Pages:
1
2
3 |
Organikum
resurrected
Posts: 2339
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: frustrated
|
|
Agreed, it could have come worse and probably it would have come worse so I am glad we have an friendly hacker here at work. (friendly to us at least
).
You friendly hacker may please understand that nevertheless you being friendly, most people are not overly enthusiastic about what you performed here,
ok?
So lets settle this and realize we have been quite lucky and lets hope we will be as lucky in future.
Its in the nature of these things that a board like this cannot be secured by no means - the only existing workaround is to have always an
administrator online who takes the machine from the net as soon something "suspicious" happens (like the HIVE does). But I see no need here
at ScienceMadness for this, backups often are sufficent.
And friendly hacker dont forget, there are not only friendly boards and admins out there in this evil jungle named The Internet, so take care not to
get stuck in a honeypot. But I guess its "no risk no fun"?
ORG
|
|
vulture
Forum Gatekeeper
Posts: 3330
Registered: 25-5-2002
Location: France
Member Is Offline
Mood: No Mood
|
|
Hack XMBs own support forum and make a statement. Hacking us just caused trouble and annoyance.
Like XMB cares what happens to Sciencemadness...
One shouldn't accept or resort to the mutilation of science to appease the mentally impaired.
|
|
Ramiel
Vicious like a ferret
Posts: 484
Registered: 19-8-2002
Location: Room at the Back, Australia
Member Is Offline
Mood: Semi-demented
|
|
I notice that the names of the users are typed out manually. Interesting.
I don't know much about h4x0ring and computer security, so just bear with me. I logged in during the magic time period of vunerability via
cookies, after arriving directly at http://www.sciencemadness.org/talk/today.php (and yes, I type that into IE each time), but my name doesn't appear on the list. As I said,
I'm not too clued up on computer security, so I don't know if this is significant.
Three cheers for the Board admins, Polverone especially it seems.
Sincerely
-Ramiel
Caveat Orator
|
|
chemoleo
Biochemicus Energeticus
Posts: 3005
Registered: 23-7-2003
Location: England Germany
Member Is Offline
Mood: crystalline
|
|
Something doesn't smell right here.
Indeed, I noticed too that the names were typed in by hand (due to differences in upper/lower cases, i.e. he writes T_Pyro, but it is t_Pyro).
Isn't that a remarkable effort in the age of 'copy & paste', particularly where the alleged hacker had it all in a little list,
with usernames & PW, in an electronic file?
This could be explained by him checking the memberlist, to see who last visited, and simply typing off names. Would be easy to check out who was
online during the hacker period. So maybe he doesn't have our passwords after all (that is, our old ones), and is needlessly taking credit...
Then, I have to question abnormal's posts, too. For one thing, isn't he Quantum's friend, from totse? I am referring to this thread http://www.sciencemadness.org/talk/viewthread.php?tid=1805
Quote: |
Glad you took my advise!
I invited abnormal989 over here from the totse forum after he posted a thread similar to this one. Hopefully he will grow into a full fledged chemist
Abnormal989: Its good you came over here as there are many people smarter than me here that can help you by giving you tips and ideas or by you
searching old posts. |
Quantum, did you not point out to the totse abnormal that his account was compromised? That he may have to register a new account (in case he
can't use his old one) to confirm indeed his account was compromised? Of course, this is providing he's not the hacker himself, and the two
abnormals are one person...
I am not trying to turn this into a witch hunt, or accuse people needlessly- and from the posting style it seems there are two abnormals.
Nonetheless, maybe the admins could check the IP's of abnormals initial post, and the IP's of the last two posts. I guess they will be
different. The hacker IP should be interesting, and maybe the basis for a counter hack attack ... similar to what Mega proposed when roguesci got
hacked... not that I think this is a good idea.
At last, to that proud benevolent hacker who means it all so well, and unwillingly of course pissed off a whole load of people, wasted lots of time,
and has to get a life-
I hope this is the first and last time you try this (sadly i know it won't).
Unlike others, I don't think how great you are for not doing more to us (and yes I lack gratitude), instead I think you are a
FUCKHEAD for disrupting a genuine and great board like this, which in its very character is unique in the internet.
