• From: VnOSS
  • Registered: 2004-09-04
  • Posts: 121

Topic: MD5 hash password is hackable ?

Hi all,
It's very sad to tell you that our forum (with latest release of PunBB) was hacked last week sad
Our backup server is compromised. We lossed db with md5 hashed-password. I dont know how they can login into our forum with admin control panel.

Anyone here could confirm me : MD5 hash is hackable ? Admin password in this case is 10 char length with letter + number + special char,... sad
If you tell me that MD5 hash is not hackable, so where is the cause of our accident ?

Thank you,

[no signature]

2 Reply by hcgtv

  • hcgtv
  • hcgtv
  • Senior Member
  • Offline
  • From: Charlotte, NC
  • Registered: 2004-06-25
  • Posts: 1,991

Re: MD5 hash password is hackable ?

Hi,

Can you confirm that it was a PunBB vulnerability or did they get in from another app?

PHPCrossRef . TXP Make . TXP Themes . TXP Tags . TXP Planet . We Love TXP

hcgtv's Website

  • Registered: 2006-04-08
  • Posts: 5

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Hi all,
It's very sad to tell you that our forum (with latest release of PunBB) was hacked last week sad
Our backup server is compromised. We lossed db with md5 hashed-password. I dont know how they can login into our forum with admin control panel.

Anyone here could confirm me : MD5 hash is hackable ? Admin password in this case is 10 char length with letter + number + special char,... sad
If you tell me that MD5 hash is not hackable, so where is the cause of our accident ?

Thank you,

nothing is "unhackeable",..however md5 hash is very strong, just change your passwords as a safety measure.
it's more likely your server is compromised if they can actaully login as admins in your forums, or they are sniffing your unencripted traffic.

If your server was compromised PunBB is unlikely to be the cause. you need a better sysadmin tongue

  • From: Paris - France
  • Registered: 2005-06-20
  • Posts: 40

Re: MD5 hash password is hackable ?

judas_iscariote wrote:

If your server was compromised PunBB is unlikely to be the cause. you need a better sysadmin tongue

Not very funny for those who have ever been hacked...

vnpenguin, do you have access to server logs ? It may help you to find the way were used to hijack your forum.
if you can't read the logs, ask to your hosting service to send you logs around the 'crime' hour or for the day it happened. You could ask them to give you a backup of your database before assault.

bye,
habana

PunBB based : All Sansa - Tout Sansa  - Forum Abc de la sécurtité informatique
not PunBB based : actualité sécurité informatique - bistouri, technicien informaticien

habana's Website

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Anyone here could confirm me : MD5 hash is hackable ? Admin password in this case is 10 char length with letter + number + special char,... sad
If you tell me that MD5 hash is not hackable, so where is the cause of our accident ?

I think that it is pretty much impossible for them to crack that password.

FluxBB.
Connorhd.co.uk.

Connorhd's Website

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: MD5 hash password is hackable ?

http://www.stachliu.com/collisions.html

Kinda proves it's hackable =/

  • Connorhd
  • Connorhd
  • Former PunBB Developer
  • Offline
  • From: Leeds, UK
  • Registered: 2004-06-13
  • Posts: 4,195

Re: MD5 hash password is hackable ?

Ermm, how does that prove its hackable?

FluxBB.
Connorhd.co.uk.

Connorhd's Website

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: MD5 hash password is hackable ?

Errm, you can download the code to break an md5 encryption in less than an hour. Didn't try it yet, but I certainly will.

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: MD5 hash password is hackable ?

elbekko wrote:

Errm, you can download the code to break an md5 encryption in less than an hour. Didn't try it yet, but I certainly will.

A. MD5 is not encryption. It is one way hashing.
B. You need an MD5 hash for it to find a collision with in the first place tongue

  • From: France
  • Registered: 2004-11-06
  • Posts: 695

Re: MD5 hash password is hackable ?

MD5 is not secure anymore, for a little less than 2 years now. I doubt this was used here to hack one's forum, but in theory MD5 should not be used anymore for anything.

Jeu de rôle en ligne sur table virtuelleShadowrun FranceChez Blacky

Jérémie's Website

  • From: Canada
  • Registered: 2004-12-12
  • Posts: 148

Re: MD5 hash password is hackable ?

Ok, then what should be used?

I don't HAVE a signature, ok?

creaturecorp's Website

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: MD5 hash password is hackable ?

sha1

  • Jansson
  • Former PunBB Developer
  • Offline
  • From: Sweden
  • Registered: 2003-01-06
  • Posts: 856

Re: MD5 hash password is hackable ?

