Bitcoin Forum
Author Topic: About the recent attack  (Read 13461 times)
theymos (Administrator, Legendary; Activity: 3150, Merit: 3648)
October 07, 2013, 05:18:33 AM  #1

On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.

Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.

The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.

How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to log in as someone using only their password hash. No brute-forcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.

The future

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.

I'd like to publish the forum's current code so that it can be carefully reviewed and the disabled features can be re-enabled. SMF 1.x's license prohibits publishing the code, though, so I will have to either upgrade to 2.x, get a special copyright exception from SMF, or do the auditing myself. During this investigation, a few security disadvantages to 2.x were brought to my attention, so I don't know whether I want to upgrade if I can help it. (1.x is still supported by SMF.)

Special thanks to these people for their assistance in dealing with this issue:
- warren
- Private Internet Access
- nerta
- Joshua Rogers
- chaoztc
- phantomcircuit
- jpcaissy
- bluepostit
- All others who helped

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of October 7 2013, the Bitcoin Forum has been restored to bitcointalk.org.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlJSRF8ACgkQxlVWk9q1keemWgD/WcvrsikPq6AHpEo20KGmQInp
FlyAWNbX74z65KJrsUEBAIcCzYnHZ7gAs49mlhSq1fR9o2LZCETV3BJveCTu7lAi
=b9Xb
-----END PGP SIGNATURE-----
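The hashing the post describes (sha256crypt with a per-password salt and a raised round count), shown as an added Python example that is not the forum's own code: the algorithm written from Drepper's specification, checked against the test vectors published with it, plus a verifier for stored strings. The salt encoding in new_hash is an assumption; the post gives the salt size but not how the forum encodes it.

```python
# Added example, not the forum's own code: sha256crypt ("$5$"), the scheme the post
# names, written from Drepper's specification (as in glibc crypt(3)), plus a verifier.
import hashlib, hmac, os
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),   # digest bytes
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]   # in crypt order

def _encode(d: bytes) -> str:  # crypt's base64: permuted triples, then the last pair
    out = []
    for b2, b1, b0, n in [(d[x], d[y], d[z], 4) for x, y, z in _ORDER] + [(0, d[31], d[30], 3)]:
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(n):
            out.append(_ITOA64[w & 0x3F])
            w >>= 6
    return "".join(out)

def sha256crypt(password: str, salt: str, rounds=None) -> str:
    """rounds=None: the default 5000 with no 'rounds=' field in the output string."""
    key, s = password.encode(), salt.encode()[:16]      # salt is capped at 16 chars
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha256(key + s + key).digest()
    a = hashlib.sha256(key + s)
    a.update(b * (len(key) // 32) + b[: len(key) % 32])
    n = len(key)
    while n:                                             # walk the bits of len(key)
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()
    p = (hashlib.sha256(key * len(key)).digest() * (len(key) // 32 + 1))[: len(key)]
    sq = (hashlib.sha256(s * (16 + a[0])).digest() * (len(s) // 32 + 1))[: len(s)]
    c = a
    for i in range(r):                                   # the cost knob: 7500 on the forum
        h = hashlib.sha256(p if i & 1 else c)
        if i % 3: h.update(sq)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    prefix = "$5$" if rounds is None else f"$5$rounds={r}$"
    return f"{prefix}{s.decode()}${_encode(c)}"

def new_hash(password: str, rounds: int = 7500) -> str:   # 7500 rounds, as the post states
    # 12 random bytes per password; mapping them to salt chars this way is an assumption.
    return sha256crypt(password, "".join(_ITOA64[x % 64] for x in os.urandom(12)), rounds)

def verify(password: str, stored: str) -> bool:  # recompute from stored rounds/salt
    parts = stored.split("$")                            # '', '5', ['rounds=N',] salt, hash
    rounds = int(parts[2][7:]) if parts[2].startswith("rounds=") else None
    salt = parts[3] if rounds is not None else parts[2]
    return hmac.compare_digest(sha256crypt(password, salt, rounds), stored)
```

Every candidate password costs the full round loop against one stored salt, which is why the post says each hash must be attacked individually while weak passwords still fall quickly.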

SPC_Bitcoin (Member; Activity: 111, Merit: 10)
October 07, 2013, 05:27:10 AM  #2

Thanks for the update! Glad the forum is back up.

NEVER GOT PAID.
r3wt (Hero Member; Activity: 686, Merit: 500)
October 07, 2013, 05:35:17 AM  #3

Hmm, isn't it about time you upgrade to second-gen SMF?

My negative trust rating is reflective of a personal vendetta by someone on default trust.
fible1 (Legendary; Activity: 1092, Merit: 1000)
October 07, 2013, 05:38:37 AM  #4

Nice job, Theymos.

Glad to hear you have new security precautions and that you were able to identify the attack vector.

Pablo.

P.S. As a general suggestion, it would be really cool to be able to use a YubiKey to log into the forum, or at least Google Authenticator.


Fantastic FREE BOOK: "Investing in Cryptocurrency for the Long Term - Tips and Tricks": goo.gl/pj2cvr
PGP Key(s):
Pablo@Pablo-Lema.com: http://pastebin.com/V8Z4WxUE
mufa23 (Legendary; Activity: 1022, Merit: 1000)
October 07, 2013, 06:07:29 AM  #5

Awesome! Glad to hear it's fixed now.

Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
demzie (Sr. Member; Activity: 266, Merit: 250)
October 07, 2013, 06:13:27 AM  #6

How about a standard password reset for all users?

And after 4 weeks or something, delete all old accounts; that could clean up the forum also.
medicine (Hero Member; Activity: 696, Merit: 500)
October 07, 2013, 06:26:10 AM  #7

Very happy to see everything back and running, thanks Theymos for all the work you do to keep the site going.
Peace.

btc: 1GhVNYuPskEjX79oECB8KF53uvcKMhpNHW
Bitfinex referral code: KvlvfZYCdQ
Seoul Bitcoin Meetup
Hyena (Legendary; Activity: 1960, Merit: 1002)
October 07, 2013, 06:28:55 AM  #8

Any chance the attacker could have modified some of the PHP scripts temporarily? By that I mean the password checking function, so that the user's password is e-mailed to him before hashing it.

ldrgn (Member; Activity: 118, Merit: 10)
October 07, 2013, 06:40:04 AM  #9

Quote from: theymos
    The forum is now on a new server inside of a virtual machine

Security-wise, what does this get you? Or is this just a "fyi, we moved" thing.
Abdussamad (Legendary; Activity: 1862, Merit: 1064)
October 07, 2013, 07:18:09 AM  #10

Was the JavaScript they entered in the forums harmful? I'd like to know more about that.

Hyena (Legendary; Activity: 1960, Merit: 1002)
October 07, 2013, 07:22:55 AM  #11

Changed my passwords in other places where I used it. It was about time anyway.
This helped a lot:
$ makepasswd --chars 16
uvULbCpFLKg9phb2
...

Maged (Legendary; Activity: 1260, Merit: 1004)
October 07, 2013, 07:23:51 AM  #12

Quote from: Abdussamad
    Was the JavaScript they entered in the forums harmful? I'd like to know more about that.

No, we determined that it was merely fun and completely harmless. We lucked out big time...

escrow.ms (Legendary; Activity: 1204, Merit: 1003)
October 07, 2013, 07:27:39 AM  #13

Good job theymos.
r3wt (Hero Member; Activity: 686, Merit: 500)
October 07, 2013, 07:41:21 AM  #14

Quote from: escrow.ms
    Good job theymos.

are you fucking kidding me?

My negative trust rating is reflective of a personal vendetta by someone on default trust.
escrow.ms (Legendary; Activity: 1204, Merit: 1003)
October 07, 2013, 07:49:17 AM  #15

Quote from: r3wt
    Quote from: escrow.ms
        Good job theymos.
    are you fucking kidding me?

What do you mean?
Are you not happy to see the forum back again?
ReBoRn (Sr. Member; Activity: 392, Merit: 250)
October 07, 2013, 07:54:07 AM  #16

Very happy, at least it's back and now I can do again all which I was doing before this closing.

superresistant (Legendary; Activity: 1890, Merit: 1071)
October 07, 2013, 08:00:40 AM  #17

Quote from: escrow.ms
    Quote from: r3wt
        Quote from: escrow.ms
            Good job theymos.
        are you fucking kidding me?
    What do you mean?
    Are you not happy to see the forum back again?

Ignore button is shining upon r3wt.
r3wt (Hero Member; Activity: 686, Merit: 500)
October 07, 2013, 08:12:15 AM  #18

Quote from: escrow.ms
    Quote from: r3wt
        Quote from: escrow.ms
            Good job theymos.
        are you fucking kidding me?
    What do you mean?
    Are you not happy to see the forum back again?

Well, I hope that was a sarcastic "good job".

theymos, upgrade SMF for the love of Christ.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
jarhed (Sr. Member; Activity: 322, Merit: 250)
October 07, 2013, 08:27:43 AM  #19

Quote from: theymos
    (.......)
    How the attack was done

    I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in.
    (.......)

Anyone care to summarize the 2011 annoyance? Was that the Bill Cosby incident?
greyhawk (Hero Member; Activity: 924, Merit: 1000)
October 07, 2013, 08:33:18 AM  #20

Quote from: jarhed
    Anyone care to summarize the 2011 annoyance? Was that the Bill Cosby incident?

http://buttcoin.org/bitcointalk-forums-hacked-bill-cosby-pimping-new-cosbycoins%E2%84%A2-to-all-the-members-breaking