WebHostingTalk.com - Compromised - Page 3
13

Comments

  • @jarland said:
    Gotta be honest I have a really hard time caring if they did get compromised. Like my level of "give a shit" about WHT is so low that I can't even get the wheels spinning.

    I'm gonna get my ass kicked talking this much trash before hostingcon :( lol

    Well it's true they died in 2013/2014, if not in 2009 when they got hacked firstly and then upgraded to vb4 when everyone wanted them to stay on vb3 :)

    Thanked by 1jar
  • Licensecart said: Because MD5 is hackable, why do you think better software use Bcrypt...

    Collision Resistance != Decryption.

    There's a 2^18 collision attack against MD5. There's a 2^123.8 decryption attack against MD5. Having something generate the same hash only allows you to authenticate to the same website.

    Do you think SHA-1 SSLs are fine to use because they are insecure? Nah bet you don't mate that's the same reason... You use SHA-256 for SSL certificates, you use Bcrypt or something like it.

    Because SHA-256 has no known attack against the full algorithm, only reduced-rounds variants thereof (at least, per a quick Wikipedia lookup).

  • KuJoe Member, Host Rep

    This is just another lesson for people not to use the same passwords on multiple websites and stop using insecure passwords. Regardless how the password is stored in a database (as long as it's not plain text), the strength of your password is critical to your own security.

    Thanked by 1Maounique
  • @Licensecart said:

    @jarland said:

    Licensecart said: Put it this way, WHMCS uses MD5 with a little security extra and even Blesta developers can decrypt that with their importer

    MD5 still shouldn't just be "decrypted" like it's that easy. Are you sure something else isn't going on there? MD5 decryption is done by guessing+comparison. Are you claiming Blesta has an algorithm that immediately, with no resources, turns MD5 into plain text?

    WHMCS uses salts, Blesta uses Bcrypt which are one way passwords, when you enter your password it crypts it and checks it. You can check the importer and find out how they do it if you can understand PHP.

    MD5 is also one way, and can not be decrypted. What you can do is encrypt all the possible passwords in the world, store the result in a database, and then search for the MD5 hash - it's not easy, though.

  • luissousa said: it's not easy, though.

    Also impossible with salt.

  • http://www.webhostingtalk.com/showthread.php?t=1584028

    @splitice looking for a WHT ban?

    I'm still betting that they cover it all up in a few days and delete that topic

  • @linuxthefish said:
    http://www.webhostingtalk.com/showthread.php?t=1584028

    @splitice looking for a WHT ban?

    I'm still betting that they cover it all up in a few days and delete that topic

    They can try :) it's on archive.org

  • HBAndrei Member, Top Host, Host Rep

    Maounique said: Also impossible with salt.

    Not if the attacker knows the salt method.

    Thanked by 1Licensecart
  • HBAndrei Member, Top Host, Host Rep

    This just got posted on WHT:

  • MikeA Member, Host Rep

    @HBAndrei said:
    This just got posted on WHT:

    Not only does that look fake but it looks dumb considering the DB is already out there.

  • gadzooks Member
    edited July 2016

    Not fake? See 4th post: (edit - post deleted at Wht)

  • HBAndrei Member, Top Host, Host Rep

    MikeA said: Not only does that look fake but it looks dumb considering the DB is already out there.

    No kidding :D
    It's still fun seeing people trying.

    Thanked by 1Maounique
  • Hassan Member, Host Rep

    Jeez

  • AnthonySmith Member, Patron Provider

    Thanks for the heads up.

  • Joery Member

    @luissousa said:

    @Licensecart said:

    @jarland said:

    Licensecart said: Put it this way, WHMCS uses MD5 with a little security extra and even Blesta developers can decrypt that with their importer

    MD5 still shouldn't just be "decrypted" like it's that easy. Are you sure something else isn't going on there? MD5 decryption is done by guessing+comparison. Are you claiming Blesta has an algorithm that immediately, with no resources, turns MD5 into plain text?

    WHMCS uses salts, Blesta uses Bcrypt which are one way passwords, when you enter your password it crypts it and checks it. You can check the importer and find out how they do it if you can understand PHP.

    MD5 is also one way, and can not be decrypted. What you can do is encrypt all the possible passwords in the world, store the result in a database, and then search for the MD5 hash - it's not easy, though.

    You can't decrypt hashes because it's never encrypted. If you want to crack a hash you could just post your list on the Hashkiller.co.uk forum, you don't even need GPUs and a huge wordlist.

    Salting in vbulletin is pretty much useless.

  • shovenose Member, Host Rep
    edited July 2016

    @KuJoe said:
    LOL! @Licensecart is really upset with my posts and his inability to read. :D

    Hey, at least I know my data is secured by dragon :)

    -happy SD customer

  • Amitz Member

    @KuJoe said:
    LOL! @Licensecart is really upset with my posts and his inability to read. :D

    Well, what did you expect... ;-)

  • Neoon Member, Community Contributor

    Thanked by 1theroyalstudent
  • raindog308 Administrator

    jarland said: Also the "no ad trashing" rule that we don't have. Never. We tell people when their offers are shit.

    Always the most ridiculous part of WHT to me, and a clear sign they're more interested in advertising dollars than actual participation.

    Thanked by 1jar
  • raindog308 Administrator

    Licensecart said: So they have no excuses. Not one!

    Makes zero difference if the user chooses "password" as their password, though.

  • @Licensecart said:
    Oh and that security patch was released: Thu 16th Jun '16, 4:58am today is Sat 9th July '16

    Ow and expect my business with you to be gone next month. Bye bye $30/month

  • vfuse Member, Host Rep

    @Licensecart said:

    @jarland said:

    Licensecart said: WHMCS uses salts, Blesta uses Bcrypt which are one way passwords, when you enter your password it crypts it and checks it.

    I may be misunderstanding but I don't think that quite answers this:

    Licensecart said: Blesta developers can decrypt that with their importer

    You're suggesting that Blesta's importer is completely decrypting MD5 hashes. Exactly how sure of that statement are you? This should be international news if Blesta has figured out how to instantly turn MD5 hash into plain text.

    I might have said it wrongly :s

    They import them over and then if you change the configuration to "whmcs-md5" it imports them to the database in md5, you can then log in and it changes it to Bcrypt.

    They use the phpseclib library to do the encoding.

    I'm pretty sure the only thing they do when importing is save the vb auth and wait for the imported users to log in. When signing in they check the info with vb's auth functions and if it's right save the password using Blesta's function.

    Vbulletin is pretty horrible though.
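
The upgrade-on-login migration described in the comment above, as an added sketch that is not part of the thread and is not Blesta's, WHMCS's or vBulletin's code. Assumptions: the legacy format `md5(md5(password) + salt)` is a constructed stand-in for an imported scheme, PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor (assumption; tune for your hardware)

def legacy_md5(password: str, salt: str) -> str:
    # Constructed stand-in for an imported salted-MD5 scheme.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def strong_hash(password: str, salt: bytes) -> str:
    # Slow, salted KDF; stored as "<salt hex>$<derived key hex>".
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def strong_verify(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    recomputed = strong_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

def login(user: dict, password: str) -> bool:
    """Check a login attempt; upgrade a legacy record in place on success."""
    if user["scheme"] == "legacy-md5":
        candidate = legacy_md5(password, user["salt"])
        if not hmac.compare_digest(candidate, user["hash"]):
            return False
        # The plaintext is only available at this moment, so re-hash it now
        # and overwrite the MD5 value; nothing was "decrypted".
        user.update(scheme="pbkdf2-sha256", salt=None,
                    hash=strong_hash(password, os.urandom(16)))
        return True
    return strong_verify(password, user["hash"])

def make_imported_user(password: str, salt: str = "a1b") -> dict:
    # Constructed sample record, as an importer would store it.
    return {"scheme": "legacy-md5", "salt": salt,
            "hash": legacy_md5(password, salt)}

if __name__ == "__main__":
    user = make_imported_user("correct horse")
    print(login(user, "wrong guess"), user["scheme"])
    print(login(user, "correct horse"), user["scheme"])
    print(login(user, "correct horse"), user["scheme"])
```

Accounts that never log in again keep their legacy MD5 record, so a migration like this usually needs a cutoff after which remaining legacy hashes are invalidated and those users go through a password reset.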

  • @Domin43 said:

    @Licensecart said:
    Oh and that security patch was released: Thu 16th Jun '16, 4:58am today is Sat 9th July '16

    Ow and expect my business with you to be gone next month. Bye bye $30/month

    Well I can't find anyone with Domin43 or Domain43, so if you are a real customer you claim to be feel free to DM me your client ID or post it here since it's a 4 digit number, and I'll schedule a cancellation at the end of the month for you :) no skin off my nose...

  • hostdare Member, Patron Provider

    We should be concentrating on WHT rather than diverting...

  • MikePT Member, Moderator, Patron Provider

    @Licensecart is an ass. He reported me to fraudrecord for not paying an invoice, probably a Blesta license. So anyone who orders something from him and stops renewing it, will be reported in fraudrecord. This guy is hilarious and annoys the fuck out of me always talking about Blesta.

    Thanked by 1Domin43
  • @MrGeneral said:
    @Licensecart is an ass. He reported me to fraudrecord for not paying an invoice, probably a Blesta license. So anyone who orders something from him and stops renewing it, will be reported in fraudrecord. This guy is hilarious and annoys the fuck out of me always talking about Blesta.

    Well, his unprofessionalism has no bounds, it could be seen on multiple occasions already. Lol, I would happily buy direct rather than from unethical resellers, regardless of the benefits it can ever bring.

    Did you get your record off FraudRecord, though?

    Thanked by 1MikePT
  • Have they still not made any form of public announcement about it..?

  • MikePT Member, Moderator, Patron Provider

    @theroyalstudent said:

    @MrGeneral said:
    @Licensecart is an ass. He reported me to fraudrecord for not paying an invoice, probably a Blesta license. So anyone who orders something from him and stops renewing it, will be reported in fraudrecord. This guy is hilarious and annoys the fuck out of me always talking about Blesta.

    Well, his unprofessionalism has no bounds, it could be seen on multiple occasions already. Lol, I would happily buy direct rather than from unethical resellers, regardless of the benefits it can ever bring.

    Did you get your record off FraudRecord, though?

    For sure!
    No, I haven't, I think he's the only one who can remove it IIRC?

  • @MrGeneral said:

    @theroyalstudent said:

    @MrGeneral said:
    @Licensecart is an ass. He reported me to fraudrecord for not paying an invoice, probably a Blesta license. So anyone who orders something from him and stops renewing it, will be reported in fraudrecord. This guy is hilarious and annoys the fuck out of me always talking about Blesta.

    Well, his unprofessionalism has no bounds, it could be seen on multiple occasions already. Lol, I would happily buy direct rather than from unethical resellers, regardless of the benefits it can ever bring.

    Did you get your record off FraudRecord, though?

    For sure!
    No, I haven't, I think he's the only one who can remove it IIRC?

    Ah that sucks. Well I'll just say this. @LicenseCart go fuck yourself.

    Thanked by 1MikePT