Jump to content

Somebody Is Up To No Good


herme3

Recommended Posts

cool!, now all the REAL hackers are coming out the closset, anyone care to pop around to my place and get this clunky old PC of mine working as it should? :P

 

there`s a free beer and as many chemicals as you care to consume/sniff/look-at :)

Link to comment
Share on other sites

Herme,

 

In the log you posted, it shows that the hacker attempted to reset your password at least 13 times in 1 minute. That's an attempt every 4.6 seconds. That's got to be a program, not a person. There are people who make programs like this and deploy them into the internet. They can be programmed to seek out any accounts they can find, and it can be done for any number of reasons. Some try to hack into email accounts and take them hostage in order to send out spam. Others might want to hack into your machine and plant viruses. Whatever their reason, they don't need to know who you are or even pick you out of a number of other targets. For the most part, these programs are built to attack people at random and at such high rates that they can target thousands of accounts in a matter of seconds. For all you know, this might just be a random attack from a random source.

Link to comment
Share on other sites

I do make my passwords complex. I usually combine letters and numbers, and I sometimes forget my passwords. :P

 

I'm more concerned about somebody breaking into my database and taking the passwords from there. They are all encrypted, so I only see a long string like "b1c1539fc19d323df2af1935c595fb71". Of course, that isn't an actual encrypted password, it's just an example of what one looks like.

 

Do you think the encrypted passwords are secure?

 

Encrypted passwords can not be decrypted but one can write program that takes random words and encrypts them with same one-way algorithm. If certain word gives identical result then password is not secret any more.

 

This is only minor risk if passwords are too complex for random guessing.

 

In my humble opinion this case is not worth very much attention especially if no other attacks will follow.

Link to comment
Share on other sites

The password can be broken if you know something that's been encrypted and the real text, the special md5 encryption code, or a couple other things (there are special files on the server). Some websites will leave the encryption script open letting users type in text and getting the md5 back, allowing them to hack the script. (if you notice some porn sites encript the "real" site w/ md5 -- php?site=q45ehy8... and if you get the site you hack the md5 algorithm and can then decode all the other links)

 

There are articles on the Internet about all this. I used to know how but that was a while ago. You just use john, it's really not that hard.

 

I doubt your site has any problem though -- if it's one of the big forum software programs like vb or phpbb.

Link to comment
Share on other sites

cool!, now all the REAL hackers are coming out the closset, anyone care to pop around to my place and get this clunky old PC of mine working as it should? :P

 

there`s a free beer and as many chemicals as you care to consume/sniff/look-at :)

 

I heard free beer:D . Oh yeah, I'm a yank. But if you pay for the plane ticket...:rolleyes:

Link to comment
Share on other sites

Glad to see the problemo is sorted, and I wouldn't have suspected anyone from SFN would ever do something like that, but better to be safe and check.

 

herme3: that type of encryption is fairly safe, however if you were to give me an encrypted password like that I could discover the password via a method known as brute force. As you cannot decode that you basically have to try every single possible combination of letters and numbers until you get it correct.

 

To speed up this process there are big tables listing precalculated passwords/codes. The ultime exaple of this is a 64GB table which can crack any password up to 14 characters long using any possbile characters on a standard keyboard. It would take any one computer years to calculate this, but as all the data is stored in this 64GB table, all a computer has to do is search through the table, which takes a few minutes.

 

Having said all of this I will conclude by saying that md5 is about the safest type of encryption and is used on all Windows systems (well, all the recent ones anyway), and don't worry about people brute forcing your database of passwords.

Link to comment
Share on other sites

I have to say that as the computing power goes up, I'm trusting md5 less and less. There have been quite a few developments in cracking it recently; as a result, I'm tending to use SHA-256 these days, which is a much better replacement. Have a look at the Wikipedia entry for some more information on the md5 algorithm - if nothing else, it makes interesting reading.

Link to comment
Share on other sites

I have to say that as the computing power goes up, I'm trusting md5 less and less. There have been quite a few developments in cracking it recently; as a result, I'm tending to use SHA-256 these days, which is a much better replacement.
Can you expand on that please. AFAIK there's the brute force method. Also as the months go by there will be more Rainbow tables (tables of precalculated passwords and corresponding md5 hashes) that can be used to quickly crack md5 encrypted passwords. Now if we combine this with the increasing efficiency of brute force attacks, and the overall increase of computing power available to the average user, it has certainly become quicker to brute force md5. Is this what you mean by "quite a few developments in cracking it recently"? Or is there something else I'm not aware of?
Link to comment
Share on other sites

I'm really not talking about brute-force here. You can use that for any sort of hashing algorithm. If you do a little searching, a couple of years ago a few (albeit obscure) cases were found in which you can deliberately create collisions. My betting is that eventually, and maybe soon, we're going to find a nasty hole in it, and all of a sudden, anyone using md5-based hashing is going to be vulnerable.

Link to comment
Share on other sites

The problem is that finding a collision won't be a problem for forum softwares. A hacker would need access to the database to find the md5 hash anyways, and if he has access to the database, it doesn't really matter any more.

 

Exactly, and rainbow tables can be rendered useless by salting your hash.

 

The problem with MD5 collisions is when you're talking about binaries that could potentially be replaced with a malicious alternative with the same hash. Luckily most smart people are using SHA (for example, the FreeBSD ports system computes both MD5 + SHA-256 for a downloaded package; try finding a collision for both ;) )

Link to comment
Share on other sites

The problem is that finding a collision won't be a problem for forum softwares. A hacker would need access to the database to find the md5 hash anyways, and if he has access to the database, it doesn't really matter any more.

 

A lot of software, including vB, stores your md5'd password in a cookie, although I think vB md5's the password twice for additional security. Obtaining access to a cookie is relatively trivial, especially when people tick the "Remember Me" box and go and leave their computers for a while. It's an extremely common way of managing web sessions, since it authenticates the user on each page load.

Link to comment
Share on other sites

I thought most software would be sane enough to simply store a different unique session ID (not the password) as a cookie. That's how I wrote my software, at least, and I believe phpBB does it that way.

 

 

You would think wouldn't you but sometimes even software engineers are dumb...

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.