Changing md5 hash for password stored to something safe

Looking for a MOD? Have a MOD request? Post here for help. (Note: This forum is community supported; phpBB does not have official MOD authors)
iBotPeaches
Registered User
Posts: 131
Joined: Tue Jul 24, 2007 12:38 am
Location: Vahalla

Changing md5 hash for password stored to something safe

Post by iBotPeaches » Sat Jul 05, 2008 12:43 pm

I had my board compromised, no clue how but it did. That's out of the discussion. And that compromiser decoded the passwords and now has just a handful of my users' passwords. He had direct MySQL access and would run queries picking up whoever's password. Thank god, he only got a few, but point being he decoded them! I thought they were salted or something. I did some reading, and is it possible to switch the storing to a sha1? Or decode the md5 into a sha1, then when checking auth, you make md5, then encode in sha1. Or any of the sha family. I was just wondering if anyone could lead me where to start (file wise), so I could do it, or take it upon yourself.

Brf
Support Team Member
Posts: 51824
Joined: Tue May 10, 2005 7:47 pm

Re: Changing md5 hash for password stored to something safe

Post by Brf » Sat Jul 05, 2008 12:45 pm

phpBB3 passwords are not stored in md5.

iBotPeaches
Registered User
Posts: 131
Joined: Tue Jul 24, 2007 12:38 am
Location: Vahalla

Re: Changing md5 hash for password stored to something safe

Post by iBotPeaches » Sat Jul 05, 2008 12:47 pm

Okay, then never mind. Whoever helped me didn't know what he was talking about. How was it crackable then?

Brf
Support Team Member
Posts: 51824
Joined: Tue May 10, 2005 7:47 pm

Re: Changing md5 hash for password stored to something safe

Post by Brf » Sat Jul 05, 2008 12:50 pm

I doubt it was.
If your host's security was not up to date, someone can hack into your site that way.

iBotPeaches
Registered User
Posts: 131
Joined: Tue Jul 24, 2007 12:38 am
Location: Vahalla

Re: Changing md5 hash for password stored to something safe

Post by iBotPeaches » Sat Jul 05, 2008 1:23 pm

I could tell you how the whole thing happened. I gave out a sub-domain with FTP access to someone who wanted to upload some "new template". I fell for the trap and they uploaded phpMINIadmin and many shell files, which then allowed them to upload to my root. They then placed shells everywhere, and I had to scan and remove everything. It was a security flaw on my part, but I didn't know you could gain access into a root domain from a sub-domain through a shell. The "hacker" was posting users' passwords in real time on my forum, so he had to have a way to decode them or something, because all I have is the phpBB3 password table in MySQL; otherwise there's no other place for the passwords. But thanks for the help.

Brf
Support Team Member
Posts: 51824
Joined: Tue May 10, 2005 7:47 pm

Re: Changing md5 hash for password stored to something safe

Post by Brf » Sat Jul 05, 2008 1:46 pm

He may have used a logger to capture them on the way in.

opalelement
Registered User
Posts: 315
Joined: Wed Dec 27, 2006 4:05 am

Re: Changing md5 hash for password stored to something safe

Post by opalelement » Sat Jul 05, 2008 6:14 pm

Yeah, if he has access to your root he could easily just modify the ucp login part to email him the passwords or save them in a text file or something... Before assuming you are safe again, I would check that.
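
The check suggested in the last reply, as an added example that is not part of the original thread: compare the live board's files against a clean copy of the same phpBB release and list every file that was changed or added. The function names, the `ignore` prefix and the sample files built in `demo()` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(reference, deployed, ignore=()):
    """Return (modified, added, missing) relative paths.

    reference is a clean copy of the same release, assumed trusted;
    ignore lists path prefixes expected to differ (e.g. a cache directory).
    """
    ref, live = hash_tree(reference), hash_tree(deployed)
    keep = lambda path: not path.startswith(tuple(ignore))
    modified = [p for p in ref if p in live and ref[p] != live[p] and keep(p)]
    added = [p for p in live if p not in ref and keep(p)]
    missing = [p for p in ref if p not in live and keep(p)]
    return modified, added, missing


def demo():
    """Run the comparison on constructed trees; names and contents are made up."""
    with tempfile.TemporaryDirectory() as base:
        clean, live = Path(base, "clean"), Path(base, "live")
        for tree in (clean, live):
            tree.mkdir()
            (tree / "index.php").write_text("<?php // index")
            (tree / "ucp.php").write_text("<?php // login")
        # Constructed changes: an edited login file, an unknown upload, a cache file.
        (live / "ucp.php").write_text("<?php // login, plus an extra line")
        for sub, name in (("styles", "new_template.php"), ("cache", "data.php")):
            (live / sub).mkdir()
            (live / sub / name).write_text("<?php // constructed")
        return compare_trees(clean, live, ignore=("cache/",))


if __name__ == "__main__":
    for label, paths in zip(("modified", "added", "missing"), demo()):
        print(f"{label}: {paths}")
```

The comparison only covers files on disk, and the reference copy has to be the same release obtained from a trusted source.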
