mike bailey’s anarchist campaign of disinformation

hi justin

Filed under: The Daily RoundUp — mikey @ 10:53 pm

It looks like the truth about wht being compromised finally came out.

It’s good to see that they admitted to what happened, though there is still some denial about the possibilities of what happened.

It turns out, I was right about a majority of what happened. Wiki vulnerability exploited by somebody. Not sure if it was masteritx who was responsible for it, but I’m fairly sure he’s at least partly involved.

I’m ok with it, I guess. I don’t really wanna kick sand in the face of their mods, but it was handled in a less than honest manner, by at least one party. I don’t really believe dennis, jan, writespeak, or anyone other than mat are really knowledgeable of what happened, but I do believe that if mat gave the others the information that they were posting, then he probably handled it in a less than honest manner, possibly to save his credibility.

The main issue is, we don’t have any evidence of what happened. They say that the attacker didn’t have access to the database, but he could have easily gained the credentials by opening the forum’s config.inc.php file with the phpshell he managed to get onto the servers originally. Additionally, he could have used the same methods to install phpmyadmin, configure with the same login credentials he obtained via config.inc.php, and then browse the database that he was writing user logins to. They could have also removed the files that they put there in order to erase their tracks. If wht did log, they might have evidence of what happened, but since the hack can be dated back as early as august, they probably don’t have logs dating back that far.

But, they’re forcing users to change their passwords, so that’ll help. Hopefully nobody used the same password for multiple websites, but something tells me they were.

Another problem is that, they say:

This occurred only when logging into WHT through the wiki, not through the standard vBulletin (homepage) login

Which isn’t true, as I was receiving the error when logging in via the homepage on their dev server while the original thread was happening.

But, I don’t know. I’m not overly concerned about it, at least they’re not denying it completely anymore.

small town boy

Filed under: Music — mikey @ 10:07 am

yogurt - small town boy

meanwhile…

Filed under: The Internet — mikey @ 3:09 am

Normally, when I see someone post a thread that includes multiple sentence terminators in its subject, I believe that the thread starter is exaggerating the topic at hand. However, in this thread, it would appear that the poster is completely right. Only problem is, only a quarter of the forum’s user base understands why.

You see, the block of error message shows a very serious problem taking place on wht. A php script that’s masked as a .jpg file is being invisibly accessed by a php script on the server of wht, and it’s passing along three variables any time the user logs in: 1) The user’s username, 2) The user’s password, and 3) The user’s email address. After that, there isn’t a completely clear idea of what is being done with the data, but common sense tells me that the data is being sent out in an email to someone who is collecting wht accounts for some purpose.

How did it get there? Well, this is where it gets interesting. About a month ago, I was contacted by this fag who calls himself masteritx. This boring virgin who comes to the internet via a telephone line in some third world sandbox. This guy went on to tell me that he hacked wht, and to prove it he sent me an email from a webserver of wht’s, with the headers of the email clearly showing the email as being sent via a php script on a webserver of webhostingtalk. Every few weeks, he likes to contact me telling me he’s doing something new with the hack he put down on wht. What’s fucked up about it is, when he did tell inet about the vulnerabilities, he was registered, and those fucks actually banned him when they found out about the compromise. Real nice, ban the guy who offered to help you close a security hole. But, I’m not sure how masteritx went about it. He could have tried to extort them, and that could have triggered the ban, but I’m not really sure what happened. All I know is that he told me he was trying to reach wht’s admins, and a few days later he was banned. After that, he tried to tell me that he had obtained a copy of wht’s database, and that he was going to sell it to somebody.

Back to the technical specifics of the attack, the error that was posted on the thread is as follows:

Warning: fopen(http://www.webhostingtalk.com/store/images/126928744_lg.jpg?user=calamine&pass=xxxxxx&email=xxxxxx%40gmail.com): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /includes/functions.php(2651) : eval()’d code(1) : eval()’d code on line 5

When the user logged in, the php script login.php calls a file under includes/functions.php, and within that file is code which uses the php fopen function to download a file at http://webhostingtalk.com/store/images/126928744_lg.jpg while passing the username, password, and email address variables back down to the page. How did the 126928744_lg.jpg file get there? Well, my bet is that when the wiki was compromised, masteritx put in a few backdoors in directories he found were chmod 777, because those are directories that the webserver would be able to write to. With those backdoors, he probably wrote a php script, disguised it as a .jpg file which sends him an email with the variables the user sends when they login.
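For defenders reviewing a server after this kind of compromise, the sketch below is an added example (not code from the original post or from wht) that flags the two artifacts described above: log lines where an image URL carries credential-like query parameters, and files named like images whose bytes are not image data. The log lines, addresses, dates and parameter values are constructed; only the image path comes from the quoted error.

```python
import re
from urllib.parse import parse_qs, urlsplit

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
CRED_KEYS = {"user", "pass", "password", "email"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # access-log request field
FOPEN_RE = re.compile(r'fopen\((https?://[^)\s]+)\)')              # URL in a PHP fopen() warning
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Constructed sample lines: two access-log entries, one PHP warning, one benign request.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /store/images/banner.jpg HTTP/1.1" 200 5120',
    '127.0.0.1 - - [01/Jan/2000:10:00:02 +0000] "GET /store/images/126928744_lg.jpg'
    '?user=alice&pass=REDACTED&email=alice%40example.com HTTP/1.1" 403 210',
    'Warning: fopen(http://www.webhostingtalk.com/store/images/126928744_lg.jpg'
    '?user=alice&pass=REDACTED&email=alice%40example.com): failed to open stream',
    '203.0.113.9 - - [01/Jan/2000:10:00:03 +0000] "GET /search.php?user=alice HTTP/1.1" 200 900',
]

def credential_params(target):
    """Return sorted credential-like query keys if target is an image path, else []."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(IMAGE_EXT):
        return []
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return sorted(keys & CRED_KEYS)

def scan_lines(lines):
    """Return (line_number, path, keys) for lines where an image URL carries credentials."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line) or FOPEN_RE.search(line)
        if not m:
            continue
        keys = credential_params(m.group(1))
        if keys:
            hits.append((n, urlsplit(m.group(1)).path, keys))
    return hits

def looks_like_script(data):
    """True if a file named like an image lacks image magic bytes or embeds a PHP tag."""
    return not data.startswith(MAGIC) or b"<?php" in data.lower()

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE):
        print(hit)
```

Run `scan_lines` over access and PHP error logs, and `looks_like_script` over the first bytes of every image-named file in web-writable directories.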

Currently, one admin has posted, Dennis. Dennis has posted to tell my friend and associate Steven that he should be posting elsewhere, and not “insulting” wht by posting information about the hack. I find inet’s disregard for user security a lot more insulting than what steven has posted. More information is probably going to come as the days go on, but the side of intelligence and security has been gaining support, with only a few idiots stepping in to defend wht’s admins.

I need to tell you all something…

Filed under: General — mikey @ 4:07 am

For some time, I have been engaged in a lifestyle some of you are likely to question. I am not proud of the choices I have made, and to be honest, I wish I could escape what I have become. However, the overwhelming nature of the condition has rendered me unable to cope with life without it.

sigh…

I am a cat person.

For my entire life, I have embraced the spirit of the cat, and will always prefer the company of a cat over any other member of the animal kingdom. Rover? Get the fuck away from me. I won’t be having any of your shit today. Mr. Boots? Get the over here and cuddle up in my bed all afternoon.

I hope you can understand…

Living next to a baseball stadium blows.

Filed under: The Daily RoundUp — mikey @ 9:06 am

Well, sometimes.

I live about 5 blocks away from us cellular stadium. Home of the white sox. The girl I’ve been seeing enjoys coming over, however there’s a problem. All of the street parking in my area is reserved for people who have a sticker which declares them a resident of the area. She doesn’t have one, nor does she have a chicago-resident sticker, because she registered her vehicle in the suburbs where it isn’t fucking expensive as shit to register your vehicle.

This presents a problem when she wants to sleep over at my place during the afternoon. If the game starts at 6, her car has to be out of the area before 2PM or else she’ll be towed. Game-Side parking? $22 god damn dollars.

I’m starting to dislike living in bridgeport. It’s far away from her, getting to work from here during the winter will be a bitch. Though, I am getting used to taking the bus. Previously, I stuck specifically to the redline train, but the cta will take me closer to work in only 2 stops. The previous route involved 1 fifteen minute walk, 1 five minute train ride, and 1 more fifteen minute walk. Now, it’s just a 6 minute walk, a 5 - 10 minute wait, and two bus transfers, from halsted street to cermak.
