---WARNING--- - password hacking attempt on many accounts -- UPDATE --

[saint]

Someone has been attempting to hack user accounts here today using an automated process with multiple IP addresses. Dozens of regular posters are being targeted. If your password isn't a good, secure, hard to randomly crack/guess password, you are strongly encouraged to change it to one that is.



UPDATE 02-18-2011

The password hacking attack does not appear to be related to any other issue at BYOAC. There is a mass-attack against SMF forums (and others, such as PHPboard) in general. More info here: http://www.simplemachines.org/community/index.php?topic=421603.msg2949285#msg2949285. The attacks against BYOAC match this pattern exactly. I do not believe Driver-Man is related to this at all.

I am taking various measures against the attacks. There have not been any successful attacks that I am aware of anywhere. I now consider this a low threat level. Make sure you have a good, non-dictionary based password and beyond that I would not worry about it.

I will note if anything changes in this arena.

--- saint

[yotsuya]

Man, I wish there was something we could do about it/him.

[SavannahLion]

All it does is prove just how wrong the punk is. If he was right there would be no reason to act like an
---uvula---.

[trevski]

ooh, I wonder.

Man, what a dips**t  

[Hoopz]

Man, what a dips**t   

You can call him a dipshit or anything else.  The site has an auto censor.  I call him a ---P&R denizen--- amongst other things.

[CheffoJeffo]

I think it may be time to take up a collection to send someone down to visit spacies and deal with this ---P&R denizen---.

I would volunteer, but I think that perhaps Xiaou with his death punch may be more suitable.

[Ed_McCarron]

---steaming pile of meadow muffin---, so I should change my password from "12345?"

[stu33]

That's the same combination I have on my luggage!

[shfifty]

he should get a Shinkuu Hadouken to the face

[HaRuMaN]

maybe I should change mine... mine is "password" 

[HaRuMaN]

Here's a dumb question, say he was able to hack a mod's account... would that give him access to the forum user's passwords?  Or is that encrypted somewhere (I hope).

[emphatic]

maybe I should change mine... mine is "password" 

That's really clever.  

[Samstag]

I'm pretty sure I'm okay.  Mine is Hq71d4AQr2KsN4f2S, so only the most persistent of hackers could hope to crack it.

[newmanfamilyvlogs]

If his un-proxied IP was recorded, I wonder what could be done by contacting his ISP? We know his real name, his home address.. I recall seeing a plausible DOB somewhere.

He's lived in NZ since at least 2004:
http://www.trademe.co.nz/Electronics-photography/TVs/Standard/CRT/21-53cm-and-under/auction-62790078.htm

I suppose it's at least possible he's no longer living in the area and the person whose address is findable is just family.. here in 2008 is selling various household items:
http://web.archive.org/web/20080512072008/http://www.trademe.co.nz/Members/Listings.aspx?member=487159

The account is now closed.

[leapinlew]

Thanks saint

I added a number 7 to my "123456" password to make it more secure.

[saint]

Here's a dumb question, say he was able to hack a mod's account... would that give him access to the forum user's passwords?  Or is that encrypted somewhere (I hope).

I don't have access to passwords. I can change them, but not tell you what they are.

[saint]

Thanks saint

I added a number 7 to my "123456" password to make it more secure.

Attaboy.

This may be an unrelated attack. I know of at least one other SMF forum undergoing a similar attack.

[newmanfamilyvlogs]

Maybe setup a honeypot account and see what happens?

[shilmover]

obviously, I have missed something as I have no idea who you are talking about...

[Hoopz]

Maybe setup a honeypot account and see what happens?

The old Pooh Bear defense? 

[Donkbaca]

done - password changed to Hackerlicks2balls

figured the number 2 would prevent him from figuring it out...

[ErikRuud]

Is it ok to use my cat's name as my password?

His name is "p#4dgtoxg@t%htkafe".  I change his name every 30 days. 

[opt2not]

Wow, if it's "you-know-who", his dedication to ---meecrob----baggery is astounding.

