Go Back   Computer Forums > Welcome To Computer Forums .org > Social Lounge | Off Topic
Click Here to Login
Join Computer forums Today


Reply
 
Thread Tools Search this Thread Display Modes
 
Old 05-19-2011, 04:05 AM   #31
In Runtime
 
Join Date: Mar 2011
Posts: 179
Default Re: "Hello, you just got owned"

i had no idea what was happening. i loled. who would hack a computer forum........
__________________

fractalr3 is offline   Reply With Quote
Old 05-19-2011, 04:10 AM   #32
In Runtime
 
Join Date: Mar 2011
Posts: 179
Default Re: "Hello, you just got owned"

i cant seem to post new threads anymore?
__________________

fractalr3 is offline   Reply With Quote
Old 05-19-2011, 07:47 AM   #33
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: "Hello, you just got owned"

Quote:
Originally Posted by xxPoweredgexx View Post
and so i emailed them telling them to get their S*** off of our site!
Why the hell would you do that?

It's clear from the posts here thus far that JCB has just limited damage and is looking for a permanent fix (as he hasn't said that a fix has been applied).

so you thought that you'd go poke some kind of hornets nest. and invite trouble.

cheers for that.

you've basically just started a fight with a guy who is clearly much better armed to fight it than you are, and it's not like you'll be cleaning up the mess when and if this guy does decide to exact some kind of revenge on this site for your email (which came from you, not this site).
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 05-19-2011, 07:49 AM   #34
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: "Hello, you just got owned"

Quote:
Originally Posted by Exposure View Post
i can change any of your passwords you guys are all stupid and that email as a threat you saying you will take my site down? That just caused alot more trouble Never forget me
Why don't you get a nice hobby? or indeed why don't you actually join the community and help teach other people your computer skills, (if indeed you have skills and are not just running tools developed by someone with more skill than yourself?)
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 05-19-2011, 08:22 AM   #35
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,425
Default Re: "Hello, you just got owned"

Quote:
i can change any of your passwords you guys are all stupid and that email as a threat you saying you will take my site down? That just caused alot more trouble
You most certainly could change any passwords, you could probably drop the entire database if you really wanted to. Once you've executed a pre-made script that exploits a security flaw, you can do anything you like. Not hard.

If the vulnerability isn't patched then again, you can do what you like again and again. Monkey see, monkey do, and monkey can double click over and over again with bigger and bigger threats. Unfortunately, monkey can only make threats and execute pre-defined scripts. Because if monkey was clever, monkey would be working for a company finding these flaws, not just running scripts to act out those already found.

What could the flaw be? Well I've no idea what plugins / mods are and aren't installed, but it wouldn't surprise me if one of those were to blame. The big thing I've noticed though is that we seem to be running vbulletin 4.0.6 which is rather old... the latest is 4.1.3 which fixed what looks to be like a pretty big security flaw. Whether that's what the guy is using I don't know, but it's definitely something to fix regardless.

JCB, if you read this before monkey gets here and monkey decides he doesn't want people seeing this post, then you need to take the whole site offline while you investigate this, apply all the patches you need to, make sure the site's as secure as it possibly can be then restore from a recent back up and bring it online again.

Quote:
Never forget me
Once it's been fixed, there may be some discussion for a while then within a couple of weeks you'll be long gone and forgotten.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 05-19-2011, 09:21 AM   #36
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: "Hello, you just got owned"

Quote:
Originally Posted by tomek View Post
well, apparently just the index.php was replaced. I've actually logged into the site when its hacked. So it looks like everything else works.


Quote:
Originally Posted by setishock View Post
Mine uses MD5 + salt. Good luck decoding that.
again, its crackable. Not sure if this guy it correct or not, but i will tell you that if MD5 + salt was uncrackable, the govt would be using it. Yet, the government has moved onto AES-256 bit. To this, you can say:

However, even THIS can be broken, given enough time and computing power. I had to do all of this research upon building various sites that use ultra sensitive data. In the end AES-256 prevailed. Bitch to setup on SQL Server though.
Well... the theory is that given enough time a machine can crack it, but most MD5 encryption isn't actually broken using a brute force method, it's cracked using Rainbow tables.

