Page 3 of 4

Posted: April 23rd, 2007, 1:27
by Dr. kitteny berk
ProfHawking wrote: Yes, I know the difference between brute-force and dictionary, but I didn't realise rainbow tables made it so fast; it is rather worrying.
No chance of this salt in phpBB?
It should be possible to add hopefully.

Posted: April 23rd, 2007, 1:32
by Fear
ProfHawking wrote: No chance of this salt in phpBB?
There are a few mods about:

http://www.phpbb.com/community/viewtopic.php?t=377611

But I've not yet seen a cryptographically secure one. For instance the link above uses the registration date as the salt. The salt should be a cryptographically secure pseudo random number, not an easily guessable date! :roll:

I could always write one for phpbb as I've written them before in asp.net, it would just be a case of converting the language of the code pretty much.
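Since the thread turns on why a salt matters and why a registration date is a poor one, here is an added worked example (not code from the thread, from phpBB or from any of the mods linked above). It assumes the board stored an unsalted MD5 of the password, which the thread does not actually state, and uses a tiny constructed wordlist as a stand-in for a rainbow table; the point it makes is about the salt, not the hash.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for the attacker's precomputed candidates.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]


def md5_hex(text: str) -> str:
    # MD5 only because that is the (assumed) hash the board stored; a slow
    # hash such as PBKDF2 or bcrypt is what a new mod should use instead.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# 1. Unsalted: one table, built before any breach, cracks every such site.
def store_unsalted(password: str) -> str:
    return md5_hex(password)


def precompute_unsalted(wordlist) -> Dict[str, str]:
    return {md5_hex(w): w for w in wordlist}


# 2. Registration date as salt: the salt space is every plausible date, a few
#    thousand values, so the attacker precomputes one table per date.
def store_date_salted(password: str, reg_date: date) -> Tuple[str, str]:
    salt = reg_date.isoformat()
    return salt, md5_hex(salt + password)


def precompute_date_salted(wordlist, first: date, last: date) -> Dict[str, str]:
    table: Dict[str, str] = {}
    day = first
    while day <= last:
        salt = day.isoformat()
        for w in wordlist:
            table[md5_hex(salt + w)] = w
        day += timedelta(days=1)
    return table


# 3. Random per-user salt from a CSPRNG: 2**128 possible salts, so no table
#    can exist before the breach and each user must be attacked from scratch.
def store_random_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt.hex(), md5_hex(salt.hex() + password)


def verify_random_salted(password: str, salt_hex: str, digest: str) -> bool:
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(md5_hex(salt_hex + password), digest)


def crack_with_table(digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(digest)


def crack_online(salt_hex: str, digest: str, wordlist) -> Optional[str]:
    """After the breach the salt sits in the stolen row, so a weak password
    still falls to a per-user dictionary run; the salt only removes the
    precomputed shortcut, which is why a slow hash is needed as well."""
    for w in wordlist:
        if md5_hex(salt_hex + w) == digest:
            return w
    return None


def demo() -> Dict[str, object]:
    unsalted_table = precompute_unsalted(WORDLIST)
    date_table = precompute_date_salted(WORDLIST, date(2007, 1, 1), date(2007, 12, 31))
    _, date_hash = store_date_salted("dragon", date(2007, 4, 23))
    salt_hex, rand_hash = store_random_salted("dragon")
    return {
        "unsalted": crack_with_table(store_unsalted("dragon"), unsalted_table),
        "date_salt": crack_with_table(date_hash, date_table),
        "date_table_size": len(date_table),
        "random_salt_vs_table": crack_with_table(rand_hash, unsalted_table),
        "random_salt_online": crack_online(salt_hex, rand_hash, WORDLIST),
        "verify_ok": verify_random_salted("dragon", salt_hex, rand_hash),
        "verify_wrong": verify_random_salted("dragon1", salt_hex, rand_hash),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The date-salted table is only a few thousand times larger than the unsalted one, which is why a guessable salt buys so little; the random salt makes precomputation impossible, but as `crack_online` shows it does nothing for a user whose password is in the wordlist, so a new mod should pair the salt with a deliberately slow hash.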

Posted: April 23rd, 2007, 7:12
by Dog Pants
Okay, so password hacks got them into 5punk but that still doesn't explain Paypal. I did use the same password for both, so it's possible it was taken from 5punk and tried in other sites, but I don't expect Prof and Berk were as careless as me.

Needless to say, all passwords on anything even vaguely important have been changed and I'm using three different strong passwords now. This unfortunately means I have to try all three passwords on every site because I can never remember which is which.

Posted: April 23rd, 2007, 7:19
by Dr. kitteny berk
Dog Pants wrote: Okay, so password hacks got them into 5punk but that still doesn't explain Paypal. I did use the same password for both, so it's possible it was taken from 5punk and tried in other sites, but I don't expect Prof and Berk were as careless as me.
Right, that's that sorted, we were all careless. Current assumed happening:

Uploaded php shell script to /uploads
Used script to get ftp login info (most likely webmin login too knowing wey)
Used hax to steal the users table.
Haxed the hashed passwords
Used stolen passwords with other info (like email addy) from the stolen tables.
Used that info to break into paypal and other stuff (I'd bet they tried wow too)


How to cure:
If we reintroduce an uploads system, limit to known registered users and known filetypes.
Use lots more, better passwords for the admin side of 5punk/the DreamHost account.
Sort mod to salt/nonce the password system for 5punk

Posted: April 23rd, 2007, 7:23
by fabyak
Thought it may be a good idea to throw up a list of commonly used sites in case people forget about any they may need to change passwords for:

ebay
paypal
ebuyer (although this requires extra info so this should be ok)
ballicom
scan (also requires extra info so this should be ok)
cd-wow
play
amazon
hotmail
yahoo
gmail
ISP
BT
Utilities (Gas, elastic trickery etc)

[edit]
WoW
Eve
Steam
Other games

Posted: April 23rd, 2007, 7:33
by Dog Pants
Cheers Fab, I'll be checking those too although I think I've got everything that could financially affect me.

If they got in through Uploads then personally I'd not like to see it back. It was handy, but there are plenty of other ways of hosting stuff and I don't like big security holes like that. Especially when they cost me $50.

Posted: April 23rd, 2007, 7:40
by Dr. kitteny berk
Dog Pants wrote: If they got in through Uploads then personally I'd not like to see it back. It was handy, but there are plenty of other ways of hosting stuff and I don't like big security holes like that. Especially when they cost me $50.
That :above: Kinda.

I suspect the risk could basically have been removed by setting the uploads section as a subdirectory and not using the standard 5punk ftp account.

Instead using another account that'd only give access to the uploads directory. however, I'm not familiar with linux, or the hax they used, so there.

Mostly I think this one came down to poor setup of site features.

Posted: April 23rd, 2007, 7:44
by fabyak
/me suspects this was WEYs doing and he is in Outer Mongolia rather than the US of States :shakefist:

Posted: April 23rd, 2007, 7:57
by mrbobbins
fabyak wrote: cd-Magical Gaaay Fairy Land
Pfft.

Also, I think my 5punk password was unique but still changed eBay and PayPal passwords just in case.

Posted: April 23rd, 2007, 8:12
by fabyak
I can't change my PayPal password yet as I no longer have the card I registered on there so I can't verify myself! I've emailed them to ask them how I sort this out. In the meantime as the card I used does not exist any more does this mean that they can't take money from my Paypal?

Posted: April 23rd, 2007, 8:16
by Dr. kitteny berk
fabyak wrote: the card I used does not exist any more does this mean that they can't take money from my Paypal?
You should be ok, I doubt they can take money from a card that doesn't exist.

Posted: April 23rd, 2007, 8:17
by fabyak
Smashing :) I wasn't totally sure if they took it from the card first, then PayPal, or the other way round.

Posted: April 23rd, 2007, 8:19
by Dr. kitteny berk
It's kinda a weird thing.

I think they take from card to send from paypal.

Posted: April 23rd, 2007, 10:46
by spoodie
TezzRexx wrote: BTW, did we ever find out who hacked 5punk and how?
I suspect we will never know, and if you really wanted to find out it would be a great deal of work and expense, I suspect. I took a dump of the web server logs from the time and had a poke around; there was lots of dodgy-looking access to an uploaded "shell.php" file coming from Google. :?
They were probably masking their IP somehow.

Do we know exactly when it all started happening?
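The log poke-around spoodie describes, and the "when did it start" question, are the kind of thing worth scripting. Below is an added example of that detection logic, not spoodie's actual dump or tooling: the log lines are constructed Apache combined-format entries with made-up IPs (RFC 5737 ranges), timestamps, paths and user agents, chosen only to resemble what the post describes.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed Apache combined-format lines; not from the real server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2007:19:12:03 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Apr/2007:19:31:44 +0100] "GET /uploads/shell.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.23 - - [19/Apr/2007:19:32:10 +0100] "GET /uploads/shell.php?act=ls&d=/home/site HTTP/1.1" 200 8874 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [19/Apr/2007:19:40:00 +0100] "GET /uploads/holiday.jpg HTTP/1.1" 200 40213 "http://forum.example/" "Mozilla/5.0"
192.0.2.99 - - [20/Apr/2007:02:05:51 +0100] "GET /uploads/c99.php HTTP/1.1" 404 512 "-" "-"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A request for something under /uploads/ with a PHP-like extension, including
# double extensions (shell.php.jpg) and requests carrying a query string.
UPLOADED_SCRIPT = re.compile(r"^/uploads/.*\.(?:php\d?|phtml|phar)(?:[./?]|$)", re.I)


def parse_line(line: str) -> Optional[Dict]:
    m = COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_shell_hits(lines) -> List[Dict]:
    """Every request for a script under the upload directory. A 200 means the
    server actually ran it; a 404 is still a probe worth knowing about."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and UPLOADED_SCRIPT.match(rec["target"]):
            rec["executed"] = rec["status"] == 200
            hits.append(rec)
    return hits


def first_seen_iso(hits) -> Optional[str]:
    """Earliest hit: the best answer the web logs give to 'when did it start'."""
    if not hits:
        return None
    return min(h["ts"] for h in hits).isoformat()


def by_client(hits) -> Dict[str, int]:
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    hits = find_shell_hits(SAMPLE_LOG.splitlines())
    print("first access:", first_seen_iso(hits))
    print("clients:", by_client(hits))
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["status"], h["target"], "|", h["ua"])
```

A Googlebot user agent is free for anyone to send, so "coming from Google" in a log is a header the attacker chose, not evidence of origin; the IP and the earliest 200 on the shell are the useful facts. The web log also only shows when the shell was first *used*; the upload itself would be a POST to whatever the uploads form was, and FTP or database access will only be in other logs.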

Posted: April 23rd, 2007, 11:54
by Fear
It is also possible that they modified the login page to simply save our unencrypted password as plain text. Might be worth checking there isn't some code hooked into the board palming off our details to another site and/or file.

Posted: April 23rd, 2007, 12:41
by Dog Pants
Didn't it start about 7:30 on the Thursday that WEY left? It could have been compromised well before that though.

Also:
Message from Seller:
Hello Sir, this money was sent to my account. I have no knowledge of why it was.
Thank you.

(Refunded)
Result, although even the reply I got sounds a bit dodgy. I'm sure there'll be quite a few people doing the same so hopefully Paypal will pick up on it. Maybe whoever it was was hoping they could just take a load and refund anyone who noticed, but keep those that didn't.

Posted: April 23rd, 2007, 14:13
by friznit
OMG HOW DID WEY PAY FOR HIS HOLIDAY!?111LOLHAXLIES!!111

Posted: April 23rd, 2007, 14:17
by fabyak
fabyak wrote: /me suspects this was WEYs doing and he is in Outer Mongolia rather than the US of States :shakefist:
Glad I'm not alone in noticing the very coincidental timing here :shakefist:

Posted: April 23rd, 2007, 14:20
by Fear
fabyak wrote: Glad I'm not alone in noticing the very coincidental timing here :shakefist:
You know you're agreeing with yourself, right?

Posted: April 23rd, 2007, 14:24
by fabyak
Fear wrote: You know you're agreeing with yourself, right?
It was with Friz, but I was up the top of the page and was too lazy to scroll down to quote him