User panel stuff on forum
  12 posts on 1 page  1
Site Feedback
2011-10-26, 07:14
Administrator
1025 posts

Registered:
Apr 2006
In swedish, but check the list: http://www.aftonbladet.se/nyheter/article13838087.ab

For foreigners, it says about: "A swedish hacker has hacked the following sites"

I haven't got confirmed by Zalon or any other site admin, but it seems like he got a hold of the databases on all those sites.

So users that have the same password here as on other sites: CONSIDER CHANGING YOUR PASSWORD ON THOSE SITES.

//dimman

EDIT: The hacker confirms that the qw.nu database has been compromised:
Still in swedish (qw.nu is on the list of sites of which got their databases dumped): https://www.flashback.org/p32277168#p32277168
2011-10-26, 08:11
Member
3 posts

Registered:
Feb 2006
Yeah, I saw the same, for once I was glad I did not change my password from the randomized one I got the last time I requested a password change.

Btw, this is what it says if you request a new password :-)

"An e-mail has been sent to the specified address with instructions on how to change your password. If it does not arrive you can contact the forum administrator at hack@hack.com."
2011-10-26, 09:21
Member
693 posts

Registered:
Jan 2006
If I recall correctly from when I coded most of qw.nu many years ago, the passwords are stored in the database as an md5 hash, so it shouldn't be possible for the hackers to view or work out your actual password. However, if you have to physically login post-hack, it is possible that he/she has changed the login mechanism to record your non-hashed password elsewhere.

So don't login if you're not already logged in via cookie.
2011-10-26, 09:29
News Writer
1267 posts

Registered:
Jun 2007
The site was hacked like what, a week ago? I guess many have logged in physically by now :/
Chosen
2011-10-26, 09:40
Administrator
1025 posts

Registered:
Apr 2006
gaz wrote:
If I recall correctly from when I coded most of qw.nu many years ago, the passwords are stored in the database as an md5 hash, so it shouldn't be possible for the hackers to view or work out your actual password. However, if you have to physically login post-hack, it is possible that he/she has changed the login mechanism to record your non-hashed password elsewhere.

So don't login if you're not already logged in via cookie.

Its major failure if its MD5 hashes only. MD5 is severly broken.

I haven't looked it up all that much lately, but a identical checksum can be created within seconds, thus even if not revealing your real password, its not much help if the false password generates the same checksum.
2011-10-26, 09:48
Member
693 posts

Registered:
Jan 2006
The login is based on the punBB software, which yes only uses MD5 hashes (afaik). If I was coding it again now I'd know better...

edit: I was just trying to reassure that the hacker probably can't recover your actual password, which is hopefully good news for people that use the same password here as they do on their email accounts, facebook, paypal, amazon etc (and remember that your email address is also in the database).
2011-10-26, 10:18
Member
80 posts

Registered:
Jan 2006
I don't think theyve made changes to the site, but can't be 100% sure. I know from the thread on flashback when I read through that all people did was look up sites with vulnerabilities in their database. After that it seems some person did an sql injection and dumped the database from a majority of those sites, all in all around 700 000 password were stolen I think. The best thing for people is to just change the password here to something that they don't use on other sites where they have their email registered.

Most of those sites hacked also used MD5, one of them being a majorsite called "Bloggtoppen". MD5 is as Dimman said really easy to get past either with bruteforce or from various sites where you can easily match the checksum with the ones in their database already. Just change the password on your other sites if you have a similar password. I've kept the same password here since I first registered my account, this site has been hacked like 3 times already? I just keep this password completely different from my other sites.
2011-10-26, 12:01
News Writer
646 posts

Registered:
Mar 2006
I have issue with the term "hacker", but of course you already know this. People that run "hack_websites.exe" overnight on their dell PC are not hackers.

Also it is sad news that md5 is no longer secure (source?) - is it possible to upgrade to sha1 or something similar?
2011-10-26, 12:16
Administrator
2059 posts

Registered:
Jan 2006
Checking the source of punbb it seems md5 was used at the beginning, but there is a function when logging in that checks if you have a md5 hash in the DB, and if so, saves it as SHA1 instead.
www.facebook.com/QuakeWorld
2011-10-26, 12:41
Administrator
1025 posts

Registered:
Apr 2006
!phil wrote:
I have issue with the term "hacker", but of course you already know this. People that run "hack_websites.exe" overnight on their dell PC are not hackers.

Also it is sad news that md5 is no longer secure (source?) - is it possible to upgrade to sha1 or something similar?

Not that I care if you have an issue with it or not, but I didn't know thats what he did. According to what I've found from him, it seems like he knows what he's doing,
and himself doesn't like script-kiddies (which i think is the term your looking for). But what do I know, feel free if you have any other info to share.

It has been public info that MD5 is broken for several years. Google "md5 broken".

Åke Vader: Allright, atleast that's better. I'm assuming you are checking the source used at qw.nu (which Zalon told me was really old)?
Then the remaining problem is the vulnerability mainly from SQL injections
2011-10-26, 19:27
Member
1100 posts

Registered:
Jan 2006
So I guess the recent admin account takeover was related to this?
2011-10-27, 11:41
Administrator
1025 posts

Registered:
Apr 2006
Spirit wrote:
So I guess the recent admin account takeover was related to this?

Yes, most likely.
  12 posts on 1 page  1