nick84

Binrev Hacked 2009-07-29

24 posts in this topic

Binrev was hacked this morning (for further details see http://binrevstatus.blogspot.com/2009/07/we-got-0wned.html )

A backup from the 24th July has been restored. Unfortunately any posts from the 24th-29th have been lost.

You will need to use the "I've forgotten my password" feature to reset your account password.

In the process of restoring the forum files a backdoor was discovered, therefore a decision was taken to only restore the database. This means that custom avatars, attachments, gallery images will not show up until we have had a chance to review them for further backdoors.

If you see any non file related issues with the forums (missing posts from before 24th etc) post here.

Edit by Ohm:

If you have any troubles resetting your password, you can email me at infinite.ohm@gmail.com.


StankDawg has asked me to mention that the site is now being transitioned away from him and over to a new team and that he will no longer be running things.


I'd also like to mention that since the password database was stolen you should consider the password you used on these forums to be compromised. The passwords were hashed of course, but we all know hashes can be reversed. If you use this password anywhere else, change it as soon as possible. I'm not sure how Invision hashes passwords and if rainbow tables will be able to break them, but it's safer to assume they're all compromised.


The DB has not yet been posted on the net, at least far as I can see.

EDIT: Invision was md5(md5()), and it would take time to compute tables like that, wouldn't it?

Edited by aka-tekio


Nick, I don't even know you.

But I appreciate everything you are doing for binrev, it goes to show how loyal our community members are.

You too Ohm.

Edited by R4p1d

On the topic of changing passwords, can anyone recommend a good password utility?


Thanks for the information, it is appreciated.


My advice for a strong password is:

Do not use anything that is a word, or even anything that would look like a word. Use special characters, and try not to put them in the most usual places, like the end of the password. Add numbers too; a good trick is to use part of an irrational number so that it's easier to remember if you forget it.


Also never ever never ever ever reuse passwords! When h4cky0u got pwned a few years ago there were at least 5 binrev members I recognized in that DB... I did not try to crack anything, but that DB is still posted all over the net...

Also be as anon as possible. Just using Google it is sometimes easy to identify other aliases people use in their personal life...

EDIT: it would be interesting to see logs and everything from this attack 6 months down the road, when a new Invision version patches the hole too.

Edited by tekio

Rainbow tables will not be effective against IPB hashes. IPB hashes use the following format: MD5(MD5(salt).MD5(password)). For IPB forums, each hash is salted with a different 5-character string consisting of uppercase, lowercase, numbers, and symbols. Cracking the hashes is possible, but each hash will have to be individually brute forced, because pre-computing a rainbow table for each possible salt combination would take an insane amount of time and memory.

This being said, your hashes and password may still be revealed, your best bet is to change your password if you use it anywhere else.

Stay safe!

NetMD5Crack Admin

Which one is it that uses the registration key as a salt?


No further backdoors were found in the files, therefore they have been restored. Post here if you see any broken image tags.


Could we get some details on the nature of the backdoor found?

Also, please relocate the images to the bottom and/or re-enable image resizing. A 600px high image is loading above the forums.

Thanks for all the hard work! ^_^



I think that would be one of my desktop screenshots...lol


BinRev, don't feel too bad: Dan Kaminsky was hacked, along with a bunch of other so-called white hat pros.

Anyway, it would really be great if you guys could write up a piece on the attack. It seemed that the whole upgrade was riddled with bugs. Stank put in a lot of hard work and it seems like the new invision board was just a juicy target from the beginning. It would be great if you guys could shed some light on things. Thanks.


Guess they showed us, didn't they?

Yeah, they showed us how insecure hacker websites are, but didn't we already know this?

Producing content to fill the forums is more important than securing the forums.




You beat me to it. These guys are run of the mill hackers with excellent showmanship. How can I make that claim? They exploited common vulnerabilities, using common tools and techniques. It was evident that their brains were required occasionally, and I'm sure it was refreshing after all that routine hacking they bragged about. The choice of targets? High profile hacking- or security-oriented sites that focused more on content than their site security. Bragging about these sites is like saying you can shoot fish in a bucket... with a machine gun! Of course, these sites do get lots of press, so whatever happens to them gets noticed. In the end, Zero for Owned resembles a Richard Nixon publicity stunt more than a Kevin Mitnick exploit story. Does anyone else think Zero was named after its contribution to IT security?

To Zero for Owned: You've Just Been Powned! :cool:


I thought Zf0 was dead.



Obviously not...but either way this thread seems to be. I am going to unpin it now since we have long been back up and running again.


I find it a little nuts that even a website about hacking (and, I assume, also run by hackers) doesn't have the ability to trace the source of a hack on their web server?

I always assumed hacking a website like this would be far more difficult than a normal site because hackers would know where the vulnerabilities are in their ports, and would be waiting for a hacker to come in, then trap him like a mouse in a cage.

But I guess it's possible to just use a proxy chain or other means to become totally anonymous and look around any computer or web server without the possibility of being tracked down? That has always been a hacker's dream, right? To explore the whole internet and any/all computers connected to it without ever having to worry about getting caught, because you have 100% anonymity. Is such a thing actually possible?


The source of a hack depends on the type of hack. Let's assume in this case it would be an IP address. The IP address can point to an attacker's machine or a proxy. The proxy may be a dumb proxy (that's all it does) or even a compromised machine belonging to an innocent user. If proxying is used, the defender may have to hack into the computers to trace the attackers. That's a crime, and BinRev doesn't condone crimes. Different jurisdictions complicate issues for law enforcement, and I have my doubts that Russian national investigators even want to catch some of their local criminals. (hint hint, wink wink) Due to the difficulty and expense of tracing, most defenders simply focus on prevention and getting their assets back online after a disaster.

Good defense is about dealing with risks. You look at your assets, your security goals (e.g. Confidentiality), and various threats to these goals/assets. You use this information and the likelihood of exploit to measure how risky each threat is. You then decide how to deal with the risk. It's often perfectly acceptable to accept a risk, as long as it doesn't compromise mission-critical goals. Using a mainstream web server is a risk, as it increases likelihood of exploits. However, the feature-rich server's benefits outweigh the potential cost, especially if basic backup and hardening strategies are employed. In real defense, choosing what not to worry about is just as important as closing the holes that matter.

As far as anonymity is concerned, it is a relative term. Anonymity from whom? The system you are connecting to? The systems in between? The person sniffing the traffic on your home network? The FBI? Your ISP? Each different entity has its own capabilities for analyzing and manipulating your traffic. A good proxy will usually keep your name off the other web site's logs. However, you must remember that you can't send anything identifiable, such as login credentials. Proxy chains through countries like China can frustrate investigations, as can using other people's wireless access points with a spoofed MAC address on a netbook bought with cash. (No, I've never done this...) If you are under surveillance, then you can use a Tor relay node and/or Freenet to attempt a disguise. If the heat is really onto you locally, you're busted. There are defenses, but you'd rather not be in that position and would have a paranoid, miserable life. :( You have to remember that, just like with security, each technology is designed to counter specific privacy threats. You must properly combine the technologies according to well-thought-out requirements in order to achieve your privacy goals online.

Last piece of advice: Just because you can't break your own scheme doesn't mean it's secure. If your assets or goals are critical, then try to use existing schemes and best practices. IF you come up with your own, subject it to intense scrutiny via peer review and pen testing. Even then, you should be prepared for its failure. In this business, there are NO GUARANTEES... of anything. Sad but true.

- Nimity (a.k.a. army_of_one on binrev)