Next time waste your time on a neonazi/similar forum, at least I would accept that as an excuse.
Edit: It's not normally in my character to swear at people, but I couldnt help myself
[Edited on 10-4-2004 by chemoleo]
Never Stop to Begin, and Never Begin to Stop...
Tolerance is good. But not with the intolerant! (Wilhelm Busch)
|
|
Quantum
Hazard to Others
Posts: 300
Registered: 2-12-2003
Location: Nowhereville
Member Is Offline
Mood: Interested
|
|
I saw Abnormal's post over at Totse in the 'Bad Ideas' forum surrounded by such gems as 'Stealing a chicken A serious
question'
Here is his post: http://www.totse.com/bbs/Forum7/HTML/008406.html
I posted a link over here hoping he could ask his question here and not be dragged down by idiots.
I think you(Abnormal) should post a new topic in BB at Totse called "MSDB hacker' and include a sentence if you want. it will get locked but
I/others here can see it and know that you here and you there are one in the same.
I did not tell abnormal over at tose because I had forgoten already about posting the link over here. I hope he is not the hacker but an admin can
check IPs and logs I guess.
Quanutum
Edit: This gave me a good excuse to get my 100th post without post whoring!
[Edited on 10-4-2004 by Quantum]
What if, what is isn\'t true?
|
|
Alchemist
Hazard to Self
Posts: 93
Registered: 22-6-2002
Location: Hostton Texas
Member Is Offline
Mood: No Mood
|
|
Different account today
chemoleo, you mentioned me "typing in things by hand". Well I didn't. They were indeed all in a neat little list, but due to the length
I decided not to flood my post with usernames. Also, since I had to delete the passwords beside them, it wasn't much touble to include a comma
and a space. The reason some have differences in cases in some usernames is simple, it's because they aren't case sensitive, so even if you
type your username, changing a few caps to small and vice versa, it'll still work, and that's exactly what happened here.
Now, why oh why would the real abnormal989 confess to hacking this forum through his own username? I'm not really abnormal989, as I said before I
just used his username because he hadn't changed his password yet. Besides, the admins can just check out the login sessinon IP addresses, the
last 3 will NOT match the older ones. And as for the use of the new IPs for a "counter hack attack", I am truly sorry chemoleo but you live
in a dream world. Anyway, leave it up to the admins, they'll realize what I'm talking about.
Oh, disclosed is something that might interest you:
vulture | VTZUfMdoa
chemoleo | bowle
chemoleo | abspasfrac
Polverone | c1ndy
Quantum | smiley
Quantum | cran28Nix@Oclcok!#
Those are the login attempts of 4 people I'm quite sure have changed their password since the attack. I think that's proof enough I
didn't copy this stuff from anywhere. I even included Quantums' extra-lengthy password, cracked via the dual quantum computers sitting in my
basement .
Oh yes, for your information chemoleo, it only took 5 minutes to set things up here, so I didn't waste too much time, but many thanks for your
kind concern. I'd really just LOVE to start a swearing match with you, but unfortunately I have better things to do.
Thanks for listening again, and I can explain in detail how the hack worked to the admins, if they'd really like to know.
P.S.: vulture: I very much agree, XMB should be punished for making a good-looking but extremely bugged forum and hardly ever repairing it properly.
And we're working on that too, don't worry .
|
|
The_Davster
A pnictogen
Posts: 2861
Registered: 18-11-2003
Member Is Offline
Mood: .
|
|
Why is there 2 different passwords for the same user. Old and new ones?
|
|
Hermes_Trismegistus
National Hazard
Posts: 602
Registered: 27-11-2003
Location: Greece, Ancient
Member Is Offline
Mood: conformation:ga
|
|
oh god.
I see this has gone from downhill to under ground.
Even old Professor Hardwigg knew when to turn back.
