Bitcoin Forum
Pages: « 1 2 [3] 4 5 6 »  All
Author Topic: About the recent attack  (Read 13994 times)
dragonkid
Member
Activity: 84
Merit: 10
October 07, 2013, 03:44:32 PM
 #41

Some things that should be done (but probably won't be done because Theymos would have to spend some of the money he collected)

-Use a reverse proxy service such as Cloudflare or Akami
-Run vulnerability scanners against the site such as HP web inspect.
-Develop a living risk matrix and list the mitigation steps for each vulnerability.
-Hire a company to do penetration testing.

Posting the code is not a good idea since it would be only for this site and it would not be an "open source" project.  It would be someone looking to get something for free when they should pay an expert. 

Web Inspect is rubbish, since you recommend hiring a Pen Tester. It works out cheaper just using a Pen Tester than getting Web Inspect.

Also consider using Tripwire, so you know when the code has been modified.

TravisE
Full Member
Activity: 121
Merit: 100
October 07, 2013, 04:14:05 PM
 #42

Good to see it back up!

I'm trying to change my password, but it's confusing because whenever I log in, make changes, etc., I just get a completely blank page, so it's hard to know if it was even successful. Does this happen to anyone else or is it just my browser?
malevolent
can into space
Legendary
Activity: 3472
Merit: 1721
October 07, 2013, 05:12:42 PM
Merited by vapourminer (1)
 #43

You mean you've taken this opportunity to force ads on all of us (which are disabled by the actual SMF default theme) by defaulting to your custom theme.

Once you become a Hero Member in two weeks max, you'll be able to disable the ads in the profile settings.

https://bitcointalk.org/index.php?action=profile;u=23737;sa=forumProfile
and scroll down to "Disable ads".

I personally have them enabled, compared with other websites' solutions the ones here are rather unintrusive.

By keeping them disabled you also miss some of the interesting quotes:
https://bitcointalk.org/adrotate.php?adinfo

Signature space available for rent.
deslok
Sr. Member
Activity: 462
Merit: 250
It's all about the game, and how you play it
October 07, 2013, 05:52:21 PM
 #44

You mean you've taken this opportunity to force ads on all of us (which are disabled by the actual SMF default theme) by defaulting to your custom theme.

Once you become a Hero Member in two weeks max, you'll be able to disable the ads in the profile settings.

https://bitcointalk.org/index.php?action=profile;u=23737;sa=forumProfile
and scroll down to "Disable ads".

I personally have them enabled, compared with other websites' solutions the ones here are rather unintrusive.

By keeping them disabled you also miss some of the interesting quotes:
https://bitcointalk.org/adrotate.php?adinfo


That's funny, I used to be a hero member with something on the order of 1500 posts. I guess I've been reduced in rank for not liking ads? (The other layout also included a few things not shown with the bitcointalk one that were nice to have on occasion.) Back on topic, I'm glad the forum is back at least.

"If we don't hang together, by Heavens we shall hang separately." - Benjamin Franklin

If you found that funny or something i said useful i always appreciate spare change
1PczDQHfEj3dJgp6wN3CXPft1bGB23TzTM
tysat
Legendary
Activity: 966
Merit: 1004
Keep it real
October 07, 2013, 05:54:54 PM
Merited by vapourminer (1)
 #45

that's funny, I used to be a hero member with something on the order of 1500 posts, i guess i've been reduced in rank for not liking ads?

Your rank is different because it's based off of activity now instead of post count.  Been like this for almost 4 months, see https://bitcointalk.org/index.php?topic=237597.0
tspacepilot
Legendary
Activity: 1456
Merit: 1076
I may write code in exchange for bitcoins.
October 07, 2013, 06:38:12 PM
 #46

In the reddit thread...
[snip]

Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?
ErebusBat
Hero Member
Activity: 560
Merit: 500
I am the one who knocks
October 07, 2013, 06:51:29 PM
 #47

In the reddit thread...
[snip]

Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?
Something Awful, often abbreviated to SA, is a comedy website housing a variety of content, including blog entries, forums, feature articles, digitally edited pictures, and humorous media reviews.

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
tspacepilot
Legendary
Activity: 1456
Merit: 1076
I may write code in exchange for bitcoins.
October 07, 2013, 06:52:55 PM
 #48

In the reddit thread...
[snip]

Theymos says it was someone from SA, How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?
Something Awful, often abbreviated to SA, is a comedy website housing a variety of content, including blog entries, forums, feature articles, digitally edited pictures, and humorous media reviews.

