MR2ROC (and others) hacking announcement - PLEASE READ

Started by aaronjb, December 4, 2007, 22:59


aaronjb

As some of you noticed, some of the details around here changed spontaneously the other day..

The long and short of it is this:

A vulnerability was found in the phpBB Garage software that we are running. It allows access to the MD5 hash of any user's password through a SQL injection attack.

What that means, in layspeak, is that anyone who understands the attack could log in as and impersonate any user here - including the site administrator.

Now, luckily (if you can call it that) it appears that the first person who exploited that attack here was not malicious and used the exploit to disable the Garage browse feature (to prevent others from using the attack).

Of course, there is unfortunately no way of knowing if anyone before this had used the attack and simply not taken any action that resulted in visible traces.


Because of this, I would highly recommend that you change your password here - and anywhere else that you use the same password.


As I say, the exploit gains you access only to the MD5 hash of the user passwords - so that means that you can only use this hash to log into a system using the same hashing algorithm for passwords (which will include any phpBB based board, amongst other things).
(For the pedantic - yes, I know MD5 was cracked recently, so it is no longer a true one-way hash, so it is theoretically possible to retrieve the original password either through expensive computation or a large enough rainbow table.)


Unfortunately, as it was possible to gain access as administrator, it is also possible that email addresses and any other information in your public profile have had the potential to be harvested.



You will notice that for the time being the Garage is largely disabled - this will remain so until a security patch for the exploit is released and installed (it's expected to be released tomorrow, but I cannot guarantee I'll be able to install it then).


Obviously all we can do at this point is apologise - unfortunately security breaches of sites such as this are part and parcel of the Internet.  If we had limitless budget we could afford expensive security hardware in front of the site, and/or the time to install things such as mod_security in the webserver software - unfortunately both time and money are in short supply (yes, we just had a fundraiser - but a hardware based web application firewall runs into the tens of thousands).


Once again - if you take anything away from this post:

1) Change your password here and anywhere else you have used the same password
2) It is good practice to regularly change passwords, and never to use the same password everywhere
2001 Vauxhall Omega 3.2V6 Elite / 2003 BMW M3 Convertible / Dax 427 (in build)
ex-2002 MR2 TopSecret Turbo Roadster
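To illustrate the two points made in the post above (an unsalted MD5 hash can be recovered from a table computed ahead of time, and the same password on two sites that use the same unsalted scheme produces the same hash), here is an added Python example that is not part of the original post or the forum software. The wordlist and the accounts are constructed, and the salted PBKDF2 function is shown as the standard mitigation, not as anything the board itself did.

```python
import hashlib
import os

# Constructed sample wordlist; a real lookup table covers millions of common
# passwords, which is why an unsalted hash is effectively recoverable.
WORDLIST = ["password", "letmein", "qwerty123", "mr2roc"]


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the kind of hash the thread says was leaked."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF: the standard mitigation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; only possible because there is no salt."""
    return {legacy_md5(w): w for w in words}


def recover_from_table(table: dict, leaked_hash: str):
    """Return the plaintext if the leaked hash is in the table, otherwise None."""
    return table.get(leaked_hash)


def demo():
    table = build_lookup_table(WORDLIST)

    # 1. A leaked unsalted MD5 hash (constructed) is recovered by a plain lookup.
    leaked = legacy_md5("mr2roc")
    recovered = recover_from_table(table, leaked)

    # 2. The same password on a second site using the same unsalted scheme
    #    stores the identical hash, so one leak exposes both accounts.
    reused_hash_matches = leaked == legacy_md5("mr2roc")

    # 3. With a per-user salt, two users with the same password get different
    #    hashes, and neither appears in a table computed ahead of time.
    hash_a = salted_pbkdf2("mr2roc", os.urandom(16))
    hash_b = salted_pbkdf2("mr2roc", os.urandom(16))
    salted_differs = hash_a != hash_b
    salted_not_in_table = recover_from_table(table, hash_a) is None

    return recovered, reused_hash_matches, salted_differs, salted_not_in_table


if __name__ == "__main__":
    print(demo())  # ('mr2roc', True, True, True)
```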

Anonymous

#1
Well, I was the one who saved your forums. Just to let you know, the MD5 hash is easily reversible; that's how I got markiii's password, which at the time was  and ekona's password.

http://gdataonline.com/seekhash.php is the site where you can punch in the hash and get a user's password in plain text. But yeah, a lot of forums got hacked that day; I was just lucky enough to catch this one before it went south. I was actually the one that sent out the mass mail on imoc.co.uk before someone got in and nuked it before I could lock it down. If you have any questions feel free to email me.

Anonymous

#2
On the back of this you might want to change any passwords that are the same as your login password on here, just as a precaution (not that you should have the same password for 2 things).

I have found this out the hard way!

Apparently, according to my bank, some nigerian cnut has tried to use my debit card to pay for some stuff. I think they might have got the details off PayPal, which had the same password as here! Anyway the bank stopped the transaction and have cancelled my card. So it has not been too bad. I needed a new card anyway as my old one was dropping to bits! :lol:

Just a warning to you all, watch out! :D

Two's Company

#3
My PayPal account has also been hacked because I was lax with the passwords. :oops:

Anonymous

#4
Whilst having different passwords for different things is more secure it does cause the problem of having to remember loads of passwords and more importantly which password pairs with which site. Perhaps some people may find Keepass useful.

Silverman

#5
Hi aaronjb,

Also, since about Monday or Tuesday, when I first come onto the Club site and before logging on, I get the page entitled "Information". Beneath the title it says, "There is no such page. Please repeat and try again." ?? :cry: :?
Sold after 4 great years...... 04 '2', 6s, Silver, TTE Interior Trim Kit No 1, TTE Sports Twin Exhausts.

"An MR2 is good for you."

DannyN

#6
Quote from: "i30i3i3y"
Whilst having different passwords for different things is more secure it does cause the problem of having to remember loads of passwords and more importantly which password pairs with which site. Perhaps some people may find Keepass useful.

Something I use sometimes is old car registration numbers, as they contain numbers and letters; just choose something old and not yours - like your dad's old Celica (T-reg Fastback :) ) or mum's Mini Clubman.
Quote from: "DannyN"
There are 10 types of people in the world,
Those who understand Binary and those that don't...

Black 51 165 BHP - Hardtop ON - Teins - Apexi Power FC - AEM Induction (Cleaned) - Crower Cams - Forged Pistons - Iridium Plugs - Zero Manifold - SP Downpipe - H&S - TRD SS - Corkys MSMB - Goodridge - '03 Vents - Devs - Bamas - Crystal Indies - Mongos.

Anonymous

#7
Quote from: "Silverman"
Hi aaronjb,

Also, since about Monday or Tuesday, when I first come onto the Club site and before logging on, I get the page entitled "Information". Beneath the title it says, "There is no such page. Please repeat and try again." ?? :cry: :?

So what exactly do you do to get that? I've just tried logging out, visiting the club homepage ( www.mr2roc.org ), then clicking the forum tab, then logging in and I get nothing of the sort.

Silverman

#8
Quote from: "Ekona"
So what exactly do you do to get that? I've just tried logging out, visiting the club homepage ( www.mr2roc.org ), then clicking the forum tab, then logging in and I get nothing of the sort.

I've just run another check. All I have to do to get the "There is no such ..." is to have the computer running and connected, and then as soon as I select the Rocster icon on the desktop, the "Information" page appears with the message. :( :( :( I clear it by logging on (possible error in previous post). The "Information" page appears as a standard Rocster site page, by the way???
Sold after 4 great years...... 04 '2', 6s, Silver, TTE Interior Trim Kit No 1, TTE Sports Twin Exhausts.

"An MR2 is good for you."

Anonymous

#9
I'm sorry I neglected to give you a heads up on this.  I saw on lotustalk.com a post by the admin that hackers had attacked moremonkey.com (another lotus forum) using this exploit, so I sent a PM to DaSpyda (spyderchat admin) but it was late at night and I wasn't thinking about mr2roc.  I just went to bed.

Anonymous

#10
Quote from: "Silverman"
Quote from: "Ekona"
So what exactly do you do to get that? I've just tried logging out, visiting the club homepage ( www.mr2roc.org ), then clicking the forum tab, then logging in and I get nothing of the sort.

I've just run another check. All I have to do to get the "There is no such ..." is to have the computer running and connected, and then as soon as I select the Rocster icon on the desktop, the "Information" page appears with the message. :( :( :( I clear it by logging on (possible error in previous post). The "Information" page appears as a standard Rocster site page, by the way???

Nope, I still don't get you. Do it this way and see what happens:

Turn on PC/Mac
Log on
Open browser to blank window
Type www.mr2roc.org in the address bar
Hit enter
Tell me what happens.


From the sound of your post you've got a link set to ROC (but what page I don't know, presumably the main page not the forum) set as a clickable icon on your desktop. Try it my way and see what happens, and also try deleting your link and creating a new one.

What OS are you using? Browser?

Silverman

#11
Quote from: "Ekona"
Quote from: "Silverman"
Quote from: "Ekona"
So what exactly do you do to get that? I've just tried logging out, visiting the club homepage ( www.mr2roc.org ), then clicking the forum tab, then logging in and I get nothing of the sort.

I've just run another check. All I have to do to get the "There is no such ..." is to have the computer running and connected, and then as soon as I select the Rocster icon on the desktop, the "Information" page appears with the message. :( :( :( I clear it by logging on (possible error in previous post). The "Information" page appears as a standard Rocster site page, by the way???

Nope, I still don't get you. Do it this way and see what happens:

Turn on PC/Mac
Log on
Open browser to blank window
Type www.mr2roc.org in the address bar
Hit enter
Tell me what happens.


From the sound of your post you've got a link set to ROC (but what page I don't know, presumably the main page not the forum) set as a clickable icon on your desktop. Try it my way and see what happens, and also try deleting your link and creating a new one.

What OS are you using? Browser?

Firstly, must say hello to Beanie in 'Jakesonveele', Florida North.  Great to hear from you and don't forget Ann's Diner in Hilliard!!  Hope y'all in good shape.

Now Ekona, Vauxhall friend (I think). OK, did your routine and came up on site, no probs. Bit more fiddly than d'top though? Afraid I shall have to consult son before attempting link deletion (!), new link creation, OS answer, etc. :?
Sold after 4 great years...... 04 '2', 6s, Silver, TTE Interior Trim Kit No 1, TTE Sports Twin Exhausts.

"An MR2 is good for you."

Anonymous

#12
Definitely an issue with your link then, I reckon. As for creating a new link, it's easy: Highlight the address in the address bar, then drag it to the desktop. This should create a new link direct to the page in question.

aaronjb

#13
phpBBGarage is now patched (the patch was released on the 5th), so the Garage has been enabled for use again.
2001 Vauxhall Omega 3.2V6 Elite / 2003 BMW M3 Convertible / Dax 427 (in build)
ex-2002 MR2 TopSecret Turbo Roadster

Anonymous

#14
Aaron, I can't open the auto-sent PM from the garage so I can verify the items, any chance you could look into this for me when you get a sec please?

Anonymous

#15
Aaron

Just noticed that the garage comments have gone, or at least the one I had on my car. Also changed the dyno table the other day, but as yet it's not shown up on the main table.

Thanks
Rob.
