
IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


SD-X

Every person who does their part makes this project great. :)

NanoSector

Quote from: Ddnhf on July 27, 2013, 05:01:25 PM
Quote from: Yoshi on July 27, 2013, 04:28:56 PM
We are using sha1. Also this has nothing to do with security of the software, but keeping passwords unique and secure. Salting the SHA1 password *should* make it more secure.

Using nested encryption methods will just slow things down for the hacker.
SHA1 itself is not completely secure, there are websites that offer to decrypt SHA1 passwords.


// Per-user salt; it must be stored next to the hash so the same computation can be repeated at login
$salt = rand(1000000,99999999);
$hashed_pwd = sha1($password . $salt);

Nothing is completely secure, which is the point.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."
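The salted construction in the snippet Ddnhf quoted, as an added Python example (not code from the thread or from SMF): the same sha1(password || salt) form, with a per-user random salt stored beside the hash, plus a slow PBKDF2 variant as the stronger alternative. Function names and the test password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not the thread's or SMF's code. It mirrors the quoted PHP,
# sha1($password . $salt), and shows why the salt is random and stored per user.

def sha1_salted(password: str, salt: bytes) -> str:
    """Same construction as the quoted snippet: SHA-1 over password || salt."""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Stored credential: a fresh random salt plus the salted hash.

    An integer from rand(1000000, 99999999) gives fewer than 1e8 possible salts;
    16 bytes from os.urandom() is the usual choice instead.
    """
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": sha1_salted(password, salt)}

def verify(record: Dict[str, str], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], sha1_salted(candidate, salt))

def make_record_pbkdf2(password: str, salt: Optional[bytes] = None,
                       rounds: int = 200_000) -> Dict[str, str]:
    """Stronger alternative: deliberately slow, salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": str(rounds), "hash": digest.hex()}

def verify_pbkdf2(record: Dict[str, str], candidate: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 int(record["rounds"]))
    return hmac.compare_digest(record["hash"], digest.hex())

def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password must still end up with different hashes."""
    return make_record(password)["hash"] != make_record(password)["hash"]
```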

kat

More caffeine in coffee, though. They're probably on espresso triple-shots, by now.

live627

Quote from: K@ on July 27, 2013, 05:55:13 PM
More caffeine in coffee, though. They're probably on espresso triple-shots, by now.
wow, they'd be shaking so much that they wouldn't be able to type!

SD-X

Then they need more of me to balance them out while still giving them a rush! :D

Burke ♞ Knight

Quote from: K@ on July 27, 2013, 05:55:13 PM
More caffeine in coffee, though. They're probably on espresso triple-shots, by now.

Hmm... So it is actually coffee that has caffeine???

I always told the waitress to add a little coffee to my caffeine...   :P

brynn

Quote from: tassie73 on July 27, 2013, 12:05:58 AM
And to the admin whose password was compromised, s**t happens.

HUH???

Well first, I should say that I haven't had time to read all 21 pages of this topic. (I only got the email just now!)  But what I wonder (after I finish wondering why an admin was sharing a password in the first place) is why that admin didn't change his or her shared password when the other site was compromised?

xrunner

As an aside - why is the Ubuntu forum still down if the same thing happened to them? It went down on the 20th. Why can't they open it up and just tell everyone to reset passwords?  :-\

tumbleweed

Quote from: xrunner on July 27, 2013, 07:07:39 PM
As an aside - why is the Ubuntu forum still down if the same thing happened to them? It went down on the 20th. Why can't they open it up and just tell everyone to reset passwords?  :-\

That forum got hacked. This was a case of poor password care and usage.
G.C. SOLUTIONS - Hosting Quality Sites Since 2006. Experience Your Forums On A Whole New Level
Elastic Sites Stress Fast CPU/Ram Upgrades- More Info Here.
Reviews By SMF Forum Owners - Read Our Rev

Kindred

brynn,

because he was not aware that the other site had been compromised. The reason that we put this out as fast as we did after confirming the issue was to avoid just that scenario...  the hacker's goal was to acquire the information as quietly as possible, thus avoiding anyone knowing and resetting their passwords on other sites.

Actually, tumbleweed, early evidence suggests that a similar method may have been used across multiple sites, including ubuntu.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Burke ♞ Knight

Ubuntu is in process of changing forum software is what I heard.
That's why so long there.

xrunner

Quote from: BurkeKnight on July 27, 2013, 07:22:38 PM
Ubuntu is in process of changing forum software is what I heard.
That's why so long there.

Ah OK that accounts for the delay.

tumbleweed

Quote from: Kindred on July 27, 2013, 07:18:13 PM
brynn,

because he was not aware that the other site had been compromised. The reason that we put this out as fast as we did after confirming the issue was to avoid just that scenario...  the hacker's goal was to acquire the information as quietly as possible, thus avoiding anyone knowing and resetting their passwords on other sites.

Actually, tumbleweed, early evidence suggests that a similar method may have been used across multiple sites, including ubuntu.

I am still waiting to see some sort of report from sources about the multisite theory. Of course I am not in the loop of such things; I just tend to visit sites whose main content is security. Right now the only one I know of is Ubuntu.


spydercanopus

How do you find out if your forum was compromised?  Not implying that this relates to other SMF installs, but how did you find out?

bluedragon2k9

I think that this is a sorry excuse for security. We all know that hackers post that stuff on multiple sites. So all of our data is floating around cyberspace. There is no excuse for this ******. You guys need to take steps to protect your forum users. And I bet there is a security hole in SMF forum software. Way to go SMF, I hope u feel a lot of butthurt. I know for one my days of using SMF are over, and if anyone is smart they will do the same.
So you keyboard cowboys go ahead and defend them, I could give 2 ******s. But you all know there is no excuse for this. And their forum runs off their own software.
See you around guys ,,!,, you SMF, thanks for the big ****** of my data

evgueni

I fail to find how to change my community password here...
Does anybody else have trouble changing it?

ARG01

Quote from: bluedragon2k9 on July 27, 2013, 08:14:07 PM
I think that this is a sorry excuse for security. We all know that hackers post that stuff on multiple sites. So all of our data is floating around cyberspace. There is no excuse for this ******. You guys need to take steps to protect your forum users. And I bet there is a security hole in SMF forum software. Way to go SMF, I hope u feel a lot of butthurt. I know for one my days of using SMF are over, and if anyone is smart they will do the same.
So you keyboard cowboys go ahead and defend them, I could give 2 ******s. But you all know there is no excuse for this. And their forum runs off their own software.
See you around guys ,,!,, you SMF, thanks for the big ****** of my data

LOL! So, what is all this data of yours that you believe is "floating around cyberspace"? Did you fail to read through this thread before commenting? Ignorance is bliss and it surely shows in this thread.
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

Burke ♞ Knight

bluedragon2k9

If you bothered to read, instead of being rude and obnoxious, you'd see that this is NOT a security issue with the SMF forum.
This hack at this site originated at another site, and it just so happened that a user there is an admin here and used the same password.

Clean up your language and attitude.
If this was my site, you'd be banned by now.

LiroyvH

Quote from: tumbleweed on July 27, 2013, 07:15:57 PM
Quote from: xrunner on July 27, 2013, 07:07:39 PM
As an aside - why is the Ubuntu forum still down if the same thing happened to them? It went down on the 20th. Why can't they open it up and just tell everyone to reset passwords?  :-\

That forum got hacked. This was a case of poor password care and usage.

Ours was evidently hacked as well. Although you may find "cracked" a more preferable term.
And yes, multiple sites that were hacked are related to this.

And the Ubuntu forum is still down, so I was told, because it was run by a third party and Canonical now wants to run it themselves to prevent (further) damage to their brand. (In the future) They want to ensure it's safe.


Quote from: bluedragon2k9 on July 27, 2013, 08:14:07 PM
I think that this is a sorry excuse for security. We all know that hackers post that stuff on multiple sites. So all of our data is floating around cyberspace. There is no excuse for this ******. You guys need to take steps to protect your forum users. And I bet there is a security hole in SMF forum software. Way to go SMF, I hope u feel a lot of butthurt. I know for one my days of using SMF are over, and if anyone is smart they will do the same.
So you keyboard cowboys go ahead and defend them, I could give 2 ******s. But you all know there is no excuse for this. And their forum runs off their own software.
See you around guys ,,!,, you SMF, thanks for the big ****** of my data

The only one that seems to be butthurt around here is you. Let it flow through you.

Anyway, a password being stolen from another community is not a flaw in the SMF software.
Although I think I'm wasting my time trying to explain anything to you anyway, judging by the way you write.


Quote from: spydercanopus on July 27, 2013, 08:03:01 PM
How do you find out if your forum was compromised?  Not implying that this relates to other SMF installs, but how did you find out?

If you're concerned you might be hacked, scan your home directory for recently changed files.
Anything that wasn't modified by yourself: check it out for suspicious code.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
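The check LiroyvH describes, as an added Python example rather than anything from the thread or SMF's own tooling: list files under a web root modified in the last N days, and compare content hashes against a baseline taken after a clean install, so that edits and files the admin did not create stand out. The file names in demo() are constructed.

```python
import hashlib
import os
import tempfile
import time

# Added example, not the thread's or SMF's code; demo() builds a constructed tree.
def recently_modified(root, days, now):
    """Relative paths of regular files whose mtime is within the last `days` days."""
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path) and os.stat(path).st_mtime >= cutoff:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def build_manifest(root):
    """Relative path -> SHA-256 of content; record one right after a clean install."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    manifest[os.path.relpath(path, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifest(baseline, current):
    """(added, changed, removed) relative to the baseline; 'changed' means content differs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, changed, removed

def demo():
    """Constructed sample tree (hypothetical file names, not real forum files)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "inc"))
    month_ago = time.time() - 30 * 86400
    for rel in ("index.php", "inc/config.php"):          # "installed" a month ago
        with open(os.path.join(root, rel), "w") as fh: fh.write("<?php // original install\n")
        os.utime(os.path.join(root, rel), (month_ago, month_ago))
    baseline = build_manifest(root)                       # snapshot taken while clean
    with open(os.path.join(root, "inc/config.php"), "a") as fh: fh.write("// edited today\n")
    with open(os.path.join(root, "dropped.php"), "w") as fh: fh.write("<?php // new today\n")
    added, changed, removed = diff_manifest(baseline, build_manifest(root))
    return {"recent": recently_modified(root, 7, time.time()),
            "added": added, "changed": changed, "removed": removed}
```

The mtime scan catches anything touched recently, while the manifest diff also catches files whose timestamps were reset to look old.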

tumbleweed

Hold up here. So SMF was cracked as well? (yes I do know the difference between both terms).

In the OG post I read.
Per your words CoreISP
Quote
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.

Soo... which is the case? And did you mean "cracker" not "hacker"?

Just trying not to be confused to what has occurred.

*fixed my poor choice of words*
