Khakain Forum Index -> Hall of Fame

IMM SORY1!1!! i almost skullfucked a moose

Guest

Posted: Thu Dec 16, 2004 1:45 am    Post subject: IMM SORY1!1!! i almost skullfucked a moose

OK you can stop trying to ban me now. My proxies switch out after every connection.

I'm posting to say that I'm sorry for the panic and you people are far less fun than I had assumed.

I would like to object to the expressions of horror at the mere addition of a forum and the de-adminning of someone who tried to end my fun.

...

What should REALLY be horrifying you is, wtf is this doing here:
http://www.khakain.com/theboard/phpbb2/some dude.txt

But seriously folks, I kid.

My username has apparently been deleted, but due to [GAPING SECURITY HOLE OMITTED HAHAHAHA], I still have access to [GAPING SECURITY HOLE OMITTED HAHAHAHA].

I could have sealed this gaping security hole, of course, but as my server's IP has been banned from khakain.com, I cannot use the tools I've made to correct it.

Oh well, someone will point it out eventually. No one will notice until someone gets curious. And that's when you have problems.

I'll let you know in a week. And I'm sorry for the trouble I caused you, Zman. I'll tell Jesus to forgive the ban, too.
Efreit
didgeridoo original
man with the dream
Joined: 02 Oct 1999
Posts: 4083
Location: Perth, Australia

Posted: Thu Dec 16, 2004 1:47 am

Meh, people suck, some dude. Don't let the man get you down.
_________________
i got soul but im not a soldier
Krono
hates you
Joined: 11 Jan 2000
Posts: 3463
Location: Al'alyn, United Arab Emerates

Posted: Thu Dec 16, 2004 1:53 am

Yeah, seriously. Most people here think you're awesome. No one would mind if you stuck around.
drewnb
cochinillo
Joined: 21 Nov 1999
Posts: 1640

Posted: Thu Dec 16, 2004 1:58 am

Why would the some dude be banned from here? He should be admin.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 2:11 am

I'm guessing HOAX.

Edit: And that file seems to be 404.
drewnb
cochinillo
Joined: 21 Nov 1999
Posts: 1640

Posted: Thu Dec 16, 2004 2:22 am

Actually it did read 'some dude was here'.
_________________
[B][78][F5][FF][K]
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 2:25 am

Looks like it's ShadowLynk's fault.
Archdeco
Bored as hell.
Mmm...Nutella
Joined: 16 Apr 2000
Posts: 5279
Location: Kansas City

Posted: Thu Dec 16, 2004 2:28 am

All the more reason to keep some dude around.
Who Cares
Groove
Member since 1999
Joined: 30 Dec 1999
Posts: 3888
Location: ...

Posted: Thu Dec 16, 2004 2:34 am

I've been a some dude fan since his tour with Whitesnake in '85.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 2:47 am

Security hole fixed....hopefully.
Archdeco
Bored as hell.
Mmm...Nutella
Joined: 16 Apr 2000
Posts: 5279
Location: Kansas City

Posted: Thu Dec 16, 2004 2:50 am

But oh, the damage that has been done. Like me, Krono and Kal being admins.

Any chance it could stay that way?
drewnb
cochinillo
Joined: 21 Nov 1999
Posts: 1640

Posted: Thu Dec 16, 2004 2:51 am

Yes it should.

Especially for Kal.
_________________
[B][78][F5][FF][K]
Krono
hates you
Joined: 11 Jan 2000
Posts: 3463
Location: Al'alyn, United Arab Emerates

Posted: Thu Dec 16, 2004 2:52 am

We very obviously deserve it.

Especially, yeah, Kal.

(And me and Deco, too, that is)
Archdeco
Bored as hell.
Mmm...Nutella
Joined: 16 Apr 2000
Posts: 5279
Location: Kansas City

Posted: Thu Dec 16, 2004 2:55 am

Even if you de-admin the both of us, keep Kal on. He's long overdue.
Archdeco
Bored as hell.
Mmm...Nutella
Joined: 16 Apr 2000
Posts: 5279
Location: Kansas City

Posted: Thu Dec 16, 2004 3:01 am

Vaginas, every last one of you.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 3:01 am

I'm not touching anything. I'm too damn tired. Copying and pasting the change log from 2.0.10 to 2.0.11 is a pain in the ass.
Assassin
Member since 1999
Joined: 03 Feb 2004
Posts: 361
Location: Riverhead, New York

Posted: Thu Dec 16, 2004 3:56 am

I'm a big some dude fan, he should be an administrator. Seriously.
Flea
Puta Traidora
Joined: 17 Oct 1999
Posts: 1376
Location: SD

Posted: Thu Dec 16, 2004 4:07 am

Jesus. Who cares if you're an admin for a message board? Whoopdeeshit, you have the ability to screw everything up. Whee.
Assassin
Member since 1999
Joined: 03 Feb 2004
Posts: 361
Location: Riverhead, New York

Posted: Thu Dec 16, 2004 4:11 am

I don't really care if he's an administrator, he should just be allowed to stick around at least. Obviously he didn't do too much, I fell asleep around 6 P.M. EST and woke up around 11 and apparently between 11 and now everything's been fixed.
Flea
Puta Traidora
Joined: 17 Oct 1999
Posts: 1376
Location: SD

Posted: Thu Dec 16, 2004 4:13 am

Fucking around with the board very much now is kind of like being an Arab shortly after 9/11. Generally not a good idea, as tempers are still short.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 4:16 am

Someone deleted his account (not me) and someone banned his IPs (me). I'm waiting for him to reply so I can unban him because the IP logs are gone.
Reitz
Big Boss
Supreme Dictator-For-Life
Joined: 09 Sep 1999
Posts: 7220
Location: Sheppard AFB

Posted: Thu Dec 16, 2004 8:42 am

If the gaping security hole is Snip's back door, we all know about it and it's kind of an inside joke around here. Thanks to work I totally missed everything, but eh.
_________________
"Colonel! I've located a ration... but it's trapped behind some sort of metal forcefield! I... I can't get through it!"
"...Raiden, it's just a can, there's a tab..."
"This wasn't in VR training!"
KALIMDEL
Random Hero
Joined: 07 Feb 2004
Posts: 987
Location: Manitoba, CANADA

Posted: Thu Dec 16, 2004 10:30 am

HEY WTF WAS I AN ADMIN OR SOMETHING?? FUCK I MISSED IT.
Efreit
didgeridoo original
man with the dream
Joined: 02 Oct 1999
Posts: 4083
Location: Perth, Australia

Posted: Thu Dec 16, 2004 12:25 pm

Reitz wrote:
If the gaping security hole is Snip's back door, we all know about it and it's kind of an inside joke around here. Thanks to work I totally missed everything, but eh.

It wasn't Snip's back door, and it's been patched now. But it was a pretty freakin' hilarious breach, I must say =P
_________________
i got soul but im not a soldier
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 2:00 pm

It was through the fuckin' word highlight code.
The Cabbage
Member since 1999
Joined: 09 Oct 1999
Posts: 3698

Posted: Thu Dec 16, 2004 3:47 pm

O_o
_________________
I got ants in my pants and I need to dance.
DAVE
Pwner of a lonley heart
Mmm...Nutella
Joined: 20 Feb 2001
Posts: 3383

Posted: Thu Dec 16, 2004 4:02 pm

Too awesome.

I think he should be an admin because, hell, if he wanted to, are you going to stop him?
Guest

Posted: Thu Dec 16, 2004 4:03 pm

The exploit works on all phpBB boards at version 2.0.10 or lower, and works best on 2.0.10.

Basically all you need is the address of the board and a working topic ID number, and you can execute any command on the system with the permissions of the webserver.

I could give you all the address of the tools I made being that they no longer work here, but I don't want to incite mayhem across the internet again.


The GAPING SECURITY HOLE I was referring to earlier was the fact that I had removed authentication checking from the "admin" folder. Between the hours of 11PM and 1AM last night it was possible to log out and access the administration panel from anywhere.



Being that I could have just erased the entire home directory (rm -rf ~/), which includes the board, I think I did relatively minimal damage.

Now aren't you all glad I found this before some trickster did?
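Editor's added example; it is not code from this thread and has nothing to do with the tools the poster mentions. The post above gives only the preconditions (the board address plus a valid topic ID, phpBB 2.0.10 or lower), and Zman's earlier reply names the component: the word-highlight code. What a board admin reading this would want is a way to find such requests in the web server's access log after the fact. The script below parses Apache combined-format lines and flags viewtopic.php requests whose highlight parameter, decoded once as the web server does and then again as phpBB 2.0.x's urldecode() does, contains quote or bracket characters or PHP function names that a list of search terms never needs. The log lines are constructed for the example (documentation IP ranges, not real khakain.com traffic), and the character set and function list are my assumptions about what separates a search term from injected code, not a verified signature of any particular exploit.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines for the example (not real khakain.com traffic).
# The two 198.51.100.7 lines carry a highlight value that decodes to PHP code.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2004:22:41:03 -0500] "GET /theboard/phpbb2/viewtopic.php?t=1234&highlight=moose HTTP/1.1" 200 18211 "-" "Mozilla/4.0"
203.0.113.5 - - [16/Dec/2004:22:41:09 -0500] "GET /theboard/phpbb2/viewtopic.php?t=1234&highlight=bat+country HTTP/1.1" 200 18211 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Dec/2004:23:10:41 -0500] "GET /theboard/phpbb2/viewtopic.php?t=1234&highlight=%2527.system(id).%2527 HTTP/1.1" 200 19044 "-" "-"
198.51.100.7 - - [16/Dec/2004:23:11:02 -0500] "GET /theboard/phpbb2/viewtopic.php?t=1234&highlight=%2527%252Epassthru(%2522ls%2522)%252E%2527 HTTP/1.1" 200 19044 "-" "-"
192.0.2.9 - - [16/Dec/2004:23:30:00 -0500] "GET /theboard/phpbb2/index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Characters a space-separated list of search terms never needs; each is what an
# attacker uses to break out of a string inside code.  Assumed set for the example.
BREAKOUT_CHARS = set("'\"();$`\\")

# PHP calls that indicate code rather than a search term.  Assumed list; extend as needed.
PHP_CALL_RE = re.compile(
    r'\b(system|passthru|exec|shell_exec|popen|eval|fopen|fwrite|include|chr)\s*\(', re.I
)


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def highlight_findings(raw_target):
    """Reasons the highlight parameter of a viewtopic.php request looks like code.

    Returns a list of reason strings; empty for a clean request or a non-viewtopic URL.
    """
    parts = urlsplit(raw_target)
    if not parts.path.endswith('/viewtopic.php'):
        return []
    # parse_qs decodes once, as the web server does before PHP sees the value.
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for once in query.get('highlight', []):
        # phpBB 2.0.x urldecode()s the already-decoded value a second time, so a
        # browser-encoded search term is unchanged here while a deliberately
        # double-encoded value changes.
        twice = unquote(once)
        if twice != once:
            reasons.append('double-encoded')
        bad = BREAKOUT_CHARS.intersection(twice)
        if bad:
            reasons.append('breakout chars ' + ''.join(sorted(bad)))
        if PHP_CALL_RE.search(twice):
            reasons.append('php function call')
    return reasons


def scan(log_text):
    """Return (ip, timestamp, reasons) for every suspicious viewtopic.php request in log_text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = highlight_findings(rec['target'])
        if reasons:
            hits.append((rec['ip'], rec['ts'], reasons))
    return hits


if __name__ == '__main__':
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(f'{ts} {ip}: {", ".join(reasons)}')
```

Feed it the real access log with `scan(open('/var/log/apache/access.log').read())`. The double-encoding check is the most specific of the three tests: a browser encodes a search term once, so a value that still changes under a second decode was built by hand. The other two checks are there so a single-encoded attempt is not missed.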
Krono
hates you
Joined: 11 Jan 2000
Posts: 3463
Location: Al'alyn, United Arab Emerates

Posted: Thu Dec 16, 2004 4:15 pm

See? He's like our very dangerous, slightly offsetting, but overall pretty cool guardian angel.
Who Cares
Groove
Member since 1999
Joined: 30 Dec 1999
Posts: 3888
Location: ...

Posted: Thu Dec 16, 2004 4:18 pm

Aww, thanks, sweetie.
The Letter E
Joined: 17 Mar 2005
Posts: 0

Posted: Thu Dec 16, 2004 5:26 pm

Weeee unbanned....

I kinda miss my "Taker of Childrens Candy" custom rank, though...
Krono
hates you
Joined: 11 Jan 2000
Posts: 3463
Location: Al'alyn, United Arab Emerates

Posted: Thu Dec 16, 2004 6:18 pm

So what kind of stuff can't you hack? I'm curious. What are some successful security measures that have (or could possibly have) kept you out in the past?
Archdeco
Bored as hell.
Mmm...Nutella
Joined: 16 Apr 2000
Posts: 5279
Location: Kansas City

Posted: Thu Dec 16, 2004 6:22 pm

Are things like, say, Gamefaqs accounts out of your reach?
Rocketlex
Member since 1999
Joined: 31 Jan 2004
Posts: 5283
Location: Arpegania

Posted: Thu Dec 16, 2004 6:23 pm

Oh, God, not this again...
_________________
Board City
(A fantastic comic of words!)
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 8:28 pm

I'm sure SL isn't the smartest person when it comes to making good passwords.
Efreit
didgeridoo original
man with the dream
Joined: 02 Oct 1999
Posts: 4083
Location: Perth, Australia

Posted: Thu Dec 16, 2004 10:00 pm

Archdeco wrote:
Are things like, say, Gamefaqs accounts out of your reach?

Ahahaha. That would be the ultimate revenge... I love it.
_________________
i got soul but im not a soldier
The Letter E
Joined: 17 Mar 2005
Posts: 0

Posted: Thu Dec 16, 2004 11:30 pm

Krono wrote:
So what kind of stuff can't you hack? I'm curious. What are some successful security measures that have (or could possibly have) kept you out in the past?


For this specific hack, the only insecurity I could manage to exploit was the webserver's permissions.

It's a good idea (though not necessary) to have your webserver run as "nobody" and give it only read access to the files it needs to access. Since it's being run as the user "khakain," it has write access to all of khakain's files, including the one I modified to grant access to the admin section.

Things that keep hackers out (khakain has almost all these, good job guys):
- Disabling remote connections for MySQL
- Setting up proper linux permissions
- Not making all your passwords the same, and not using "password" or a series of consecutive numbers as your password
- Disabling default login usernames

Things that you think keep hackers out but don't:
- Excessively strong password. Pretty much any mangled English word with some numbers will work fine, you don't have to have a 20-character completely random password, the security difference is minimal considering they would both take several billion years to brute force.
- Firewall. Just give it up. If we want in, we get in.
- Secret questions that only you (supposedly) know the answer to. I've called several people to ask them the answer to their secret question in a roundabout way, and it fucking works more often than anyone wants to admit.
- Advertising the fact that you have some kind of anti-hacker protection installed. We view this as a challenge, not a deterrent.

The golden rule is pretty much thus: If you believe it's error-free, chances are good one will be found, and you will find out about it only after it has been exploited.

I've never tried GameFAQs but I believe it must be possible.
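Editor's added example to go with the point about webserver permissions in the post above; it is not from the poster and was not run against khakain.com. The recommendation is that the account the web server runs as should be able to read the board's files but write only the few places the application needs. The script below walks a document root and lists what a given uid (with its group memberships) could write, using the same owner/group/other check the kernel applies, minus anything under directories you expect to be writable. The demo layout, the uid it checks, the "nobody" account name and the avatar-upload exception are assumptions for the example; against a real install you would run it as `audit_tree('/path/to/phpbb2', *identity('nobody'), expected_writable=(...))` with whatever directories your board version actually writes to.

```python
import os
import stat
import pwd
import grp
import tempfile


def identity(user):
    """uid and the full set of gids of a local account (primary plus supplementary groups)."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def can_write(st, uid, gids):
    """Whether a process running as uid (member of gids) may write the inode described by st.

    Mirrors the POSIX mode check: owner bits if the uid matches, else group bits if
    any gid matches, else the other bits.  root (uid 0) bypasses it entirely.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, uid, gids, expected_writable=()):
    """Sorted (files, dirs) under root that uid could write, minus the expected ones.

    expected_writable lists directories (relative to root) the application legitimately
    writes to; they and their contents are skipped.  A writable directory is reported
    because it lets the web server create or replace files there, PHP sources included,
    even when every existing file is read-only.  Symlinks are skipped so the walk stays
    inside the tree.
    """
    allowed = [os.path.join(root, p.strip('/')) for p in expected_writable]

    def is_expected(path):
        return any(path == a or path.startswith(a + os.sep) for a in allowed)

    files, dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, dirs) for n in dirnames] + [(n, files) for n in filenames]
        for name, bucket in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or is_expected(path):
                continue
            if can_write(st, uid, gids):
                bucket.append(path)
    return sorted(files), sorted(dirs)


# A uid that owns nothing in the demo tree, standing in for a separate "nobody"-style
# web server account (assumption for the example; never 0).
DEMO_UID = os.getuid() + 1


def build_demo_tree():
    """Constructed phpBB-like layout for the example; returns (root, paths)."""
    root = tempfile.mkdtemp(prefix='phpbb2-audit-')
    paths = {
        'config': os.path.join(root, 'config.php'),
        'admin': os.path.join(root, 'admin'),
        'index': os.path.join(root, 'admin', 'index.php'),
        'avatars': os.path.join(root, 'images', 'avatars'),
    }
    os.makedirs(paths['avatars'])
    os.mkdir(paths['admin'])
    for key in ('config', 'index'):
        open(paths[key], 'w').close()
    os.chmod(paths['config'], 0o644)   # readable by the server, writable only by its owner
    os.chmod(paths['index'], 0o666)    # world-writable source file: the finding we want
    os.chmod(paths['admin'], 0o777)    # world-writable directory: also a finding
    os.chmod(paths['avatars'], 0o777)  # world-writable, but expected for avatar uploads
    return root, paths


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        root = sys.argv[1]
        uid, gids = identity(sys.argv[2] if len(sys.argv) > 2 else 'nobody')
    else:
        root, _ = build_demo_tree()
        uid, gids = DEMO_UID, set()
    files, dirs = audit_tree(root, uid, gids, expected_writable=('images/avatars',))
    for d in dirs:
        print('writable dir :', d)
    for f in files:
        print('writable file:', f)
```

Run with no arguments it audits the constructed tree and reports admin/ and admin/index.php but not config.php or the avatar directory. The point of the demo is the second finding: if the server's account could write the directory, a read-only index.php would not have helped, since the file could be replaced. The poster's own scenario, the server running as the owner of every file, is the case where `st.st_uid == uid` is true throughout and the owner write bit decides everything.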
Rocketlex
Member since 1999
Joined: 31 Jan 2004
Posts: 5283
Location: Arpegania

Posted: Thu Dec 16, 2004 11:37 pm

I wonder, would it be possible to set some sort of trap program? Something which looks like an exploit but, when used, actually sends out a virus or something?
_________________
Board City
(A fantastic comic of words!)
Dunkinbean
Handsome
Joined: 28 Oct 1999
Posts: 4577
Location: Naperville, Illinois

Posted: Thu Dec 16, 2004 11:38 pm

Quote:
- Firewall. Just give it up. If we want in, we get in.


Thank you. I'm tired of fixing people's computers and having the problem turn out to be Zone Alarm blocking a port.
The Fonz
Member since 1999
Joined: 11 Oct 1999
Posts: 2610
Location: Ottawa

Posted: Thu Dec 16, 2004 11:39 pm

Heh, same with the new windows firewall. I turned that shit off the second it DL'd SP2.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 11:57 pm

Gamefaqs accounts would probably be pretty easy for Brutus to crack, especially since the username is already known.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Thu Dec 16, 2004 11:59 pm

You guys know the email address, right?
Tinister
Sterdonian Superwarrior
Joined: 13 Nov 1999
Posts: 2728

Posted: Fri Dec 17, 2004 12:24 am

Actually, GameFAQs now has it where to log in you need an email address and a password, they don't ask for your username anymore. Shadowlynk posted on his topic that he was gonna use a private email address.
_________________
Doug Flutie. Part Cyborg. Part Jesus. Most likely your biological father.
Zman
Administrator/1999
Joined: 25 Nov 1999
Posts: 1958
Location: Seattle, WA

Posted: Fri Dec 17, 2004 12:47 am

Brutus is having a hard time figuring out what the correct response for a login is. I might have to switch to Access Driver.
drewnb
cochinillo
Joined: 21 Nov 1999
Posts: 1640

Posted: Fri Dec 17, 2004 1:35 am

Off topic, but I hate it that gamefaqs boards are gonna merge with gamespot. It was bad enough as it was.
_________________
[B][78][F5][FF][K]
All times are GMT - 4 Hours

Powered by phpBB © 2001, 2002 phpBB Group