Sciencemadness Discussion Board
Not logged in [Login ]
Go To Bottom

Printable Version  
 Pages:  1  ..  3    5    7
Author: Subject: The Forum Has Been Hacked
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 13-8-2014 at 13:17


You're called a script kiddie because of the script logs left by attempts to guess passwords for Lumen Christie, Facebook, and other organizations.

The vulnerability you exploited here was already public, though I suppose it is possible you discovered it independently: http://secunia.com/community/forum/thread/show/9946/xmb_cros...

Sadly, since XMB has fallen into disuse, there is no central development committee tracking bugs or working on bug fix releases any more. It will be up to me to fix our own copy of XMB.

[Edited on 8-13-2014 by Polverone]




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 13:18


I am not sure where you are getting Kali Linux out of, I didn't even make use of it in this instance.
I do have remorse, perhaps I am not portraying it well within this text.
I was explaining my thought process behind this 'attack'.
I didn't mean any harm in fact I love this forum, it is full of great minds and ideas and the last thing I want is it gone.
Arkoma I have already apologised to you and I have apologised to Polverone in private and have supplied him with the knowledge needed to patch this and I will continue to do so like originally intended.
View user's profile View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 13-8-2014 at 13:24


Young Man, I sincerely hope that you have learned a valuable life lesson from this. Your credibility is now FOREVER suspect here, whatever your original intentions were.



"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
Texium
Administrator
********




Posts: 4566
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 13-8-2014 at 13:25


Quote: Originally posted by forgotpassword  

I do have remorse, perhaps I am not portraying it well within this text.
I was explaining my thought process behind this 'attack'.
I didn't mean any harm in fact I love this forum, it is full of great minds and ideas and the last thing I want is it gone.
Arkoma I have already apologised to you and I have apologised to Polverone in private and have supplied him with the knowledge needed to patch this and I will continue to do so like originally intended.
I don't think that all of this apology after the fact of being caught is going to do you much good. The damage is already done, and you'll just have to accept that you blocked yourself out of this forum that you say you love. That's all on you.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
The Volatile Chemist
International Hazard
*****




Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline

Mood: Copious

[*] posted on 13-8-2014 at 13:28


Quote: Originally posted by zts16  
Quote: Originally posted by forgotpassword  

I do have remorse, perhaps I am not portraying it well within this text.
I was explaining my thought process behind this 'attack'.
I didn't mean any harm in fact I love this forum, it is full of great minds and ideas and the last thing I want is it gone.
Arkoma I have already apologised to you and I have apologised to Polverone in private and have supplied him with the knowledge needed to patch this and I will continue to do so like originally intended.
I don't think that all of this apology after the fact of being caught is going to do you much good. The damage is already done, and you'll just have to accept that you blocked yourself out of this forum that you say you love. That's all on you.

I agree. It was fun tracking you, etc. but now that the fun of the mystery is over, the damage must be tallied. And you are lacking. I vote ban... But wait, is forgotten password ACTUALLY manifest?




View user's profile Visit user's homepage View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 13:29


Well I didn't really bother covering my tracks because I was doing it here and I was going to give myself up anyway, I didn't expect you to be so sharp.
You can also send U2U's on a users behalf.
Click here to see the code used
Click here to see it work to send me a U2U.

EDIT: Polverone has blocked my VPS's IP, it wont work but the code is still there.

No, my name is FORGOTpassword not FORGOTTENpassword.
He is innocent.

[Edited on 13-8-2014 by forgotpassword]
View user's profile View All Posts By User
Texium
Administrator
********




Posts: 4566
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 13-8-2014 at 13:35


Quote: Originally posted by The Volatile Chemist  
I agree. It was fun tracking you, etc. but now that the fun of the mystery is over, the damage must be tallied. And you are lacking. I vote ban... But wait, is forgotten password ACTUALLY manifest?
As pointed out earlier, forgottenpassword is not an alternate account of Manifest, but an innocent and unrelated member, while forgotpassword is Manifest's alternate account. I would also vote ban, if there was a vote, because as arkoma said, his credibility is now forever in question.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
DrAldehyde
Hazard to Self
**




Posts: 82
Registered: 12-1-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 13:42


I suggest doing a Google search of "how to apologize". You seem to be making some classic mistakes. Most people are pretty forgiving if you offer a sincere meaningful apology. Good luck to you.

Quote: Originally posted by forgotpassword  
Well I didn't really bother covering my tracks
View user's profile View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 13:44


I have offered a meaningful apology 1 page ago.
You're taking me out of context I didn't cover my tracks because I was going to inform Polverone it was me anyway.

I sincerely hope it doesn't come to a ban as stated before I love this site.
I am also sincerely sorry for wasting Polverone's time and for wasting yours also.
I'm sure I might have made a few of you fear that your security was at risk so I am also very sorry for that.