Take your example of tomek, and it's encryption, all I do is write down what you've encrypted, then if I see that encryption again then I don't have to spend any computing power at all, I can just know it is the word tomek that's been encoded.

(think about it you can do this in your head) you're just comparing list for list...

Salting your MD5 hash adds extra security because it alters it from the well knowns. so the rainbow tables are less effective. of course, if you have a huge list of already calculated salted and hashed values the rainbow table method would work. but since your hash can be anything, it's rather unlikely that you're going to get the same hash

so you have a list of plain English words hashed to form your rainbow table, then the people that use password as a password they are easy to spot.

but lets say that you have a salt that changes the word password into "qbttxse" (I've actually just shifted the letters).
but you'll see that when you hash that it'll be different from the hash that password would hash to. and since it's just a jumble of letters, (not a dictionary word) it's less likely to appear in any rainbow tables. (though I'm sure that huge rainbow tables of random letters do exist...)

if you generate hash tables for that particular salt (which take up not inconsiderable computing power to generate and space to actually store), then I can just change my salt key, then you'll either need some more ready prepared tables, or to calculate new ones.

While it's still not impossible to crack, indeed AES-256 is more secure than MD5.

I would hazzard a guess that AES-256 might not be available on the forum software due to US export restrictions on cryptography though? (Do these still exist?)
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 05-19-2011, 09:37 AM   #37
Site Team
 
berry120's Avatar
 
Join Date: Jul 2009
Location: England, UK
Posts: 3,425
Default Re: "Hello, you just got owned"

Salted MD5 has been broken, but it's definitely not a lot to worry about if passwords are stored in it - as has been proved there's far bigger things to worry about! (Passwords can be changed easily since the hashes can just be replaced, but the hashes themselves can't be decoded nearly as easily.) The demo I saw that broke MD5 was using it as a checksum of a file, not the password and the first few kilobytes had to remain the same then the rest had to be in a certain format - it's broken, but far from broken in the sense that anyone can take the hash and reverse it. I'm not sure anyone's actually used the exploit yet, last time I checked it was pretty theoretical and difficult to implement at best in some situations, impossible at worse.

The reason the government has moved on to other hashing algorithms (and most other people have as well actually) is not because MD5 is really insecure, it's as a matter of caution. No such weaknesses have yet been identified in SHA for instance, so it's just better practice to use that (or other such algorithms) instead of MD5. If weaknesses are exposed, they'll move on again, despite the fact it may be decades after these weaknesses actually show until practical attacks appear.
__________________
Save the whales, feed the hungry, free the mallocs.
berry120 is offline   Reply With Quote
Old 05-19-2011, 10:07 AM   #38
7D8
In Runtime
 
7D8's Avatar
 
Join Date: Oct 2006
Posts: 209
Default Re: "Hello, you just got owned"

Quote:
Originally Posted by tomek View Post
oh oh... this may have a very negative impact.
Quote:
Originally Posted by root View Post
Well... the theory is that given enough time a machine can crack it, but most MD5 encryption isn't actually broken using a brute force method, it's cracked using Rainbow tables.

Take your example of tomek, and it's encryption, all I do is write down what you've encrypted, then if I see that encryption again then I don't have to spend any computing power at all, I can just know it is the word tomek that's been encoded.

(think about it you can do this in your head) you're just comparing list for list...

