Welcome To The War & Tactics Forum => About The WaT Forum: Rules, Updates, News => Topic started by: TechAdmin on 5 March 2012, 22:04:34



Title: WaT hacked and defaced
Post by: TechAdmin on 5 March 2012, 22:04:34
On Feb 19th, WaT was hacked (the details are not clear yet but it looks like the PW of user "admin" got cracked) and defaced; for some (short) time everybody coming here saw this instead of what you all know:

(http://www.warandtactics.com/Images/captura-wat-deface.jpg)

Thanks to our great host nobody ever realized, not even me (as I connected to my email only today, for the first time in 3 weeks), as they restored the original forum straight from their last backup, which was only 4 hours old.

Again, hats off to those guys, where would we be without them!  hatsoff

The hack itself is not clear yet (I am waiting for their log details) but I assume it was done by database injection after cracking the PW of user "admin" (this user name actually, I have said it before, is a NO-NO as it is the first name any hacker will try out). No action is required atm by anybody until I have confirmation of what happened exactly.

Will keep you updated,

TA



Title: Re: WaT hacked and defaced
Post by: TechAdmin on 5 March 2012, 22:17:04
addendum:

The hacker/defacer is well known, here are a few links so you guys can see what trouble hostsuar (our host) saved us from:

He himself notified about his hack on 20/2/12 here:

http://www.zone-h.org/archive/notifier=SouTHRaNDA/page=7

http://www.simplemachines.org/community/index.php?topic=464098.0

There is a video of a band "A$G" (you cannot google them because of the "$" character, I will get around this when I find the time) who has a song called "SouthRanda", maybe a hint:

The message the hacker left (which I had assumed to be a code) is most probably the same language the band sings in (Rumanian?) or derived from it:

A.$.G - South Randa (http://www.youtube.com/watch?v=5aHXkNExG9s#)

TA


Title: Re: WaT hacked and defaced
Post by: stoffel on 6 March 2012, 10:23:20
>:( So are we safe again?
Did the one responsible change his password?


Title: Re: WaT hacked and defaced
Post by: Mad_Russian on 6 March 2012, 22:16:13
Good job.

I would guess that if they went after any password they could crack them. Of course the more convoluted the password the safer it is.

In any case the security we have for the site seems to have done exactly what we wanted it to.

Thanks for everything you guys do to keep the site safe.

Good Hunting.

MR


Title: Re: WaT hacked and defaced
Post by: TechAdmin on 6 March 2012, 22:35:46
> Good job.

By our host, we staff (myself, especially) failed big time, had not brought SMF up to speed fast enough and had not pressured *good* PWs enough...

> I would guess that if they went after any password they could crack them. Of course the more convoluted the password the safer it is.

While right with the latter, I think we still suck (and I mean *suck*, capitally) with the first: You cannot, as an average hacker - not talking FBI, NSA or affiliates - crack a good PW "just like that".

Problem is that even I can crack 50% of the passwords on our site without much effort, want to know how many members have "password" as password? 3 of 200..., says it all. I also tripped in my tests over 31 (of 260 overall tested) PWs that use their user name in reverse as PW, how not to find out in 0.1 sec for a hacker? (First try: "username"/"password" in all combinations, 2nd try all usernames visible with "password" as PW in all combinations, third try visible usernames with "reverse username" as PW, takes less than a second to try out with 200 members...)

OTOH, hacking them simple members is not the prob, hacking a member with admin rights, is, and truly so: With admin rights you have access to the database, i.e. all emails of all members (and it seems this table has been dl-ed on other sites by the same hacker, though our logs don't show anything in this respect, assuming for the moment that we were saved by the inherent sec features we have been building up over the years). Problem is that there is almost always a user with the username "admin" on forums, as that is the standard first UN handed out, and hence also the first target try for hackers, 99% success rate...

> In any case the security we have for the site seems to have done exactly what we wanted it to.

It did, but it was not *our* security but *the host's*.

Again (I know I am repeating myself for the umpteenth time and tiring everybody, talking to a wall here, but these things *are* important and will be *more* important as we advance in time), while we ppl here try our best, this time the praise is only and all owed to our host (hostsuar.com), we staff ppl missed the attack and any responses completely, had they not alerted us we wouldn't even know about the hack. *They* caught it, and *they* fixed it, myself I was only aware of the attack 10 days later (as you all know I am not around here as often anymore). My personal belief is that only less than 1% of hosts available on the net will do that.

> Thanks for everything you guys do to keep the site safe.
>
> Good Hunting.
>
> MR

We try (e.g. by finding an excellent host), but also every pecuniary contribution should help, these guys cost (not much, less for what especially *they* are doing for us, but in the end it has to be paid somehow, talking some 200+ Euros a year here), any contributions welcome: See "Support WaT" on the front page.

Personally, I think all money we spent so far has proved to be the right investment (I know that ppl here feel that we should have an English speaking host, but the way they treat us I have never seen with any host before, whatever language, and they understand enough English to be of more help than any US firm I know).

As far as the pure tech data goes, PMs are on the way, we have the whole thing deciphered by now.

> >:( So are we safe again?
> Did the one responsible change his password?


No, and No, PMs on the way to deal with the Lessons Learned.

Kind regards,

TA
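
The weak-password patterns listed in the post above (the literal "password", the username itself, the username reversed) can be refused at the moment a member sets a password, since that is when the forum still sees the plaintext. The following is an added example, not part of the original thread and not SMF code; the function names, the small COMMON list and the sample accounts are constructed for illustration, and it goes slightly beyond the post by also catching case changes, padding digits and simple character substitutions.

```python
import re
from collections import Counter

# Constructed mini-list; a real deployment would load a large
# breached-password list instead.
COMMON = {"password", "123456", "qwerty", "letmein", "admin"}

# Simple substitutions undone before comparing (p4ssw0rd -> password).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def _core(text):
    """Lower-case, drop digits/symbols padded at either end, undo simple
    substitutions, then drop any separators that remain."""
    text = re.sub(r"^[^a-z]+|[^a-z]+$", "", text.lower())
    return re.sub(r"[^a-z]", "", text.translate(LEET))


def password_problems(username, password):
    """Return the reasons a new password should be refused (empty = accept)."""
    problems = []
    pw, user = _core(password), _core(username)
    if pw in COMMON:
        problems.append("common password")
    if user and pw == user:
        problems.append("same as username")
    if user and pw == user[::-1]:
        problems.append("username reversed")
    return problems


def audit(candidates):
    """Count how often each problem occurs in (username, password) pairs,
    e.g. those seen at login or password-change time."""
    counts = Counter()
    for username, password in candidates:
        counts.update(password_problems(username, password))
    return counts


if __name__ == "__main__":
    # Constructed sample accounts, not real forum data.
    sample = [("admin", "nimda"), ("alice", "P4ssw0rd!"),
              ("Bob_Smith", "htimS_boB"), ("carol", "correct-horse-7battery")]
    for name, pw in sample:
        print(name, password_problems(name, pw) or "ok")
    print(dict(audit(sample)))
```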


Title: Re: WaT hacked and defaced
Post by: stoffel on 7 March 2012, 13:39:47
Ok,

So my basic understanding is that we should write a mail to all members to change their passwords if they haven't got a 'safe' one.
We have to delete the admin account and change it into something less recognizable.

Using a password like I did with the use of small and big letters and all other items on the keyboard in a very unrecognizable pattern should make it far more difficult.