I just got a nasty message about this board in my email...


Postby hopsterguy » Sat Apr 16, 2005 4:40 pm

The following is an email sent to you by an administrator of "OWNED BY DIV0: PROJECT INFINITY - GREETS TO EVERYONE IN #HACKERS". If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address:

owned@frostjedi.com

Include this full email (particularly the headers).

Message sent to you follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dear frostjedi forum user.

Due to the incompetence of the admin 'TerraFrost', your personal details have been compromised and all passwords and referer info stolen. To protect yourself from further harm, please change your password.

username: TerraFrost
password: zel*****

full disclosure: http://www.milw0rm.com/id.php?id=910
if the forum is not updated in two days, it will be removed


-div0: PROJECT INFINITY
hopsterguy
Traveler
 
Posts: 2
Joined: Wed Mar 16, 2005 7:57 pm

Postby TerraFrost » Sat Apr 16, 2005 5:11 pm

All I see is my old password. Yours may have been compromised, or it may not have been. I, personally, believe it probably hasn't been, though. They got the password through SQL injection - through tricking the board to show them the password hashes in place of something else. The password hashes, however, must be brute forced to be of any use. It does them no good to brute force the password of a normal user and is a waste of their time, in fact.

If it suits you to ignore this on the basis that I'm "incompetent", fine. Change your password.

Also, on the subject of my supposed incompetence, let me say this - that I have released quite a few phpBB MOD-ifications on my own and the vulnerability that was exploited wasn't in any of those.
TerraFrost
Legendary Guard
 
Posts: 12357
Joined: Wed Dec 04, 2002 6:37 am

Postby markus_petrux » Sat Apr 16, 2005 6:40 pm

Yep. I do believe in your competence.

However, one way or the other, they have got access to your user database, which is no good. Once you've been compromised you don't know exactly what they have really done.

Maybe they did it through a recent security issue in CalPro. IIRC, Martin released a fix a while back.
no sig, yet :)
markus_petrux
Traveler
 
Posts: 19
Joined: Mon Feb 28, 2005 12:49 am

Postby TerraFrost » Sat Apr 16, 2005 6:49 pm

Their "full disclosure" suggests that it was indeed CalPro. Specifically, they used SQL injection.

That said, that which can be done with SQL injection is limited, as far as I know. Consider the following:

$sql2 wrote:SELECT user_id, username, user_email FROM phpbb_users WHERE username = ''; UPDATE phpbb_users SET user_password='098f6bcd4621d373cade4e832627b4f6' WHERE user_id=2 #'


The part in red (everything from the second ' through the #) is the part that was inserted. It only works if ' aren't escaped. Anyway, the above query won't work, because PHP can only do one query at a time with their query commands (ref). As such, people can't, through SQL injection, change data, delete data, or whatever. All they can do is read it, through UNIONs. Now, most information associated with phpbb_users is trivial. The only really important piece of info stored there is the password, and that's protected with an MD5 hash, which can only be brute forced. Brute forcing is no easy task (it can take days, weeks, months, or even years, depending on the complexity of the password), either, and as such, I believe that the harm that they could have done and could do, in the future, is quite negligible.

Now, they could have done other stuff through the ACP, but off hand, I can't think of anything that they could do that isn't uber reversible.
TerraFrost
Legendary Guard
 
Posts: 12357
Joined: Wed Dec 04, 2002 6:37 am
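The concatenated query quoted above placed next to its parameterized form, as an added example that is not part of this thread or of CalPro: it runs the thread's own injected string and a legitimate apostrophe through both. SQLite stands in for MySQL (an assumption), and the phpbb_users rows are constructed.

```python
import sqlite3

# Constructed stand-in rows for phpbb_users (not real data); the hashes are filler.
USERS = [
    (2, "TerraFrost", "admin@example.invalid", "0" * 32),
    (3, "O'Brien", "ob@example.invalid", "1" * 32),
]
# The injected string quoted in the thread, verbatim (098f6b... is md5("test")).
STACKED = "'; UPDATE phpbb_users SET user_password='098f6bcd4621d373cade4e832627b4f6' WHERE user_id=2 #"


def make_db():
    conn = sqlite3.connect(":memory:")  # SQLite stands in for MySQL here (assumption)
    conn.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_email TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """Vulnerable: the value is pasted into the SQL text, so a quote in it becomes syntax."""
    sql = "SELECT user_id, username, user_email FROM phpbb_users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened: the driver binds the value separately; quotes in it stay data."""
    sql = "SELECT user_id, username, user_email FROM phpbb_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def admin_hash(conn):
    return conn.execute("SELECT user_password FROM phpbb_users WHERE user_id = 2").fetchone()[0]


def demo():
    """Run both lookups against the thread's payload and a real apostrophe; report what happened."""
    conn, out = make_db(), {}
    # 1. The stacked UPDATE: the driver refuses a second statement, as the thread says mysql_query
    #    does, so the hash survives. That is a property of the driver, not of the concatenating code.
    try:
        lookup_concat(conn, STACKED)
        out["stacked_concat"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["stacked_concat"] = "rejected"
    out["hash_intact"] = admin_hash(conn) == USERS[0][3]
    # 2. A genuine user called O'Brien breaks the concatenated query outright...
    try:
        lookup_concat(conn, "O'Brien")
        out["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        out["apostrophe_concat"] = "syntax error"
    # 3. ...while the bound version finds him and treats the payload as a username nobody has.
    out["apostrophe_param"] = len(lookup_param(conn, "O'Brien"))
    out["stacked_param"] = len(lookup_param(conn, STACKED))
    return out
```

The one-statement-at-a-time limit only blocks the stacked form; a UNION inside the same statement still reads data, which is why binding the value is the actual fix.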

Postby Drazo » Sat Apr 16, 2005 6:53 pm

Maybe we can report http://www.milw0rm.com as an illegal (hacker scripts) site?
[Don't watch here carefully]
Drazo
Heroic Guard
 
Posts: 3935
Joined: Mon Jan 06, 2003 8:59 pm

Postby TerraFrost » Sat Apr 16, 2005 6:58 pm

It wouldn't accomplish a whole lot. There are dozens of such sites out there, and I believe they, ultimately, have their positive uses. They build awareness of security issues. Now, some people may get a little overzealous in their demonstration of a bug, but I don't think there's much that can be done about that. The people who found the bug are most likely not the people who exploited it.

That said, if someone finds anything I've said to be in error, please do correct me.
TerraFrost
Legendary Guard
 
Posts: 12357
Joined: Wed Dec 04, 2002 6:37 am

Postby markus_petrux » Sat Apr 16, 2005 7:28 pm

SQL injection can be used to retrieve the admin hash, so they can get access to the ACP and do a backup restore... for instance.
no sig, yet :)
markus_petrux
Traveler
 
Posts: 19
Joined: Mon Feb 28, 2005 12:49 am

Postby TerraFrost » Sat Apr 16, 2005 7:39 pm

hmmm. That's a good point. In that way, they could also change stuff. Thankfully, phpBB's backup restores don't work too well for large databases (i.e. most servers have http uploads capped at 2mb). :)

Is there anything else that's not uber reversible that they could have done? Like I said, I can't think of any, off hand...
TerraFrost
Legendary Guard
 
Posts: 12357
Joined: Wed Dec 04, 2002 6:37 am

Postby TerraFrost » Sat Apr 16, 2005 7:45 pm

Actually, I guess they could just run any arbitrary SQL at that point. The backup they restore doesn't necessarily have to be a backup, per se.
TerraFrost
Legendary Guard
 
Posts: 12357
Joined: Wed Dec 04, 2002 6:37 am

Postby markus_petrux » Sat Apr 16, 2005 7:52 pm

I would check apache logs and try to analyze all strange requests, especially those performed with the same IP used to exploit that CalPro vulnerability.

You'll probably identify such requests easily, since apache logs contain the whole URLs with all get vars used.

If they got a DB backup, make sure you don't have sensitive information posted in hidden forums.

Also, it is not too difficult to brute force MD5 hashes these days. Make sure your admin password here IS different than the one used to access your control panel, FTP account, etc.

If your webserver is NOT running the latest PHP and MySQL versions, they could have exploited any vulnerability in those components as well by trying to restore harmful data via your ACP.
no sig, yet :)
markus_petrux
Traveler
 
Posts: 19
Joined: Mon Feb 28, 2005 12:49 am

Postby markus_petrux » Sat Apr 16, 2005 9:33 pm

markus_petrux wrote:I would check apache logs and try to analyze all strange requests, especially those performed with the same IP used to exploit that CalPro vulnerability.

In fact, Martin thought about this as well. You might find his little tool posted here really handy:
http://www.snailsource.com/forum/viewtopic.php?t=2975

Quoting the first part of the message for those with no access to the above-mentioned topic, which is restricted to CalPro users, I think.

Following on from the exploit issue with CalPro I've realised it would be very useful to have a tool that could parse the apache log(s) and provide you with quick information on:

* Which user accounts were targeted
* The IP addresses for any hits that were attempted

To that end I've written a rough and ready hack to do just that.
no sig, yet :)
markus_petrux
Traveler
 
Posts: 19
Joined: Mon Feb 28, 2005 12:49 am
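A small version of the log review markus describes above and of the parser Martin is quoted describing, added here as an example and not Martin's tool or anyone else's code from the thread: it parses Apache combined-format lines, URL-decodes every query parameter, flags values where a quote is followed by a statement separator or SQL keyword, or where a comment marker would truncate the rest of the query, and groups the hits by source IP. The log lines, the /calendar.php path and the username parameter are constructed assumptions, chosen to match the "WHERE username = ''" query quoted earlier in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines for the demo; not taken from any real log.
# The /calendar.php path and the "username" parameter are assumptions, not CalPro's real URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2005:13:02:11 -0500] "GET /calendar.php?mode=view&username=TerraFrost%27%20UNION%20SELECT%201%2C2%2C3%23 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.4 - - [16/Apr/2005:13:03:40 -0500] "GET /calendar.php?mode=view&username=O%27Brien HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2005:13:04:02 -0500] "GET /viewtopic.php?t=12 HTTP/1.1" 200 9011 "-" "Mozilla/4.0"
192.0.2.9 - - [16/Apr/2005:13:05:55 -0500] "GET /calendar.php?mode=view&username=hopsterguy%27%3B%20UPDATE%20phpbb_users%20SET%20user_password%3D%27x%27%20WHERE%20user_id%3D2%20%23 HTTP/1.1" 200 5120 "-" "curl/7.12"
"""

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A lone apostrophe (O'Brien) is normal. A quote followed by a statement separator or a SQL
# keyword, or a comment marker that would cut off the rest of the query, is not.
INJECT_RE = re.compile(r"(?i)'\s*(;|union\b|select\b|or\b|and\b)|#|--|/\*")


def scan_log(text):
    """Return one finding per request whose decoded query-string value looks like SQL injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl hands back URL-decoded values, so %27 is already a quote here.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if INJECT_RE.search(value):
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "path": parts.path, "param": name,
                    # Text before the first quote is the account the request named (assumes the
                    # injected parameter is the username, as in the thread's quoted query).
                    "account": value.split("'", 1)[0], "payload": value,
                })
    return findings


def by_ip(findings):
    """Group findings by source address so every other request from that address can be reviewed."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["ip"]].append(f)
    return dict(grouped)
```

Once the IPs are known, the next step markus suggests is to pull every request from those addresses, flagged or not, since the interesting ones after the initial hit may carry no injection marker at all.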

Postby ~HG~ » Sun Apr 17, 2005 12:26 am

I would be interested to hear if this occurred before the release of 2.0.14 and if 2.0.14 was released as a result (not necessarily on this board) of such a hacking ???
~HG~
~HG~
Traveler
 
Posts: 7
Joined: Sun Jan 02, 2005 4:23 am
Location: Australia

Postby TerraFrost » Sun Apr 17, 2005 12:51 am

This occurred due to a vulnerability in this modification and this modification alone.

phpBB 2.0.13 is, for the most part, quite secure, as evidenced by the fact that phpBB 2.0.14 is not a "critical release" (whereas 2.0.13 was).

Anyway, thanks for the links, markus :)
TerraFrost
Legendary Guard
 
Posts: 12357
Joined: Wed Dec 04, 2002 6:37 am

Postby Geoffreak » Fri May 20, 2005 2:54 pm

I contacted the hoster personally and this is the message I got:
Dear Valued Network Solutions Customer,

Thank you for contacting Network Solutions.


We appreciate the sensitive nature of some of the content that is included on certain Web sites. As an accredited registrar of domain names our responsibilities are limited to the registration of a specific domain name. We have no jurisdiction over how that domain name may be used.

On November 1, 1999, a three-judge panel of the U. S. Court of Appeals for the Ninth Circuit ruled that Network Solutions has no responsibility or duty to police the rights of trademark owners concerning domain names.

If the domain owner in question is conducting criminal activity we would ask you to defer to either the police or the proper authorities.


Thank you for choosing Network Solutions.

Sincerely,

Ferdinand005

Network Solutions Customer Support

(c) Copyright 2005 Network Solutions, LLC. All rights reserved.

Geoffreak
Traveler
 
Posts: 1
Joined: Tue Mar 08, 2005 7:53 pm