Arguing on the internet is like running in the special olympics; even if you win: you\'re still retarded.
|
|
vulture
Forum Gatekeeper
Posts: 3330
Registered: 25-5-2002
Location: France
Member Is Offline
Mood: No Mood
|
|
I'm using the adventureMedia black&yellow color scheme for the board, but since yesterday all text except the links gone white. Did I
accidently activate a hotkey or is this another bug?
I'm not going to swear at mister hacker, I just advise him to use concentrated nitric acid as a cooling fluid for his überPC.
[Edited on 10-4-2004 by vulture]
One shouldn't accept or resort to the mutilation of science to appease the mentally impaired.
|
|
Organikum
resurrected
Posts: 2339
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: frustrated
|
|
In short:
- this is the friendly hacker who hacked this board.
- this is not a skript kiddie as a skript kiddie would have gone hysteric by now.
- the admins should use the offer to get the hack explained.
regards
ORG
|
|
Quantum
Hazard to Others
Posts: 300
Registered: 2-12-2003
Location: Nowhereville
Member Is Offline
Mood: Interested
|
|
I hope Mr.Hacker can't get pgp keys this easily!
He can't be cracking the passwords as it would take a loooonnng time for my second one. He must have some sort of way to intercept them before
they are md5sumed.
My hat is off to the skill of the benign hacker. Still I wish you would not post my new(er) password. Other people could see it and harm my account
while I was away.
Edit: Back hacking wouldn't work for this guy; he is bouncing off a few proxies I bet.
[Edited on 10-4-2004 by Quantum]
What if, what is isn\'t true?
|
|
Eliteforum
National Hazard
Posts: 571
Registered: 18-11-2002
Location: United Kingdom
Member Is Offline
Mood: Enjoying the journey
|
|
Lamer.
All that glitters isn't gold.
|
|
All Chemist
Harmless
Posts: 2
Registered: 5-4-2004
Location: Dresdon
Member Is Offline
Mood: exccentric
|
|
I already changed my password like you asked. And now u use my account once more. I don't appreciate having to change my password from the
origonal to 'Px94sn0Fgi' to some other guf. Now, decist, or i will be forced to unleash my world splitting Super-Sayan Fireball and kill
everyone to get you.
He who howls at teh moon.
|
|
Organikum
resurrected
Posts: 2339
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: frustrated
|
|
Quote: |
He who howls at teh moon.
|
tis sounds like mei favorit mOOnMoNSTa....
|
|
Hermes_Trismegistus
National Hazard
Posts: 602
Registered: 27-11-2003
Location: Greece, Ancient
Member Is Offline
Mood: conformation:ga
|
|
Using poor Orgi to post has much more flair than using Newbie's
Hello Mr. Hacker, I'd like to ask you a couple questions if you don't mind.
Would you please U2U with an email addy?
Hermes
Arguing on the internet is like running in the special olympics; even if you win: you\'re still retarded.
|
|
Organikum
resurrected
Posts: 2339
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: frustrated
|
|
you got something wrong Hermes, up to now my name wasnt (ab)used.
|
|
Hermes_Trismegistus
National Hazard
Posts: 602
Registered: 27-11-2003
Location: Greece, Ancient
Member Is Offline
Mood: conformation:ga
|
|
Quote: | Originally posted by Organikum
In short:
- this is the friendly hacker who hacked this board.
|
My mistake, I hadn't seen your sig at the bottom at first glance, and was confused.
Who is the friendly hacker?
Arguing on the internet is like running in the special olympics; even if you win: you\'re still retarded.
|
|
Organikum
resurrected
Posts: 2339
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: frustrated
|
|
yes thats unclear I admit.
I was referring to chemoleos claim that the person posting here isnt the one who hacked the board - ok?
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
attention Sir Haxalot
Quote: | Thanks for listening again, and I can explain in detail how the hack worked to the admins, if they'd really like to know. |
This I would like to know.
Do you know of any vulnerabilities in XMB 1.8 SP3, or just what has already been published about 1.8 SP2 and earlier?
