Topic: MD5 hash password is hackable ?

Hi all,
It's very sad to tell you that our forum (with the latest release of PunBB) was hacked last week :(
Our backup server is compromised. We lost the db with md5-hashed passwords. I don't know how they can log in to our forum's admin control panel.

Could anyone here confirm for me: is an MD5 hash hackable? The admin password in this case is 10 characters long, with letters + numbers + special characters... :(
If you tell me that an MD5 hash is not hackable, then what is the cause of our accident?

Thank you,


Re: MD5 hash password is hackable ?

Hi,

Can you confirm that it was a PunBB vulnerability or did they get in from another app?

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Hi all,
It's very sad to tell you that our forum (with the latest release of PunBB) was hacked last week :(
Our backup server is compromised. We lost the db with md5-hashed passwords. I don't know how they can log in to our forum's admin control panel.

Could anyone here confirm for me: is an MD5 hash hackable? The admin password in this case is 10 characters long, with letters + numbers + special characters... :(
If you tell me that an MD5 hash is not hackable, then what is the cause of our accident?

Thank you,

Nothing is "unhackable"... however, an md5 hash is very strong; just change your passwords as a safety measure.
It's more likely your server is compromised if they can actually log in as admins in your forums, or they are sniffing your unencrypted traffic.

If your server was compromised, PunBB is unlikely to be the cause. You need a better sysadmin :P

Re: MD5 hash password is hackable ?

judas_iscariote wrote:

If your server was compromised, PunBB is unlikely to be the cause. You need a better sysadmin :P

Not very funny for those who have ever been hacked...

vnpenguin, do you have access to the server logs? They may help you find the way that was used to hijack your forum.
If you can't read the logs, ask your hosting service to send you the logs from around the 'crime' hour or for the day it happened. You could ask them to give you a backup of your database from before the assault.

bye,
habana

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Could anyone here confirm for me: is an MD5 hash hackable? The admin password in this case is 10 characters long, with letters + numbers + special characters... :(
If you tell me that an MD5 hash is not hackable, then what is the cause of our accident?

I think that it is pretty much impossible for them to crack that password.

Re: MD5 hash password is hackable ?

http://www.stachliu.com/collisions.html

Kinda proves it's hackable =/

Re: MD5 hash password is hackable ?

Ermm, how does that prove it's hackable?

Re: MD5 hash password is hackable ?

Errm, you can download the code to break an md5 encryption in less than an hour. Didn't try it yet, but I certainly will.

Re: MD5 hash password is hackable ?

elbekko wrote:

Errm, you can download the code to break an md5 encryption in less than an hour. Didn't try it yet, but I certainly will.

A. MD5 is not encryption. It is one-way hashing.
B. You need an MD5 hash for it to find a collision with in the first place :P

Re: MD5 hash password is hackable ?

MD5 is not secure anymore, for a little less than 2 years now. I doubt this was used here to hack one's forum, but in theory MD5 should not be used anymore for anything.

Re: MD5 hash password is hackable ?

Ok, then what should be used?

I don't HAVE a signature, ok?

Re: MD5 hash password is hackable ?

sha1

Re: MD5 hash password is hackable ?

Jérémie wrote:

in theory MD5 should not be used anymore for anything.

It's still useful to check files, which is what it's mostly used for :)

14 (edited by sopel 2006-05-16 11:17)

Re: MD5 hash password is hackable ?

There's no way you can decode md5, and for passwords it's still very secure, though one can use brute-force attacks, and if passwords aren't difficult (short, dictionary-word based) it won't be so difficult to crack, but the same applies to all hashing functions. Also, there are some md5 databases available on the net making it a little easier for crackers, e.g. http://md5.rednoize.com (the site seems to be down right now, but there's some further reading: http://ilia.ws/archives/68-MD5-Dictionary-Attacks.html)

"If debugging is the process of removing bugs, then programming must be the process of putting them in..."
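
The point made in the post above about weak passwords and lookup databases, as an added example that is not part of the original thread: a defender's audit that flags stored unsalted MD5 hashes found in a precomputed table, next to a per-user salted PBKDF2 hash that such a table cannot cover. The wordlist, user names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data, not taken from the thread.
WORDLIST = ["password", "letmein", "qwerty123", "dragon"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "T7#kq9!Zp2"}


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> word once; the table is valid for any unsalted MD5 store."""
    return {md5_hex(w): w for w in words}


def audit_unsalted(stored, lookup):
    """Return accounts whose stored hash is in the table (passwords to force-reset)."""
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def hash_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF: a precomputed table no longer applies."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, expected):
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)


# What an unsalted MD5 password column would contain for the sample users.
STORED_MD5 = {user: md5_hex(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("found by lookup:", audit_unsalted(STORED_MD5, build_lookup(WORDLIST)))
    print("alice == bob (unsalted):", STORED_MD5["alice"] == STORED_MD5["bob"])
    a, b = hash_salted("letmein"), hash_salted("letmein")
    print("alice == bob (salted):", a[1] == b[1])
```

The long mixed-character password is not in the table, which matches the post: the risk with a leaked unsalted hash column is concentrated in short and dictionary-based passwords.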

Re: MD5 hash password is hackable ?

But PunBB uses SHA1 hashes?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: MD5 hash password is hackable ?

Rickard wrote:

But PunBB uses SHA1 hashes?

If possible :) At least that's what the pun_hash() function tells me...

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Hi all,
It's very sad to tell you that our forum (with the latest release of PunBB) was hacked last week :(
Our backup server is compromised. We lost the db with md5-hashed passwords. I don't know how they can log in to our forum's admin control panel.

Could anyone here confirm for me: is an MD5 hash hackable? The admin password in this case is 10 characters long, with letters + numbers + special characters... :(
If you tell me that an MD5 hash is not hackable, then what is the cause of our accident?

Thank you,

From the description, it is not clear if someone compromised your system by hacking into the forum. It could be someone got hold of the server's password and then deleted the password.

18 (edited by sirena 2006-05-17 03:57)

Re: MD5 hash password is hackable ?

vnpenguin wrote:

Hi all,
It's very sad to tell you that our forum (with the latest release of PunBB) was hacked last week :(
Our backup server is compromised. We lost the db with md5-hashed passwords. I don't know how they can log in to our forum's admin control panel.

Could anyone here confirm for me: is an MD5 hash hackable? The admin password in this case is 10 characters long, with letters + numbers + special characters... :(
If you tell me that an MD5 hash is not hackable, then what is the cause of our accident?

Thank you,

Have a look at the war-stories over at the AdminZone about people's forums being hacked, and how, for some possible ideas about the way your site may have been compromised:

http://www.theadminzone.com/forums/foru … y.php?f=24

Read a few of the 'my forum has been hacked' posts to see how others have also been affected using a variety of forum packages (not just pun), and the conclusions they drew.

There are lots and lots of ways your hack could have been done, in short.

Bottom line is: it may be very hard to tell sometimes exactly how the attack was done, esp. if you aren't able to do the forensics properly due to lack of access to logs, poor change management, no baselines etc. But while it can happen to anyone, you can take some steps to reduce the risk of it happening again.

Re: MD5 hash password is hackable ?

Another MD5 lookup database:

http://md5.crysm.net/about

This has just hit the digg front page so will now be very well known about.

--Alan

Re: MD5 hash password is hackable ?

md5 is not considered secure by most security firms. I used to work at a company that stored credit card info, and to pass the security audit data had to be hashed in something stronger than md5. We ended up using sha 512.

md5 is md4 (which has been broken) with an extra round. It is def. crackable but I wouldn't worry about someone taking the time so they can get into your forum.

If you're very concerned about it, write a script that iterates through your user table, generates a new sha hash, stores it in the database for their passwords and emails the new password to each user in your user base. Then modify the punbb code to use sha instead of md5.
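
The migration script described in the post above, as an added example that is not part of the original thread and is not PunBB code. It assumes a hypothetical `users` table (`id`, `email`, `password`) in an in-memory SQLite database, and it swaps the plain "sha" hash for salted PBKDF2-HMAC-SHA512 with an assumed iteration count; sending the mail is left to the caller.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

SCHEME = "pbkdf2_sha512"
ITERATIONS = 200_000  # assumed work factor, not from the thread


def new_hash(password):
    """Encode as scheme$iterations$salt$digest so verify() can parse it later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # legacy MD5 rows no longer authenticate
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(dk.hex(), parts[3])


def migrate(conn):
    """Reset every legacy row; return (email, new_password) pairs for the mailer."""
    outbox = []
    rows = conn.execute("SELECT id, email, password FROM users").fetchall()
    for user_id, email, stored in rows:
        if stored.startswith(SCHEME + "$"):
            continue  # already migrated, so the script is safe to re-run
        temp = secrets.token_urlsafe(12)
        conn.execute("UPDATE users SET password = ? WHERE id = ?",
                     (new_hash(temp), user_id))
        outbox.append((email, temp))
    conn.commit()
    return outbox


def demo_db():
    """Constructed sample table holding unsalted MD5 hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    legacy = [("a@example.org", hashlib.md5(b"letmein").hexdigest()),
              ("b@example.org", hashlib.md5(b"T7#kq9!Zp2").hexdigest())]
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", legacy)
    return conn
```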