[Edited on 13-8-2014 by forgotpassword]
View user's profile View All Posts By User
Brain&Force
Hazard to Lanthanides
*****




Posts: 1302
Registered: 13-11-2013
Location: UW-Madison
Member Is Offline

Mood: Incommensurately modulated

[*] posted on 13-8-2014 at 13:46


Also vote ban, ESPECIALLY because you deleted my posts and tricked zts16 into thinking I was faking it. And you sockpuppeted Mr_Magnesium - so you've also killed the credibilities of other members, at least temporarily.



At the end of the day, simulating atoms doesn't beat working with the real things...
View user's profile View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 13:53


Well if that's your opinion I have got to respect that.
View user's profile View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 13-8-2014 at 13:59


ban

banhammer.jpg - 49kB




"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

shocked.gif posted on 13-8-2014 at 14:01
Making restitution


If you want to get your account back, and you want the big page of evidence about what you've done to go away and not show up in search engine results, fix the CSRF vulnerability in XMB:

https://github.com/mattbernst/xmbforum

You write the fixes, I'll do the code reviews and merge your pull requests. Maybe someone has already fixed them in another fork/derivative of XMB I'm unaware of. I don't care if you crib from fixes written elsewhere, but the fixes must be merged into the version I've put up on github, since that's the version we are using on sciencemadness.

You can get a sanitized, virtualized version of the forum to use for populating a test database, and seeing how the configuration works, here: https://www.sciencemadness.org/whisper/viewthread.php?tid=12...

If you aren't fluent with PHP or git now is a great time to learn.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
HeYBrO
Hazard to Others
***




Posts: 289
Registered: 6-12-2013
Location: 'straya
Member Is Offline

Mood: :)

[*] posted on 13-8-2014 at 14:03


I have my account back. Thanks woelen and Polverone.
View user's profile View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 14:03


Okay, but I feel I am better to this forum unbanned than banned, I am a genuine user, I have 229 posts.
What I feel are high quality posts.
If I came here to hack or be a nuisance I wouldn't post 229 times.
View user's profile View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 13-8-2014 at 14:06


QUIT JUSTIFYING AND GET BUSY CODING



"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 13-8-2014 at 14:06


Will do sir.
View user's profile View All Posts By User
gdflp
Super Moderator
*******




Posts: 1320
Registered: 14-2-2014
Location: NY, USA
Member Is Offline

Mood: Staring at code

[*] posted on 13-8-2014 at 14:07


Quote: Originally posted by forgotpassword  
Okay, but I feel I am better to this forum unbanned than banned, I am a genuine user, I have 229 posts.
What I feel are high quality posts.
If I came here to hack or be a nuisance I wouldn't post 229 times.


Obviously the forum, including me, disagrees.
View user's profile View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 13-8-2014 at 14:08


You obviously have the talent.........use it PRODUCTIVELY as Polv has so graciously allowed



"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 13-8-2014 at 14:12


No, a new backup drive is cheap. I want restitution in kind. And the restitution process will improve Manifest's skills for legal employment in software development, so win/win.



PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 13-8-2014 at 14:13


Quote: Originally posted by Polverone  
No, a new backup drive is cheap. I want restitution in kind. And the restitution process will improve Manifest's skills for legal employment in software development, so win/win.


King Solomon could not do better IMHO

edit--messed up quote

[Edited on 8-13-2014 by arkoma]




"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
WGTR
National Hazard
****




Posts: 971
Registered: 29-9-2013
Location: Online
Member Is Offline

Mood: Outline

[*] posted on 13-8-2014 at 14:20


I crafted this exquisite masterpiece of a post, and then realized it was already a page out of date when I posted it. This thread is moving fast (or maybe I'm just slow).
View user's profile View All Posts By User
adamsium
Hazard to Others
***




Posts: 180
Registered: 9-4-2012
Location: \ƚooɿ\
Member Is Offline

Mood: uprooting

[*] posted on 13-8-2014 at 16:14


Given that this is not the first time that Manifest has made a forum-related 'hack', it is rather difficult to accept his explanation.

See the IRC logs for what Manifest likes to do when he feels butthurt. (hint: he likes to launch DoS attacks in a feeble attempt to display some sort of 'superiority').

Regardless, let's hope he actually does something useful now and properly patches the vulnerability.
View user's profile View All Posts By User
elementcollector1
International Hazard
*****




Posts: 2684
Registered: 28-12-2011
Location: The Known Universe
Member Is Offline

Mood: Molten

[*] posted on 13-8-2014 at 16:34


Polverone, I hate to give you more work after what you've been through, but I hope you double- and triple-check Manifest's fix - it would not surprise me if he left additional back doors somewhere to cause even worse damage.



Elements Collected:52/87
Latest Acquired: Cl
Next in Line: Nd
View user's profile View All Posts By User
APO
National Hazard
****




Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline

Mood: Refluxing

[*] posted on 13-8-2014 at 20:48


Seconded, I definitely think that he'll just add security holes, rather than fix any. At most he would just hide them. He doesn't deserve a second chance in my opinion. Ban his IP address and freeze all his accounts.



"Damn it George! I told you not to drop me!"
View user's profile View All Posts By User
 Pages:  1  ..  3    5    7

  Go To Top