Originally posted by CRZ: Hello Members, bad news. We got hacked. CRZ.
Oh snap they did it again. They're clever! (And, now we know, funny!)
I've plugged the latest hole (the way I SHOULD have done it over the weekend - my bad), and changed my password again (since they helpfully changed it for me - along with Aaron's).
Thankfully, this guy(s) aren't doing damage... just annoying me by figuring out new ways to perform SQL injections.
Looking at the logs, if your userid is 782 or lower, they probably had (or have) your password. Sorry. If they'll DO anything with it, I dunno...you're not admins so I don't know how interesting it will be to post as you (and if you DO see any posts authored by you which you haven't written, and I haven't already noticed the weird flags and deleted it, do let Aaron or me know.)
Note to hackers: "Hacked." is exactly the sort of Twitter I don't want to get on the freeway.
Originally posted by bizzit: I don't try again, I'm not a bad boy, I really don't know why I change the passwords, sry. Add me in ICQ we talk a little bit. ~b!zZ!t
I sent you a private message and I'll add you in ICQ when I get home. (My number is 8046423 if you didn't already see it in my profile)
Originally posted by DJ FrostyFreeze: It does seem odd that CRZ is this ok with his site being hacked and the guy who did it.
It's called pragmatism
Plus, you catch more flies with honey than vinegar.
Yes, this board is part of a lot of people's daily routine. But if it disappeared tomorrow, I don't know how many would shed a tear. Nothing of any real importance is stored here and the worst the hacker can do is be annoying. We get some of that without hackers.
The only folk with anything to fear are those who used that password in another, more important, place (e.g. a bank site) and who have enough real personal information stored in their profile or in their posts to make the password useful. This is why CRZ disclosed, because information was potentially compromised. I'm willing to bet the board was hacked at least once before, but there was no such compromise so there was no, or limited, disclosure.
Anyone who's been in operations knows that being hacked isn't a matter of if, it's a matter of when. And as long as nobody's life or livelihood is at stake, it doesn't make much sense to get worked up about it. Patch, disclose (NNITO), and move on with your life.
I'm fairly certain we've mentioned it every time there has been an issue. Why wouldn't we? I have nothing to gain from you thinking this place is more secure than it is.
Most of the time people have screwed around in more of a vandalism approach. I believe this was the first successful SQL injection. Really, we don't claim a lot of security, but we've at least both audited this place a little bit.
Originally posted by DJ FrostyFreeze: It does seem odd that CRZ is this ok with his site being hacked and the guy who did it.
It's called pragmatism
Plus, you catch more flies with honey than vinegar.
Agreed. When the guy who hacked your website wants to talk to you, you talk to him. Better than making him angry in case he finds yet another security hole to exploit.
I'll shed some light on this, at least from my perspective.
I don't have an exactly clean past when it comes to computer systems. I never did anything criminal as far as I know, but I would poke around systems and see what I could do. I was the kid who changed the BASIC programs around in school so that you could have a huge mountain in artillery - only sunny days in lemonade - etc.
I know where these kids are coming from, and I can't really say I don't deserve some sort of "American style Karma" (Not to be confused with Actual Karma) for my past.
So, I'm generally not too much of a jerk with people if they step forward. I did eventually have to come up with a script to ban one kid from a different board I ran.
I dunno. I'm not happy about it, but I'm more likely to sigh than swear.
Originally posted by Guru Zim: I'll shed some light on this, at least from my perspective.
I don't have an exactly clean past when it comes to computer systems. I never did anything criminal as far as I know, but I would poke around systems and see what I could do. I was the kid who changed the BASIC programs around in school so that you could have a huge mountain in artillery - only sunny days in lemonade - etc.
I hated kids like you when I attended summer school...because there was actually someone who could do that. We had a competition playing that game back in the day, and someone who knew how to fiddle with the innards of the programming did exactly what you did. He won, of course.
When I went to The W just now, not logged in, it listed no forums, just "Increased Chatter" headers, etc. There was also some random thing about SQL at the top which I couldn't understand.
Originally posted by Eddie Famous: When I went to The W just now, not logged in, it listed no forums, just "Increased Chatter" headers, etc. There was also some random thing about SQL at the top which I couldn't understand.
That probably means you still had a cookie with your username in it, even if you didn't have one with the right password. It kinda puts you in that "in-between" state until you log in proper. I suppose I could fix this code but this piece is a very low-priority problem with me.
EDIT: Definitively clear your cookies with the logout link (The W) if you think that's where you are. (Of course, you'll probably have trouble even finding this post if you're there...)
That seemed to be what was wrong. Looked weird though.