We Have Been Hacked
#1
Posted 17 November 2012 - 08:32 PM
The planted script itself is a very well-disguised remote shell: http://pastebin.com/zjhFcrkP (The payload is actually contained in the fake hashes spread out in the class. Upon execution, the class fetches its own source code, extracts the "hashes" and rebuilds the code it's intended to execute; this code varies, of course.)
All the modifications made by the hacker have been removed, but it's safe to assume that he grabbed whatever he could. He probably snatched our member database, which includes your email address as well as a hashed (and salted) version of your password. Your actual password can't be easily known by the hacker, but it might be possible for the hacker to trick the forum into thinking he is you using the hashed version of the password.
This is why we'll have to trigger a reset of all the passwords in the following days.
Moreover, the forum still uses the MD5 hash algorithm, which is no longer considered secure. While the chances for the hacker to crack your password are very low, it is recommended to change your password. This might be particularly important if you use the same password elsewhere (which you shouldn't).
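As an added illustration, not the pastebin script (whose contents this thread does not reproduce) and not anything from the forum's own code base, here is a small Python scanner for the pattern post #1 describes: a PHP class that reads its own source, collects string literals that look like MD5 hashes, and executes whatever they decode to. The two sample PHP files, the indicator names and the flagging thresholds are constructed for the example; the "hashes" in the suspicious sample are filler bytes, not a working payload.

```python
import re
from pathlib import Path

# Constructed sample in the style the post describes: fake hashes spread
# through a class, the class reads its own file, pulls the hashes back out
# and executes what they decode to. The hex is filler, not real code.
SUSPICIOUS_PHP = r'''<?php
class Cache_Helper {
    private $h1 = "70726d6e745f7228276f6b2729ab3c5d";
    private $h2 = "3e2f7a0b8f1c2d3e4f5a6b7c8d9e0f1a";
    private $h3 = "1a2b3c4d5e6f708192a3b4c5d6e7f809";
    function run() {
        $src = file_get_contents(__FILE__);
        preg_match_all('/"([0-9a-f]{32})"/', $src, $m);
        eval(pack("H*", implode("", $m[1])));
    }
}
'''

# Constructed benign sample: a real salted-MD5 check, no self-read, no eval.
BENIGN_PHP = r'''<?php
function verify($pw, $salt, $stored) {
    return md5(md5($pw) . $salt) === $stored;
}
'''

# Indicators (assumed heuristics, tune them for your own tree).
HEX32 = re.compile(r'["\']([0-9a-fA-F]{32})["\']')
SELF_READ = re.compile(
    r'file_get_contents\s*\(\s*__FILE__\s*\)|fopen\s*\(\s*__FILE__|readfile\s*\(\s*__FILE__')
DYN_EXEC = re.compile(
    r'\beval\s*\(|\bassert\s*\(|create_function\s*\(|preg_replace\s*\([^)]*/e')
DECODE = re.compile(
    r'\bpack\s*\(\s*["\']H\*|\bhex2bin\s*\(|\bbase64_decode\s*\(|\bgzinflate\s*\(|str_rot13\s*\(')


def score_php(source: str) -> dict:
    """Return the indicators found in one PHP source text plus a verdict."""
    hashes = HEX32.findall(source)
    ind = {
        "hash_literals": len(hashes),
        "self_read": bool(SELF_READ.search(source)),
        "dynamic_exec": bool(DYN_EXEC.search(source)),
        "decoder": bool(DECODE.search(source)),
    }
    # A file that reads itself and then executes something dynamically is worth
    # a look on its own; a pile of hash-shaped literals next to a decoder and an
    # eval is the specific shape described in the post.
    ind["suspicious"] = (ind["self_read"] and ind["dynamic_exec"]) or (
        ind["hash_literals"] >= 3 and ind["dynamic_exec"] and ind["decoder"])
    return ind


def scan_tree(root: str) -> dict:
    """Walk a web root and return {path: indicators} for every flagged .php file."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        try:
            ind = score_php(p.read_text(errors="replace"))
        except OSError:
            continue
        if ind["suspicious"]:
            hits[str(p)] = ind
    return hits


if __name__ == "__main__":
    print("constructed webshell:", score_php(SUSPICIOUS_PHP))
    print("benign file:", score_php(BENIGN_PHP))
```

Run `scan_tree("/var/www")` (or wherever the forum lives) after restoring from a known-good copy; anything it flags that is not in your vendor's release should be diffed against that release before it is trusted again.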
#2
Posted 18 November 2012 - 12:38 AM
http://www.casiocalc...ilwebmaster.php
Before setting your password you should test its strength using this great tool: https://passfault.ap...ength.html#menu
#3
Posted 18 November 2012 - 04:27 AM
#4
Posted 19 November 2012 - 12:27 AM
All the members' passwords have been reset; you need to use the lost password recovery procedure to get a new one. If you can't because your email address is not available any more, use the following form to contact us:
http://www.casiocalc...ilwebmaster.php
Before setting your password you should test its strength using this great tool: https://passfault.ap...ength.html#menu
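Why the reset announced in this post is needed, and what post #1 means by the hacker using the hashed password to pass as you: an added Python example, not the forum's software. It models an assumed legacy scheme, md5(md5(password) + salt) stored per member (the forum's exact layout is not given in the thread), shows a "remember me" cookie whose secret is that stored hash, which a copy of the member table is enough to forge, and then the hardened path: check the password, rehash it with PBKDF2 on the spot, and issue a random session token that nothing in the dump can reproduce. Class and field names are assumptions.

```python
import hashlib
import hmac
import os
import secrets


# Assumed legacy scheme (not necessarily the forum's exact layout): salted MD5.
def legacy_md5_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


# Replacement: PBKDF2-HMAC-SHA256, stored self-describing so the cost can be raised later.
def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class UserStore:
    def __init__(self):
        self.users = {}     # name -> {"scheme", "salt", "hash"}  (the "member database")
        self.sessions = {}  # random token -> name

    def add_legacy_user(self, name: str, password: str) -> None:
        salt = secrets.token_hex(4)
        self.users[name] = {"scheme": "md5", "salt": salt,
                            "hash": legacy_md5_hash(password, salt)}

    # VULNERABLE: a "remember me" cookie whose secret is the stored hash itself.
    # Whoever holds the member table can build it without knowing any password,
    # which is the replay post #1 warns about.
    def cookie_from_hash(self, name: str) -> str:
        return f"{name}:{self.users[name]['hash']}"

    def check_cookie_from_hash(self, cookie: str) -> bool:
        name, presented = cookie.split(":", 1)
        u = self.users.get(name)
        if u is None or not u["hash"]:
            return False
        return hmac.compare_digest(u["hash"].encode(), presented.encode())

    # HARDENED: verify the password, upgrade the stored hash in place on the first
    # successful login, and hand out a random token that is derived from nothing
    # that could appear in a database dump.
    def login(self, name: str, password: str):
        u = self.users.get(name)
        if u is None or u["scheme"] == "reset":
            return None
        if u["scheme"] == "md5":
            ok = hmac.compare_digest(legacy_md5_hash(password, u["salt"]).encode(),
                                     u["hash"].encode())
            if ok:  # transparent migration: the plaintext is only available now
                u.update(scheme="pbkdf2", salt=None,
                         hash=pbkdf2_hash(password, os.urandom(16)))
        else:
            ok = verify_pbkdf2(password, u["hash"])
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def check_session(self, token: str):
        return self.sessions.get(token)

    def set_password(self, name: str, password: str) -> None:
        """What the lost-password procedure ends in: a fresh PBKDF2 hash."""
        self.users[name] = {"scheme": "pbkdf2", "salt": None,
                            "hash": pbkdf2_hash(password, os.urandom(16))}

    def reset_all_passwords(self) -> None:
        """The step taken in this thread: every stored hash and every session stops
        working until the member sets a new password through recovery."""
        for u in self.users.values():
            u["scheme"], u["hash"] = "reset", ""
        self.sessions.clear()


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("alice", "I always feed the table before putting it in the fridge!")
    forged = "alice:" + store.users["alice"]["hash"]   # attacker holds only the dump
    print("forged cookie accepted:", store.check_cookie_from_hash(forged))
    store.reset_all_passwords()
    print("forged cookie accepted after reset:", store.check_cookie_from_hash(forged))
```

The point of the example is the order of events: once the table is copied, the forged cookie works for as long as the old hash stays in the row, so changing the hashing algorithm alone is not enough; the reset (or a rehash on next login, which also changes the row) is what invalidates what the attacker holds.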
That's a fairly poor analyzer. It disregards spaces, misses common words such as "autocratic", "cream" and "with" (don't judge), and fails at guessing the language. The only real indicator of strength is length.
#6
Posted 19 November 2012 - 01:46 AM
That's a fairly poor analyzer. It disregards spaces, misses common words such as "autocratic", "cream" and "with" (don't judge), and fails at guessing the language. The only real indicator of strength is length.
It does detect those words as part of the English language; the fact that a word is common has little impact when using a dictionary attack (the number of words in the English language is quite small for a computer anyway...)
But you are right, length is the only real indicator of strength. In my opinion, the best passwords are meaningless sentences such as "I always feed the table before putting it in the fridge!". It makes absolutely no sense but for some reason it's very easy to remember and according to the analyser I posted it would take 2.8e+39 centuries to crack for a super computer...
#8
Posted 19 November 2012 - 09:13 PM