Hello

Status
Not open for further replies.

shahedmo

New Member
Hello there.

This website here http://giveawayirc.x10.bz has been taking passwords from their DB and logging into accounts in my game Infamousnation.net. Stop them now. If you need proof I will get 2 other members from my game.

He has logged into 2 accounts from my game, and they were both admins. Stop them now, or I will take further action.


[Attachment: ss.png]

And here is proof from his game. He LOL'd at me, 'cause he thought it was funny.
 

shahedmo

New Member
Yeah, still this guy is finding out people's passwords. And stealing ****.
 

Dead-i

x10Hosting Support Ninja
Community Support
At the end of the day, account security and the security of your website is your responsibility, and not x10Hosting's. However, I will offer a few tips that you might want to take note of :)

- When hbazer says change the passwords, he means all the passwords. You should change your cPanel password, MySQL password, any FTP account passwords, and the password to any admin accounts on the system you are using.
- Could the attacker have accessed your files at any time? If so, check your files for any backdoors that could have been placed.
- If you're not already, encrypt logins to the system, and encrypt them well. Just md5() alone isn't enough. You should use various hashes together. You could use salts. Make sure that those passwords can't be easily decrypted. This means that even if the attacker got into the database, he couldn't read any of the passwords easily.

If you're still experiencing problems, please tell us what you have done in order to stop the attackers to see if the community has any suggestions.
 

shahedmo

New Member
Nooo, he didn't hack anything. From his database (me and my friends signed up to his game) he got our passwords. Well, my cPanel etc. is all a different pass. He just hacked into my mate's account.
 

hbazer

Member
Where is the account(s) these passwords are for - on your x10hosting's account or on your mate's x10hosting's account or on 'his' x10hosting's account or at some other host... ?
 

shahedmo

New Member
I host elsewhere. So, this guy is using your free hosting, spamming us to join his game and using our passwords to log in to my members' accounts.
 

hbazer

Member
> I host elsewhere. So, this guy is using your free hosting, spamming us to join his game and using our passwords to log in to my members' accounts.

And these "my members accounts" are where ?
 

descalzo

Grim Squeaker
Community Support
> Nooo, he didn't hack anything. From his database (me and my friends signed up to his game) he got our passwords. Well, my cPanel etc. is all a different pass. He just hacked into my mate's account.

Are you saying:

1. You and your friends signed up for a game on his site (which looks empty at the moment)
2. Your friends were stupid enough to use the same username/password that they use on your site
3. He used those passwords to get into their accounts

Why not use your admin powers to just change the password on the compromised accounts (or nuke them if need be)?
 

Livewire

Abuse Compliance Officer
Staff member
I am unable to confirm that any violation has occurred in this situation; we are only able to handle incidents that occur ON our network. You've indicated you're hosted elsewhere; this is something you would then need to handle.

As a side note, although the account you linked to is empty, I've seen the same script in use before - it is the most insecure script I have ever had the displeasure of seeing. If it's the same one I've seen, then how he's able to get the passwords is surprisingly simple - they're stored in plain-text, and the files themselves are prone to even the most basic of SQL/PHP injections. Even if you've managed to secure them on your own install, there's no guarantee that the software in use anywhere else was secured in this fashion.
 

essellar

Community Advocate
Community Support
I feel it's only fair to point out, as well, that even a hosting service that did regular (and expensive) security audits of every single account would not be able to, in practice, prevent this sort of behaviour and still have customers. It would raise the hosting fees to the level of thousands of dollars per month and require a complete code review of both local and external resources on every page and API before deployment and before any change could be rolled out (and that would include every new page, blog entry, forum comment, etc.) by people who are actually experts. I can think of a half-dozen ways (off the top of my head, and without doing any additional research) of storing recoverable passwords that would look secure on the surface and pass simple database table and code scans.

As a site developer (and owner), I go out of my way to make sure that my users' passwords are as safe as they can be, given the processing constraints I have to work with. I never store or send passwords anywhere; I merely store the information needed for them to prove that they know the password they chose, and do that in a way that is specific to the site and user (that is, using a salted and peppered password-based derived key). But I also tell users that they're going to be safer than any promises I can make if they pick a unique password for the site. If you give any Tom, Dick and Harry the same name and password you use for online banking, don't be surprised if your account balance is a little lower than you expected. Until there's a practical, easily-used and enforceable public key infrastructure for authentication, you'll always be at the mercy of a site's owner — don't give them anything you don't want them to have.
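
An added example (not part of any post in this thread, and not code from the game script discussed) of the storage essellar describes and the alternative to bare md5() that Dead-i asks for: a per-user salt plus a site-wide pepper fed into PBKDF2, with only the salt and derived key stored. The function names, the pepper values, the iteration count and the record format are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the pepper is a per-site secret kept outside the database
// (config file or environment). This value is constructed for the example.
const SITE_PEPPER = 'constructed-pepper-for-site-A';
const ITERATIONS  = 600000; // PBKDF2 work factor (assumed; tune to your server)

// Build the record to store: only the salt and the derived key, never the password.
function make_record(string $password, string $pepper = SITE_PEPPER): string
{
    $salt     = random_bytes(16);                               // unique per user
    $peppered = hash_hmac('sha256', $password, $pepper, true);  // site-specific step
    $key      = hash_pbkdf2('sha256', $peppered, $salt, ITERATIONS, 32, true);
    return implode('$', ['pbkdf2-sha256', ITERATIONS, base64_encode($salt), base64_encode($key)]);
}

// Recompute the key from the login attempt and compare in constant time.
function check_password(string $password, string $record, string $pepper = SITE_PEPPER): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;                                           // unknown or damaged record
    }
    $iterations = (int) $parts[1];
    $salt       = base64_decode($parts[2], true);
    $stored     = base64_decode($parts[3], true);
    if ($iterations < 1 || $salt === false || $stored === false) {
        return false;
    }
    $peppered = hash_hmac('sha256', $password, $pepper, true);
    $key      = hash_pbkdf2('sha256', $peppered, $salt, $iterations, strlen($stored), true);
    return hash_equals($stored, $key);
}

// Constructed sample: two users who picked the same password.
$shared = 'correct horse battery staple';

// Bare md5(): both rows hold the same value, so one lookup exposes both accounts.
var_dump(md5($shared) === md5($shared));

$alice = make_record($shared);
$bob   = make_record($shared);
var_dump($alice === $bob);                        // per-user salts make the rows differ
var_dump(check_password($shared, $alice));        // correct password
var_dump(check_password('wrong guess', $alice));  // wrong password
// The same record checked under another site's pepper.
var_dump(check_password($shared, $alice, 'constructed-pepper-for-site-B'));
```

This keeps your own database from being the source of a leak; it does nothing for a user who typed the same password into a site that stores it in plain text, which is the situation Livewire describes.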
 