Thread: WHT hacked DB for sale
-
07-09-2016, 11:57 AM #26
Well, it's definitely out there, that's for sure.
As far as the version of VB? WHT has always been behind. With a massive place like this you can't just "update it". Then again, I wouldn't be using VB anyways, not on WHT. That thing's riddled with holes and security issues.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
07-09-2016, 12:06 PM #27
As many have pointed out it's been a while since this forum version was updated. But who knows, they might have applied modifications to eliminate the vulnerabilities?
Even the most up to date state of the art security applications can be compromised. So, this happens and it can be said that it still looks normal.
█||||[ MechanicWeb.com - Shared Hosting | Reseller Hosting | KVM VPS | Dedicated Server ]
█||||[ NVMe SSD | cPanel | DirectAdmin | LiteSpeed | CloudLinux | MailChannels | Since 2008 ]
-
07-09-2016, 12:11 PM #28 Newbie
- Join Date: Jul 2011
- Posts: 28
Hope it's a really old release :X Good luck admin guys sorting this crap out.
-
07-09-2016, 03:18 PM #29 Aspiring Evangelist
- Join Date: Feb 2002
- Location: Indiana
- Posts: 422
Actually you can just upgrade vBulletin to newer versions or migrate to several other forum solutions; for whatever reason WHT has chosen not to. Just as they've chosen NOT to upgrade their WordPress (http://www.webhostingtalk.com/blog/) from version 4.3.1 (also with several vulnerabilities) or several of their WordPress plugins. Security and staying current is obviously not a priority to them.
Read the following articles and you'll see that WHT did not do what you are suggesting, as their passwords are hashed using MD5, which is cake work for modern password crackers to break. Otherwise, if they did apply modifications they surely wouldn't have used MD5.
http://motherboard.vice.com/read/hac...b-hosting-talk
https://www.leakedsource.com/blog/webhostingtalk
-
07-09-2016, 03:56 PM #30
-
07-09-2016, 05:30 PM #31
Says someone who's never worked behind the scenes in an operation like this before. It's not that easy.
Every time WHT upgrades, it causes problems. WHT is not your default VB install, it's quite custom, quite hacky, and quite a bit out of the box.
Don't blame MD5 here, that's not the issue. The issue is individuals and insecure passwords. Take a look through the list of available passwords and you'll see precisely what the problem is.
MD5 is fine. While it's hardly the best method on the planet, it's not really 'easy' to hack. Of course, if you're stupid enough to have said weak password, then you deserve what you've got coming.
Tom Whiting, WHMCS Guru extraordinaire
-
07-09-2016, 06:13 PM #32 Newbie
- Join Date: Sep 2015
- Posts: 22
Really MD5 is not an issue?!!!!! Well, take a look here:
php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
owasp.org/index.php/Guide_to_Cryptography#Algorithm_Selection
And there is a tool available in Kali Linux to crack hashes such as MD5 etc., called findmyhash, as well as a lot of other more advanced ways to crack it.
-
07-09-2016, 06:24 PM #33 Newbie
- Join Date: Sep 2015
- Posts: 22
Also, would like to point out:
Many websites even bigger than WHT have been very able to upgrade, move, or scale their website software... it's not mission impossible; it is not easy but not hard, and custom code can be refactored.
So regarding upgrading the VBulletin problems, the problem is that it seems that WHT has only a production environment, and when they upgrade or do something, they push it immediately to production rather than testing it on a test/development environment first. I assume that a website of such size has the resources to accomplish such upgrade/maintenance etc. operations easily.
-
07-09-2016, 06:26 PM #34 Total Nerd
- Join Date: Feb 2007
- Location: Florida
- Posts: 1,932
According to the source code, all "findmyhash" does is check against databases for the specific hash; it doesn't actually decrypt the password, it just looks to see if it's in a database somewhere. If you're using a randomly generated password greater than 20 characters with random symbols in it, the likelihood of your password being in one of the databases is slim.
-Joe @ Secure Dragon LLC.
+ OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
+ Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas
-
07-09-2016, 06:34 PM #35 Newbie
- Join Date: Sep 2015
- Posts: 22
-
07-09-2016, 06:50 PM #36 Total Nerd
- Join Date: Feb 2007
- Location: Florida
- Posts: 1,932
The problem is people are not using secure passwords (myself included on this site). If you use a random 14 character alpha-numeric password it would take somebody with a single GPU (~3 billion hashes per second) 1,123,592 years and 11 months to guess every password (561,796 years to guess half of the passwords). Let's assume they had 100 GPUs, that's still 11,235 years to guess every possible password combination assuming they knew how many characters the password was and did not check for special symbols (adding 1 symbol adds over 35 billion years onto the time it would take to check against every possible combination).
Last edited by ZKuJoe; 07-09-2016 at 06:55 PM.
-Joe @ Secure Dragon LLC.
-
07-09-2016, 07:29 PM #37 Premium Member
- Join Date: Sep 2010
- Location: Morocco
- Posts: 47
So is it a vbulletin 0day or something else..
Fast Linux VPS for cheap price ! Reliable SSD Dedicated Servers with unmetered 1 Gbps !
Dedicated Servers | Linux VPS | Windows VPS | SSL Certificates | cPanel Web Hosting | Visit us at www.webhi.com
-
07-09-2016, 07:41 PM #38 Aspiring Evangelist
- Join Date: Feb 2002
- Location: Indiana
- Posts: 422
You speak as if you know me, you don't. I can assure you I've worked on several large projects and run a big board myself along. So keep talking like you know something you don't.
When WHT first started, it didn't start on vBulletin 4.2.2. You know what WHT has done though? They upgraded, so YES it's possible. They (WHT) have just chosen not to.
HAHA. "MD5 isn't to blame". I'll admit I don't know you from Peter but that statement says plenty about your understanding about password storage. Here's a great article from a well-known and respected individual, Troy Hunt, that shows just how weak MD5 really is and how easy it is to crack - https://www.troyhunt.com/data-breach...etin-and-weak/
MD5 is exactly the cause. If passwords were stored far more securely then it would take FAR more time and energy to crack the same weak password. MD5 is exactly the reason we already know how weak passwords are here.
Yes, don't let others fool you into thinking MD5 is even remotely secure - it's not. Check out hashcat, it's incredibly fast - even without using GPUs.
-
07-09-2016, 08:18 PM #39 Web Hosting Master
- Join Date: Mar 2009
- Location: Miami, Florida
- Posts: 20,777
It is widely accepted that MD5 is broken for many reasons - modern computers can bruteforce hashes fairly quickly, rainbow tables exist and worse - it is possible to create an MD5 collision. SHA128 was designed to fix many of the problems with the hashes but using it now is also a bad idea as theoretical weaknesses exist that make computer researchers believe it will be broken in a few years. SHA256 is what should be used.
With this said, as long as the database is salted and other security best practices are followed, MD5 is still reasonably secure.
The worst thing is not the hashed passwords rather the email addresses and WHT usernames - If I were to obtain the database (and were malicious) I would do one of two things with the database; spam the users with targeted messages or perform a phishing attack to convince WHT users to "verify their account".
-
07-09-2016, 09:17 PM #40 Web Hosting Master
- Join Date: Jul 2005
- Posts: 3,784
This doesn't surprise me - Penton has pretty much killed WHT since they bought it, they have put zero interest in keeping it alive.
-
07-09-2016, 09:25 PM #41 Web Hosting Master
- Join Date: Mar 2009
- Location: Miami, Florida
- Posts: 20,777
-
07-09-2016, 09:39 PM #42 Web Hosting Guru
- Join Date: Oct 2015
- Location: Perth
- Posts: 255
A bit concerning though hardly surprising. I've been concerned about the security of this site mainly due to the lack of enforced SSL. I figure if they don't at least enforce SSL where else is security lacking.
-
07-09-2016, 09:56 PM #43 Junior Guru Wannabe
- Join Date: Oct 2015
- Posts: 64
They do not care as long as they are getting the money from advertisers.
I have no signature
-
07-09-2016, 10:25 PM #44 Web Hosting Master
- Join Date: Jul 2005
- Posts: 3,784
-
07-09-2016, 10:29 PM #45 Web Hosting Master
- Join Date: Feb 2012
- Location: New York, NY
- Posts: 568
VBulletin isn't necessarily the culprit and likewise it wasn't necessarily a vulnerability in the WHT site that the hacker used to gain access to the databases. According to Motherboard, five Penton sites were compromised and not all of those sites use VB (HotScripts doesn't use it). It's more likely the hacker used a vulnerability in one of the five sites to gain access to the database server cluster used by the sites (assuming all sites use the same cluster of physical servers for their DBs since all are hosted at LiquidWeb) and once they gained access to the DB server they were able to grab the databases of all sites.
On Friday, an operator of the data breach awareness site LeakedSource said that hackers breached the media company Penton on July 4, 2016 and stole the databases of Web Hosting Talk, Mac Forums, HotScripts.com, dBforums, and A Best Web.
http://motherboard.vice.com/read/hac...b-hosting-talk
The operator said that the passwords are not in plaintext, but are hashed,...
...The bad news is that they were hashed with the MD5 algorithm, which is notoriously weak, and the salt is in the database “next to [the] hashes,” according to the operator.
So the passwords should be relatively easy to crack. In fact, the operator said on Friday evening that they had cracked around 60 percent in only two hours.
Last edited by domainbop; 07-09-2016 at 10:43 PM.
-
07-09-2016, 10:30 PM #46 Web Hosting Industry Expert
- Join Date: Dec 2007
- Location: Indiana, USA
- Posts: 19,178
█ Michael Denney - MDDHosting.com - Proudly hosting more than 37,800 websites since 2007.
█ Ultra-Fast Cloud Shared and Pay-By-Use Reseller Hosting Powered by LiteSpeed!
█ cPanel • Free SSL • 100% Uptime SLA • 24/7 Support
█ Class-leading support that responds in minutes, not days.
-
07-09-2016, 11:57 PM #47 Total Nerd
- Join Date: Feb 2007
- Location: Florida
- Posts: 1,932
This is a reminder for everybody to never use the same password on multiple sites and to always use a secure password. MD5 is not a problem, insecure passwords found in MD5 databases are. 11,000 years is a long time to guess a password.
-Joe @ Secure Dragon LLC.
-
07-10-2016, 12:05 AM #48 Web Hosting Master
- Join Date: Mar 2009
- Location: Miami, Florida
- Posts: 20,777
-
07-10-2016, 12:11 AM #49 Web Hosting Master
- Join Date: Feb 2012
- Location: New York, NY
- Posts: 568
According to Motherboard it only took 2 hours for the hackers to crack 60% of the passwords from the 5 Penton sites because the salts were also kept in the same databases. A far cry from 11,000 years for the average user password.
The databases are searchable on leakedsource (according to them all Penton sites were hacked but only 4 of the sites' DBs are currently available) and the WHT user info that was hacked on 7/4 appears to be: "username, Possible plaintext password, hash, email, register_date, last_login, birthday, ipaddress, salt".
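An added example, not part of the thread or any poster's code: one way a site holding salted-MD5 rows like those described above could move to a slow hash without waiting for every user to log in again. It goes a step beyond the thread, which debates the storage scheme but not migration. `legacy_md5`, the record layout and the sample row are constructed stand-ins (the thread does not give the site's actual hashing formula), and the PBKDF2 work factor is an assumed setting.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor for this example


def legacy_md5(password: str, salt: str) -> str:
    # Constructed stand-in for a salted-MD5 forum scheme: one fast hash per guess.
    return hashlib.md5((password + salt).encode()).hexdigest()


def slow_hash(secret: str, salt: bytes) -> str:
    # Same input, but every guess now costs ITERATIONS HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()


def wrap_legacy(rec: dict) -> dict:
    # Dormant accounts: wrap the stored MD5 digest so no bare MD5 stays on disk.
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-md5", "md5_salt": rec["salt"],
            "salt": salt.hex(), "hash": slow_hash(rec["hash"], salt)}


def verify_and_upgrade(rec: dict, password: str) -> bool:
    # Expects a record that has already been through wrap_legacy().
    # On a successful login the password is re-hashed directly with PBKDF2.
    salt = bytes.fromhex(rec["salt"])
    if rec["scheme"] == "pbkdf2-md5":
        candidate = slow_hash(legacy_md5(password, rec["md5_salt"]), salt)
    else:
        candidate = slow_hash(password, salt)
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False
    if rec["scheme"] == "pbkdf2-md5":
        new_salt = os.urandom(16)
        rec.clear()
        rec.update(scheme="pbkdf2", salt=new_salt.hex(),
                   hash=slow_hash(password, new_salt))
    return True


# Constructed sample row, shaped like the leaked fields (hash, salt).
LEGACY_ROW = {"scheme": "md5", "salt": "x9Q",
              "hash": legacy_md5("correct horse", "x9Q")}

if __name__ == "__main__":
    row = wrap_legacy(LEGACY_ROW)
    print(row["scheme"], verify_and_upgrade(row, "correct horse"), row["scheme"])
```

The per-row salt is still stored beside the hash after migration; what changes is the cost of each guess, which is the point the posters above disagree on.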
-
07-10-2016, 12:12 AM #50 Total Nerd
- Join Date: Feb 2007
- Location: Florida
- Posts: 1,932
I agree 100% but I am guilty of this also. For some reason I didn't have an entry for WHT in my password manager and I found I was using an old password that I was using on another forum that wasn't in my password manager either. This thread is the only reason I even checked the password since I rarely ever have to login to it.
-Joe @ Secure Dragon LLC.