Bitcoin Forum
June 24, 2024, 10:08:47 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Attackers had backdoor code in the forum for the last 2 years?  (Read 1699 times)
rudystyle (OP)
Sr. Member
****
Offline Offline

Activity: 434
Merit: 250



View Profile
October 08, 2013, 12:55:02 PM
 #1

I am surprised that attackers had backdoor code and access to the entire database and scripts for the last 2 years (and still do ?) . No wonder hundreds of scams were taking place everyday.

hivewallet
Sr. Member
****
Offline Offline

Activity: 378
Merit: 325


hivewallet.com


View Profile WWW
October 08, 2013, 01:04:39 PM
 #2

Sorry, but where did you see that?

Hive, a beautiful, secure wallet with an app platform for Mac OS X, Android and Mobile Web. Translators wanted! iOS and OS X devs see BitcoinKit.
Tweets @hivewallet. Skype us here. Donations appreciated at 1HLRg9C1GsfEVH555hgcjzDeas14jen2Cn
Chronikka
Hero Member
*****
Offline Offline

Activity: 658
Merit: 504



View Profile
October 08, 2013, 01:08:49 PM
 #3

Sorry, but where did you see that?


How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.


https://bitcointalk.org/index.php?topic=306878.msg3290091#msg3290091

"The true sign of intelligence is not knowledge but imagination"  -Albert Einstein
dragonkid
Member
**
Offline Offline

Activity: 84
Merit: 10



View Profile
October 08, 2013, 01:09:12 PM
 #4

I have read it some where as well. But I can't recall the source where I read this. I think from that source they mentioned, that there was a backdoor 2 years ago, then it was removed when forum did a code review, then removed, then backdoor planted again. Then removed. Can't remember what happened after that. I heard the latest attack was not from the backdoor. I could be wrong, I have short memory.  Tongue

Peter Todd
Legendary
*
Offline Offline

Activity: 1120
Merit: 1150


View Profile
October 08, 2013, 01:17:23 PM
 #5

Fascinating bit of timing there - Ulbricht's lawyers could very well try to claim that the attacker could have completely faked the forum posts he was alleged to have made given the level of access to bitcointalk's servers, and now there's a huge window in which that could have happened. There's the issue that he made posts on other forums of course, but shroomery.com may be suspect too, and his stackexchange post is much less incriminating.

I wonder how far back do the backups go?

This is of course one of the dangers raised by having the NSA outright lie to the public, the courts, and congress - damages everyone's credibility and makes conspiracy theories so much more plausible.

Chronikka
Hero Member
*****
Offline Offline

Activity: 658
Merit: 504



View Profile
October 08, 2013, 01:19:54 PM
 #6

Fascinating bit of timing there - Ulbricht's lawyers could very well try to claim that the attacker could have completely faked the forum posts he was alleged to have made given the level of access to bitcointalk's servers, and now there's a huge window in which that could have happened. There's the issue that he made posts on other forums of course, but shroomery.com may be suspect too, and his stackexchange post is much less incriminating.

I wonder how far back do the backups go?

This is of course one of the dangers raised by having the NSA outright lie to the public, the courts, and congress - damages everyone's credibility and makes conspiracy theories so much more plausible.

Which is why digital evidence is very tricky. Anything can be altered, created, or destroyed by a pro.

"The true sign of intelligence is not knowledge but imagination"  -Albert Einstein
Maged
Legendary
*
Offline Offline

Activity: 1204
Merit: 1015


View Profile
October 08, 2013, 06:22:10 PM
 #7

I wonder how far back do the backups go?
Satoshi's might go back further, but we believe that the oldest backup we have is from August 2011. There is no evidence that we were hacked prior to September 3, 2011. Therefore, the database from that backup shouldn't have been tampered with. I personally have a copy of this.

Automatic daily backups started in February, 2012. Most, if not all, of these backups have a timestamped sha-256 hash recorded by me. Therefore, even though I personally only keep a small percentage of the backups, I can still verify that the backup wasn't modified. At some point, a MD5 hash was added on the server side. This was additionally recorded by me, although anyone with copies of the database probably have it as well. Unlike me (because, for me as a non-admin, the database is only useful for disaster recovery), theymos keeps the vast majority of these backups.

Shallow
Sr. Member
****
Offline Offline

Activity: 938
Merit: 255


SmartFi - EARN, LEND & TRADE


View Profile
October 13, 2013, 05:58:14 AM
 #8

Maybe it's time to upgrade from SMF?  Roll Eyes

████
██
██
██
██
██
██
██
██
██
██
██
████
...The Open..............
...Lending Platform...
████
████
████
████
████
████
████
████
████
████
████
████
████
▄▄█████████▄▄
▄█████████████████▄
▄██████████▀▀▀▀███████▄
█████████▀        ███████
████████▀        ▄█████████
█████████       ▄▀▀██████████
█████████     ▄▀   ▀█████████
██████████  ▄▀      █████████
█████████▀▀       ▄████████
███████        ▄█████████
▀███████▄▄▄▄██████████▀
▀█████████████████▀
▀▀█████████▀▀
.SMARTFI..████
████
████
████
████
████
████
████
████
████
████
████
████
...Join the SmartFi.....
...Token Sale...
████
██
██
██
██
██
██
██
██
██
██
██
████
████████████████████████████
████████████████████████████
████████████████████████████
█████████████████▀▀  ███████
█████████████▀▀      ███████
█████████▀▀   ▄▄     ███████
█████▀▀    ▄█▀▀     ████████
█████████ █▀        ████████
█████████ █ ▄███▄   ████████
██████████████████▄▄████████
████████████████████████████
████████████████████████████
████████████████████████████
████████████████████████████
████████████████████████████
████████████████████████████
████████▀▀▄██████▄▀▀████████
███████  ▀        ▀  ███████
██████                ██████
█████▌   ███    ███   ▐█████
█████▌   ▀▀▀    ▀▀▀   ▐█████
██████                ██████
███████▄  ▀██████▀  ▄███████
████████████████████████████
████████████████████████████
████████████████████████████
Chronikka
Hero Member
*****
Offline Offline

Activity: 658
Merit: 504



View Profile
October 13, 2013, 01:41:32 PM
 #9

Maybe it's time to upgrade from SMF?  Roll Eyes

Theymos certainly has the donated funds for it...

"The true sign of intelligence is not knowledge but imagination"  -Albert Einstein
MakeBelieve
Hero Member
*****
Offline Offline

Activity: 602
Merit: 500


View Profile
October 14, 2013, 12:14:58 AM
 #10

Maybe it's time to upgrade from SMF?  Roll Eyes

Theymos certainly has the donated funds for it...

There's been a lot of discussions on this. Take a look. There's been multiple flaws pointed out.

On a mission to make Bitcointalk.org Marketplace a safer place to Buy/Sell/Trade
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!