[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: [Discussion] Downtime and Server Compromise
The amount of data that was leaked has been detailed a few times in this topic -- the user table was released in its entirety, as well as the contents of the PHPList mailing list. Any spam you have received to your email address is completely unrelated -- an email address that was used only on phpbb.com (and was listed in both the users table and a separate piece of information that was leaked concerning team members) has yet to be targeted. As for forum spam, this too is unrelated: no information within the users table that was not available openly on the web could possibly point to your website. It's just a very poorly timed coincidence, nothing more.
My phpbb.com account
Note that any of my opinions expressed in RFC topics are my own and not necessarily representative of the opinion of the phpBB Team.
Re: [Discussion] Downtime and Server Compromise
dsiembab wrote:
It's just sad that it took someone stealing 100 of 1000's of user e-mails for the epiphany.

The real epiphany here is people should have to look both ways before crossing the road. I can't imagine any scenario where crossing the road safely isn't a cooperative effort between driver and pedestrian.
That said, suppose your overall argument holds -- there are automated tools that reliably detect website vulnerabilities. Let's go so far as to stipulate that one of these tools could have found the vulnerability in PHPList.
But let's forget about phpBB.com, because you seem to argue that all website operators can reliably and without exception use these tools and prevent a big mess. This I don't buy. There are several reasons I don't buy it.
For starters, by your argument, it's my responsibility to confirm before use that every element of my desktop OS and applications is not vulnerable. After all, they could turn my desktop box into a zombie and be the source of male enhancement spam up to killing your in-box entirely, yes? To get even close to securing my house, let alone my web hosting, I need to independently confirm the reliability of my virus scanner, my firewall, my router's firmware, my network appliances, my Palm OS and software, just to name a few -- and that on every update. Frankly, I'm just not that smart.
But, my website is a little less complex and involved. Or is it? Have I independently confirmed the integrity of the installed versions of PHP, MySQL, Apache, and CPanel I'm using? What about the ClamAV they're using to scan e-mail running through my account, to contain infections?
Or did you mean just user-installed and "one click" (e.g., Fantastico-installed) software when it comes to websites? Well, that might be straightforward enough. Every time I upload a script I just run the scanner. But, as we all know from phpBB alone, a background PHP version upgrade might open a hole in an otherwise acceptably secure piece of software. So what I really need is an on-demand vulnerability scanner, since 0-day exploits are really not my area of expertise as an ordinary shared hosting user. Not to mention that I do have a life...
To be honest, I get your point. I think the phpBB Team would have loved to have caught this before it got exploited. It may well be that the phpBB Team will be a little sharper for having gone through this experience. But the bad guy here is the bad guy, and not anybody else. Like drivers and pedestrians, an individual finding a hole in a site can work with the site operator to remedy the situation rather than driver and pedestrian playing the blame game when somebody gets run over. I really do object to the very idea that typical website owners can reliably, perpetually, and without exception secure their sites against intrusion, so necessarily and without exception it is their responsibility. If it were that easy, between them, hosting companies and software authors would already be making it unnecessary for me to do so.
Just my plugged nickel's worth.
"I hate trolls!" - Willow Ufgood
- Registered User
- Posts: 1
- Joined: Tue Feb 10, 2009 3:33 am
Re: [Discussion] Downtime and Server Compromise
Ouch, hope you get the website back up and running soon , if you need help in the area of hosting, I'll be more than glad to help. I feel lucky that 2 weeks ago I had to change my password when I accidentally typed it into an AIM window , and forgot to update my password on phpBB.com.
Re: [Discussion] Downtime and Server Compromise
deadeye536 wrote:
Ouch, hope you get the website back up and running soon, if you need help in the area of hosting, I'll be more than glad to help. I feel lucky that 2 weeks ago I had to change my password when I accidentally typed it into an AIM window, and forgot to update my password on phpBB.com.

We are quite good for hosting, we require a little more than your average user as well.
- Highway of Life
- Registered User
- Posts: 1399
- Joined: Tue Feb 08, 2005 10:18 pm
- Location: I'd love to change the World, but they won't give me the Source Code
- Contact:
Re: [Discussion] Downtime and Server Compromise
dsiembab wrote:
Ounce of prevention, pound of cure. The thing is you're right, you shouldn't have to; I shouldn't have to look both ways before crossing a road either, but I know if I don't there is a chance for an accident. It's just sad that it took someone stealing 100 of 1000's of user e-mails for the epiphany.

