
Topic: About the recent attack - page 3. (Read 13991 times)

legendary
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 05:52:53 PM
#67
Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
If the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.

Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.

Quote
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the package manager, smiley sets, newsletter and edit members or groups with the vulnerable bound post parameters local path url, username, url, emails & title. Exploitation requires low user interaction & a privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin/mod/user) or stable (persistent) manipulation of the web application context.

Affected locations:

Package Manager > Download New Packages > FTP Information Required (Listing)
Smiley Sets > Add
Review: Newsletter > Add
Edit Membergroups & User/Groups Listing
hero member
Activity: 686
Merit: 504
always the student, never the master.
October 07, 2013, 05:50:53 PM
#66
have you checked to make sure that image sanitization is working properly?
legendary
Activity: 1204
Merit: 1015
October 07, 2013, 05:47:20 PM
#65
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written.
Theymos reviewed a diff between the files from a fresh SMF install and our setup. Therefore, we effectively reinstalled and re-applied our modifications. Theymos then went on to do a full code review and only re-enabled the absolute minimum functionality for the forum to operate.

If you had access to the moderation tools, you'd realize just how much is missing...
legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 05:43:20 PM
#64
Quote
The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames
So the original flaw used to exploit the forum software in 2011 was fixed and the only reason the attacker succeeded this time was because they left behind backdoors (which were removed and then replaced)? If that's the case (and the forum software has been re-installed with fresh files) then we should be secure. But personally I wouldn't be against upgrading to a newer version of SMF.
staff
Activity: 3248
Merit: 4110
October 07, 2013, 05:41:39 PM
#63
Glad it's back up. I lost a lot of contact with the Bitcoin world because all other Bitcoin forums are not active enough.
legendary
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 05:37:34 PM
#62
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed for so long, or was this the first time this exploit has been used to hack a website?

My understanding is that the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.

That's not true:

The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames and eventually purchased a donor account, using it to gain access to various user accounts and change their names, including that of the administrator, Satoshi.

Theymos verified that this is correct.
legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 05:31:08 PM
#61
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed for so long, or was this the first time this exploit has been used to hack a website?

My understanding is that the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
But the first attack was facilitated by a flaw in the SMF software, which allowed the attackers to install backdoors in the first place. It sounds to me like the method used in the 2011 attack is not fully understood even now, but some people suspect the avatar system was exploited. It seems to me like the attacker is using an undocumented flaw in the SMF software.
legendary
Activity: 1498
Merit: 1000
October 07, 2013, 05:20:34 PM
#60
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed for so long, or was this the first time this exploit has been used to hack a website?

My understanding is that the hack comprised a couple of vectors, not just one point. This vector also had to do with a previous hack so it really wasn't SMF's software.
legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 05:18:36 PM
#59
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written. Or does the code need to be reviewed to figure out that hole in the avatar system? If that's the case then what I find highly surprising is that this bug seems to be undocumented. How is it that such a crucial flaw in SMF could go unnoticed for so long, or was this the first time this exploit has been used to hack a website?
legendary
Activity: 1204
Merit: 1015
October 07, 2013, 05:10:08 PM
#58
Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each other through the PM system, and don't take the time to encrypt it or secure it in any way.
I'm pretty sure that they did.
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
October 07, 2013, 04:58:27 PM
#57
Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each other through the PM system, and don't take the time to encrypt it or secure it in any way.

In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
hero member
Activity: 686
Merit: 504
always the student, never the master.
October 07, 2013, 04:25:49 PM
#56
theymos is a competent administrator. tradefortress told me so Cheesy
legendary
Activity: 2156
Merit: 1393
You lead and I'll watch you walk away.
October 07, 2013, 04:16:52 PM
#55
Cloudflare was identified on our end as well.

Are you the same surebet that's a member of this exploit database site http://1337day.com that has a private section containing SMF exploits?
legendary
Activity: 1736
Merit: 1024
October 07, 2013, 04:13:05 PM
#54
thanks for the update! Glad the forum is back up.  Cheesy

Yes, that was a scary run, hopefully won't happen again.  Any *cough* um, accusations of who attacked?
legendary
Activity: 1708
Merit: 1019
October 07, 2013, 04:10:57 PM
#53
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer. It was most likely used by someone with the discipline to occasionally do a db pull and crack a hash and bring back an old account from the dead for scamming, or use the credentials to make bitcoins mysteriously disappear from an exchange. It also could be used in a way that would never be learned, such as to retrieve IP address logs of a suspect account and use account information against a user, while "parallel construction" prevents any revelation of the backdoor.
Are there any logs of hacking action? When was the backdoor placed again?

The big question is why was the backdoor revealed? Just for the lulz? Or was it a second hax0r?

legendary
Activity: 1512
Merit: 1028
October 07, 2013, 04:10:36 PM
#52
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.
I'm not doubting its existence, I'm saying that unless there is specific evidence, it was likely not placed by the same entity that uploaded dancing javascript.


Maybe Theymos is an NSA plant putting back doors from the 1990's into the forum?

http://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

We at the NSA thank you for your contribution to our signals intelligence efforts:

69.249.73.204 - - [07/Oct/2013:05:02:10 -0400] "GET www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf HTTP/1.1" 200 79951 "https://bitcointalk.org/index.php?topic=306878.40" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
administrator
Activity: 5166
Merit: 12850
October 07, 2013, 03:47:24 PM
#51
I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer.

No, I verified its existence using my old forum backups.
qwk
donator
Activity: 3542
Merit: 3411
Shitcoin Minimalist
October 07, 2013, 03:31:17 PM
#50
How about a standard password reset for all users?
And after 4 weeks or something, delete all old accounts; that could clean up the forum also?
Yeah, that "satoshi" guy hasn't logged in for quite a while, get rid of him Grin


It is somewhat scary that admins can modify forum code from within the forum itself if I understand correctly.
That's how Satoshi set it up (maybe the SMF default), but I fixed it a while ago.
Are those code changes stored in a database or are the files themselves edited?
If it's the files, that'd be easy to monitor.
Database snippets, on the other hand, might be a little more tricky.
legendary
Activity: 1512
Merit: 1028
October 07, 2013, 03:24:09 PM
#49
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

Welcome back forum!

Login with only the hash? That basically allows any admin to impersonate another user. How could SMF think that was a good idea??

I think it unlikely that if there was a two-year backdoor, it was placed by the recent defacer. It was most likely used by someone with the discipline to occasionally do a db pull and crack a hash and bring back an old account from the dead for scamming, or employ re-used passwords to make bitcoins mysteriously disappear from an exchange. It also could be used in a way that would never be learned, such as to retrieve IP address logs of a suspect account and use account information against a user, while "parallel construction" prevents any revelation of the backdoor.

My last post on this forum before it went down, about a rooted Bitcoin casino. How novel:

You are lucky that the hacker couldn't think of anything interesting to do; however that machine is not 100% secure unless it can be image-restored or reloaded. An intrusion detection system would have alerted to any system changes or the downtime. The hacker's goal may not have been to steal Bitcoins, it may have been to discover the site owner's identity or that of players or to log credentials.
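An added illustration of the design flaw theymos describes in the quoted post (logging in with only the password hash), written for this page and not taken from SMF: the member row, the cookie derivations and the server secret are a constructed model, not SMF's actual scheme. It shows why a login token computed only from columns stored in the database is forgeable from a database dump, and why keying it with a server-side secret that never lives in the database closes that gap.

```python
import hashlib
import hmac
import secrets


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode()).hexdigest()


# Constructed member row: exactly what a database dump hands an attacker.
MEMBER_ROW = {
    "id": 42,
    "passwd": sha1_hex("correct horse"),  # stored password hash
    "salt": "f00dbabe",                    # stored in the same row
}


# Weak scheme (model of the flaw): the cookie is a function of stored columns
# only, so the hash itself is a password equivalent and no cracking is needed.
def weak_cookie(row: dict) -> str:
    return sha1_hex(row["passwd"] + row["salt"])


def weak_check(row: dict, cookie: str) -> bool:
    return hmac.compare_digest(weak_cookie(row), cookie)


# Hardened scheme: the cookie is keyed with a secret kept in server config,
# never in the database, so the dump alone cannot reproduce it.
SERVER_SECRET = secrets.token_bytes(32)


def hardened_cookie(row: dict, secret: bytes = SERVER_SECRET) -> str:
    msg = f"{row['id']}:{row['passwd']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_check(row: dict, cookie: str, secret: bytes = SERVER_SECRET) -> bool:
    return hmac.compare_digest(hardened_cookie(row, secret), cookie)


def forgeable_from_dump(row: dict, derive, check) -> bool:
    """Design audit: does a token minted from the dumped row alone pass?
    `derive` is what a dump holder can compute without the server config."""
    return check(row, derive(row))


if __name__ == "__main__":
    print("weak:", forgeable_from_dump(MEMBER_ROW, weak_cookie, weak_check))
    # Without the config the dump holder can only guess the secret; any wrong
    # guess fails the check, and rotating the secret invalidates every cookie.
    guess = lambda r: hardened_cookie(r, secret=b"not the real server secret")
    print("hardened:", forgeable_from_dump(MEMBER_ROW, guess, hardened_check))
```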
legendary
Activity: 1456
Merit: 1076
I may write code in exchange for bitcoins.
October 07, 2013, 02:52:55 PM
#48
In the reddit thread...
[snip]

Theymos says it was someone from SA. How does he know that? If he KNOWS who it was, why not tell us all?

[snip]


What's SA?
Something Awful, often abbreviated to SA, is a comedy website housing a variety of content, including blog entries, forums, feature articles, digitally edited pictures, and humorous media reviews.

Thanks!   "SA" was too generic to google without some further context. Smiley