|
|
11 Jun 2006, 15:15
|
#51
|
Mathamagician
Join Date: Aug 2001
Location: At the very edge of existance
Posts: 1,803
|
Re: Account on Planetarion Forums locked out
maybe he can use his ninja skills to get to the idi account though
__________________
I think I just had an evilgasm
|
|
|
11 Jun 2006, 18:37
|
#52
|
Raaaaaaaah!
Join Date: Apr 2000
Location: United Kingdom
Posts: 2,296
|
Re: Account on Planetarion Forums locked out
My situation 8 Jun 2006 22:40 idimmu
I didn't do this. What a lame reason to hack forum accounts, to give yourself more rep.
__________________
Hicks
Mercury & Solace
Always [Fury]
|
|
|
11 Jun 2006, 18:54
|
#53
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
You'd rather he had taken control of your account instead? It would have been trivial to lock you out. I very much doubt he repped himself because he cared, he was probably just having a bit of lighthearted fun.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
11 Jun 2006, 19:01
|
#54
|
Clerk
Join Date: Jun 2001
Posts: 13,940
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
You'd rather he had taken control of your account instead?
|
I think the preference would be for him to have done nothing at all.
Come on, you can't possibly think "It could have been worse" is some sort of defence. "Hey I could have posted 30 porn links but instead I only posted one!"
|
|
|
11 Jun 2006, 19:06
|
#55
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
You missed the context of the remark I was responding to.
Hicks was suggesting the break-in was specifically in order to increase his reputation level. I was suggesting it wasn't, and as with most omghax was probably just done out of interest and "because I can."
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
11 Jun 2006, 19:14
|
#56
|
Klaatu barada nikto
Join Date: Mar 2000
Location: St. Paul, Minnesota
Posts: 3,237
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
I very much doubt he repped himself because he cared, he was probably just having a bit of lighthearted fun.
|
The problem with pos repping yourself is that it looks a lot like you do care.
__________________
The Ottawa Citizen and Southam News wish to apologize for our apology to Mark Steyn, published Oct. 22. In correcting the incorrect statements about Mr. Steyn published Oct. 15, we incorrectly published the incorrect correction. We accept and regret that our original regrets were unacceptable and we apologize to Mr. Steyn for any distress caused by our previous apology.
|
|
|
11 Jun 2006, 19:18
|
#57
|
Registered User
Join Date: Jan 2005
Posts: 3,174
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Tactitus
The problem with pos repping yourself is that it looks a lot like you do care.
|
That's what he'd want you to think!
__________________
If one person is in delusion, they're called insane.
If many people are in delusion, it's called a religion.
|
|
|
12 Jun 2006, 00:25
|
#58
|
Mathamagician
Join Date: Aug 2001
Location: At the very edge of existance
Posts: 1,803
|
Re: Account on Planetarion Forums locked out
maybe he's hacked these accounts to sow the seeds of doubt among the gd populace.
He's taking over!
__________________
I think I just had an evilgasm
|
|
|
12 Jun 2006, 00:27
|
#59
|
Insanity Prawn Boy!
Join Date: Dec 2001
Location: In a bush where you can't find me
Posts: 2,474
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by vampire_lestat
maybe he's hacked these accounts to sow the seeds of doubt among the gd populace.
He's taking over!
|
what do you mean "taking"? He's already in charge!
__________________
They shall not grow old, as we who are left grow old:
Age shall not weary them, nor the years condemn.
At the going down of the sun and in the morning
We shall remember them.
|
|
|
12 Jun 2006, 00:28
|
#60
|
Mathamagician
Join Date: Aug 2001
Location: At the very edge of existance
Posts: 1,803
|
Re: Account on Planetarion Forums locked out
then how can I trust you, maybe you're one of him too!
__________________
I think I just had an evilgasm
|
|
|
12 Jun 2006, 00:28
|
#61
|
And you expected Kittens?
Join Date: Nov 2001
Location: Purgatory, Upper Hell, Manchester.
Posts: 478
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Androme2
When is the anonymous rep being taken away? JJ said on Thursday heh.
|
Seems to have been TOTALLY glossed over by the mods. There isn't even an announcement anymore. Care to explain, anyone?
__________________
If music be the food of love, then industrial techno be the food of BDSM.
|
|
|
12 Jun 2006, 00:31
|
#62
|
Dirte
Join Date: Apr 2002
Posts: 5,573
|
Re: Account on Planetarion Forums locked out
I would have given him posrep anyways !
IDI WON AGAIN
|
|
|
12 Jun 2006, 01:12
|
#63
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
JJ's been away lately. We're warming up the red hot poker of ass lovin' to remind him about that. However, the current situation is a priority.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 01:19
|
#64
|
Angry Young Man
Join Date: Jul 2002
Location: Mister Cacciatore's down on Sullivan Street
Posts: 7,518
|
Re: Account on Planetarion Forums locked out
I'm still not seeing the point in banning idi
__________________
Believe in me, cause i don't believe in anything
And i wanna be someone, to believe, to believe in
|
|
|
12 Jun 2006, 01:27
|
#65
|
#planetarion
Join Date: Feb 2002
Location: Birmingham, UK
Posts: 1,538
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Evil Skragg
Seems to have been TOTALLY glossed over by the mods. There isn't even an announcement anymore. Care to explain, anyone?
|
There's a shiny new announcement at the top of every forum advising everyone to change their password.
__________________
- A2
|
|
|
12 Jun 2006, 02:06
|
#66
|
Godfather
Join Date: May 2000
Location: England
Posts: 5,185
|
Re: Account on Planetarion Forums locked out
It's still in discussion about the rep thing. I delayed the timings so I could talk it over for longer with the mods and come to some kind of decision. Plus a hack I need to install I currently cannot because of some issue with pirate.
Until that is resolved and the discussion has taken place I removed the announcement as it placed a timeframe that was no longer relevant.
Method to madness and all that.
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
|
|
|
12 Jun 2006, 07:50
|
#67
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
My password is 13 characters long and is a combination of letters, numbers and non-alphanumerical characters
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
|
|
|
12 Jun 2006, 09:42
|
#68
|
Registered Abuser
Join Date: Jun 2005
Location: Lincoln!!
Posts: 425
|
Re: Account on Planetarion Forums locked out
Delete thread.
Un-ban user.
__________________
The hungriest man will eat the dirtiest meat.
|
|
|
12 Jun 2006, 09:46
|
#69
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Androme2
My password is 13 characters long and is a combination of letters, numbers and non-alphanumerical characters
|
That's entirely irrelevant actually.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 09:59
|
#70
|
Godfather
Join Date: May 2000
Location: England
Posts: 5,185
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Androme2
My password is 13 characters long and is a combination of letters, numbers and non-alphanumerical characters
|
It makes no difference. If you haven't changed it recently then do so now to a different combination of 13 letters, numbers and non-alphanumerical characters.
The accounts were accessed no matter what password you had. It wasn't a brute force.
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
|
|
|
12 Jun 2006, 10:17
|
#71
|
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
|
Re: Account on Planetarion Forums locked out
are you actually telling us all to change our passwords?
That's quite annoying
|
|
|
12 Jun 2006, 10:38
|
#72
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JammyJim
The accounts were accessed no matter what password you had. It wasn't a brute force.
|
So you're saying he had complete access to the forums database?
If he did, he would not know what my password is. It would take a computer literally years to run through rainbow tables and try to crack the hash. Considering the password is encrypted with the md5 algorithm, it's too likely that it also has a salted hash applied as well (which means 2 hashes mixed into one).
It's not impossible but due to the strength of my password to begin with and the fact it doesn't exist in any wordlist, it would literally take him a long time to get my password.
If he didn't and you're saying it wasn't brute force then I'm surprised. There's a certain program that can generate wordlists and then it's a simple case of writing some Perl and downloading the memberlist and using the Perl to do the job of trying the combinations.
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
|
|
|
12 Jun 2006, 10:42
|
#73
|
lolly roffle
Join Date: Nov 2001
Posts: 5,514
|
Re: Account on Planetarion Forums locked out
It makes no difference how wonderful your password was, he had access to your account. Just change it.
__________________
eXcessum
|
|
|
12 Jun 2006, 10:42
|
#74
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
It wasn't a question of getting the password. If you had a password and hadn't changed it he had it.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 10:48
|
#75
|
Registered User
Join Date: Feb 2006
Posts: 1,094
|
Re: Account on Planetarion Forums locked out
how the fck did he manage that then? I thought the passwords were encrypted and no one knew them or <insert technocrap>
|
|
|
12 Jun 2006, 10:52
|
#76
|
Tilting at windmills
Join Date: Nov 2003
Posts: 579
|
Re: Account on Planetarion Forums locked out
The lack of actual information in this thread is just super.
I am led to believe that Idi hacked the forum using witchcraft or some form of dark magic.
__________________
[Fury] [1up] [Ascendancy]
|
|
|
12 Jun 2006, 10:52
|
#77
|
Godfather
Join Date: May 2000
Location: England
Posts: 5,185
|
Re: Account on Planetarion Forums locked out
You need to phone Scooby Doo and the gang before we tell you, although I'd imagine someone else will probably explain how it was done.
It involves a candle, some cotton buds and a piece of cheese.
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
|
|
|
12 Jun 2006, 10:57
|
#78
|
Registered User
Join Date: Feb 2006
Posts: 1,094
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JammyJim
You need to phone Scooby Doo and the gang before we tell you, although I'd imagine someone else will probably explain how it was done.
It involves a candle, some cotton buds and a piece of cheese.
|
pa never had any security to begin with, entering passwords was an attempt to keep the truth from getting widely known, idi found out and now he's been banned and you asked us to change the passwords to put the cloak of conspiracy back where it was.
but seriously I'm intrigued, if pws didn't matter why do we need to bother changing them now, answers on a pm
|
|
|
12 Jun 2006, 10:59
|
#79
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
As basically as it is possible to explain idi literally had a list of everyone's passwords. However he cannot get a new updated list so change them and he can't access your account.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:02
|
#80
|
Registered User
Join Date: Feb 2006
Posts: 1,094
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JonnyBGood
As basically as it is possible to explain idi literally had a list of everyone's passwords. However he cannot get a new updated list so change them and he can't access your account.
|
...I thought the password list was itself encrypted
idis was far 13373R than we gave him credit for, although changing passwords is a pain.
|
|
|
12 Jun 2006, 11:04
|
#81
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by milo
...I thought the password list was itself encrypted
idis was far 13373R than we gave him credit for, although changing passwords is a pain.
|
Yeah but due to some shit thing in vb I don't understand while he can't actually see your password the encrypted thingamy allowed him to access accounts.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:05
|
#82
|
Registered User
Join Date: Feb 2006
Posts: 1,094
|
Re: Account on Planetarion Forums locked out
idi watches us while we sleep
|
|
|
12 Jun 2006, 11:06
|
#83
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
It's like having the key but not being able to look at it!
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:07
|
#84
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Wait, so he didn't actually have access to our passwords, just their hashes?
|
|
|
12 Jun 2006, 11:08
|
#85
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
Is it simply a case of a SQL injection? Or just a case of him taking a hash and using javascript to create a cookie and login based on that hash?
Like I said, there's no way in hell he would know what the password actually is unless he knew the salted hash (as then the clear text password wouldn't be too hard to figure out).
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
|
|
|
12 Jun 2006, 11:09
|
#86
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by pablissimo
Wait, so he didn't actually have access to our passwords, just their hashes?
|
Something like that.
I think.
I hate computers
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:10
|
#87
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Androme2
Is it simply a case of a SQL injection? Or just a case of him taking a hash and using javascript to create a cookie and login based on that hash?
Like I said, there's no way in hell he would know what the password actually is unless he knew the salted hash (as then the clear text password wouldn't be too hard to figure out).
|
That couldn't have made less sense to me if you'd written it in Mandarin.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:10
|
#88
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Well wasn't that clever of him =(
|
|
|
12 Jun 2006, 11:18
|
#89
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
If I was to make use of an SQL Injection it means I can insert/execute commands directly into the database - for example in a url I could do
Code:
pirate.pa.forum/index.php?par=2%20UNION%20SELECT%20null,null,null,null,null,null,password,null%20FROM%20cws_members%20WHERE%20member_id=1
It's powerful enough that I can bypass the actual login process based on a hash and its associated memberid - and thus, gain complete access to a forum.
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
|
|
|
12 Jun 2006, 11:21
|
#90
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
I'm fairly sure that's not what he did.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:22
|
#91
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Is that not defeated by just using mysql_real_escape_string on the input? I'd be concerned if something as far along as VBB didn't validate user input all the time, though I guess there can be odd things that might get missed.
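An added example on the question in the post above (not part of the thread and not vBulletin code): quote escaping does nothing when the value lands in an unquoted numeric slot, which is the shape of the `par=2 UNION SELECT ...` URL posted earlier. The in-memory SQLite tables, the `escape_quotes` stand-in for a string-escaping call and all function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed input shaped like the URL-decoded value from the earlier post,
# cut down to one column to match the constructed table below.
PAGE_STYLE_INPUT = "2 UNION SELECT password FROM members WHERE member_id=1"

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE members  (member_id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome'), (2, 'Rules');
        INSERT INTO members  VALUES (1, 'constructed-hash-value');
    """)
    return db

def escape_quotes(value):
    # Simplified stand-in for string escaping: it only neutralises quotes.
    return value.replace("'", "''")

def lookup_escaped(db, par):
    # Weak pattern: the escaped value is concatenated into a numeric context.
    # The input contains no quote characters, so escaping changes nothing.
    sql = "SELECT title FROM articles WHERE id = " + escape_quotes(par)
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, par):
    # Bound parameter: the value travels as data and is never parsed as SQL.
    sql = "SELECT title FROM articles WHERE id = ?"
    return [row[0] for row in db.execute(sql, (par,))]

def lookup_validated(db, par):
    # Defence in depth: reject anything that is not a plain integer first.
    if not (par.isascii() and par.isdigit()):
        raise ValueError("par must be an integer")
    return lookup_bound(db, int(par))

if __name__ == "__main__":
    print("escaped  :", lookup_escaped(make_db(), PAGE_STYLE_INPUT))
    print("bound    :", lookup_bound(make_db(), PAGE_STYLE_INPUT))
    print("bound '2':", lookup_bound(make_db(), "2"))
```
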
|
|
|
12 Jun 2006, 11:25
|
#92
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by pablissimo
Is that not defeated by just using mysql_real_escape_string on the input? I'd be concerned if something as far along as VBB didn't validate user input all the time, though I guess there can be odd things that might get missed.
|
A lot of people make mods - for example, like an article script or something. Because of that mod/script, it opens up room for a command to be inserted through 'that' particular page.
Metacharacters like ' and ( are used to bypass protections (until patches come out).
For example,
Code:
'/**/OR/**/1/**/=/**/1
' or 1/*
*/=1--
UNI/**/ON SEL/**/ECT
' OR 'unusual' = 'unusual'
' OR 'whatever' in ('whatever')
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
Last edited by Androme; 12 Jun 2006 at 11:32.
|
|
|
12 Jun 2006, 11:26
|
#93
|
Clerk
Join Date: Jun 2001
Posts: 13,940
|
Re: Account on Planetarion Forums locked out
I'm not sure JJ and JBG being the forum admins' technical representatives in a thread like this is a good idea.
|
|
|
12 Jun 2006, 11:27
|
#94
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dante Hicks
I'm not sure JJ and JBG being the forum admins' technical representatives in a thread like this is a good idea.
|
I said that ages ago.
And my solution you ask?
Idi for technical admin I said
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:31
|
#95
|
Tilting at windmills
Join Date: Nov 2003
Posts: 579
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JonnyBGood
That couldn't have made less sense to me if you'd written it in Mandarin.
|
Quote:
Originally Posted by Androme2
這簡單地是 射入的事例嗎? 或事例他採取回鍋碎肉和使用 語言創造曲奇餅和註冊根據那回鍋碎肉? 如我說, 沒有方式在他會知道的地獄實際上是什麼密碼除非他知道鹽味
|
Now I'm to understand from your posts that he did have the passwords but he didn't have them at all! Which is to say he had them but couldn't see them. Which is to say he didn't have them at all really and could simply access people's accounts based on some flaw in the forum. Now assuming the flaw has been fixed, this leads me to the question, why should we change our passwords?
Is it because this list (which he can't see) still exists independently of the forum? And in fixing the flaw you have simply prevented people from obtaining another such list?
__________________
[Fury] [1up] [Ascendancy]
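An added example on the distinction the posts above circle around, holding the stored hash without knowing the password (not part of the thread and not vBulletin's code). It assumes a hypothetical design in which the login cookie is the stored hash itself and compares it with random session tokens; the salted MD5 construction, class names and sample passwords are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def salted_md5(password, salt):
    # MD5 appears only because the thread names it; the construction is assumed.
    return hashlib.md5((salt + password).encode()).hexdigest()

class HashCookieForum:
    """Hypothetical design: the login cookie is the stored password hash."""
    def __init__(self):
        self.users = {}  # name -> (salt, stored hash)

    def set_password(self, name, password):
        salt = secrets.token_hex(4)
        self.users[name] = (salt, salted_md5(password, salt))

    def cookie_is_valid(self, name, cookie):
        _, stored = self.users[name]
        return hmac.compare_digest(stored, cookie)

class SessionTokenForum(HashCookieForum):
    """Same user table, but cookies are random tokens unrelated to the hash."""
    def __init__(self):
        super().__init__()
        self.sessions = {}  # sha256(token) -> name

    def login(self, name, password):
        salt, stored = self.users[name]
        if not hmac.compare_digest(stored, salted_md5(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = name
        return token

    def cookie_is_valid(self, name, cookie):
        key = hashlib.sha256(cookie.encode()).hexdigest()
        return self.sessions.get(key) == name

def replay_outcomes():
    old_pw, new_pw = "c0nstructed!Pw1", "c0nstructed!Pw2"  # constructed samples
    weak = HashCookieForum()
    weak.set_password("member", old_pw)
    leaked_hash = weak.users["member"][1]   # copy of the table row, as leaked
    before = weak.cookie_is_valid("member", leaked_hash)
    weak.set_password("member", new_pw)     # the member changes their password
    after = weak.cookie_is_valid("member", leaked_hash)

    strong = SessionTokenForum()
    strong.set_password("member", old_pw)
    token = strong.login("member", old_pw)
    return {
        "hash_cookie_before_change": before,
        "hash_cookie_after_change": after,
        "token_design_accepts_hash": strong.cookie_is_valid(
            "member", strong.users["member"][1]),
        "token_design_accepts_token": strong.cookie_is_valid("member", token),
    }

if __name__ == "__main__":
    print(replay_outcomes())
```

Under the assumed design a strong password gives no protection, because the hash is the credential; changing the password replaces the hash and makes the old copy useless.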
|
|
|
12 Jun 2006, 11:39
|
#96
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Cooling
Now I'm to understand from your posts that he did have the passwords but he didn't have them at all! Which is to say he had them but couldn't see them. Which is to say he didn't have them at all really and could simply access people's accounts based on some flaw in the forum. Now assuming the flaw has been fixed, this leads me to the question, why should we change our passwords?
Is it because this list (which he can't see) still exists independently of the forum? And in fixing the flaw you have simply prevented people from obtaining another such list?
|
:crymeariver:
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 11:39
|
#97
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
There's another possibility.
With all vBulletins, there's a part of it to backup the database. This includes usernames, encrypted passwords etc. If a certain admin hadn't deleted this backup file (upgrade1.php) then yeah, it's not helpful.
I can't think of anything other than SQL injection, getting an admin's password, getting an admin's hash (which is easy, just by getting an admin to click on any URL, even if it's just an image), or by some other form of XSS (cross-site scripting).
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
|
|
|
12 Jun 2006, 11:40
|
#98
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Paging a pint of Guinness to thread #191215
|
|
|
12 Jun 2006, 12:12
|
#99
|
Made of Twigs
Join Date: Jun 2003
Posts: 5,459
|
Re: Account on Planetarion Forums locked out
Why did everyone get emails saying they'd been locked out due to 5 unsuccessful login attempts if he had the password?
__________________
If I hadn't seen such riches, I could live with being poor - James
It's hard to be humble when you're as great as I am - Muhammad Ali
So **** y'all, all of y'all; if y'all don't like me, blow me! - Dr. Dre
|
|
|
12 Jun 2006, 12:17
|
#100
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Those were people who had changed their password I believe.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
|
All times are GMT +1. The time now is 09:40.
| |