04 May 2006

IPB <=2.1.5 critical security hole

As if we didn't have enough problems in the past few days, we've just discovered that our forums have been compromised.
We were using version 2.1.4, and, in all honesty, I did get an e-mail from IPB a few days ago, recommending that we upgrade and apply a patch. :/
Today we've noticed a post in the newbie section, which looked like a hack (a strange series of characters).
Upon further investigation, we've found this:
Later on, one of our forum admins (Soldus) found a new admin, named aaa1, from the IP, using the e-mail janerds@yahoo.com
That IP is from Vietnam, and a Google search for the e-mail address returned some Vietnamese forums.

From our investigations, it appears that our new admin didn't do anything, at least it's not in the logs. However, it is possible that the hashed forum passwords have been compromised, which is not really good. We've advised our players to change their forum passwords, and if they use the same passwords for other sites they were advised to change those passwords as well.

Upon updating to the new secure version (2.1.5 patched) we had some problems with the forum, but they should pose no security threat. We've contacted IPB and asked them to solve the problem for us (hey, we are paying 30 USD/year for customer support, and we used it before only once).

You can find the IPB security note here.

P.S. While we did receive some DDoS threats recently, we don't have any reasons to believe this incident is related to those threats, which were of a different nature.


Anonymous said...

That's an old and well known exploit. Rumor is that a number of 0 day exploits for Invision are to be released in the next couple of weeks. IPB admins, stay alert!

4/5/06 02:01  
Radu said...

If by old you mean less than a week since it was fixed, then I guess it is old :)
Anyway, if we get hax0red again, I'm going to switch to some other forum software.

4/5/06 03:47  
Donny said...

One reason why running forums isn't much fun, always trying to keep ahead of the script kiddies. I hate those people, nothing better to do but ruin lives of others and make things more difficult. I know one of my friends uses vBulletin. Not how good they are with updating their code I will have to ask him, but I know he has quite a few users running a community for counter-strike:source and hasn't had too many problems with it.

4/5/06 09:35  

