PHPBB.com Hacked by Political Hackers

Printable View

February 8th, 2005, 02:11 AM
PuReExcTacy

PHPBB.com Hacked by Political Hackers

Hackers have just hacked phpbb.com's website. The following is a note on their site.

Quote:

Last updated: 7th February 2005, 22:26 GMT

At present www.phpbb.com is offline due to a group of politically motivated hackers wishing to use an opensource project to push their agenda ... shame on them.

We have some possible further details of the events which led to the loss of www.phpbb.com. Though I have not spoken with them myself I have learnt through an intermediary the group that appears to have attacked phpbb.com did indeed use a vulnerability in awstats to gain entry to our server (note that singular, we don't own a server cluster, just a server).

However, while the group who did this say they changed only a single password we have lost all access to the server. Best guess right now is that they, perhaps inadvertently, installed some incompatible applications in the process of rooting the box. This means we cannot access the system even in single user mode.

Since it would be totally inappropriate to simply "restore" we are having the box shipped from its datacenter to our server manager. There it will be analysed so we can confirm just what happened. And of course do a full reinstall after recovering the database. This will take some time. We are hoping to have an intermediate solution but there are no guarantees this is doable, or even worthwhile given the time frames. As I said before, best guesstimates for a return are from tomorrow (8th Feb) through to the end of this week.

Obviously we will confirm, as I state above, the circumstances of the attack on www.phpbb.com just as soon as we can.

Let me say this to the "crew" that attacked phpBB. Why? We are an opensource project, we give our products away freely, we give support freely. We have enabled peoples from around the globe to communicate without restrictive licences or constant threats of action. The only thing you've done here is gain glory ... if that's what you wanted, well task achieved. But you claim to be spreading a message, a message our software has doubtless allowed others to express their opinions on. Sort of self-defeatist really, huh? Now, people who give their time freely (and no, unlike some of the commments I've read we do not rake in thousands of dollars each month!) have to clean up this mess ... time that should be spent helping users, preparing the new release, etc. By attacking our site you've indirectly affected an awful lot of people, people you claim to support. Whatever your motives, good or bad, this wasn't the best way to demonstrate them, was it?

To our community, please do not ask us for further updates as to the situation, its cause, etc. Everything we have to say is said here. Our support channel (#phpbb) on IRC has at times been swamped with "What happened? Any news?" style questions which are making it extremely difficult to support users with real issues. So we appreciate the interest but please, accept that we have nothing else to add.

Users can visit our development board, area51.phpbb.com where they can receive support for phpBB 2.0.x. Of course you can also view the next version of phpBB, 3.0 "Olympus" in the process (minus the new style of course!)

We are also maintaining our IRC support channel, #phpbb on the irc.freenode.net network

We apologise for any problems this may cause our userbase. We obviously take the huge support our community gives phpBB very seriously. And we will do our best to return to "normal operations" just as soon as we can.

psoTFX - phpBB Group

What are you thoughts on this growing trend of attacks on open-source software and sites?

Personally, I'm surprised that the site didn't have better security and administrative processes in place. While this was a politically motivated attack, I can't help but feel that this has something to do with the open-source community. It strikes me odd that a cracker with enough skills to accomplish the attack would go after phpbb. Sure they get lots of traffic, if what they wanted was to get their message acrossed.

This raises another question for me, these crackers decided to make their activities known, how long have they had access to the development source code. Might they not have included a nasty surprise in the code? Time will tell.

PuRe
February 8th, 2005, 02:31 AM
Iron-Kurton

My host's servers were taken down just recently in the past month. They had no clue what happened, but the attackers completely owned the boxes. I'm not sure of the details, but I do know that they installed a root kit, changed all the passwords, and output our old passwords to a file in plain text, erased logs, etc.... Completely took us out.

That said, any sort of attack should be prosecuted to the fullest (though people like jareds411, who point out vulnerabilities, are to be praised), make examples of skiddies who have seen "Hackers" one too many times and glorify cracking. Personally, I despise anyone who is ill intentioned and prevents me from getting my work done on time, especially with the belief that doing so is cool. In the end they are only hurting themselves, because if they don't get caught this time, they will get caught some other time, and for them, I have no sympathy.
February 8th, 2005, 03:03 AM
The Exploit

hrm

Ive been up to date with phpbb for a while now. It surprises me that anyone would want to harm them in anyways. I may be new, but it's open source. Shouldent they be glad of that, and/or appreciate that? Maybe not but, im confused.
February 8th, 2005, 03:17 AM
The Duck

Ugh, you guys, pay attention, they didn't harm phpbb because they don't like them or what they do for the public, the only did it because they wanted a ton of people to listen to their political mumbling and they knew that a ton of people visit phpbb everyday. However, it back fired on them because they installed some incompatable software and now no one can see anything, And I agree with iron kurton and his beleives...
February 8th, 2005, 06:20 AM
prodikal

Mirror of hacked page
February 8th, 2005, 07:13 AM
|3lack|ce

Here's what babel fish translated from the mirror page for those of us who don't speak Portuguese:

