Hack-A-Server (yelled in Scooter's voice)

So today we will talk about a few things from the past week.

Somewhere around the time BoM started last week, a friend of mine came to me with a problem. His Minecraft server got ass raped by ponies. So yeah, I decided to help him out and put his server on my coffee table (IKEA makes great server racks, very good value as well).

In any case… since I'm the kind of guy that likes to know what happened, I started digging into what kind of shitfest we have here. Names of hosting providers and involved parties have been changed for their protection (sure… like no one has Google).

So… there is a group of hackers; you could class them as gray hats. What they did was more or less go to the Minecraft forums and fish in the cheap host section for targets. They went for sub-par hosts that offered a little of everything, including support. Mostly one-man startups that rented a server in some data center and did a quick setup using premade things… and this is the problem.

First of all… for billing they used WHMCS… a system that took the best as an example and, like Sony, stores the user password in plaintext. That's a good start. It also gives you the owner's email. Bet the password works there as well.

Let's now go one step further. There is a thing in Linux called cPanel, and if I were in charge there would be a hidden, obscured hardcode in the kernel that would prevent it from working. Whoever decided root access from a www web panel was a good idea should be pummelled to death with Internet Explorer 5.0.

Back to the topic at hand. Multicraft is sort of similar: it's a Minecraft admin panel for multiple servers that lets people run their server without knowing what SSH is. Let's say that thing is insecure as shit, prone to injection and remote code execution attacks. Checking Google for Multicraft exploits gives me guides, for noobs, for people that have little understanding of how this works. That's how easy it is to mess that up.

So about 5 hosts got hit, cheap hosts that tried to make some easy money off people that wanted cheap hosting. Since I've had experience with cheap hosts for www pages, I know it's sometimes better to pay premium or have a friend with a fiber line in his house and a not-that-much-used server.

In any case, BBQ is over, rant is over, time to resume a boring evening.

/Derresh

BBQ time

So yeah, time for the BBQ of awesome. Today I got 3 kg of ham, marinated in a nice soy sauce-scotch mix, and 2.5 kg of chicken, marinated in ginger and stuff… and 10 people that want to get a taste of that. I guess this will be one long day with everything around, but it sure will be fun.

And again

Ok… so I get a tweet…

And what is my first thought, like the second I get this? Of course, they got hacked.

You don't have to be an IT expert to do this right: you hash and salt your passwords. It's not hard to implement; you can find scripts for that for kind of anything that can interface with MySQL or a similar DB. The funny thing here is, every single time someone gets hacked, they claim the password DB was encrypted or something like that. Here is the thing: that does not make the IT crowd feel better. When you say the passwords are encrypted, instead of making people sleep better at night you tell them “You've got around 12h till they crack it, or less. Change it NOW.”

Also… in cases like that you send an email to your users and you force reset their passwords. You tell them to change the password everywhere else, since a lot of people use the same password for a few things.

On the plus side, they did not handle credit card info.

So somewhere we start

After some time I finally got my scheduled fixes… somewhat. So my GF, now fiancée, is living with me; I need to start getting paperwork done for her to stay longer. She is also drawing stuff again, so that's good.

Tech wise… small rant on bitcoins.

So… bitcoins. Whoever invented this should get a Nobel Prize in economics for something that might devastate the economic system as we know it. So yeah, people think it's money for nothing. Nope, you need a digger that runs 24/7; you can use your GPU for it and not even break even on the utility bill, or get a $2000 digger rig that will maybe make back the money you put into it.

I am just waiting now for the whole system to have some sort of fundamental flaw. A hash-based system has one risk: getting cross hashes, as in two things can give you the same hash. It's a very low chance, but due to that occurrence RAID 5 is considered no longer fail safe; due to the size of HDDs it can happen and garbage your data. It always had a chance to, but now there's just enough data to make the chance worth considering. Time will tell how this goes, but don't be surprised when this falls. Some countries are banning BTC trade, some are investigating. It's just a mess; someone will end it soon.

Well, just a blog about how lazy I am.