Fauna HACKED!

I will try to put this in simple laymen terms and not panic people, but I think it is important that people, who do not understand how sites, servers and security work and know what hackers can do with this information.

I ran a test on this, so know its possible, this is not theory. From my computer I connected to a local server. This server is setup exactly the same way as it would be if it were publicly accessible on the Internet. I was using a regular user account and was able to get basic access into that system. Even "basic" access exposed a lot of potentially sensitive information (E-Mail records, etc.).

From that, we were able to expand the access which we had to the system, eventually upgrading to the "root" account, which is the administrative account on the system - the one who has TOTAL access to everything on the system.

I then could look at all information on that system, including information stored in the MySql data base which included, email address, Ip address, Date of Birth(if added by the user @ registration) location, website info(this is significant if they have a online business) complete private messages (PM's) that had been sent from any user to anyone else!! (Information that can also very quickly be accessed via the web by an authorized administrator), and encrypted password hashes. Those we could run on a program to match encryptions and get matches on passwords!!

These encrypted passwords are, by themselves, useless. They will not work to gain entry into the forum, and are useless on other sites that might be using the same password. However, there are many applications available for brute-force password cracking these lists in as little as a few minutes. Any search engine will direct you to the programs that can break the encryption........With a userbase of over a thousand users, some of them are bound to be using very commonly used, and easy to guess, passwords. Even if more complex, they can be gained.

Wordlists containing commonly used passwords are available even more freely than the software they're designed for, and they're updated constantly. These wordlists can be ran against an encrypted password file and complete it a matter of hours. You may not have access to all the accounts on the system with this method, but you should have a fair amount. and chances are, many of these people will have login details common to something of importance like PayPal or eBay.

Even without a word list of commonly used passwords, some of the brute-force cracking applications are able to sequentially generate a series of words & combinations. For example: If you were only allowed numeric passwords on a site, the software would start at "1", and work its way up to "99,999,999", or whatever the maximum number of characters allowed is. This would run through in a relatively short space of time, and reveal the password of every account on the system. Due to the fact that upper & lower case letters, as well as symbols (such as !#@$, etc.) are allowed in passwords, it may take a little while for this process to complete. But it is possible and only as slow as the computer(s) running them.

Information accessible is able to be downloaded to the hacking computer and used to "test" access to passwords then in turn if the same passwords are used on the paypal accts or ebay accts of those users...... boom, I have access to them and their funds or ordering.

Bottom line...... if you use the same password on here as on any commercial site, paypal, ebay or anywhere you may have funds stored or the ability to buy/sell..... CHANGE IT. Do not use any mutual passwords on those accts, or email accounts.

The real beauty of this, after accessing the root I was also able to go in and remove all info of me accessing it , so no one could ever be aware of it or was there any record left behind of me being there and what I did.

PLEASE NOTE: This was done with consent of the other party, no illegal activities took place, nor was anyone's privacy violated

If I wanted to target something to exploit for financial gain, I would look for a site of heavy registration of users, finding one with classified would tell me they have money flowing somewhere between users and add in the fact I could also get their REAL NAMES to use, which opens a whole other can of worms for me to exploit.......... makes me wonder that this site was a random act or a very smart gathering of potential information that could be profited from with little effort.

Before anyone ask, NO, I did not hack FC or know who did.... I was concerned about some questions raised here and the answers provided and wanted to test something to know the answer.

I am posting a link for a free security test on your personal computer. This has always been a reliable test. This is for windows only.

https://grc.com/x/ne.dll?bh0bkyd2


Even if you think your firewall is working it always pays to check it.
Someone has tried to access my checking account 38 times as of 4 pm est this afternoon.

Candy King

Quote:

Originally posted by Axe
Yup, like I said, it's doable, but certainly not worth the hassle.

And most importantly - don't use anything made by microsoft....

Joe Monahan

lol! that reminds me of a guy that does Security checks for website to see how hackable they are..... if he can hack em, he leaves them a nice big picture of a penguin as a calling card as their front page along with a message "do you really want to trust your website to software that is this easy to hack? USE LINUX

I thought that was so funny

I love it, I can’t believe you people really honestly believe what people say here. You people sure must trust every word out of these people to not research anything.

“Jees people, calm down.

This was just a random hack done by a bunch of cretins in Europe somewhere. They picked an IP address of a server (mine!) that was using an older version of CPanel and just did a minor inconvenience. It was not anyone specifically attacking THIS site.”

Rich Z you are hilarious. I would love to see your proof because I’m not one of your sheep that follow your garbage that is placed in front of me. That link has nothing to do with who the hacker is.

And Ritchie the one everyone love’s to believe at face value.
“Here are the best things I know.
1. get a good antivirus (Norton?)
2. get a good firewall software (Zone alarm) EASY to figure out...even a dumb ### like me
3. some hardware comes with its own firewall (routers?) this stuff is harder..definately not for me. Leave this stuff for the computer people.”

You got to be joking, cause I know you don’t lie, right?

Wow what a false sense of security. You people truly believe too much at face value.

Here’s a hint people the Hacker is from the United States, not Europe. That is pure BS.
And to show you people who it is, I will say a few more things about your hacker. I do know he is a white person, age around 15 and the last letter of the State abbreviation is I.

Let’s see how long it takes you people to figure it out.

Clock start’s now.

P.S. It wasn’t me, nor have I had any involvement in it. I just find it interesting!

You had nothing to do with it, yet you seem to know so much about the person who you claim did it.

Yup

In a lot of cases, someone who has info (specific) about something important ends up knowing a lot more then they first let on!

You seem to be hinting you know more then what you're letting on.... or maybe you are just seeking attention and trying to pick a fight with the two fauna members you mentioned by throwing in some rather weak punches?

Try wetting the paper bag next time Mario, you might punch a hole through it!

Lol, I like that one. Here’s more info to see the suspicions fly.

His hair style. It’s short and he where’s it in a spike.