
Forum Possibly Hacked


VaKo

All passwords are sha1 encrypted, the box wasn't owned, all that happened was a few people reporting a weird bug that was potentially a security risk. The only thing this happened with was the SMF install. I didn't want to fuck around with this, and as I needed to tweak the forum software anyway, I did a complete reinstall and made sure everyone was asked to change their passwords. Again, we don't think anything serious happened, but I didn't want to fuck about with this.

http://forums.hak5.org/index.php/topic,8129.0.html

It is better to be safe than sorry, so I'm disclosing this and not covering it up, which could cause more people problems in the long run.


It's in the SMF documentation... And they would need something to run the rainbow tables against. The problem was that 2 times people reported their passwords being sent to an address using rot13 encryption during the login process, not that they have access to the database. Since I can't find anything in the code base that would do that, I can't say that we were indeed hacked, it just makes me wary enough to warrant doing a complete reinstall from known clean code and getting people to change their passwords.


....dude, the forum software is a standard SMF install, and it is 'common' info and easily available online. Plus, rainbow tables won't work: each password is salted with a random number.

Also, the risk to the passwords is VERY VERY low: if they had access to them, then they wouldn't have to redirect to a URL with the user/pass rot13'd.

edit: sigh.... I've got to stop posting from my phone


I think the thing to worry about is it wasn't two different sites, but the same site in both Sparda's and SomeoneE1se's posts. This means it wasn't just some random fly by, but the same place targeting users of the forum (or both of you visit the same sites that may have compromised your individual machines with the same exact problem).

There must be a way to retrace and cause the issue again leading up to the rot13 website showing up, but until it happens again, I think only time will tell if it is a direct attack on the individual users and their machines or an attack on the forums itself.

Given the same problem for two different users of the same forum there has to be a common thread between Sparda's and SomeoneE1se's accounts or machine setup, surfing habits, etc., that allows this to happen. Maybe the two of you should do a little work together to see what it is that is the same between both of your machines and your habits. Seems that something has to be of a common value between the two of you that allowed them to do this. OS, Browser, plugins, web sites you visit, posts from cell phones or mobile devices, bluetooth, wireless, etc...


Not only are they going to have to be targeted, but they are going to have to know what they're doing. For all we know it could be 10 redirects to the last page, making it harder for us to track. I wish I had thought of trying to track it down instead of just changing my password.


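Added example (not part of any post in this thread): one way to look for the behaviour reported above, a redirect to an off-site URL carrying the user/pass rot13'd, in proxy or browser-history logs. The log format, the `example.invalid` hosts, the account names and the function name are constructed for illustration; it matches usernames only, since a defender should not be holding plaintext passwords to compare against.

```python
import codecs
from urllib.parse import urlsplit, parse_qsl

FORUM_HOST = "forums.hak5.org"  # host taken from the link in the thread
KNOWN_USERS = {"alice_example", "bob_example"}  # constructed account names

# Constructed log lines in an assumed "<timestamp> <method> <url>" format.
SAMPLE_LOG = """\
2000-01-01T00:00:01Z GET http://forums.hak5.org/index.php?action=login2&user=alice_example
2000-01-01T00:00:02Z GET http://collector.example.invalid/l.php?h=nyvpr_rknzcyr&c=abg-n-erny-cnff
2000-01-01T00:00:03Z GET http://news.example.invalid/search?q=rot13+puzzle
2000-01-01T00:00:04Z GET http://collector.example.invalid/l.php?h=OBO%5Frknzcyr&c=x
malformed line
"""


def rot13(text):
    """ROT13 is its own inverse, so decoding and encoding are the same call."""
    return codecs.decode(text, "rot_13")


def find_rot13_leaks(log_text, known_users, forum_host=FORUM_HOST):
    """Return off-site requests whose query values are a ROT13'd known username."""
    wanted = {u.lower() for u in known_users}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip lines that do not match the assumed format
        timestamp, url = parts[0], parts[2]
        target = urlsplit(url)
        if target.hostname is None or target.hostname == forum_host:
            continue  # a username sent to the forum itself is expected
        # parse_qsl percent-decodes values, so %5F-style encoding is handled.
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = rot13(value).lower()
            if decoded in wanted:
                hits.append({"time": timestamp, "host": target.hostname,
                             "param": param, "user": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_rot13_leaks(SAMPLE_LOG, KNOWN_USERS):
        print(hit)
```

Grouping the hits by `host` shows whether different users were sent to the same place, which is the question raised earlier in the thread.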
brilliant.

just a quick question, if I haven't been logging in recently is there less risk of someone having stolen my pass?

it's a pity that the only time I visit the hak5 forums is when something like this happens..

TheSPY

the only risk is if you have logged in and been redirected to a site that is not hak5

AFAIK


It happened to me once. Spotted instantly, reported to VaKo and Moonlit. Never found how it happened.

Yeah, and in both cases I couldn't find anything on our end that would do that. Went through the forum code and the database, diffed it with clean code, nothing. But after the 2nd time it was reported, I decided to reinstall just to be safe. So now we're using a 100% clean code base, far more restrictive php and apache settings (sorry Darren if I've broken something), aggressive mod_security rules and different passwords.


brilliant.

just a quick question, if I haven't been logging in recently is there less risk of someone having stolen my pass?

it's a pity that the only time I visit the hak5 forums is when something like this happens..

TheSPY

Less risk the longer it's been, but change anyway.


brilliant.

just a quick question, if I haven't been logging in recently is there less risk of someone having stolen my pass?

it's a pity that the only time I visit the hak5 forums is when something like this happens..

TheSPY

Less risk the longer it's been, but change anyway.

The safest way to log in to forums like these is to do it once then figure out a way to always have your cookie with you. If the cookie is stolen people can post as you and send PMs and change your settings. Except, they can't change your password without knowing your password, so you still remain in control.

The attack used in this case totally relied on people using the login mechanism; using the cookie remembering method, this attack completely fails (until you 'lose' your cookie and have to log in again).


And don't, whatever you do, use a password you use here for anywhere else. Use something like http://www.pctools.com/guides/password/ and change it every now and again.

You know, all this "change your password" stuff and I went and changed it yesterday. I was so tired, I forget what the hell I changed it to. So next time I logout, I am going to have to figure out what the hell I did.  :lol:

"Damn you dirty login screen, damn you to hell....."

edit: figured it out...

