Receiving spam from anandtech smtp server?

[dualsmp]

Is the admin being cheeky or is this a hack?

Folks, and folkettes (both of you) we were the victims of a serious forum breach early this morning, possibly from aliens, we're not sure.
Our field hospitals are littered with the horribly wounded and the merely annoyed, their blood curdling complaints chilling us all.
We will fight on the beaches, and in the hills and sub-forums, so that our valor or at least our sheer stubbornness will be long cherished and dearly remembered.
For as long as the English language is misused men will say, "This was their finest hour ... sort of."

THE FORUMS WILL BE DOWN AGAIN FOR 25 HOURS from 12:15 am this Saturday, Dec. 5th until 1:15 am Sunday the 6th for quadruple secret maintenance.
During this otherwise unwelcome interregnum, please find something productive to do. Om for world peace or re-grout the tile in your bathroom. You DO have a bathroom, don't you?
Oh, sure, you'll curse us at first, but in the end, this short vacation will make a better person out of you, and you can thank us later.

 

[Ken g6]

Is the admin being cheeky or is this a hack?

Re: the forums down announcement:

That was my announcement. Can't you recognize the writing style? Anyway, and sadly, that announcement is true.

I imagine the other one is of similar origin?

 

[ivan2]

Let me fix that for you - it wouldn't be easy provided they have no access to the DB or web server. Given that it's already been compromised... The fact is if you have what's stored in the database, you don't need to decrypt anything. You use THAT as is to generate authentication.

Anyway, there shouldn't be any need to panic anyway. After all, you guys aren't realistically using the same password on some random internet forum as you are for, lets say... you BANK account, right?

this isn't easy to do(brute forcing a good pw out of a hash takes a lot of time, dictionary takes much less time, thus if ur pw is weak change it). what i got from your description, if right, to stick a hash generated by a pw you know, with the salt, into the server DB so that you will have access to all the account.

I have no idea how you can use the hash to generate authentication unless you explain further.

 

[Crusty]

this isn't easy to do(brute forcing a good pw out of a hash takes a lot of time, dictionary takes much less time, thus if ur pw is weak change it). what i got from your description, if right, to stick a hash generated by a pw you know, with the salt, into the server DB so that you will have access to all the account.

I have no idea how you can use the hash to generate authentication unless you explain further.

It's the way that vB handles logins. When you send a request to the server for a login you typically send your username and your password in plain text to the server.

vB has a javascript action that computes an MD5 hash BEFORE it sends it over to the server. Therefore yoru hashed password is being sent in clear text which is only a security risk for sites where you use the SAME password and they use the SAME authentication scripts.

At least the login code does degrade gracefully when there isn't javascript present and the server does allow you to login with a plaintext password instead of the MD5 hash.

You can test it yourself by installing a plugin called 'liveHTTPHeaders' for Firefox and look at the parameters you pass when you click the login link with both Javascript enabled and disabled.

So all that being said, if the hacker has a list of MD5 passwords and associated login names he can login as any user he wants to the forums.

The fix to these kinds of risks is to use SSL, in which case it won't matter if you send an MD5 hash of your password or you just send it in plain text, it's still encrypted and unreadable in normal circumstances.

 

[Scouzer]

So has anyone determined whether our passwords are safe?

 

[Crusty]

So has anyone determined whether our passwords are safe?

From what I can tell, yes. As far as I know the 'hacker' only got access to an admin user account, which has no way to see hashed passwords in the database.