Wednesday, August 18, 2010

From the Vaults: HackedPHPBB

Some of you may remember an incident from January 2009, when a hacker posted a blog claiming responsibility for, and detailing, the compromise of the phpBB open source project's website (http://www.phpbb.com).

After a week or two of concentrated attention from the infosec community, and a rebuttal post by the site's maintainers, I decided to track down "Hacked PHPBB(DOT)COM" for an anonymous IRC interview, which I had planned to use on the ChromedPork podcast.

My intent in conducting this interview was to understand the motivations of a malicious attacker in the wild. I ultimately decided to delay releasing the material, however, so as not to reward anyone's attention-seeking behavior.

The hacker's original blog has since been removed, but a short write-up and a zip containing the original blog content can still be found at: http://blog.networkfoo.org/?p=463

Interview:

<multimode> Ok, so I'll just jump right into the good stuff... So on your blog you claim to have owned phpbb.com; have any of the 413 comments changed your opinion on the attack? If so, how?
<HackedPHPBB> I knew that 99% of the posts were going to be "you suck, I hate you, blah blah". I thank the people that actually put some thought into their posts. I do kinda regret releasing the phone numbers for the staff, but I got wrapped up in releasing everything and didn't really think; I just uploaded all the text files I had in my folder.

<multimode> Did the staff end up getting phone mobbed by the pla or something?
<HackedPHPBB> I haven't received any response from the staff, other than Marshal asking for my name and address. So I do not know if they are getting phone bombed.

<multimode> Why do you think I set up this interview with you?
<HackedPHPBB> To track me, Mr. FBI man?
<multimode> Nah, the only FBI I'm part of has to do with free beer initiatives.
<HackedPHPBB> Lol, to try to get some insight into a strange, screwed up "little teenaged boy living in his mom's basement, whacking off to gay porn", as a post stated?


<multimode> Today you updated your blog stating boredom as the motivation; not enough hot chicks to chase around?
<HackedPHPBB> Boredom, the "big factor" of a site, the thought that maybe I could find the next security patch and see if there was an exploit they knew about that I could exploit on other forums, or see if I could change a file in an upcoming patch to include "miscreant was here".

<multimode> What made you choose to disclose the attack publicly?
<HackedPHPBB> There's always hot chicks around; they are nice to look at. I go for the bottom feeders, that way I can only move up.
<HackedPHPBB> If I had just told the admins, they would have patched and nothing would have come from it. No props, no thank you. So I decided, why not release it publicly without a name, so it's known to all but I still get no credit.


<multimode> Comments on your blog are mostly "oh no, he pwn'd us!" How do you feel about those people?
<HackedPHPBB> Well, at first I had the blog restricted, so you needed an account, and I don't think any posts were made. So I allowed anyone to post, knowing that hundreds of retards would be posting, just like on the Area 51 threads, about retarded shit. So I couldn't care less; I know the stereotype they think I am, but I am a lot further away from what they could possibly imagine.

<multimode> Some people say that hackers tend to get caught from inexperience. How long have you been hacking?
<HackedPHPBB> Since 2000, I'd say, back on my jerry-rigged Apple system stolen from the school's dumpster.

<multimode> So far what has been your most interesting target?
<HackedPHPBB> And on getting caught: I won't. Knowing how big the site was, I covered my tracks: throwaway NIC, stolen WiFi, a different location than where I live, proxies, fake emails, wiping of hard drives, deleting all evidence.
<HackedPHPBB> I have compromised several servers (some still don't know), but they are all no-name. I have created several incidents, with a different hacking method which I won't go into detail on, that have indirectly shut down a very large gaming community site and another community site.


<multimode> Aside from attacking web servers what other kind of hacking do you do?
<HackedPHPBB> Web security is mainly what I do. I attend 2600 meetings from time to time; I've gone to them in 12 states and 4 countries so far. I helped a friend hack together a fingerprint keyless entry system for his house a couple of years back. I do some WiFi hacking from time to time.

<multimode> Do you listen to security podcasts? Which ones and why or why not?
<HackedPHPBB> I do not get a chance to, but I read up on news sites and forums.

<multimode> How do you feel about the "security" community?
<HackedPHPBB> I feel that it, like the world in general, has its left and its right. And 9/10 they refuse to see it through the eyes of the other.
<HackedPHPBB> If you find something, you have to worry about reporting it and getting jailed for "hacking". If you exploit it, you get jailed for hacking. If you report it and nothing happens, you get pissed off. So after seeing how the other side deals with it, sometimes a little bit of a wake-up call is in order.
<HackedPHPBB> For instance:
<HackedPHPBB> When I saw Kevin Mitnick give a speech when he wrote his first book, there were 2 kinds of people there: suits and ties, government officials, and hackers with binary t-shirts, the ones that were there for the real reason.


<multimode> Today on your blog you mentioned work. What do you do for your day job?
<HackedPHPBB> I work for a telecom company as a technical advisor.

<multimode> Essentially the initial attack used a 0-day; what could the target have done to better defend themselves?
<HackedPHPBB> On the date the patch was released, I was still cracking the 160,000 user accounts (of which 40,000 turned out to be successfully cracked), the dump of the emails, and the password for phplist. So if the patch had been applied, that is all that I would have walked away with. The day the site came down is the day the dump occurred, as mysqldump would time out, whereas the phpbb suite wouldn't.
<HackedPHPBB> Well, when browsing around it appeared they were trying to implement an SVN for the running site, so that unless you had the permissions you could not modify anything. They also could have used separate servers for the tasks at hand, or subdomains, to try and keep areas as separated as possible. They could have relocated logs outside of the default path.


<multimode> Did you have prior relations with the target, and did those relations motivate the attack?
<HackedPHPBB> No real relations, just one of those random facts that was stored in my head: that they were running phplist.

<multimode> Do you think that phpbb should be immune to attack because they "write good code" for free?
<HackedPHPBB> Hell no.
<HackedPHPBB> I think every site that leaves their system unprotected, a site that users trust, deserves the same right as savestarvingbabyelphantsinafrica.com to get compromised.


<multimode> Comments on your blog are mostly "oh no, he pwn'd us". How do you feel about those people?
<HackedPHPBB> It only teaches them a lesson: if you are going to trust other services instead of coding something yourself (laziness), you better patch your shit.
<HackedPHPBB> I mean phplist: they store their admin password in plain text in the MySQL database.


<multimode> How should they have gone about it?
<HackedPHPBB> Made it themselves? Shopped around? Hardened code? Used the forums to mail people?

<multimode> Reading the other comments, one might come to the conclusion that you are a noob script kiddie who kills kittens and hangs out on 4chan. Anything to say to those people?
<HackedPHPBB> I used an exploit off milw0rm, so what? I found phpbb.com, not some scanner; I found the log files to include so code could be run. I found the salt/hash. I found a way to include my avatar/uploaded files. Nothing was automated.
<HackedPHPBB> I used several tricks of the trade to achieve the hack, not just the LFI from phplist.
<HackedPHPBB> I have never killed a kitten, and the only reason I know about 4chan is because I was interested in the XSS worm that was released on the site.
<HackedPHPBB> But I haven't been on the site since the post was released.


<multimode> Your initial blog stated that you intended to sell the email addresses; did you find a buyer yet?
<HackedPHPBB> I am not into the sale of email addresses; I just said that for laughs. I knew that by releasing it to the public it wouldn't go for anything, because people could get it for free.

<multimode> Having the data, what made you decide not to sell it?
<HackedPHPBB> I don't have an account in the Cayman Islands, so I figured it wouldn't be safe.
<HackedPHPBB> And I didn't want any sort of credit for doing what I did.


<multimode> After being on the inside, do you think people should use phpbb?
<HackedPHPBB> Reason I never posted a name, or a website to visit.
<HackedPHPBB> I do. I don't believe in paying for software as is. Their team is very devoted. The admins seem like average Joes that know what they are doing. Just because they didn't patch something doesn't mean their software sucks.
<HackedPHPBB> For example, Kaspersky got hacked, customer info downloaded, but people still use their product.


<multimode> Did you have the opportunity to go the extra mile and insert your own code? Introduce vulnerabilities, etc.?
<HackedPHPBB> On the first blog I wrote, I was able to include any file; once I changed an admin's email, I recovered the password and logged in. I was able to edit the front page layout. And I wish I had taken a screenshot, but I had a shell script running on the main forum site layout.
<HackedPHPBB> Once I had an active shell that I could submit POST requests through, I was able to find a writeable directory


<multimode> Did that access allow you to modify any of the phpbb codebase?
<HackedPHPBB> and upload my own shell file, so I could do whatever I wanted from there.
<HackedPHPBB> No, the active stuff was read-only, and some of it was running from the database. All the upcoming stuff was in an offsite/domain SVN.


<multimode> How do you feel about "ethical hacking"?
<HackedPHPBB> I feel it's good to have people that do this, but I am sure many of them have crossed to the dark side out of frustration at being ignored.


<multimode> If someone wanted to offer you work as a pen tester, how could they reach you?
<HackedPHPBB> I don't want any way of being contacted; it keeps people from finding me :D
<HackedPHPBB> I also make enough money that I do not need outside income.
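
The technique at the centre of the interview is a local file inclusion abused through a web server log: include a path the attacker chooses, after first getting a PHP tag written into that file by sending it in a request header. The following PHP is an added illustration written for this post; it is not code from phplist, phpBB, or the hacker's write-up, and every file name, parameter name and log line in it is constructed for the example. It shows the vulnerable include pattern, a hardened replacement that maps the request parameter to an allowlist instead of a path, and a check for injected PHP tags over access log lines, which is how you would notice the poisoning step in your own logs.

```php
<?php
// Added example, not code from phplist, phpBB, or the hacker's post.
// Paths, parameter names and log lines are constructed for illustration.

// ---- Vulnerable: the requested file name is concatenated straight into include() ----
// A request such as  ?p=../../../../var/log/apache2/access.log&c=id  walks out of
// pages/ and includes the web server's access log. If an earlier request carried a
// User-Agent consisting of a PHP open tag followed by  system($_GET['c']);  the server
// logged that string verbatim, and include() now executes it with the web server's rights.
function render_vulnerable(string $p): void
{
    include 'pages/' . $p;
}

// ---- Hardened: map the request parameter to a fixed allowlist, never to a path ----
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

// Returns the file to include, or null when the request names anything outside the allowlist.
// Traversal strings, absolute paths and log file names are simply unknown keys.
function resolve_page(string $p): ?string
{
    return PAGES[$p] ?? null;
}

function render_hardened(string $p): void
{
    $file = resolve_page($p);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// ---- Detection: did request data that ends up in a log carry a PHP open tag? ----
// Apache's combined log format records the request line, referer and user agent, all of
// which the client controls, so a poisoning attempt shows up as "<?php" or "<?=" in the log.
function line_is_poisoned(string $line): bool
{
    return preg_match('/<\?(?:php\b|=)/i', $line) === 1;
}

function poisoned_lines(array $lines): array
{
    return array_values(array_filter($lines, 'line_is_poisoned'));
}

// Constructed sample log lines: one benign, one with an injected tag in the User-Agent field.
$sample = [
    '203.0.113.5 - - [01/Jan/2009:10:00:00 +0000] "GET /index.php?p=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2009:10:00:07 +0000] "GET /index.php?p=home HTTP/1.1" 200 512 "-" "<?php system($_GET[\'c\']); ?>"',
];

if (PHP_SAPI === 'cli') {
    var_dump(resolve_page('about'));                                    // string "pages/about.php"
    var_dump(resolve_page('../../../../var/log/apache2/access.log'));   // NULL
    print_r(poisoned_lines($sample));                                   // only the second line
}
```

The allowlist is the fix; the interviewee's other suggestion, keeping logs outside the default path and the document root, is defence in depth that only raises the cost of guessing the file to include. Setting `open_basedir` in php.ini to the application's own directory tree has the same effect for every file operation, including `include`, and is worth having even where the code is already correct.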