
Question re compromised account information


agsteele


Wazoo has helpfully posted an alert about the recent hack of the forum and potential for compromised account information.

If all it means is that I get on another spammer's list then I guess I can live with that :huh:

But I'm wondering if password data is kept in plain text? If so, then I presume we all need to update our passwords to avoid the hacker masquerading as us.

Andrew


No, not plain text. A bit of encryption, MD5 that, then add a bit of a salt .... but yes, both the encrypted item and the salt are both in the database .... changing passwords would not be a bad idea, especially if one uses the same password elsewhere, though technically, this is something that should be done on a regular basis anyway .... I've hit over 30 boards/forums over the last few hours, but have yet to see complaints of 'user' accounts getting hijacked in all of this (excluding those that were using an insecure/older version of IE and hit a Forum that had been hit with one of the IFRAME exploits ... and actually, the results of the IFRAME exploits aren't that the user's account gets compromised, it's the user's computer that gets zombied .... and repeating, none of these attempts have been successful on this Forum ... I'd like to say that some of my heavy-handed hacks prevented those, but it's more likely due to the great Moderating team at work)

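The post above describes the storage scheme (an MD5 hash plus a salt, both in the database) and recommends changing passwords. The following is an added example, not the forum software's own code: it verifies a record of that legacy shape and, on a successful login, re-hashes the password under a slow KDF so a future database leak costs an attacker far more per guess. The exact legacy combination md5(salt + password) and all account values are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 300_000  # cost factor for the upgraded scheme


def legacy_hash(password: str, salt: str) -> str:
    # Assumed legacy form: a single MD5 over salt and password.
    # MD5 is fast, so with salt and hash both leaked each guess costs
    # one cheap hash; the salt only stops precomputed-table reuse.
    return hashlib.md5((salt + password).encode()).hexdigest()


def verify_legacy(password: str, record: dict) -> bool:
    candidate = legacy_hash(password, record["salt"])
    # Constant-time comparison avoids leaking hash bytes via timing.
    return hmac.compare_digest(candidate, record["hash"])


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERS) -> dict:
    salt = os.urandom(16)  # fresh per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iters": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def login(password: str, record: dict) -> tuple:
    """Return (ok, record). A legacy record that verifies is replaced by an
    upgraded PBKDF2 record, which the caller should persist in place."""
    if record["scheme"] == "md5-salt":
        if not verify_legacy(password, record):
            return False, record
        return True, pbkdf2_record(password)
    return verify_pbkdf2(password, record), record


if __name__ == "__main__":
    # Constructed sample account (hypothetical values).
    legacy = {"scheme": "md5-salt", "salt": "ab12",
              "hash": legacy_hash("hunter2", "ab12")}
    ok, upgraded = login("hunter2", legacy)
    print(ok, upgraded["scheme"])  # True pbkdf2-sha256
```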

I am pretty depressed at the moment ... have spent a number of the past hours wading through a bunch of "web / forum / database" hacking sites, pretty much leading to the question of why anyone would want to put up a website these days .... geeze ....

I've found several copies of the script available that was more than likely used in this last hack. It's been a slow process of translating a lot of Russian text and Perl code to try to sort things out. On one hand, there is some agreement that some of "us" have been seeing the 'same' spam since that hack, suggesting that the database was compromised. However, if one goes with the "script-kiddie" scenario ......

The "original" script did not run through its full course, assumedly due to me shutting down the server while the lowlife was "in the process" ... I base this decision on that the codebase I've seen has several other things/options available that didn't happen here. If I offer a bit of an analogy that there was a menu of 10 things to do, this hacker only got to option #4.

I have found that there was an additional script offered up a few days after the original code was posted that is identified with the phrase " Stealing info about users (format id:pass:salt::email)" which would seem to indicate that once the initial hack was made, and the database was available, then the snagging of all user data would be the next step. Whether "our" hacker had access to this additional bit of code is unknown, but the suspicions would be that this "option" would have been further down the list than where he/she was stopped.

There is nothing in the access logs that shows any kind of a database grab (whereas it does show that he/she spent over six hours to actually "get into" the system [under my/Admin account .. technically not sure which way that decision process actually falls out .. code default is to target user #1])

I'm really of the thought that this hacker only got my data, perhaps some of the 'staff' based on what I can make out of the code and access logs .. yet one of the two folks that have talked about the recent 'new spam' doesn't fit into the same category. So I am stuck having to say that I don't know for sure if or how much data was gleaned ......


> I am pretty depressed at the moment ... have spent a number of the past hours wading through a bunch of "web / forum / database" hacking sites, pretty much leading to the question of why anyone would want to put up a website these days .... geeze ....

Your commitment and efforts are much appreciated. Thanks for keeping watch!

Andrew


I think my spamcop e-mail address was lifted too, because yesterday I received the first two spams I have had for a year and a half, and these were the first ever spams to my spamcop address itself, which is registered with the forum. They also both referenced the site kassir.ru, as did the spams mentioned in this post: http://forum.spamcop.net/forums/index.php?showtopic=6730 (second post).

A round of applause for Wazoo for catching the hacker in the act and stopping them doing more damage! Your efforts are indeed much appreciated.


> I think my spamcop e-mail address was lifted too, because yesterday I received the first two spams I have had for a year and a half, and these were the first ever spams to my spamcop address itself, which is registered with the forum. They also both referenced the site kassir.ru, as did the spams mentioned in this post: http://forum.spamcop.net/forums/index.php?showtopic=6730 (second post)

I thought they were???


If the offending website is kassir.ru it seems that my address was lifted too, I got 30 spams in one day all linking to this site.

I don't think we have sufficient data to indicate these spams were as a result of the hacker. I've not noticed any increase in spam or particular source. Much more likely is that you are one of the lucky ones to have been located by this particular spammer at this time.

There are many means by which the information can be gathered so we'd all be guessing but without evidence that the hacker got in and passed the addresses on.

Andrew


> I don't think we have sufficient data to indicate these spams were as a result of the hacker. I've not noticed any increase in spam or particular source. Much more likely is that you are one of the lucky ones to have been located by this particular spammer at this time.
>
> There are many means by which the information can be gathered so we'd all be guessing but without evidence that the hacker got in and passed the addresses on.
>
> Andrew

The only spam I have seen a marked increase in is fake gift cards which started June 23 with a single one (Home Depot which I reported directly to them as well because I have filled out surveys to win gift cards from them) and are now coming about 25 per day, all being reported to yipes.com which does not have a good track record (known host to ROKSO groups). These however are all coming in via my yahoo account which I don't think I ever used here.

Submitted: Friday, June 23, 2006 6:34:22 PM -0400:

Home Depot Voucher Winner #568-8755


I know spammers are stupid, but surely harvesting a database of email addresses that regularly report spam has got to be the singularly most stupid thing I have heard all year. Does anyone think this hack has anything to do with spammers wanting to listwash all spamcop emails to stop them being reported? :blink:


After reading the BBC report that agsteele posted in the Lounge, I doubt that spammers are concerned about stopping reporting any more. Why would they care since most of the computers sending spam are compromised computers? The people who are good netizens have secure computers and they are the ones who would do something if they got a report. Few people with compromised computers get a report.

Miss Betsy


> After reading the BBC report that agsteele posted in the Lounge, I doubt that spammers are concerned about stopping reporting any more. Why would they care since most of the computers sending spam are compromised computers? The people who are good netizens have secure computers and they are the ones who would do something if they got a report. Few people with compromised computers get a report.
>
> Miss Betsy

Surely they care if their website gets shut down? You would think it's not worth the hassle, I mean as if anyone from the spamcop forum is going to buy some fake viagra, "enhancement" pills and a dodgy mortgage...


> Does anyone think this hack has anything to do with spammers wanting to listwash all spamcop emails to stop them being reported? :blink:

After going through various 'hacking' sites trying to follow the code, I would say that "SpamCop.net users" were not targeted .... rather the IPB Forum software was the focus. Forums are found by basically doing a search for the copyright string, then the scripts are activated.


I posted this in another thread, but it really belongs here.

I noticed the account data compromised thread. I reported this on a couple other forums I visit. I wanted to comment in that thread, but it's locked. Here's what I would have said:

I hope no one is too upset about this. This is just the nature of web applications. It was a flaw in the forum software (Invision Power Board) and out of the hands of those who run spamcop. There is a lesson in this: on public forums, use a throw-away-able email address -- always! Then if there is ever another successful attack, you'll just be able to throw away the address and then put in a new one.

Oh, and ... yes, it's an IPB problem, not spamcop (just to make that totally clear)

And ... I take heart in the fact that the addresses lifted from this forum (forum.spamcop.net) will result in numerous spam reports. (it's sad that users on the other forums I visit aren't going to do anything at all about the harvest)


Archived

This topic is now archived and is closed to further replies.
