Catalyst Gaming
CG Central => News and Announcements => Topic started by: the.derp on January 15, 2012, 04:24:05 PM
-
The past couple of days have seen the forums with an issue. Someone broke into a few admin accounts and decided to ban every user and then break the forums. We have done what we can, but we need you to do something.
Change your passwords now. And make sure they are secure.
Good password guidelines:
http://www.microsoft.com/security/online-privacy/passwords-create.aspx
-
I suggest people tell their friends that use CG about this ASAP.
-
Whoever is doing this isn't too smart though.
Anyways, I already changed my password of course.
-
Very sad, there are so many haters in this world :'(.
-
Hopefully this won't happen again. I changed my password already as well. Any ideas on who it was?
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
Either it's:
a) Some douche who had access to privileged information.
b) -snipped so we don't give people ideas-
I doubt very much that it's b.
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
-
My assumption was a lot of RTLK's scripts for handling bans were completely insecure and required no authentication, only a steamID.
If he actually followed the new developer guidelines instead of assuming he's above them, as usual, that wouldn't be a problem. It's most likely that it was a type of SQL injection.
-
you should switch back to mysql 4, no one takes the time to find table names themselves
oh and why are people being asked to change their passwords? smf hashes/salts them?
-
It only uses the salt under specific circumstances. The hash for SMF is sha1(username+password) which should be nearly impossible to get just through hash tables.
And about mysql, we have no options coming to that and downgrading to an old version is an idiotic decision compared to just practicing better coding habits.
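An added example, not part of the thread and not SMF's own code: taking the scheme exactly as the post above states it, sha1(username+password), this sketch shows how a site can wrap such stored hashes in salted PBKDF2 without waiting for users to log in. The function names, the stored format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # assumed work factor; tune for your hardware
SCHEME = "pbkdf2-sha1wrap"    # hypothetical label for the stored format


def legacy_hash(username, password):
    """Scheme as stated in the post: sha1(username + password), hex-encoded."""
    return hashlib.sha1((username + password).encode("utf-8")).hexdigest()


def wrap_legacy(legacy_hex, salt=None):
    """Wrap an existing legacy hash in salted PBKDF2-HMAC-SHA256.

    Works on the stored value alone, so every row can be upgraded offline.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode("ascii"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(username, password, stored):
    """Check a login against either a wrapped or a not-yet-migrated row."""
    candidate = legacy_hash(username, password)
    if "$" not in stored:                      # legacy row
        return hmac.compare_digest(candidate, stored)
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("ascii"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_table(rows):
    """Upgrade every legacy row; already-wrapped rows are left untouched."""
    return {u: h if "$" in h else wrap_legacy(h) for u, h in rows.items()}


# Constructed sample data, not taken from any real database.
SAMPLE = {"alice": legacy_hash("alice", "correct horse battery staple")}
MIGRATED = migrate_table(SAMPLE)
```

After migration the table no longer holds any bare SHA-1 value, and each row carries its own random salt and work factor.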
-
meh, this is why i dont like smf, im sure if you know what you're doing its secure, but the fact the database info is (defaultly) stored as plaintext in the files is pretty eeghh
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter
what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter
what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.
If nothing was compromised, why are we being told to change our passwords?
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter
what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.
If nothing was compromised, why are we being told to change our passwords?
Using the SMF adminCP, assuming these admins had access to it, you can backup any sql table. And yes SMT, passwords are salted and hashed, but they can still be bruted.
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter
what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.
If nothing was compromised, why are we being told to change our passwords?
It never hurts to do it and a lot of people do have incredibly insecure passwords.
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
admins are full of shit, not only did we change the password multiple times since then but its IP locked so it wouldn't matter
what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.
If nothing was compromised, why are we being told to change our passwords?
Using the SMF adminCP, assuming these admins had access to it, you can backup any sql table. And yes SMT, passwords are salted and hashed, but they can still be bruted.
Admins did not have access to it.
-
Mind explaining what you mean by "broke in"?
I enjoy the specifics of things, and I think I ought to know what may/may not bring me issues
from what i heard no one changed the DB password since it was leaked 8 months ago, unless some of your admins are making up bull shit on the spot
what really happened was a certain group of kiddies got a hold of two admins passwords which happened to be incredibly insecure and decided to ban all
Nothing on CGs side was compromised.
My assumption was a lot of RTLK's scripts for handling bans were completely insecure and required no authentication, only a steamID.
If he actually followed the new developer guidelines instead of assuming he's above them, as usual, that wouldn't be a problem. It's most likely that it was a type of SQL injection.
Which one makes more sense? How could 2 admins out of the entire staff be the ones targeted? Blt is not an idiot to have an easy password. Acorn is also not that dumb. The question is how they got a hold of them. Someone77 made sense out of it but no one wants to make a confession.
-
My assumption was a lot of RTLK's scripts for handling bans were completely insecure and required no authentication, only a steamID.
If he actually followed the new developer guidelines instead of assuming he's above them, as usual, that wouldn't be a problem. It's most likely that it was a type of SQL injection.
Which one makes more sense? How could 2 admins out of the entire staff be the ones targeted? Blt is not an idiot to have an easy password. Acorn is also not that dumb. The question is how they got a hold of them. Someone77 made sense out of it but no one wants to make a confession.
This was posted after the announcement was made, no response.
(http://speedcap.net/img/014bd4aa1f41e49fa619df751299e747/6edb6a1e.png)
-
And yes SMT, passwords are salted and hashed, but they can still be bruted.
assuming people's passwords here are usually 6+ characters and have numbers whatever, no one is going to waste a machine capable of bruting these hashes quicker than a year or two on cg (no offence xdia)
and ty for clearing things up rofl
-
What happened is admins had insecure passwords (easy passwords and passwords that had not been changed in months) that got accessed by the wrong people and were then used to ban every user as well as break an SMF script and cause an error log to generate that caused the site to lag and become inaccessible. It had nothing to do with any system or anything. All possible things that could cause issues have been disabled for all but waffle and myself for the time being. The error log has been fixed, and by changing passwords it will prevent accounts from being accessed. Full access should be restored for admins by tomorrow unless another account is suspected of being accessed.
Both admins were demoted to prevent access, and (per waffle) Blt will be getting his back once the system is secure again. Acorn will stay demoted due to inactivity.