"Hello, you just got owned"
- Thread starter berry120
- Start date
Why the hell would you do that?
It's clear from the posts here thus far that JCB has just limited damage and is looking for a permanent fix (as he hasn't said that a fix has been applied).
so you thought that you'd go poke some kind of hornets nest. and invite trouble.
cheers for that.
you've basically just started a fight with a guy who is clearly much better armed to fight it than you are, and it's not like you'll be cleaning up the mess when and if this guy does decide to exact some kind of revenge on this site for your email (which came from you, not this site).
Why don't you get a nice hobby? or indeed why don't you actually join the community and help teach other people your computer skills, (if indeed you have skills and are not just running tools developed by someone with more skill than yourself?)
You most certainly could change any passwords, you could probably drop the entire database if you really wanted to. Once you've executed a pre-made script that exploits a security flaw, you can do anything you like. Not hard.
If the vulnerability isn't patched then again, you can do what you like again and again. Monkey see, monkey do, and monkey can double click over and over again with bigger and bigger threats. Unfortunately, monkey can only make threats and execute pre-defined scripts. Because if monkey was clever, monkey would be working for a company finding these flaws, not just running scripts to act out those already found.
What could the flaw be? Well I've no idea what plugins / mods are and aren't installed, but it wouldn't surprise me if one of those were to blame. The big thing I've noticed though is that we seem to be running vbulletin 4.0.6 which is rather old... the latest is 4.1.3 which fixed what looks to be like a pretty big security flaw. Whether that's what the guy is using I don't know, but it's definitely something to fix regardless.
JCB, if you read this before monkey gets here and monkey decides he doesn't want people seeing this post, then you need to take the whole site offline while you investigate this, apply all the patches you need to, make sure the site's as secure as it possibly can be then restore from a recent back up and bring it online again.
Once it's been fixed, there may be some discussion for a while then within a couple of weeks you'll be long gone and forgotten.
Well... the theory is that given enough time a machine can crack it, but most MD5 encryption isn't actually broken using a brute force method, it's cracked using Rainbow tables.
Take your example of tomek, and it's encryption, all I do is write down what you've encrypted, then if I see that encryption again then I don't have to spend any computing power at all, I can just know it is the word tomek that's been encoded.
(think about it you can do this in your head) you're just comparing list for list...
Salting your MD5 hash adds extra security because it alters it from the well knowns. so the rainbow tables are less effective. of course, if you have a huge list of already calculated salted and hashed values the rainbow table method would work. but since your hash can be anything, it's rather unlikely that you're going to get the same hash
so you have a list of plain English words hashed to form your rainbow table, then the people that use password as a password they are easy to spot.
but lets say that you have a salt that changes the word password into "qbttxse" (I've actually just shifted the letters).
but you'll see that when you hash that it'll be different from the hash that password would hash to. and since it's just a jumble of letters, (not a dictionary word) it's less likely to appear in any rainbow tables. (though I'm sure that huge rainbow tables of random letters do exist...)
if you generate hash tables for that particular salt (which take up not inconsiderable computing power to generate and space to actually store), then I can just change my salt key, then you'll either need some more ready prepared tables, or to calculate new ones.
While it's still not impossible to crack, indeed AES-256 is more secure than MD5.
I would hazzard a guess that AES-256 might not be available on the forum software due to US export restrictions on cryptography though? (Do these still exist?)
Salted MD5 has been broken, but it's definitely not a lot to worry about if passwords are stored in it - as has been proved there's far bigger things to worry about! (Passwords can be changed easily since the hashes can just be replaced, but the hashes themselves can't be decoded nearly as easily.) The demo I saw that broke MD5 was using it as a checksum of a file, not the password and the first few kilobytes had to remain the same then the rest had to be in a certain format - it's broken, but far from broken in the sense that anyone can take the hash and reverse it. I'm not sure anyone's actually used the exploit yet, last time I checked it was pretty theoretical and difficult to implement at best in some situations, impossible at worse.
The reason the government has moved on to other hashing algorithms (and most other people have as well actually) is not because MD5 is really insecure, it's as a matter of caution. No such weaknesses have yet been identified in SHA for instance, so it's just better practice to use that (or other such algorithms) instead of MD5. If weaknesses are exposed, they'll move on again, despite the fact it may be decades after these weaknesses actually show until practical attacks appear.
The reason the government has moved on to other hashing algorithms (and most other people have as well actually) is not because MD5 is really insecure, it's as a matter of caution. No such weaknesses have yet been identified in SHA for instance, so it's just better practice to use that (or other such algorithms) instead of MD5. If weaknesses are exposed, they'll move on again, despite the fact it may be decades after these weaknesses actually show until practical attacks appear.
