Possible md5 brute force password checking hack ?

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
CosmicD
Registered User
Posts: 67
Joined: Sat Jan 18, 2003 11:31 pm

Possible md5 brute force password checking hack ?

Post by CosmicD » Tue Feb 05, 2008 8:36 pm

Hello,

I'm no programmer, I'm admin of a phpBB3 forum, and if some of my users report this I think I have the duty to report this, right?

Not that I want to cause any stir, or kick in open doors. So if this issue is already known you can delete this topic, but apparently it's possible to get passwords from all users in a certain way. I got this from a German user:

With the help of brute-force attacks or precomputed rainbow tables, it is possible to infer the plaintext password from the MD5 hash. Since forum users may use the same password on different sites, the operators of phpBB.de recommend changing it there as soon as possible.

http://www.picload.org/image/e2821f8295 ... 4ckyou.png

This is a screenshot of someone posting screenshots of doing the hack...

If it's legit, please take note of this, if not.. kick this message out :)

Don't want to cause trouble, but if experts think this can be legit.. I'll know if this post gets deleted or not :)

Better be safe than sorry?

Interlog
Registered User
Posts: 1258
Joined: Sat Jun 11, 2005 4:11 pm
Location: London, UK

Re: Possible md5 brute force password checking hack ?

Post by Interlog » Tue Feb 05, 2008 8:41 pm

These rainbow tables have been in existence for a long period of time.

Besides, phpBB3 doesn't use just MD5 hashing for passwords. It is a little more sophisticated.

Mark :D

CosmicD
Registered User
Posts: 67
Joined: Sat Jan 18, 2003 11:31 pm

Re: Possible md5 brute force password checking hack ?

Post by CosmicD » Tue Feb 05, 2008 8:55 pm

Just want to make sure we're safe, if it's just a hoax, all the better :)

Alexander George
Registered User
Posts: 174
Joined: Tue Oct 24, 2006 7:42 pm
Location: Massachusetts, USA

Re: Possible md5 brute force password checking hack ?

Post by Alexander George » Wed Feb 06, 2008 9:28 pm

Hi. The German website looks pretty serious about it:

http://www.phpbb.de/viewtopic.php?t=164184

Can someone really confirm that this is a hoax? Or for some other reason, nothing to be concerned about?

Thanks.

ameeck
Former Team Member
Posts: 6559
Joined: Mon Mar 21, 2005 6:57 pm

Re: Possible md5 brute force password checking hack ?

Post by ameeck » Wed Feb 06, 2008 9:37 pm

The site is running phpBB2. That uses md5 unlike phpBB3, which has a more enhanced hashing mechanism, which isn't possible to brute force with rainbow tables as far as I know.

Also, as PhillipK posted in that topic, the hack wasn't caused by a phpBB error, but by other causes, which aren't related to the forum software.
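The difference the replies above point to, between a bare MD5 hash and a salted, iterated one, shown as an added example that is not part of the thread and is not phpBB's own code. The scheme, its `rounds$salt$digest` format, the function names and the sample users are assumptions made for illustration; MD5 is used only to mirror the discussion.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short candidate list and two users sharing a password.
CANDIDATES = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; it then applies to every unsalted hash."""
    return {md5_hex(p.encode()): p for p in candidates}


def salted_iterated_hash(password, salt=None, rounds=2048):
    """Hypothetical scheme (assumption): stored as rounds$salt$digest."""
    salt = os.urandom(8) if salt is None else salt
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):  # stretching: each guess costs rounds+1 MD5 calls
        digest = hashlib.md5(digest + pw).digest()
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    rounds, salt_hex, _ = stored.split("$")
    recomputed = salted_iterated_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored)


def table_hits(stored_hashes, table):
    """Users whose stored value is found directly in the precomputed table."""
    return {u: table[h] for u, h in stored_hashes.items() if h in table}


def demo():
    table = build_lookup_table(CANDIDATES)
    unsalted = {u: md5_hex(p.encode()) for u, p in USERS.items()}
    salted = {u: salted_iterated_hash(p) for u, p in USERS.items()}
    return table_hits(unsalted, table), table_hits(salted, table), unsalted, salted


if __name__ == "__main__":
    hits_plain, hits_salted, _, _ = demo()
    print("bare MD5 found in table:", sorted(hits_plain))
    print("salted hashes found in table:", sorted(hits_salted))
```

With bare MD5 the two users' stored values are identical and one precomputed entry matches both; with a per-user salt the stored values differ and a table built in advance matches neither.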

CosmicDee
Registered User
Posts: 42
Joined: Sat Feb 16, 2008 12:45 pm

Re: Possible md5 brute force password checking hack ?

Post by CosmicDee » Sat Feb 16, 2008 12:49 pm

Thanks for the answer :)

Although I don't know why my old account is suddenly without permissions, clearly I have done something wrong....... but it would have been kind if I was notified as to what I've actually done wrong: I've gone out of my way explaining that I didn't create this message to spread lies.