Quote:

For A Better World If we could have conscience of how much our life is ephemeral, perhaps we thought two times before playing outside to the chances, that we have of being happy and to make the other felizes.Muitas flowers they are harvested early excessively, Some exactly still in botão.Há seeds that never sprout and have those flowers that live the entire life, until petal for petal calm, lived, if éden delivers vento.Mas people does not know adivinhar.Agente does not know for how much time will be decorating this, and neither those flowers that had been planted to our redor. E we descuidamos.Cuidamos little of us, of the outros.Nos we sadden for small things e we lose minutes and precious hours. We lose days, to the anos.Nos times we are silent when we would have to speak, we speak excessively when we would have to be in silence. We do not give the arm that as much our soul asks for, because something in us hinders this aproximação.Não gives an affectionate kiss "because we are not accustomed with this", and does not say that we like because we find that the other knows automatically what we feel. E passes the night and arrives the day, the sun is born and adormece and continues the same ones, closed in we nós.Reclamamos of that we do not have, or finds that we do not have sufficients, Charges of the others, the life, of we ourselves, in consumimos.Costumamos them to compare our lives with the ones of that they possess more than people. E if we tried to compare with that they possess little? This would make a great difference! E the time passes... We pass for the life, we do not vivemos.Sobrevivemos, because we do not know to make another thing until, unexpectedly, we wake up and we look at pra trás.E then in asking them: e now? Now, today, still it is time to reconstruct some thing, to give to the arm friend, to say an affectionate word, to thank for that we have. He is never old excessively or young excessively to love, to say a gentile word or to make a gesture carinhoso.Não it looks at for trás.O that it passed, passed. What we lose, we lose. It looks at for front! Still it is time to appreciate the flowers that are entire to ours redor.Ainda are time to turn God and to be thankful for the life, that exactly ephemeral, still is in us. It thinks... It does not lose it more...
February 8th, 2005, 07:16 AM
PuReExcTacy

I just also wanted to add that it appears this simiens crew has been busy as of Feb. 1 sweeping the net for vulnerable Awstats installations, I just banned the IP address 24.226.36.32 for probing my server. I don't run awstats, and I'm glad I don't today.

Here are a few sites that were affected by these recent awstats exploit:
http://jeremy.zawodny.com/blog/archives/004107.html
http://www.russellbeattie.com/notebook/1008284.html
http://www.lin5.com/blogs/index.php/...h_monkey_attac

There seems to be too many more potential victims to this awstats hack

All hands to battlestations, this is digital warfare.

PuRe
February 8th, 2005, 08:07 AM
Soda_Popinsky

Quote:

All hands to battlestations, this is digital warfare.

Hardly warfare, more like survival of the fittest? A skiddie taking down a vulnerable page through a google hack and perl script doesn't show superiority over that victim, however it does reveal the discipline the victim has towards upgrading. (I'm guessing here that this exploit was patched and was never a zero day?)
February 8th, 2005, 10:53 AM
Tiger Shark

Yeah... And the bastiges take it down right when I am implementing PHPBB on my intranet and go back to get this nice "purdy" style that I saw the other day.....

I hate haxxors.... :mad:
February 8th, 2005, 11:40 AM
|3lack|ce

Since I'm still unknowing of the website end of things I did a bit of googling on awstat and started surfing - after hitting page after page of 'my site was hacked' blogs and stuff that read 'awstat is vulnerable' but telling the world neither why nor how, I stumbled into a link which I think might be relevant. Not possessing much knowledge of PhP though, I'm not truly sure, but I'm sure enough to know it doesn't need to get posted here for all to see. PM me, and if I trust you, I'll send the link. (TS and Soda, yours are on the way soon as this gets posted - if you'll review and at least tell me if I'm on the right track, I'd surely appreciate it.)
February 8th, 2005, 04:50 PM
RoadClosed

This will be down for some time. Which one you want Tiger? Some of us may have the package?
February 8th, 2005, 05:55 PM
Tiger Shark

I can't remember... :rolleyes:

It appeared to have a nice large area across the top that I could place the header of our website in.... I'll have to look when it comes back up.
February 8th, 2005, 06:14 PM
Soda_Popinsky

Hi BlackIce-

The links you sent me were for old vuln's in phpnuke and phpbb specifically, while this vulnerability was in third party (statistics?) software on the phpbb site. Here's the vulnerability in detail.

http://www.k-otik.com/exploits/20050124.awexpl.c.php
February 8th, 2005, 07:01 PM
Negative

cPanel, one of the most wide-spread hosting control panel utilities, has AWstats ("Advanced Web Statistics") in it be default. I'm not sure what the new cPanel comes with - AWstats 6.2 or 6.3 - but it doesn't really matter: most hosts still have 6.2, and are vulnerable...
February 8th, 2005, 07:42 PM
|3lack|ce

Thanks much Soda. Told yas I knew next to nothing about php - sorry to throw ya off track.