcGirr83 wrote:
IIRC, no non-human bot has broken the captcha.

That's not true at all! Tools are readily available for defeating the original Captcha.
http://blogs.zdnet.com/security/?p=1418
There is a newer version, called Captcha2, which is completely different, that still "appears" OK.