£25 Reward
Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=15705
Printed Date: 31 March 2026 at 11:59am Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: £25 Reward
Posted By: Gullanian
Subject: £25 Reward
Date Posted: 03 July 2005 at 11:05am
Dear everyone on WWF,
Recently my website was broken into, and I would like to discover the method of entry as soon as possible.
On C4SMS.com I have set up an account with the username
'BreakTest'. I invite anyone to try (without disrupting service)
to enter that account.
I will pay via Paypal, £25 (nearly $50) if you manage to tell me the
details of the entry stored in the address book for that user when
logged into the account.
To claim the reward you must also tell me step by step how you achieved the entry.
Thanks to anyone that tries.
Tom
Replies:
Posted By: Mart
Date Posted: 03 July 2005 at 6:17pm
I take it you've eliminated brute force and it is a glitch?
Posted By: dpyers
Date Posted: 03 July 2005 at 7:33pm
As an interim step, you should add some limitations on the number of messages/cc's that can be sent within some time period.
-------------
Lead me not into temptation... I know the short cut, follow me.
Posted By: Mart
Date Posted: 04 July 2005 at 5:08am
I'm giving it a go, but I entered an incorrect password too many times (I was trying a SQL Injection) and now it says
Account locked! Too many invalid login attempts. A re-activation email has been sent.
Posted By: huwnet
Date Posted: 04 July 2005 at 10:48am
@Mart: I think that might have been me using brute force 
Posted By: Gullanian
Date Posted: 04 July 2005 at 10:54am
Set up more accounts if you want.
I can eliminate brute force, my password is 6 characters alphanumeric and non-dictionary. It also takes 1 second per request to login via FTP etc etc so I don't think it's feasible.
I saw a guest on my site (I track guests) and he had 11,000 page views in a day, so he's suspect. However, his IP address was the same IP as my server? What's going on there?
I want to put a limit on messages per day, but how? If I put it on accounts, he can set new accounts up. He also is probably spoofing his IP address so I can't do it on that.
Posted By: Mart
Date Posted: 04 July 2005 at 3:30pm
The guest with 11,000 hits and the same ip as your server is probably some software your hosting company uses or something.
Posted By: Gullanian
Date Posted: 04 July 2005 at 7:48pm
I'm lost... What software would need to do that?
Posted By: huwnet
Date Posted: 05 July 2005 at 12:15pm
Server monitoring to check the webserver hasn't crashed
Posted By: dpyers
Date Posted: 05 July 2005 at 1:54pm
Sounds like they may be running a script from your site. Make sure any
testing scripts are in a login/password restricted directory.
-------------
Lead me not into temptation... I know the short cut, follow me.
Posted By: Gullanian
Date Posted: 05 July 2005 at 2:55pm
No scripts have been modified at all on the date of the attack onwards.
I'm going to reupload everything again to make sure it's all clean just to be on the safe side.
I've also filed a criminal report with the Metropolitan Police, I'm going to forward any data on to them.
Can someone look at the login cookies for me? I think I've done
them securely enough. When you login it stores your password and
username in the cookie.
The password is an MD5 hash of the original password with a salt appended to it.
Posted By: dj air
Date Posted: 05 July 2005 at 3:06pm
Why not store a record/account ID number like Web Wiz Forums does, that is for that purpose only?
That way you don't have cookies storing usernames or passwords, which would be seen as more secure.
Also make sure anything that has it, like the login page etc., goes through SSL.
Posted By: dpyers
Date Posted: 05 July 2005 at 4:20pm
Gullanian wrote:
No scripts have been modified at all on the date of the attack onwards.
I was thinking more in terms of someone running existing testing
scripts. You'd be amazed at how many production sites have open scripts
you can run by entering somesite.com/test/ or somesite.com/test.xxx
-------------
Lead me not into temptation... I know the short cut, follow me.
Posted By: Gullanian
Date Posted: 05 July 2005 at 5:06pm
As far as I know there are not any testing scripts left!
Posted By: Phat
Date Posted: 05 July 2005 at 9:35pm
No luck here. I even signed up and put credits in my account.
You don't send sms to Australia though...
------------- http://buildit.sitesell.com/sitebuildithome.html - Get a website that sells
Posted By: Gullanian
Date Posted: 05 July 2005 at 10:00pm
Sites currently down Phat!
We do send to Australia, check the prices page. Please wait a few days for me to get service back online though.
Posted By: Phat
Date Posted: 06 July 2005 at 3:57am
True True, I did not even look. I just registered and gave it a try. No sms so just figured it did not work.
Tried hacking a few parts to no avail.
------------- http://buildit.sitesell.com/sitebuildithome.html - Get a website that sells
Posted By: Mart
Date Posted: 06 July 2005 at 4:50am
If you really can't figure it out you could contact a web developer and
pay him to read over your source code looking for glitches
Posted By: the boss
Date Posted: 06 July 2005 at 7:47am
Well, storing username and password in a cookie as an MD5 hash followed by a salt attached to it.. pretty long isn't it..
Instead have a field in the database which will store a temporary random value each time the user logs in.. use this random unique value to tag the user by storing it in the cookie.. you can define the cookie to expire in a certain number of days so a re-login would be enforced...
Somewhat the WWGF method... the random value is an MD5 hash I believe, and the salt for it is also stored in the database.
------------- http://www.web2messenger.com/theboss
Posted By: Gullanian
Date Posted: 06 July 2005 at 7:57am
I do that.
Basically, 3 fields in database. Username, password and salt.
Salt changes every time you login.
Password is an MD5 hash of the password + newsalt
Cookie stores username field and password field
To check they are logged in it selects a user record where username = cookie and password = cookie
Failsafe ? Or am I missing something obvious.
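The cookie scheme above puts a password-derived value in the cookie, so whoever copies the cookie holds a credential that only changes when the user next logs in. The alternative suggested earlier in the thread, a per-login random value with only its hash kept server-side and an expiry that forces re-login, is shown here as an added example; it is not code from the thread or from C4SMS, and the in-memory `USERS` store and the PBKDF2 password hash (in place of the MD5 mentioned above) are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory "database": username -> record. Stands in for the site's real tables.
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow key derivation for the stored password; a plain MD5(password + salt) is fast to brute force offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": hash_password(password, salt), "sessions": {}}


def login(username: str, password: str, now: float, ttl: float = 3600.0) -> Optional[str]:
    """Return a fresh random session token for the cookie, or None when login fails."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)            # the cookie value: random, unrelated to the password
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec["sessions"][token_hash] = now + ttl      # the database keeps only the hash and the expiry
    return token


def user_for_cookie(token: str, now: float) -> Optional[str]:
    """Resolve a cookie token to a username; unknown or expired tokens yield None."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    for username, rec in USERS.items():
        expiry = rec["sessions"].get(token_hash)
        if expiry is not None:
            if now < expiry:
                return username
            del rec["sessions"][token_hash]      # expired: drop it so a re-login is forced
    return None


def logout(token: str) -> None:
    """Invalidate one session server-side; the cookie becomes useless even if it was copied."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    for rec in USERS.values():
        rec["sessions"].pop(token_hash, None)
```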
Posted By: dpyers
Date Posted: 06 July 2005 at 1:52pm
Perhaps I'm misunderstanding the situation...
The way I understand it is that you had a valid user send thousands of
blank sms messages. The first question I would address is "how did they
send thousands of requests". The second question would be is "has the
user id who sent the requests been hacked".
IMHO, the only way you can send thousands of requests within a
specific time period is through either client or server scripting.
Limiting requests within a time period for a session and by ip, perhaps
also limiting the number of active sessions, should reduce your
exposure there.
One of the things I would be concerned with would be flaws in my own code. Analysis of the data might reveal a clue...
Are you sure that all of the messages sent by the user were blank?
(e.g. Were they really blank or did they contain unprintable characters
for your character set? Was there a sequence - like 1 message with data
followed by 99 empty messages or 1 x 9999? Did the user ever send a
message with data? What was the data in that message?).
Who were the messages sent to? (e.g. Were they valid SMS users? Did it
look like a dictionary attack? Did they all use the same provider? Were they all to one user?)
I'd probably try to walk through the input-execute-output process - not
just the code. Tools like Visual Studio allow you to process the code a
line at a time examining things as you go, but you can do the same with
pencil and paper. You might also want to sanity check input and output
headers and/or explicitly rewrite them before sending anything out.
Do you delete cookies? What would happen if I had multiple cookies?
would I be logged in multiple times? Can I be logged in multiple
times at once? Will sending a message from 1 login cause all logins to
send that message? What happens if I have cookies turned off - am I
explicitly rejected, or do I fall through to something? What happens if I delete the cookies while logged in?
Find out how your mail server handles failed deliveries. Does it retry x
times? Were there problems with it on that day? If all the messages
were sent to/through 1 sms provider did they have problems that day?
How do they handle failed delivery attempts?
For the future, you may want to do additional session/user logging that
gets turned on automatically when certain event thresholds are reached
- e.g. x number of - failed login attempts, failed messages, blank
messages, failed deliveries, etc.
-------------
Lead me not into temptation... I know the short cut, follow me.
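The two suggestions in the post above, limiting requests per session and per IP within a time window and switching on extra logging once a threshold is reached, as an added example that is not code from the thread or from C4SMS; the class name, limits and the in-memory audit log are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class SendLimiter:
    """Sliding-window limiter on send requests, keyed per session and per IP, with an escalation log."""

    def __init__(self, per_session: int, per_ip: int, window: float, alert_after: int):
        self.per_session = per_session      # max sends one session may make inside the window
        self.per_ip = per_ip                # max sends from one IP inside the window, all sessions combined
        self.window = window                # window length in seconds
        self.alert_after = alert_after      # rejections per session before extra logging is switched on
        self._session_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._rejections: Dict[str, int] = defaultdict(int)
        self.audit_log: List[str] = []     # constructed stand-in for the site's event log

    def _count(self, hits: Deque[float], now: float) -> int:
        # Drop timestamps that have slid out of the window, then count what remains.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        return len(hits)

    def allow(self, session_id: str, ip: str, now: float) -> bool:
        """Record one send attempt; True if it may proceed, False if a limit is hit."""
        s_hits = self._session_hits[session_id]
        ip_hits = self._ip_hits[ip]
        if self._count(s_hits, now) >= self.per_session or self._count(ip_hits, now) >= self.per_ip:
            self._rejections[session_id] += 1
            if self._rejections[session_id] == self.alert_after:
                # Threshold reached: from here on this session deserves detailed logging.
                self.audit_log.append(f"threshold reached: session={session_id} ip={ip} t={now:.0f}")
            return False
        s_hits.append(now)
        ip_hits.append(now)
        return True
```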
Posted By: Gullanian
Date Posted: 06 July 2005 at 2:43pm
Thanks Dpyers, I will go through my code.
My webhost said there were no large attacks on my site in my logs,
which is rather unusual. However there were IPs 'from the RIPE
and Asian Pacific networks that do not regulate their customers'.
Most likely the hacker knew his business and masked his IP.
I don't think it was a valid user unfortunately, that would be easier to
look out. I think they figured a way to send the messages outside
the system somehow. I have a few ideas that I am going to
investigate.
Thanks again for your detailed help everyone!
Posted By: Mart
Date Posted: 07 July 2005 at 8:27am
Guess your attack will be low priority now, after the terrorist attack today
Posted By: Gullanian
Date Posted: 07 July 2005 at 12:48pm
Yeah, that stuff's pretty nasty, sad watching it on the news.
Posted By: Scotty32
Date Posted: 08 July 2005 at 7:13am
I think they figured a way to send the messages outside
the system somehow.
Don't you offer 'reselling'?
Couldn't they have used that as a way of doing it?
------------- S2H.co.uk - http://www.s2h.co.uk/wwf/ - WebWiz Mods and Skins
For support on my mods + skins, please use http://www.s2h.co.uk/forum/ - my forum.
Posted By: theSCIENTIST
Date Posted: 09 July 2005 at 1:07pm
Right, first I would like to say that MD5 can be cracked, however I don't think that was the scenario here since you are suffixing it with a salt. Adding the password to the cookie is a really bad idea; the username is fine, as it can be found out anyway.
I think they figured a way to send the messages outside the system somehow.
Hmm, what steps are you taking against CSRF? That's when people build their own forms and submit data with their own custom forms and not yours, therefore bypassing a few things that could be crucial and also sending stuff along that could have nasty effects. I'm actually developing my own way to prevent this that will involve checking the referer and generating a form token; then when receiving data I would compare the token, meaning whether it came from my form or not. This is very important, you must make sure people submit data with your form only.
------------- :: http://www.mylittlehost.com/ - www.mylittlehost.com
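The form-token idea in the post above, a token minted per session and per form, carried in a hidden field and checked on submission, as an added example that is not code from the thread or from C4SMS. The HMAC construction, the token lifetime and the `send_sms` form name are assumptions; the token is bound to the session so a form built elsewhere cannot carry a valid one.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed server-side key; in practice generated once and kept out of the source tree.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, form_name: str, issued_at: int) -> str:
    msg = f"{session_id}|{form_name}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, form_name: str, issued_at: int) -> str:
    """Value for the hidden field; it binds the form to this session, this form and an issue time."""
    return f"{issued_at}:{_mac(session_id, form_name, issued_at)}"


def verify_form_token(token: str, session_id: str, form_name: str, now: int, max_age: int = 1800) -> bool:
    """True only if we minted the token for this session and form and it has not aged out."""
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                                # malformed or missing token
    if not 0 <= now - issued_at <= max_age:
        return False                                # stale, or an issue time from the future
    return hmac.compare_digest(mac, _mac(session_id, form_name, issued_at))


def accept_send_sms(form_fields: Dict[str, str], session_id: str, now: int) -> bool:
    """Server-side gate for the send form: anything without a valid token for this session is refused."""
    return verify_form_token(form_fields.get("form_token", ""), session_id, "send_sms", now)
```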
Posted By: dfrancis
Date Posted: 09 July 2005 at 2:24pm
theSCIENTIST wrote:
Right, first I would like to say that MD5 can be cracked, however I don't think that was the scenario here since you are suffixing it with a salt. Adding the password to the cookie is a really bad idea; the username is fine, as it can be found out anyway.
I think they figured a way to send the messages outside the system somehow.
Hmm, what steps are you taking against CSRF? That's when people build their own forms and submit data with their own custom forms and not yours, therefore bypassing a few things that could be crucial and also sending stuff along that could have nasty effects. I'm actually developing my own way to prevent this that will involve checking the referer and generating a form token; then when receiving data I would compare the token, meaning whether it came from my form or not. This is very important, you must make sure people submit data with your form only.
YES! That's what I was thinking too!!!
However, that would have been easily identifiable in the logs I would think.
The form token sounds like a great idea... I've read something on this before but can't remember where... darn it.
Posted By: Gullanian
Date Posted: 09 July 2005 at 4:03pm
Nothing of any value came from the logs.
I think someone found out my password and wrote their own scripts to send SMS messages.
Posted By: pmormr
Date Posted: 13 July 2005 at 2:45am
Does your site store login information so they don't have to log in when they come back? It's possible that you logged on somewhere public and somebody sat down and went "oh boy! administrator access!"
------------- Paul A Morgan
http://www.pmorganphoto.com/