User database compromised?

Pannapetar
Posts: 327
Joined: Wed Jul 29, 2009 6:05 am
Location: Chiang Mai, Thailand

User database compromised?

Post by Pannapetar » Wed Jul 16, 2014 1:40 pm

I was active on this forum some years ago.

Today I received a phishing email entitled "Your itunes account has been frozen" which prompted me to confirm my iTunes account details. This email was sent to my email address "dhammawheel@....com" which I have exclusively used on this forum and nowhere else.

Since the settings in my forum profile indicate that other users cannot send me email, I believe that this email address might have been obtained in an illicit way, i.e. by hacking your website.

You might want to investigate this by scanning your logs for suspicious access.

Kind Regards,
Pannapetar


Re: User database compromised?

Post by Pannapetar » Mon Jul 21, 2014 1:34 pm

No takers?

I don't mean to nag, but your users will probably NOT like having their dhammawheel email addresses traded by online marketeers, hackers, or phishers. Admins, you might want to look into this ASAP. I can say for sure that I did not use this email address anywhere else.

Regards, Pannapetar

vinasp
Posts: 1675
Joined: Tue Aug 18, 2009 7:49 pm
Location: Bristol. United Kingdom.

Re: User database compromised?

Post by vinasp » Mon Jul 21, 2014 1:43 pm

Hi everyone,

I have also received such an email, although I have never had an iTunes account.
It was in the spam folder and I just deleted it, so I do not know if it was malware or not.

Thank you for bringing this to our attention.

Regards, vincent.

DNS
Site Admin
Posts: 11892
Joined: Tue Dec 30, 2008 4:15 am
Location: Las Vegas, Nevada, United States of America

Re: User database compromised?

Post by DNS » Mon Jul 21, 2014 5:12 pm

I looked at the admin panel and don't see any unauthorized access. I haven't received any email like that, personally. I don't doubt that you did receive that email. Even if you never use that email for any other purpose there are computer bots that randomly search and generate spam and phishing emails to send to people. They even send out emails to randomly produced email addresses. Many bounce back, but they don't care about that. Usually these emails go to our spam folders, but sometimes they slip into the inbox.


Re: User database compromised?

Post by Pannapetar » Tue Jul 22, 2014 1:36 pm

Hi David,

Thanks for looking into this. I am quite sure that my email address wasn't randomly generated, but harvested from this board's database, because it contains the exact email address which I used here and I received no other emails from the phishers.

You would not be able to detect illicit access from looking at the control panel. For that, one would have to analyse the web server logs using some kind of detection software.

Since dhammawheel.com is not using SSL, the attacker could simply have eavesdropped an admin password and gained admin access (which is not detectable in the logs at all), or he could have used one of the known security vulnerabilities of phpBB (see this list) to obtain privileges.

As a first measure, I'd recommend inspecting the directory under the web root of the phpBB installation and making sure that the permissions are properly set. This is a common source of security holes and it's cheap/easy to fix. Next, I'd look at the phpBB version, check for vulnerabilities, and possibly upgrade. This is also fairly straightforward.

Kind Regards, Pannapetar
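
The permission check suggested in the post above can be scripted. This is an added example, not part of the original thread and not the forum's own tooling: it walks a web root and reports world-writable entries, plus a credentials file readable by other users. The file name `config.php`, the helper names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: config.php holds the board's database credentials, so any
# read access by "other" users is reported for it, not only write access.
SENSITIVE_FILES = {"config.php"}

def audit_webroot(root):
    """Return sorted (relative_path, octal_mode, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((rel, oct(mode), f"world-writable {kind}"))
            elif name in SENSITIVE_FILES and mode & stat.S_IROTH:
                findings.append((rel, oct(mode), "credentials readable by other users"))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed sample layout (not the real site's files)."""
    for d, mode in (("includes", 0o755), ("cache", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    files = {"index.php": 0o644, "config.php": 0o644,
             os.path.join("includes", "functions.php"): 0o666}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, mode, reason in audit_webroot(tmp):
            print(f"{mode}  {rel}: {reason}")
```

A flagged directory is a prompt to check whether the web server needs that access through the "other" bits at all, or could get it through ownership or group membership instead.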

robertk
Posts: 2937
Joined: Sat Jan 03, 2009 2:08 am

Re: User database compromised?

Post by robertk » Tue Jul 22, 2014 2:23 pm

Thanks for bringing this up, I also received the mail.

MarkNZed
Posts: 67
Joined: Mon Jun 23, 2014 9:27 pm

Re: User database compromised?

Post by MarkNZed » Tue Jul 22, 2014 3:36 pm

Pannapetar wrote: Hi David,

Thanks for looking into this. I am quite sure that my email address wasn't randomly generated, but harvested from this board's database, because it contains the exact email address which I used here and I received no other emails from the phishers.

You would not be able to detect illicit access from looking at the control panel. For that, one would have to analyse the web server logs using some kind of detection software.

Since dhammawheel.com is not using SSL, the attacker could simply have eavesdropped an admin password and gained admin access (which is not detectable in the logs at all), or he could have used one of the known security vulnerabilities of phpBB (see this list) to obtain privileges.

As a first measure, I'd recommend inspecting the directory under the web root of the phpBB installation and making sure that the permissions are properly set. This is a common source of security holes and it's cheap/easy to fix. Next, I'd look at the phpBB version, check for vulnerabilities, and possibly upgrade. This is also fairly straightforward.

Kind Regards, Pannapetar

As you mention, the site is not using SSL so it might be your connection to dhammawheel.com that was compromised e.g. while using a public wifi.

If the database was hacked then there would probably be more people noticing a problem.

Another possibility is that your own computer has been hacked or the email account has been hacked.

Good idea to have a dedicated email in any case.

Hopefully you use a unique password for each service too.


Re: User database compromised?

Post by DNS » Tue Jul 22, 2014 3:44 pm

I checked my spam folder and didn't see anything. I checked another email I use (not here) and in the spam folder was an itunes request from this email:
verify {at) itunes.app1le.com

Replace {at) with the real @ symbol (I wrote it that way so bots don't detect this post).

Notice that the Apple website is fake with the first L being the number 1.

If you find fake emails like this don't even open them. Sometimes the emails look much more real, as they use fake emailers and then put the trojans in the link in the email.
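
The lookalike sender domain described in the post above can be caught mechanically. This is an added example, not part of the original thread: it folds digits that imitate letters, then compares each domain label against a small brand list by edit distance. The brand allowlist, the function names and the "last two labels" rule for the registered domain are assumptions made for illustration.

```python
# Digits commonly used to imitate letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed allowlist: brand label -> registered domains allowed to use it.
BRANDS = {"apple": {"apple.com"}, "itunes": {"apple.com"}}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address):
    """Return the reasons a sender's domain looks like brand impersonation."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    labels = domain.split(".")
    # Assumption: the registered domain is the last two labels (no public
    # suffix list is consulted, so names like example.co.uk are mishandled).
    registered = ".".join(labels[-2:])
    reasons = []
    for brand, legit in BRANDS.items():
        if registered in legit:
            continue  # the brand's own domain may use the name freely
        for label in labels[:-1]:
            folded = label.translate(CONFUSABLES)
            if label == brand:
                reasons.append(f"brand '{brand}' used under unrelated domain {registered}")
            elif edit_distance(folded, brand) <= 1:
                reasons.append(f"label '{label}' resembles '{brand}'")
    return reasons

if __name__ == "__main__":
    # Sender from the post above, a legitimate-looking one, and a neutral one.
    for sender in ("verify@itunes.app1le.com", "news@itunes.apple.com",
                   "info@example.org"):
        print(sender, "->", check_sender(sender) or "no findings")
```

Folding `app1le` gives `applle`, which is one deletion away from `apple`, so the distance check is what catches it; an exact-match test after folding would miss this case.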


Re: User database compromised?

Post by Pannapetar » Wed Jul 23, 2014 6:09 am

MarkNZed wrote: As you mention, the site is not using SSL so it might be your connection to dhammawheel.com that was compromised e.g. while using a public wifi.

Very unlikely. I'm an IT professional working on a Linux computer in a secured network. I have not been using this account at all for the last 4 years, and yes, I always use dedicated email/password combinations. Which is why I am quite sure about my initial analysis. It's easy for me to block the compromised email address. Just trying to help.

Regards, Pannapetar


Re: User database compromised?

Post by MarkNZed » Sat Jul 26, 2014 9:00 pm

Pannapetar wrote:
MarkNZed wrote: As you mention, the site is not using SSL so it might be your connection to dhammawheel.com that was compromised e.g. while using a public wifi.

Very unlikely. I'm an IT professional working on a Linux computer in a secured network. I have not been using this account at all for the last 4 years, and yes, I always use dedicated email/password combinations. Which is why I am quite sure about my initial analysis. It's easy for me to block the compromised email address. Just trying to help.

Regards, Pannapetar

Assuming the server here was not compromised it could be the email server you used.
