JonHind
September 11, 2011, 07:52:01 AM Last edit: September 11, 2011, 08:06:32 AM by JonHind
Any admin hosting a site which deals with discussions of a financial nature who couldn't even be bothered to upgrade along the 1.1.xx path (let alone switch to v.2) should hang their head in shame.
What are you talking about? This is the latest upgrade in the 1.1.xx path.
Sorry, I stand corrected. Weren't you running 1.1.13 until very recently? I still stand by the other points raised though.
I am not aware of any other vulnerabilities. If vulnerabilities exist, report them to me and I will take the forum down until they are fixed.
How to keep abreast of security vulnerabilities in SMF 1.1.14 - From there you should be able to click your way to discovering less known vulnerabilities. Also, a tip: check your plugins for holes. If you need any further help, I normally charge £200 an hour for IT consultancy, though I've never worked on any site which has ever used SMF. PM me if you are interested and I will forward you my wallet info.

wumpus
September 11, 2011, 07:52:16 AM
He is providing free hosting. He is not "taking over Bitcointalk". In that IRC excerpt I even say that Sirius will retain control of the DNS.
Please please please tell him to not host this forum on any server even close to a server for the trading site. I'd hate to see it used as an attack vector.
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.

TiagoTiago
September 11, 2011, 07:55:58 AM
Where can I find more information on what exactly is in the way of upgrading to 2.something?
(I dont always get new reply notifications, pls send a pm when you think it has happened) Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

theymos (OP)
Administrator
Legendary
Offline
Activity: 5418
Merit: 13499
September 11, 2011, 08:12:44 AM Merited by PowerGlove (1)
Where can I find more information on what exactly is in the way of upgrading to 2.something?
I need updated versions of these mods (some of them might already exist or be covered by the new core):
- Custom Profile Field Mod
- Edit_Display_Name_Permission
- Ignore Boards
- Prevent Adding Signature Images And Links
- Ignore user
There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs
I'd also like to use the same theme we have now. I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

pekv2
September 11, 2011, 08:13:25 AM
Valid question.
theymos, did they have access to our IPs connected to our user accounts by any chance?

knightmb
September 11, 2011, 08:33:34 AM
Valid question.
theymos, did they have access to our IPs connected to our user accounts by any chance?
As admin, they would have access to all, including that.
Timekoin - The World's Most Energy Efficient Encrypted Digital Currency

pekv2
September 11, 2011, 08:39:54 AM
Valid question.
theymos, did they have access to our IPs connected to our user accounts by any chance?
As admin, they would have access to all, including that.
Oh my. Well, for the hell of it, I've taken the listed IPs in the OP, did a whois, got the IP ranges and popped them in the blockzones of my firewall.

kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 08:46:24 AM
You did say that he paid, right?
Are you able to trace his payment back to an account on some of the exchanges?
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell

mizerydearia
September 11, 2011, 08:49:14 AM
I cannot recall where I read it, but I think theymos (was it someone else?) mentioned that only a few bitcoin community members were contacted by email regarding volunteers for hosting the forum. Is it possible to shed some light on the people that were contacted so the community knows who were the only people that had opportunity to volunteer to host the forum?

theymos (OP)
Administrator
Legendary
Offline
Activity: 5418
Merit: 13499
September 11, 2011, 09:01:10 AM
You did say that he paid, right?
Are you able to trace his payment back to an account on some of the exchanges?
He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

im3w1l
September 11, 2011, 09:05:28 AM
you can go hunter2 my hunter2-ing hunter2!

Are-you-a-wizard?
Member
Offline
Activity: 98
Merit: 10
September 11, 2011, 09:06:24 AM
I'm done with this bullshit. Every month my password is leaked by fail bitcoin sites and their shit security.
Yes, I use different passwords for each site. I don't give a flying fuck.
This is unacceptable, bye

kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 09:10:13 AM
You did say that he paid, right?
Are you able to trace his payment back to an account on some of the exchanges?
He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.
Then can you have some of the exchanges check who cashed out to that address, or trace it back to when the coins last came in contact with an exchange? Make a list of involved addresses, and then check them. You could get an account/address (real world) of the attacker.

