WebHostingTalk.com - Compromised - Page 2
24 Comments

  • @GalaxyHostPlus said:
    I wonder when the official statements will come.

    Never... they would have done it by now to prevent losing revenue.

  • @Jonchun said:

    @Licensecart said:
    As far as I know WHT uses MD5 and a salt which I believe can be decrypted if they have both which are stored in the database. Doesn't surprise me since they use VB4 the worst forum software after VB5.

    The point of hashing is that you can't decrypt it... It's like you trying to guess what a tree looked like from the wood in the pencil you have in front of you.

    Sure you can rainbow table md5, but it's not going to be any good when they're all salted with a unique salt. Generating rainbow tables per salt is possible, but really pointless unless you really want a specific user's password.

    But vBulletin didn't update with the time :P wonder if vb5 has a new encryption.

  • hostdare Member, Patron Provider

    Licensecart said: But vBulletin didn't update with the time :P wonder if vb5 has a new encryption.

    did those b**** delete your account for arrogant reasons?

    Thanked by 1: Licensecart
  • @hostdare said:

    Licensecart said: But vBulletin didn't update with the time :P wonder if vb5 has a new encryption.

    did those b**** delete your account for arrogant reasons?

    Sadly not lol it's still there.

  • hostdare Member, Patron Provider

    Licensecart said: Sadly not lol it's still there.

    Very arrogant person over there... be careful haha

    Thanked by 1: Licensecart
  • @WHT said:
    It's been dead for 2-3 years. Full of robots commenting; check the offers section.

    Funny thing is that as dead as it seems I know providers advertising there and making thousands of sales... so sales wise it seems active.

  • zafouhar said: Funny thing is that as dead as it seems I know providers advertising there and making thousands of sales... so sales wise it seems active.

    Personally I find LET offers are better than even paid WHT offer threads, even though the view count on WHT is a bit higher.

    A lot of hosts on WHT make their sales from posting bad advice and unrelated crap on people's threads; it's so obvious that it makes WHT painful to read. For example, someone might ask if a dedicated server or VPS is better for his needs, then some provider comes along and posts "You must use a hybrid-cloud-super-dedi for running x", when his signature advertises hybrid-cloud-super-dedis.

    LET is much better in that providers who want to recommend their own services in other people's threads can just do it without having to make some bullshit up.

  • I'm calling this out as bullshit. That's not a reputable vendor and there's no proof of the details being hacked. Just some campaign probably from some disgruntled WHT member who got banned, and this is his plan to cause them some financial loss. Sucks at that anyway lol.

  • daily Member

    @Domin43 said:
    I'm calling this out as bullshit. That's not a reputable vendor and there's no proof of the details being hacked. Just some campaign probably from some disgruntled WHT member who got banned, and this is his plan to cause them some financial loss. Sucks at that anyway lol.

    I'd say unlikely considering they targeted and supposedly got three different forums owned by the same company rather than just targeting WHT.

  • @daily said:

    @Domin43 said:
    I'm calling this out as bullshit. That's not a reputable vendor and there's no proof of the details being hacked. Just some campaign probably from some disgruntled WHT member who got banned, and this is his plan to cause them some financial loss. Sucks at that anyway lol.

    I'd say unlikely considering they targeted and supposedly got three different forums owned by the same company rather than just targeting WHT.

    The "proof" is shocking. I don't understand how you take it as valid.

  • GCat said: my friend over at a sec company (won't drop their name here) has access to one private community which the database is listed for free for anyone to download

    This is pretty easily explained: most system administrators do not understand security in any way other than stupid Google tweaks which never work.

  • William Member
    edited July 2016

    /care

    On more interesting news, Datadog (which is used by a lot of Fortune 500 and similar for monitoring/metric storage) got compromised also, AWS keys and so on....

    Thanked by 2: Tom, vimalware
  • @William said:
    /care

    On more interesting news, Datadog (which is used by a lot of Fortune 500 and similar for monitoring/metric storage) got compromised also, AWS keys and so on....

    Hahahahahaha.

  • Gulf Member

    @linuxthefish said:

    Personally I find LET offers are better than even paid WHT offer threads, even though the view count on WHT is a bit higher.

    I used to read WHT till I learned Linux and started to use dedicated servers and VPS. They have a great shared hosting section, but I switched to LET because I need news about the VPS and dedicated industry.

  • sin Member

    @William said:
    /care

    On more interesting news, Datadog (which is used by a lot of Fortune 500 and similar for monitoring/metric storage) got compromised also, AWS keys and so on....

    Yeah, got 2 emails from them this morning. Signed up but I had never really used it... seems like every other day I'm getting emails from companies getting compromised.

  • jar Member, Patron Provider

    linuxthefish said: LET is much better in that providers who want to recommend their own services in other people's threads can just do it without having to make some bullshit up.

    Also the "no ad trashing" rule that we don't have. Never. We tell people when their offers are shit.

  • @Domin43 said:
    I'm calling this out as bullshit. That's not a reputable vendor and there's no proof of the details being hacked. Just some campaign probably from some disgruntled WHT member who got banned, and this is his plan to cause them some financial loss. Sucks at that anyway lol.

    Go back to bed... I linked to a thread on VBULLETIN.COM stating there was a security update for 4.2.2 patch 4. Which is what WHT is currently on...

    And since you are too stupid to go and read it yourself, I'll paste it here. There could be an issue with their own script, but it doesn't take a genius to know you can do DB backups via SQLi.

    A security issue has been reported to us that affects vBulletin 4. We have released security patches for vBulletin 4.2.2 & 4.2.3 to account for this vulnerability. The issue could potentially allow attackers to perform SQL Injection attacks via the included Forerunner add-on. It is recommended that all users update as soon as possible. If you're using a version of vBulletin 4 older than 4.2.2, it is recommended that you upgrade to the latest version as soon as possible. Please note that you need to update regardless of whether you have Forerunner enabled.

  • Oh, and that security patch was released Thu 16th Jun '16, 4:58am; today is Sat 9th July '16.

  • As I said, no data is safe online. None, zero, no exceptions. If you have someone after you, you will be hacked sooner or later: FBI, NASA, CIA, etc. And if that does not work, insider jobs or social engineering will work instead.
    Sure, some people are more careless than others and the low-hanging fruits will be picked much more often, hence criticism here is deserved. However, it depends who is after you. Also, you may not even know you were hacked; maybe the Chinese have sniffers in the CIA's network right now, they know all the passes, etc.

  • @Maounique said:
    As I said, no data is safe online. None, zero, no exceptions. If you have someone after you, you will be hacked sooner or later: FBI, NASA, CIA, etc. And if that does not work, insider jobs or social engineering will work instead.
    Sure, some people are more careless than others and the low-hanging fruits will be picked much more often, hence criticism here is deserved. However, it depends who is after you. Also, you may not even know you were hacked; maybe the Chinese have sniffers in the CIA's network right now, they know all the passes, etc.

    Well if WHT Penton had a brain they would have found this nice little website from the vbulletin.org forum. This changes VB4 MD5 hashing crap to Bcrypt: http://blog.technidev.com/changing-vbulletin-4-its-password-hashing-to-use-bcrypt/

    So they have no excuses. Not one!

  • KuJoe Member, Host Rep
    edited July 2016

    Wait, why is MD5 crap? I just did the math and assuming somebody had 100 GPUs to "decrypt" (bruteforce) an MD5 hash for a random alpha-numeric 14 character password, it would take them over 11,000 years to check all of the possible passwords and even more if they didn't know exactly how many characters the password was and if they checked for symbols. If a person only had a single GPU it would take over 1 million years to check the hash against every password.

    EDIT: I didn't take salt into account so I don't know how much time that would add to the calculation if any.

    EDIT2: It's still a shitty situation. My e-mail address is probably more important to me than my password is. :(

  • Licensecart Member
    edited July 2016

    @KuJoe said:
    Wait, why is MD5 crap? I just did the math and assuming somebody had 100 GPUs to "decrypt" (bruteforce) an MD5 hash for a random alpha-numeric 14 character password, it would take them over 11,000 years to check all of the possible passwords and even more if they didn't know exactly how many characters the password was and if they checked for symbols. If a person only had a single GPU it would take over 1 million years to check the hash against every password.

    EDIT: I didn't take salt into account so I don't know how much time that would add to the calculation if any.

    EDIT2: It's still a shitty situation. My e-mail address is probably more important to me than my password is. :(

    Because MD5 is hackable. Why do you think better software uses Bcrypt...

    Do you think SHA-1 SSLs are fine to use because they are insecure? Nah bet you don't mate that's the same reason... You use SHA-256 for SSL certificates, you use Bcrypt or something like it.

    I could have a massive password like:
    b5BR)lRvS6a60x2D'o&#Jx|hpT-%mJs/Mu7-IsBq0}[email protected]*:.pF:Tr8mttU(JJrd?XR

    But I bet if that was in a database and you decoded it with PHP / database you will get the password in plain text.

    Put it this way, WHMCS uses MD5 with a little security extra and even Blesta developers can decrypt that with their importer, now ask WHMCS for a Blesta importer and they'll tell you, they don't have one, Blesta uses Bcrypt.

    See:

    And in layman terms.

    You could have the best lock on your front door, the most expensive lock, but if you leave your door open, you are welcoming even the beginner thief.

    I take it being a Brit I learn the easy way: http://www.ncl.ac.uk/estates/services/documents/Dont-Advertise-Your-Stuff-To-Thieves-Booklet-Dec2009.pdf

    "Don't Advertise Your Things To Thieves"

  • I remember Tom Scott, a great YouTuber I subscribe to, has a video about why not to use MD5:

    Thanked by 1: HBAndrei
  • jar Member, Patron Provider
    edited July 2016

    Licensecart said: Put it this way, WHMCS uses MD5 with a little security extra and even Blesta developers can decrypt that with their importer

    MD5 still shouldn't just be "decrypted" like it's that easy. Are you sure something else isn't going on there? MD5 decryption is done by guessing+comparison. Are you claiming Blesta has an algorithm that immediately, with no resources, turns MD5 into plain text?

    Seems more likely Blesta would be using the MD5, not decrypting it.

    Thanked by 1: KuJoe
  • Licensecart Member
    edited July 2016

    @jarland said:

    Licensecart said: Put it this way, WHMCS uses MD5 with a little security extra and even Blesta developers can decrypt that with their importer

    MD5 still shouldn't just be "decrypted" like it's that easy. Are you sure something else isn't going on there? MD5 decryption is done by guessing+comparison. Are you claiming Blesta has an algorithm that immediately, with no resources, turns MD5 into plain text?

    WHMCS uses salts, Blesta uses Bcrypt, which are one-way passwords: when you enter your password it crypts it and checks it. You can check the importer and find out how they do it if you can understand PHP.

  • jar Member, Patron Provider
    edited July 2016

    Licensecart said: WHMCS uses salts, Blesta uses Bcrypt which are one way passwords, when you enter your password it crypts it and checks it.

    I may be misunderstanding but I don't think that quite answers this:

    Licensecart said: Blesta developers can decrypt that with their importer

    You're suggesting that Blesta's importer is completely decrypting MD5 hashes. Exactly how sure of that statement are you? This should be international news if Blesta has figured out how to instantly turn MD5 hash into plain text.

  • @jarland said:

    Licensecart said: WHMCS uses salts, Blesta uses Bcrypt which are one way passwords, when you enter your password it crypts it and checks it.

    I may be misunderstanding but I don't think that quite answers this:

    Licensecart said: Blesta developers can decrypt that with their importer

    You're suggesting that Blesta's importer is completely decrypting MD5 hashes. Exactly how sure of that statement are you? This should be international news if Blesta has figured out how to instantly turn MD5 hash into plain text.

    I might have said it wrongly :s

    They import them over, and then if you change the configuration to "whmcs-md5" it imports them to the database in md5; you can then log in and it changes it to Bcrypt.

    They use the phpseclib library to do the encoding.
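The migrate-on-login flow described in this post (legacy MD5 rows imported as they are, then replaced with bcrypt the next time the user logs in), and the vBulletin-4-to-bcrypt change linked earlier in the thread, as an added example. This is my own illustration, not Blesta's importer, not the technidev patch and not vBulletin or WHMCS code. It assumes PHP 8, a legacy scheme of md5(md5(password) . salt) (my understanding of how vBulletin 3/4 stores passwords), and a constructed storage format of "vb4md5$salt$hash" so that legacy and bcrypt rows can be told apart in one column.

```php
<?php
// Added example: verify a legacy vBulletin-4-style salted MD5 hash and
// transparently re-hash the account to bcrypt on the next successful login.
// Not code from vBulletin, WHMCS or Blesta. Assumes PHP 8 and the legacy
// scheme md5(md5($password) . $salt); the "vb4md5$salt$hash" column format
// and the in-memory user table below are constructed for the example.
declare(strict_types=1);

const LEGACY_PREFIX = 'vb4md5$';
const BCRYPT_COST   = 12;

/** The legacy forum hash, kept only so old rows can still be verified. */
function legacyVb4Hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

/** Stored form for an imported row that has not been upgraded yet. */
function legacyStoredValue(string $salt, string $hash): string
{
    return LEGACY_PREFIX . $salt . '$' . $hash;
}

function isLegacy(string $stored): bool
{
    return str_starts_with($stored, LEGACY_PREFIX);
}

/**
 * Check a login attempt against whatever is stored for the user.
 * Returns [ok, newStoredValue]; newStoredValue is non-null when the caller
 * must write the upgraded hash back to the row.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacy($stored)) {
        [, $salt, $hash] = explode('$', $stored, 3);
        // hash_equals() compares in constant time; known value goes first.
        if (!hash_equals($hash, legacyVb4Hash($password, $salt))) {
            return [false, null];
        }
        // The password is correct and we hold the plaintext right now: this is
        // the only moment a one-way legacy hash can be replaced with bcrypt.
        return [true, password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already bcrypt: bump the work factor if the policy has moved on.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return [true, password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])];
    }
    return [true, null];
}

// --- constructed demo data -------------------------------------------------
$salt  = 'K3z';   // short salt as in vB3; vB4 uses a longer one, same scheme
$users = [
    'alice' => legacyStoredValue($salt, legacyVb4Hash('correct horse', $salt)),
];

// Wrong password: rejected, row untouched.
[$ok, $new] = verifyAndUpgrade('wrong', $users['alice']);
assert($ok === false && $new === null);

// Right password: accepted and upgraded; persist $new in place of the old row.
[$ok, $new] = verifyAndUpgrade('correct horse', $users['alice']);
assert($ok === true && $new !== null && str_starts_with($new, '$2y$12$'));
$users['alice'] = $new;

// Second login is checked with bcrypt only; no MD5 is computed any more.
[$ok, $new] = verifyAndUpgrade('correct horse', $users['alice']);
assert($ok === true && $new === null);

echo "alice now stored as: {$users['alice']}\n";
```

The weak point of this pattern is the same one the thread keeps circling back to: any account that never logs in again stays MD5 forever, so in a real migration those rows either get wrapped (bcrypt computed over the existing MD5 value, verified by the same two-step check) or are forced through a password reset, rather than being left for the next database dump.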

  • jar Member, Patron Provider

    Licensecart said: I might have said it wrongly :s

    Aye. I mean I'll admit MD5 isn't the best choice and if you're making a decision today that wouldn't be the smart pick. That said, it would be a bit extreme to say MD5 is hackable. It's crackable. That still means that the only way to get the password is to guess the password. You have to have the password to know you have it. In 25 years MD5 may be completely useless and so easy to crack that using it is hilariously dumb, but at least for today it still has some value if you've got a few legacy things using MD5, IMO. It just shouldn't be where you actively choose to go today.

    Thanked by 1: Licensecart
  • @jarland said:

    Licensecart said: I might have said it wrongly :s

    Aye. I mean I'll admit MD5 isn't the best choice and if you're making a decision today that wouldn't be the smart pick. That said, it would be a bit extreme to say MD5 is hackable. It's crackable. That still means that the only way to get the password is to guess the password. You have to have the password to know you have it. In 25 years MD5 may be completely useless and so easy to crack that using it is hilariously dumb, but at least for today it still has some value if you've got a few legacy things using MD5, IMO. It just shouldn't be where you actively choose to go today.

    Sadly this could have been avoided at WHT if they updated the forum last month when the fix came out, unless it was hacked before June.

    Thanked by 1: jar
  • jar Member, Patron Provider

    Gotta be honest I have a really hard time caring if they did get compromised. Like my level of "give a shit" about WHT is so low that I can't even get the wheels spinning.

    I'm gonna get my ass kicked talking this much trash before hostingcon :( lol
