11
Mamba
Re: Username & Password HACK
  • 2012/3/25 13:01

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


I would run a query and assign a random password for all users.

Then from XOOPS send an email to everybody telling them that for security purposes, all passwords have been changed, and they should use the function "Forgot Password" at Login, to receive a new one.

You could also add a temporary block with a notification above the "Login" block, so they don't panic if their password doesn't work and they can't login.

The only drawback is if they changed the email address, and cannot retrieve the new password. Then they would have to contact you, and you would need to set and email them directly a new password, but you would need to check for some detailed info to make sure that this is the proper person applying for this new password.

Just a thought....
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

12
redheadedrod
Re: Username & Password HACK

This is a good reason why we should have password expiration built into the system.

This is a good thing for me to add to the Groups "hack" I will be looking into.

But I agree with Mamba that would likely be the easiest solution for now. Randomly pick new passwords for your members and send them an email.

Since you have done the work of going through the passwords and looking you could do it by hand and only do those that are simple passwords. But with 600+ people it would be simpler to just change everyones password at this time and send them an email like Mamba has suggested.

When I do the "hack" for the groups stuff I will also add a password expire system.
I will also be providing a patch for profile that will work as well for a more secure password but that will be a little while since I am already working on the install script when I can.



Attending College working towards Bachelors in Software Engineering and Network Security.

13
Anonymous
Re: Username & Password HACK
  • 2012/3/25 19:35

  • Anonymous

  • Posts: 0

  • Since:


I don't know about the password expiration system Rodney, people nowadays tend to have dozens of accounts on all kinds of sites. I would not like all those sites forcing me to chance my password once in a while. Most of the sites I registered myself where for looking around once, I don't like to get to get spammed by them with password expiration mails...

Forcing users to choose a secure password is a better idea. Force them to use one capital and some digits. And educate them on how to make passwords secure.

14
Peekay
Re: Username & Password HACK
  • 2012/3/25 21:05

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


I agree that requiring at least one number is quite a good idea. If someone uses the password 'apples', their account is going to be compromised sooner or later, whereas 'apples22' is unlikely to be guessed. It's just 8 characters, but it would be a pain to write a script to apply a numeric combination to every common type of fruit.

Of course, 'aPPles9T4q' would be better for a webmaster account, but the current maturity of the internet is such that people often use dozens of online resources. A lot of people use the same password for everything and as long as it's not guessable, there shouldn't be a problem.

I wouldn't make the password length too high. If you did use 'apples22' for everything it is really annoying to be faced with a 20 character password minimum.

Zen Cart now forces a change of administrator password every month, but it has not been favourably received. It seems pointless to replace one unguessable password with another one.
A thread is for life. Not just for Christmas.

15
Anonymous
Re: Username & Password HACK
  • 2012/3/25 22:14

  • Anonymous

  • Posts: 0

  • Since:


I'd suggest a >>new thread<< for this discussion, but just one more word @Peekay ...

Indeed good scripting is not the issue, I guess the xoops user system is very secure. Social engineering really is an underrated issue. You suggest many people tend to use the same login credentials at many sites, which is a big mistake. We take care not to leave our passwords at fishing sites but don't mind using the same credentials at obscure hobby sites. Just one unreliable webmaster fooling around with your credentials on sites like Itunes or Paypal can cause a lot of damage...

16
mutley8
Re: Username & Password HACK
  • 2012/3/26 8:44

  • mutley8

  • Just popping in

  • Posts: 9

  • Since: 2012/3/23


UPDATE 4:
Firstly thanks to everyone who has chipped in on this matter, it really is quite calming that I have received help and advice from you.
I also think xoops is a secure platform, as yet I have not found an 'leaks' in my additional pages or coding but that does not mean there are not any so I continue to look.

OK, I opened the site for a few hours, in that time a property was added to the database, this was done I assume by the 'hacker' logging into an account as this is the only way it can be done, the page that adds a property to the database is also coded only to allow that member access to the page.

I also switched 'off' 'Members can change their own email', alas the email on the account was changed, so this now is becoming more confusing, with out this feature I am guessing it's an injection although Protector has not picked anything up...

On the comment of forced password change, personally not a good idea, do you know how many people contact me who have forgotten their password ('forgotten password' feature also disabled).

17
Mamba
Re: Username & Password HACK
  • 2012/3/26 9:21

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Quote:
OK, I opened the site for a few hours, in that time a property was added to the database,

Did you change all Admin passwords, incl. the password for host Admin access and MySQL access?

Check your Apache logs, and contact your Host to look into any potential security breach.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

18
mutley8
Re: Username & Password HACK
  • 2012/3/26 12:10

  • mutley8

  • Just popping in

  • Posts: 9

  • Since: 2012/3/23


Hi Mamba,
I am working through this, stage by stage, my first priority is to get unsecure passwords sorted even if the website has to stay closed for a few days, after running them all through an md5 hashcraker (not actually a cracker but a database of md5 hash codes that have been discovered) 301 were insecure.

All 3 admin usernames & passwords have been reset.

Hosting admin p/word changed, log files show no breach.

The process of changing the MySql database name and password is underway with a rebuild using xoops 2.5.4, if I am going to the trouble of sorting this issue I may as well start using the latest xoops !!

Once satisfied that all is working as it should and the new secure passwords are in place I will reopen the site with the new installation.

I can't thank you guys enough for your input, I am sure this is not a xoops issue, as I have said before I have several hobby sites built using xoops and never had this issue, but probably one of my own doing in my PHP/MySql coding.

19
mutley8
Re: Username & Password HACK
  • 2012/5/12 9:05

  • mutley8

  • Just popping in

  • Posts: 9

  • Since: 2012/3/23


UPDATE:
OK so it has been a while now and I have had no further 'unwanted' visitors gaining access to our website, Protector has stopped 4 attempts to login by 'Brute Force' which is great news, however I have a question you may be able to answer, I also installed Xortify as suggested, my only problem here is that I see in it's reports that it stops crawler robots such as MSN & Google from crawling the website... does this have an effect on how our websites get listed by the search engines ?
For us it is all about getting on search engines and being seen...
Suggestions or advice would be greatly appreciated.

Regards

Login

Who's Online

241 user(s) are online (129 user(s) are browsing Support Forums)


Members: 0


Guests: 241


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits