IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


MrMike

Quote from: exxocet on July 23, 2013, 05:36:41 PM
Yes, if that liquor shop holds my goods, I just lost them. What are you going to do if a bank gets robbed and it holds your savings? You won't ask for your money back just because they got robbed?
SM lost our goods (identities) and there is no way to get them back, as now those are public.

Please stop with the hysteria.


Quote from: exxocet on July 23, 2013, 05:36:41 PM
Regarding database access, I know the admins have access to the DB, but I thought this was a personalized install, not a regular vanilla install.

You really don't understand how a server works, do you? It wouldn't matter what kind of install it was, the forum has to communicate with the database, and to do that it has to store the password somewhere. If you have forum admin access, getting to that password info is child's play.

FrizzleFried

FWIW - I still have NOT gotten an email RE: this issue... but I HAVE gotten an email when "K" PMed me. Not sure how that works... or why... but I figured I should mention the fact.


Deaks

Quote from: exxocet on July 23, 2013, 05:36:41 PM
Regarding database access, I know the admins have access to the DB, but I thought this was a personalized install, not a regular vanilla install.

I apologize for using this, I had never seen it before, but this is incorrect. I am one of the admins on here; however, I do not have access to the database and never have had, so please be careful with spreading inaccurate information.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Deaks

Quote from: FrizzleFried on July 23, 2013, 11:18:28 PM
FWIW - I still have NOT gotten an email RE: this issue... but I HAVE gotten an email when "K" PMed me. Not sure how that works... or why... but I figured I should mention the fact.

So you know I haven't received the email yet either. :)

Leto Atreides II

Have the hackers been traced and identified?

Deaks

As far as we can tell it's the same ones that have done other large sites, such as Ubuntu, Drupal etc. over the last few months; however, that is as far as we have gotten at this time :(

The hackers hid their tracks well.

Mstcool

Do we have to be subscribed to SMF emails for us to get the email?

vbgamer45

Quote from: Mstcool on July 24, 2013, 12:48:07 AM
Do we have to be subscribed to SMF emails for us to get the email?
Yes
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store | SMF Classifieds | Ad Seller Pro

inter

:police: idea:

It is necessary to remove the option of backing up the database from the administrator panel.
Sorry for my English

Herman's Mixen

That's not an option, as it has nothing to do with this :P
Kind regards, The Burglar!

House Mixes | Mixcloud | Any intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)

Shambles

"Receive forum newsletters, announcements and important notifications by email."

Ticked, but no message yet.

holodoc

Quote from: Inter on July 24, 2013, 01:48:43 AM
:police: idea:

It is necessary to remove the option of backing up the database from the administrator panel.
Strangely enough, it's the first thing that came to my mind when I heard of the incident. In my opinion, providing an option to perform a full database backup/download solely by trusting that the administrative login is not compromised is plain wrong. There is a reason why database security should be delegated as much as possible to the DB server itself, so using phpMyAdmin or any other tool provided by the hosting provider should be the only direct way to access the forum database.

exxocet

Quote from: MrMike on July 23, 2013, 11:15:09 PM
Quote from: exxocet on July 23, 2013, 05:36:41 PM
Yes, if that liquor shop holds my goods, I just lost them. What are you going to do if a bank gets robbed and it holds your savings? You won't ask for your money back just because they got robbed?
SM lost our goods (identities) and there is no way to get them back, as now those are public.

Please stop with the hysteria.


Quote from: exxocet on July 23, 2013, 05:36:41 PM
Regarding database access, I know the admins have access to the DB, but I thought this was a personalized install, not a regular vanilla install.

You really don't understand how a server works, do you? It wouldn't matter what kind of install it was, the forum has to communicate with the database, and to do that it has to store the password somewhere. If you have forum admin access, getting to that password info is child's play.

Sorry Micky, your GT5 cheats / Modern War signature is telling a 15-year-old kid's story. Unfortunately this is a serious discussion, talking about serious facts. Allow yourself to grow up. See ya in 2015! Eat your corn flakes!
 
Now, talking about servers, Runic was crystal clear: not all admins have access to the database. The server doesn't have to publicly display the database connection password, nor allow modifying it or backing it up (Settings.php can be CHMOD 644 to disable modification, etc.). It just happened that the victim admin had access to the database and everything went crazy; bad timing.

Avid Gamer

Fortunately I don't use the same passwords for differing systems, have changed not only my password but also Email address too. I hate spammers as much as hackers.

Quote from: exxocet on July 23, 2013, 05:36:41 PMYou really don't understand how a server works, do you? It wouldn't matter what kind of install it was, the forum has to communicate with the database, and to do that it has to store the password somewhere. If you have forum admin access, getting to that password info is child's play.
Indeed it is!


Keep up the good work, Zap.  ;D
Mess with the Best
Die like the Rest.

Anakin_holland

The mail I received was dated 5 hours after this topic was started.

Sucks that it happened, but I applaud the effort that was shown so far.

To the admin in question: We are all human. I know what you are going through, you will survive! :)

a10

We all know, it's a dangerous world and * does happen, being careful or not.
Email received and pw changed.
2.0.19, php 8.0.30, MariaDB 10.6.18. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

webserfer

I hope you slapped the ears of this "admin", who can't take care of his own safety?

kat

I have no idea who it was. But, I think it's safe to assume that he probably did that, to himself.

bristol

What did they get exactly?

username and pwd, or did they get the associated email addresses as well?



LiroyvH

Quote from: Inter on July 24, 2013, 01:48:43 AM
It is necessary to remove the option of backing up the database from the administrator panel.

Funnily enough, when we do that I don't think many people will shed a tear.
On some servers it gives tons of issues. Not because it's bugged, but simply due to configuration.
We have been recommending for a while not to use it anyway.

On a sidenote though, you can disable that functionality by limiting the abilities of the SQL user connection to the db.
But against admin access that slows people down more than it actually blocks it completely; with a nicely made PHP script it's still possible to obtain information from the database.

Quote
Now, talking about servers, Runic was crystal clear: not all admins have access to the database. The server don't have to publicly display the databse connection password. Neither allowing to modify it or back-up (settings.php cand be CHMOD 644 to disable modify etc). It just happened that the victim admin had access to the database and everything went crazy, bad timing.

Not publicly no, but with admin access you can escalate access to the files through a variety of methods.
From that point on, you can obtain the password to connect to the database...

So whether the admin had direct access to the database or not is completely irrelevant. The forum has to know the password to connect to the database. Get access to the Settings.php file: get access to the database.
It's as simple as that. You make it sound as if you can completely secure yourself against any kind of attack when an administrator account has been compromised; that's not a fact...

Quote
or did they get the associated email addresses as well?

Yes, associated email addresses were obtained as well. It's in the user table.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
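The point LiroyvH makes above, and holodoc's earlier suggestion to push database security down to the DB server, can be checked rather than argued about. The following is an added example, not part of this thread and not SMF's own code. It parses the connection settings out of an SMF-style Settings.php (the credentials the web server, and therefore any code running as it, can read), then audits a MySQL/MariaDB account's SHOW GRANTS output against a runtime baseline of SELECT/INSERT/UPDATE/DELETE. The Settings.php fragment, the grant lines, the account name smf and the baseline itself are constructed assumptions; SMF installs, upgrades and some mods need schema privileges that this baseline deliberately leaves to a separate account.

```python
"""Audit an SMF forum's database account against a least-privilege baseline.

Added example, not SMF project code. Assumes MySQL/MariaDB GRANT syntax and an
SMF-style Settings.php that defines $db_name, $db_user, $db_passwd, $db_prefix.
"""
import re

# Constructed Settings.php fragment (hypothetical site, not real credentials).
SETTINGS_PHP = r"""<?php
$db_server = 'localhost';
$db_name = 'smf_forum';
$db_user = 'smf';
$db_passwd = 'hunter2';
$db_prefix = 'smf_';
"""

# Constructed SHOW GRANTS output for two versions of the same account.
GRANTS_BROAD = [
    "GRANT ALL PRIVILEGES ON *.* TO 'smf'@'localhost' WITH GRANT OPTION",
]
GRANTS_TIGHT = [
    "GRANT USAGE ON *.* TO 'smf'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `smf_forum`.* TO 'smf'@'localhost'",
]

# Assumed runtime baseline: what the running forum needs day to day. Schema
# changes (install, upgrade, mods) are assumed to run under a separate account.
RUNTIME_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
ALLOWED = RUNTIME_PRIVS | {"USAGE"}  # USAGE grants nothing; it is a placeholder

SETTING_RE = re.compile(r"^\$(db_\w+)\s*=\s*'([^']*)';", re.M)
GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO \S+(?: WITH (.+))?$")


def parse_settings(php_text):
    """Return the $db_* settings as a dict.

    This is the credential the forum must store in cleartext so it can talk
    to the database; anyone who can read the file or execute code as the web
    server gets it too, whatever the file mode is.
    """
    return dict(SETTING_RE.findall(php_text))


def parse_grants(grant_lines):
    """Turn SHOW GRANTS lines into (PRIVILEGE, scope) pairs."""
    pairs = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            raise ValueError(f"unrecognised grant line: {line!r}")
        privs, scope, with_clause = m.groups()
        scope = scope.replace("`", "")
        pairs.extend((p.strip().upper(), scope) for p in privs.split(","))
        if with_clause:  # e.g. WITH GRANT OPTION
            pairs.append((with_clause.strip().upper(), scope))
    return pairs


def audit(grant_lines, db_name):
    """Report privileges beyond the runtime baseline, and whether the account
    can still read the forum's own tables (it always can if the forum works)."""
    findings = {"excess": [], "can_read_members": False}
    for priv, scope in parse_grants(grant_lines):
        if priv not in ALLOWED:
            findings["excess"].append(f"{priv} on {scope}")
        if priv in ("SELECT", "ALL PRIVILEGES") and scope in ("*.*", f"{db_name}.*"):
            findings["can_read_members"] = True
    return findings


if __name__ == "__main__":
    cfg = parse_settings(SETTINGS_PHP)
    print(f"forum connects as {cfg['db_user']!r} to {cfg['db_name']!r} "
          f"(password is right there in Settings.php)")
    for label, grants in (("broad", GRANTS_BROAD), ("tight", GRANTS_TIGHT)):
        print(label, audit(grants, cfg["db_name"]))
```

To run it against a real account, replace the constructed grant lines with the output of SHOW GRANTS FOR the user named in Settings.php. The tight grant set comes back with no excess privileges, yet can_read_members is still true: the forum's own credentials can SELECT from the members table, which is exactly why trimming grants slows down an attacker who holds admin access but does not stop a dump of usernames, password hashes and email addresses.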
