Bitcoin Forum

Other => Meta => Topic started by: theymos on October 07, 2013, 05:18:33 AM



Title: About the recent attack
Post by: theymos on October 07, 2013, 05:18:33 AM
On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.

Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.

The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.

How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to log in as someone using only their password hash. No brute-forcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.

The future

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.

I'd like to publish the forum's current code so that it can be carefully reviewed and the disabled features can be re-enabled. SMF 1.x's license prohibits publishing the code, though, so I will have to either upgrade to 2.x, get a special copyright exception from SMF, or do the auditing myself. During this investigation, a few security disadvantages to 2.x were brought to my attention, so I don't know whether I want to upgrade if I can help it. (1.x is still supported by SMF.)

Special thanks to these people for their assistance in dealing with this issue:
- warren
- Private Internet Access
- nerta
- Joshua Rogers
- chaoztc
- phantomcircuit
- jpcaissy
- bluepostit
- All others who helped

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of October 7 2013, the Bitcoin Forum has been restored to bitcointalk.org.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlJSRF8ACgkQxlVWk9q1keemWgD/WcvrsikPq6AHpEo20KGmQInp
FlyAWNbX74z65KJrsUEBAIcCzYnHZ7gAs49mlhSq1fR9o2LZCETV3BJveCTu7lAi
=b9Xb
-----END PGP SIGNATURE-----
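
As an added illustration (not the forum's own code), the sha256crypt scheme the post describes, with the stated parameters of 7500 rounds and a fresh 12-byte random salt for every password; the rendering of the salt bytes as 16 crypt-alphabet characters and the helper names are my assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not the forum's code: sha256crypt ("$5$") with the
# parameters stated in the post (7500 rounds, 12 random salt bytes per password).
ROUNDS = 7500
SALT_BYTES = 12
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte permutation sha256crypt applies to the final digest before encoding it.
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt-style base64: emit n 6-bit groups of the 24-bit word, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out


def sha256_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """crypt(3) SHA-256 scheme; the salt is truncated to 16 bytes as in glibc."""
    rounds = max(1000, min(rounds, 999_999_999))
    salt = salt[:16]
    plen = len(password)
    # Digest B binds password and salt; it is folded into digest A below.
    b = hashlib.sha256(password + salt + password).digest()
    a = hashlib.sha256(password + salt)
    a.update(b * (plen // 32) + b[:plen % 32])
    i = plen
    while i > 0:  # walk the bits of the password length, lowest first
        a.update(b if i & 1 else password)
        i >>= 1
    a = a.digest()
    # P and S are password- and salt-derived byte strings mixed into every round.
    dp = hashlib.sha256(password * plen).digest()
    p = (dp * (plen // 32 + 1))[:plen]
    ds = hashlib.sha256(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 32 + 1))[:len(salt)]
    c = a
    for r in range(rounds):  # the work factor: one SHA-256 per round
        h = hashlib.sha256(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    enc += _b64(0, c[31], c[30], 3)
    prefix = "$5$" if rounds == 5000 else f"$5$rounds={rounds}$"
    return prefix + salt.decode() + "$" + enc


def hash_password(password: str) -> str:
    """New-password path: fresh 12-byte salt per password, 7500 rounds.
    Assumption: the salt bytes are rendered as 16 crypt-alphabet characters."""
    raw = secrets.token_bytes(SALT_BYTES)
    salt = "".join(_b64(raw[i], raw[i + 1], raw[i + 2], 4)
                   for i in range(0, SALT_BYTES, 3))
    return sha256_crypt(password.encode(), salt.encode(), ROUNDS)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    parts = stored.split("$")  # ['', '5', 'rounds=N', salt, hash] or ['', '5', salt, hash]
    rounds, salt = 5000, parts[2]
    if parts[2].startswith("rounds="):
        rounds, salt = int(parts[2][7:]), parts[3]
    candidate = sha256_crypt(password.encode(), salt.encode(), rounds)
    return hmac.compare_digest(candidate.rsplit("$", 1)[1], parts[-1])
```

Because the salt is random per password, two users with the same password get unrelated hashes, which is why each hash has to be attacked on its own.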

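A generic illustration, added here and not SMF's own code, of the design flaw the post describes: when the login cookie is a deterministic function of the stored hash, reading the user table is as good as knowing the password. The column names, the SHA-1 construction of the weak cookie and the session-table alternative are my assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed user row (not SMF's real schema): exactly what a database dump
# would contain for this account, i.e. a slow password hash plus its salt.
USER = {"id": 42,
        "passwd": "$5$rounds=7500$constructedsalt$constructedhashvalue",
        "password_salt": "k3Rq"}


class HashDerivedCookie:
    """Weak design (assumed, for illustration): the cookie value is computed
    only from database columns, so a copy of the table reproduces it."""

    def issue(self, user: dict) -> str:
        data = (user["passwd"] + user["password_salt"]).encode()
        return hashlib.sha1(data).hexdigest()

    def check(self, user: dict, cookie: str) -> bool:
        return hmac.compare_digest(cookie, self.issue(user))


class RandomSessionCookie:
    """Hardened design: the cookie is a fresh random secret; the server stores
    only its hash, so neither the user table nor the session table yields
    a usable cookie, and a password hash is never a login credential."""

    def __init__(self) -> None:
        self.sessions: dict[str, int] = {}  # sha256(token) -> user id

    def issue(self, user: dict) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = user["id"]
        return token

    def check(self, user: dict, cookie: str) -> bool:
        uid = self.sessions.get(hashlib.sha256(cookie.encode()).hexdigest())
        return uid is not None and uid == user["id"]

    def revoke_all(self, user: dict) -> None:
        """What a forced logout after a breach looks like in this design."""
        self.sessions = {k: v for k, v in self.sessions.items() if v != user["id"]}


def cookie_is_reproducible_from_db(auth, user: dict) -> bool:
    """Defender's property check: issue twice from the same stored row. If both
    results are identical and valid, the row itself is a login credential and a
    database leak is equivalent to a session leak."""
    first, second = auth.issue(user), auth.issue(user)
    return first == second and auth.check(user, second)
```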

Title: Re: About the recent attack
Post by: SPC_Bitcoin on October 07, 2013, 05:27:10 AM
thanks for the update! Glad the forum is back up.  :D


Title: Re: About the recent attack
Post by: r3wt on October 07, 2013, 05:35:17 AM
hmm, isn't it about time you upgrade to second gen smf?


Title: Re: About the recent attack
Post by: fible1 on October 07, 2013, 05:38:37 AM
Nice Job Theymos :)

Glad to hear you have new security precautions and that you were able to identify the attack vector.

Pablo.

P.S. As a general suggestion, it would be really cool to be able to use a YubiKey to log into the forum, or at least Google Authenticator :).



Title: Re: About the recent attack
Post by: mufa23 on October 07, 2013, 06:07:29 AM
Awesome! Glad to hear it's fixed now.


Title: Re: About the recent attack
Post by: demzie on October 07, 2013, 06:13:27 AM
How about a standard password reset for all users?

And after 4 weeks or something; delete all old accounts; could clean up the forum also?


Title: Re: About the recent attack
Post by: medicine on October 07, 2013, 06:26:10 AM
Very happy to see everything back and running, thanks Theymos for all the work you do to keep the site going.
Peace.


Title: Re: About the recent attack
Post by: Hyena on October 07, 2013, 06:28:55 AM
Any chance the attacker could have modified some of the php scripts temporarily? By that I mean the password checking function so that the user's password is e-mailed to him before hashing it.


Title: Re: About the recent attack
Post by: ldrgn on October 07, 2013, 06:40:04 AM
The forum is now on a new server inside of a virtual machine

Security-wise what does this get you?  Or is this just a 'fyi, we moved' thing.


Title: Re: About the recent attack
Post by: Abdussamad on October 07, 2013, 07:18:09 AM
Was the javascript they entered in the forums harmful? I'd like to know more about that.


Title: Re: About the recent attack
Post by: Hyena on October 07, 2013, 07:22:55 AM
Changed my passwords in other places where I used it. It was about time anyway.
This helped a lot:
$ makepasswd --chars 16
uvULbCpFLKg9phb2
...


Title: Re: About the recent attack
Post by: Maged on October 07, 2013, 07:23:51 AM
Was the javascript they entered in the forums harmful? I'd like to know more about that.
No, we determined that it was merely fun and completely harmless. We lucked out big time...


Title: Re: About the recent attack
Post by: escrow.ms on October 07, 2013, 07:27:39 AM
Good job theymos.


Title: Re: About the recent attack
Post by: r3wt on October 07, 2013, 07:41:21 AM
Good job theymos.

are you fucking kidding me?


Title: Re: About the recent attack
Post by: escrow.ms on October 07, 2013, 07:49:17 AM
Good job theymos.

are you fucking kidding me?

What do you mean.
Are you not happy to see forum back again?


Title: Re: About the recent attack
Post by: ReBoRn on October 07, 2013, 07:54:07 AM
very happy at least it's back and now I can do again all which I was doing before this closing  :D


Title: Re: About the recent attack
Post by: superresistant on October 07, 2013, 08:00:40 AM
Good job theymos.

are you fucking kidding me?

What do you mean.
Are you not happy to see forum back again?


Ignore button is shining upon r3wt.


Title: Re: About the recent attack
Post by: r3wt on October 07, 2013, 08:12:15 AM
Good job theymos.

are you fucking kidding me?

What do you mean.
Are you not happy to see forum back again?

well i hope that was a sarcastic "good job"

theymos, upgrade smf for the love of Christ.




Title: Re: About the recent attack
Post by: jarhed on October 07, 2013, 08:27:43 AM
(.......)
How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in.
(.......)

Anyone care to summarize the 2011 annoyance. Was that the Bill Cosby incident?


Title: Re: About the recent attack
Post by: greyhawk on October 07, 2013, 08:33:18 AM
Anyone care to summarize the 2011 annoyance. Was that the Bill Cosby incident?

http://buttcoin.org/bitcointalk-forums-hacked-bill-cosby-pimping-new-cosbycoins%E2%84%A2-to-all-the-members-breaking


Title: Re: About the recent attack
Post by: LittleD on October 07, 2013, 08:47:34 AM
thanks for the update!  ;D


Title: Re: About the recent attack
Post by: n00ber on October 07, 2013, 09:33:24 AM
So this site has had a backdoor since 2011?


Title: Re: About the recent attack
Post by: Jumpy on October 07, 2013, 09:53:35 AM
Thanks for your vigilance Theymos. I'd also like to thank you for taking the site down quickly and leaving it offline until you could ensure security. Plenty of admins would have just gotten it back up as quickly as possible for the sake of revenue.


Title: Re: About the recent attack
Post by: dragonkid on October 07, 2013, 10:03:28 AM
Good job theymos.

are you fucking kidding me?

What do you mean.
Are you not happy to see forum back again?

well i hope that was a sarcastic "good job"

theymos, upgrade smf for the love of Christ.




I agree with r3wt. From my understanding there was a security patch for 2.0 but not for 1.1.18 on 1st October. They stopped patching 1.1.18. I think it is time to upgrade. Also I suggest you use either Nessus or OpenVAS to scan the forum to see if there are any other problems with the webserver configuration.


Title: Re: About the recent attack
Post by: chipug on October 07, 2013, 10:09:32 AM
Theymos - Thank you for keeping the forum warm. If people complain, maybe they should go camping with another forum ;)


Title: Re: About the recent attack
Post by: greyhawk on October 07, 2013, 10:20:28 AM
So this site has had a backdoor since 2011?

http://i69.photobucket.com/albums/i41/ongsuping/ID/ID%20-%20Expression%20Space/editIMG_3152.jpg


Title: Re: About the recent attack
Post by: btceic on October 07, 2013, 10:23:59 AM
Any idea what this is about?

https://i.imgur.com/vsHh8eB.jpg

http://www.reddit.com/r/Bitcoin/comments/1nw4py/something_awful_forums_admit_responsibility_for/



Title: Re: About the recent attack
Post by: simonk83 on October 07, 2013, 10:25:17 AM
If only all those thousands of dollars in donations had actually been put to purpose hey  ::)


Title: Re: About the recent attack
Post by: b!z on October 07, 2013, 10:34:43 AM
Thank you for the information, theymos. I'm glad the forum is back.


Title: Re: About the recent attack
Post by: aigeezer on October 07, 2013, 12:10:35 PM
Great to see the site back up. While it was down there was a lot of media mischief to the effect that "BTC is dead and will never recover". (I won't dignify the FUD with sample links). With that in mind, for "next time", I'd suggest putting up a brb splash page of some kind during an outage. This time people could go to reddit if they knew how, but otherwise were left in the dark to be spun by the FUDsters.

Also, given the nature of some of the spin out there, is there an informed "official" position on the (lack of?) correlation between the forum attack and the SR takedown? Is there an "official" position on the absence of a major BTC price crash during the dark period?





Title: Re: About the recent attack
Post by: stylesuxx on October 07, 2013, 12:34:34 PM
Attackers never really get anything out of their efforts in the end.
Mhhh,... the only ones to know what they got are the attackers, I guess.
To say that they did not get anything is just speculation.


Title: Re: About the recent attack
Post by: phelix on October 07, 2013, 12:43:10 PM

Bounties for reporting future vulnerabilities would be nice.

It is somewhat scary that admins can modify forum code from within the forum itself if I understand correctly.




Title: Re: About the recent attack
Post by: surebet on October 07, 2013, 12:43:27 PM
Any idea what this is about?

https://i.imgur.com/vsHh8eB.jpg

http://www.reddit.com/r/Bitcoin/comments/1nw4py/something_awful_forums_admit_responsibility_for/



I guess it means you guys shouldn't only screen cap the gibbis thread.

In case anyone missed it, here's a backup of the assets of the hack.

http://crymore.com/btc/

I guess I should mention that I didn't do it.


Title: Re: About the recent attack
Post by: Fiyasko on October 07, 2013, 12:49:46 PM
In the reddit thread...
https://i.imgur.com/VSzWPID.jpg
Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

Aside from that little piece of wonder, IM HAPPY THE FORUMS ARE BACK! ;D
http://pinkie.ponychan.net/chan/files/src/134022904560.jpg


Title: Re: About the recent attack
Post by: surebet on October 07, 2013, 12:54:16 PM
In the reddit thread...
https://i.imgur.com/VSzWPID.jpg
Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

Because all the "zOMG FBI ARE WATCHING!!!" threads amuse him?


Title: Re: About the recent attack
Post by: theymos on October 07, 2013, 01:08:29 PM
It is somewhat scary that admins can modify forum code from within the forum itself if I understand correctly.

That's how Satoshi set it up (maybe the SMF default), but I fixed it a while ago.


Title: Re: About the recent attack
Post by: surebet on October 07, 2013, 02:08:54 PM
Cloudflare was identified on our end as well.


Title: Re: About the recent attack
Post by: zeeshanblc on October 07, 2013, 02:48:45 PM
Thanks Admin, Glad to see this forum is back again.


Title: Re: About the recent attack
Post by: deslok on October 07, 2013, 03:33:21 PM

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.



You mean you've taken this opportunity to force ads on all of us(which are disabled by the actual SMF default theme) by defaulting to your custom theme.


Title: Re: About the recent attack
Post by: greyhawk on October 07, 2013, 03:37:24 PM

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.



You mean you've taken this opportunity to force ads on all of us(which are disabled by the actual SMF default theme) by defaulting to your custom theme.

You need to see the ads. The forums need money to upgrade their security.


Title: Re: About the recent attack
Post by: dragonkid on October 07, 2013, 03:44:32 PM
Some things that should be done (but probably won't be done because Theymos would have to spend some of the money he collected)

-Use a reverse proxy service such as Cloudflare or Akami
-Run vulnerability scanners against the site such as HP web inspect.
-Develop a living risk matrix and list the mitigation steps for each vulnerability.
-Hire a company to do penetration testing.

Posting the code is not a good idea since it would be only for this site and it would not be an "open source" project.  It would be someone looking to get something for free when they should pay an expert. 

Web Inspect is rubbish, since you recommend hiring a Pen Tester. It works out cheaper just using a Pen Tester than getting Web Inspect.

Also consider using Tripwire, so you know when the code has been modified.


Title: Re: About the recent attack
Post by: TravisE on October 07, 2013, 04:14:05 PM
Good to see it back up!

I'm trying to change my password, but it's confusing because whenever I log in, make changes, etc., I just get a completely blank page, so it's hard to know if it was even successful. Does this happen to anyone else or is it just my browser?


Title: Re: About the recent attack
Post by: malevolent on October 07, 2013, 05:12:42 PM
You mean you've taken this opportunity to force ads on all of us(which are disabled by the actual SMF default theme) by defaulting to your custom theme.

Once you become a Hero Member in two weeks max, you'll be able to disable the ads in the profile settings.

https://bitcointalk.org/index.php?action=profile;u=23737;sa=forumProfile
and scroll down to "Disable ads".

I personally have them enabled, compared with other websites' solutions the ones here are rather unintrusive.

By keeping them disabled you also miss some of the interesting quotes:
https://bitcointalk.org/adrotate.php?adinfo


Title: Re: About the recent attack
Post by: deslok on October 07, 2013, 05:52:21 PM
You mean you've taken this opportunity to force ads on all of us(which are disabled by the actual SMF default theme) by defaulting to your custom theme.

Once you become a Hero Member in two weeks max, you'll be able to disable the ads in the profile settings.

https://bitcointalk.org/index.php?action=profile;u=23737;sa=forumProfile
and scroll down to "Disable ads".

I personally have them enabled, compared with other websites' solutions the ones here are rather unintrusive.

By keeping them disabled you also miss some of the interesting quotes:
https://bitcointalk.org/adrotate.php?adinfo


That's funny, I used to be a hero member with something on the order of 1500 posts. I guess I've been reduced in rank for not liking ads? (The other layout also included a few things not shown with the bitcointalk one that were nice to have on occasion.) Back on topic, I'm glad the forum is back at least.


Title: Re: About the recent attack
Post by: tysat on October 07, 2013, 05:54:54 PM
That's funny, I used to be a hero member with something on the order of 1500 posts. I guess I've been reduced in rank for not liking ads?

Your rank is different because it's based off of activity now instead of post count.  Been like this for almost 4 months, see https://bitcointalk.org/index.php?topic=237597.0


Title: Re: About the recent attack
Post by: tspacepilot on October 07, 2013, 06:38:12 PM
In the reddit thread...
[snip]

Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?


Title: Re: About the recent attack
Post by: ErebusBat on October 07, 2013, 06:51:29 PM
In the reddit thread...
[snip]

Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?
Something Awful, often abbreviated to SA, is a comedy website housing a variety of content, including blog entries, forums, feature articles, digitally edited pictures, and humorous media reviews.


Title: Re: About the recent attack
Post by: tspacepilot on October 07, 2013, 06:52:55 PM
In the reddit thread...
[snip]

Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?
Something Awful, often abbreviated to SA, is a comedy website housing a variety of content, including blog entries, forums, feature articles, digitally edited pictures, and humorous media reviews.

Thanks!   "SA" was too generic to google without some further context. :)


Title: Re: About the recent attack
Post by: deepceleron on October 07, 2013, 07:24:09 PM
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

Welcome back forum!

Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer. It was most likely used by someone with the discipline to occasionally do a db pull and crack a hash and bring back an old account from the dead for scamming, or employ re-used passwords to make bitcoins mysteriously disappear from an exchange. It also could be used in a way that would never be learned, such as to retrieve IP address logs of a suspect account and use account information against a user, while "parallel construction" prevents any revelation of the backdoor.

My last post on this forum before it went down, about a rooted Bitcoin casino. How novel:

You are lucky that the hacker couldn't think of anything interesting to do; however that machine is not 100% secure unless it can be image-restored or reloaded. An intrusion detection system would have alerted to any system changes or the downtime. The hacker's goal may not have been to steal Bitcoins, it may have been to discover the site owner's identity or that of players or to log credentials.


Title: Re: About the recent attack
Post by: qwk on October 07, 2013, 07:31:17 PM
How about a standard password reset for all users?
And after 4 weeks or something; delete all old accounts; could clean up the forum also?
Yeah, that "satoshi" guy hasn't logged in for quite a while, get rid of him ;D


It is somewhat scary that admins can modify forum code from within the forum itself if I understand correctly.
That's how Satoshi set it up (maybe the SMF default), but I fixed it a while ago.
Are those code changes stored in a database or are the files themselves edited?
If it's the files, that'd be easy to monitor.
Database snippets, on the other hand, might be a little more tricky.


Title: Re: About the recent attack
Post by: theymos on October 07, 2013, 07:47:24 PM
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.


Title: Re: About the recent attack
Post by: deepceleron on October 07, 2013, 08:10:36 PM
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.
I'm not doubting its existence, I'm saying that unless there is specific evidence, it was likely not placed by the same entity that uploaded dancing javascript.


Maybe Theymos is an NSA plant putting back doors from the 1990's into the forum?

http://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

We at the NSA thank you for your contribution to our signals intelligence efforts:

69.249.73.204 - - [07/Oct/2013:05:02:10 -0400] "GET www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf HTTP/1.1" 200 79951 "https://bitcointalk.org/index.php?topic=306878.40" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"


Title: Re: About the recent attack
Post by: phelix on October 07, 2013, 08:10:57 PM
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer. It was most likely used by someone with the discipline to occasionally do a db pull and crack a hash and bring back an old account from the dead for scamming, or use the credentials to make bitcoins mysteriously disappear from an exchange. It also could be used in a way that would never be learned, such as to retrieve IP address logs of a suspect account and use account information against a user, while "parallel construction" prevents any revelation of the backdoor.
Are there any logs of hacking action? When was the backdoor placed again?

The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?



Title: Re: About the recent attack
Post by: monbux on October 07, 2013, 08:13:05 PM
thanks for the update! Glad the forum is back up.  :D

Yes, that was a scary run, hopefully it won't happen again.  Any *cough* um, accusations of who attacked?


Title: Re: About the recent attack
Post by: QuestionAuthority on October 07, 2013, 08:16:52 PM
Cloudflare was identified on our end as well.

Are you the same surebet that's a member of this exploit database site http://1337day.com that has a private section containing SMF exploits?


Title: Re: About the recent attack
Post by: r3wt on October 07, 2013, 08:25:49 PM
theymos is a competent administrator. tradefortress told me so :D


Title: Re: About the recent attack
Post by: bitfreak! on October 07, 2013, 08:58:27 PM
Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each other through the PM system, and don't take the time to encrypt it or secure it in any way.

In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.


Title: Re: About the recent attack
Post by: Maged on October 07, 2013, 09:10:08 PM
Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each other through the PM system, and don't take the time to encrypt it or secure it in any way.
I'm pretty sure that they did.
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.


Title: Re: About the recent attack
Post by: bitfreak! on October 07, 2013, 09:18:36 PM
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?


Title: Re: About the recent attack
Post by: gweedo on October 07, 2013, 09:20:34 PM
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

My understanding is the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.


Title: Re: About the recent attack
Post by: bitfreak! on October 07, 2013, 09:31:08 PM
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

My understanding is the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.


Title: Re: About the recent attack
Post by: QuestionAuthority on October 07, 2013, 09:37:34 PM
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

My understanding is the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.

That's not true:

The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames and eventually purchased a donor account, using it to gain access to various user accounts and change their names, including that of the administrator, Satoshi.

Theymos verified that this is correct.


Title: Re: About the recent attack
Post by: Welsh on October 07, 2013, 09:41:39 PM
Glad it's back up. I lost a lot of contact with the Bitcoin world because all other Bitcoin forums are not active enough.


Title: Re: About the recent attack
Post by: bitfreak! on October 07, 2013, 09:43:20 PM
Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
So the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.


Title: Re: About the recent attack
Post by: Maged on October 07, 2013, 09:47:20 PM
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written.
Theymos reviewed a diff between the files from a fresh SMF install and our setup. Therefore, we effectively reinstalled and re-applied our modifications. Theymos then went on to do a full code review and only re-enabled the absolute minimum functionality for the forum to operate.

If you had access to the moderation tools, you'd realize just how much is missing...
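The reinstall-and-diff check described in the post above, as an added example written for this thread rather than any tooling the forum or SMF itself ships: it compares a deployed tree against a pristine copy of the same release, lists files that were added or modified, and then flags the changed PHP files that contain dynamic-execution primitives so a reviewer reads those first. The directory names, the fixture files and the marker line inside them are constructed assumptions, not anything taken from the forum's own code.

```php
<?php
// Added example, not the forum's or SMF's own code. Compares a deployed PHP tree
// against a pristine copy of the same release and points a reviewer at the
// files most worth reading. All paths below are constructed placeholders.

// Relative paths of every regular file under $root, sorted for stable output.
function list_files(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $out[] = substr($file->getPathname(), strlen($root) + 1);
    }
    sort($out);
    return $out;
}

// Files in the deployed tree that the pristine tree lacks, or whose contents differ.
// Comparing digests rather than mtimes avoids being fooled by a touched timestamp.
function changed_files(string $pristine, string $deployed): array
{
    $changes = [];
    foreach (list_files($deployed) as $rel) {
        $p = "$pristine/$rel";
        if (!is_file($p)) {
            $changes[$rel] = 'added';
        } elseif (hash_file('sha256', $p) !== hash_file('sha256', "$deployed/$rel")) {
            $changes[$rel] = 'modified';
        }
    }
    return $changes;
}

// Among the changed PHP files, those containing primitives that turn data into code.
// A hit is a reason to read the file, not proof of a backdoor.
function suspicious_files(string $pristine, string $deployed): array
{
    $flagged = [];
    foreach (changed_files($pristine, $deployed) as $rel => $why) {
        if (substr($rel, -4) !== '.php') {
            continue;
        }
        $src = file_get_contents("$deployed/$rel");
        if (preg_match('/\b(eval|assert|create_function)\s*\(/', $src)
            || preg_match('/\bbase64_decode\s*\(/', $src)) {
            $flagged[$rel] = $why;
        }
    }
    return $flagged;
}

// Constructed sample trees so the example runs offline.
$tmp = sys_get_temp_dir() . '/smf_audit_' . uniqid();
foreach (['pristine', 'deployed'] as $side) {
    mkdir("$tmp/$side/Sources", 0700, true);
}
file_put_contents("$tmp/pristine/Sources/Load.php", "<?php\necho 'ok';\n");
file_put_contents("$tmp/deployed/Sources/Load.php", "<?php\necho 'ok';\n");
file_put_contents("$tmp/pristine/Sources/Subs.php", "<?php\nfunction f() { return 1; }\n");
// Constructed: an unexpected change in a file the release does ship.
file_put_contents("$tmp/deployed/Sources/Subs.php",
    "<?php\nfunction f() { return 1; }\neval(\$cmd);\n");
// Constructed: a file the release does not ship at all.
file_put_contents("$tmp/deployed/Sources/Helper.php", "<?php\n// helper\n");

print_r(changed_files("$tmp/pristine", "$tmp/deployed"));
print_r(suspicious_files("$tmp/pristine", "$tmp/deployed"));
```

Run against the real trees, the first list is the set of local modifications that have to be re-applied deliberately after a fresh install; anything in it that nobody recognises is what the post calls a backdoor candidate. The second list only narrows where to look, since a backdoor can avoid every pattern grepped for here, which is why the full read-through still has to happen.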


Title: Re: About the recent attack
Post by: r3wt on October 07, 2013, 09:50:53 PM
have you checked to make sure that image sanitization is working properly?


Title: Re: About the recent attack
Post by: QuestionAuthority on October 07, 2013, 09:52:53 PM
Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
If the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.

Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.

Quote
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the package manager, smiley sets, newsletter and edit members or groups with the vulnerable bound post parameters local path url, username, url, emails & title. Exploitation requires low user interaction & privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin/mod/user) or stable (persistent) manipulation of the web application context.

Package Manager > Download New Packages > FTP Information Required (Listing)

<dd>
<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
<label for="ftp_port">Port:&nbsp;</label>
<input type="text" size="3" name="ftp_port" id="ftp_port" value="21"
class="input_text" />

URL: http://127.0.0.1:133...5f26c102fff9626



Smiley Sets > Add

<tr class="windowbg" id="list_smiley_set_list_0">
<td style="text-align: center;"></td>
<td class="windowbg">Akyhne's Set</td>
<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
akyhne</strong>/...</td>

Review: Newsletter > Add

<input name="email_force" value="0" type="hidden">
<input name="total_emails" value="1" type="hidden">
<input name="max_id_member" value="13" type="hidden">
<input name="groups" value="0,1,2,3" type="hidden">
<input name="exclude_groups" value="0,1,2,3" type="hidden">
<input name="members" value="" type="hidden">
<input name="exclude_members" value="" type="hidden">
<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
</form>
</div>
<br class="clear" />
</div>

Edit Membergroups & User/Groups Listing

<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
><ifram
</h3>
</div>
<div class="windowbg2">
<span class="topslice"><span></span></span>
 


Title: Re: About the recent attack
Post by: bitfreak! on October 07, 2013, 10:14:51 PM
Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
It seems like you are referring to the same vulnerabilities referenced in this thread:

http://www.simplemachines.org/community/index.php?topic=482530.0

The SMF Project Manager had this to say about it:
Quote
this is, essentially, BS...

not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section...  and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.


Title: Re: About the recent attack
Post by: theymos on October 07, 2013, 10:18:14 PM
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.


Title: Re: About the recent attack
Post by: QuestionAuthority on October 07, 2013, 10:26:58 PM
Securing the forum requires fewer people with access not upgrading to an unknown quantity. At least using an older version means most of the vulnerabilities are known.


Title: Re: About the recent attack
Post by: r3wt on October 07, 2013, 11:26:08 PM
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.

iirc the latest build is 2.0.5 and is quite secure....


Title: Re: About the recent attack
Post by: Welsh on October 07, 2013, 11:30:46 PM
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.

iirc the latest build is 2.0.5 and is quite secure....

It's got more features, which means more vulnerabilities. He's right, it's more than likely better to stay on this version. Although upgrading to a different forum system may be better, it would require more downtime and more hassle.


Title: Re: About the recent attack
Post by: MagicBit15 on October 08, 2013, 12:49:40 AM
My forum is back thank god. I felt so empty without my BTC talk  :-\.

Great work theymos!!


Title: Re: About the recent attack
Post by: joesmoe2012 on October 08, 2013, 12:53:33 AM
I'm all for an upgrade. Also, why do we need ads seeing as we have a huge fund to pay for the forum? They are really annoying.


Title: Re: About the recent attack
Post by: surebet on October 08, 2013, 02:11:58 AM
The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Revealed as explained or used? It would probably be a mixture of courtesy, the "wtf, the two year old backdoor still works" factor and just sharing knowledge.

Yes, that was a scary run, hopefully won't happen again.  Any *cough* um, accusations of who attacked?

https://i.imgur.com/TRlRdRp.gif

Are you the same surebet that's a member of this exploit database site http://1337day.com that has a private section containing SMF exploits?

No.


Title: Re: About the recent attack
Post by: repentance on October 08, 2013, 02:33:45 AM
The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Why not reveal it?  It was going to be discovered eventually by those trying to fix the forum and revealing that a two year old backdoor was used made it more difficult for theymos to claim it was some new, previously unheard of exploit.  There's some lulz to be had when you tell someone how you did something just after it happens and it still takes them days to find and fix the problem.


Title: Re: About the recent attack
Post by: surebet on October 08, 2013, 02:44:52 AM
As a side note is there any new restrictions on avatars now, namely the ability to change them?

I have a 80x80 gif I'd like to use that comes out to either 21 or 28k depending, no mention in the usercp about restrictions.


Title: Re: About the recent attack
Post by: tspacepilot on October 08, 2013, 05:45:04 AM
So, if there are so many problems with SMF, why does theymos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right?


Title: Re: About the recent attack
Post by: Swordsoffreedom on October 08, 2013, 05:50:02 AM
2011 Wow that is an old exploit, whoever broke into the system bided their time executing that code.


Title: Re: About the recent attack
Post by: HellDiverUK on October 08, 2013, 07:19:38 AM
Well, this could well be coincidence, but someone's been trying very hard to get in to my iCloud account the past day or so.  The iCloud username is the same as the email I used here (a GMail account).

I've reset both the GMail and iCloud account passwords, and put double auth on the GMail, but it's annoying getting "iForgot" emails every 15 minutes...


Title: Re: About the recent attack
Post by: HellDiverUK on October 08, 2013, 07:21:29 AM
So, if there are so many problems with SMF, why does theymos still use it?  There must be some open-source forum software that could be used.

Usually laziness.  Most forum software will import the database from other forums.  There's plenty - phpBB is the biggest one, OK it has its problems too, but it's being worked on constantly by the developers.


Title: Re: About the recent attack
Post by: phelix on October 08, 2013, 07:45:09 AM
SMF v2.0.2 has many vulnerabilities.

Yeah. SMF 2.x is basically 1.x with more features (i.e. more attack area) and a slightly more secure database escaping scheme. Upgrading probably isn't worthwhile unless we want the better license.
1.x makes perfect sense then. Maybe the sanitizing part can be backported/improved.

Are there any logs of hacking action? When was the backdoor placed again?


The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

Why not reveal it?  It was going to be discovered eventually by those trying to fix the forum and revealing that a two year old backdoor was used made it more difficult for theymos to claim it was some new, previously unheard of exploit.  There's some lulz to be had when you tell someone how you did something just after it happens and it still takes them days to find and fix the problem.
Because it will be fixed if you reveal it and you lose access.

There are plenty of other much worse things the hacker could have done, that would even have made him money. Hopefully we are lucky and it was a gray hat. On the other hand - who would really want to call down the wrath of this forum...


Title: Re: About the recent attack
Post by: myself on October 08, 2013, 07:55:37 AM
re-enable BlackBox theme, this one is way too white


Title: Re: About the recent attack
Post by: TsuyokuNaritai on October 08, 2013, 08:00:37 AM
re-enable BlackBox theme, this one is way too white
+1.


Title: Re: About the recent attack
Post by: greyhawk on October 08, 2013, 08:17:12 AM
Because it will be fixed if you reveal it and you lose access.

Not if you've got more than the backdoor you revealed.


Title: Re: About the recent attack
Post by: 🏰 TradeFortress 🏰 on October 08, 2013, 08:22:27 AM
The backdoor is specific to the forum. It's probably something as simple as eval() with certain arguments passed in obscure and unintended methods.


Title: Re: About the recent attack
Post by: Maged on October 08, 2013, 05:52:33 PM
Because it will be fixed if you reveal it and you lose access.

Not if you've got more than the backdoor you revealed.
You would have to have an additional whole SMF exploit to safely reveal your access, because when backdoors are suspected, people usually sanitize everything - just as we did here. Not even a backdoor embedded in the BIOS would have survived the cleanup that theymos did, since we completely changed hardware and rebuilt everything from the ground up. A backdoor in the database might still exist, but theymos looked pretty hard for those. So, other than that, the only way this guy is getting back in is if he has an exploit that anyone could have found.

The backdoor is specific to the forum. It's probably something as simple as eval() with certain arguments passed in obscure and unintended methods.
Probably...


Title: Re: About the recent attack
Post by: clock27 on October 08, 2013, 06:07:41 PM
very happy the forum is back up :) keep up the good work


Title: Re: About the recent attack
Post by: thechevalier on October 08, 2013, 07:03:50 PM
Great job recovering from the hack!

I know how hard it is to keep an SMF forum secure. I ran a much smaller forum on SMF, and it was a constant battle (both SMF 1 and 2). Eventually, I switched to something else that was easier (for me) to keep secure.

(I'm not suggesting changing to another forum package is the right thing to do here as it sounds like you have a really good understanding of SMF security vulnerabilities and how to mitigate attacks now, and that's really the most important thing).


Title: Re: About the recent attack
Post by: Baitty on October 08, 2013, 10:16:29 PM
Glad it's back up I lost all information on bitcoin because this is where I get most of it


Title: Re: About the recent attack
Post by: BitPirate on October 09, 2013, 01:12:19 AM
Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
It seems like you are referring to the same vulnerabilities referenced in this thread:

http://www.simplemachines.org/community/index.php?topic=482530.0

The SMF Project Manager had this to say about it:
Quote
this is, essentially, BS...

not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section...  and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.

Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.

This reads to me like they don't understand the dangers of XSS. Which is kinda worrying if that is an official response.

The advisory describes a persistent XSS flaw in the Admin section. The comment about admins already having access is completely off the mark. XSS attacks are always executed in the context of the privileged user. The validation flaw could be behind bloody Fort Knox -- it doesn't matter in the slightest; the attack is still exactly the same as if it were in the front-end.

That forum thread is a face-palm.

If you need a reason to move away from SMF, there it is.
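The point made in the post above, and the `ftp_server` field shown in the advisory fragments QuestionAuthority quoted earlier, as an added example that is not SMF's code and not anything from the advisory: a stored value rendered into an admin-page attribute without escaping lets markup in that value become part of the page that the next administrator's browser renders, so it runs with that administrator's session. The hardened version escapes at the output boundary for the attribute context. The renderer functions, the stored value and the self-check are constructed for this example.

```php
<?php
// Added example, not SMF's own template code. Shows why a stored value rendered
// into an admin-only page is still an XSS problem: the markup executes in the
// browser of whichever admin views the page, not in the context of whoever stored it.

// Vulnerable rendering: the stored value is interpolated into the attribute raw.
// A value containing a double quote closes the attribute early, and anything
// after it is parsed as markup (this is the shape the advisory's fragments show).
function render_ftp_field_vulnerable(string $stored): string
{
    return '<input size="30" name="ftp_server" id="ftp_server" type="text" value="'
        . $stored . '" class="input_text" />';
}

// Hardened rendering: escape at the point of output, for the attribute context.
// ENT_QUOTES turns both quote characters into entities so the value can never
// terminate the attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function render_ftp_field_hardened(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input size="30" name="ftp_server" id="ftp_server" type="text" value="'
        . $safe . '" class="input_text" />';
}

// Reviewer self-check: hardened output must contain no raw tag and no raw quote
// beyond the ones the template itself writes, so the stored value stays inert text.
function output_is_inert(string $html, string $stored): bool
{
    if ($stored === '') {
        return true;
    }
    // Every < and " that came from the stored value must now be an entity.
    return strpos($html, '<' . substr(ltrim($stored, '"\'>'), 0, 1)) === false
        && strpos($html, '&quot;&gt;&lt;') !== false;
}

// Constructed sample: a stored value shaped like the advisory's marker. It is an
// inert placeholder, not a working payload.
$stored = '"><b>[PERSISTENT SCRIPT CODE]</b>\'';

echo "vulnerable: ", render_ftp_field_vulnerable($stored), PHP_EOL;
// The attribute closes after value=" and <b>...</b> becomes real markup.

echo "hardened:   ", render_ftp_field_hardened($stored), PHP_EOL;
// The value appears as &quot;&gt;&lt;b&gt;... and the browser shows it as text.

var_dump(output_is_inert(render_ftp_field_hardened($stored), $stored));
```

The check that matters for the advisory's argument is who renders the page, not who can reach the form: the stored string is written once and then served to every administrator who opens that admin page, which is exactly the privileged-context execution the post describes. The fix belongs in the template output, and the same `htmlspecialchars` call with `ENT_QUOTES` applies to every other field the advisory lists (smiley set name, newsletter emails, membergroup title).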


Title: Re: About the recent attack
Post by: duhosnyul on October 09, 2013, 12:11:10 PM
Thanks Theymos and others who helped maintain this forum.


Title: Re: About the recent attack
Post by: tspacepilot on October 09, 2013, 02:52:24 PM
So, if there are so many problems with SMF, why does theymos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right?
Someone must have a good answer.


Title: Re: About the recent attack
Post by: stormlighter on October 09, 2013, 03:58:06 PM
Glad BTCT is up and running again :)

Lock all staff/admin accounts to 1 IP.  That's one way to prevent exploits if someone was to get the password for an admin account.
Admins would be forced to use the same IP via VPN or proxy service.


Title: Re: About the recent attack
Post by: greyhawk on October 09, 2013, 04:09:23 PM
Glad BTCT is up and running again :)

You may want to take another look at that.


Title: Re: About the recent attack
Post by: stormlighter on October 09, 2013, 04:17:27 PM
Heh.. well I use it without any plugins or addons and whatnot. Access to the forum is all I need :)


Title: Re: About the recent attack
Post by: jeffhuys on October 09, 2013, 05:40:24 PM
Glad BTCT is up and running again :)

You may want to take another look at that.

:( it was such an awesome site. I hate it.


Title: Re: About the recent attack
Post by: sdp on October 10, 2013, 05:23:45 AM
I wonder if the fact that this site was brought down at the same time as Silk Road was any more of a coincidence.


Title: Re: About the recent attack
Post by: sdp on October 10, 2013, 11:21:15 AM
Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

An administrator can by definition do anything.  It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.



Title: Re: About the recent attack
Post by: snappa4ever on October 10, 2013, 01:37:59 PM
Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

An administrator can by definition do anything.  It is sometimes useful if you want to do something on a user's behalf or for testing whether permissions are respected correctly.



By default the administrator has the power to do that. If not, the admin can go to phpMyAdmin and change the hash to another known hash, log in using the new password, and change the hash back again after the login.


Title: Re: About the recent attack
Post by: viboracecata on October 11, 2013, 06:20:06 AM
thanks for your hard work


Title: Re: About the recent attack
Post by: halfawake on October 12, 2013, 05:29:56 AM
Is there anyone else that feels that it's a hell of a coincidence that this happened at almost the exact same time that Silk Road was taken down?


Title: Re: About the recent attack
Post by: SaltySpitoon on October 12, 2013, 06:20:40 AM
Is there anyone else that feels that it's a hell of a coincidence that this happened at almost the exact same time that Silk Road was taken down?

My initial guess was that it was someone with a fairly sizeable amount of cash, who wanted to buy Bitcoins cheap. Just my opinion anyway, is that it was someone who sold their BTC high right after the SR news, saw the price go down by $40 per coin, and stood to make thousands if not more by panicking people further and dropping the BTC price more before buying in.

That or just because they felt like it.


Title: Re: About the recent attack
Post by: tspacepilot on October 13, 2013, 03:58:25 AM
So, if there are so many problems with SMF, why does theymos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right?
Someone must have a good answer.
Surprised no one in this thread has a comment on open-source forum software and potential alternatives to SMF.


Title: Re: About the recent attack
Post by: inform on October 18, 2013, 05:11:39 PM
I think, guys, be secure.
I recommend making a strong password.

And I hope the admin fixes this bug and we'll be a secure place. Peace  ::)


Title: Re: About the recent attack
Post by: whiskers75 on October 23, 2013, 03:08:50 PM
So, if there are so many problems with SMF, why does theymos still use it?  There must be some open-source forum software that could be used.   At least in that case the skills of the thousands of people using this forum and offering opinions about the code could be put to some profitable use.  Right?
Someone must have a good answer.
Surprised no one in this thread has a comment on open-source forum software and potential alternatives to SMF.
Maybe we should use Discourse.


Title: Re: About the recent attack
Post by: hilariousandco on February 12, 2014, 01:58:04 PM
Would it be possible to add the avatar if I provide the link to the photo for inspection?  I couldn't hack a paper bag let alone a website lol

I doubt Theymos will make an exception for you. Many have asked before.