Did you guys see this at CW?

Wasch_24 (2005 BoY) · Rating 100% (196 / 0 / 0) · Joined Dec 12, 2004 · Messages 21,508 · Location Springfield, VA

I don't know how I missed it till now.

http://forums.cigarweekly.com/viewtopic.php?p=1375019#1375019


Cheakamus said:
As many of you are aware, we have had some security issues with the BBS recently. This all started in November when a flaw in phpBB was discovered that granted an attacker access to the system as the same user that runs the web server. Due to the size of our board we became a target, and several individuals gained access before I was able to patch the problem. Once the problem was patched I assumed everything was OK.

On Sunday evening our site was again defaced, inserting a redirect command into the header of the BBS that took the user to a cleverly worded page that caused some of our members to install a "client" program that was in fact a key logging trojan. After disabling the entire BBS and examining the log files I was able to discern the attack vector and fix the problem, then bring the site back up live.

It turns out there is a flaw in phpBB whereby, if an attacker knows the encrypted form of the user's password (i.e., the form that is stored in the database), they could easily log in as that user. Most multi-user systems store passwords in encrypted form so that if an attacker does gain access to the system it is difficult for them to get the actual passwords. As a result of the November attack the attackers had my encrypted password (since they had access to the database) and were able to log in as me, thus having access to the site's configuration and then the ability to insert the redirect command.

It is likely that they have the entire membership's encrypted passwords and, should they choose, could log in as any one of you who has the same password you had at the time of the first attack. The only way to defend against this is to change your password for this site. Please note that they do not have the actual password itself, only an encrypted form of it, so if you use the same password elsewhere it is most likely safe. That being said, I would suggest you change passwords elsewhere as a precaution anyway.

To change your password, click on the Profile link at the top of the page and enter your old password, then the new password twice.

If you do not recall your old password, then log out and click the "I forgot my password" link on the login page to have the system assign a new one and send it to you. Once you have the new password, log back in with it, visit your profile, then change it to something that you can remember, hopefully not the one you used before.

If the email address in your profile is not current, you will not get the new password. If that is the case, please email me at webmaster@cheakamus.com and I will update the email address in your profile so you can get it.

I apologise for the inconvenience this has caused. If you need information regarding the trojan that was involved please see the thread in the Problems and Questions room. If you have any other questions please feel free to contact me.

Jay
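The flaw Jay describes is a login path that treats the stored password hash itself as a valid credential, so a copy of the user table is as good as every member's password. The following is an added Python model written for this thread, not phpBB's code; the page does not say which phpBB code path was involved, so the "vulnerable" check, the unsalted-MD5 storage, the user name `jay`, and the sample passwords are all assumptions. It places that vulnerable pattern beside a hardened one (random session tokens stored only as hashes and tied to a password generation counter) and shows why the post's advice to change your password is the thing that actually shuts the door.

```python
"""Vulnerable vs. hardened login models for the flaw in the quoted post.
Added illustration, not phpBB's code; mechanism and sample data are assumed."""
import hashlib
import hmac
import secrets
from typing import Optional


def legacy_hash(password: str) -> str:
    # Stand-in for the "encrypted form" kept in the database (assumed to be
    # unsalted MD5 for illustration; a real system should use bcrypt/argon2).
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_db() -> dict:
    # Constructed sample user table with one account (hypothetical values).
    return {
        "jay": {
            "pw_hash": legacy_hash("SampleOldPassword1"),
            "pw_generation": 0,   # bumped on every password change
            "sessions": set(),    # SHA-256 hashes of issued session tokens
        }
    }


# --- Vulnerable pattern -----------------------------------------------------
def vulnerable_login(db: dict, username: str, presented_hash: str) -> bool:
    """Accepts the stored hash itself as proof of identity, so anyone holding
    a copy of the user table passes this check without knowing a password."""
    row = db.get(username)
    return row is not None and hmac.compare_digest(row["pw_hash"], presented_hash)


# --- Hardened pattern -------------------------------------------------------
def password_login(db: dict, username: str, password: str) -> Optional[str]:
    """Checks the plaintext password and issues a random session token; later
    requests present the token, never anything derived from the stored hash."""
    row = db.get(username)
    if row is None or not hmac.compare_digest(row["pw_hash"], legacy_hash(password)):
        return None
    token = f"{username}:{row['pw_generation']}:{secrets.token_urlsafe(32)}"
    # Only a hash of the token is stored, so a database copy yields no usable tokens.
    row["sessions"].add(hashlib.sha256(token.encode()).hexdigest())
    return token


def token_login(db: dict, token: str) -> bool:
    """A token is valid only if its hash is on file and it was issued under the
    account's current password generation."""
    try:
        username, gen, _ = token.split(":", 2)
    except ValueError:
        return False
    row = db.get(username)
    if row is None or not gen.isdigit() or int(gen) != row["pw_generation"]:
        return False
    return hashlib.sha256(token.encode()).hexdigest() in row["sessions"]


def change_password(db: dict, username: str, new_password: str) -> None:
    """The mitigation from the post: the new hash replaces the leaked one, and
    bumping the generation revokes every token issued before the change."""
    row = db[username]
    row["pw_hash"] = legacy_hash(new_password)
    row["pw_generation"] += 1
    row["sessions"].clear()


def demo() -> dict:
    """Walks through the scenario in the post and returns each outcome."""
    db = make_db()
    leaked_hash = db["jay"]["pw_hash"]   # what a copy of the table exposes
    results = {}
    results["vulnerable_accepts_leaked_hash"] = vulnerable_login(db, "jay", leaked_hash)
    results["hardened_rejects_leaked_hash"] = not token_login(db, leaked_hash)
    token = password_login(db, "jay", "SampleOldPassword1")
    results["hardened_accepts_real_session"] = token is not None and token_login(db, token)
    change_password(db, "jay", "SampleNewPassword2")
    results["leaked_hash_dead_after_change"] = not vulnerable_login(db, "jay", leaked_hash)
    results["old_session_dead_after_change"] = not token_login(db, token)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two properties matter for a defender here: nothing stored in the database may be replayable as a credential (the stored value is a hash of the token, and the token is random, so a dump gives the attacker nothing to present), and a password change must invalidate everything issued under the old password, which is what the generation counter does. Until such a design is in place, the post's instruction to every member to change their password is the only control that takes the leaked hashes out of play.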

Rating 100% (29 / 0 / 0) · Joined Dec 13, 2004 · Messages 853 · Location TX
Yup. I must be getting old and losing my memory, though. Changed my password at work. Either that evening or the next day at home, couldn't remember what I had changed it to. doh