Avarice DIR: a post about how they secured their forums
Post subject: Killboard and forum rescued - the story
Posted: Tue May 05, 2009 4:08 am
Quote:
Originally Posted by [TRGSS] chotaire
Hi all,
some of you might know that I am an ISP in real life, and I have been a unix admin for like 16 years. After Tashkita rescued the Forum/Killboard from whatever retarded emodrama there happened with the previous owner, I've started to secure the site as far as I could.
I've changed passwords for SSH/telnet, FTP, admin panel, sql databases, killboard administration and cleaned out the forum from very suspicious founder admins.
I was not amused to see that the forum was basically under control of ex-Avarice members who basically kept editing fake users and giving them the highest possible rights, which could not be altered by legitimate full administrators! One of these guys even leeched a full database backup of the forum on April 29, so all the data posted onto this forum is out there somewhere. Including user passwords. I thereby recommend that all users change their forum passwords and if you use the same password somewhere else, change it there too!
It took me quite a while to gain enough privileges to finally get rid of these people for good. The following people were disabled with illegal founder access: Riesia, wolftin21, minrarr. I've deactivated several more people with elevated privileges. While at that, I have removed the founder flag from all remaining admins as there is no necessity to have this access for administrating the board (it's just dangerous). That Riesia guy has been the most suspicious abuser, as he has been trying to cover his actions by deleting the logfile entries (didn't help).
After getting rid of the most basic security problems, the forum is now at least back under control. As there have been a few people leaving, please Administrators remove these people (of which some might have higher privileges) from the board, including their group. Please help me on that, I've already been working on this all night, and keep doing your good work activating new people and stuff! I won't be interfering much with your jobs making this a good forum, I will just be the one running it in the future, you guys will be the ones taking care of it.
The Killboard is also back online. I've imported another 100+ kill mails that were missing so the stats are now more accurate.
That's it for today, because I am really tired now. It's now 11am already. Sometime these days (after you have helped me to clean the rest out of this mess) I'll be moving these services to a new secure box on a 1gbit inet connection. This current box cannot really be considered safe as long as it was initially owned by someone who is no longer a member of us. Should there be any more security concerns coming up, I advise that the forum be reinstated from scratch. Don't worry to leave your thoughts on this, I'm here to help.
Good night all.
chotaire
|
Quote:
Originally Posted by mr passie
Awesome job there, I know fuck all about internet but I'll post on our own PJI boards that passwords are compromised and need to be changed.
also here's to all the forum porn that will undoubtedly be released on kugusumen :lol: :lol: :lol:
|
Quote:
Originally Posted by Zytrel
Not really related to the hacking drama, but I think we might consider getting a more group oriented user management in place.
Right now, all members are dumped into a single Avarice member group, making management a pain.
Each corp could have its own group with the ceo as group admin. This would remove a lot of workload off the poor guy handling all those registrations and put ceos in charge of managing new and parting members.
Also, it would allow to easily remove access for parting corps with a single click, which is the most important bit imho.
|
Quote:
Originally Posted by Hera Vertigo
Just make it API driven. Hassle solved.
|
Quote:
Originally Posted by Hera Vertigo
Make sure to have logged their IP addresses and have them banned. And for future use in case they use that database to steal Eve Accounts or for identity theft purposes.
|
Quote:
Originally Posted by [TRGSS] chotaire
Just before panic starts to rage within the alliance, here's some additional information regarding "compromised passwords".
The database backup that was taken on April 29 by user Riesia (there is an additional backup that was taken by user Mattstar (or whatever) earlier, I think it was in May) does contain the following information:
a) Your email address
b) Your password, hash one-way encrypted in text format
c) A salt value (from what I tested, not needed for encrypting pw's)
d) All messages, settings and configurations of the board
In order to compromise the passwords, an attacker needs to know the algorithm used to encrypt them and can try to find a vulnerability in its implementation (I don't think they can). Alternatively they can brute-force attack the passwords (for which they need an advanced setup with very strong CPU, ideally a cluster of machines). Once they have compromised a password, they can use it to access elevated accounts on this forum.
Solutions:
a) Change all user passwords, clean user database of all people who do no longer need access. Remove all admins who do not need to be admin.
b) Restart the forum from scratch and never make the same mistakes again, e.g. never let people become super admins with db access even though there is no reason they'd ever need it.
chotaire
PS. I agree user administration should get to a point where CEO's can approve and remove members from their groups and where groups including their members can be deleted from the board as a whole. If you guys have experience with forums and know of boards and modules that are made for this scenario, do not hesitate to spit it out.
|
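The leaked dump chotaire describes above (e-mail, one-way password hash, salt) and his remedy a), making every user change their password, can be made concrete. The following Python is an added example written for this page; it is not code from the thread, from the Avarice forum or from phpBB. It stores each password with its own random salt under a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), verifies in constant time, and after a leak refuses every login until the user picks a new password that is not the leaked one. The account records, e-mail addresses, passwords and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the slow hash; a real deployment tunes this to its
# hardware. This value is an assumption, not something from the thread.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record never verifies
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Used for unknown e-mail addresses so a login attempt costs the same time
# whether or not the account exists.
_DUMMY_HASH = hash_password("not-a-real-password")


def build_sample_accounts() -> dict:
    """Constructed sample records (not real users) with the fields the post
    says the stolen backup contained: e-mail, salted one-way hash."""
    return {
        "pilot@example.invalid": {
            "hash": hash_password("correct horse"),
            "must_reset": False,
            "is_admin": False,
        },
        "director@example.invalid": {
            "hash": hash_password("hunter2"),
            "must_reset": False,
            "is_admin": True,
        },
    }


def invalidate_after_leak(accounts: dict) -> int:
    """Response to a stolen database: every account must choose a new
    password before it can log in again, even if the old one still matches."""
    for acct in accounts.values():
        acct["must_reset"] = True
    return len(accounts)


def login(accounts: dict, email: str, password: str) -> str:
    """Return "OK", "RESET_REQUIRED" or "DENIED"."""
    acct = accounts.get(email)
    stored = acct["hash"] if acct is not None else _DUMMY_HASH
    matched = verify_password(password, stored)
    if acct is None or not matched:
        return "DENIED"
    if acct["must_reset"]:
        return "RESET_REQUIRED"  # correct password, but it is in the dump
    return "OK"


def set_new_password(accounts: dict, email: str, new_password: str) -> bool:
    """Rehash with a fresh salt and clear the reset flag. Refuses to keep the
    password that was in the leaked dump."""
    acct = accounts.get(email)
    if acct is None or verify_password(new_password, acct["hash"]):
        return False
    acct["hash"] = hash_password(new_password)
    acct["must_reset"] = False
    return True


if __name__ == "__main__":
    accts = build_sample_accounts()
    print(login(accts, "pilot@example.invalid", "correct horse"))  # OK
    invalidate_after_leak(accts)
    print(login(accts, "pilot@example.invalid", "correct horse"))  # RESET_REQUIRED
    set_new_password(accts, "pilot@example.invalid", "a different passphrase")
    print(login(accts, "pilot@example.invalid", "a different passphrase"))  # OK
```

The reset flag is the point: once the backup has left the server, a password that still verifies is not evidence the account is safe, only that the attacker has not finished cracking it yet, so the flag is cleared only by a password the old hash does not match.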
Quote:
Originally Posted by Zytrel
Personally I'd go with option b. Especially if they had direct access to the db or even worse the php code, it's very hard to tell what exactly they have been messing with.
I just know that if I had been doing the job, I'd certainly have made sure to install a few backdoors in case I got caught.
Concerning group management, all the tools needed should already be provided within phpBB.
For the basic setup we'd only need a group for every corp and the CEOs set up as group admins for those.
There's also a nice mod which allows additional group mods to be set up (http://www.phpbb.com/mods/db/index.php? ... rib_id=805)
That mod is for phpbb2 though, not sure if it would work in phpbb3 or if this functionality is already included anyways (we're backwards and still using v2 for our boards.)
Oh, and just for the record, while it sounds nice, API authentication is NOT secure (unless you have users enter their keys and check the api-info every time they log on).
|
Quote:
Originally Posted by Hera Vertigo
How else would you expect it to be done? A one time check.. Damn that's just stupid. You would have it check every damn day and automatically drop access when they leave a member corporation. API access is secure. And we use it just fine.
|
Quote:
Originally Posted by Zytrel
I just mentioned it, cause there actually are/were forum implementations out there which did exactly that, a one time check, which on top of that could easily be forged.
Could you direct me to the board/mods doing the proper api authentication, I wasn't aware there was one.
If it works, I wholeheartedly agree that it would be the best way by far to handle things.
|
Quote:
Originally Posted by [TRGSS] chotaire
Zytrel, do me a favor and check that out as well. If you feel it works well, I'll definitely consider it. Other than that, I agree we should be adding a group for each corporation in the future. I believe that groups can be configured to give access to general forums as well, so there is no need for admin intervention once that has been properly set up.
Now for the good news, I haven't seen anyone trying to gain elevated access to the forum since I filled the holes.
I have just authorized another 2 users who were crying for forum access. I'd like to remind people that this is not my job. Please keep authorizing users asking for access and if we need more administrators for that, I'll be glad to add them. So PD or whoever, just let me know if something needs to be changed for the time being. Ideally, send me EVE-mail or a private message on this forum.
|
looks like we won't be sneaking into their director forums anymore
|