FHannes Posted July 9, 2013
It just came to light that the forum database has been compromised. An attack through access of a low-level staff account and exploits in the forum software allowed a malicious entity to gain access to my account and access the database. Only the scar-divi.com domain was vulnerable during the attack, and it's fairly unlikely any part of the site other than the forums was compromised. Everyone should change their passwords IMMEDIATELY, as well as change it anywhere else you might use the same password. Any confidential information you may have shared on the forums or sent through the private messaging system was likely also compromised. Currently I've purged all of the forum software from the server and I'm reinstalling everything to avoid having any backdoors left behind. The forums are already fully functional, but should be restored to their original state in a couple of days.
~Freddy
Edited July 9, 2013 by Freddy
Bixby Sayz Posted July 9, 2013
How interesting. First the SRL crowd gets hacked then this. Somebody hoping to glean RS logins most likely. At least you are back up and running. The other folks are still down although the damage there seems to be more extensive.
FHannes Posted July 9, 2013 (Author)
> How interesting. First the SRL crowd gets hacked then this. Somebody hoping to glean RS logins most likely. At least you are back up and running. The other folks are still down although the damage there seems to be more extensive.
Well, the hack took place about 10 days ago, actually. But I've only just figured out that the forums were actually hacked, due to them malfunctioning all over the place. As my time has been limited lately, I haven't had the chance to properly check out what the issue was, but as I continuously failed to fix it, it quickly became apparent that there was more going on than a random malfunction. I can only guess that they got access to a moderator account on these forums by obtaining the password hash from another forum. How they got on from that point is somewhat of a mystery; they seem to have found an exploit to access parts of the forums, normally only accessible by me, using said account. After that, it was of course easy to get into my account and cause all kinds of mayhem...
Edited July 9, 2013 by Freddy
LordJashin Posted July 9, 2013
Interesting, Villavu - Villavu Breach July 06 by Merlijn Wajer, is still down. Good Job Freddy! We beat them finally! The SCAR wars are over! Hopefully you still have those themes!
> Once he got access to the AdminCP, the attacker changed the faq.php file, which can apparently be modified from the Admin CP. Once he had done this, he could execute any command by passing "?faq=welcome&c=COMMAND".
Through the FAQ? What a weird hack. Not surprising though, considering how flaky the internet is. PHP, and software especially. Should make it so no one can run commands on anything even associated with the database.
Edited July 9, 2013 by LordJashin
slacky Posted July 9, 2013
You ****** you reset my password!! How can you do that?? I am so hurt! :'( Now I don't even know which password I used on this site... Makes it hard to figure out if I should change it on any other page as well... Oh wait.. I got a "godzillion" passwords so GL abusing whatever pw I used here :-D
Vicarious Posted July 9, 2013
What I'm concerned about is, even if the database was hacked, they should still not know the password we used because they should be appropriately encrypted, or is that not the case?
slacky Posted July 9, 2013
For about every normal hash function you can find a "rainbow-table"; this table connects a lot of hashes to a password. The tables are far from complete, but I would figure that they got all short passwords solved (it takes a lot of power and time to create a big rainbow-table), seeing that there are approx 3.402823669209387e+38 (16^32) possibilities in the often used md5. But the passwords on forums are usually stored as either md5(md5(password) + randomint(x)) or sha256(sha256(pw) + randomint(x)), so only a few passwords will be solved with a rainbow table due to the password's new length (salt and double hash), and each password (stored this way) requires two rows in the rainbow-table to exist to solve it. Take for example this dictionary of "md5(pass): pass"; it could be called a rainbow table (but a very small one):

    //rainbowtable
    rainbow_table = {
        '2646f14f955f3f0af84989b9783d689b': 'PiRCm54WU',
        'a4f47d34c0ae74f00e919afbe5c07214': 'Uldpa3Iwm',
        '0eeda36ded50e2a96319a033767ea764': 'bOieOQt7r',
        '8be3c90485a163e376d825d8c2eddde5': 'Nm7mRfO3j',
        '093033088d6538e90fe73d112b07e879': 'cra78ZZ0w',
        '16de66933cbe9bc1c320bab32ed8e6c9': '5vv2vyalc',
        '399037361417ea462e0fed60a40e628e': 'xOW4OKn59',
        '1e3674a82da0d420032df4a780516ad6': 'AFL9OfkqE'
    }

So if your password is in there I know the md5 hash for it (if it's not salted)... If it's salted we would need a much bigger rainbow table... And even with the biggest md5-rainbow table out there we might not find the corresponding password.. Your password SHOULD be safe, but the hash for pw(+ salt) might just be in a rainbow-table.
Edited July 9, 2013 by slacky
Vicarious Posted July 9, 2013
@slacky: (quote system doesn't seem to be working) MD5 shouldn't even be mentioned, it was deemed cryptographically broken years ago: MD5 - Wikipedia, the free encyclopedia. If our passwords are being encrypted with MD5 some serious alarm bells should be ringing. I would expect nothing less than sha512, in which case having the hash and the salt leaves them no better off than anyone simply trying to guess your password.
slacky Posted July 9, 2013
I mentioned md5 because it's relevant, since a lot of CMS still use it. Take for example Simba's forum: they used md5(md5(pw) + salt), and they just got hacked.. now there are a lot of passwords connected to usernames and emails on the loose. I believe md5(md5(pw) + salt) is default in vBulletin. You might expect sha512, but the fact is that there's not much software (CMS, blog or forums) which uses it. Sha256 + salt is on the other hand normal to use. In general I would suggest using sha(256 or 512), BUT it's vulnerable to brute force (thinkin' about the time it uses to create a key); generating small rainbow-tables won't take as much time. Better alternatives are PBKDF2, scrypt, bcrypt.
Edited July 9, 2013 by slacky
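The three schemes the last two posts argue about, side by side, as an added Python example (not code from either poster or from vBulletin): a precomputed md5 table hits an unsalted hash, misses the md5(md5(pw) + salt) form because the salt makes every stored value unique, and PBKDF2 raises the per-guess cost that plain md5 leaves near zero. The word list, salts and iteration count are constructed for the demo.

```python
import hashlib
import hmac

# Constructed word list standing in for the far larger rainbow table in the
# earlier post; the hashes are computed here rather than copied from the thread.
WORDLIST = ["PiRCm54WU", "Uldpa3Iwm", "hunter2", "letmein", "correcthorse"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_lookup_table(words):
    """Unsalted md5 -> password: computed once, reusable against any site."""
    return {md5_hex(w): w for w in words}


def vbulletin_hash(password: str, salt: str) -> str:
    """The vBulletin scheme named in the thread: md5(md5(password) + salt)."""
    return md5_hex(md5_hex(password) + salt)


def table_lookup(table, stored_hash):
    """Precomputed lookup; returns None when a salt has made the hash unique."""
    return table.get(stored_hash)


def salted_lookup(words, salt, stored_hash):
    """With a salt nothing precomputed applies: every guess must be recomputed
    per user, so the salt removes table reuse but not the low cost of md5."""
    for w in words:
        if vbulletin_hash(w, salt) == stored_hash:
            return w
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow alternative from the post's list: PBKDF2-HMAC-SHA256 (stdlib).
    Each guess now costs `iterations` HMAC calls instead of two md5 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password, salt, iterations, expected):
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), expected)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(table_lookup(table, md5_hex("hunter2")))                 # hunter2
    print(table_lookup(table, vbulletin_hash("hunter2", "Ab3")))   # None
    print(salted_lookup(WORDLIST, "Ab3", vbulletin_hash("hunter2", "Ab3")))  # hunter2
```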
FHannes Posted July 9, 2013 (Author)
> What I'm concerned about is, even if the database was hacked, they should still not know the password we used because they should be appropriately encrypted, or is that not the case?
VBulletin does hash passwords obviously, but it uses md5, as "md5(md5(password) + salt)".
> (quote system doesn't seem to be working)
Inline ajax quotes work, but for some reason they don't work in Firefox. I'm trying to figure out why.
EDIT: I've reuploaded the client-side javascript files. It seems to be working now.
EDIT2: On an important note, the attacker did manage to get some raw passwords from some recent logins by modifying the forum software.
Edited July 9, 2013 by Freddy
Wanted Posted July 10, 2013
I find it hard to believe someone with considerable talent is wasting their time with small potatoes... there's clearly a hidden motive we are all overlooking, one of which we may never be sure of.
footballjds Posted July 10, 2013
> I find it hard to believe someone with considerable talent is wasting their time with small potatoes... there's clearly a hidden motive we are all overlooking, one of which we may never be sure of.
I agree.
FHannes Posted July 10, 2013 (Author)
Well, it's fairly easy to get your hands on exploits and such; you don't have to be talented to do that. Once you have a point of entry, it's pretty easy to proceed from there. A couple of weeks ago I did detect an attack on forums.freddy1990.com as well. The forum software there had gotten somewhat outdated, and they were trying to use an exploit to get in. But I disabled the entire site at the time to stop the attack. Though only forums.scar-divi.com was compromised, with the forum software as entry point, I'm auditing the security of the entire server to make the chance of future breaches as small as possible.
Edited July 10, 2013 by Freddy
LordJashin Posted July 10, 2013
Well if you find his IP address, let me know. I can get him blasted. Take down his internet for good.
EDIT: according to Wizzup or whoever's log file: 91.236.116.109. That is the one, and it's from Sweden.
Edited July 10, 2013 by LordJashin
FHannes Posted July 10, 2013 (Author)
> Well if you find his IP address, let me know. I can get him blasted. Take down his internet for good.
> EDIT: according to Wizzup or whoever's log file: 91.236.116.109. That is the one, and it's from Sweden.
The attack on these forums was carried out with 2 IPs from Sweden, one very similar to that one, and also an IP from London. But I don't want to disclose any details until I've had a chance to contact the authorities.
iiirickyiii Posted July 11, 2013
> VBulletin does hash passwords obviously, but it uses md5, as "md5(md5(password) + salt)". Inline ajax quotes work, but for some reason they don't work in Firefox. I'm trying to figure out why.
> EDIT: I've reuploaded the client-side javascript files. It seems to be working now.
> EDIT2: On an important note, the attacker did manage to get some raw passwords from some recent logins by modifying the forum software.
Yeah, my "iirickyii" password is different and I can't login now, but I'm too lazy to try and recover it via email.
FHannes Posted July 11, 2013 (Author)
> Yeah, my "iirickyii" password is different and I can't login now, but I'm too lazy to try and recover it via email.
Everyone was assigned a new password; it should have been mailed to you.