Funny spam bot.

Discussion in 'Site Feedback' started by DarkUnderlord, Jun 12, 2005.

  1. DarkUnderlord

    DarkUnderlord Administrator Staff Member

    Messages: 4,315; Likes Received: 5; Joined: Nov 10, 2001
    A while ago I got a private message from ibidem1698 with the following:

    I've only now just had a chance to whizz through the database and as suspected, found out that ibidem1698 has sent that same message to 2,178 users since March. "Ibidem" has been progressively going through the members-list and PMing everyone in it, averaging about 31 messages a day. I'm guessing it's an automated script set to run regularly without over-loading the forum on our end, bypassing flood-prevention and therefore avoiding suspicion.

    The user account has been deleted and eventually, I'll enable the visual confirmation required for registration. I'm willing to bet it's not the only one so in the interim, if anyone gets any private messages along similar lines, let me know and I'll delete that account. Plain and simple.
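
An added example, not part of the original post or of phpBB: a rate-only flood check misses a sender that stays at about 31 messages a day, while grouping private messages by sender and body digest and counting distinct recipients catches it. The row layout, user ids, thresholds and message text are constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict
from datetime import date, timedelta


def over_daily_limit(rows, limit):
    """Rate-only check: senders who exceed `limit` messages on any one day."""
    per_day = Counter((sender, day) for sender, _to, day, _body in rows)
    return sorted({sender for (sender, _day), n in per_day.items() if n > limit})


def bulk_identical_senders(rows, min_recipients):
    """Content check: one sender, one message body, many distinct recipients."""
    reach = defaultdict(set)   # (sender, body digest) -> recipient ids
    days = defaultdict(set)    # (sender, body digest) -> days with activity
    for sender, to, day, body in rows:
        # Compare digests of the normalised body so nobody has to read the text.
        normalised = " ".join(body.lower().split())
        key = (sender, hashlib.sha256(normalised.encode()).hexdigest())
        reach[key].add(to)     # a set, so duplicate stored copies count once
        days[key].add(day)
    hits = []
    for key, recipients in reach.items():
        if len(recipients) >= min_recipients:
            hits.append({
                "sender": key[0],
                "recipients": len(recipients),
                "per_day": round(len(recipients) / len(days[key]), 1),
            })
    return sorted(hits, key=lambda h: -h["recipients"])


def sample_rows():
    """Constructed data: (sender_id, recipient_id, day, body)."""
    start = date(2005, 3, 1)
    rows = []
    for i in range(310):       # hypothetical bot 9001: 31 identical PMs a day
        rows.append((9001, 1000 + i, start + timedelta(days=i // 31), "Hi!  Check out my site"))
    rows.append((42, 7, start, "Are you on IRC tonight?"))
    rows.append((42, 8, start, "Did you finish the mod?"))
    for to in (7, 8, 9):       # a real user repeating a short reply
        rows.append((77, to, start, "thanks!"))
    return rows


if __name__ == "__main__":
    rows = sample_rows()
    print("over limit of 50/day:", over_daily_limit(rows, limit=50))
    print("bulk identical:", bulk_identical_senders(rows, min_recipients=100))
```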
     
  2. mathboy

    mathboy New Member

    Messages: 2,185; Likes Received: 0; Joined: Sep 3, 2003
    That is the same thing? I got it February 3.

    Can you read everyone's private messages?
     
  3. rosenshyne

    rosenshyne New Member

    Messages: 3,609; Likes Received: 0; Joined: Feb 26, 2002
    There is no privacy here, mathboy. DU has god-like peeping tom powers...
     
  4. mathboy

    mathboy New Member

    Messages: 2,185; Likes Received: 0; Joined: Sep 3, 2003
    Will my secret messages organizing a change of leader here be safe if I delete them then?
     
  5. Dark Elf

    Dark Elf Administrator Staff Member

    Messages: 10,796; Media: 34; Likes Received: 164; Joined: Feb 6, 2002
    No, because I know what those messages were all about and would gladly tell DU... except I wouldn't, because that would reveal my own part in that mischievous little plot.
     
  6. rosenshyne

    rosenshyne New Member

    Messages: 3,609; Likes Received: 0; Joined: Feb 26, 2002
    I miss Jar... not that I don't love you, DU, but we need our benevolent leader.
     
  7. Jinxed

    Jinxed Active Member

    Messages: 3,649; Likes Received: 3; Joined: Aug 13, 2001
    Last time I saw him I was telling him to be "nicer" to newbies. That was like 6 months ago. Wasn't it WoW which stole his soul?

    Come to think of it, I haven't seen some of you on IRC for years. Shame on you.
     
  8. Dark Elf

    Dark Elf Administrator Staff Member

    Messages: 10,796; Media: 34; Likes Received: 164; Joined: Feb 6, 2002
    I die a little bit for every day that wanes with no Jariboy... :cry:
     
  9. DarkUnderlord

    DarkUnderlord Administrator Staff Member

    Messages: 4,315; Likes Received: 5; Joined: Nov 10, 2001
    Yes. I can also (theoretically) get your password.

    Funny story:

    I had an issue with DAC a while ago where I had to re-install the database via a .php file. That meant copying stuff from the database backup into a .php file and executing it online. A big part of that was "escaping" all the special database characters so the text went in correctly. That basically meant I was reading glimpses of private messages as I did it (the posts_text and privmsgs_text tables are the only tables in phpBB that contain wads of text which need to be escaped with a PHP backup). Normal backup processes don't have me reading the data or running massive find and replace queries on it.

    Along the way I noticed this one message which, by coincidence, was the last message at the "cut point" (to insert text into a database via PHP it's a good idea to cut it up into multiple files of only a few MB each, rather than one enormous 50 MB file which fails to execute properly). Anyway, there was a message from one user to another which had their FTP and admin passwords for their own web-site they were setting up. I didn't log in to see if they worked but it was pretty funny.


    An important note about security:

    1. The passwords are encrypted here in what's known as an MD5 hash. It's non-reversible. As an example, it turns the word "password" into "5f4dcc3b5aa765d61d8327deb882cf99". Even with that string of alpha-numeric characters and knowing the algorithm behind MD5, I cannot turn the string back into the word "password". What happens when you login is the "password" you type is also encoded with MD5. The resulting MD5 is matched with the one in the database and you get logged in. Your passwords, therefore, are quite safe.

    2. I could, however, modify login.php to output your unmodified password into a table of my own design. So the next time you logged in, your password would be logged. If a hacker were to gain FTP access to the web-site and modify login.php, they could do this too.

    3. Given the above, there's a damn good reason why you use different passwords for different forums / e-mail / etc... For example, if I got your forum password and it was the same as your e-mail password or the same as your internet account...

    4. As you'll recall, we were hacked recently where an attacker gained access to the admin panel. From there, they can download a backup of the database. There is nothing to stop that hacker from taking anything in private messages and using it. That is why you should NEVER store IMPORTANT passwords of any nature in private messages or in posts in the forum. While every method has its vulnerabilities, if you e-mail them or use some other method, the chances of a hacker getting them are limited.

    5. I have no intention of reading anyone's private messages. While it is a relatively simple thing to do, I have better things to do with my time and it is an invasion of privacy. All I did in this case was to get the user_id of the spambot, pull out all messages from that user_id in the private messages table and check them over.

    Not unless the other person deletes them as well and also presuming I don't have those messages in a backup. phpBB actually makes two copies of each private message. One copy sits in your outbox until you delete it. The other copy sits in the recipient's inbox until they delete it.

    Is he still an admin? I think our hacker may have changed his password and de-modded him. I know the last thing I tried messaging him about was if he could let me know if he could still log-in. To date I haven't received a reply.
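
The login check described in point 1 of the post above, as an added example (not phpBB's code and not the poster's), beside a salted, deliberately slow alternative. Unsalted MD5 gives every account with the same password the same stored value, which is what the per-user salt removes; the function names, record format and work factor are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # work factor, an assumption; tune to your hardware


def md5_record(password):
    """Scheme described in the post: store the bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_verify(password, stored):
    return hmac.compare_digest(md5_record(password), stored)


def kdf_record(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + key.hex()


def kdf_verify(password, stored):
    salt_hex, _key_hex = stored.split("$")
    candidate = kdf_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def shared_password_visible(records):
    """True when two accounts hold the same stored value, so a copied
    database shows which users share a password."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed accounts: two users who chose the same password.
    md5_rows = [md5_record("password"), md5_record("password")]
    kdf_rows = [kdf_record("password"), kdf_record("password")]
    print(md5_rows[0])                          # value quoted in the post
    print(shared_password_visible(md5_rows))    # unsalted: identical rows
    print(shared_password_visible(kdf_rows))    # salted: rows differ
    print(kdf_verify("password", kdf_rows[0]))
```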
     