Lost accounts
Posted: Wed Mar 29, 2006 9:41 am
Just a few things to think about for whoever is running the site these days…
DB tables don’t selectively just get dropped for no reason. If the DB had become corrupted the server would have either used its backup or started spitting CSV or pack errors (MS SQL, MySQL, and Oracle that I know of, though I don’t think the latter is supported by PHPBB). Either someone was tinkering with the DB who had no idea what he/she was doing, or someone has access to it and is having some fun. I did not bother to look up what version of PHPBB or version of PHP Nuke you’re running, but most of the older versions have SQL injection holes that can be exploited by the average script kiddy, allowing for anything from DB user creation to delete functions where they could be guessing IDs. I would highly recommend that, unless you know someone who had no idea what he/she was doing was in the DB, you change the user name and pass and update the forum and Nuke.
The other easy way into the forum would be via a file upload and using the PHP function file_get_contents() to echo the DB file (this can also be exploited on shared hosting if he is able to know your server root, and it’s hard to block without encrypting your DB file, and it’s not hard to figure out your root). So disabling most types of uploads is recommended. I did not check, but if you can use JavaScript in the sig, your “safe linker” (a real pain for me since it does not auto forward to the page) is worthless, since a simple JavaScript function could be used to hijack your session key and gain admin rights.
Might be a good idea to check and see if any new users have admin that should not have it. Also I would double check to make sure no other users were added to the DB (via SQL injection) and disable the current DB user from being able to create users if it’s enabled. Best thing is to lock the DB to localhost access; then it does not matter even if he/she has access unless he/she is really good (in that case you’re screwed anyway). But that only works if, one, you know how to do it and, second, you’re hosted on the same server as your SQL. Not to say you can’t add hosts, but if you know how to do that you don’t need my help.
On the user side of things, people tend to panic when they hear the word “hacker”. Plus most people only use one password for everything (just think how many things are tied to your email account) and I think a lot of people here like to be anon. Don’t worry too much, even if someone did get access to the SQL all passwords are stored in SHA-1 hashes (can’t really be reversed) and are worthless to anyone but a very skilled hacker (in that case you’re fucked anyway). The only really useful info would be email accounts.
Just my thoughts... take it or leave it...
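The checks suggested in the post above, written out as an audit script. This is an added example, not part of the original post; it assumes MySQL and the phpBB 2.x default schema (table `phpbb_users`, where `user_level` 1 is administrator and 2 is moderator), and `forum_user` is a placeholder for the account the forum connects with.

```sql
-- Added example. Assumptions: MySQL, phpBB 2.x default table prefix (phpbb_),
-- user_level 1 = administrator, 2 = moderator. A PHP-Nuke install may use a
-- different table name; adjust before running.

-- 1. Forum accounts that hold admin or moderator rights, newest first.
--    Anything here that staff do not recognise needs a closer look.
SELECT user_id, username, user_email, user_level,
       FROM_UNIXTIME(user_regdate) AS registered
FROM phpbb_users
WHERE user_level IN (1, 2)
ORDER BY user_regdate DESC;

-- 2. Forum accounts registered recently (the 30-day window is an arbitrary
--    choice; widen it to cover the period when the tables went missing).
SELECT user_id, username, user_email,
       FROM_UNIXTIME(user_regdate) AS registered
FROM phpbb_users
WHERE user_regdate > UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY)
ORDER BY user_regdate DESC;

-- 3. Database accounts that can connect from somewhere other than the local
--    machine, or that can create accounts or hand out privileges.
--    root@localhost is expected to appear; the forum's own account is not.
SELECT User, Host, Create_user_priv, Grant_priv
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
   OR Create_user_priv = 'Y'
   OR Grant_priv = 'Y'
ORDER BY User, Host;

-- 4. Everything the forum's own account is allowed to do.
SHOW GRANTS FOR 'forum_user'@'localhost';

-- 5. Remove account-creation rights from the forum's account. Run each
--    statement only if step 4 lists that privilege; otherwise MySQL
--    reports that no such grant is defined.
REVOKE CREATE USER ON *.* FROM 'forum_user'@'localhost';
REVOKE GRANT OPTION ON *.* FROM 'forum_user'@'localhost';
```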