Regarding the MITB hack

I was checking some logs over at villavu.com today and found that someone did a similar hack on villavu.com forums. (E: Including, most likely - a database dump)

While the hackers used Tor in most cases, Nielsie95 and I managed to find a few IPs that are definitely from the hack, but aren’t using Tor.

Facts:

[ul][li]After the initial hack, the account “super_” was given lots of access, and a reputation power of 13k+.[/li]
[li]One of the IPs used in the AdminCP matches super_’s IRC logins. ( https://encrypted.google.com/search?q=pool-173-65-194-148.tampfl.fios.verizon.net )[/li]
[li]One of my fellow admins’ password was somehow retrieved, used to access the admincp. Apparently the HTTP auth (extra auth) was also compromised, perhaps the password of the admin was the same - this seems like the only possibility. After that, he changed the password of an admin with access to vBulletin plugins (the account was unfortunately mutable) (the ones where you can edit PHP code of plugins… directly in the admincp). After that a simple shell script was edited into the plugin.[/li][/ul]

E: This all took place 3 and 4 September.

itt: no one cares

why would no one care? the culprit needs to be found and banned.

The chance of this being super_ is pretty minimal though. He does know a ton of skids (which he frequently bashes on IRC), but I doubt he has any interest in fucking mitb over, if anything he’s the only one trying to get this website “back on track” by creating discussions.

what happened to super_?

I can’t think of a reason for him to mess with SRL either, but it happened. And the same happened earlier to MITB. I’m trying not to draw any conclusion, merely posting what I found out with my staff. The IP match is strong evidence though, unless these skiddies use his IRC nickname and his IP?

actually most of us do care…

But like Speljohan said Wizzup, I highly doubt that super would have any animosity towards either this website or your website. I would look into the user T__X (remove one underscore, the name is censored) though, as we’re pretty positive that he is the culprit over here. I’m also pretty sure that he has somewhat of a history with super_

[quote=“Newty, post:7, topic:414033”][quote author=Stork link=topic=515997.msg3743601#msg3743601 date=1315582916]
itt: no one cares
[/quote]

actually most of us do care…

But like Speljohan said Wizzup, I highly doubt that super would have any animosity towards either this website or your website. I would look into the user T__X (remove one underscore, the name is censored) though, as we’re pretty positive that he is the culprit over here. I’m also pretty sure that he has somewhat of a history with super_[/quote]
He has a history with me too, I believe that he was the one who spoofed my IP when rscheata was hacked (ruler had logs of my IP). Besides his skidding, he is also a real pain in the ass. A few years back when I was running rsbot, he acquired my phone number and started making prank calls in the middle of the night, not very pleasant.

[quote=“Newty, post:7, topic:414033”][quote author=Stork link=topic=515997.msg3743601#msg3743601 date=1315582916]
itt: no one cares
[/quote]

actually most of us do care…

But like Speljohan said Wizzup, I highly doubt that super would have any animosity towards either this website or your website. I would look into the user T__X (remove one underscore, the name is censored) though, as we’re pretty positive that he is the culprit over here. I’m also pretty sure that he has somewhat of a history with super_[/quote]
Iirc he started hanging out on IRC a couple weeks ago, but was only in one channel. I’m pretty sure Drew and Speed were talking to him for a while. He was using/still might be using the nick RSCUn

[quote=“Davidi2, post:9, topic:414033”][quote author=Newty link=topic=515997.msg3743780#msg3743780 date=1315599477]
I would look into the user T__X (remove one underscore, the name is censored) though, as we’re pretty positive that he is the culprit over here.
[/quote][/quote]
Was there really a point in quoting that?

Yes, it’s called ‘to support’.

Was there really a point for that reply? :rolleyes:

Guys, Davidi2 supports Newty’s comment.

Just supporting you, mate!

idiots such as yourself should not be allowed to post

edit: nice ninja delete davidi, reinforcing my point

No one is going to point out that this thread feels like it was written by Ruler? I highly doubt it was super_

I think I’ve already stated I’m not drawing conclusions here, I’m posting facts. It is a fact that the IP that matches super_’s was used to perform nasty things in the Villavu adminCP, during the “hack”. It is related, no doubt about it. It is also a fact that two users were edited. super_ and another user (I luffs yew, aka Ian_). As far as I could see only the user super_ had been modified a lot. I don’t know if this was super_, but he could at least help explain this? Everything points at him, at least when it comes to villavu.com; I don’t have any knowledge of MITB.

I’m not the man for conspiracies, but I don’t like it when people mess with my community like this. And I’m sure MITB is not particularly happy either at the moment.

About this T__X user, I recall him as well. He “said” he would hack villavu two years ago with some old exploit (I upgraded the forum software regardless, where possible - stupid vBulletin). I don’t recall him being a nice person, and yeah, he does look like a skiddie.

[quote=“frank_, post:13, topic:414033”]idiots such as yourself should not be allowed to post

edit: nice ninja delete davidi, reinforcing my point[/quote]
you didn’t see anything ;D no but really, since when has anyone cared about quoting

[quote=“Wizzup?, post:15, topic:414033”][quote author=Miss Silabsoft link=topic=515997.msg3744455#msg3744455 date=1315630849]
No one is going to point out that this thread feels like it was written by Ruler? I highly doubt it was super_
[/quote]

I think I’ve already stated I’m not drawing conclusions here, I’m posting facts. It is a fact that the IP that matches super_’s was used to perform nasty things in the Villavu adminCP, during the “hack”. It is related, no doubt about it. It is also a fact that two users were edited. super_ and another user (I luffs yew, aka Ian_). As far as I could see only the user super_ had been modified a lot. I don’t know if this was super_, but he could at least help explain this? Everything points at him, at least when it comes to villavu.com; I don’t have any knowledge of MITB.

I’m not the man for conspiracies, but I don’t like it when people mess with my community like this. And I’m sure MITB is not particularly happy either at the moment.

About this T__X user, I recall him as well. He “said” he would hack villavu two years ago with some old exploit (I upgraded the forum software regardless, where possible - stupid vBulletin). I don’t recall him being a nice person, and yeah, he does look like a skiddie.[/quote]
I never said I had doubts that super might have attacked villavu, I just have doubts that the two issues are related in any way.

Well,

[ul][li] Both forums were compromised by using an existing admin account. The passwords were known to the attacker, as far as I am concerned. With Villavu there was additional security in place, but that could have been compromised easily with other existing passwords I fear. In other words, the method of attack was the same. [/li]
[li]The hacks took place only shortly after each other. (MITB.com: ~1 September, Villavu.com: 3-4 September)[/li][/ul]

How can they not be related? How realistic is it to state that the hacks were random? Villavu.com has never been compromised (as in database access) before to my knowledge, so that’s at least 5 years of no trust issues. I can only suppose MITB has a similar trust history. How random would it be, for two related communities to be both hacked, days after each other, having a relatively safe security history? Sounds irrational to me.

You’re correct in assuming that we’ve never had any type of password leak/forum infiltration such as this (excluding a global mod incident a few years back in which the mod went AWOL.)

In regards to T__X, I would not really put him in the realm of a script kiddy, although he possesses the grammatical prowess of a 4 year old, he is indeed very intelligent and is more than capable of exploiting holes in software. I also wouldn’t put framing super_ past him, as I said previously.

However, I think you should wait until super_ responds before deciding that he’s guilty.

He did not say super_ is guilty, he has reinforced this point numerous times.