GSC has been hacked


Johan:
Quote from: J. M. Pescado on 2010 January 17, 02:26:52

The latter seems more likely. If a true vulnerability existed, it would not have been easy to selectively target data using an SQL or PHP vulnerability, and your attacker would have simply deleted everything. Similarly, admin-level password compromise is thus unlikely, as if someone had an admin password, they would have been able to do far more damage.


Yeah, I think I'm leaning towards that option too. One strange detail, though, was that there had been some failed login attempts on some accounts using the wrong random passwords.

Quote from: J. M. Pescado on 2010 January 17, 02:26:52

Is there a technical reason, other than possibly sheer size, that would have made this impossible?


Yeah, the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and all the necessary information to connect to the database. Thomas is a pixel pusher and he doesn't know how that stuff works.
We don't have any functionality to get a list of passwords in admin, so he would have had to pick them one by one to compile a list, which due to sheer size is next to impossible.
 
Quote from: J. M. Pescado on 2010 January 17, 02:26:52

This does sound excessively laborious, but not impossible, if he selectively compiled anti-paysite activists. The more likely scenario is still whole or partial membertable dumping.


Theoretically possible, but then again I have a lot of reason to believe he wouldn't do that. A membertable dump is definitely more likely than that, but just as scary.

Quote from: J. M. Pescado on 2010 January 17, 02:26:52

Of the known attacks, the Buggybooz, Shanow, and Scotty attacks are the ones known to me to have confirmed the TSR-password link. There may be others I don't recall offhand, and in none of the unconfirmed cases has this been ruled out as a possibility.

Have there been attacks where it has been confirmed that the password was not the same as a TSR account?

Johan:
Quote from: DrNerd on 2010 January 17, 23:05:54

I don't recall which of the former admins it was (sinthe, maybe), but she did admit at the time that she'd used the same username and password on TSR.
The IP info is here.

Simsecret posts regarding the hacking are here and here.


I've done some digging and from what I can tell it was Sinthe and a shared account (secret poster or something like that) that was compromised.
Some further digging got me to a post on PMBD where Delphy showed a screenshot from Sinthe with the logins, which I assume was from when simsecret got hacked (not sure about that though):
http://phorum.mustnotbenamed.com/index.php/topic,2399.msg141367.html#msg141367

The combination of IPs and user agent definitely points to the same perpetrator as in the Buggybooz incident.

Witchboy:
The user agent for the IP that hacked into SV & GSC is as follows...

IP: 83.170.113.97 User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

J. M. Pescado:
Quote from: Johan on 2010 January 17, 23:34:14

Yeah, I think I'm leaning towards that option too. One strange detail, though, was that there had been some failed login attempts on some accounts using the wrong random passwords.
That doesn't mean anything. Random people randomly rattle doors on accounts all the time. This would only be a concern if there was a systemic pattern of door-rattling. Given that you run a paysite, it's entirely reasonable to expect that random people will attempt to rattle the doors on accounts simply to see if they can get any free swag, and people also lose their passwords and try to guess which of the set of usual passwords was the right one. Given the sheer size of your site, hundreds if not thousands of such attempts are probably made every week. The SUSPICIOUS thing would be when a strange IP logged into an account, then did nothing with it, and that account was subsequently attacked elsewhere, meaning that someone was trying to probe for a TSR commonality before attempting an attack.

Quote from: Johan on 2010 January 17, 23:34:14

Yeah, the technical reason being that he wouldn't be able to dump the member table even if he had a GUI db client and all the necessary information to connect to the database. Thomas is a pixel pusher and he doesn't know how that stuff works.
I dunno about that. I mean, Spilt Pee Soup, a thoroughly nontechnical user, managed to figure out how to use phpmyadmin just fine. Also, there is no guarantee it was Thomas who personally did it. Thomas is the most likely suspect purely based on motives and opportunity, but he isn't the only one who could have done it.

Quote from: Johan on 2010 January 17, 23:34:14

We don't have any functionality to get a list of passwords in admin, so he would have had to pick them one by one to compile a list, which due to sheer size is next to impossible.
Or, he could dump the entire thing and do a CTRL-F...

Quote from: Johan on 2010 January 17, 23:34:14

Theoretically possible, but then again I have a lot of reason to believe he wouldn't do that. A membertable dump is definitely more likely than that, but just as scary.
The exact methodology by which the information was acquired from the database is really less important than the fact that it clearly had to have been.

Quote from: Johan on 2010 January 17, 23:34:14

Have there been attacks where it has been confirmed that the password was not the same as a TSR account?
No. There have been no negative confirmations where a password-attack was conclusively NOT a TSR account password, only cases where confirmation could not be acquired due to either the user not remembering, or not being present. All other hacking attacks not related or suspected to be related to TSR account passwords have all been dismissed as common vandalism and bear no connection to any community politics.
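Pescado's point above is a triage rule: scattered failed logins are background noise on any large site, while one source IP successfully entering many unrelated accounts is the signature of a reused credential list being tested. The script below is an added example, not code from the thread or from either site; it runs over constructed log lines in a made-up format (timestamp, IP, user-agent tag, username, result) and classifies each source IP accordingly. The cross-site follow-up Pescado describes (account entered here, then attacked elsewhere) cannot be seen in one site's log alone, so it is out of scope here.

```python
"""Added example (not from the thread): separate background failed-login
noise from a single source IP that successfully logs into many unrelated
accounts, the pattern expected when credentials leaked from another site
(TSR, in the thread) are replayed here. Log format and addresses are
constructed for illustration; the thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <ip> <ua-tag> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2010-01-17T02:01:10 198.51.100.7 ua1 alice FAIL
2010-01-17T02:01:15 198.51.100.7 ua1 alice FAIL
2010-01-17T02:01:40 198.51.100.7 ua1 alice OK
2010-01-17T03:12:00 203.0.113.9 ua2 bob FAIL
2010-01-17T03:12:04 203.0.113.9 ua2 bob FAIL
2010-01-17T03:12:10 203.0.113.9 ua2 bob FAIL
2010-01-17T04:00:01 192.0.2.44 ua3 carol OK
2010-01-17T04:00:09 192.0.2.44 ua3 dave OK
2010-01-17T04:00:17 192.0.2.44 ua3 erin OK
2010-01-17T04:00:25 192.0.2.44 ua3 frank FAIL
2010-01-17T04:00:33 192.0.2.44 ua3 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, ua, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "ua": ua, "user": user,
                           "ok": result == "OK"})
    return events


def profile_sources(events):
    """Per source IP: accounts successfully entered, accounts failed, failure count."""
    prof = defaultdict(lambda: {"ok_users": set(), "fail_users": set(), "fails": 0})
    for e in events:
        p = prof[e["ip"]]
        if e["ok"]:
            p["ok_users"].add(e["user"])
        else:
            p["fail_users"].add(e["user"])
            p["fails"] += 1
    return prof


def classify(prof, reuse_threshold=3):
    """Label each IP. Many distinct successful accounts from one IP is the
    credential-reuse signature; failures with no success at all is the
    door-rattling Pescado dismisses as noise; anything else is normal."""
    verdicts = {}
    for ip, p in prof.items():
        if len(p["ok_users"]) >= reuse_threshold:
            verdicts[ip] = "credential-reuse-pattern"
        elif p["fails"] and not p["ok_users"]:
            verdicts[ip] = "door-rattling"
        else:
            verdicts[ip] = "normal"
    return verdicts


def triage(text, reuse_threshold=3):
    """Convenience wrapper: log text in, {ip: verdict} out."""
    return classify(profile_sources(parse_log(text)), reuse_threshold)


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

On the sample, the user who mistyped their own password twice and the IP that hammered one account and got nowhere both stay out of the alert; only the IP that walked into four different accounts in half a minute is flagged, which is the case worth pulling user-agent and IP history for, as Witchboy did above.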

Inge:
Quote from: J. M. Pescado on 2010 January 18, 05:15:24

Spilt Pee Soup, a thoroughly nontechnical user, managed to figure out how to use phpmyadmin just fine.

If you're talking about Brynne, I don't think she did. Every time she wanted to look at something she asked someone to do it for her, handing out temporary admin access if necessary. Lol, long after she thought she'd banned me I could have got in the back door. Fortunately for her I wasn't the shady character she thought I was.
