

Bitcointalk Forum Hacked - rdl
http://pastebin.com/jg1ysuHT

======
nwh
It should be noted that it appears to be a persistent hack that has been
around for some time. The defacement was quite a lengthy animated video. The
attacker had at least access as the PHP user, which of course has database
access.

There's a video of the defacement here —
[http://youtu.be/LKrOHAfMdxI](http://youtu.be/LKrOHAfMdxI)

A 50BTC bounty has been offered by Theymos (author of the advisory), awarded
to anyone who can find the source of the compromise. It's near impossible for
an outsider though as despite it running SMF, there's been extensive
modifications which may have been the source of the vulnerability.

~~~
citricsquid
Source on the bounty:
[http://www.reddit.com/r/Bitcoin/comments/1nmdq4/bitcointalk_...](http://www.reddit.com/r/Bitcoin/comments/1nmdq4/bitcointalk_hacked/ccjyjti)
also with an update:

    Update: It's unfortunately worse than I thought. There's a good chance
    that the attacker(s) could have executed arbitrary PHP code and therefore
    could have accessed the database, but I'm not sure yet how difficult
    this would be. I'm sending out a mass mailing to all Forum users about this.

Personally I suspect that it's due to misconfigured nginx which allows
uploaded files to be executed, a user in #bitcoin demonstrated they could
upload a PHP file using an exploit in the avatar uploading system, although
theymos did have someone looking at the nginx configurations about 6 hours ago
and hasn't mentioned finding anything.

------
adamnemecek
The gov't sure has been busy considering it's supposed to be shutdown.

/puts on tin foil hat

~~~
ubernostrum
There are approximately fifty zillion "what exactly gets cut off in a
government shutdown" articles floating around, meaning it's not terribly hard
to actually find out what's still operating and what isn't. Plus, anything
that was going on before the shutdown doesn't get magically
back-in-time-un-happened by it.

~~~
adamnemecek
Because I was being 100% serious.

------
th3ym05
[http://pastebin.com/4Hf37D9H](http://pastebin.com/4Hf37D9H)

~~~
NKCSS
:) nice to have the one responsible confirm that the db was dumped.

------
hmottestad
7500 rounds of sha256 :)

Anyone know how long it would take to crack an 8-character password on a
laptop?

~~~
wereHamster
Yes, use a hash algorithm which the whole bitcoin community races to come up
with ever faster ASICs. Brilliant. scrypt/bcrypt anyone?

~~~
viraptor
Hardware ASICs are specialised for bitcoin. They wouldn't be useful for hash
cracking unless they were modified.

------
davedx
Not a good week for Bitcoin.

~~~
drcross
Last time I checked, the bitcoin protocol was doing exactly as it was supposed
to.

~~~
PilateDeGuerre
This sort of reply is a classic sort of reply in which a hacker ignores the
social context of technology.

------
sickpig
Bitcointalk.org users data for sale?

see [http://pastebin.com/6S2H21eF](http://pastebin.com/6S2H21eF)

~~~
scottcanoni
No one has purchased this (yet).

[https://blockchain.info/address/1t4k5Y4NFFkvEAqBPymW2PDA5pZq...](https://blockchain.info/address/1t4k5Y4NFFkvEAqBPymW2PDA5pZqiRm11)

------
dpweb
Why is 7500 rounds the optimal number?

~~~
nly
Bitcointalk is a busy site. It could be the most they could get away with
without burdening their server.

~~~
NKCSS
Then you just add a CUDA enabled vga card to the server and all of a sudden,
you can handle a lot more load.

~~~
nly
Sure, and that's one of the problems with server-side key strengthening. You
start off making a cracker do a thousand or million fold more work. They go
and get better technology, like a GPU or an ASIC. So then you have to go
upgrade your own hardware, or skimp and make the user wait for 1, 10 or 30
seconds while they login and you strengthen their password. It's an arms race
and not something a star-topology (single server serving potentially thousands
of users) is going to scale well on. You want those cycles rendering your HTML
or doing something valuable.

Client-side password stretching and memoization simply makes more sense.
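As an added example (not code from the thread or from bitcointalk), here is a salted, iterated SHA-256 stretch in the spirit of the "7500 rounds" scheme discussed above, plus a calibration helper that picks a round count for a given per-login time budget, which is the server-load trade-off nly describes. The record format, the chaining order and the default of 7500 rounds are assumptions; the forum's actual scheme is not known here.

```python
import hashlib
import hmac
import os
import time

# Assumed default, taken from the "7500 rounds of sha256" remark in the thread.
DEFAULT_ROUNDS = 7500


def stretch_sha256(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Chain SHA-256 `rounds` times over salt+password (constructed scheme).
    Note: plain SHA-256 is exactly what bitcoin mining hardware computes, so
    rounds buy linear cost only; a memory-hard KDF (scrypt/bcrypt) changes that."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS, salt=None) -> str:
    """Return a self-describing record 'rounds$salt_hex$digest_hex' so the
    round count can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    return f"{rounds}${salt.hex()}${stretch_sha256(password, salt, rounds).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    rounds_s, salt_hex, digest_hex = record.split("$")
    actual = stretch_sha256(password, bytes.fromhex(salt_hex), int(rounds_s))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def calibrate_rounds(target_seconds: float, minimum: int = DEFAULT_ROUNDS) -> int:
    """Choose a round count that costs about `target_seconds` per login on
    this machine, never below `minimum`. Every round added costs the server
    the same on each login as it costs a guesser per candidate."""
    probe = 2000
    start = time.perf_counter()
    stretch_sha256("calibration-only", b"\x00" * 16, probe)
    per_round = max((time.perf_counter() - start) / probe, 1e-9)
    return max(minimum, int(target_seconds / per_round))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec, verify_password("correct horse battery staple", rec))
    print("rounds for a 100 ms login budget:", calibrate_rounds(0.1))
```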

