One of my websites users has had their account hacked into. I don’t really know where to begin with all of this, so I’ll just state the facts as they are and allow readers to draw their own conclusions.
My website keeps a log of all the IP addresses that are used to access users accounts. An IP address is kind of like an online signature, its generally unique to each computer / network used and provides access to all kinds of information such as location or internet service provider. Every time a user signs into the website, a note is made of their IP address.
The victim only ever uses their home computer to access my website and uses Sky Broadband as their internet service provider. Yesterday the following IP address accessed the victims account: 212.48.121.183 . This is not their usual IP address so I put the IP into infosniper; a website that traces information about IPs. You can do it yourself, and see that the information return tells us that the IP registers to Germany and is not provided by Sky Broadband. The victims account was clearly being accessed by somebody else.
I carried on digging, this time using the revolutionary technique of wacking the IP address into Google. You can see the results here. The second result is illuminating. It records that a website with the address of http://www.yoxy.co.uk is registered to the anomalous IP. Visiting this website shows that it is a proxy server website. A proxy server allows you to mask your IP (online identity). Instead of your own IP being viewed by websites, the IP belonging to the proxy server gets viewed.
I tried it out for myself by putting my websites address (www.riftforum.com) into yoxy.co.uk, logging in as myself and then checking the logs to see what IP was recorded. You can see the results:
It can clearly been seen that my IP is now the same as the hackers. It’s therefore obvious that the hacker is not a nefarious German, but someone else pretending to be one. You can have a go at this yourself too, just go to riftforum.com and you will see my site. Go to yoxy.co.uk, input riftforum, and you will see what it looks like to be banned from my site.
The victims account was accessed totally normally, nothing strange other than the IP. They just logged in with the victims account details. I asked the victim if they used the password on any other websites. The answer was yes – on three other phpbb forums but the password was cryptic and unguessable.
I then tried to work out if it was possible to easily obtain the passwords from a forum website. The answer is yes – if you are an Administrator. All the forum data is stored in a database. The database contains a table called users which contains information such as username password etc. Here is an example from a test database I set up:
The password is highlighted in the red box. The account we are looking at has a username of victim and a password of ‘password’. Its been encrypted and garbled beyond use to anyone other than Russel Crowe. To find out how phpbb encrypts passwords, you can consult the documentation here. Scroll down until the security section and find the password hashing line. You will notice two columns, one for phpbb v2, and one for phpbb v3. Both versions encrypt passwords, however if you mouse over the little question mark next to the tick, you find out that the newer version uses an enhanced version of the encryption method (MD5).
Its therefore important to find out what version of the phpbb software the websites the victim used were running. Heres the list-
http://lakemalawicichlids.co.uk/phpBB3/docs/INSTALL.html – phpbb v3
http://lakemalawi.co.uk/forum3/docs/INSTALL.html – phpbb v3
http://malawiforum.co.uk/docs/INSTALL.html – phpbb v2
So there are two types of forum software in operation here. I downloaded phpbb v2 and set up another test database with the same test username and password (victim, password). It looks a bit different with a simpler table structure as you can see.
The password has been encrypted again also. Lets compare the it with the one from my earlier test database which was using phpbb 3.
Phpbb 2 – 5f4dcc3b5aa765d61d8327deb882cf99
Phpbb 3 – $H$9M8q27O74vu2MW5FNjPuIIUXRPWdjc1
They are completely different. We found from the documentation that the passwords are encrypted with MD5, so lets google for a MD5 decrpyter. Putting the encrypted passwords into the decrypter shows that only the passwords from php 2 can be decrypted. Finding this out requires no great expertise, just admin rights to a phpbb 2 forum and google.
To recap.
- My user had their account accessed by someone hiding their identity with a proxy server.
- The own account password was used.
- The password was only used on 4 websites.
- Only Phpbb v2 forums can have passwords decrypted.
As I stated earlier, readers can draw their own conclusions.