
In response to Avast's recent hack

Started by Kindred, May 28, 2014, 08:48:22 AM



OK Folks, I have been away from the computer, dealing with my real life job and haven't been able to respond.

I am somewhat disappointed in the behavior in this thread.
I went out of my way, in the original post, to avoid hyperbole and direct attacks or name-calling. Let's not let the comment degenerate into that either.

Motoko hit the nail on the head.
This statement was made to put a clear statement forth regarding accusations that Avast has publicly and privately made regarding SMF (comments which, I will note, have been picked up by several news services). This is not an attack on Avast.
And no. There is no need for lawyers to get involved, unless this goes a lot further downhill (which I hope it does not).

I understand that many of you also want to defend SMF. We appreciate your support, but please keep it professional.

AllanD, as to your statements. This was a clearly needed statement to address accusations against our software.

I will also note... If Avast does share their server logs and we discover that this does turn out to be due to a previously undiscovered vulnerability, we will promptly and clearly update the statement and our position (although the accusation of secret/silent updates is still unjustified)

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."


Quote from: AllanD on May 28, 2014, 10:47:15 AM
The problem isn't the software; anyone can get hacked, it's just a fact. That being said, I don't think this post is really called for. I am taking it that you are more or less saying "it's not us, it's you", which will result in hurting SMF far more than saying nothing at all.

^ I have to agree with this.

ANY website OR software can be hacked, regardless of whatever they are using. Avast is a "bigger" company and was probably targeted for some reason by those hackers.
It hurts me to see them placing such blame on SMF while they are in fact a security company. If I were using their software and saw that they got hacked, I'd step aside and take other software, just because they blame someone else and are unable to secure it back. It's also uncalled for that they blame it on the patch. If they managed their forum properly, they would see the newest patches inside their admin screen.

Nevertheless, I will stick with SMF for all of my forum websites.
Sorry to hear about this, I wish everyone good luck with solving this issue and problems.


The thing is, while software can and does have faults, you'd be surprised how often it's not the software that's *actually* at fault. All too often it's an account that's compromised - the people being the weakest part of the system.

There's still no evidence that it actually *is* the SMF software at fault.


Hi there,

It's Vlk, a global moderator from the Avast forums and a senior executive at Avast.

I'd like to jump in to this discussion and share my point of view.

First, I have to say that I really like SMF, as we have relied on it for many years (and before that, used its predecessor, YaBB SE). During all those years, it served us really well, and I'd like to thank all the good people who created and have maintained the product for their generosity in making the software available for free.

Now I think it's sort of pointless to blame each other, especially in public. If you found the statements we released after the incident offensive, I apologize. The point we were making was that we were running SMF 2.0.6 (not upgrading to 2.0.7 because there were no security updates documented in that version). The server only had ports 80 and 443 open, and we're quite confident there was no other hole through which the attacker could possibly have gotten in. Plus, when doing the post-mortem analysis, we found that hacker forum which talked about the RCE vulnerability in 2.0.6 (which we forwarded to you), and so our preliminary conclusion was that that must have been it.

I think it is really premature to draw any definitive conclusions at this time. We have now shared all the log files from the affected server with you (AFAIK) and would love to work with you on finding the real vector the attacker used for the hack.

Until then, I propose we stop any public commenting on the issue and move to private discussion / investigation. Of course, once this is finished, I'm certainly OK with sharing our findings with the general public.



Maybe this topic should be locked then?


Hi Vlk,

Thank you for your comment and reaching out. It is good to hear you have been using it for so long. :) I'm locking this topic for now.
Kindred will make a short statement shortly.

Kind regards,
- Liroy
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.


Hi Vlk,

I would also like to thank you for reaching out. We were dismayed by the statements originally made and felt it important to make a statement, given the media coverage that this incident is garnering. However, I agree whole-heartedly with you that playing the blame game helps no one.

I do confirm that what Vlk said is correct, and Avast is now working WITH us to analyze the server logs and the code from the server to determine the vector and the payload of the attack.
Once we are out of the realm of supposition and guessing, and have some evidence, we will put together a clear statement on our findings.
