Info about the recent attack

[JonHind]

Any admin hosting a site which deals with discussions of a financial nature who couldn't even be bothered to upgrade along the 1.1.xx path (yet alone switch to v.2) should hang their head in shame.

What are you talking about? This is the latest upgrade in the 1.1.xx path.

Sorry, I stand corrected. Weren't you running 1.1.13 until very recently? I still stand by the other points raised though.

I am not aware of any other vulnerabilities. If vulnerabilities exist, report them to me and I will take the forum down until they are fixed.

How to keep abreast of security vulnerabilities in SMF 1.1.14 - From there you should be able to click your way to discovering less known vulnerabilities. Also, a tip: Check your plugins for holes.

If you need any further help, I normally charge £200ph an hour for IT consultancy, though I've never worked on any site which has ever used SMF. PM me if you are interested and I will forward you my wallet info.

[1714689838]

1714689838

[1714689838]

1714689838

[1714689838]

1714689838

[1714689838]

1714689838

[1714689838]

1714689838

[wumpus]

He is providing free hosting. He is not "taking over Bitcointalk". In that IRC excerpt I even say that Sirius will retain control of the DNS.

Please please please tell him to not host this forum on any server even close to a server for the trading site. I'd hate to see it used as an attack vector.

[TiagoTiago]

Where can i find more information on what exactly is in the way of upgrading to 2.somthing?

[theymos]

Where can i find more information on what exactly is in the way of upgrading to 2.somthing?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

[pekv2]

Valid question.

theymos, did they have access to our IP's connected to our user accounts by any chance?

[knightmb]

Valid question.

theymos, did they have access to our IP's connected to our user accounts by any chance?

As admin, they would have access to all, including that.

[pekv2]

Valid question.

theymos, did they have access to our IP's connected to our user accounts by any chance?

As admin, they would have access to all, including that.

omy. Well, for the hell of it, I've taken the listed IP's in OP, did whois, got the IP ranges and popped them in my blockzones of my firewall.

[kokjo]

you did say that he paid, right?

are you able to trace his payment back to an account on some of the exchanges?

[mizerydearia]

I cannot recall where I read it, but I think theymos (was it someone else?) mentioned that only a few bitcoin community members were contacted by email regarding volunteers for hosting the forum.  Is it possible to shed some light on the people that were contacted so the community knows who were the only people that had opportunity to volunteer to host the forum?

[theymos]

you did say that he paid, right?

are you able to trace his payment back to an account on some of the exchanges?

He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.

[im3w1l]

you can go hunter2 my hunter2-ing hunter2!

[Are-you-a-wizard?]

I'm done with this bullshit. Every month my password is leaked by fail bitcoin sites and their shit security.

Yes, I use different passwords for each site. I don't give a flying fuck.

This is unacceptable,
bye

[kokjo]

you did say that he paid, right?

are you able to trace his payment back to an account on some of the exchanges?

He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.

then can you have some of the exchanges to check, who cashed out to that address.
or trace it back to when the coins last come in contact with an exchange.

make a list of involved addresses, and then check them.

you could get an account/address(real world) of the attacker.

[makomk]

How to keep abreast of security vulnerabilities in SMF 1.1.14 - From there you should be able to click your way to discovering less known vulnerabilities. Also, a tip: Check your plugins for holes.

Ah, so you can't actually point to any then? I even Googled for this specific vulnerability when I noticed theymos's post about it - nada.

(It looks like SMF 2.0 probably doesn't have this vulnerability due to a much-needed restructuring of how they handle the database, but I'm not sure I'd trust it to be secure; whoever rewrote SMF should've spotted there was something fishy about the existing code if they were security-conscious.)

[haploid23]

my password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. what are the chances it gets broken into after it's hashed?

[ovidiusoft]

my password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. what are the chances it gets broken into after it's hashed?

After hashing, very little. But:

The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts.

You should assume that if you entered your password while logging in after sept 3rd, it was intercepted while still in plaintext. Change it.

[EskimoBob]

DO NOT USE WEBSITES TO GENERATE YOUR PASSWORDS

There is a good chance that your new and shiny password is stored for later attacks!

Create 4 random passwords which contains no special characters and are 10 characters long:

Code:

cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Create 4 random passwords which DO contains special characters and are 12 characters long:

Code:

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]' 

[fadisaaida]

The vulnerabilities in 1.1.14 have been known for a LONG time. You can hardly call what SA did a 0-day exploit. While 1.1.14 might still be 'supported', it is full of security holes. The admins of this site have been aware of these vulnerabilities for a while, as quite a few people (myself included) have pointed out the dangers of using 1.1.14.

Seriously i spent 5 minutes trying to see where did you point it out before ? am i blind ?

[deepceleron]

He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.

That address was funded with exactly 10BTC with this transaction on 9-3.
We see that wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC. That kinda looks like an exchange savings account too, so they could have gone into an exchange.

I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and if any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.

[kokjo]

He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.

That address was funded with exactly 10BTC with this transaction on 9-3.
We see that wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC.

I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and if any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.

ithink that its most likely that the coins came direcly from an exchange. i dont know why, but the acount balances are odd, and the timing between the transactions is fast(indicating some kind of online wallet, at least in my mind)