

Several of the web servers powering phpBB.com were compromised - thepanamus
https://www.phpbb.com/community/viewtopic.php?f=64&t=1186015

======
akersten
Is it just me, or does anyone wish that compromise disclosures were
hosted somewhere other than the site that has been compromised? What if
there's a persistent threat and their webserver is still hosed, injecting
0days into responses? Not that it's happening here - I still clicked it - but
I was hesitant.

~~~
protomyth
It is the one site you know the users will come to. I would do the new web
server at old address. Hacked machines should not be put back in service.

~~~
couchwire
I think what you want is the "Full Disclosure" mailing list:

    http://nmap.org/mailman/listinfo/fulldisclosure

~~~
protomyth
I'm pretty sure the affected people will visit the original site, and I'm not
sure they will visit the site you mention.

------
anw
Other than the obvious, some things worry me.

> We have confirmed that initial entry was made via a team member's
> compromised login details and not as the result of a vulnerability in the
> phpBB software.

> The attackers were able to obtain access to the phpBB.com and area51
> databases, meaning that user information, including hashed salted passwords,
> was compromised. Additionally, all logins on area51 between Dec. 12th and
> Dec. 15th were logged in plaintext. While the hashing algorithm utilized in
> phpBB will make it difficult to obtain those passwords, you should not take
> any chances.

A bit of clarification should be given. The staff's login information was
stolen, allowing someone to get a dump of the database containing user info.
What kind of login information was stolen? Is this a shell account, was an
SSH key stolen, was this an admin panel account?

Secondly, "all logins [...] were logged in plaintext". Does this mean the
username and password were logged, the password hashes and sessions? What
actual information was plaintext to the user?

It's great that groups are willing to own up to these kinds of events, but
without specific information, it's hard to understand how broad a compromise
we're talking.

~~~
ars
The hacker probably modified the code to log all passwords.

If you logged in on the dates specified you should assume your password has
been stolen.

------
couchwire
PhpBB, the gift that keeps on giving. Isn't phpBB one of the most compromised
pieces of software installed?

~~~
knieveltech
I'm pretty sure sendmail still wears that crown.

~~~
astrodust
Unpatched Exim was giving it a pretty good run for a while.

~~~
porker
Well well well. A sysadmin friend swears by exim as the safest mailserver
software ever. I will enjoy ribbing him at the pub on Friday :)

~~~
astrodust
Not a bad track record, but not flawless:
[http://www.cvedetails.com/vulnerability-list/vendor_id-10919...](http://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html)

The 9.3 one was world-destroying, nuke-from-orbit type bad.

"execute arbitrary code via an SMTP session" is not what you want to hear in a
bug report.

~~~
porker
Yikes!

I'm still impressed by qmail's track record:
[http://www.cvedetails.com/vulnerability-list/vendor_id-86/pr...](http://www.cvedetails.com/vulnerability-list/vendor_id-86/product_id-143/Dan-Bernstein-Qmail.html)

~~~
astrodust
As good as qmail is, the official release is so far behind the times it's
ridiculous. The unofficial patches, made unofficial by a stubborn refusal on
the part of the author to merge them in, have fixed most of these issues, but
then what's the point of using qmail if you have to use the untrusted version?

Sadly qmail is a lesson in how you can be correct and completely wrong at the
same time.

Imagine a completely secure operating system that only runs on 32-bit systems.
Could you actually advocate using it in a serious production capacity?

------
webo
I have a Google App Engine instance, and it started getting a lot of random
requests, which may be related to this. My website had 5,000 requests
yesterday (normally less than 50). The logs indicate a lot of these:

    221.145.183.89 - - [16/Dec/2014:04:11:43 -0800] "GET /bbs/zboard.php?id=notice&no=41&PHPSESSID=98802904391cd2920f0473f7956305be HTTP/1.1" 404

Might be some kind of DNS forwarding issue, but I don't want my server handling
unnecessary requests. What can I do?

~~~
McGlockenshire
That's an unrelated probe for a different, surely vulnerable, script -
Zeroboard.

If the attack probes disturb you, begin gathering their patterns and plonking
their IPs into a black hole using something like fail2ban. Er, well, that's
what I'd do on a normal system. Not sure what to do about that on GAE.
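A defender's version of the suggestion above, as an added example that is not from the thread: a small fail2ban-style filter in Python that parses combined-format log lines like the one quoted by webo, counts 404s on known scanner paths per source IP, and returns the IPs that crossed a threshold inside a time window. The zboard.php pattern comes from the thread; the other probe paths, the 198.51.100.7 address and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line, as in the GAE log quoted above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Paths this site never serves; zboard.php is the Zeroboard probe from the thread, the rest are constructed.
PROBE_PATTERNS = [re.compile(p, re.I) for p in
                  (r'/zboard\.php', r'/phpmyadmin', r'/wp-login\.php')]

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('path'), int(m.group('status'))

def is_probe(path, status):
    # A 404 on a path this site never served is the signature of blind scanning.
    return status == 404 and any(p.search(path) for p in PROBE_PATTERNS)

def ips_to_ban(lines, maxretry=3, window=timedelta(minutes=10)):
    """IPs with at least `maxretry` probes inside any `window` (fail2ban semantics)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_probe(parsed[2], parsed[3]):
            hits[parsed[0]].append(parsed[1])
    banned = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.add(ip)
                break
    return sorted(banned)

# Constructed sample lines modelled on the one quoted in the thread.
SAMPLE_LOG = [
    '221.145.183.89 - - [16/Dec/2014:04:11:43 -0800] "GET /bbs/zboard.php?id=notice&no=41 HTTP/1.1" 404',
    '221.145.183.89 - - [16/Dec/2014:04:11:44 -0800] "GET /zboard/zboard.php?id=free HTTP/1.1" 404',
    '221.145.183.89 - - [16/Dec/2014:04:11:45 -0800] "GET /phpmyadmin/ HTTP/1.1" 404',
    '198.51.100.7 - - [16/Dec/2014:04:12:01 -0800] "GET /index.html HTTP/1.1" 200',
    '198.51.100.7 - - [16/Dec/2014:05:30:00 -0800] "GET /wp-login.php HTTP/1.1" 404',  # one probe: below threshold
]

if __name__ == '__main__':
    print(ips_to_ban(SAMPLE_LOG))  # ['221.145.183.89']
```

The returned list is what you would hand to whatever blocking mechanism the hosting platform offers; the threshold and window mirror fail2ban's maxretry and findtime.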

~~~
webo
Thanks for the heads up. Didn't know about Zeroboard.

In case anybody is wondering, it is pretty easy to block IPs as well.

------
ikeboy
Can I point out that there's no need to link to a specific subforum when the
same message is on the homepage?

