  1. #26
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,134
    Well, it's definitely out there, that's for sure.
    As far as the version of VB? WHT has always been behind. With a massive place like this you can't just "update it". Then again, I wouldn't be using VB anyways, not on WHT. That thing's riddled with holes and security issues.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  2. #27
    Join Date
    Mar 2014
    Location
    su -
    Posts
    6,284
    As many have pointed out it's been a while since this forum version was updated. But who knows, they might have applied modifications to eliminate the vulnerabilities?

    Even the most up to date state of the art security applications can be compromised. So, this happens and it can be said that it still looks normal.
    █||||[ MechanicWeb.com - Shared Hosting | Reseller Hosting | KVM VPS | Dedicated Server ]
    █||||[ NVMe SSD | cPanel | DirectAdmin | LiteSpeed | CloudLinux | MailChannels | Since 2008 ]

  3. #28
    Hope it's a really old release :X Good luck admin guys sorting this crap out.

  4. #29
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    422
    Quote Originally Posted by whmcsguru View Post
    Well, it's definitely out there, that's for sure.
    As far as the version of VB? WHT has always been behind. With a massive place like this you can't just "update it". Then again, I wouldn't be using VB anyways, not on WHT. That thing's riddled with holes and security issues.
    Actually you can just upgrade vBulletin to newer versions or migrate to several other forum solutions, for whatever reason WHT has chosen not to. Just as they've chosen NOT to upgrade their Wordpress (http://www.webhostingtalk.com/blog/) from version 4.3.1 ( also with several vulnerabilities) or several of their Wordpress plugins. Security and staying current is obviously not a priority to them.

    Quote Originally Posted by MechanicWeb-shoss View Post
    As many have pointed out it's been a while since this forum version was updated. But who knows, they might have applied modifications to eliminate the vulnerabilities?
    Read the following articles and you'll see that WHT did not do what you are suggesting as their passwords are hashed using MD5 which is cake work for modern password crackers to break. Otherwise if they did apply modifications they surely wouldn't have used MD5.

    http://motherboard.vice.com/read/hac...b-hosting-talk

    https://www.leakedsource.com/blog/webhostingtalk

  5. #30
    Join Date
    Mar 2014
    Location
    su -
    Posts
    6,284
    Quote Originally Posted by WoodiE55 View Post
    Read the following articles and you'll see that WHT did not do what you are suggesting as their passwords are hashed using MD5 which is cake work for modern password crackers to break. Otherwise if they did apply modifications they surely wouldn't have used MD5.

    Well, an incident like this is actually an opportunity to bring change for good. This is the kind of time that can keep you apart and different and help you improve. Let's hope the same this time.
    █||||[ MechanicWeb.com - Shared Hosting | Reseller Hosting | KVM VPS | Dedicated Server ]
    █||||[ NVMe SSD | cPanel | DirectAdmin | LiteSpeed | CloudLinux | MailChannels | Since 2008 ]

  6. #31
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,134
    Quote Originally Posted by WoodiE55 View Post
    Actually you can just upgrade vBulletin to newer versions or migrate to several other forum solutions
    Says someone who's never worked behind the scenes in an operation like this before. It's not that easy.

    Every time WHT upgrades, it causes problems. WHT is not your default VB install, it's quite custom, quite hacky, and quite a bit out of the box.

    Don't blame MD5 here, that's not the issue. The issue is individuals and insecure passwords. Taking a look through the list of available passwords and you'll see precisely what the problem is.
    MD5 is fine. While it's hardly the best method on the planet, it's not really 'easy' to hack. Of course, if you're stupid enough to have said weak password, then you deserve what you've got coming.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  7. #32
    Quote Originally Posted by whmcsguru View Post
    Don't blame MD5 here, that's not the issue. MD5 is fine.
    Really, MD5 is not an issue?!!!!! Well, take a look here:
    php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
    owasp.org/index.php/Guide_to_Cryptography#Algorithm_Selection

    Quote Originally Posted by whmcsguru View Post
    While it's hardly the best method on the planet, it's not really 'easy' to hack.
    And there is a tool available in Kali Linux to crack hashes such as MD5 etc., called findmyhash, as well as a lot of other more advanced ways to crack it.

  8. #33
    Quote Originally Posted by whmcsguru View Post
    Says someone who's never worked behind the scenes in an operation like this before. it's not that easy.
    Every time WHT upgrades, it causes problems. WHT is not your default VB install, it's quite custom, quite hacky, and quite a bit out of the box.
    Also, would like to point out:
    Many websites even bigger than WHT have been very able to upgrade, move, or scale their website software... it's not mission impossible, it is not easy but not hard, and custom code can be refactored.
    So regarding upgrading the vBulletin problems, the problem is that it seems that WHT has only a production environment, and when they upgrade or do something, they push it immediately to production rather than testing it on a test/development environment first. I assume that a website of such size has the resources to accomplish such upgrade/maintenance etc. operations easily.

  9. #34
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Quote Originally Posted by Mujahed-Developer View Post
    And there is a tool available in Kali Linux to crack hashes such as MD5 etc., called findmyhash, as well as a lot of other more advanced ways to crack it.
    According to the source code, all "findmyhash" does is check against databases for the specific hash; it doesn't actually decrypt the password, it just looks to see if it's in a database somewhere. If you're using a randomly generated password greater than 20 characters with random symbols in it, the likelihood of your password being in one of the databases is slim.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  10. #35
    Quote Originally Posted by ZKuJoe View Post
    According to the source code, all "findmyhash" does is check against databases for the specific hash; it doesn't actually decrypt the password, it just looks to see if it's in a database somewhere. If you're using a randomly generated password greater than 20 characters with random symbols in it, the likelihood of your password being in one of the databases is slim.
    That is a basic tool, there are more advanced tools and techniques, not sure if it's allowed to post info about them here.
    Just understand the point, which is MD5 is weak and crackable even by a script kiddie who can use such tools.

  11. #36
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Quote Originally Posted by Mujahed-Developer View Post
    That is a basic tool, there are more advanced tools and techniques, not sure if it's allowed to post info about them here.
    Just understand the point, which is MD5 is weak and crackable even by a script kiddie who can use such tools.
    The problem is people are not using secure passwords (myself included on this site). If you use a random 14 character alpha-numeric password it would take somebody with a single GPU (~3 billion hashes per second) 1,123,592 years and 11 months to guess every password (561,796 years to guess half of the passwords). Let's assume they had 100 GPUs, that's still 11,235 years to guess every possible password combination assuming they knew how many characters the password was and did not check for special symbols (adding 1 symbol adds over 35 billion years onto the time it would take to check against every possible combination).
    Last edited by ZKuJoe; 07-09-2016 at 06:55 PM.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  12. #37
    Join Date
    Sep 2010
    Location
    Morocco
    Posts
    47
    So is it a vBulletin 0day or something else?
    Fast Linux VPS for cheap price ! Reliable SSD Dedicated Servers with unmetered 1 Gbps !

    Dedicated Servers | Linux VPS | Windows VPS | SSL Certificates | cPanel Web Hosting | Visit us at www.webhi.com

  13. #38
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    422
    Quote Originally Posted by whmcsguru View Post
    Says someone who's never worked behind the scenes in an operation like this before. It's not that easy.
    You speak as if you know me, you don't. I can assure you I've worked on several large projects and run a big board myself along. So keep talking like you know something you don't.

    Quote Originally Posted by whmcsguru View Post
    Every time WHT upgrades, it causes problems. WHT is not your default VB install, it's quite custom, quite hacky, and quite a bit out of the box.
    When WHT first started, it didn't start on vBulletin 4.2.2. You know what WHT has done though? They upgraded, so YES it's possible. They (WHT) have just chosen not to.

    Quote Originally Posted by whmcsguru View Post
    Don't blame MD5 here, that's not the issue. The issue is individuals and insecure passwords.
    HAHA. "MD5 isn't to blame". I'll admit I don't know you from Peter but that statement says plenty about your understanding about password storage. Here's a great article from a well known and respected individual, Troy Hunt, that shows just how weak MD5 really is and how easy it is to crack - https://www.troyhunt.com/data-breach...etin-and-weak/

    MD5 is exactly the cause. If passwords were stored far more securely then it would take FAR more time and energy to crack the same weak password. MD5 is exactly the reason we already know how weak passwords are here.

    Quote Originally Posted by Mujahed-Developer View Post
    Really, MD5 is not an issue?!!!!! Well, take a look here:
    php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
    owasp.org/index.php/Guide_to_Cryptography#Algorithm_Selection

    And there is a tool available in Kali Linux to crack hashes such as MD5 etc., called findmyhash, as well as a lot of other more advanced ways to crack it.
    Yes, don't let others fool you into thinking MD5 is even remotely secure - it's not. Check out hashcat, it's incredibly fast - even without using GPUs.

  14. #39
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    20,777
    Quote Originally Posted by WoodiE55 View Post
    Yes, don't let others fool you into thinking MD5 is even remotely secure - it's not. Check out hashcat, it's incredibly fast - even without using GPUs.
    It is widely accepted that MD5 is broken for many reasons - modern computers can brute-force hashes fairly quickly, rainbow tables exist and, worse, it is possible to create an MD5 collision. SHA128 was designed to fix many of the problems with the hashes, but using it now is also a bad idea as theoretical weaknesses exist that make computer researchers believe it will be broken in a few years. SHA256 is what should be used.

    With this said, as long as the database is salted and other security best practices are followed, MD5 is still reasonably secure.

    The worst thing is not the hashed passwords rather the email addresses and WHT usernames - If I were to obtain the database (and were malicious) I would do one of two things with the database; spam the users with targeted messages or perform a phishing attack to convince WHT users to "verify their account".
    Keith I Myers
    KMyers.me The rantings of a lunatic
    Join me on Technical.chat

  15. #40
    Join Date
    Jul 2005
    Posts
    3,784
    This doesn't surprise me - Penton has pretty much killed WHT since they bought it, they have put zero interest in keeping it alive.

  16. #41
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    20,777
    Quote Originally Posted by stablehost View Post
    This doesn't surprise me - Penton has pretty much killed WHT since they bought it, they have put zero interest in keeping it alive.
    I also have the same feeling, ever since Penton took over, things have been a royal mess and we have yet to see a Penton rep make any responses to any of the complaint threads.
    Keith I Myers
    KMyers.me The rantings of a lunatic
    Join me on Technical.chat

  17. #42
    Join Date
    Oct 2015
    Location
    Perth
    Posts
    255
    A bit concerning though hardly surprising. I've been concerned about the security of this site mainly due to the lack of enforced SSL. I figure if they don't at least enforce SSL where else is security lacking.
    Altair Hosting - Hosting You Can Trust
    Shared Hosting | Auto Website Setup | SSL Certificates

  18. #43
    Join Date
    Oct 2015
    Posts
    64
    They do not care as long as they are getting the money from advertisers.
    I have no signature

  19. #44
    Join Date
    Jul 2005
    Posts
    3,784
    Quote Originally Posted by KMyers View Post
    I also have the same feeling, ever since Penton took over, things have been a royal mess and we have yet to see a Penton rep make any responses to any of the complaint threads.
    I've been trying to get a hold of someone from Penton that oversees WHT for months, nobody knows... (or cares, I guess?)

    Very sad.

  20. #45
    Join Date
    Feb 2012
    Location
    New York, NY
    Posts
    568
    Quote Originally Posted by WebHi View Post
    So is it a vBulletin 0day or something else?
    VBulletin isn't necessarily the culprit and likewise it wasn't necessarily a vulnerability in the WHT site that the hacker used to gain access to the databases. According to Motherboard, five Penton sites were compromised and not all of those sites use VB (HotScripts doesn't use it). It's more likely the hacker used a vulnerability in one of the five sites to gain access to the database server cluster used by the sites (assuming all sites use the same cluster of physical servers for their DBs since all are hosted at LiquidWeb) and once they gained access to the DB server they were able to grab the databases of all sites.

    On Friday, an operator of the data breach awareness site LeakedSource said that hackers breached the media company Penton on July 4, 2016 and stole the databases of Web Hosting Talk, Mac Forums, HotScripts.com, dBforums, and A Best Web.
    http://motherboard.vice.com/read/hac...b-hosting-talk
    also from that Motherboard article:

    The operator said that the passwords are not in plaintext, but are hashed,...

    ...The bad news is that they were hashed with the MD5 algorithm, which is notoriously weak, and the salt is in the database “next to [the] hashes,” according to the operator.

    So the passwords should be relatively easy to crack. In fact, the operator said on Friday evening that they had cracked around 60 percent in only two hours.
    Last edited by domainbop; 07-09-2016 at 10:43 PM.

  21. #46
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    19,178
    Quote Originally Posted by stablehost View Post
    I've been trying to get a hold of someone from Penton that oversees WHT for months, nobody knows... (or cares, I guess?)

    Very sad.
    We also haven't had any luck getting a hold of anybody.
    Michael Denney - MDDHosting.com - Proudly hosting more than 37,800 websites since 2007.
    Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
    cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
    Class-leading support that responds in minutes, not days.

  22. #47
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    This is a reminder for everybody to never use the same password on multiple sites and to always use a secure password. MD5 is not a problem, insecure passwords found in MD5 databases is. 11,000 years is a long time to guess a password.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  23. #48
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    20,777
    Quote Originally Posted by ZKuJoe View Post
    This is a reminder for everybody to never use the same password on multiple sites.
    It is sad that this needs to be repeated on this site, but it does.
    Keith I Myers
    KMyers.me The rantings of a lunatic
    Join me on Technical.chat

  24. #49
    Join Date
    Feb 2012
    Location
    New York, NY
    Posts
    568
    Quote Originally Posted by ZKuJoe View Post
    This is a reminder for everybody to never use the same password on multiple sites and to always use a secure password. MD5 is not a problem, insecure passwords found in MD5 databases is. 11,000 years is a long time to guess a password.
    According to Motherboard it only took 2 hours for the hackers to crack 60% of the passwords from the 5 Penton sites because the salts were also kept in the same databases. A far cry from 11,000 years for the average user password.

    The databases are searchable on leakedsource (according to them all Penton sites were hacked but only 4 of the sites' DBs are currently available) and the WHT user info that was hacked on 7/4 appears to be: "username, Possible plaintext password, hash, email, register_date, last_login, birthday, ipaddress, salt".
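    The two arguments running through this thread (the keyspace arithmetic in #36 and the "salt is in the database next to the hashes" point in #45 and #49) can be made concrete. The following is an added example, not code from this forum or from vBulletin: it stores a password under a generic salted-MD5 record of the kind being described (md5(salt || password) with the salt kept beside the digest; this exact layout is a constructed assumption, not vBulletin's scheme) and under PBKDF2-HMAC-SHA256 with the salt equally visible, then estimates how long exhausting an alphanumeric keyspace takes at an assumed rate of 3 billion MD5 hashes per second. The salt sitting in the database is normal for both schemes and is not what makes the first one weak; what separates them is the cost of each guess.

```python
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def legacy_md5_record(password, salt=None):
    """Legacy-style record: md5(salt || password), salt stored beside the digest.

    Constructed 'before' case for illustration only; it is NOT vBulletin's
    exact scheme. One MD5 call per guess is all an attacker has to pay.
    """
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def legacy_md5_verify(record, password):
    """Recompute md5(salt || candidate) and compare in constant time."""
    algo, salt_hex, digest = record.split("$")
    assert algo == "md5"
    candidate = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_record(password, iterations=600_000, salt=None):
    """Slow-KDF record: PBKDF2-HMAC-SHA256. The salt is just as visible as in
    the legacy record; the iteration count is what multiplies the per-guess cost."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record, password):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    assert algo == "pbkdf2_sha256"
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def keyspace_years(alphabet_size, length, hashes_per_second):
    """(years to exhaust, years to cover half of) a uniformly random password space
    of the given alphabet and length at the given guess rate."""
    combos = alphabet_size ** length
    full = combos / hashes_per_second / SECONDS_PER_YEAR
    return full, full / 2


def slowed_rate(fast_rate, iterations):
    """Lower bound on the attacker's guess rate once every guess costs `iterations`
    HMAC computations instead of a single hash (assumes HMAC-SHA256 is no cheaper
    than MD5, which is conservative)."""
    return fast_rate / iterations


if __name__ == "__main__":
    password = "correct horse"           # constructed sample password
    md5_rate = 3e9                        # assumed single-GPU MD5 rate from the thread
    print(legacy_md5_record(password))
    print(pbkdf2_record(password))
    for label, rate in (("MD5", md5_rate), ("PBKDF2 600k", slowed_rate(md5_rate, 600_000))):
        full, half = keyspace_years(62, 8, rate)
        print(f"{label:12s} 8-char alphanumeric: {full:10.4f} years to exhaust, {half:10.4f} to cover half")
    full14, _ = keyspace_years(62, 14, md5_rate)
    print(f"14-char alphanumeric at {md5_rate:.0e} MD5/s: {full14:.3e} years to exhaust")
```

    Running it prints both record formats and the estimates: an 8-character alphanumeric space that a single GPU exhausts in under a day against unsalted-speed MD5 takes over a thousand years once each guess costs 600,000 iterations on the same hardware. The 3e9 hashes/s figure, the 600,000 iteration count and the record layouts are assumptions for illustration; real attacker rates depend on hardware and on the target hash.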

  25. #50
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Quote Originally Posted by KMyers View Post
    It is sad that this needs to be repeated on this site, but it does.
    I agree 100% but I am guilty of this also. For some reason I didn't have an entry for WHT in my password manager and I found I was using an old password that I was using on another forum that wasn't in my password manager either. This thread is the only reason I even checked the password since I rarely ever have to login to it.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas
