NMA was hacked

generalissimofurioso said:
Well, all he got was a password that I don't use for anything anymore.

Oooooh, enjoy attempting to pretend to be me on here.

That's all he could do with it.
 
If a hacker really wants to be ethical, once they get into a system they just peek at the internal workings/security and then make a copy of some random config file that only an admin would have access to (for proof). Maybe add a brief message on the front page just so users know about it.

If a hacker does anything that compromises or destroys data, etc. then they lose the right to consider their act as being beneficial to others. Now if you are hacking a site that is through and through evil, maybe there is an argument to be made for that.
 
In addition to:

Corith said:
Code:
array_walk($_GET, 'RemoveSQLInc');   // run the filter over every GET parameter in place

// Strips a short blacklist of SQL keywords and characters from one value.
// array_walk passes the value by reference, so the edit happens in place.
function RemoveSQLInc(&$value, $key)
{
    $search  = array("/delete /i", "/update /i", "/union /i", "/insert /i",
                     "/drop /i", "/#/i", "/'/i", "/=/i", "/--/i");
    $replace = '';
    $value   = preg_replace($search, $replace, $value);
}
you can use the mysql_real_escape_string() function before using a variable in an SQL statement. A nice & easy tutorial can be found here
 
Boomi said:
In addition to:
you can use the mysql_real_escape_string() function before using a variable in an SQL statement. A nice & easy tutorial can be found here

Mysql_real_escape_string() has to be applied to the MySQL statement, and Odin fessed up about not being all that savvy of a programmer, so I was thinking of a global band-aid. By itself, it offers insufficient protection for a true SQL injection attack. It also does not escape % and _ wildcards in MySQL.

phpBB out of the box is very vulnerable to injection attacks. Even on its form posting it offers little in the way of protection.
 
Todd Howard hacked NMA? That's just... just...

 
Hey I just beat the shit out of your car with a sledgehammer. Because... you know... I've got a sledgehammer and you had a car. I just wanted to be helpful and show you it could be done.
 
Oh and I also made a backup of your car before smashing it and I don't know why exactly I'm telling you that but it sounds cool I guess.
 
lol, OMG, I don't think anyone would believe me when I say what email I used to register at this place. Damn, have I really been here that long? Ok, netscape, let's see if I remember your password...

Looks like my old acc was either deleted or suspended, interesting, but it still let me enter using the old address. Everything else was deleted.

Word to the wise, only gmail and yahoo don't seem to delete acc after long periods of inactive use. Hm.., lost some old exes' contacts, oh well.
 
Corith said:
Mysql_real_escape_string() has to be applied to the MySQL statement, and Odin fessed up about not being all that savvy of a programmer, so I was thinking of a global band-aid. By itself, it offers insufficient protection for a true SQL injection attack. It also does not escape % and _ wildcards in MySQL.

phpBB out of the box is very vulnerable to injection attacks. Even on its form posting it offers little in the way of protection.

I'm not familiar with phpBB to be honest, but your code in combination with the mysql_real_escape_string would take care of most of the injections.
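Added example, not code from the thread: it runs Corith's blacklist over ordinary input to show it corrupting legitimate data, then the prepared-statement form that makes a blacklist unnecessary, plus the separate escaping a LIKE search needs for the % and _ wildcards Corith mentions. It assumes PDO with an in-memory SQLite database so it runs offline (for MySQL only the DSN changes); the rows and inputs are constructed.

```php
<?php
// Added example, not from the thread. Assumes PDO with in-memory SQLite so it
// runs offline; for MySQL only the DSN changes. Rows and inputs are constructed.

// Corith's blacklist, unchanged, applied to one value.
function filtered(string $value): string
{
    $search = array("/delete /i", "/update /i", "/union /i", "/insert /i",
                    "/drop /i", "/#/i", "/'/i", "/=/i", "/--/i");
    return preg_replace($search, '', $value);
}

// Legitimate data is silently corrupted before it ever reaches SQL:
// the apostrophe is removed from the first, the word "update " from the second.
var_dump(filtered("o'brien"), filtered("update my profile"));

// Prepared statements keep data and SQL apart, so no blacklist is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
foreach (["o'brien", 'up_date', 'updater'] as $n) {
    $ins->execute([$n]);
}

function byName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);   // the bound value is never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Binding, like mysql_real_escape_string(), leaves % and _ alone. For a
// prefix search they must be escaped and the escape character declared,
// otherwise 'up_' also matches 'updater'.
function byPrefix(PDO $pdo, string $prefix): array
{
    $safe = strtr($prefix, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '!'");
    $stmt->execute([$safe . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(byName($pdo, "o'brien"));   // the apostrophe is stored and matched intact
var_dump(byPrefix($pdo, 'up_'));     // matches up_date but not updater
```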
 
Cheers for the tips guys, that specific code that was used to hack his way in was done ages ago and with the help from my host at the time.

We were in the process of planning to upgrade the site these last few weeks, so most of the code here will be gone after the upgrade.
 
I just hope the forum will at least partly remain its current look. :>

Oh and please no website width, like 900px or something. It's always easier to read a forum, if it's using 100% of the screen.
 