Let me ask you something: Do you, or anyone you know, as a server administrator or webmaster do a line-by-line security code audit of scripts that you install or use on your sites or server? If you, or they... do not, how do you know that you are going to be absolutely safe from an attack such as this? This is not a case of looking both ways to cross the road, that's actually a really bad analogy.
This is a case of where scripts or web applications that you install you trust to have taken security precautions, just as you would board an airplane and trust that the flight crew have taken security precautions to ensure the plane can takeoff, fly and land without incident. In our case, we are like passengers that have to get out and inspect the airplane ourselves. Should passengers have to do that? ...
dsiembab wrote:
I am just saying that it could have been prevented and now I am going to research how.

That is called hindsight.
neilwiththedeal wrote:
Also just what information was leaked and posted? Just email/pw/forum site I'm assuming. Are people still saying the spam influx on forums isn't related to the hack? My site is so small, I can't imagine spammers would have interest if it were not related to the leaking of our info. Also we just opened in Sept 08, not really enough time for word about our forum to circulate...?

Information leaked from the attack:
- Passwords used by users for PHPList.
- E-mail addresses listed on PHPList.
- E-mail addresses used for users who signed up on the forums of phpBB.com
- Passwords for users who were on phpBB.com and had not logged in since phpBB.com converted to phpBB3.
- Private Team Member information.
- Registered User
- Posts: 2
- Joined: Thu Feb 10, 2005 10:40 pm
Re: [Discussion] Downtime and Server Compromise
JRSweets wrote:
    PerfectReign wrote:
        Although it is very nice to discuss the level of testing needed in third party libraries, I'd be curious if there's an ETA as to when phpbb.com might be back online. I searched and didn't see anything.
    Acyd Burn posted this yesterday...
    Acyd Burn wrote:
        At the moment everything is going quite smooth. Depending on the time we are able to work on it (we all have day jobs too) I predict(!) 1-3 days. It will definitely not be an additional week.

Many thanks! I didn't see Acyd Burn's post. I thought I'd seen all the posts in this thread for the past few days.
- Registered User
- Posts: 3
- Joined: Sat Feb 07, 2009 6:39 am
Re: [Discussion] Downtime and Server Compromise
I say to save some time, just delete all posts that are over 2 years old, and delete all phpBB 2.x posts/forums. I mean, really do we need information that is that old?
Delete all MODS and have authors resubmit using the current MODX standard.
Since 2.x is not supported, why not just delete posts pertaining to that, delete the discussion posts since those are mostly useless anyway. Delete all the users inactive for over a year too. If you're worried about losing post counts, I am sure you can easily make it so deleting a post does not change post count.
That would:
- Lower the DB size quite a bit and speed up the site.
- Ensure all mods are easier to install manually and using installers, and make sure all mods work with 3.0.4 and beyond.
- Remove the outdated information and useless posts.
Last edited by sevenalive on Tue Feb 10, 2009 7:56 am, edited 1 time in total.
- Erik Frèrejean
- Registered User
- Posts: 207
- Joined: Thu Oct 25, 2007 2:25 pm
- Location: surfnet
- Contact:
Re: [Discussion] Downtime and Server Compromise
sevenalive wrote:
Before you say, we can't delete 2.x because people still use it. I say delete it for that reason alone, v3 is out, time to move on.

The posts will not be removed. The 2.0.x forums will go into archive mode until further notice, then they will be hidden from public view but maintained; there is just too much (useful) information there to just throw out of the window. IIRC the phpBB 1 forums are still @ .com.
You can't force users to update when it comes to open source software. If we remove it they will have to find their information on uncontrolled sites, and chances are that the information isn't correct there and complications will be blamed on the phpBB group. Therefore we will be providing an archive, as really every possible question is asked and answered on .com.
Available on .com
Support Toolkit developer
Re: [Discussion] Downtime and Server Compromise
dsiembab, it is an interesting utopia you paint. Surely, that would be nice. However, let's see if you practice what you preach - I mean, this philosophy of yours can and absolutely should be expanded to all areas of life, right?
Have you ever eaten anything to make you sick? I would bet you have. According to your view, that's your fault because you didn't check the food properly. Don't ask me how you should have done it, this is your idea.
OK, food is a necessity, hosting a forum isn't. Well, neither is driving a car, not to most people at least. Has anything ever happened to your car because of someone else? Your fault again, you should have protected your car better.
How about something even less essential, say having a child. If you have a child and something happens to him or her, is it again your fault for not having protected him or her well enough?
Of course, everyone understands your point, but you are presenting it in a manner that reminds me of a certain blogger who has been referred to in this thread multiple times. Now, there's a thought...
Re: [Discussion] Downtime and Server Compromise
Potku, you made my day