What I know to be true.

6 07 2010

One of  my websites users has had their account hacked into. I don’t really know where to begin with all of this, so I’ll just state the facts as they are and allow readers to draw their own conclusions.

My website keeps a log of all the IP addresses that are used to access users accounts. An IP address is kind of like an online signature, its generally unique to each computer / network used and provides access to all kinds of information such as location or internet service provider. Every time a user signs into the website, a note is made of their IP address.

The victim only ever uses their home computer to access my website and uses Sky Broadband as their internet service provider. Yesterday the following IP address accessed the victims account: . This is not their usual IP address so I put the IP into infosniper; a website that traces information about IPs. You can do it yourself, and see that the information return tells us that the IP registers to Germany and is not provided by Sky Broadband. The victims account was clearly being accessed by somebody else.

I carried on digging, this time using the revolutionary technique of wacking the IP address into Google. You can see the results here. The second result is illuminating. It records that a website with the address of http://www.yoxy.co.uk is registered to the anomalous IP. Visiting this website shows that it is a proxy server website. A proxy server allows you to mask your IP (online identity). Instead of your own IP being viewed by websites, the IP belonging to the proxy server gets viewed.

I tried it out for myself by putting my websites address (www.riftforum.com) into yoxy.co.uk, logging in as myself and then checking the logs to see what IP was recorded. You can see the results:

It can clearly been seen that my IP is now the same as the hackers. It’s therefore obvious that the hacker is not a nefarious German, but someone else pretending to be one. You can have a go at this yourself too, just go to riftforum.com and you will see my site. Go to yoxy.co.uk, input riftforum, and you will see what it looks like to be banned from my site.

The victims account was accessed totally normally, nothing strange other than the IP. They just logged in with the victims account details. I asked the victim if they used the password on any other websites. The answer was yes – on three other phpbb forums but the password was cryptic and unguessable.

I then tried to work out if it was possible to easily obtain the passwords from a forum website. The answer is yes – if you are an Administrator. All the forum data is stored in a database. The database contains a table called users which contains information such as username password etc. Here is an example from a test database I set up:

The password is highlighted in the red box. The account we are looking at has a username of victim and a password of ‘password’. Its been encrypted and garbled beyond use to anyone other than Russel Crowe. To find out how phpbb encrypts passwords, you can consult the documentation here. Scroll down until the security section and find the password hashing line. You will notice two columns, one for phpbb v2, and one for phpbb v3. Both versions encrypt passwords, however if you mouse over the little question mark next to the tick, you find out that the newer version uses an enhanced version of the encryption method (MD5).

Its therefore important to find out what version of the phpbb software the websites the victim used were running. Heres the list-

http://lakemalawicichlids.co.uk/phpBB3/docs/INSTALL.html – phpbb v3

http://lakemalawi.co.uk/forum3/docs/INSTALL.html – phpbb v3

http://malawiforum.co.uk/docs/INSTALL.html – phpbb v2

So there are two types of forum software in operation here. I downloaded phpbb v2 and set up another test database with the same test username and password (victim, password). It looks a bit different with a simpler table structure as you can see.

The password has been encrypted again also. Lets compare the it with the one from my earlier test database which was using phpbb 3.

Phpbb 2 – 5f4dcc3b5aa765d61d8327deb882cf99

Phpbb 3 – $H$9M8q27O74vu2MW5FNjPuIIUXRPWdjc1

They are completely different. We found from the documentation that the passwords are encrypted with MD5, so lets google for a MD5 decrpyter. Putting the encrypted passwords into the decrypter shows that only the passwords from php 2 can be decrypted. Finding this out requires no great expertise, just admin rights to a phpbb 2 forum and google.

To recap.

  • My user had their account accessed by someone hiding their identity with a proxy server.
  • The own account password was used.
  • The password was only used on 4 websites.
  • Only Phpbb v2 forums can have passwords decrypted.

As I stated earlier, readers can draw their own conclusions.




3 responses

11 07 2010

A minor correction on my above comment. You didn’t use a simple password on 4 different sites, the “victim” did. Still a bad idea, of course.

I would also like to note that phpBB and php are different things entirely; you are using them interchangeably. PHP v2 hasn’t been used for 12 years and phpBB v2 has been retired for over 2 years. Neither should be used anymore.

11 07 2010

Yeah, I do understand that hashing and encryption aren’t technically the same thing, but the people reading this blog post (for the most part my forums users) aren’t interested in that level of technical pedantry.

The website I referenced was able to return the correct passwords from hashes in the phpbb v2.x database, both of some random test passwords and the password that the victim used. The victim used a cryptic password containing numbers and eccentrically spelt words (no symbols mind). That’s not really ‘safe’. Your average forum user will use passwords they can remember, so they will only ever be so obscure.

I also know that php and phpbb are not the same thing, I didn’t intend to use them interchangeably, the ‘bb’ that was omitted from one line was a typo.

11 07 2010

md5 is a hashing algorithm, not an encryption algorithm. It is not possible to de-hash something, however there are libraries available online for simple strings up to a certain length. Complex strings that are not in the database cannot be de-hashed, so if your password wasn’t something simple, you would be fine.

md5 was considered ‘safe’ for years and is still largely used today. Many developers now recognize that a simple md5 is not enough and choose to use something stronger. In phpBB3, for example, the algorithm is far more sophisticated.

Also, you used a simple password on 4 different sites. You should know that’s a bad idea.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: