A successful attack on SMF

In an attempt to be as open about it as possible, I will tell you that JGO was compromised 2010/12/31 at 02:30 AM.

A successful attack on SMF has been made through a moderator account, of which the attacker knew the password. That moderator has been notified. Stupid as SMF is, it allows the Moderator account to change the password of an Admin, giving the hacker full access to SMF by logging in as that admin. Apparently this is a well known attack vector, as the attacker was an admin in roughly 5 seconds.

This was a very specific attack where the hacker tried to find out as much about this person as possible. Several seemingly innocent changes (yet obviously harmful as there is no other reason for these changes) to JGO have been made, which are getting restored right now.

Among other things, I am also doing a rollback to just before the infection. About two hours of messages are lost as a result of this rollback. No attempt will be made to retrieve these messages.

For the moment all moderators have lost their permissions, to prevent this from happening again.

Although the http-log (and the sum of tcp-traffic during the attack) strongly indicates there were no database dumps made, please consider your (salted hash) password and your email address compromised.

Sorry guys.

Appreciate the openness. It seems forum software across the board is pretty poor at security. I understand why GitHub forces ssh keys :wink:

Ok, who was the moderator that got pwned? Let’s all throw rocks at them!

As a side benefit, the thread title doesn’t have a ridiculously long list of moderators in it anymore. :slight_smile: Though I still have to see Riven’s name on every thread. My god Riven, so vain! :wink: ;D

To be honest, this doesn’t really come as a surprise.
JGO has been running on an OOLDD SMF installation for a long time. This installation was compromised before - and there is no telling what happened back then.

As a result, I have since then disabled JS from JGO.

As with this attack and others (Gawker springs to mind), I really encourage everybody to use a per-site password. Yes, it’s a lot more cumbersome, but it does provide much better security than using a global username and password.

IMO, all accounts should be forced to reset. At the very least admin accounts.

That really sucks, just when you thought SMF couldn’t get any worse.

[quote=“Matzon,post:4,topic:36126”]
Too bad (the current integrated version of) the wiki requires javascript to be injected into an iframe.

I removed all moderator roles from the members, and invalidated all passwords of the (three) admins. Further, I changed the passwords on the server and locked down some previously publicly available webservices. :persecutioncomplex:

The problem with SMF is that its themes are PHP functions, which are directly editable from within the admin interface. The attacker modified the theme (fact!) to (probably!) dump the variables that held the username/password to the database, as a few moments later he logged in. Right then and there SMF was wide open, as now he could execute any query on the SMF database, using the same theme ‘templates’ (php functions).
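An added example (not SMF code) of the authorization rule that would have stopped the escalation described in this thread: an actor may only set the password of a strictly lower-privileged account, and every live session of the target is dropped when its password changes, as was done on JGO. The role names, the in-memory session store and the PBKDF2 parameters are assumptions.

```python
"""Password-change authorization with a role hierarchy and session invalidation.
Added illustration, not SMF's code; roles and storage are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed privilege ranks: a moderator sits below an admin.
ROLE_RANK = {"member": 0, "moderator": 1, "admin": 2}


@dataclass
class Account:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


class Forum:
    def __init__(self):
        self.accounts = {}   # name -> Account
        self.sessions = {}   # session token -> account name

    @staticmethod
    def _hash(salt, password):
        # Salted, iterated hash so a leaked table is not directly usable.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, name, role, password):
        salt = os.urandom(16)
        self.accounts[name] = Account(name, role, salt, self._hash(salt, password))

    def login(self, name, password):
        acct = self.accounts[name]
        if not hmac.compare_digest(self._hash(acct.salt, password), acct.pw_hash):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = name
        return token

    def change_password(self, actor, target, new_password):
        """Allow the change only for one's own account or a strictly lower rank.
        A moderator therefore cannot reset an admin (the SMF 1.x weakness)."""
        a, t = self.accounts[actor], self.accounts[target]
        if actor != target and ROLE_RANK[a.role] <= ROLE_RANK[t.role]:
            return False
        t.salt = os.urandom(16)
        t.pw_hash = self._hash(t.salt, new_password)
        # Drop every live session of the target so an attacker's login dies too.
        for tok in [k for k, v in self.sessions.items() if v == target]:
            del self.sessions[tok]
        return True
```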

Hmm, looks like a pretty organised and targeted attack, rather than your bog-standard mass exploit script. If he was dumb enough to use his real IP, maybe report him; such hacking is illegal in most countries and hopefully he’ll end up behind bars.

SMF 1.x has just been in bug-fixing mode for the last 5 years, so it has fallen somewhat behind. SMF 2.0 does look a lot better and more secure, and has a lot more features to prevent this sort of stuff (it also has much better features to prevent/control signature spam).

SMF 2.0 is still in development, currently in the ‘Release Candidate’ phase and it is explicitly stated it must not be used in a production environment.

Too bad.

It was a UK-based IP address. Who knows if that’s a bounced IP address or not. Going after the person might result in nothing but a bunch of trouble for anyone willing to pursue it. Why bother? And law enforcement isn’t quite adept at dealing with these matters, nor do they care. Someone hacking an internet forum? They’ll laugh at you.

Let’s just hope this person gets burned by fireworks tonight, that’s karma.

Much better than a password per site is trying to get all sites to use an OpenID-like solution.

The best implementation that I know of is the one in the stackoverflow/stackexchange sites.

Some of us won’t touch openID with a barge pole. So no, moving over to only openID is not a good idea.

I want my logins separate.

I don’t get this open id stuff.

At this one site I had to log in with either my openid, yahoo, google or aol account or whatever.

Why the f. would I use my gmail account to login to some forum? SERIOUSLY. Who really thought this was a good idea? Just imagine the login thefts possible with all sorts of smoke and mirror phishing popups claiming to be google or whatever.

Every internet user has been taught not to give other websites their login. And now suddenly it becomes OK to give your account details to whatever popup that comes along?

So, what happens when your only account gets stolen? You’re royally screwed.

Don’t put all your eggs in one basket. Have multiple accounts with many distinct passwords. Use your gmail account to login to gmail, don’t use it to log into newbiehax0rs.freeforums.info.

Gawwwddd… insanity I tell you. Common sense isn’t that common after all.

Well this is a bummer. Any idea how the hacker got that one password? Was it phishing or something else?

I’m personally not really worried - I already gave my JGO account its own password the last time the site was hacked.

I think http://xkcd.com/792/ explains the reality far better than I ever could.

People don’t use one password for each site, and there is a huge list of sites that have been compromised where the usernames and passwords were not stored safely (hashed and salted).

With the OpenID, Google, Facebook, etc. solution, I don’t have to trust some random site to be secure, and even a site that is important and which I would trust with some of my secure passwords could be implemented by a moron who stores the passwords in an unsafe way.

Using the OpenID solution, the only thing I have to do to make sure I am not getting screwed is check the URL bar, see that the domain is the one I think, and check if the certificate is fine. I don’t depend on how well the forum/page/wiki etc. was programmed.

The only way to have custom, not-easy-to-guess passwords for every site is using some digital wallet, something like KeePass, but that is a hassle very few people are willing to have.

As long as sites feel they have the right to ask the users to generate some user/pass to access their site, things like the Gawker compromised accounts will keep happening.

Some extra info: http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html

As much as I agree with you and that article, I find the advice at the end somewhat impractical:

[quote]Demand that they allow you to use your internet driver’s license – that is, your existing Twitter, Facebook, Google, or OpenID credentials – to log into their website.
[/quote]
Previously I wrote something that needed log-in, and since it was built on top of Google App Engine, it was trivial to let users log in with Google credentials (or anything Google accepts as a Google ID). However, this is worse than asking people to make a new username and password, i.e. directly contradicting the codinghorror advice. The simple fact is that users (even dumb users) are very reluctant to enter one set of login details for an entirely unrelated site. Even from a tech-savvy person’s point of view, it looks like a bad phishing attempt.

All attempts to use a common login fail like this: Google ID, OpenID and even Verified By Visa (which is a whole catalogue of fail on its own) all look, feel and smell like a bad phishing attempt. I’d be extremely uncomfortable trying to distinguish a genuine Google/OpenID redirection login from a spoofed one, so goat knows how likely J Random User is to do it.

Banhammers have (almost all of) their powers back!

yay.

The new JGO activation page is super effective: not a single spam account has been created since it was added, only two new accounts, and both look genuine.

As the IP address was from the UK, is the admin user also from the UK? If so, it might be possible that he auto-saved his login details in a browser, in which case any person could come along and log into the site from any computer he visited.

The person that was infected has reset his password, just like the admins.

Oh, and I deleted all sessions.