Salting your MD5 hash adds extra security because it alters it from the well knowns. so the rainbow tables are less effective. of course, if you have a huge list of already calculated salted and hashed values the rainbow table method would work. but since your hash can be anything, it's rather unlikely that you're going to get the same hash

so you have a list of plain English words hashed to form your rainbow table, then the people that use password as a password they are easy to spot.

but lets say that you have a salt that changes the word password into "qbttxse" (I've actually just shifted the letters).
but you'll see that when you hash that it'll be different from the hash that password would hash to. and since it's just a jumble of letters, (not a dictionary word) it's less likely to appear in any rainbow tables. (though I'm sure that huge rainbow tables of random letters do exist...)

if you generate hash tables for that particular salt (which take up not inconsiderable computing power to generate and space to actually store), then I can just change my salt key, then you'll either need some more ready prepared tables, or to calculate new ones.

While it's still not impossible to crack, indeed AES-256 is more secure than MD5.

I would hazzard a guess that AES-256 might not be available on the forum software due to US export restrictions on cryptography though? (Do these still exist?)
Quote:
Originally Posted by berry120 View Post
Salted MD5 has been broken, but it's definitely not a lot to worry about if passwords are stored in it - as has been proved there's far bigger things to worry about! (Passwords can be changed easily since the hashes can just be replaced, but the hashes themselves can't be decoded nearly as easily.) The demo I saw that broke MD5 was using it as a checksum of a file, not the password and the first few kilobytes had to remain the same then the rest had to be in a certain format - it's broken, but far from broken in the sense that anyone can take the hash and reverse it. I'm not sure anyone's actually used the exploit yet, last time I checked it was pretty theoretical and difficult to implement at best in some situations, impossible at worse.

The reason the government has moved on to other hashing algorithms (and most other people have as well actually) is not because MD5 is really insecure, it's as a matter of caution. No such weaknesses have yet been identified in SHA for instance, so it's just better practice to use that (or other such algorithms) instead of MD5. If weaknesses are exposed, they'll move on again, despite the fact it may be decades after these weaknesses actually show until practical attacks appear.
I agree with both of you. Let us also not forget, that the security has to be proportional to the content you are securing. For a forum like this, MD5 is plenty enough, unless you start posting super secret Taco Bell recipes that you don't want stolen, than you have a problem.

on another note:

So, as far as the forum goes, when we do the updates and we Mr. Hacker gets bored, can we actually get some dark themes for this forum. As a programmer, I'm a big fan of the dark schemes for my IDE's, and when I open this forum I get a big shiny white screen which imprints itself into my retinas. I'm not saying this is a DEFAULT, but I would like the ability to choose a dark scheme for my profile. Some cool options would also be nice.
7D8 is offline   Reply With Quote
Old 05-19-2011, 10:37 AM   #39
Site Team
 
root's Avatar
 
Join Date: Mar 2004
Posts: 7,999
Default Re: "Hello, you just got owned"

Quote:
Originally Posted by berry120 View Post
The big thing I've noticed though is that we seem to be running vbulletin 4.0.6 which is rather old...
The irony of course being that cyberhackerz.net appears to be running 3.8.5
fazedgamerz.com/ is running 3.8.7 (and has 18 posts) do I sense jealousy of a more active forum?

dgsecurityteam.com appears to run the latest version but again is a completely inactive forum...


look at the source of the hacked page.
<!--img src="http://operatorchan.org/t/src/t223059_1442814-trollface_super.jpg"></img-->
that particular line made me laugh a bit. can't actually write their own hacked page even just ripped off the hard work of a 4channer

to get an idea of the people that you're dealing with here look at this page.

http://www.fazedgamerz.com/computer_..._spam_bot.html
just found a hacking tool, so yeah, pretty much script kiddy just down loading tools that others make.
the guys there are publishing their MSN addresses.

then one of them confirms that it's him...

