So I guess we all should change passwords then? Anything else we should be wary of?
The Apolyton hacking pool
-
Originally posted by Nikolai:
So I guess we all should change passwords then?
-
Yeah, about compromised stuff. In principle any of the hackers could have downloaded the encrypted forum passwords, but they are half-decently encrypted and so it's unlikely they would want to waste the resources to crack them open. Of course changing your forum password and considering it to be compromised is a good security precaution.
But I would actually advise not doing so yet, because some of the non-forum backdoors into the server probably remain still in place and the server can't be considered secure until Martin gets here to do some magic.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man
-
my 'poly password hasn't changed in fifteen years, and this is the only place that i use it. or does even logging into apolyton pose some kind of danger to us?
I wasn't born with enough middle fingers.
[Brandon Roderick? You mean Brock's Toadie?][Hanged from Yggdrasil]
-
Originally posted by self biased:
my 'poly password hasn't changed in fifteen years, and this is the only place that i use it. or does even logging into apolyton pose some kind of danger to us?
-
Nah you're fine of course, forum addiction notwithstanding. Worst case scenario someone might decode your password and log in as you here, but realistically that's of no likelihood.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man
-
There were no processes or tools installed to snoop on the traffic. Of course it is never safe to send passwords in clear text in the first place as there are many conceivable ways to snoop on that.
vBulletin does not entirely suck though and if you type your password into the login form, it actually gets hashed client-side and the hash gets submitted:
Code:
md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)
I'm pretty sure they'd need root access to read packets, and I doubt they got it.
After obtaining a remote shell, they did run a root privilege escalation exploit that was reported on Mitre back in 2010. I do not know if it succeeded in this case, but the vulnerability itself is a real one, and one of the problems here on the server is precisely that software dates back to 2010 or even 2009.
Last edited by Solver; September 10, 2013, 17:36.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man
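The login exchange described in the post above, as an added sketch that is not part of the original thread and not vBulletin's own code. It assumes the server stores md5(md5(password) + salt), the scheme commonly documented for vBulletin 3.x/4.x; apart from the three vb_login_* field names quoted in the post, every name and value is made up for the illustration.

```javascript
// Added illustration, not vBulletin source. Everything except the three
// vb_login_* field names quoted in the post is a hypothetical name.
const { createHash, timingSafeEqual } = require("node:crypto");

const md5hex = (s) => createHash("md5").update(s, "utf8").digest("hex");

// Browser side: what the form carries after the onsubmit md5hash() call.
// Assumption: for an ASCII password both digest fields hold the same value.
function clientSubmit(password) {
  const digest = md5hex(password);
  return {
    vb_login_password: "", // plaintext field is blanked before submission
    vb_login_md5password: digest,
    vb_login_md5password_utf: digest,
  };
}

// Server side (assumed scheme): stored value is md5(md5(password) + salt).
function enroll(password, salt) {
  return { salt, hash: md5hex(md5hex(password) + salt) };
}

function verifyLogin(form, account) {
  const candidate = md5hex(String(form.vb_login_md5password) + account.salt);
  return timingSafeEqual(Buffer.from(candidate), Buffer.from(account.hash));
}

// Constructed password and salt, for demonstration only.
function demo() {
  const account = enroll("correct horse", "x7Q");
  const form = clientSubmit("correct horse");
  return {
    // An observer of the request body does not see the plaintext...
    plaintextOnWire: JSON.stringify(form).includes("correct horse"),
    loginOk: verifyLogin(form, account),
    // ...but the digest by itself is accepted, so it is password-equivalent
    // for this site and still needs transport encryption (HTTPS).
    digestAloneOk: verifyLogin(
      { vb_login_md5password: form.vb_login_md5password }, account),
    wrongPasswordOk: verifyLogin(clientSubmit("wrong"), account),
  };
}

console.log(demo());
```

Client-side hashing keeps the plaintext (and any reuse of it on other sites) out of the request, but the submitted digest is what the server authenticates, so the form still has to go over HTTPS.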
-
Who won? I didn't keep track.
DISCLAIMER: the author of the above written texts does not warrant or assume any legal liability or responsibility for any offence and insult; disrespect, arrogance and related forms of demeaning behaviour; discrimination based on race, gender, age, income class, body mass, living area, political voting-record, football fan-ship and musical preference; insensitivity towards material, emotional or spiritual distress; and attempted emotional or financial black-mailing, skirt-chasing or death-threats perceived by the reader of the said written texts.
-
Don't forget to install the shell shock patch.
“It is no use trying to 'see through' first principles. If you see through everything, then everything is transparent. But a wholly transparent world is an invisible world. To 'see through' all things is the same as not to see.”
― C.S. Lewis, The Abolition of Man