VaKo Posted December 21, 2007
We *think* the forums may have been hacked, but we're struggling to work out exactly how it was done, or even whether it was done at our end. As a precaution, we're advising everyone to change their passwords.
alluran Posted December 21, 2007
And the passwords aren't 1-way encrypted? A POX ON YOU!
Gigabit Posted December 21, 2007
That stinks x.x
VaKo (Author) Posted December 21, 2007
All passwords are sha1 encrypted, the box wasn't owned; all that happened was a few people reporting a weird bug that was potentially a security risk. The only thing this happened with was the SMF install. I didn't want to fuck around with this, and as I needed to tweak the forum software anyway, I did a complete reinstall and made sure everyone was asked to change their passwords. Again, we don't think anything serious happened, but I didn't want to fuck about with this. http://forums.hak5.org/index.php/topic,8129.0.html It is better to be safe than sorry, so I'm disclosing this and not covering it up, which could cause more people problems in the long run.
JF1980 Posted December 21, 2007
> All passwords are sha1 encrypted
You shouldn't have disclosed that. Now any would-be data thieves know which rainbow tables to put to work.
VaKo (Author) Posted December 21, 2007
It's in the SMF documentation... And they would need something to run the rainbow tables against. The problem was that 2 times people reported their passwords being sent to an address using rot13 encryption during the login process, not that they have access to the database. Since I can't find anything in the code base that would do that, I can't say that we were indeed hacked; it just makes me wary enough to warrant doing a complete reinstall from known clean code and getting people to change their passwords.
jollyrancher82 Posted December 21, 2007
The passwords would also be salted.
Hawkens85 Posted December 21, 2007
Rather be safe than sorry.
SomeoneE1se Posted December 21, 2007
....dude, the forum software is a standard SMF install and it is 'common' info and easily available online. Plus, rainbow tables won't work: each password is salted with a random number. Also, the risk to the passwords is VERY VERY low; if they had access to them then they wouldn't have to redirect to a URL with the user/pass rot13'd.
edit: sigh.... I've got to stop posting from my phone
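To illustrate the point made in the two posts above (salted SHA-1 defeats precomputed hash tables), here is an added example. It is not SMF's code and does not reproduce SMF's actual hashing scheme; the 8-byte random salt prepended to the password, the tiny "precomputed table" and the sample passwords are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a handful of example passwords and a small table mapping
# sha1(password) -> password. This stands in for a precomputed (rainbow) table.
COMMON_PASSWORDS = ["password", "letmein", "hak5", "123456"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """Plain sha1(password): identical input always yields the identical digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """sha1(salt || password) with a random per-user salt (assumed scheme).

    The salt is generated at registration and stored next to the digest, so the
    verifier can recompute the hash; the table builder, however, cannot know it
    in advance and would need one table per salt value.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, expected_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, expected_digest)


def table_lookup(digest: str) -> Optional[str]:
    """Recover a password from the precomputed table, if the digest is in it."""
    return PRECOMPUTED.get(digest)


def demo() -> dict:
    """Show that the same password is recoverable unsalted but not salted."""
    unsalted = hash_unsalted("letmein")
    salt, salted = hash_salted("letmein")
    return {
        "unsalted_lookup": table_lookup(unsalted),   # found: "letmein"
        "salted_lookup": table_lookup(salted),       # not found: None
        "salted_verifies": verify_salted("letmein", salt, salted),
    }


if __name__ == "__main__":
    print(demo())
```

The salted digest is just as cheap to compute as the unsalted one; what the salt buys is that a table built ahead of time against sha1(password) no longer matches anything stored, and two users with the same password get different digests.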
digip Posted December 21, 2007
I think the thing to worry about is it wasn't two different sites, but the same site in both Sparda's and SomeoneE1se's posts. This means it wasn't just some random fly-by, but the same place targeting users of the forum (or both of you visit the same sites that may have compromised your individual machines with the same exact problem). There must be a way to retrace and cause the issue again, leading up to the rot13 website showing up, but until it happens again, I think only time will tell if it is a direct attack on the individual users and their machines or an attack on the forums itself. Given the same problem for two different users of the same forum, there has to be a common thread between Sparda's and SomeoneE1se's accounts or machine setup, surfing habits, etc., that allows this to happen. Maybe the two of you should do a little work together to see what it is that is the same between both of your machines and your habits. Seems that something has to be of a common value between the two of you that allowed them to do this. OS, browser, plugins, web sites you visit, posts from cell phones or mobile devices, Bluetooth, wireless, etc...
SomeoneE1se Posted December 21, 2007
Not only are they going to have to be targeted, but they are going to have to know what they're doing. For all we know it could be 10 redirects to the last page, making it harder for us to track. I wish I had thought of trying to track it down instead of just changing my password.
Babs Posted December 21, 2007
Thanks for the Notice.
CaveMan Posted December 21, 2007
definitely sucks, thanks for the notice
Bannana Posted December 22, 2007
I blame evil server
thespy Posted December 22, 2007
brilliant. just a quick question: if I haven't been logging in recently, is there less risk of someone having stolen my pass? it's a pity that the only time I visit the hak5 forums is when something like this happens.. TheSPY
Mark Manching Posted December 23, 2007
> I blame evil server
Yeah! Evil Server Pwns This Forum :x
*Mark Manching has now changed his password too*
SomeoneE1se Posted December 23, 2007
> brilliant. just a quick question: if I haven't been logging in recently, is there less risk of someone having stolen my pass? it's a pity that the only time I visit the hak5 forums is when something like this happens.. TheSPY
The only risk is if you have logged in and been redirected to a site that is not hak5, AFAIK.
Sparda Posted December 23, 2007
It happened to me once. Spotted instantly, reported to VaKo and Moonlit. Never found how it happened.
VaKo (Author) Posted December 23, 2007
> It happened to me once. Spotted instantly, reported to VaKo and Moonlit. Never found how it happened.
Yeah, and in both cases I couldn't find anything on our end that would do that. Went through the forum code and the database, diffed it with clean code, nothing. But after the 2nd time it was reported, I decided to reinstall just to be safe. So now we're using a 100% clean code base, far more restrictive PHP and Apache settings (sorry Darren if I've broken something), aggressive mod_security rules and different passwords.
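The check VaKo describes above (diffing the deployed forum code against a known-clean copy) is the kind of integrity comparison an admin can script. The following is an added example and not the forum's own tooling: it hashes every file under two directory trees and reports files that were modified, added or removed. The two sample trees, their file names and the "injected" change are constructed inside the script purely for the demonstration; in practice the clean manifest would be generated from a freshly downloaded copy of the same SMF version and kept off the web server.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(clean: Dict[str, str], deployed: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a known-clean manifest with the deployed tree's manifest."""
    modified = sorted(p for p in clean if p in deployed and clean[p] != deployed[p])
    added = sorted(p for p in deployed if p not in clean)      # files the clean copy lacks
    missing = sorted(p for p in clean if p not in deployed)    # files removed from deployment
    return {"modified": modified, "added": added, "missing": missing}


def build_demo() -> Dict[str, List[str]]:
    """Constructed sample: a clean install next to a tampered deployment of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        deployed = Path(tmp) / "deployed"
        for root in (clean, deployed):
            (root / "Sources").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller (sample)\n")
            (root / "Sources" / "Login.php").write_text("<?php // login handler (sample)\n")
        # Tampering, constructed for the demo: the login handler gained extra
        # lines and an unknown script appeared next to it.
        (deployed / "Sources" / "Login.php").write_text(
            "<?php // login handler (sample)\n// extra line not in clean copy\n"
        )
        (deployed / "Sources" / "unknown.php").write_text("<?php // not part of the install\n")
        return diff_manifests(hash_tree(clean), hash_tree(deployed))


if __name__ == "__main__":
    report = build_demo()
    for kind, files in report.items():
        print(f"{kind}: {files or '-'}")
```

Running the diff from a clean manifest narrows the search to exactly the files worth reading; a clean result, as in VaKo's case, still leaves client-side causes open, which is why the reinstall plus password reset was the conservative choice.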
Sparda Posted December 23, 2007
Using Sherlock Holmes logic it can be concluded: "It was self destructive code that targeted individual users." Otherwise my clean install of Kubuntu 7.10 was owned lol.
VaKo (Author) Posted December 23, 2007
> brilliant. just a quick question: if I haven't been logging in recently, is there less risk of someone having stolen my pass? it's a pity that the only time I visit the hak5 forums is when something like this happens.. TheSPY
Less risk the longer it's been, but change anyway.
Sparda Posted December 23, 2007
> brilliant. just a quick question: if I haven't been logging in recently, is there less risk of someone having stolen my pass? it's a pity that the only time I visit the hak5 forums is when something like this happens.. TheSPY
> Less risk the longer it's been, but change anyway.
The safest way to log in to forums like these is to do it once, then figure out a way to always have your cookie with you. If the cookie is stolen, people can post as you and send PMs and change your settings. Except they can't change your password without knowing your password, so you still remain in control. The attack used in this case totally relied on people using the login mechanism; using the cookie-remembering method this attack completely fails (until you 'lose' your cookie and have to log in again).
VaKo (Author) Posted December 23, 2007
And don't, whatever you do, use a password you use here for anywhere else. Use something like http://www.pctools.com/guides/password/ and change it every now and again.
digip Posted December 23, 2007
> And don't, whatever you do, use a password you use here for anywhere else. Use something like http://www.pctools.com/guides/password/ and change it every now and again.
You know, all this "change your password" stuff, and I went and changed it yesterday. I was so tired, I forgot what the hell I changed it to. So next time I log out, I am going to have to figure out what the hell I did. "Damn you dirty login screen, damn you to hell....."
edit: figured it out...
SomeoneE1se Posted December 23, 2007
> Using Sherlock Holmes logic it can be concluded: "It was self destructive code that targeted individual users." Otherwise my clean install of Kubuntu 7.10 was owned lol.
we need a good Sherlock Holmes movie!