so the list of names are
redecline@hotmail.com
time_out_1995@hotmail.com
realitymodz@hotmail.com
hasaanp@ymail.com
jake.__@live.co.uk
[edited] (see post #72)
yahoo:jtakwan@yahoo.com
jeremy_hughes95@live.com
kane_kirkpatrick@hotmail.co.uk
ngugecko@hotmail.com
ocelotcr@hotmail.co.uk
joshd232@hotmail.com
talktofrankbot@hotmail.co.uk
bieber_buddy@hotmail.com
[edited] (see post #72 of this thread)

then the admin there confirms that one of those addresses is theirs! what I would say is that from that list, I'm guessing that the kind of people we're dealing with here are about 16. (most likely realitymodz@hotmail.com)
actually I can look at the profiles and see that both these guys are actually just 15...

which kinda makes me feel old since I was starting to hack our school network whilst they weren't even an itch in their daddies nut sacks.

speaking of daddies, Perhaps we should write to the little guys daddy? I'm sure that Jeffrey would be interested to know what the little mite gets up to when he's not wanking and crying?

on defaced.com.nu it becomes even more clear if you poke around that they've just ripped off hacks from a more competent person.

if you right click the page it says "IP logged"

funny, the code doesn't seem to support this!

Code:
var mymessage = "IP Address Logged, I WILL come for you. ~ Exposure";
function rtclickcheck(keyp){
  if (navigator.appName == "Netscape" && keyp.which == 3) {
    alert(mymessage);
    return false;
  }
  if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) {
    alert(mymessage);
    return false;
  }
}
document.onmousedown = rtclickcheck
//-->

of course, if they'd loaded the pictures on their own machine rather than a free host then they might have been able to look at the access logs to determine who was looking at their page (and capture a few public IPs)...

but that's not what's happening here.



so basically.... what we're talking about is a couple of 15 year old kids, who've ripped off scripts written by 4channers. (badly). who have the grandios idea that they want to be security consultants, yet don't seem to realise that the worst advert for a security company is to hack another site.

as a hint to you guys...
1 stop hacking forums, there is a paper trail.
when you do hack forums don't leave the kind of information that will allow me to trace you back to your house!
2 Browsing this forum from a VPS box was a pretty decent idea, but clearly hasn't stopped be from being able to find your house, your family names, the planning applications for the extension that you built a few years ago, your fathers name, your mothers name and allows me to say get a decent hair cut, right now it looks a little like your mum put a bowl on your head and cut round the sides.
3 stop using the LOIC tool that I see is stored in your webspace.
for these reasons
a, it doesn't make you cool
b, there is no anonymity spoofing or proxying built into that tool, it just connects straight to the site and floods on someone else's behalf leaving you as the ones that have participated in a crime.

For your little friends I think I've figured out where one of your dads works.

you'd best be careful, I can say with confidence that in the parts of the world that you all live in computer crimes are dealt with pretty seriously...
whilst you guys are all 15 (and so not legally viable for prosecution) the kind of tools that are on your computers could lead to your computers being removed (and I mean by the police, not your parents).
and next year later this year you'll be old enough to be tried for your crimes as an adult.

I'll admit that your house isn't as nice as your neighbours appear to be on google maps, but it'd be a real shame if your parents lost it hiring lawyers to defend you in court.
and for your little Oz friend, clean your garden up, it's a fucking disgrace.

of course, it might be the third person in your little band of hackers that's taking down this site... in which case it'd be a real shame if he got to go unpunished whilst they rest of you guys are pretty much only a phone call to your parents away from being grounded... (another hint to you, there is no loyalty amongst thieves) -by which I mean that you'll all sell each other out for a better deal without even blinking.

Anyways. I best get back to work...
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is offline   Reply With Quote
Old 05-19-2011, 11:10 AM   #40
7D8
In Runtime
 
7D8's Avatar
 
Join Date: Oct 2006
Posts: 209
Default Re: "Hello, you just got owned"

Quote:
Originally Posted by root View Post
...I best get back to work...
Please do, and lets do preventive measures this time (and add a dark theme )

I'm curious, was the host compromised or just vBulletin?
__________________

7D8 is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off



All times are GMT -5. The time now is 01:00 PM.


Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Search Engine Friendly URLs by vBSEO 3.6.0