Dailydave mailing list archives

Re: phpbb.com hacked...


From: Martin Zember <martin.zember () matfyz cz>
Date: Sat, 28 Feb 2009 03:06:13 +0100

And here is the other post. Not technical anymore. Only some sort of a
self-interview.

------

  Hacked PHPBB(dot)COM


    Thursday, February 12, 2009


      Aftermath <http://hackedphpbb.blogspot.com/2009/02/aftermath.html>

So phpbb.com is back up, congrats it only took a week to prove that I
didn't modify anything. But it sounds like they are still investigating
on their old server and are running on a temp one. This is pointless as
I can not be caught.

So I am going to try and answer a few questions, (there may be an
interview in the future)
*Why did you do it*: already stated, boredom? To see if I could make a
change to an upcoming release package.
*Why did you release what you released*: To prove that the site was
compromised
*Why didn't you email the staff/post on the forums like a good hacker
should do*: Because they would have patched the system and nothing more
would have come from it, no thank you Mr. Wonderful.
*Why are you such a script kiddy*: I used an exploit off milw0rm, so
what? I found phpbb.com, not some scanner; I found the log files to
include so code could be run. I found the salt/hash. I found a way to
include my avatar/uploaded files. Nothing was automated.
*Why didn't you leave a calling sign/handle/team name*: First reason,
because I didn't want any sort of credit for it. Second so I couldn't be
traced.
*Why did it take you so long:* I work for a living. And in one of
phpbb.com server configurations, they have filters that exclude remote
files. Also it took a while to locate a writable directory on phpbb.com
not just a temp or server directory. This was only really achieved when
I was able to alter the layout using the Admin panel.
*Am I going to enjoy jail*: That is a funny one; all evidence has been
removed on my end. All hard drives have been wiped, multiple times. Also
the wireless network has been patched; I have flown back to my home
country, and destroyed my network card (replaced with a new one). So
good luck finding me, and on top of that good luck extraditing to USA,
as my country doesn't have extradition laws with the US.
*Have the admins offered you a job*: No they have not, nor would I want
one. I have tried to contact staff, about the break-in, but no one would
respond.
*The admins didn't get a chance to patch, why hack them*: the only
damage that was done before the patch was downloading 160,000 user names
and passwords to try and crack, which turned into the 40,000 released
to the public. The only damage after the patch was compromising the
admin account, reading the forums, dumping the user table, and dropping
the mail list table and user table. So I could have been locked out, if
the admins had been on top of their patches. But I would place a bet
that they wouldn't have known they were running un-patched until someone
told them.
*Am I sorry*: I am sorry it has taken the admins this long, I am sorry I
released the names and phone numbers of the staff.

Thanks for reading, and keep checking back here for the interview that
should be coming down the pipes.

Posted by Hacked PHPBB(dot)com at 1:48 AM

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