Thanks!   "SA" was too generic to google without some further context. Smiley
deepceleron
Legendary
Activity: 1512
Merit: 1028
October 07, 2013, 07:24:09 PM
Last edit: October 07, 2013, 09:25:25 PM by deepceleron
Merited by vapourminer (1)
 #49

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

Welcome back forum!

Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer. It was most likely used by someone with the discipline to occasionally do a db pull and crack a hash and bring back an old account from the dead for scamming, or employ re-used passwords to make bitcoins mysteriously disappear from an exchange. It also could be used in a way that would never be learned, such as to retrieve IP address logs of a suspect account and use account information against a user, while "parallel construction" prevents any revelation of the backdoor.

My last post on this forum before it went down, about a rooted Bitcoin casino. How novel:

You are lucky that the hacker couldn't think of anything interesting to do; however that machine is not 100% secure unless it can be image-restored or reloaded. An intrusion detection system would have alerted to any system changes or the downtime. The hacker's goal may not have been to steal Bitcoins, it may have been to discover the site owner's identity or that of players or to log credentials.
qwk
Donator
Legendary
Activity: 3542
Merit: 3411
Shitcoin Minimalist
October 07, 2013, 07:31:17 PM
 #50

How about a standard password reset for all users?
And after 4 weeks or something; delete all old accounts; could clean up the forum also?
Yeah, that "satoshi" guy hasn't logged in for quite a while, get rid of him Grin


It is somewhat scary that admins can modify forum code from within the forum itself if I understand correctly.
That's how Satoshi set it up (maybe the SMF default), but I fixed it a while ago.
Are those code changes stored in a database or are the files themselves edited?
If it's the files, that'd be easy to monitor.
Database snippets, on the other hand, might be a little more tricky.

Yeah, well, I'm gonna go build my own blockchain. With blackjack and hookers! In fact forget the blockchain.
theymos (OP)
Administrator
Legendary
Activity: 5194
Merit: 12908
October 07, 2013, 07:47:24 PM
 #51

I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
deepceleron
Legendary
Activity: 1512
Merit: 1028
October 07, 2013, 08:10:36 PM
 #52

I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.
I'm not doubting its existence, I'm saying that unless there is specific evidence, it was likely not placed by the same entity that uploaded dancing javascript.


Maybe Theymos is an NSA plant putting back doors from the 1990's into the forum?

http://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

We at the NSA thank you for your contribution to our signals intelligence efforts:

69.249.73.204 - - [07/Oct/2013:05:02:10 -0400] "GET www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf HTTP/1.1" 200 79951 "https://bitcointalk.org/index.php?topic=306878.40" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
phelix
Legendary
Activity: 1708
Merit: 1019
October 07, 2013, 08:10:57 PM
 #53

I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer. It was most likely used by someone with the discipline to occasionally do a db pull and crack a hash and bring back an old account from the dead for scamming, or use the credentials to make bitcoins mysteriously disappear from an exchange. It also could be used in a way that would never be learned, such as to retrieve IP address logs of a suspect account and use account information against a user, while "parallel construction" prevents any revelation of the backdoor.
Are there any logs of hacking action? When was the backdoor placed again?

The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

monbux
Legendary
Activity: 1736
Merit: 1024
October 07, 2013, 08:13:05 PM
 #54

Thanks for the update! Glad the forum is back up.  Cheesy

Yes, that was a scary run, hopefully won't happen again.  Any *cough* um, accusations of who attacked?
QuestionAuthority
Legendary
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 08:16:52 PM
 #55

Cloudflare was identified on our end as well.

Are you the same surebet that's a member of this exploit database site http://1337day.com that has a private section containing SMF exploits?

r3wt
Hero Member
Activity: 686
Merit: 504
always the student, never the master.
October 07, 2013, 08:25:49 PM
 #56

theymos is a competent administrator. tradefortress told me so Cheesy

My negative trust rating is reflective of a personal vendetta by someone on default trust.
bitfreak!
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 08:58:27 PM
 #57

Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each other through the PM system, and don't take the time to encrypt it or secure it in any way.

In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.

XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF
Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script
Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
Maged
Legendary
Activity: 1204
Merit: 1015
October 07, 2013, 09:10:08 PM
 #58

Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each other through the PM system, and don't take the time to encrypt it or secure it in any way.
I'm pretty sure that they did.
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.

bitfreak!
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 09:18:36 PM
 #59

In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF
Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script
Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
gweedo
Legendary
Activity: 1498
Merit: 1000
October 07, 2013, 09:20:34 PM
 #60

In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed so long, or was this the first time this exploit has been used to hack a website?

My understanding is the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack, so it really wasn't SMF's software.