NMA was hacked

Discussion in 'NMA News and Information' started by Odin, Sep 27, 2011.

  1. Odin

    Odin Carbon Dated and Proud
    Admin

    Apr 2, 2003
    Meh, like I've said. I don't mind that people hack sites, it's more of a sport for them. But he could have contacted me or some other admin and warned us instead, it's not like he won any fame points by doing this.
     
  2. Brother None

    Brother None This ghoul has seen it all
    Staff Member Admin Orderite

    Apr 3, 2003
    He could go back and brag to his fellow hackers. I imagine it'd be the mental equivalent of trying to brag to gangsters about stealing an old lady's purse.
     
  3. Korin

    Korin So Old I'm Losing Radiation Signs
    Admin

    Aug 6, 2010
    Sure, I've done a fair amount with phpbb2 in the past so it's not too foreign. Happy to do whatever I can.
     
  4. Corith

    Corith Still Mildly Glowing

    292
    Apr 28, 2004
    Here is some quick fix help.

    In your php.ini file, add
    auto_prepend_file = filepath/scrubber.php

    with filepath being actual physical location of a new file, scrubber.php
    something like
    C:/myphpfolder/someotherfolder/scrubber.php

    In this new file (use Notepad to create and edit it), insert the following code between the PHP start and stop tags:


    Code:
    
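    // Run the scrubber over every GET parameter before the page's own code sees it.
    array_walk($_GET, 'RemoveSQLInc');

    // Strips a fixed list of SQL keywords and punctuation from one value, in place.
    function RemoveSQLInc(&$value, $key)
    {
        $search = array("/delete /i", "/update /i", "/union /i", "/insert /i", "/drop /i", "/#/i", "/'/i", "/=/i", "/--/i");
        $replace = '';
        $value = preg_replace($search, $replace, $value);
    }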
    
    
    and restart your apache.
    This will remove any nasty commands from GET variables.
    It isn't a sure fire cure, but it is a band-aid.
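
An added example, not part of Corith's post or of NMA's code: it runs the posted scrubber over constructed request values to show what a keyword blacklist does to ordinary input, then does the same lookups with PDO bound parameters and integer validation. The in-memory SQLite table, its columns, the `lookupById` helper and all sample values are assumptions made for the illustration.

```php
<?php
// Added example; table, columns, helper name and inputs are constructed.

// The scrubber from the post, same behaviour.
function RemoveSQLInc(&$value, $key)
{
    $search = array("/delete /i", "/update /i", "/union /i", "/insert /i",
                    "/drop /i", "/#/i", "/'/i", "/=/i", "/--/i");
    $value = preg_replace($search, '', $value);
}

// Constructed request values: two ordinary strings and one id that is not a number.
$get = array('name' => "O'Brien", 'q' => "C# update notes", 'id' => "0 OR 1");
$scrubbed = $get;
array_walk($scrubbed, 'RemoveSQLInc');
// Compare with $get: ordinary text is rewritten, the non-numeric id is not touched.
var_dump($scrubbed);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('Corith')");

// Bound parameter: the value travels as data, never as SQL text, so the
// apostrophe does not have to be stripped and the stored name still matches.
$byName = $db->prepare("SELECT id, name FROM users WHERE name = :name");
$byName->execute(array(':name' => $get['name']));
var_dump($byName->fetchAll(PDO::FETCH_ASSOC));

// Where a type is expected, validate the type and reject, then bind anyway.
function lookupById(PDO $db, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;   // not an integer: refuse instead of trying to clean it
    }
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The unscrubbed request value fails validation; a well-formed id is looked up.
var_dump(lookupById($db, $get['id']));
var_dump(lookupById($db, "2"));
```

The scrubber in the post only walks `$_GET`; bound parameters apply to a value whatever request field it arrived in.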
     
  5. Sam Ecorners

    Sam Ecorners Vault Senior Citizen
    Orderite

    Jan 23, 2007
    Thankfully this is the same password that I used on gawker when it got hacked, so it's already been released.

    Unfortunately I know very little PHP and I also don't like it with all of its dollar signs. However, maybe for good sport I will try to clone this site in Rails 3 as my side learning project. It seems like a nice, expansive project and just perhaps it could be eventually useful.
     
  6. rabidpulse

    rabidpulse First time out of the vault

    11
    May 9, 2006
    I recently read this on XKCD and it got me rethinking how I should make my passwords now.

    http://www.xkcd.com/936/

    Still I hate f'ing hackers.
     
  7. dev

    dev Still Mildly Glowing

    231
    Sep 25, 2004
    I bet he looks like that:

     
  8. shihonage

    shihonage Made in USSR

    May 8, 2007
    He truly sounds like a person of integrity and control and I completely trust him not to sell the private information he stole.

    Oh wait.
     
  9. RRBM

    RRBM First time out of the vault

    46
    Jul 28, 2011
    Won't somebody PLEASE think of the children!
     
  10. 4too

    4too Vault Senior Citizen

    Apr 30, 2003
    Arcane Back Up Thrills


    Was using a 2005 P-word generated by NMA.

    My hand scripting may have been accurate for each '05 change, but my penmanship for the exact date threw me into the tedious muzzle of trial and error.

    New 2011 P-word recognized. Mission Accomplished!

    Implies malicious intent and evidence of an act of theft. ;)

    NMA hostage data may be soon depicted on a milk carton near you!





    4too
     
  11. whirlingdervish

    whirlingdervish Brahmin Cavalry Commander

    Jul 3, 2007
    hope this faggy little thief was using a proxy, otherwise his ISP is getting a call regarding malicious use of their network to perpetrate a crime.
     
  12. Nark

    Nark Sonny, I Watched the Vault Bein' Built!

    Dec 6, 2008
    Re: Arcane Back Up Thrills

    Hey, I got that much. I meant why would he bother to try telling us he's a good guy in all of this and that he won't sell the data even though he stole it all anyway?
     
  13. Jebus

    Jebus Background Radiant
    Orderite

    Jan 29, 2004
    Such a missed opportunity... If only he had deleted Kharn's postcount! :puppy-dog:
     
  14. I_eat_supermutants

    I_eat_supermutants Vault Senior Citizen

    Feb 5, 2007
    Well password changing again. Boy this is swell and unneeded.
     
  15. Cimmerian Nights

    Cimmerian Nights So Old I'm Losing Radiation Signs

    Aug 20, 2004
    This never happens at Duck and Cover.
     
  16. iridium_ionizer

    iridium_ionizer Where'd That 6th Toe Come From?

    492
    Jul 24, 2007
    If a hacker really wants to be ethical, once they get into a system they just peek at the internal workings/security and then make a copy of some random config file that only an admin would have access to (for proof). Maybe add a brief message on the front page just so users know about it.

    If a hacker does anything that compromises or destroys data, etc. then they lose the right to consider their act as being beneficial to others. Now if you are hacking a site that is through and through evil, maybe there is an argument to be made for that.
     
  17. sea

    sea Vault Senior Citizen

    Oct 5, 2009
    Hey man, I saw that you didn't have a lock on your car's steering wheel, so I smashed your windshield and stole the iPhone I found inside. Glad I could help.
     
  18. sea

    sea Vault Senior Citizen

    Oct 5, 2009
    Also double-posts are fun.
     
  19. TheWesDude

    TheWesDude Sonny, I Watched the Vault Bein' Built!

    Feb 25, 2005
    It doesn't really matter what password you use.

    Brute forcing MD5 passwords is easy.

    Plus there are only 128^2 possible "values" for an MD5 password.

    Especially if there is no "automatic account lockout" after X failed attempts.

    And/or logging failed attempts.

    If the only "protection" you use is MD5 hashing of passwords, you don't have any security.
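
An added example, not part of TheWesDude's post or of the forum software: it contrasts bare MD5 storage with PHP's `password_hash()`, upgrading each record at the user's next successful login, and includes the failed-attempt logging and lockout the post mentions. The account names, passwords, in-memory user table and the `MAX_FAILURES` threshold are assumptions made for the illustration.

```php
<?php
// Added example; accounts, passwords and the in-memory user table are constructed.

const MAX_FAILURES = 5;   // assumed lockout threshold

// Legacy records: a bare, unsalted MD5 digest per user.
$users = array(
    'alice' => array('hash' => md5('correct horse'), 'scheme' => 'md5', 'failures' => 0),
    'bob'   => array('hash' => md5('correct horse'), 'scheme' => 'md5', 'failures' => 0),
);

function login(array &$users, $name, $password)
{
    if (!isset($users[$name]) || $users[$name]['failures'] >= MAX_FAILURES) {
        return false;   // unknown or locked account
    }
    $rec = &$users[$name];
    // Check against whichever scheme the record still uses; both compares are constant-time.
    $ok = ($rec['scheme'] === 'md5')
        ? hash_equals($rec['hash'], md5($password))
        : password_verify($password, $rec['hash']);
    if (!$ok) {
        $rec['failures']++;
        error_log("failed login for $name (attempt {$rec['failures']})");
        return false;
    }
    $rec['failures'] = 0;
    // The plaintext is only available here, so this is where a legacy digest
    // is replaced by a salted, deliberately slow hash.
    if ($rec['scheme'] === 'md5' || password_needs_rehash($rec['hash'], PASSWORD_DEFAULT)) {
        $rec['hash'] = password_hash($password, PASSWORD_DEFAULT);
        $rec['scheme'] = 'password_hash';
    }
    return true;
}

// Unsalted MD5: users who share a password share a stored value.
var_dump($users['alice']['hash'] === $users['bob']['hash']);

login($users, 'alice', 'correct horse');
login($users, 'bob', 'correct horse');

// After the upgrade every record carries its own random salt.
var_dump($users['alice']['hash'] === $users['bob']['hash']);
var_dump(login($users, 'alice', 'wrong guess'));
```

Lockout and logging only slow guessing through the login form; once the table itself has been copied, the per-user salt and the cost of the hash are what remain.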
     
  20. Wastewander

    Wastewander It Wandered In From the Wastes

    178
    Jul 6, 2011
    Well, luckily the only other account I use this password on has a different e-mail. Just changed my password and will most likely change the other one just to be on the safe side.