Bad news - downtime / security breach

TrevHead (TVR)
Posts: 2781
Joined: Sat Jul 11, 2009 11:36 pm
Location: UK (west yorks)

Re: Bad news - downtime / security breach

Post by TrevHead (TVR) »

I'm sure BF won't mind me saying this:

But I just thought it might be an idea for all current trader members to contact any inactive or banned members they've had dealings with, or at least the most prolific ex-traders. I know it's like looking for a needle in a haystack, but if folk could jog their memory (which for shmuppers can't be that hard, can it? :P ) as to whether anyone has sent YOU any private info using PM, and anyone who you know or suspect should be contacted if possible (although people usually change their passwords and credit cards expire, so old timers don't need to check all through their history).

I know it's a pain, but it's better being safe than sorry, and it will probably save BF from an early grave due to a nervous breakdown or over-exhaustion :)
drauch wrote:Good job on getting it back up! I almost didn't know what I was gonna do with myself last night. Shmups forum is my facebook
I know what you mean, as I rarely bother with other forums (as most other forums are full of dicks or have too little or too many active members posting). In fact I only started Facebook and Twitter accounts 4 days ago, and only because I wanted to keep tabs on Cave World and Shmups Twitter properly :lol:
Sumez
Posts: 8819
Joined: Fri Feb 18, 2011 10:11 am
Location: Denmarku

Re: Bad news - downtime / security breach

Post by Sumez »

Shmupface
system11
Posts: 6290
Joined: Tue Jan 25, 2005 10:17 pm
Location: UK

Re: Bad news - downtime / security breach

Post by system11 »

TrevHead (TVR) wrote:and credit cards expire
I really hope nobody has been sending credit card details via PMs on any forum. I did look around at one point but came up blank looking for a PHP mod that would automatically censor anything matching a Luhn check (for those who don't know, it's a check for valid CC numbers).
System11's random blog, with things - and stuff!
http://blog.system11.org
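The censor system11 describes above, written here as an added illustration rather than code from the forum or from any phpBB mod: it scans message text for digit runs (allowing the spaces or dashes people type between card groups), keeps only those that pass the Luhn mod-10 check, and masks them before the PM is stored. The mod he was looking for would be PHP; this is Python for demonstration, and the sample messages and the mask text are my own constructed values.

```python
import re

# Candidate runs of 13 to 19 digits, optionally separated by single spaces or dashes
# ("4111 1111 1111 1111"). Lookarounds stop us matching inside longer digit strings.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Walking from the rightmost digit, every second digit is doubled and, if the
    result is two digits, 9 is subtracted (equivalent to summing its digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> tuple[str, int]:
    """Mask Luhn-valid digit runs in a message; return (new_text, number_masked).

    Phone numbers, tracking numbers and most order ids of similar length
    usually fail Luhn, so they are left untouched. A run that passes is
    replaced wholesale rather than partially masked, so no digits leak.
    """
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        count += 1
        return "[card number removed]"

    return _CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    # Constructed sample PM using the well-known 4111... test card number.
    pm = "PayPal is fine, or card 4111 1111 1111 1111, tracking 1234567890123"
    print(redact_card_numbers(pm))
```

Only messages that actually contain a Luhn-valid run are altered, so the count can be logged as a signal that someone is pasting card data into PMs.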
TrevHead (TVR)
Posts: 2781
Joined: Sat Jul 11, 2009 11:36 pm
Location: UK (west yorks)

Re: Bad news - downtime / security breach

Post by TrevHead (TVR) »

You're right, nobody would be dumb enough to send CC info in a forum PM, it's just me being paranoid and expecting the worst in other people :oops:
spadgy
Posts: 6675
Joined: Tue Nov 06, 2007 5:26 pm
Location: Casino Arcade (RIP), UK.

Re: Bad news - downtime / security breach

Post by spadgy »

system11 wrote:Someone noted to me that it's probably worth explaining something I took for granted.

I can't prove they didn't take a copy of the database. It seems unlikely given that they wanted to use the box as a spamhost, but it's impossible to prove. Members who regularly use the trading forum might want to check through their saved messages to see if they've sent anything sensitive. I would hope they haven't, it should mostly be ways for other people to give you money, after all.
I'll ask a couple of very basic questions because I imagine a lot of people less familiar with the technical language about what's happened may want to know.

1) The only details any of my PMs (inbox and sent) contain are email addresses for Paypal (my own and people I've paid) and postage address (again, my own, and people I've sent stuff to). Does that count as 'sensitive' in the context of this hack? I think the answer's 'no'.

2) Presumably sensitive data would be passwords, card details etc. I'm lucky not to have anything like that in my PMs, but for those who may have something like that, what should they do? Change details with that card provider/website etc?
system11
Posts: 6290
Joined: Tue Jan 25, 2005 10:17 pm
Location: UK

Re: Bad news - downtime / security breach

Post by system11 »

spadgy wrote:2) Presumably sensitive data would be passwords, card details etc. I'm lucky not to have anything like that in my PMs, but for those who may have something like that, what should they do? Change details with that card provider/website etc?
That's a risk they'll have to evaluate. Having them there in the first place would be really, really bad since web traffic is easily sniffed, and the last thing in the world you want to do is transmit a card number without SSL. I doubt anyone has done this though..
System11's random blog, with things - and stuff!
http://blog.system11.org
jonny5
Posts: 5081
Joined: Sat Feb 16, 2008 5:48 pm
Location: toronto

Re: Bad news - downtime / security breach

Post by jonny5 »

Well do I feel like an ass! :oops:

I just spent the last 2 days trying to log in, reset my password dozens of times, before I realized I had to click the link in the email to activate the new password. :oops: :lol:

Thanks for getting everything back up and running BF!

PS - The administrator link when you fail login is bouncing back undeliverable.
system11
Posts: 6290
Joined: Tue Jan 25, 2005 10:17 pm
Location: UK

Re: Bad news - downtime / security breach

Post by system11 »

jonny5 wrote:Well do I feel like an ass! :oops:

I just spent the last 2 days trying to log in, reset my password dozens of times, before I realized I had to click the link in the email to activate the new password. :oops: :lol:

Thanks for getting everything back up and running BF!

PS - The administrator link when you fail login is bouncing back undeliverable.
I need to fix that - I kind of left it broken on purpose for a while, spambots just /love/ to send email to it.
System11's random blog, with things - and stuff!
http://blog.system11.org
null1024
Posts: 3823
Joined: Sat Dec 15, 2007 8:52 pm
Location: ʍoquıɐɹ ǝɥʇ ɹǝʌo 'ǝɹǝɥʍǝɯos

Re: Bad news - downtime / security breach

Post by null1024 »

system11 wrote:
louisg wrote:Hey bloodf, were the passwords salted?
You'll have to look up what PHP does by default.

I think I've fixed the session handling problem now, it's a change in PHP which is now the newest version, I've had to put a workaround in for now but the correct fix is going to take a little longer.
It looks like it generates a salt if you don't provide one [if the passwords were hashed with crypt()].
http://php.net/manual/en/function.crypt.php
Come check out my website, I guess. Random stuff I've worked on over the last two decades.
Thunder Force
Posts: 1773
Joined: Wed Jan 26, 2005 11:21 am
Location: research and development facility for Vasteel Technology.

Re: Bad news - downtime / security breach

Post by Thunder Force »

Kudos to bloodf for spotting this and fixing it, with clear communication to users throughout. If only all internet forums were run so professionally.
"Thunder Force VI does not suck, shut your fucking mouth." ~ Shane Bettenhausen
Skykid
Posts: 17661
Joined: Sun Nov 18, 2007 2:16 pm
Location: Planet Dust Asia

Re: Bad news - downtime / security breach

Post by Skykid »

It was time for a password overhaul anyway, so I changed all my accounts etc.

However, some odd activity: Prior to the server migration I was having issues with cookies not being recognised for this forum (or something), as I would keep getting logged out all the time. Sometimes browsing between pages.

After the server migration, I can't actually log in at all on Safari (my main browser). Each time it says I'm logged in successfully, and then immediately logs me out again.

Weirdly, I've got no issues of this with Firefox (what I'm on now.)

Any ideas? I tried clearing my Safari cache, but it didn't do anything.
Always outnumbered, never outgunned - No zuo no die

xris
Posts: 817
Joined: Mon Nov 09, 2009 12:27 am

Re: Bad news - downtime / security breach

Post by xris »

Well that just sucks. I'm sorry that this is such a hassle for you, sometimes people just suck.
Thank you very much for the continuing hard work, we really appreciate it!
And, thank you for the fair warning!
system11
Posts: 6290
Joined: Tue Jan 25, 2005 10:17 pm
Location: UK

Re: Bad news - downtime / security breach

Post by system11 »

Skykid wrote:It was time for a password overhaul anyway, so I changed all my accounts etc.

However, some odd activity: Prior to the server migration I was having issues with cookies not being recognised for this forum (or something), as I would keep getting logged out all the time. Sometimes browsing between pages.

After the server migration, I can't actually log in at all on Safari (my main browser). Each time it says I'm logged in successfully, and then immediately logs me out again.

Weirdly, I've got no issues of this with Firefox (what I'm on now.)

Any ideas? I tried clearing my Safari cache, but it didn't do anything.
Manually kill any cookies with system11.org in them and try again.
System11's random blog, with things - and stuff!
http://blog.system11.org
idchappy
Posts: 197
Joined: Tue Dec 14, 2010 8:21 pm
Location: Edinburgh

Re: Bad news - downtime / security breach

Post by idchappy »

Quite a few places seem to have been hit like this since Christmas; Play.com got ripped as well, didn't they?
I think that's how they got/guessed the sign-in password to my MSN account and started trying to spam everyone on my contacts list :roll: :evil:
Give me a like on Facebook if you can :-) :
https://www.facebook.com/pages/Arcadedr ... 450?ref=hl

Bring back Skykid \O/
Herr Schatten
Posts: 3287
Joined: Wed Jan 26, 2005 12:14 pm
Location: Germany

Re: Bad news - downtime / security breach

Post by Herr Schatten »

Thunder Force wrote:Kudos to bloodf for spotting this and fixing it, with clear communication to users throughout. If only all internet forums were run so professionally.
I second this.
Krimzon Kitzune
Posts: 331
Joined: Wed Jun 15, 2005 8:31 pm

Re: Bad news - downtime / security breach

Post by Krimzon Kitzune »

drauch wrote:Good job on getting it back up! I almost didn't know what I was gonna do with myself last night. Shmups forum is my facebook.
Same here. I haven't posted terribly often before, but I find myself frequenting the forums as of late and posting at that.
".... that would be rubbish."
Rock Man
Posts: 527
Joined: Sat Mar 06, 2010 10:52 pm
Location: Southtown

Re: Bad news - downtime / security breach

Post by Rock Man »

Dammit, I can't recall whether I re-used the same password or not. This is gonna be hell trying to cycle through all of my possibles to determine whether or not the password used here is at other forums. Being that I don't frequent certain other places anymore. Drag.

I'm sorry everyone else is suffering too. I wondered why the site went down the other day. Didn't realize it also happened yesterday, what a violent incursion.
ASK
Posts: 263
Joined: Thu Jul 27, 2006 11:16 pm
Location: Toronto

Re: Bad news - downtime / security breach

Post by ASK »

What version of Exim were you running? I remember the advisory, I'd been running 4.69 for many years, but on FreeBSD so I don't think we were vulnerable -- went through with upgrading ASAP anyways. Worthwhile to subscribe to the mailing lists of the software you run, especially if they have a security list!
ncc1701p
Posts: 12
Joined: Sun Jun 19, 2005 6:54 am
Location: Phoenix, AZ

Re: Bad news - downtime / security breach

Post by ncc1701p »

Not for anything, and I rarely post here. I lurk mostly..

But Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group

I've run/admin'd these types of boards in the past and I reckon that this is a tad bit out of date. Have there been upgrades/maintenance?

last version 3.0.8 dated 11/20/2010
[ This Signature Space intentionally left blank]
system11
Posts: 6290
Joined: Tue Jan 25, 2005 10:17 pm
Location: UK

Re: Bad news - downtime / security breach

Post by system11 »

That's just a text string in a theme footer - we're not quite at the latest revision, but very close. I do have an upgraded test copy on the latest but typically for PHPbb they've made subrevision changes which significantly alter the code, and I'm not sure I trust it yet. When the switch happens it will be very difficult to go backwards from without a total data rollback, possibly weeks after the fact.
System11's random blog, with things - and stuff!
http://blog.system11.org
StarCreator
Posts: 1943
Joined: Mon Jan 12, 2009 2:44 am
Location: Maryland, USA

Re: Bad news - downtime / security breach

Post by StarCreator »

Also, I take it from this thread that phpBB wasn't the attack vector anyway.

I run a phpBB instance or two myself and have held back on upgrades because of how hard it is to maintain custom code in the process - extending phpBB is still a hacky proposition that often involves instructions like "insert this code at line 46 of includes.php". At this point I'm probably waiting for a major/minor release rather than bumping up to merely the next revision.