Forum Feedback Indian Forums: Not secure?

Status
Not open for further replies.

crashnburn

Inactive
Contributor
One of the Indian Tech Forums: Not secure?

I've been on too many forums for years & years but never had a breach on my account. "Maybe" there was some mistake on my part, and maybe working late one night I clicked on the wrong link and gave away a password.

But it's quite possible that one of the Indian forums I've recently logged into has security holes or someone has privileged access to edit my posts and put whatever they want.

Most likely, one of the people I had online arguments with. It's funny someone would go so far. Hope they got their ego boost, kicks and a nice laugh out of it.

I bear no ill-will towards them or anyone. The stuff here is not so important in my life for me to look at someone as a villain over some online argument.

Good luck and I hope they find their bliss. I will come here sparingly, as and when needed but mostly I will stay away from their "Playgrounds" where someone is not welcome.

God Bless.
 
1. Your account was breached/ you gave away a password/ someone hacked your account/ someone had links with mods n admins and edited your posts - and hence "Indian forums" are not secure. Nice way to arrive at a conclusion.

2. If this is about your account here (which I'm sure it is), all you had to do was report to the mods or admins about a breach in your account, and get the needful done, rather than making baseless allegations/accusations.

3. If this is not about TE, let me know so I can shift this thread to General Talk.

Regards.
 
Powered by vBulletin® Version 4.1.12

http://www.techenclave.com/events-meets/career-life-guidance-meetup-mumbai-132673/

(was hacked..)

Hack vbulletin forums in 5 minutes - YouTube
Not sure if this was the hack method used. Anyway, in 20 years of using computers it's probably the first time my account got compromised.

1. Not making conclusions. Just making you aware. You can investigate. Why do all you guys get so "upset" as soon as something is pointed out? Check it.. if it's not then fine. Just investigate. I am sure that I did not give it away through phishing..
But a rare possibility of that does exist. It's called being human.

2. What baseless accusation? I am not sure where & how he got it.. whether through TE & Erodov. So I posted the same at both places.

3. It's not general talk. It's a guy who has already done it out of spite over a stupid online argument. It's not a big deal for me and I hope he got his kicks out of it. But, it COULD MEAN your FORUM is open & vulnerable.

Update (from what I can see):
Did it again on TE & Erodov after I changed the password. One or both of the forums are not secure. And I can't log in to Erodov now.

As I said.. no accusations.. relax.. breathe.. and just investigate.. I am not sure whether its from TE or Erodov that he got the password.
 
You can change the thread name to: One of the Indian Tech Forums: Not secure?

PS: Any thoughts on how he hacked in? I looked through all my history & email; I doubt if I clicked something that was phishing away my password. Is that vBulletin vulnerability / exploit valid?

My password on Ero was changed again and I can't access it again. Let's see what/ how he's doing this.
 
Issue has been brought to the notice of the admins. They will look into the matter. You could probably PM either Safin or Apex with more details if you have any.
 
One more question: In your configuration of this BB, Are the member passwords stored as one way Hashes or as the passwords themselves?

Because, what was funny was he actually got THE password and he even posted it with a HINT.. Hey this is the password (not exact password but indicator). To me its a prank.

Question is.. how did he get the password? Some kind of exploit / buffer overflow or SQL injection? If they were stored as one way hashes he wouldn't have been able to compute & get the password.. even if he got the hashes. Unless of course the passwords are not stored as hashes.
 
@ crashnburn - Hacking a vBulletin forum isn't possible; if there are any vulnerabilities, the VB team fixes them ASAP and also sends emails to script holders to update to the latest patch.

First of all, check that your PC is not infected with any virus/spyware/unwanted toolbars in the browser. Mostly accounts get hacked if they get access to your personal email account: he can reset the password, get the new password sent to the email account, and later delete the email before you open it again. If you are using Gmail you can track from which IP you have logged in; if the IP doesn't match, it means a hacker is in HOME.

I have been running and managing forums for 3+ years. I have faced similar experiences, and most of the time it happens because the email account gets hacked. There are a few other reasons too.
- Using unsecured/nulled/cracked warez softwares.
- Using easy password like name.
- Using same password for all sites
- Unsecure PC not using any antivirus/spyware
- sharing personal email id/information on net like FB :p

@ Admin/Mod: change the thread title; there is no relation between other Indian forums and crashnburn's hacking problem.

PS: Any thoughts on how he hacked in? I looked through all my history & email; I doubt if I clicked something that was phishing away my password. Is that vBulletin vulnerability / exploit valid?

Nope

EDITED: The YouTube link shows how to get Admin access through a vulnerability attack; there is no way hackers can steal your password using that method. Even if you google for "how to hack vbulletin 4 members account" there isn't any search result; whatever videos/tutorials are available are for 3.x versions. Nowadays hackers do SQL injection to steal the forum database and email IDs :p and there is no way TE can be hacked (also ED); they are using the latest secured patch version :)
 
I checked my machine, all my emails in and out and I see no sign of phishing or backdoor.

From what he posted it's one of the guys we had an argument with. No big deal about that. He mentioned it's been posted up there on pastebin.

Now, that is a matter of concern. So as I looked it up, a whole bunch of user/ pw lists have been uploaded online by real hackers. I am wondering if he used one of those? A bunch of them have been taken down so I couldn't find one with my info on there.

I don't care about him hacking this account for a PRANK. I'd appreciate it if the person would let me know exactly how he got the info. I am genuinely curious.

One key question to ask you forum admins:

Are the passwords for this forum stored as One-way Hashes or not?
Are they stored as plain text or encrypted?
 
^ Yes, the passwords are stored as one way hashes. Storing as plain-text is not an option, and the Admins will not risk it. There have been no known XSS or phishing attempts on our site recently either. I'm not aware of any other possible ways to get the exact password.

If you are sharing the same password across different sites, could you please check on the other sites as well? Although the prank was carried out here, it could be a security hole elsewhere.
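
An added illustration of the two points raised in this exchange (not part of the thread, and not code from the forum or from vBulletin): a salted one-way hash keeps the stored database from revealing passwords, yet a password reused from another breached site still logs in, so the only place a site can catch it is at login, when the plaintext is briefly available. The function names, the work factor, the user names and the breached-password sample are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor; tune for your hardware

# Constructed sample standing in for passwords seen in public credential dumps.
BREACHED_PASSWORDS = {"forum1234", "letmein", "qwerty2012"}


def hash_password(password: str) -> dict:
    """Return the record a site stores: random per-user salt plus slow hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def login(users: dict, name: str, password: str) -> str:
    """Return 'denied', 'ok' or 'reset_required' for a login attempt."""
    record = users.get(name)
    if record is None or not verify_password(password, record):
        return "denied"
    # The hash cannot tell us the password was reused elsewhere; the submitted
    # plaintext can, so a correct-but-leaked password forces a reset.
    if password in BREACHED_PASSWORDS:
        return "reset_required"
    return "ok"


def build_demo_users() -> dict:
    """Hypothetical accounts; two of them reuse the same leaked password."""
    return {
        "alice": hash_password("forum1234"),
        "bob": hash_password("forum1234"),
        "carol": hash_password("c0rrect-horse-battery-staple"),
    }


if __name__ == "__main__":
    users = build_demo_users()
    # Same password, different salts: the stored digests do not match.
    print(users["alice"]["digest"] != users["bob"]["digest"])
    print(login(users, "alice", "forum1234"))
    print(login(users, "carol", "c0rrect-horse-battery-staple"))
```
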
 
Hi Crazy Eddy - Thanks for responding. I appreciate that at least you're discussing this courteously and maturely. So, if you guys hash it and I hope ERO guys do that too.

I don't think he phished it off this site. But more than likely it's a member from this site; he quoted & posted the things I had mentioned about my history with computing/ tech in an argument on the board. Someone who got pissed with the arguments we had - stupid online arguments.

I also checked all my emails, history, my ports & firewalls. I doubt if I phished it away.

I'd be curious to know if he was tactful here to get it directly from me / my mistake - little unlikely.
If he has, then I say, hats off.. I've been very careful on this front but he got one on me.

He said it was posted on pastebin. He hinted towards the actual password but was decent enough not to post it. I appreciate that.

Of course, it's been irritating to reset the passwords and change them through forums but as a prank I'd hoped he'd limit the damage. I just haven't had time to go through all forums and do that.

HOW HE HINTED AT GETTING IT?
I am guessing some hackers posted a bunch of accounts they hacked online (maybe some bad/insecure forums) and posted those accounts on PASTEBIN.
I am guessing he got it from. This is what he was hinting.

SECURITY CONVENIENCE/ MISTAKE:
I use several passwords and different sets for forums and different for important stuff / financial etc. My mistake is using a few common ones for forums. That gives him the room to access several forums on my account.

It seems he already has done some pranks using that.

PS: Can you please remove the phone number from the SALE thread I posted? It's closed and I can't edit it.
 
Since the password doesn't seem to have been leaked here, there's not much we can do other than advise you to change your passwords here and elsewhere. The Admins are prompt with patching security holes, and they haven't reported anything. If you're aware of who's involved, you can let us know on PM and we'll keep an eye on him/her and decide what to do.

PS: Can you please remove the phone number from the SALE thread I posted? It's closed and I can't edit it.
Removed the phone number from this post. For any other sensitive data or vandalised posts, you can use the report button for that post and I or one of the other mods will tend to it :)
 