The Apolyton hacking pool


  • So I guess we all should change passwords then? Anything else we should be wary of?
    Do not fear, for I am with you; Do not anxiously look about you, for I am your God.-Isaiah 41:10
    I praise you because I am fearfully and wonderfully made - Psalms 139.14a
    Also active on WePlayCiv.



    • Thanks for your help Solver!!!
      Nice chatting with you as well!
      Formerly known as "CyberShy"
      Carpe Diem tamen Memento Mori



      • Originally posted by Nikolai:
        "So I guess we all should change passwords then?"
        I would think there's no use until all the holes are closed, is there?
        AC2- the most active SMAC(X) community on the web.
        JKStudio - Masks and other Art

        No pasarán



        • Yeah, about compromised stuff. In principle any of the hackers could have downloaded the encrypted forum passwords, but they are half-decently encrypted and so it's unlikely they would want to waste the resources to crack them open. Of course changing your forum password and considering it to be compromised is a good security precaution.

          But I would actually advise not doing so yet, because some of the non-forum backdoors into the server probably remain still in place and the server can't be considered secure until Martin gets here to do some magic.
          Solver, WePlayCiv Co-Administrator
          Contact: solver-at-weplayciv-dot-com
          I can kill you whenever I please... but not today. - The Cigarette Smoking Man



          • my 'poly password hasn't changed in fifteen years, and this is the only place that i use it. or does even logging into apolyton pose some kind of danger to us?
            I wasn't born with enough middle fingers.
            [Brandon Roderick? You mean Brock's Toadie?][Hanged from Yggdrasil]



            • Originally posted by self biased:
              "my 'poly password hasn't changed in fifteen years, and this is the only place that i use it. or does even logging into apolyton pose some kind of danger to us?"
              In theory the hackers could have put a browser exploit on all the pages so that visiting the site would be dangerous but that would only matter to people with old, unupdated, insecure browsers and Solver would have probably noticed it.



              • Nah you're fine of course, forum addiction notwithstanding. Worst case scenario someone might decode your password and log in as you here, but realistically that's of no likelihood.
                Solver, WePlayCiv Co-Administrator
                Contact: solver-at-weplayciv-dot-com
                I can kill you whenever I please... but not today. - The Cigarette Smoking Man



                • I'm pretty sure they'd need root access to read packets, and I doubt they got it.

                  e: well I suppose they can see anything the webserver sees. Maybe the webserver can see the passwords before they get hashed, maybe not? Auth is sometimes handled separately.



                  • There were no processes or tools installed to snoop on the traffic. Of course it is never safe to send passwords in clear text in the first place as there are many conceivable ways to snoop on that.

                    vBulletin does not entirely suck though and if you type your password into the login form, it actually gets hashed client-side and the hash gets submitted:

                    Code:
                    md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)
                    Also,

                    "I'm pretty sure they'd need root access to read packets, and I doubt they got it."
                    That is highly optimistic.

                    After obtaining a remote shell, they did run a root privilege escalation exploit that was reported on Mitre back in 2010. I do not know if it succeeded in this case, but the vulnerability itself is a real one, and one of the problems here on the server is precisely that software dates back to 2010 or even 2009.
                    Last edited by Solver; September 10, 2013, 17:36.
                    Solver, WePlayCiv Co-Administrator
                    Contact: solver-at-weplayciv-dot-com
                    I can kill you whenever I please... but not today. - The Cigarette Smoking Man
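What client-side hashing of the kind described in the post above does and does not protect, as an added example that is not part of the original thread and is not vBulletin's own code: a Node.js model in which the browser submits md5(password) and the server keeps md5(md5(password) + salt). The storage scheme, the `username` field, the helper names and all sample values are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

const md5hex = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// Browser side: the form handler stores md5(password) in a hidden field and
// blanks the cleartext field before the form is submitted.
function clientSubmit(username, password) {
  return { username, vb_login_password: '', vb_login_md5password: md5hex(password) };
}

// Server side (assumed scheme): keep md5(md5(password) + salt) for each user.
function register(db, username, password, salt) {
  db.set(username, { salt, hash: md5hex(md5hex(password) + salt) });
}

// The server never needs the cleartext: it salts and re-hashes the submitted MD5.
function verify(db, form) {
  const rec = db.get(form.username);
  if (!rec || !/^[0-9a-f]{32}$/.test(form.vb_login_md5password)) return false;
  const candidate = md5hex(form.vb_login_md5password + rec.salt);
  return nodeCrypto.timingSafeEqual(Buffer.from(candidate), Buffer.from(rec.hash));
}

function demo() {
  const db = new Map();
  register(db, 'alice', 'correct horse', 'x9Q'); // constructed account and salt
  const form = clientSubmit('alice', 'correct horse');
  const body = new URLSearchParams(form).toString(); // what crosses the network
  return {
    cleartextOnWire: body.includes('correct'),
    loginOk: verify(db, form),
    // The hidden-field value on its own, with no knowledge of the password:
    hashAloneAccepted: verify(db, {
      username: 'alice',
      vb_login_md5password: form.vb_login_md5password,
    }),
    wrongPassword: verify(db, clientSubmit('alice', 'guess')),
  };
}

console.log(demo());
```

The cleartext never appears in the request body, but the server accepts the submitted hash as the credential, so the hash needs the same transport protection (TLS) a cleartext password would.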



                    • Who won? I didn't keep track.
                      DISCLAIMER: the author of the above written texts does not warrant or assume any legal liability or responsibility for any offence and insult; disrespect, arrogance and related forms of demeaning behaviour; discrimination based on race, gender, age, income class, body mass, living area, political voting-record, football fan-ship and musical preference; insensitivity towards material, emotional or spiritual distress; and attempted emotional or financial black-mailing, skirt-chasing or death-threats perceived by the reader of the said written texts.



                      • Robert won. He used this to dupe some poor soul into being owner. Now he's finally free! As for myself, I suspect it was all an elaborate hoax to that end



                        • To us, it is the BEAST.



                          • Don't forget to install the shell shock patch.
                            “It is no use trying to 'see through' first principles. If you see through everything, then everything is transparent. But a wholly transparent world is an invisible world. To 'see through' all things is the same as not to see.”

                            ― C.S. Lewis, The Abolition of Man
