Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > Announcements and Chat > General Discussion

Reply
 
Thread Tools Search this Thread Display Modes
Old 9th March 2005, 12:19   #1  |  Link
BruceL
Registered User
 
BruceL's Avatar
 
Join Date: May 2002
Location: The nearest ski slope
Posts: 125
neuron2's video forum hacked

neuron2's video forum appears to have been crudely hacked.
BruceL is offline   Reply With Quote
Old 9th March 2005, 13:17   #2  |  Link
Sirber
retired developer
 
Sirber's Avatar
 
Join Date: Oct 2002
Location: Canada
Posts: 8,978
Yeah, seems to. Is phpBB secure?

http://neuron2.net/board/
__________________
Detritus Software
Sirber is offline   Reply With Quote
Old 9th March 2005, 13:27   #3  |  Link
dragongodz
....
 
dragongodz's Avatar
 
Join Date: May 2002
Location: Australia
Posts: 2,797
ye, real mature.
__________________
Narrator: And of course, with the birth of the artist came the inevitable afterbirth - the critic. (History of the World part 1)
dragongodz is offline   Reply With Quote
Old 9th March 2005, 14:27   #4  |  Link
Axed
Registered User
 
Join Date: Dec 2004
Posts: 165
Its good to see the way some people treat such a great and productive member of the Video Encoding community. This is a big shame, there was some really useful information on the forums.

Last edited by Axed; 9th March 2005 at 14:30.
Axed is offline   Reply With Quote
Old 9th March 2005, 14:43   #5  |  Link
Doom9
clueless n00b
 
Join Date: Oct 2001
Location: somewhere over the rainbow
Posts: 10,570
phpBB, unfortunately, isn't the safest bulletin board around and you regularly have to upgrade it. A lot of phpBB boards have been hacked in the past few months, and to make things worse, there were worms that automatically attacked known weaknesses of phpBB boards. Those worms also tried to get in here, but not being a phpBB they didn't have any luck.

Also, it's important that you always keep up with the PHP version (also not quite the most secure language there is).
__________________
For the web's most comprehensive collection of DVD backup guides go to www.doom9.org
Doom9 is offline   Reply With Quote
Old 9th March 2005, 15:44   #6  |  Link
mpucoder
Moderator
 
Join Date: Oct 2001
Posts: 3,530
From the looks of it his admin account was broken into. All the defacement is areas that can be changed from the admin panel. ie, no php was altered, nor was MySql broken into. Someone just guessed his password.

Donald, what I did to add some security was put basic authentication on the directory containing the admin scripts. This means you have two usernames and passwords to enter before you can acces the admin panel. Make them different.
mpucoder is offline   Reply With Quote
Old 9th March 2005, 16:37   #7  |  Link
Guest
Guest
 
Join Date: Jan 2002
Posts: 21,924
I've just woken up and find this.

I'm in LA at DirecTV and I don't have time to mess with this. I asked my host to explain, since they had told me the PHPBB was upgraded.

I suppose this means the death of the forum.
Guest is offline   Reply With Quote
Old 9th March 2005, 16:44   #8  |  Link
Sirber
retired developer
 
Sirber's Avatar
 
Join Date: Oct 2002
Location: Canada
Posts: 8,978
Do you have backups?
__________________
Detritus Software
Sirber is offline   Reply With Quote
Old 9th March 2005, 17:01   #9  |  Link
Guest
Guest
 
Join Date: Jan 2002
Posts: 21,924
Yes, but I won't bring it back up unless I can be assured that I won't have to spend my life patching PHPBB vulnerabilities and worrying about whether I will wake up to find all my efforts wiped out by some low-life.
Guest is offline   Reply With Quote
Old 9th March 2005, 17:06   #10  |  Link
mpucoder
Moderator
 
Join Date: Oct 2001
Posts: 3,530
As I said, simple password hack. They managed to figure out your password and access the board as you, with admin priviledges.
mpucoder is offline   Reply With Quote
Old 9th March 2005, 17:52   #11  |  Link
Sirber
retired developer
 
Sirber's Avatar
 
Join Date: Oct 2002
Location: Canada
Posts: 8,978
yeah. the best is a combinaison of letter and numbers

a-z, A-Z and 0-9.

Adding other caracters is hazardeous if you have keyboard problems
__________________
Detritus Software
Sirber is offline   Reply With Quote
Old 9th March 2005, 18:43   #12  |  Link
Guest
Guest
 
Join Date: Jan 2002
Posts: 21,924
Quote:
Originally posted by mpucoder
As I said, simple password hack. They managed to figure out your password and access the board as you, with admin priviledges.
That's speculation on your part.

The board is back up now.
Guest is offline   Reply With Quote
Old 9th March 2005, 18:53   #13  |  Link
mpucoder
Moderator
 
Join Date: Oct 2001
Posts: 3,530
Quote:
Originally posted by neuron2
That's speculation on your part
Yes, based on the fact that no php was changed, only the content that can be changed from the admin panel. The only other way to change the contents is to break into the database, and I doubt that your host has exposed the MySql interface, although I could check if you like.
I also run a phpBB, so it's easy to spot what was changed. I also added a log file to mine to record, among other things, bad password attempts. If you have such a log you can look for the break in.
And ask your host if basic authentication can be added to the admin directory, it adds another level of security.

