Fauna HACKED!

Status
Not open for further replies.
I agree it's probably not a concern, but I still thought it should be thrown out there.

As for sorting through all the members? Nah, why sort through all when you can see the top 5 active threads here with members who are more than likely big spenders. That wouldn't take long if they indeed have the capability to do something of that sort.

Bear in mind I have no clue what I'm talking about. php and MySQL databases are beyond me at this point.
 
Jees people, calm down.

This was just a random hack done by a bunch of cretins in Europe somewhere. They picked an IP address of a server (mine!) that was using an older version of CPanel and just did a minor inconvenience. It was not anyone specifically attacking THIS site.

There is a discussion about this on WebHostingTalk:

Hack thread

And to answer a question asked earlier, whenever someone requests their password to be sent, they are NOT sent their current password. The system generates a new one and sends that one to the original registered member's email address. Even if I REALLY wanted to, there is no way for ME to get someone's password. And I have full access to MySQL and everything else on my server.
 
WebSlave said:
And to answer a question asked earlier, whenever someone requests their password to be sent, they are NOT sent their current password. The system generates a new one and sends that one to the original registered member's email address.

Cool, that's what I thought. I've not forgotten my passwords on vB sites, so I've never had to have it E-Mail me, heh.

Even if I REALLY wanted to, there is no way for ME to get someone's password. And I have full access to MySQL and everything else on my server.

That's not true. ANY password file, no matter how well encrypted can be at least brute-forced to reveal insecure passwords quickly. The more difficult passwords can also be cracked, although this can take a long time for a PC to generate the possible combinations.

If vBulletin works the same way as many other scripts with encrypted passwords, then the passwords are not decrypted by vBulletin and checked against the one entered. Many use a one-way encryption that can not be decrypted. So, instead, they encrypt the password the user entered, and compare the two encrypted strings. This is a very common practice these days, and has been around for a LONG time - Unix & Linux system user passwords for example (as well as .htaccess protected URLs).

But like I said, brute force password cracking can, and eventually will, get around this. Sure, it's a lot of combinations, and may take a while, but it's doable.

Even if the password length is restricted to only 8 characters, you're still talking about a rough total of 72,057,594,037,927,936 possible combinations. But with a PC testing a few thousand of these combinations per second, and several PCs possibly testing millions of these per second, it shortens down the time a lil.

And then there are just wordlists that can be downloaded containing commonly used passwords (names of people, popular names of pets, makes & models of cars, etc.) and even this limited set of words, on a large site, will reveal some vulnerable accounts.

With a wordlist, you either find insecure accounts, or you don't. With a generator creating all possible combinations, it's only a matter of time (and lots of it, heh) before you could have the password of every account on the system. Although, by the time you've cracked them all, most of them will probably have been changed.
 
I just pulled this from the vBulletin site:

A hash is a one-way cipher. Which means that it cannot be decrypted. It is encrypted and all login attempts are encrypted using the same key, if the hashes match then you are authorized.

Yes, certainly ANY password can be discovered if enough time and effort is applied to it, but what the heck would be HERE that would be worth that kind of effort from anyone? To impersonate someone? Sheesh, if I were going to go through all of that effort, I would certainly not waste my time with this penny ante stuff. I just had a discussion this weekend with a guy that had his PayPal password hacked and had not only his PayPal account sucked dry, but his checking account and his credit cards as well.
 
WebSlave said:
Yes, certainly ANY password can be discovered if enough time and effort is applied to it, but what the heck would be HERE that would be worth that kind of effort from anyone? To impersonate someone? Sheesh, if I were going to go through all of that effort, I would certainly not waste my time with this penny ante stuff. I just had a discussion this weekend with a guy that had his PayPal password hacked and had not only his PayPal account sucked dry, but his checking account and his credit cards as well.

Yup, like I said, it's doable, but certainly not worth the hassle. :)
 
okay you are all confusing me with this computer stuff.
to tell you the truth...I have books on C, my sql, php, html and other stuff. The wife says she will no longer buy me computer books. I read the first 5-10 pages then it goes on my bookshelf...it is all gibberish to me. there is just so much computer information and computer language to figure out. way way way too much info. I will just play with my reptiles. oh wait.....that is a lie.. I still open up my html book to copy codes for my website.

Here are the best things I know.
1. get a good antivirus (Norton?)
2. get a good firewall software (Zone alarm) EASY to figure out...even a dumb ### like me
3. some hardware comes with its own firewall (routers?) this stuff is harder..definitely not for me. Leave this stuff for the computer people.

with all that being said
I still want to know who this guy is
whois -h whois.cjb.net nofear.cjb.net

CJB.NET WHOIS Server [whois.cjb.net]

Hostname: NOFEAR.CJB.NET
Registrant: [email protected]

Redirected To: http://no-fear.bfgservers.com/html/

IP Address: None
MX Address: None

DNS Server: None

If unused, this account will expire on 7 Jun 2003.
 
My theory remains that it would be far easier to hack a memberlist consisting of paypal users than it would be to attempt to hack paypal directly.
 
Ritchie Luna said:
Here are the best things I know.
1. get a good antivirus (Norton?)
2. get a good firewall software (Zone alarm) EASY to figure out...even a dumb ### like me
3. some hardware comes with its own firewall (routers?) this stuff is harder..definitely not for me. Leave this stuff for the computer people.

I can't agree with #1 more. Both that a decent anti-virus/mailing scanning software is required, and that Norton is the best!

For #2 & #3, I combine the two. Software firewalls can easily be knocked out and bypassed if you know how, and dedicated hardware routers can be a real pain in the ass.

I use a Linux box with two network cards. One goes to the cablemodem, the other goes to a hub and on to all the other machines, forwarding ports, etc. where they need to go. So I have an actual entire PC dedicated to just routing network traffic and keeping my LAN separate from the rest of the world, except for what I allow.

Works very well, and takes a lil longer to setup than just a lil router box, but much more reliable & configurable.
 
Ritchie,

I would seriously doubt that any hacker would post a message pointing back to themselves as the culprit. At best it may be someone whom they are pissed at, using the message to direct ire at them, and perhaps THAT targeted person may have a good idea of who would be pissed at them enough to do something like that.

My opinion is that the message is a red herring. So I wouldn't waste my time trying to track it down.
 
I will try to put this in simple layman's terms and not panic people, but I think it is important that people who do not understand how sites, servers and security work know what hackers can do with this information.

I ran a test on this, so I know it's possible, this is not theory. From my computer I connected to a local server. This server is set up exactly the same way as it would be if it were publicly accessible on the Internet. I was using a regular user account and was able to get basic access into that system. Even "basic" access exposed a lot of potentially sensitive information (E-Mail records, etc.).

From that, we were able to expand the access which we had to the system, eventually upgrading to the "root" account, which is the administrative account on the system - the one who has TOTAL access to everything on the system.

I then could look at all information on that system, including information stored in the MySQL database, which included email address, IP address, date of birth (if added by the user at registration), location, website info (this is significant if they have an online business), complete private messages (PMs) that had been sent from any user to anyone else!! (information that can also very quickly be accessed via the web by an authorized administrator), and encrypted password hashes. Those we could run on a program to match encryptions and get matches on passwords!!

These encrypted passwords are, by themselves, useless. They will not work to gain entry into the forum, and are useless on other sites that might be using the same password. However, there are many applications available for brute-force password cracking these lists in as little as a few minutes. Any search engine will direct you to the programs that can break the encryption........With a userbase of over a thousand users, some of them are bound to be using very commonly used, and easy to guess, passwords. Even if more complex, they can be gained.

Wordlists containing commonly used passwords are available even more freely than the software they're designed for, and they're updated constantly. These wordlists can be run against an encrypted password file and complete in a matter of hours. You may not have access to all the accounts on the system with this method, but you should have a fair amount, and chances are, many of these people will have login details common to something of importance like PayPal or eBay.

Even without a word list of commonly used passwords, some of the brute-force cracking applications are able to sequentially generate a series of words & combinations. For example: If you were only allowed numeric passwords on a site, the software would start at "1", and work its way up to "99,999,999", or whatever the maximum number of characters allowed is. This would run through in a relatively short space of time, and reveal the password of every account on the system. Due to the fact that upper & lower case letters, as well as symbols (such as !#@$, etc.) are allowed in passwords, it may take a little while for this process to complete. But it is possible and only as slow as the computer(s) running them.

Information accessible is able to be downloaded to the hacking computer and used to "test" access to passwords then in turn if the same passwords are used on the paypal accts or ebay accts of those users...... boom, I have access to them and their funds or ordering.

Bottom line...... if you use the same password on here as on any commercial site, paypal, ebay or anywhere you may have funds stored or the ability to buy/sell..... CHANGE IT. Do not use any mutual passwords on those accts, or email accounts.

The real beauty of this, after accessing the root I was also able to go in and remove all info of me accessing it, so no one could ever be aware of it, nor was there any record left behind of me being there and what I did.

PLEASE NOTE: This was done with consent of the other party, no illegal activities took place, nor was anyone's privacy violated

If I wanted to target something to exploit for financial gain, I would look for a site of heavy registration of users, finding one with classified would tell me they have money flowing somewhere between users and add in the fact I could also get their REAL NAMES to use, which opens a whole other can of worms for me to exploit.......... makes me wonder that this site was a random act or a very smart gathering of potential information that could be profited from with little effort.

Before anyone asks, NO, I did not hack FC or know who did.... I was concerned about some questions raised here and the answers provided and wanted to test something to know the answer.
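
An added example, not part of the original thread and not vBulletin's code: a Python sketch of the hash-and-compare login check described in the earlier post about one-way encryption, with the registration-time denylist that blunts the wordlist matching described in the post above, plus the arithmetic behind the 8-character figure quoted earlier (128 symbols per position gives exactly that total). Salted PBKDF2, the iteration count, the denylist contents, the 12-character minimum and the two guess rates are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch
# Constructed sample denylist; a real one would be a large common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon"}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Hash the login attempt with the stored salt and compare the digests."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def is_acceptable(password: str) -> bool:
    """Registration-time check: refuse short or wordlist-style passwords."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt, stored = hash_password("a long unique passphrase")
    print(verify_password("a long unique passphrase", salt, stored))
    print(verify_password("password", salt, stored))
    space = keyspace(128, 8)  # 128 symbols x 8 positions = the thread's figure
    for rate in (5_000, 5_000_000):  # assumed rates for "thousands" / "millions"
        print(f"{rate:>9,}/s -> {years_to_exhaust(space, rate):,.0f} years")
```

At the assumed rates the full 8-character space takes centuries or longer to exhaust, so the accounts at risk are the ones with short or common passwords, and a password reused on another site is exposed there as soon as it is matched here.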
 
Security Test

I am posting a link for a free security test on your personal computer. This has always been a reliable test. This is for windows only.

https://grc.com/x/ne.dll?bh0bkyd2


Even if you think your firewall is working it always pays to check it.
Someone has tried to access my checking account 38 times as of 4 pm est this afternoon.

Candy King
 
Axe said:
Yup, like I said, it's doable, but certainly not worth the hassle. :)

And most importantly - don't use anything made by microsoft....

Joe Monahan
 
lol! that reminds me of a guy that does Security checks for website to see how hackable they are..... if he can hack em, he leaves them a nice big picture of a penguin as a calling card as their front page along with a message "do you really want to trust your website to software that is this easy to hack? USE LINUX"

I thought that was so funny
 
I love it, I can’t believe you people really honestly believe what people say here. You people sure must trust every word out of these people to not research anything.

“Jees people, calm down.

This was just a random hack done by a bunch of cretins in Europe somewhere. They picked an IP address of a server (mine!) that was using an older version of CPanel and just did a minor inconvenience. It was not anyone specifically attacking THIS site.”

Rich Z you are hilarious. I would love to see your proof because I’m not one of your sheep that follow your garbage that is placed in front of me. That link has nothing to do with who the hacker is.

And Ritchie the one everyone loves to believe at face value.
“Here are the best things I know.
1. get a good antivirus (Norton?)
2. get a good firewall software (Zone alarm) EASY to figure out...even a dumb ### like me
3. some hardware comes with its own firewall (routers?) this stuff is harder..definitely not for me. Leave this stuff for the computer people.”

You got to be joking, cause I know you don’t lie, right?

Wow what a false sense of security. You people truly believe too much at face value.

Here’s a hint people the Hacker is from the United States, not Europe. That is pure BS.
And to show you people who it is, I will say a few more things about your hacker. I do know he is a white person, age around 15 :) and the last letter of the State abbreviation is I.

Let’s see how long it takes you people to figure it out.

Clock starts now.

P.S. It wasn’t me, nor have I had any involvement in it. I just find it interesting!
 
HUMMMMMMMMMM

In a lot of cases, someone who has info (specific) about something important ends up knowing a lot more than they first let on!

You seem to be hinting you know more than what you're letting on.... or maybe you are just seeking attention and trying to pick a fight with the two fauna members you mentioned by throwing in some rather weak punches?

Try wetting the paper bag next time Mario, you might punch a hole through it!
 
Lol, I like that one. Here’s more info to see the suspicions fly.

His hair style. It’s short and he wears it in a spike.
 