
The server hosting Hak5.org and the Hak5 forums was hacked.


VaKo


One question: via Twitter, Matt told us:

"Hak5 was indeed hacked along with all 84 of the other sites on the server being wiped, backups are a month old, rebuilding the server now"

Why are the backups a month old?

Other than that, I'm pretty amazed that after one day the entire system is back up :)

Thanks for the disclosure and for warning us of the possible danger.


UPDATE: If you have posted and want your account deleted, please remove all personal details from the account and PM me; your account will then be banned. This allows us to keep the posts intact and you to be rid of your unwanted account.


Sorry to hear that. Luckily I just use the MD5 hash of one of my files as a password, and all I need to do is remember a different file. I know it's not random nor the best method; it's just an easy way to remember a password without writing it down or having a guessable one.

Is this intrusion anything to do with the anti-sec movement? :P


Take site homepage offline, or leave online, but with really loud warning. Dumbasses who you have described who use important passwords on fun sites ARE at risk, you need to emphasise it more now and in the future.


This is why I run my own server... I don't want some ass hat at my webhost to root my box. I've got Comcast, and the only time my site is ever down is Comcast. I once got hit by lightning and was out for like 3 days (lost cable modem, router and 3 NICs). One night somebody turned off my server because it was loud and they were trying to sleep. Other than that I've been DoSed, but I will take a DoS over r00t any @#%^ing day :)

hak5.org, run a drop to my house and I'll host the forums for you.

If you have r00t you should do some of this along with Snort:

http://www.binrev.com/forums/index.php/top...ge__hl__mod_sec

Let me know if you need help.


Hey everyone,

First let me be the first to apologize for what has happened over the last two / three days.

After many cans of Red Bull, and more nicotine than I think I've ever had before there are very few issues that remain to be resolved.

Let's start on what exactly happened.

At approximately 3:30 pm Eastern time on Monday, the webserver that hosts Hak5 as well as 84 other non-Hak5-related sites was exploited by a cross-site scripting attack which resulted in the dump of a MySQL field that contained the root password for the server.

The reason this password was stored is because the billing system we have in place handles orders and cancellations based on a cron job automatically.

However, the billing system recently began to employ a remote key hash and, not thinking about it, I never removed the root password from the other field. This mishap ended up causing the hell that has been my life for the last 48 hours.

This has been fixed: the remote access key can now only be used by scripts calling the key from the local machine. SSH certificate authentication has been enabled and password authentication is in the process of being disabled. We have modified our backup strategy and verified its functionality. We're still working on getting the backups stored remotely and this will happen within the next week.

I want to once again sincerely apologize for the problems that this has caused to each of you, our dedicated members. It has also made me rethink exactly how I go about security on things such as this. When I offered to host Hak5, it was to save $100 per month and increase performance of the site. When we migrated the website to my server we received a number of emails about the noticeable performance increase.

It saddens me that there are those who hate what we do so much that they are willing to completely destroy what we've done without remorse or consideration, however there isn't anything we can do but to continue doing what we enjoy, bringing you weekly technolust.

I must also make this note, the attacker was not prdelka.

I've been in contact with the real prdelka (who is a weekly viewer of the show) over the past 24 hours and he has provided me with numerous valuable pieces of information on who really perpetrated this attack.

There are also others who have been instrumental in the process of getting us back online and educated as to what happened.

Mubix has done an amazing job of tracking logs and IP addresses and getting as much information as possible.

Vako has been rock solid in his support and offering to help in any way he can, whether it be here on the forums, in IRC or elsewhere.

The #hak5 irc guys; while we've had our differences, you've really outdone yourselves in helping out in this situation and keeping things under control in there, my hat goes off to you guys.

Steve from Rack911.com - Steve has been a good personal and professional friend of mine for a number of years, and his tireless hours in assisting me with getting the server and services on it back up and running have been an absolute life saver.

There are others I'm sure I'm forgetting, but please know that all of the help that everyone has provided during this incident has been nothing short of awe inspiring.

Once again, thank you for watching Hak5 and should you have any questions regarding this or any other topic please feel free to contact me or post them here in the forums and I'll do my best to answer them.

Thanks,

Matt

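The remediation Matt lists (key-based SSH, password authentication being disabled) is easy to get wrong in sshd_config, because sshd keeps the first value it sees for a directive and treats everything after a `Match` line as scoped to that block. The following is an added example, not the Hak5 server's configuration or code: a small Python audit of an sshd_config that reports the effective values of the login-related directives and the lines that silently have no global effect. The directive set, the defaults table and both sample configs are constructed for illustration; `Include` directives are not followed.

```python
"""Audit an sshd_config for key-only logins (password authentication off,
root only via keys). Added example, not the Hak5 server's code or config.

Assumptions (not from the thread): the config is given as a string,
Include directives are not followed, and directives after a Match line
are treated as scoped to that block rather than global (sshd semantics).
"""
from __future__ import annotations

import re

# Values acceptable for a server that should only take key-based logins.
SAFE_VALUES = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},   # alias: ChallengeResponseAuthentication
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "pubkeyauthentication": {"yes"},
}

# What sshd falls back to when the directive is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"([A-Za-z]+)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text: str):
    """Return (effective, ignored).

    effective: keyword -> (value, line_no) that sshd will use globally.
               sshd keeps the FIRST value it sees for a keyword, so an
               appended "PasswordAuthentication no" does nothing if an
               earlier line already said "yes".
    ignored:   (line_no, keyword, value, reason) for directives with no
               global effect: later duplicates, or lines that sit after a
               Match line and therefore apply only to that block.
    """
    effective: dict[str, tuple[str, int]] = {}
    ignored: list[tuple[int, str, str, str]] = []
    in_match = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd has no inline comments
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        if key == "match":
            in_match = True
            continue
        if in_match:
            ignored.append((line_no, key, value, "inside a Match block, not global"))
        elif key in effective:
            ignored.append((line_no, key, value, "duplicate; sshd keeps the first value"))
        else:
            effective[key] = (value, line_no)
    return effective, ignored


def audit(text: str) -> list[str]:
    """Human-readable findings; an empty list means the watched settings are safe."""
    effective, ignored = parse_sshd_config(text)
    findings = []
    for key, safe in SAFE_VALUES.items():
        if key in effective:
            value, line_no = effective[key]
            where = f"line {line_no}"
        else:
            value, where = DEFAULTS[key], "default, directive absent"
        if value.lower() not in safe:
            findings.append(f"{key} = {value} ({where}); want one of {sorted(safe)}")
    for line_no, key, value, reason in ignored:
        if key in SAFE_VALUES:
            findings.append(f"line {line_no}: '{key} {value}' has no global effect ({reason})")
    return findings


# Constructed sample: the hardening lines were appended instead of editing
# the existing directives, so none of them take effect globally.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
# appended later: sshd keeps the first value, so this line is ignored
PasswordAuthentication no

Match User deploy
    PasswordAuthentication no
    # meant to be global, but it sits inside the Match block
    PermitRootLogin prohibit-password
"""

# Constructed sample of the intended end state.
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name}")
        for finding in audit(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`, and confirm the live daemon agrees with `sshd -T`, which prints the effective values after all parsing rules (including `Include`) have been applied.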

> Are you kidding me?! You kept my password in clear text?! WTF?!
>
> credibility = 0

Your password was never stored in clear text; as I have repeatedly stated, all forum passwords were hashed and salted.


> Are you kidding me?! You kept my password in clear text?! WTF?!
>
> credibility = 0

Let me be clear on this... NONE of your passwords were stored in clear text.

They were hashed and salted.

The only thing that was stored in clear was the root password of the server, and as mentioned, this has been fixed.

Matt Lestock


OK, looks like I over-reacted. I'm sorry!

This led me to think that:

> During this time the forum database was accessed and as such, passwords (which are linked to your email address) used for forum accounts have been compromised.

If they are hashed (with a good hash function) and salted then it's safe to say that they are not compromised.

Anyway, I just learned something from all of this. Got to get a better way to generate/manage passwords.


> Let me be clear on this... NONE of your passwords were stored in clear text.
>
> They were hashed and salted.
>
> The only thing that was stored in clear was the root password of the server, and as mentioned, this has been fixed.
>
> Matt Lestock

That's what I figured. Then why the hell does the email you guys sent say to change my passwords associated with my email address?

The only thing I'm worried about is an additional 200 spam emails per day.


> That's what I figured. Then why the hell does the email you guys sent say to change my passwords associated with my email address?
>
> The only thing I'm worried about is an additional 200 spam emails per day.

Because the server was compromised, and several passwords were leaked including my own. However we know other passwords weren't. The issue here is that the server was rooted, and for a period of time we know that a 3rd party was in full control of it. We cannot know whose passwords were recovered by the hackers, so we have to notify *everyone* that there was a break-in and that there is a *potential* that other passwords were stolen. This is largely a preventative measure.


Hack happens. Thanks for letting us know.

-EDP


Do we know if any large portions of data were harvested (does the server log show any such activity)? What I guess I'm wanting to know is, what are the chances that my email address is currently being targeted by people wanting to sell me penis enlargements?


> Do we know if any large portions of data were harvested (does the server log show any such activity)? What I guess I'm wanting to know is, what are the chances that my email address is currently being targeted by people wanting to sell me penis enlargements?

Quite high, but then it is for any email address :)


> Was this the SQL root password or the actual root password?
>
> Regardless, most of the time it's quite difficult/impossible to reverse a hashed field.

Reversing might be hard, but if they had root access at some point, they can overwrite a hash in the database with their own to use on someone's account later on. I used to have to force a hash into WordPress in order to fix borked upgrades that screwed up the database. It's possible to overwrite the hash with a "known" hashed password, then it's game over. If they created one on someone's account, and they don't bother to change it, they could come back later as that user, say, if that person hadn't logged on for a while and wasn't aware of the compromise.


> Reversing might be hard, but if they had root access at some point, they can overwrite a hash in the database with their own to use on someone's account later on. I used to have to force a hash into WordPress in order to fix borked upgrades that screwed up the database. It's possible to overwrite the hash with a "known" hashed password, then it's game over. If they created one on someone's account, and they don't bother to change it, they could come back later as that user, say, if that person hadn't logged on for a while and wasn't aware of the compromise.

Yes but you see then at the worst they can only change your password, which is the whole point in password hashing. Seeing as my password is exactly what it was before the exploit, I'm fairly certain that there is no need to change my forum password. The speculation to change my password for anything else tied to this email that uses it is also a false one, as again, these were hashed passwords.

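The two posts above disagree about what a salted hash buys you once an attacker has written to the database: the hash cannot be reversed, but it can be replaced with the hash of a password the attacker knows, and the account then opens for them until its owner changes the password. The following is an added example, not the forum software's code: a per-account salted PBKDF2 scheme stands in for whatever the forum actually used, the overwrite is simulated, and the detection step assumes a copy of the members table taken before the intrusion plus the application's own log of password-change events. The member names, passwords and both of those inputs are constructed for illustration.

```python
"""Salted password hashes, the hash-overwrite attack described in the
posts above, and a check that finds it. Added example, not the forum's code.

Assumptions (not from the thread): one row per member holding (salt, hash);
PBKDF2-HMAC-SHA256 from hashlib stands in for whatever scheme the forum
software used; a copy of the members table from before the intrusion is
available as a trusted snapshot; the application logs its own
password-change events, so a hash that changed without such an event was
written to the database directly.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    """A fresh random salt per account: two members with the same password
    get different hashes, so one cracked hash says nothing about the other."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def attacker_sets_password(record: dict, chosen: str) -> None:
    """What write access to the table gives an attacker: not the old
    password (the hash is not reversible), but the ability to replace the
    hash with one for a password they know. The scheme is public, so they
    can pick any salt."""
    record["salt"] = os.urandom(16)
    record["hash"] = hash_password(chosen, record["salt"])


def find_tampered(snapshot: dict[str, dict], current: dict[str, dict],
                  logged_changes: set[str]) -> list[str]:
    """Accounts whose salt/hash differ from the pre-intrusion snapshot
    without a matching password-change event in the application log."""
    suspects = []
    for user, old in snapshot.items():
        new = current.get(user)
        if new is None:
            continue            # deleted accounts are a separate question
        changed = (old["salt"], old["hash"]) != (new["salt"], new["hash"])
        if changed and user not in logged_changes:
            suspects.append(user)
    return suspects


def run_demo() -> dict:
    """Constructed scenario: three members, one legitimate password change
    made through the forum, one attacker overwrite made directly in the DB."""
    current = {u: make_record(u, p) for u, p in
               [("alice", "correct horse"), ("bob", "hunter2!"), ("carol", "p@ssw0rd-carol")]}
    snapshot = {u: dict(r) for u, r in current.items()}     # taken before the break-in

    current["alice"] = make_record("alice", "new passphrase")  # via the forum; logged
    logged_changes = {"alice"}

    attacker_sets_password(current["carol"], "attacker-knows-this")  # direct DB write

    return {
        "suspects": find_tampered(snapshot, current, logged_changes),
        "attacker_can_log_in_as_carol": verify(current["carol"], "attacker-knows-this"),
        "carol_old_password_works": verify(current["carol"], "p@ssw0rd-carol"),
        "bob_unaffected": verify(current["bob"], "hunter2!"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The comparison only works if the snapshot predates the intrusion, which is exactly why month-old backups hurt here: anything the attacker changed after the last good copy shows up as a difference, but so does every legitimate change in between, and the application log is what separates the two.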

That's your own call. This was a precautionary measure as I know of several people who used the same password for Facebook etc. It's probably safe, but who knows where that database ended up.
