Locking "I've been hacked" topics

AmigoJack
Registered User
Posts: 5557
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Locking "I've been hacked" topics

Post by AmigoJack » Fri Feb 22, 2019 8:49 am

What exactly are the reasons that topics like Tiger Security attack : corrupted files uploaded using POST are locked? There are at least 3 disadvantages that easily come to my mind:
  1. The average user surely feels rejected - he still has questions but can't ask them anymore.
  2. Other users can't help - while the average moderator might neither know nor need to be qualified to know what the culprit may have been, other users may know that (in this case everything points to a Drupal installation).
  3. It is psychologically contradictory to the argument "phpBB hasn't been vulnerable in years" since average users might interpret locked topics as silencing (if not censoring) such reports.
As for #1 I'd also like to know if moderators are then usually contacted through PM by the topic authors.

KevC
Support Team Member
Support Team Member
Posts: 68958
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Locking "I've been hacked" topics

Post by KevC » Fri Feb 22, 2019 8:56 am

I believe it's so that people don't suggest fixes to immediately get the site going again that would overwrite any evidence that might help determine a potential vulnerability or how the person got into the site.

When the person submits to the incident tracker they get the ability to communicate directly with the investigator, so they are not 'rejected'.
"In the land of the blind the little green bloke with no pupils is king - init!"

Mick
Support Team Member
Support Team Member
Posts: 21009
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - probably.

Re: Locking "I've been hacked" topics

Post by Mick » Fri Feb 22, 2019 9:15 am

As per Kev and you can see the investigation is already underway https://tracker.phpbb.com/browse/INCIDENT-788
"The more connected we get the more alone we become" - Kyle Broflovski

AmigoJack
Registered User
Posts: 5557
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Locking "I've been hacked" topics

Post by AmigoJack » Fri Feb 22, 2019 10:16 am

KevC wrote:
Fri Feb 22, 2019 8:56 am
that people don't suggest fixes to immediately get the site going again that would overwrite any evidence
Yes, that might be the crucial point which makes all others less important. I'm just afraid people don't make the extra step of logging into yet another software to then have lots of fields to fill to create a ticket - and all that while they're more or less in panic.

Mick wrote:
Fri Feb 22, 2019 9:15 am
you can see the investigation
No, I have no view permission to that ticket. Likewise I can't comment on it either, or worse: learn from it. Even a read-only permission would help.

KevC
Support Team Member
Support Team Member
Posts: 68958
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Locking "I've been hacked" topics

Post by KevC » Fri Feb 22, 2019 10:21 am

AmigoJack wrote:
Fri Feb 22, 2019 10:16 am
Yes, that might be the crucial point which makes all others less important. I'm just afraid people don't make the extra step of logging into yet another software to then have lots of fields to fill to create a ticket - and all that while they're more or less in panic.
Every one I've seen on here with such a topic has created a ticket within 24hrs of the incident info being posted.
AmigoJack wrote:
Fri Feb 22, 2019 10:16 am
No, I have no view permission to that ticket. Likewise I can't comment on it either, or worse: learn from it. Even a read-only permission would help.
I guess that's to stop any potential vulnerability being publicised for other hackers to make use of before it's fixed.
"In the land of the blind the little green bloke with no pupils is king - init!"

Mick
Support Team Member
Support Team Member
Posts: 21009
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - probably.

Re: Locking "I've been hacked" topics

Post by Mick » Fri Feb 22, 2019 11:25 am

AmigoJack wrote:
Fri Feb 22, 2019 10:16 am
No, I have no view permission to that ticket
Apologies, I was under the misapprehension it was public domain but looking again I believe it to be correct the way it is.
"The more connected we get the more alone we become" - Kyle Broflovski

AmigoJack
Registered User
Posts: 5557
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Locking "I've been hacked" topics

Post by AmigoJack » Fri Feb 22, 2019 11:38 am

Great that creating tickets is no problem.

However, I can't see any INCIDENT ticket, unrelated to their status. Since none of them should have to do with phpBB and even the other software should have been fixed in between again, this is counterproductive to learn from it. Yes, learning can go both ways (making use of it against other hosts to break in, too), but it also keeps me/us dumb at being able to improve from that.

Meldane
Registered User
Posts: 68
Joined: Fri Mar 30, 2018 12:11 pm
Location: France

Re: Locking "I've been hacked" topics

Post by Meldane » Fri Feb 22, 2019 12:51 pm

Thanks AmigoJack for opening a subject about locking "I have been hacked" topics.

I think it was a pity indeed, that my original topic got locked, as it could definitely help others to read the answers, I believe.

Before posting my topic, I tried to look for the best place to post it and noticed the warning on the support forum about not posting bug reports there. I went to the bug tracker report page. Got confused about how it worked, didn't understand why it couldn't be an open discussion on the forum, so I decided to post it publicly on the support forum instead, since I previously received great help there.

After Mick locked the subject and advised me to report it on the bug tracker, I did it. But I have to admit I wasn't too comfortable sending all the documents requested (the copy of the files and the copy of the database). I thought all the answers could probably be found from the log only.

I did receive an answer (thanks Noxwizard for taking the time to look into it), which confirmed which files had been added, corrupted, and in need to be replaced, but it didn't explain how it happened though.
I had already checked my ftp logs, and I knew it wasn't the protocol that had been used: it had only been used recently to access my server by me, when rectifying the issue. Only the http logs looked suspicious and were revealing.

AmigoJack contacted me by PM to explain it to me, just using the initial info posted: googling the code injected, he guessed that I had another project hosted only server that could have been used as a back door to inject the malicious files and then access my board.

So his advice was really useful to help me remove the vulnerability I had on my server. The security breach wasn't linked to any phpbb bug in the end, but I wouldn't have known if I hadn't posted the issue publicly, and I would have left with the feeling it was...

In other words, I think it is essential to keep these topics open, to carry on sharing knowledge. And if a dangerous code or compromising code gets posted, maybe the message could be edited to hide it?

Lumpy Burgertushie
Registered User
Posts: 66147
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Locking "I've been hacked" topics

Post by Lumpy Burgertushie » Fri Feb 22, 2019 4:23 pm

editing only happens after the fact so that would not be a good idea.
also, in order for the staff to help they need to be able to access your files to see what is going on. the logs do not tell you much relevant info if the phpbb files have actually been hacked somehow.

I think another reason for locking the topics is to keep a lot of misinformation from being posted that might and likely would cause you even more problems.

many people think they have been hacked when it is actually spam, or, like your case, when it is some other software on the server.

if left open to discussion you could get all sorts of ideas posted that if followed could make you lose your whole board.

remember, you really have no way of knowing the knowledge level of any given poster at any given time.

glad you got it sorted out.

robert

david63
Registered User
Posts: 15946
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Locking "I've been hacked" topics

Post by david63 » Fri Feb 22, 2019 5:31 pm

But if the topics were to be read only except for the OP and Team then others could see what the problem was.

Meldane
Registered User
Posts: 68
Joined: Fri Mar 30, 2018 12:11 pm
Location: France

Re: Locking "I've been hacked" topics

Post by Meldane » Fri Feb 22, 2019 7:53 pm

Lumpy Burgertushie wrote:
Fri Feb 22, 2019 4:23 pm
glad you got it sorted out.
I managed to sort it out because I shared the issue publicly though and then received a personal message with the solution...
Lumpy Burgertushie wrote:
Fri Feb 22, 2019 4:23 pm
I think another reason for locking the topics is to keep a lot of misinformation from being posted that might and likely would cause you even more problems.
[..]
if left open to discussion you could get all sorts of ideas posted that if followed could make you lose your whole board.
remember, you really have a way of knowing the knowledge level of any given poster at any given time.
Indeed, we don't have a way of knowing the level of knowledge of people, or even of being sure their intentions are good. But that's true for everything that is posted on the net, though... (or even in life in general, actually).

People need to learn to be cautious as they go along and, as grown ups, they should be left responsible for that, I think. ;)

I believe I am not unique in not following advice just because it is given. I will do so only if it matches other elements I have perceived or can recognise.
And the right advice I received in forums or in real life hasn't always been by the most knowledgeable ones, but usually by the ones who pay the most attention to the situation.

KevC
Support Team Member
Support Team Member
Posts: 68958
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Locking "I've been hacked" topics

Post by KevC » Fri Feb 22, 2019 8:22 pm

Meldane wrote:
Fri Feb 22, 2019 7:53 pm
I managed to sort it out because I shared the issue publicly though and then received a personal message with the solution...
To be fair to the incident team you don't know if they would have found the same solution as well. You just happened to get it before they had fully responded. From what I've seen of other incident reports they're extremely thorough, when given access to all of the available information.
"In the land of the blind the little green bloke with no pupils is king - init!"

Meldane
Registered User
Posts: 68
Joined: Fri Mar 30, 2018 12:11 pm
Location: France

Re: Locking "I've been hacked" topics

Post by Meldane » Fri Feb 22, 2019 10:00 pm

KevC wrote:
Fri Feb 22, 2019 8:22 pm
To be fair to the incident team you don't know if they would have found the same solution as well. You just happened to get it before they had fully responded. From what I've seen of other incident reports they're extremely thorough, when given access to all of the available information.
I know because I received their answer:
Your access log shows several failed attempts to hack your site, but it doesn't show how it occurred. There was just suddenly accesses to "mini.php" which is a shell which was used to create other files and make changes. You should check your FTP logs for unauthorized accesses.
The issue was presented slightly differently, though:
  • When I posted my first message, I pointed to the first suspicious code I noticed on the log (I was taking part in trying to find the solution), so the private answer I received focused on that information, and found that the code was related to infecting Drupal-like platforms and helped me look further in the right direction.
  • When reporting the incident to the bug tracker team, I tried to follow the steps I was told: I provided the documents asked, but didn't feel my own analysis of the code starting the issue was needed, so I didn't point to that suspicious code, and just gave the full http log with the files.

    I didn't insist either on the fact that I knew the http protocol had been used and the answer lay there, because again, I didn't think my analysis was needed.
    And I didn't provide any ftp log, because none was generated for that time, since it hadn't been used.
The person who dealt with the issue, then spent more time going through all the documents to inspect what had been done, than focusing on that one code. It doesn't mean he wouldn't have had the ability to work it out if focusing straight on it, but that his time was used less efficiently, because he started from scratch.
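
The access-log triage this thread describes (a first, sudden request to "mini.php"), as an added example that is not part of any post above and is not the phpBB incident team's tooling: it finds the first hit on a named script and lists the successful POSTs shortly before it. The log lines, IP addresses and every path other than mini.php are constructed, and the 15-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2019:03:10:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.9 - - [20/Feb/2019:03:11:40 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 200 2300
203.0.113.9 - - [20/Feb/2019:03:14:15 +0000] "POST /othersite/upload.php HTTP/1.1" 200 48
198.51.100.7 - - [20/Feb/2019:03:14:30 +0000] "GET /forum/viewtopic.php?t=5 HTTP/1.1" 200 8800
203.0.113.9 - - [20/Feb/2019:03:15:01 +0000] "GET /forum/mini.php HTTP/1.1" 200 912
203.0.113.9 - - [20/Feb/2019:03:15:20 +0000] "POST /forum/mini.php HTTP/1.1" 200 77
"""

def parse(log_text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec

def lead_up(log_text, script="mini.php", window_minutes=15):
    """Return (first hit on script, earlier successful POSTs in the window)."""
    records = sorted(parse(log_text), key=lambda r: r["time"])
    first = next((r for r in records
                  if r["path"].split("?")[0].endswith("/" + script)), None)
    if first is None:
        return None, []
    start = first["time"] - timedelta(minutes=window_minutes)
    suspects = [r for r in records
                if start <= r["time"] < first["time"]
                and r["method"] == "POST" and 200 <= r["status"] < 300]
    return first, suspects

if __name__ == "__main__":
    first, suspects = lead_up(SAMPLE_LOG)
    print("first hit:", first["ts"], first["ip"], first["path"])
    for r in suspects:
        who = "same client" if r["ip"] == first["ip"] else "other client"
        print(f'  {r["ts"]} {r["ip"]} POST {r["path"]} ({who})')
```

The suspect list is a starting point for review and will include ordinary traffic such as logins. Run it over the merged logs of every site on the host, since in the case discussed here the entry point was other software on the same server.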
