Court case against my hackers.

Status
Not open for further replies.
Good to hear the bad guys are going to get what they deserve. Hopefully this is a lesson for you and your other admin as well... use strong passwords. ;)
 
WoodiE said:
Good to hear the bad guys are going to get what they deserve. Hopefully this is a lesson for you and your other admin as well... use strong passwords. ;)
Click to expand...

Actually the lesson was to stop using sh*t forum software ;)
 
MGSteve said:
Well done to Slavik, although its only the start, the real problem now is getting them to pay....
Click to expand...

XF already has paid subscriptions feature built into it...



Slavik said:
Actually the lesson was to stop using sh*t forum software ;)
Click to expand...


Really? How did you come to that conclusion?

In your initial thread you stated this:
Slavik said:
One of the other admins for p8ntballer had his password stolen...
Click to expand...

What does it matter what software you're using so long as your staff is using strong passwords?

Just for giggles, what software was you using at the time of this "hack"?
 
WoodiE said:
Really? How did you come to that conclusion?

What does it matter what software you're using so long as your staff is using strong passwords?
Click to expand...

You obviously haven't much experience with hash cracking and the resources available. An 11 character MD5 password with 3 upper case, 4 lowercase, 2 numbers and 2 special characters can be bruteforce cracked in as little as 6 hours nowdays.

It was vbulletin we were on.
 
Slavik said:
You obviously haven't much experience with hash cracking and the resources available. An 11 character MD5 password with 3 upper case, 4 lowercase, 2 numbers and 2 special characters can be bruteforce cracked in as little as 6 hours nowdays.

It was vbulletin we were on.
Click to expand...

Plus salts are adding only an hour or so these days too.
 
MGSteve said:
Well done to Slavik, although its only the start, the real problem now is getting them to pay....
Click to expand...

Exactly, if they claim they don't work and can only afford pittance each week to pay any fines imposed. You'll be looking at it spread over years in very small repayments. There's not a lot you can do about that either to get your money back any faster, that's why it's not even worth taking them to court sometimes. You can't make somebody pay it faster if they don't have it, and a court will take their money situation into account.

Feel the same, you may have won the court case. But now comes the hard part getting your money from them.
 
Slavik said:
You obviously haven't much experience with hash cracking and the resources available. An 11 character MD5 password with 3 upper case, 4 lowercase, 2 numbers and 2 special characters can be bruteforce cracked in as little as 6 hours nowdays.

It was vbulletin we were on.
Click to expand...
That is a huge number.

How can the server handle that many login attempts?
Doesn't vbulletin have some protection against repeated login attempts?
 
Pretty sure it does, so many failed logins and you have to wait a set time period. If your talking about the Admin CP, you could even use a second htaccess password protection before they get to the main vB Admin login page. I did it when running vBulletin, 2 logins needed to get into Admin CP settings.
 
mrGTB said:
Pretty sure it does, so many failed logins and you have to wait a set time period. If your talking about the Admin CP, you could even use a second htaccess password protection before they get to the main vB Admin login page. I did it when running vBulletin, 2 logins needed to get into Admin CP settings.
Click to expand...
whynot said:
That is a huge number.

How can the server handle that many login attempts?
Doesn't vbulletin have some protection against repeated login attempts?
Click to expand...

The exploit in vbulletin basically allowed them to extact the password hashes and salts from the database. They then run that hash through a bruteforce program on a streaming proccessor to crack.
 
I know, if you search Google on vBulletin and HASH cracking, it's plastered all over the web about it with kiddie scripters. You can even find guides would you believe posted on YouTube how to hack vBulletin boards. Crazy!

When I ran vBulletin 3.7 recently, someone managed to reset the Admin Password 2 times and lock me out the forum. Lucky I made daily backups and was able to just do a database restore. I think it had something to do with "social groups" how they did it, read about that hacking before if Admin runs one himself. Anyway, after I changed who could view social groups (no longer allowing guests), but only the very highest member groups with 2000 posts or more. It stopped after that.

But that was in a space of running vBulletin for around a month only.
 
mrGTB said:
Exactly, if they claim they don't work and can only afford pittance each week to pay any fines imposed. You'll be looking at it spread over years in very small repayments. There's not a lot you can do about that either to get your money back any faster, that's why it's not even worth taking them to court sometimes. You can't make somebody pay it faster if they don't have it, and a court will take their money situation into account.

Feel the same, you may have won the court case. But now comes the hard part getting your money from them.
Click to expand...

I sincerely get the feeling this was never about the money.
 
No, I agree with you totally. Just saying when it does come later to getting some compensation. It can be a hard thing, not quite what you may have first thought. Most of these hackers are probably not working spending all day on the web taking sites down, or what ever else they get up too? They claim social benefits and are in no situation to cough up money fast to any claimant putting them through the courts.

Just being realistic, no court judge is going to order an unemployed person (if in fact they are), to pay something they cannot afford. At the very least the judge will reduce the fine down and allow them to spread it over a realistic period of time to pay back. I have no idea if they are or not working, only saying I hope they are when it comes to getting compensation.
 
Can't believe they were/are stupid enough to keep defacing other websites, I can only hope those websites join any criminal action against them

Congrats on winning the first round :)
 
Slavik said:
You obviously haven't much experience with hash cracking and the resources available. An 11 character MD5 password with 3 upper case, 4 lowercase, 2 numbers and 2 special characters can be bruteforce cracked in as little as 6 hours nowdays.

It was vbulletin we were on.
Click to expand...

No I'm sorry I'm not a hacking expert. Though I'm guessing by your comical reply that YOU are? haha

I'll leave this thread alone as I think I see where it's going now, especially being on a XF forum. Though I will say, it's much much easier to blame the "other guy" then to blame ourselves. It's the "other guys" fault for you not having secure passwords, for not securing your website, keeping your server hardened and uptodate.

The fact is there are thousands if not hundred of thousands of sites that use MD5 hashing in their logins. If this was so incredibly easy than they all would be hacked - but the fact is they aren't. The "script kiddies" have to get your hash somehow or another. The fact they got it, if that's how they even did it in the first place, shows the lack of security.

Anyways - glad to hear justice prevailed. Have a good day!
 
Status
Not open for further replies.
Back
Top Bottom