Jérémie wrote:

in theory MD5 should not be used anymore for anything.

It's still useful to check files, which is what it's mostly used for smile

14 Reply by sopel (edited by sopel 2006-05-16 11:17)

  • sopel
  • Junior Member
  • Offline
  • From: Poland
  • Registered: 2005-10-01
  • Posts: 9

Re: MD5 hash password is hackable ?

there's no way you can decode md5 and for passwords it's still very secure, though one can use brute-force attacks and if passwords aren't difficult (short, dictionary-words based) it won't  be so difficult to crack, but the same applies to all hashing functions. also, there's some md5 databases avilable in the net making it a little easier for crackers, e.g. http://md5.rednoize.com (the site seems to be down right now, but there's some further reading : http://ilia.ws/archives/68-MD5-Dictionary-Attacks.html)

[img]http://segfaultlabs.com/img/segfault.png[/img] [img]http://img403.imageshack.us/img403/5954/8051171301197130083pp0.png[/img]
"If debugging is the process of removing bugs, then programming must be the process of putting them in..."

sopel's Website

  • From: 127.0.0.1
  • Registered: 2001-11-02
  • Posts: 9,167

Re: MD5 hash password is hackable ?

But PunBB uses SHA1 hashes?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Rickard's Website

  • From: Leuven, Belgium
  • Registered: 2005-06-14
  • Posts: 2,653

Re: MD5 hash password is hackable ?

Rickard wrote:

But PunBB uses SHA1 hashes?

If possible smile Tleast that's what the pun_hash() function tells me...

  • Registered: 2006-02-23
  • Posts: 14

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Hi all,
It's very sad to tell you that our forum (with latest release of PunBB) was hacked last week sad
Our backup server is compromised. We lossed db with md5 hashed-password. I dont know how they can login into our forum with admin control panel.

Anyone here could confirm me : MD5 hash is hackable ? Admin password in this case is 10 char length with letter + number + special char,... sad
If you tell me that MD5 hash is not hackable, so where is the cause of our accident ?

Thank you,

From the description, it is not clear if someone compromised your system by  hacking into the forum. It could be someone got hold of the server's password and then deleted the password.

Apartment Rental, For Sale, Wanted Ads | Bayarea Apartment Rental, For Sale, Wanted Ads

18 Reply by sirena (edited by sirena 2006-05-17 03:57)

  • sirena
  • sirena
  • Senior Member
  • Offline
  • Registered: 2006-04-06
  • Posts: 473

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Hi all,
It's very sad to tell you that our forum (with latest release of PunBB) was hacked last week sad
Our backup server is compromised. We lossed db with md5 hashed-password. I dont know how they can login into our forum with admin control panel.

Anyone here could confirm me : MD5 hash is hackable ? Admin password in this case is 10 char length with letter + number + special char,... sad
If you tell me that MD5 hash is not hackable, so where is the cause of our accident ?

Thank you,

Have a look at the war-stories over at the AdminZone about people's forums being hacked, and how, for some possible ideas about the way your site may have been compromised:

http://www.theadminzone.com/forums/foru … y.php?f=24

Read a few of the 'my forum has been hacked' posts to see how others have also been affected using a variety of forum packages (not just pun), and the conclusions they drew.

There are lots and lots of ways your hack could have been done, in short.

Bottom line is: it may be very hard to tell sometimes exactly how the attack was done, esp. if you aren't able to do the forensics properly due to lack of access to logs, poor change management, no baselines etc. But while it can happen to anyone, you can take some steps to reduce the risk of it happening again.

  • Registered: 2006-05-03
  • Posts: 102

Re: MD5 hash password is hackable ?

Another MD5 lookup database:

http://md5.crysm.net/about

This has just hit the digg front page so will now be very well known about.

--Alan

AlanCollier's Website

  • Registered: 2006-06-29
  • Posts: 324

Re: MD5 hash password is hackable ?

md5 is not considered secure to most security firms.  I used to work at a company that stored credit card info, and to pass the security audit data had to be hashed in something stronger than md5.  we ended up using sha 512.

md5 is md4 (which has been broken) with an extra round.  it is def. crackable but I wouldnt worry about someone taking the time so they can get into your forum.

if you're very concerned about it, write a script that iterates through your user table, generates a new sha hash, stores it in the database for their passwords and emails the new password to each user in your user base.  then modify the punbb code to use sha instead of md5.