Post by C3PO » Wed Oct 12, 2011 1:23 am

Hello Jwhite,

Could you share the encryption procedure your system was using to store the hashes in the database? Was it using the secret word which also became public domain? Was it a default Bugzilla authorization method? How much time would it require to brute force the passwords?

In the future try to avoid using "out of the box" encryption which allows passwords to be brute forced. If an attacker didn't know the algorithm the hash was generated with, it would be nearly impossible to brute force the hashes. I recommend moving the authorization mechanics out of the host directories in a way which would prevent an attacker who gained control over the virtual host files from reading the authorization algorithms.

How is it possible that you don't know how the passwords were stolen but you know that they were stolen? Isn't there an HTTP secure log archive? Check out the host secure log. It's important to understand how the info leaked in order to close the leak. Maybe an attacker gained access to another virtual host and through that access downloaded the database. In this case you may lose information again.

The key to the answer HOW is the apache & mysql logs; scrutinize them and you'll understand what happened. If there is an unknown bug in mysqladmin you will immediately catch it. At least you will know if an attacker got DB access through your host.

Many people around here might be interested in whether it's really worth changing passwords which are at least 6 letters in length. You told us that phpmyadmin was obfuscated, which excludes a scanner getting access over the database.

Hacking the WINE bugzilla is a foul job and only a teenage kid (or a man who is still young in his soul) would ever do that. Kids are usually gaining access to the filesystem first. Check out if there is a change in templates which leaked the cookies or passwords into files which could be read. The worst thing that could happen is that the passwords would be decrypted and added to the automatic scanners which probe the online services, but I doubt that kind of intelligence from a person hacking bugzillas.

Thanks for letting us know; most of the services prefer to keep silent over these problems.

--
Best regards,
Igor
mailto: sprog@online.ru
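The post above asks how long the stolen hashes would take to brute force and whether 6-letter passwords are worth changing. The following is an added worked estimate, not code from the post or from Bugzilla; the guess rates, the 10,000x work factor and the 10,000-hash database size are illustrative assumptions.

```python
# Added example (not from the post or from Bugzilla): rough worst-case
# brute-force cost of stolen password hashes under different storage
# schemes. All guess rates and cost factors below are illustrative assumptions.

SECONDS_PER_DAY = 86_400


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def crack_time_seconds(length: int, charset_size: int, guesses_per_second: float,
                       n_hashes: int = 1, per_user_salt: bool = True) -> float:
    """Worst-case seconds to exhaust the keyspace for `n_hashes` stored hashes.

    Without per-user salts (a bare hash, or a hash mixed with one site-wide
    secret that has already leaked), every guess is compared against all
    stored hashes in a single pass. A per-user salt forces one full pass per
    hash, so the attacker's cost scales with the number of victims.
    """
    passes = n_hashes if per_user_salt else 1
    return keyspace(length, charset_size) * passes / guesses_per_second


def scenario_days(n_hashes: int = 10_000) -> dict:
    """Compare a 6-letter lowercase password with an 8-character mixed-case
    alphanumeric one, under a fast unsalted hash and under a salted, slow KDF."""
    fast_rate = 1e9           # assumed: unsalted MD5/SHA-1 on a GPU, guesses/s
    slow_rate = 1e9 / 10_000  # assumed: a KDF with a 10,000x work factor
    cases = {
        "6 lowercase, fast unsalted": (6, 26, fast_rate, False),
        "6 lowercase, slow + salted": (6, 26, slow_rate, True),
        "8 mixed (62 chars), fast unsalted": (8, 62, fast_rate, False),
        "8 mixed (62 chars), slow + salted": (8, 62, slow_rate, True),
    }
    return {name: crack_time_seconds(ln, cs, rate, n_hashes, salted) / SECONDS_PER_DAY
            for name, (ln, cs, rate, salted) in cases.items()}


if __name__ == "__main__":
    for name, days in scenario_days().items():
        print(f"{name:36s} {days:16.6f} days")
```

Under these assumptions the whole 6-letter lowercase keyspace falls to an unsalted fast hash in well under a second for every user at once, while per-user salts plus a slow KDF push the same database to roughly a year of work.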