Last edited by mpucoder; 9th March 2005 at 18:57.
mpucoder is offline   Reply With Quote
Old 9th March 2005, 19:48   #14  |  Link
Sirber
retired developer
 
Sirber's Avatar
 
Join Date: Oct 2002
Location: Canada
Posts: 8,978
Can I have your tweaks?
__________________
Detritus Software
Sirber is offline   Reply With Quote
Old 9th March 2005, 20:46   #15  |  Link
bond
Registered User
 
Join Date: Nov 2001
Posts: 9,779
seems the bsplayer forum (phpbb) has also been hacked:
http://forum.bsplayer.org/viewtopic.php?t=6426

according to betaboy (corecodec) thats fake
__________________
Between the weak and the strong one it is the freedom which oppresses and the law that liberates (Jean Jacques Rousseau)
I know, that I know nothing (Socrates)

MPEG-4 ASP FAQ | AVC/H.264 FAQ | AAC FAQ | MP4 FAQ | MP4Menu stores DVD Menus in MP4 (guide)
Ogg Theora | Ogg Vorbis
use WM9 today and get Micro$oft controlling the A/V market tomorrow for free
bond is offline   Reply With Quote
Old 9th March 2005, 21:17   #16  |  Link
Sirber
retired developer
 
Sirber's Avatar
 
Join Date: Oct 2002
Location: Canada
Posts: 8,978
What's going on?

[edit]

I upgraded mine to 2.0.13. I have the latest php too. I think I will set some .htaccess on /admin ...
__________________
Detritus Software

Last edited by Sirber; 9th March 2005 at 21:41.
Sirber is offline   Reply With Quote
Old 9th March 2005, 23:58   #17  |  Link
rjamorim
Blah!
 
Join Date: Jul 2002
Location: Brazil
Posts: 337
phpBB is a terrible, buggy and unsafe forum platform. I know of at least 6 forums that have been hacked (counting neuron2's and BSplayer's). I'm advising all people I know that are using phpBB to move to something else. vBulletin or Invision 2.0x if they are willing to pay, or Invision 1.3.1 if they aren't.

No wonder they are changing their forum name to "Olympus" in an attempt to get rid of the huge bad karma they have...
__________________
Get latest LAME, Vorbis and more binaries at RareWares:
http://www.rarewares.org

Last edited by rjamorim; 10th March 2005 at 00:02.
rjamorim is offline   Reply With Quote
Old 10th March 2005, 05:49   #18  |  Link
Neo Neko
Registered User
 
Neo Neko's Avatar
 
Join Date: Mar 2002
Location: Kansas City, Missouri
Posts: 1,812
Quote:
Originally posted by rjamorim
phpBB is a terrible, buggy and unsafe forum platform. I know of at least 6 forums that have been hacked (counting neuron2's and BSplayer's). I'm advising all people I know that are using phpBB to move to something else. vBulletin or Invision 2.0x if they are willing to pay, or Invision 1.3.1 if they aren't.

No wonder they are changing their forum name to "Olympus" in an attempt to get rid of the huge bad karma they have...
I have to disagree with you quite a bit. It is not that buggy. And it's not that unsafe. No more so than any of the alternates you have mentioned. Frankly I think PHPBB is just having a bad go. This recent vulnerability has turned out bad. Unfortunatly with all the other BBS software either pay or going pay. This leaves PHPBB free and clear in the rather large field of users who can't afford the alternate solutions. Unfortunatly these are also the people that often don't do that well patching their desktop OS let alone PHP based forum software.

The only real gripe I have ever seen as reasonable are the lack of some features etc. But as far as that is concerned it's not that big a deal. I mean after all you get what you pay for. And in this case more. This is just yet another case of people not keeping up with patches or their web hosts not keeping up in Donald's case. But Don appears to be a good admin with backups handy and his host should have their patches up to date now.
__________________
Opensource will not take over the world. But it will sure improve the lives of most of it!
_______________________________________________
Inkscape - Scallable Vector Graphics for everyone.
The GIMP - Free raster graphics and photo editing software.
Planeshift - Free 3D MMORPG. Cause everyone needs some fun.
Neo Neko is offline   Reply With Quote
Old 10th March 2005, 14:05   #19  |  Link
BlackSun
CoreCodec
 
BlackSun's Avatar
 
Join Date: Oct 2001
Location: Toulouse
Posts: 726
I confirm that story was totally a fake and I was the first surprised to see that and didn't found it funny, that someone in the audio/video world use my name like that.
__________________
BlackSun
The Concentric Circles of Audio and Video
BlackSun is offline   Reply With Quote
Old 10th March 2005, 14:07   #20  |  Link
Sirber
retired developer
 
Sirber's Avatar
 
Join Date: Oct 2002
Location: Canada
Posts: 8,978
Why did he do that?
__________________
Detritus Software
Sirber is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 12:50.


Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2017, vBulletin Solutions, Inc.