
The Apolyton hacking pool


  • Yeah, about compromised stuff. In principle any of the hackers could have downloaded the encrypted forum passwords, but they are half-decently encrypted and so it's unlikely they would want to waste the resources to crack them open. Of course changing your forum password and considering it to be compromised is a good security precaution.

    But I would actually advise not doing so yet, because some of the non-forum backdoors into the server probably remain still in place and the server can't be considered secure until Martin gets here to do some magic.
    Solver, WePlayCiv Co-Administrator
    Contact: solver-at-weplayciv-dot-com
    I can kill you whenever I please... but not today. - The Cigarette Smoking Man



    • my 'poly password hasn't changed in fifteen years, and this is the only place that i use it. or does even logging into apolyton pose some kind of danger to us?
      I wasn't born with enough middle fingers.
      [Brandon Roderick? You mean Brock's Toadie?][Hanged from Yggdrasil]



      • Originally posted by self biased
        my 'poly password hasn't changed in fifteen years, and this is the only place that i use it. or does even logging into apolyton pose some kind of danger to us?
        In theory the hackers could have put a browser exploit on all the pages so that visiting the site would be dangerous but that would only matter to people with old, unupdated, insecure browsers and Solver would have probably noticed it.



        • Nah you're fine of course, forum addiction notwithstanding. Worst case scenario someone might decode your password and log in as you here, but realistically that's of no likelihood.
          Solver, WePlayCiv Co-Administrator
          Contact: solver-at-weplayciv-dot-com
          I can kill you whenever I please... but not today. - The Cigarette Smoking Man



          • I'm pretty sure they'd need root access to read packets, and I doubt they got it.

            e: well I suppose they can see anything the webserver sees. Maybe the webserver can see the passwords before they get hashed, maybe not? Auth is sometimes handled separately.



            • There were no processes or tools installed to snoop on the traffic. Of course it is never safe to send passwords in clear text in the first place as there are many conceivable ways to snoop on that.

              vBulletin does not entirely suck though and if you type your password into the login form, it actually gets hashed client-side and the hash gets submitted:

              Code:
              md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)
              Also,

              "I'm pretty sure they'd need root access to read packets, and I doubt they got it."
              That is highly optimistic.

              After obtaining a remote shell, they did run a root privilege escalation exploit that was reported on Mitre back in 2010. I do not know if it succeeded in this case, but the vulnerability itself is a real one, and one of the problems here on the server is precisely that software dates back to 2010 or even 2009.
              Last edited by Solver; September 10, 2013, 17:36.
              Solver, WePlayCiv Co-Administrator
              Contact: solver-at-weplayciv-dot-com
              I can kill you whenever I please... but not today. - The Cigarette Smoking Man
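
A model of the login exchange described in the post above, as an added example that is not part of the original thread and is not vBulletin's code. The field names vb_login_password and vb_login_md5password come from the post; vb_login_username, the blanking of the plaintext field, the server-side storage scheme, and the account and password are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def browser_submit(username: str, password: str) -> dict:
    """Fields sent after the form's md5hash() call (simplified model)."""
    return {
        "vb_login_username": username,
        "vb_login_password": "",  # assumption: plaintext field is blanked
        "vb_login_md5password": md5_hex(password),
    }


class ForumServer:
    """Assumed storage scheme: md5(client_hash + per-user salt)."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(8).hex()
        self.users[username] = (salt, md5_hex(md5_hex(password) + salt))

    def login(self, form: dict) -> bool:
        record = self.users.get(form["vb_login_username"])
        if record is None:
            return False
        salt, stored = record
        candidate = md5_hex(form["vb_login_md5password"] + salt)
        return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    server = ForumServer()
    server.register("alice", "correct horse")  # constructed account
    form = browser_submit("alice", "correct horse")
    seen_in_transit = dict(form)  # what a plain-HTTP request exposes
    return {
        "plaintext_in_request": "correct horse" in seen_in_transit.values(),
        "login_ok": server.login(form),
        # The server checks only the hash, so in transit it needs TLS like a password.
        "same_fields_accepted_again": server.login(seen_in_transit),
        "wrong_password_ok": server.login(browser_submit("alice", "wrong")),
    }
```

The plaintext stays out of the request, which protects a password reused elsewhere, but the submitted hash is what the server accepts, so it still has to travel over an encrypted connection.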



              • Who won? I didn't keep track.
                DISCLAIMER: the author of the above written texts does not warrant or assume any legal liability or responsibility for any offence and insult; disrespect, arrogance and related forms of demeaning behaviour; discrimination based on race, gender, age, income class, body mass, living area, political voting-record, football fan-ship and musical preference; insensitivity towards material, emotional or spiritual distress; and attempted emotional or financial black-mailing, skirt-chasing or death-threats perceived by the reader of the said written texts.



                • Robert won. He used this to dupe some poor soul into being owner. Now he's finally free! As for myself, I suspect it was all an elaborate hoax to that end



                  • To us, it is the BEAST.



                    • Don't forget to install the shell shock patch.
                      “It is no use trying to 'see through' first principles. If you see through everything, then everything is transparent. But a wholly transparent world is an invisible world. To 'see through' all things is the same as not to see.”

                      ― C.S. Lewis, The Abolition of Man