7D8
In Runtime
- Messages
- 209
I agree with both of you. Let us also not forget, that the security has to be proportional to the content you are securing. For a forum like this, MD5 is plenty enough, unless you start posting super secret Taco Bell recipes that you don't want stolen, than you have a problem.
on another note:
So, as far as the forum goes, when we do the updates and we Mr. Hacker gets bored, can we actually get some dark themes for this forum. As a programmer, I'm a big fan of the dark schemes for my IDE's, and when I open this forum I get a big shiny white screen which imprints itself into my retinas. I'm not saying this is a DEFAULT, but I would like the ability to choose a dark scheme for my profile. Some cool options would also be nice.
The irony of course being that cyberhackerz.net appears to be running 3.8.5
fazedgamerz.com/ is running 3.8.7 (and has 18 posts) do I sense jealousy of a more active forum?
dgsecurityteam.com appears to run the latest version but again is a completely inactive forum...
look at the source of the hacked page.
<!--img src="http://operatorchan.org/t/src/t223059_1442814-trollface_super.jpg"></img-->
that particular line made me laugh a bit. can't actually write their own hacked page even just ripped off the hard work of a 4channer
to get an idea of the people that you're dealing with here look at this page.
http://www.fazedgamerz.com/computer_programming/12-msn_spam_bot.html
just found a hacking tool, so yeah, pretty much script kiddy just down loading tools that others make.
the guys there are publishing their MSN addresses.
then one of them confirms that it's him...
so the list of names are
redecline@hotmail.com
time_out_1995@hotmail.com
realitymodz@hotmail.com
hasaanp@ymail.com
jake.__@live.co.uk
[edited] (see post #72)
yahoo:jtakwan@yahoo.com
jeremy_hughes95@live.com
kane_kirkpatrick@hotmail.co.uk
ngugecko@hotmail.com
ocelotcr@hotmail.co.uk
joshd232@hotmail.com
talktofrankbot@hotmail.co.uk
bieber_buddy@hotmail.com
[edited] (see post #72 of this thread)
then the admin there confirms that one of those addresses is theirs! what I would say is that from that list, I'm guessing that the kind of people we're dealing with here are about 16. (most likely realitymodz@hotmail.com)
actually I can look at the profiles and see that both these guys are actually just 15...
which kinda makes me feel old since I was starting to hack our school network whilst they weren't even an itch in their daddies nut sacks.
speaking of daddies, Perhaps we should write to the little guys daddy? I'm sure that Jeffrey would be interested to know what the little mite gets up to when he's not wanking and crying?
on defaced.com.nu it becomes even more clear if you poke around that they've just ripped off hacks from a more competent person.
if you right click the page it says "IP logged"
funny, the code doesn't seem to support this!
Code:
var mymessage = "IP Address Logged, I WILL come for you. ~ Exposure";
function rtclickcheck(keyp){
if (navigator.appName == "Netscape" && keyp.which == 3) {
alert(mymessage);
return false;
}
if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) {
alert(mymessage);
return false;
}
}
document.onmousedown = rtclickcheck
//-->of course, if they'd loaded the pictures on their own machine rather than a free host then they might have been able to look at the access logs to determine who was looking at their page (and capture a few public IPs)...
but that's not what's happening here.
so basically.... what we're talking about is a couple of 15 year old kids, who've ripped off scripts written by 4channers. (badly). who have the grandios idea that they want to be security consultants, yet don't seem to realise that the worst advert for a security company is to hack another site.
as a hint to you guys...
1 stop hacking forums, there is a paper trail.
when you do hack forums don't leave the kind of information that will allow me to trace you back to your house!
2 Browsing this forum from a VPS box was a pretty decent idea, but clearly hasn't stopped be from being able to find your house, your family names, the planning applications for the extension that you built a few years ago, your fathers name, your mothers name and allows me to say get a decent hair cut, right now it looks a little like your mum put a bowl on your head and cut round the sides.
3 stop using the LOIC tool that I see is stored in your webspace.
for these reasons
a, it doesn't make you cool
b, there is no anonymity spoofing or proxying built into that tool, it just connects straight to the site and floods on someone else's behalf leaving you as the ones that have participated in a crime.
For your little friends I think I've figured out where one of your dads works.
you'd best be careful, I can say with confidence that in the parts of the world that you all live in computer crimes are dealt with pretty seriously...
whilst you guys are all 15 (and so not legally viable for prosecution) the kind of tools that are on your computers could lead to your computers being removed (and I mean by the police, not your parents).
and next year later this year you'll be old enough to be tried for your crimes as an adult.
I'll admit that your house isn't as nice as your neighbours appear to be on google maps, but it'd be a real shame if your parents lost it hiring lawyers to defend you in court.
and for your little Oz friend, clean your garden up, it's a fucking disgrace.
of course, it might be the third person in your little band of hackers that's taking down this site... in which case it'd be a real shame if he got to go unpunished whilst they rest of you guys are pretty much only a phone call to your parents away from being grounded... (another hint to you, there is no loyalty amongst thieves) -by which I mean that you'll all sell each other out for a better deal without even blinking.
Anyways. I best get back to work...
7D8
In Runtime
- Messages
- 209
Please do, and lets do preventive measures this time (and add a dark theme
)I'm curious, was the host compromised or just vBulletin?
