theymos
Administrator

Info about the recent attack

September 11, 2011, 04:17:26 AM

Last edit: September 11, 2011, 04:37:59 AM by theymos



The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts.



Passwords



It is not known for sure that the attacker copied any password hashes, but it should be assumed that he did.



SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.



The password you used on the forum should be assumed to already be compromised if your password had:

- Less than 16 characters, numbers only

- Less than 12 characters, lowercase only

- Less than 11 characters, lowercase+numeric

- Less than 10 characters, lowercase+uppercase

- Less than 9 characters, lowercase+uppercase+numbers

- Less than 8 characters, all standard characters



If you have only 2-3 more characters than what I listed above, then you should assume that your password will be compromised at some point in the future.



No matter how strong your password was, it is a good idea to change your password here and wherever else you used it.



Database state



Backups exist of the previous database state, but it has been decided to continue with the latest state to avoid losing thousands of posts. If you notice that any posts are missing or changed, let me know.



Also, it's possible that the attacker took control of some accounts. If you are being impersonated, email me and I'll reset your password to its previous value.



More attack info



The attacker first paid for a donator account so he could change his displayed username. The displayed username field is not escaped properly, so he was able to inject SQL from there. He took over Satoshi's account, and from Satoshi's administrative interface he was able to inject arbitrary PHP code by modifying the style template.



The attacker probably used these user accounts, though his level of access would allow him to forge this data:

brad

EconomicOracle

Economic Oracle

SwimsuitPaul

BitcoinsInMyLoins



He probably used these IP addresses:

74.242.205.69

152.14.219.223

152.14.247.62

74.242.205.161

74.242.206.245

74.242.208.159

74.242.235.132

98.69.157.69

98.69.160.187

41.125.48.26

150.206.212.72



(Thanks to Mark Karpeles for finding most of this info.)



Change of hosting



Mark Karpeles is now hosting the forum's server. The forum is still owned by Sirius, as it has always been. There will be no policy changes.



Signed version of this message

On September 3, an attacker used a 0-day exploit in SMF to gain administrative access to the forum. This went unnoticed until September 9, when he inserted some annoying JavaScript into all pages. The forum was at this point shut down.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
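Added example (not part of theymos's post or of SMF's own code): a small Python reproduction of the username-salted SHA-1 scheme the post describes, an exhaustive search over the candidate space an attacker holding a stolen hash would run, and the size of the keyspace at each of the post's "assume compromised" length bounds. It assumes SMF computes sha1(lowercase(username) + password) hex-encoded, with the username prepended; the usernames and passwords used are constructed test data.

```python
"""SMF-style username-salted SHA-1: why the post's length table is what it is.

Assumptions (not taken from the post): hash = SHA-1(lower(username) || password),
hex-encoded. Usernames and passwords below are constructed test data.
"""
import hashlib
import itertools
import string


def smf_hash(username: str, password: str) -> str:
    """Assumed SMF scheme: lowercased username is the 'salt', prepended to the
    password, single round of SHA-1. No per-user random salt, no stretching."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate strings of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack(username: str, target_hash: str, alphabet: str, max_len: int):
    """Exhaustive search in length order, as an attacker with a stolen hash
    would run it (one SHA-1 per candidate, nothing to slow it down).
    Returns (password, candidates_tried) or (None, candidates_tried)."""
    tried = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(tup)
            if smf_hash(username, cand) == target_hash:
                return cand, tried
    return None, tried


# Character classes named as in the post's list.
ALPHABETS = {
    "numbers only": string.digits,
    "lowercase only": string.ascii_lowercase,
    "lowercase+numeric": string.ascii_lowercase + string.digits,
    "lowercase+uppercase": string.ascii_letters,
    "lowercase+uppercase+numbers": string.ascii_letters + string.digits,
    "all standard characters": string.ascii_letters + string.digits + string.punctuation,
}

# Longest length the post says to treat as already compromised, per class
# (one below each "less than N" bound).
COMPROMISED_MAX_LEN = {
    "numbers only": 15,
    "lowercase only": 11,
    "lowercase+numeric": 10,
    "lowercase+uppercase": 9,
    "lowercase+uppercase+numbers": 8,
    "all standard characters": 7,
}


def post_thresholds_keyspace() -> dict:
    """Keyspace an attacker must cover to exhaust each class up to the post's
    bound. The figures all land within a few orders of magnitude of each
    other, which is the work factor the post's table is implicitly assuming."""
    return {name: keyspace(len(ALPHABETS[name]), n)
            for name, n in COMPROMISED_MAX_LEN.items()}


if __name__ == "__main__":
    # Constructed demo data.
    h = smf_hash("Alice", "42")
    print("hash:", h)
    print("same hash for any case of the username:", smf_hash("ALICE", "42") == h)
    print("found:", crack("Alice", h, ALPHABETS["numbers only"], 3))
    for name, size in post_thresholds_keyspace().items():
        print(f"{name:30s} {size:.2e} candidates")
```

The search function is deliberately naive; with a GPU and the hash scheme above, the per-candidate cost is one SHA-1, and the salt does nothing against an attacker who targets one account, since the salt is public. A second point the code makes visible: the salt is the same for the same username on any SMF install, so two forums where a person used the same username and password hold identical hashes.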