Attackers had backdoor code in the forum for the last 2 years?

[rudystyle]

I am surprised that attackers had backdoor code and access to the entire database and scripts for the last 2 years (and still do ?) . No wonder hundreds of scams were taking place everyday.

[hivewallet]

Sorry, but where did you see that?

[Chronikka]

Sorry, but where did you see that?

How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.

https://bitcointalk.org/index.php?topic=306878.msg3290091#msg3290091

[dragonkid]

I have read it some where as well. But I can't recall the source where I read this. I think from that source they mentioned, that there was a backdoor 2 years ago, then it was removed when forum did a code review, then removed, then backdoor planted again. Then removed. Can't remember what happened after that. I heard the latest attack was not from the backdoor. I could be wrong, I have short memory.  

[Peter Todd]

Fascinating bit of timing there - Ulbricht's lawyers could very well try to claim that the attacker could have completely faked the forum posts he was alleged to have made given the level of access to bitcointalk's servers, and now there's a huge window in which that could have happened. There's the issue that he made posts on other forums of course, but shroomery.com may be suspect too, and his stackexchange post is much less incriminating.

I wonder how far back do the backups go?

This is of course one of the dangers raised by having the NSA outright lie to the public, the courts, and congress - damages everyone's credibility and makes conspiracy theories so much more plausible.

[Chronikka]

Fascinating bit of timing there - Ulbricht's lawyers could very well try to claim that the attacker could have completely faked the forum posts he was alleged to have made given the level of access to bitcointalk's servers, and now there's a huge window in which that could have happened. There's the issue that he made posts on other forums of course, but shroomery.com may be suspect too, and his stackexchange post is much less incriminating.

I wonder how far back do the backups go?

This is of course one of the dangers raised by having the NSA outright lie to the public, the courts, and congress - damages everyone's credibility and makes conspiracy theories so much more plausible.

Which is why digital evidence is very tricky. Anything can be altered, created, or destroyed by a pro.

[Maged]

I wonder how far back do the backups go?

Satoshi's might go back further, but we believe that the oldest backup we have is from August 2011. There is no evidence that we were hacked prior to September 3, 2011. Therefore, the database from that backup shouldn't have been tampered with. I personally have a copy of this.

Automatic daily backups started in February, 2012. Most, if not all, of these backups have a timestamped sha-256 hash recorded by me. Therefore, even though I personally only keep a small percentage of the backups, I can still verify that the backup wasn't modified. At some point, a MD5 hash was added on the server side. This was additionally recorded by me, although anyone with copies of the database probably have it as well. Unlike me (because, for me as a non-admin, the database is only useful for disaster recovery), theymos keeps the vast majority of these backups.

[Shallow]

Maybe it's time to upgrade from SMF? 

[Chronikka]

Maybe it's time to upgrade from SMF? 

Theymos certainly has the donated funds for it...

[MakeBelieve]

Maybe it's time to upgrade from SMF? 

Theymos certainly has the donated funds for it...

There's been a lot of discussions on this. Take a look. There's been multiple flaws pointed out.