makomk
September 11, 2011, 09:54:38 AM
Ah, so you can't actually point to any then? I even Googled for this specific vulnerability when I noticed theymos's post about it - nada. (It looks like SMF 2.0 probably doesn't have this vulnerability due to a much-needed restructuring of how they handle the database, but I'm not sure I'd trust it to be secure; whoever rewrote SMF should've spotted there was something fishy about the existing code if they were security-conscious.)
Quad XC6SLX150 Board: 860 MHash/s or so. SIGS ABOUT BUTTERFLY LABS ARE PAID ADS

haploid23
Legendary
Offline
Activity: 812
Merit: 1002
September 11, 2011, 09:54:49 AM
My password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. What are the chances it gets broken into after it's hashed?

ovidiusoft
September 11, 2011, 10:08:52 AM
My password has 11 characters total: 1 symbol, 8 letters, and 2 numbers. What are the chances it gets broken into after it's hashed?
After hashing, very little. But:
The attacker was capable of running arbitrary PHP code, and he could have therefore copied all password hashes and read all personal messages. He also could have done all of the things that admins can normally do, such as editing/deleting/moving posts. You should assume that if you entered your password while logging in after Sept 3rd, it was intercepted while still in plaintext. Change it.

EskimoBob
Legendary
Offline
Activity: 910
Merit: 1000
Quality Printing Services by Federal Reserve Bank
September 11, 2011, 10:15:18 AM
DO NOT USE WEBSITES TO GENERATE YOUR PASSWORDS. There is a good chance that your new and shiny password is stored for later attacks!
Create 4 random passwords which contain no special characters and are 10 characters long:
    cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 4
Create 4 random passwords which DO contain special characters and are 12 characters long (the '-' is placed last in the tr set so it is taken literally rather than as a range, and the grep runs before head so you still get 4 results):
    cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9_!@#$%^&*()+{}|:<>?=-' | fold -w 12 | grep '[!@#$%^&*()_+{}|:<>?=-]' | head -n 4
While reading what I wrote, use the most friendliest and relaxing voice in your head. BTW, Things in BTC bubble universes are getting ugly....

fadisaaida
Member
Offline
Activity: 105
Merit: 10
September 11, 2011, 10:18:25 AM
The vulnerabilities in 1.1.14 have been known for a LONG time. You can hardly call what SA did a 0-day exploit. While 1.1.14 might still be 'supported', it is full of security holes. The admins of this site have been aware of these vulnerabilities for a while, as quite a few people (myself included) have pointed out the dangers of using 1.1.14.
Seriously, I spent 5 minutes trying to see where you pointed it out before. Am I blind?
Lisk. Develop Decentralized Applications & Sidechains in JavaScript with Lisk! Website | Blog | BTT Thread | Chat - Be part of the decentralized application movement!

deepceleron
Legendary
Offline
Activity: 1512
Merit: 1036
September 11, 2011, 10:20:19 AM Last edit: September 11, 2011, 10:39:47 AM by deepceleron
He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.
That address was funded with exactly 10BTC with this transaction on 9-3. We see that the wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC. That kinda looks like an exchange savings account too, so they could have gone into an exchange. I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and whether any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.

kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 10:35:35 AM
He paid to 1JadERuRgxMgrNcpCPmG35wbYkb7d6jZkw.
That address was funded with exactly 10BTC with this transaction on 9-3. We see that the wallet that funded the 10BTC sent a remainder back to itself at address 1GzKzdZ7KxXboxz6ehJFqJ9vv6EFdvuBYm. Those remainder coins get sent around for a while with wallet-aggregating payments, and then they are sent to a new address with all the other little coins on 9-4 to 1FLipaPNU3FHWJz6NFetzTN6xBsjvRXKhS. Current balance? 4500BTC. I followed a few of the coins into the sending wallet all the way back to them being mined and sent from a pool account (if the haxor was the one who mined them, the pool address owner could reveal the account), and googled some of the addresses, and they haven't been posted prominently as 'donation' addresses or such. A more extensive dump than my manual exploring could get a picture of all the addresses in the wallet and what else they've been doing, and whether any of the addresses have leaked out on the internet to be matched to an identity, or have coins that have gone through an exchange.
I think that it's most likely that the coins came directly from an exchange. I don't know why, but the account balances are odd, and the timing between the transactions is fast (indicating some kind of online wallet, at least in my mind).