[Edited on 4-10-2004 by Polverone]
PGP Key and corresponding e-mail address
|
|
Alchemist
Hazard to Self
Posts: 93
Registered: 22-6-2002
Location: Hostton Texas
Member Is Offline
Mood: No Mood
|
|
Ok, first off: Who I am doesn't really matter, and I'm only using different usernames to stop people from thinking that the owner of the
username is the real hacker. Neither abnormal989 nor Alchemist is the hacker, they just haven't changed their passwords yet. Also, I didn't
expect I'd be posting this often, maybe I should just make a new username to rid myself of the trouble...
Anyway, Quantum: You are right, there's no possible way your 18-digit password can be cracked. Trying all possible combinations of a-z, A-Z, 0-9
and only 4 extra symbols for an 8-digit password would take approximately 11.4 years, assuming a brute force speed of 1000000 passwords per second.
The admins know I didn't just get the md5 passwords, that would be too hard to trace anyway.
Now, I'll explain briefly what happened so that everyone interested can comprehend how it worked and the admins will be able to recognise such
attacks with ease in the future. With some standard SQL injection (injecting sql statements into a php script by fooling the script to run them), you
can easily obtain the md5 hash of any users' password. Using that you can spoof your cookie and login as the owner of the username, for instance
the administrator. This allows you to do pretty much anything you want within the confines of the forum, but by no means can you learn the password.
However, you can modify the templates that are loaded in specific pages. Specifically, the header template, which is used in all pages, was modified
to redirect the user to the misc.php?action=login page, whose template was modified to redirect the user to another page, where a php script stored
the username and password and sent the user back to the main forum website, logged in. That is basically how it worked.
Polverone: Funny you should mention that, because XMB 1.8 SP3 DOES have some vulnerabilities, and so does XMB 1.9. Even the version they're using
over at the XMB website is vulnerable, but to a different kind of SQL injection we haven't been able to fully exploit yet. But I promise if
anything comes up you'll be among the first to know (and by that I mean i'll e-mail you or u2u or whatever, not that I'll hack the
forum all over again ).
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
It seems like a much more subtle attack would be possible, if you can execute arbitrary SQL commands. I.E. couldn't you modify the login page to
store plaintext usernames/passwords in new entries in the database, and later use another command to retrieve all the stored pairs? An attack like
that wouldn't need redirection to another site, and would be very subtle indeed if you just let logins naturally expire and be re-entered. But I
don't know exactly what you can accomplish, even after having it explained.
PGP Key and corresponding e-mail address
|
|
Blind Angel
National Hazard
Posts: 845
Registered: 24-11-2002
Location: Québec
Member Is Offline
Mood: Meh!
|
|
My question is: From where were you able to inject the SQL statement, for the rest it's not a big deal.
|
|
axehandle
Free Radical
Posts: 1065
Registered: 30-12-2003
Location: Sweden
Member Is Offline
Mood: horny
|
|
warning
When I tried to enter the profile editing section using mozilla, I got a popup with the text "Select a username to be used entering this
forum", and a field with my email adress listed twice.
Is this related to the upgrade or is it another crack?
My PGP key, Fingerprint 5D96 E09E 365D 1867 2DF5 C2FE 4269 9C19 E079 CD35
\"Verbing nouns weirds the language!\"
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
neither
It's a Mozilla thing. Delete one of the saved user/password combinations, using Password Manager.
PGP Key and corresponding e-mail address
|
|
axehandle
Free Radical
Posts: 1065
Registered: 30-12-2003
Location: Sweden
Member Is Offline
Mood: horny
|
|
silly me
Mozilla must have stored both the old and the new password, and instead of behaving logically I became paranoid. Thanks for not saying out loud that
I'm an idiot though, Polverone.
There. I said it myself.
Edit: As a side note, I managed to cast aluminum on my charred wooden table, gripping the handle of the crucible with a towel. I was lucky I wore
gloves. The towel, as well as the table under the SS mold, caught fire. Big time. *cough* *cough*
[Edited on 2004-4-12 by axehandle]
[Edited on 2004-4-12 by axehandle]
My PGP key, Fingerprint 5D96 E09E 365D 1867 2DF5 C2FE 4269 9C19 E079 CD35
\"Verbing nouns weirds the language!\"
|
|
Pages:
1
2
3 |