FHannes

Forum database compromised!


It just came to light that the forum database has been compromised.

An attack through access to a low-level staff account and exploits in the forum software allowed a malicious entity to gain access to my account and access the database. Only the scar-divi.com domain was vulnerable during the attack, and it's fairly unlikely any part of the site other than the forums was compromised.

Everyone should change their passwords IMMEDIATELY, as well as change it anywhere else you might use the same password. Any confidential information you may have shared on the forums or sent through the private messaging system was likely also compromised.

Currently I've purged all of the forum software from the server and I'm reinstalling everything to avoid having any backdoors left behind. The forums are already fully functional, but should be restored to their original state in a couple of days.

 

~Freddy

Edited by Freddy

How interesting. First the SRL crowd gets hacked, then this. Somebody hoping to glean RS logins, most likely.

At least you are back up and running. The other folks are still down, although the damage there seems to be more extensive.

Well, the hack took place about 10 days ago, actually. But I've only just figured out that the forums were actually hacked, due to them malfunctioning all over the place. As my time has been limited lately, I haven't had the chance to properly check out what the issue was, but as I continuously failed to fix it, it quickly became apparent that there was more going on than a random malfunction.

I can only guess that they got access to a moderator account on these forums by obtaining the password hash from another forum. How they got on from that point is somewhat of a mystery; they seem to have found an exploit to access parts of the forums, normally only accessible by me, using said account. After that, it was of course easy to get into my account and cause all kinds of mayhem...

Edited by Freddy

Interesting, Villavu - Villavu Breach July 06 by Merlijn Wajer, is still down. Good job Freddy! We beat them finally! The SCAR wars are over!

Hopefully you still have those themes!

Once he got access to the AdminCP, the attacker changed the faq.php file, which can apparently be modified from the Admin CP. Once he had done this, he could execute any command by passing "?faq=welcome&c=COMMAND".

Through the FAQ? What a weird hack. Not surprising though, considering how flaky the internet is, PHP and software especially. Should make it so no one can run commands on anything even associated with the database.


Edited by LordJashin
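A defender-side check for the request shape described in the post above, added here as an example that is not from the thread or from vBulletin: it scans constructed access-log lines and flags faq.php requests that carry any parameter beyond the expected "faq". The log lines, IP addresses and the set of expected parameters are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache common log format); the IPs,
# timestamps and response sizes are made up for this demo.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2012:10:01:02 +0000] "GET /faq.php?faq=welcome HTTP/1.1" 200 5120
10.0.0.7 - - [06/Jul/2012:10:03:14 +0000] "GET /faq.php?faq=welcome&c=COMMAND HTTP/1.1" 200 412
10.0.0.9 - - [06/Jul/2012:10:04:00 +0000] "GET /showthread.php?t=12 HTTP/1.1" 200 9000
10.0.0.7 - - [06/Jul/2012:10:05:31 +0000] "GET /faq.php HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a legitimate faq.php request carries only the "faq" parameter
# (the request shape seen in the thread); any other parameter is flagged.
EXPECTED_FAQ_PARAMS = {"faq"}


def suspicious_faq_requests(log_text: str) -> list:
    """Flag faq.php requests whose query string carries unexpected parameters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing on them
        url = urlsplit(m["target"])
        if not url.path.endswith("/faq.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        unexpected = sorted(set(params) - EXPECTED_FAQ_PARAMS)
        if unexpected:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "unexpected_params": unexpected,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_faq_requests(SAMPLE_LOG):
        print(hit)
```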

You ****** you reset my password!! How can you do that?? I am so hurt! :'( Now I don't even know which password I used on this site... Makes it hard to figure out if I should change it on any other page as well... :o Oh wait.. I got a "godzillion" passwords so GL abusing whatever pw I used here :-D


For about every normal hash function you can find a "rainbow table"; this table connects a lot of hashes to a password. The tables are far from complete, but I would figure that they got all short passwords solved (it takes a lot of power and time to create a big rainbow table), seeing that there are approx. 3.402823669209387e+38 (16^32) possibilities in the often-used md5. But the passwords on forums are usually stored as either md5(md5(password) + randomint(x)) or sha256(sha256(pw) + randomint(x)); only a few passwords will be solved with a rainbow table due to the password's new length (salt and double hash), and each password (stored this way) requires two rows in the rainbow table to exist to be solved.


Take for example this dictionary of "md5(pass): pass", it could be called a rainbow table (but a very small one):

# rainbow table: md5 hex digest -> plaintext password
rainbow_table = {
   '2646f14f955f3f0af84989b9783d689b': 'PiRCm54WU',
   'a4f47d34c0ae74f00e919afbe5c07214': 'Uldpa3Iwm',
   '0eeda36ded50e2a96319a033767ea764': 'bOieOQt7r',
   '8be3c90485a163e376d825d8c2eddde5': 'Nm7mRfO3j',
   '093033088d6538e90fe73d112b07e879': 'cra78ZZ0w',
   '16de66933cbe9bc1c320bab32ed8e6c9': '5vv2vyalc',
   '399037361417ea462e0fed60a40e628e': 'xOW4OKn59',
   '1e3674a82da0d420032df4a780516ad6': 'AFL9OfkqE'
}

So if your password is in there I know the md5 hash for it (if it's not salted)... If it's salted we would need a much bigger rainbow table... And even with the biggest md5 rainbow table out there we might not find the corresponding password..

Your password SHOULD be safe, but the hash for pw(+ salt) might just be in a rainbow table.

Edited by slacky
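To make the point of the post above concrete, here is an added example (not code from the thread, nor vBulletin's own implementation): it builds a tiny unsalted md5 table from constructed sample passwords, shows that the md5(md5(password) + salt) form the thread attributes to vBulletin is not answered by that table and changes with every salt, and contrasts it with a deliberately slow salted PBKDF2 hash of the kind slacky recommends. The sample passwords, the salts "Ab3" and "Zz9", and the iteration count are assumptions made for the demo.

```python
import hashlib

# Constructed sample passwords; the table is built here from them so the
# example runs offline (it stands in for the "md5(pass): pass" dict above).
SAMPLE_PASSWORDS = ["PiRCm54WU", "Uldpa3Iwm", "bOieOQt7r"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def build_unsalted_table(passwords):
    """Map md5(password) -> password: the lookup an unsalted leak enables."""
    return {md5_hex(p): p for p in passwords}


def vbulletin_style_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt), the scheme the thread attributes to vBulletin."""
    return md5_hex(md5_hex(password) + salt)


def lookup(table, stored_hash):
    """Return the password for a stored hash if the table covers it, else None."""
    return table.get(stored_hash)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, deliberately slow alternative (PBKDF2-HMAC-SHA256): each guess
    costs `iterations` HMAC computations instead of two md5 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo(password: str = "PiRCm54WU") -> dict:
    table = build_unsalted_table(SAMPLE_PASSWORDS)
    plain_md5 = md5_hex(password)
    salted = vbulletin_style_hash(password, "Ab3")  # "Ab3" is a constructed salt
    return {
        # An unsalted md5 leak is answered directly by the table.
        "unsalted_found": lookup(table, plain_md5),
        # The salted double hash is not in a table built from md5(password).
        "salted_found": lookup(table, salted),
        # A different salt gives a different stored hash for the same password,
        # so one precomputed table cannot cover all users at once.
        "differs_by_salt": salted != vbulletin_style_hash(password, "Zz9"),
    }


if __name__ == "__main__":
    print(demo())
```

The salt only defeats precomputation; a fast hash such as md5 still lets an attacker test guesses per user cheaply, which is why the slow PBKDF2 variant matters more than the choice of digest.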

@slacky:

(quote system doesn't seem to be working)

MD5 shouldn't even be mentioned, it was deemed cryptographically broken years ago:

MD5 - Wikipedia, the free encyclopedia

If our passwords are being encrypted with MD5 some serious alarm bells should be ringing.

I would expect nothing less than sha512, in which case having the hash and the salt leaves them no better off than anyone simply trying to guess your password.


I mentioned md5 because it's relevant, since a lot of CMSes still use it. Take for example Simba's forum, they used md5(md5(pw) + salt); they just got hacked.. now there are a lot of passwords connected to usernames and emails on the loose. I believe md5(md5(pw) + salt) is the default in vBulletin.

You might expect sha512, but the fact is that there's not much software (CMS, blog or forums) which uses it. SHA-256 + salt is, on the other hand, normal to use. In general I would suggest using SHA-256 or SHA-512, BUT it's vulnerable to brute force (thinkin' about the time it uses to create a key); generating small rainbow tables won't take as much time. Better alternatives are PBKDF2, scrypt, bcrypt.

Edited by slacky

What I'm concerned about is, even if the database was hacked, they should still not know the password we used because they should be appropriately encrypted, or is that not the case?

vBulletin does hash passwords obviously, but it uses md5, as "md5(md5(password) + salt)".

(quote system doesn't seem to be working)

Inline ajax quotes work, but for some reason they don't work in Firefox. I'm trying to figure out why.

EDIT: I've reuploaded the client-side JavaScript files. It seems to be working now.

EDIT2: On an important note, the attacker did manage to get some raw passwords from some recent logins by modifying the forum software.

Edited by Freddy

Well, it's fairly easy to get your hands on exploits and such, you don't have to be talented to do that. Once you have a point of entry, it's pretty easy to proceed from there. A couple of weeks ago I did detect an attack on forums.freddy1990.com as well. The forum software there had gotten somewhat outdated, and they were trying to use an exploit to get in. But I disabled the entire site at the time to stop the attack.

Though only forums.scar-divi.com was compromised, with the forum software as entry point, I'm auditing the security of the entire server to make the chance of future breaches as small as possible.

Edited by Freddy

Well, if you find his IP address, let me know. I can get him blasted. Take down his internet for good.

EDIT: according to Wizzup or whoever's log file: 91.236.116.109. That is the one, and it's from Sweden.

The attack on these forums was carried out with 2 IPs from Sweden, one very similar to that one, and also an IP from London. But I don't want to disclose any details until I've had a chance to contact the authorities.


Yeah, my "iirickyii" password is different and I can't log in now, but I'm too lazy to try and recover it via email.
