0062

Everything posted by 0062

  1. Thanks iHackforFun! :) You had some good ideas. I do need my MySQL databases running though, because I have comments, galleries, and plans for more community building. I did forget to mention I have Cloudflare enabled so DDOS is not a concern. ROFL ROFL, no, no it's neither illegal nor against the Terms of Service. You don't have to be a digital gangster to challenge people to hack you LOL. Many sites do this and I can't imagine why it would be against anyone's rules (and on that note I'll reward anyone who can hack this account). Providing hack-this contests is a vital part of the hacking community and hacking history because it gives up-and-coming hackers some legitimate targets so that they don't have to break the law. I've been hacking hackthissite.org for years myself. I think you were in the DDOS mindset, but not only do I not consider that hacking (officially in my contest and as a matter of taste) it's a non-issue because in addition to Cloudflare the host has secure servers and is extremely helpful with my website. He's certainly seen it many times and has no objection to say the least.
  2. OK, so I believe a member of this community has developed a hot new WordPress attack scanner. I've got my scanner plugins installed but I still feel like my WordPress site is a huge pile of SQL vulnerabilities and opportunities for leaking databases, XSS, RFI/LFI, and other penetration. Beyond having a scanner plugin, what more can I do to harden WordPress? Is it an intrinsically vulnerable system or can the security be pretty tight? Frankly, I have a $100 reward for anyone who hacks my site and I want to post even more tempting challenges for people to hack it, but I feel like right now it's just not up to snuff [it's not really ready yet, so don't ask for the URL lol]. In addition to security I would like my WordPress to look leet, have some leet features, and ideally not be recognized as WordPress. I used to build websites in the 90's and early 00's, but I just have not had the time to stay current, thus WordPress is a very attractive option. But I feel like some lamer having this cookie-cutter pre-coded solution... so can I at least hack it in the sense of making it appear to be a hand-coded site? I have a plugin called hide-login that changes some of the default WordPress directories and I've modified a public domain theme to remove the dead giveaways, but what more can I do? Finally, what are your favorite themes for hacking/tech stuff, if any? I like the Commodore theme but its formatting doesn't hold up well on anything but desktop-based IE and Chrome.
  3. I actually didn't catch who you're replying to, but I've seen a lot of people say this when someone confuses DOS with DDOS. I wonder though... isn't it fair to say that single computers/servers can do DDoS by distributing it over a range of spoofed IPs? I think this is how server/"shell" based booters work as opposed to "bot" based ones, but I've never actually used a booter and am just catching up on all these new terms. Back when I was a kid they called it DOS even if it was distributed and you mainly read about it in the context of rival computer clubs doing it to one another. Yea, most peeps wouldn't use ICMP on a server and if they did it can be easily disabled. However I will say that I have seen some people use ICMP floods successfully for stress testing servers, it's definitely a major vector for IRC/gamer flooding, and it's a part of a SSYN attack. I just disable it on my servers tho.
  4. Hi Kabel, I don't believe it's logical or helpful for hackers on a hacking board to try to pass ethical judgements on attack vectors or the people who ask about them, so I'm just going to give you a straightforward answer. To DDOS you cause a large amount of traffic from multiple (i.e. distributed) sources to be directed to a target. The target could be an individual, a website, a production server, whatever. You usually identify the target with its IP address. Most websites' IP address can be obtained with a ping. For example in Windows cmd prompt, OS X terminal, or a Linux command shell just type "ping hak5.org" to get the IP of this site. Some sites try to hide their IP addresses, but you can still sometimes get them with special "resolvers". In the case of an individual, you might send them a link to your website, then check the logs for their IP after they visit. There are multiple forms of traffic you might send -- UDP, SSYN, GET, POST, Slowloris, etc. Your options will depend on the software you're using to co-ordinate your DDOS attack and which one is best will probably depend on the set up of your target's computer/server. So now the questions are where do you get your distributed sources and what software do you use to co-ordinate the attacks. The sources could be your own servers/computers, a bunch of friends, or computers that you control because they are infected with a trojan/virus that gives you control. The software that is used to control them is usually called a "booter" by the younger generation of hackers. It's extremely commonplace that kids own, rent, and trade these booters on other popular hacking forums. Now, having answered your question as directly as I could, I will throw in a few editorial comments here at the end. DDOSing is an extremely easy, yet powerful, form of hacking (it's so basic it's almost hard for pen testers to consider it hacking).
     There are only very limited ethical uses by most people's standards -- you could use it to test the security of your website, you could use it to kick your buddy offline during a multiplayer game bc you're both kids and you know that he has a sense of humor, or you could use it to stop some evil power such as if radical fundamentalists had an anti-American website that had to go. It's caught a lot of negative attention from the public over the past 3-5 years though, due to groups like Anonymous having DDOS'ed various government websites in such a way that could encourage the enemies of America to think that we are weak. You don't want to do that and as a result law enforcement, particularly the FBI, have been cracking down on lots of kids who use booters. They can trace the source of the traffic very easily and from there find the IRC channel used by your booter to "command and control" the sources of traffic, then from there they find your IP address, show up at your house, slam you on the ground, break your ribs, put their knees in your back, take you to a dirty prison, let you become the sex slave of an STD-infected prison gang, and ruin your future by giving you a criminal background. That amount of paternalist government intolerance is all absolutely horrifying, abhorrent, anti-American, anti-Internet, and sickening. But it's the way it is and things are just getting worse, so if you experiment with DDOS do so safely. Use it on yourself and your buddies, but don't use it in such a way that will get you into trouble. Cheers!