User database compromised?

[Pannapetar]

I was active on this forum some years ago.

Today I received a phishing email entitled "Your itunes account has been frozen" which prompted me to confirm my iTunes account details. This email was sent to my email address "[email protected]" which I have exclusively used on this forum and nowehere else.

Since the settings in my forum profile indicate that other users cannot sent me email, I believe that this email address might have been obtained in an illicit way, i.e. by hacking your website.

You might want to investigate this by scanning your logs for suspicious access.

Kind Regards,
Pannapetar

[Pannapetar]

No takers?

I don't mean to nag, but your users will probably NOT like having their dhammawheel email addresses traded by online marketeers, hackers, or phishers. Admins, you might want to look into this ASAP. I can say for sure that I did not use this email address anywhere else.

Regards, Pannapetar

[vinasp]

Hi everyone,

I have also received such an email, although I have never had an I-tunes account.
It was in the spam folder and I just deleted it, so I do not know if it was malware or not.

Thank you for bringing this to our attention.

Regards, vincent.

[DNS]

I looked at the admin panel and don't see any unauthorized access. I haven't received any email like that, personally. I don't doubt that you did receive that email. Even if you never use that email for any other purpose there are computer bots that randomly search and generate spam and phishing emails to send to people. They even send out emails to randomly produced email addresses. Many bounce back, but they don't care about that. Usually these emails go to our spam folders, but sometimes they slip into the inbox.

[Pannapetar]

Hi David,

Thanks for looking into this. I am quite sure that my email address wasn't randomly generated, but harvested from this board's database, because it contains the exact email address which I used here and I received no other emails from the phishers.

You would not be able to detect illicit access from looking at the control panel. For that, one would have to analyse the web server logs using some kind of detection software.

Since dhammawheel.com is not using SSL, the attacker could simply have eavesdropped an admin password and gain admin access (which is not detectable in the logs at all), or he could have used one of the known security vulnerabilities of phpBB (see this list) to obtain privileges.

As a first measure, I'd recommend to inspect the directory under the web root of the phpBB installation and make sure that the permissions are properly set. This is a common source of security holes and it's cheap/easy to fix. Next, I'd look at the PhpBB version, check for vulnerabilities, and possibly upgrade. This is also fairly straightforward.

Kind Regards, Pannapetar

[robertk]

Thanks for bringing this up, i also received the mail

[MarkNZed]

Hi David,

Thanks for looking into this. I am quite sure that my email address wasn't randomly generated, but harvested from this board's database, because it contains the exact email address which I used here and I received no other emails from the phishers.

You would not be able to detect illicit access from looking at the control panel. For that, one would have to analyse the web server logs using some kind of detection software.

Since dhammawheel.com is not using SSL, the attacker could simply have eavesdropped an admin password and gain admin access (which is not detectable in the logs at all), or he could have used one of the known security vulnerabilities of phpBB (see this list) to obtain privileges.

As a first measure, I'd recommend to inspect the directory under the web root of the phpBB installation and make sure that the permissions are properly set. This is a common source of security holes and it's cheap/easy to fix. Next, I'd look at the PhpBB version, check for vulnerabilities, and possibly upgrade. This is also fairly straightforward.

Kind Regards, Pannapetar

As you mention, the site is not using SSL so it might be your connection to dhammawheel.com that was compromised e.g. while using a public wifi.

If the database was hacked then there would probably be more people noticing a problem.

Another possibility is that your own computer has been hacked or the email account has been hacked.

Good idea to have a dedicated email in any case.

Hopefully you use a unique password for each service too.

[DNS]

I checked my spam folder and didn't see anything. I checked another email I use (not here) and in the spam folder was an itunes request from this email:
verify {at) itunes.app1le.com

replace{at) with the real @ symbol (I wrote it that way so bots don't detect this post)

Notice that the apple website is fake with the first L being the number 1.

If you find fake emails like this don't even open them. Sometimes the emails look much more real, as they use fake emailers and then put the trojans in the link in the email.

[Pannapetar]

As you mention, the site is not using SSL so it might be your connection to dhammawheel.com that was compromised e.g. while using a public wifi.

Very unlikely. I'm an IT professional working on a Linux computer in a secured network. I have not been using this account at all for the last 4 years, and yes, I always use dedicated email/password combinations. Which is why I am quite sure about my initial analysis. It's easy for me to block the compromised email address. Just trying to help.

Regards, Pannapetar

[MarkNZed]

As you mention, the site is not using SSL so it might be your connection to dhammawheel.com that was compromised e.g. while using a public wifi.

Very unlikely. I'm an IT professional working on a Linux computer in a secured network. I have not been using this account at all for the last 4 years, and yes, I always use dedicated email/password combinations. Which is why I am quite sure about my initial analysis. It's easy for me to block the compromised email address. Just trying to help.

Regards, Pannapetar

Assuming the server here was not compromised it could be the email server you used.