Bitcoin Forum
December 13, 2024, 03:03:41 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 »  All
  Print  
Author Topic: Info about the recent attack  (Read 52596 times)
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5404
Merit: 13498


View Profile
September 11, 2011, 04:17:26 AM
Last edit: September 11, 2011, 04:37:59 AM by theymos
Merited by vapourminer (1), xtraelv (1), PowerGlove (1)
 #1

On September 3, an attacker used a 0-day exploit in SMF to gain administrative access to the forum. This went unnoticed until September 9, when he inserted some annoying JavaScript into all pages. The forum was at this point shut down.

The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts.

Passwords

It is not known for sure that the attacker copied any password hashes, but it should be assumed that he did.

SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

The password you used on the forum should be assumed to already be compromised if your password had:
- Less than 16 characters, numbers only
- Less than 12 characters, lowercase only
- Less than 11 characters, lowercase+numeric
- Less than 10 characters, lowercase+uppercase
- Less than 9 characters, lowercase+uppercase+numbers
- Less than 8 characters, all standard characters

If you have only 2-3 more characters than what I listed above, then you should assume that your password will be compromised at some point in the future.

No matter how strong your password was, it is a good idea to change your password here and wherever else you used it.

Database state

Backups exist of the previous database state, but it has been decided to continue with the latest state to avoid losing thousands of posts. If you notice that any posts are missing or changed, let me know.

Also, it's possible that the attacker took control of some accounts. If you are being impersonated, email me and I'll reset your password to its previous value.

More attack info

The attacker first paid for a donator account so he could change his displayed username. The displayed username field is not escaped properly, so he was able to inject SQL from there. He took over Satoshi's account, and from Satoshi's administrative interface he was able to inject arbitrary PHP code by modifying the style template.

The attacker probably used these user accounts, though his level of access would allow him to forge this data:
brad
EconomicOracle
Economic Oracle
SwimsuitPaul
BitcoinsInMyLoins

He probably used these IP addresses:
74.242.208.159
74.242.205.69
152.14.219.223
152.14.247.62
74.242.205.161
74.242.206.245
74.242.208.159
74.242.235.132
98.69.157.69
98.69.160.187
41.125.48.26
150.206.212.72

(Thanks to Mark Karpeles for finding most of this info.)

Change of hosting

Mark Karpeles is now hosting the forum's server. The forum is still owned by Sirius, as it has always been. There will be no policy changes.

Signed version of this message

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
c_k
Donator
Full Member
*
Offline Offline

Activity: 242
Merit: 100



View Profile
September 11, 2011, 04:49:59 AM
 #2

Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

johnj
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
September 11, 2011, 04:58:00 AM
 #3

I'm curious as to how it is a "0 day" attack when it's been patched in SMF 2.x and a few other versions previous of that, long long LONG ago.

This needs to be addressed, if true.

1AeW7QK59HvEJwiyMztFH1ubWPSLLKx5ym
TradeHill Referral TH-R120549
deepceleron
Legendary
*
Offline Offline

Activity: 1512
Merit: 1036



View Profile WWW
September 11, 2011, 05:03:08 AM
 #4

Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

https://www.grc.com/passwords.htm or http://www.random.org/passwords/?mode=advanced
If you want a random password like Sj|y.f@6CMIOO|:*+aFa}8OWYqWR(o<B4. No gox hacker would have been able to crack your passwords if they were that strong.
Cryptoman
Hero Member
*****
Offline Offline

Activity: 726
Merit: 500



View Profile
September 11, 2011, 05:14:52 AM
 #5

theymos, thanks for getting the site back up so quickly.  I'm sure it ruined your weekend.

"A small body of determined spirits fired by an unquenchable faith in their mission can alter the course of history." --Gandhi
phelix
Legendary
*
Offline Offline

Activity: 1708
Merit: 1020



View Profile
September 11, 2011, 05:21:53 AM
 #6

thanks for the info, theymos. please continue to keep things as transparent as possible.
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
September 11, 2011, 05:37:13 AM
Last edit: September 11, 2011, 06:10:25 AM by BkkCoins
 #7

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.

theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5404
Merit: 13498


View Profile
September 11, 2011, 05:43:57 AM
 #8

I'm curious as to how it is a "0 day" attack when it's been patched in SMF 2.x and a few other versions previous of that, long long LONG ago.

This needs to be addressed, if true.

It may be fixed in 2.0, but 1.1.14 is still officially supported by SMF.

If we're ever willing to upgrade to 2.0, we'll probably just use some other forum software.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
September 11, 2011, 05:45:41 AM
Last edit: September 11, 2011, 05:58:16 AM by BkkCoins
 #9

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

hightax
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
September 11, 2011, 05:56:18 AM
 #10

Wow.  Well I would claim surprise but this is a bitcoin project... so...

Also, simple injection is hardly a "0-day" exploit.  The fact that you guys had completely unsanitized input on your forums software means you're every bit as responsible for the hack.
The Script
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


View Profile
September 11, 2011, 06:04:51 AM
 #11

This is so irritating.  So if I have a 14 character password with lower case + numbers + symbols what are the odds it will be cracked?  I guess I should probably just change it anyway, to be safe.  Good thing I don't use it anywhere else otherwise this would be even more irritating.
Incomer
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile
September 11, 2011, 06:05:50 AM
 #12

Wow.  Well I would claim surprise but this is a bitcoin project... so...

Also, simple injection is hardly a "0-day" exploit.  The fact that you guys had completely unsanitized input on your forums software means you're every bit as responsible for the hack.

Not a zero day exploit anyway. This problem was identified ages ago and patched in SMF 2.x, if you are only running 1.x you are pretty much walking around with your pants down waiting to have your nuts twisted.
c_k
Donator
Full Member
*
Offline Offline

Activity: 242
Merit: 100



View Profile
September 11, 2011, 06:12:00 AM
 #13

Wow.  Well I would claim surprise but this is a bitcoin project... so...

*yawn* anything on the Internet related to money is a target Smiley

pekv2
Hero Member
*****
Offline Offline

Activity: 770
Merit: 502



View Profile
September 11, 2011, 06:13:09 AM
 #14

Great to see it back up.
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5404
Merit: 13498


View Profile
September 11, 2011, 06:22:28 AM
 #15

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ataranlen
Hero Member
*****
Offline Offline

Activity: 846
Merit: 1000


The One and Only


View Profile WWW
September 11, 2011, 06:28:15 AM
 #16

Glad to see things are back up and running. Thanks for the update on what happened!

MineTexas.com Minecraft Server We accept Bitcoin and Dogecoin.
Deepbit on Facebook: http://www.facebook.com/pages/Deepbit/151108048294815
Transisto
Donator
Legendary
*
Offline Offline

Activity: 1731
Merit: 1008



View Profile WWW
September 11, 2011, 06:29:21 AM
 #17

I had some hope the forum would stay closed for longer,
To show people this place is is no way essential to the Bitcoin system.
It would have allowed people to look for alternative sources of information and would have stabilized/strengthened the value of BTC in the long run.

This place has become such a hell with noobs and the #1 target of fear mongering speculators.

Thanks for the day off Wink
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
September 11, 2011, 06:36:13 AM
 #18

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5404
Merit: 13498


View Profile
September 11, 2011, 06:39:03 AM
 #19

Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The name of the password field has changed. Maybe that affects it?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
BitcoinStars.com
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
September 11, 2011, 06:45:37 AM
 #20

Great Job Guys  Cool
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!