[Dartful Dodger]

My password is so secure I don't even know it.

I've had this computer for over 7 years. I think the last time I had to enter a password  was a few years ago when arcadecontrols.com switch servers or something.

(I had forgotten my password then too.)

[wp34]

Is it ok to use my cat's name as my password?

His name is "p#4dgtoxg@t%htkafe".  I change his name every 30 days. 

 

[Mikezilla]

God that is such ---That which is odiferous and causeth plants to grow---. What a low life scumbag. That cat one was pretty funny though. 

[missioncontrol]

what if your password is a censored word, does that mean you password is actually what the auto-censor changes it to?

[newmanfamilyvlogs]

My password has an MD5 hash of 'xxxxpleasedontstealpasswordsxxxx'

[ark_ader]

Really, what is in your account for him to steal?

Time to have a peek and remove any details that might incriminate you or put your personal life into Jeopardy.

I have a SMF forum on my site that was retired on the grounds that it was targetted by hackers.

Maybe Saint should migrate to IP Board.  Yes it costs to subscribe, but it is more secure. 

If everyone donated 50c Saint would have enough cash to have it.

Thanks for tell me though, and I have changed my password from ataridigdug to........

[saint]

For what it's worth, I have no indicators that we *have* been hacked. My warning about your password is precautionary (and good advice in general)...

[ark_ader]

For what it's worth, I have no indicators that we *have* been hacked. My warning about your password is precautionary (and good advice in general)...

You do not have a three try lockout or something similar for an indicator?

[saint]

For what it's worth, I have no indicators that we *have* been hacked. My warning about your password is precautionary (and good advice in general)...

You do not have a three try lockout or something similar for an indicator?

The behavior looks a lot like a brute force attack. No one account is ever attempted more than once in a row, though repeated periodically. It's pretty much:

Try a username/password. Fail
Try another username/password. Fail
Try another username/password. Fail
.
.
.
Try the first username/password. Fail

Each from a different IP address with random time intervals between.

A 3 tries and you're locked won't really work in this attack due to the long time intervals and IP hopping, unless someone sees something I'm overlooking? Suggestions welcomed of course... I am banning the IP addresses used in the attack which is having a pretty good effect in stopping the attempts, but more IP addresses are easy to get...
 

[ark_ader]

Perhaps you should disable the avatar uploading facility just to be sure, and purge all avatars from the board. 

You can have members email you their avatars later on.  If it was my site, I would do this immediately.

[RayB]

So Driver-ManBoy is a 14 year old script-kiddie. That actually explains a lot.

[pinballwizard79]

who are we talking about, ive been a good member I deserve to know 

[SavannahLion]

Perhaps you should disable the avatar uploading facility just to be sure, and purge all avatars from the board. 

You can have members email you their avatars later on.  If it was my site, I would do this immediately.

It's not, so we have little to worry about in that regards.

[polaris]

Thanks saint

I added a number 7 to my "123456" password to make it more secure.

hey we're password buddies, i never thought someone would pick the same as me, odds must be like 1 in a 100, maybe more.

[ChadTower]

Actually, this might just be Stingray trying to get in after a few beers. 

The behavior looks a lot like a brute force attack. No one account is ever attempted more than once in a row, though repeated periodically. It's pretty much:

Try a username/password. Fail
Try another username/password. Fail
Try another username/password. Fail
.
.
.
Try the first username/password. Fail

Each from a different IP address with random time intervals between.

A 3 tries and you're locked won't really work in this attack due to the long time intervals and IP hopping, unless someone sees something I'm overlooking? Suggestions welcomed of course... I am banning the IP addresses used in the attack which is having a pretty good effect in stopping the attempts, but more IP addresses are easy to get...
 

[hypernova]

I've always been more of a "pound of cure" kind of guy myself, rather than the "ounce of prevention."

Because, hey, more is better.  Duh! 

[Donkbaca]

Just do what I do with passwords.  Change it every week. Start of with -99bottlesofbeeronthewall