
Thread: Defacers Really a Problem?

  1. #31
    Senior Member
    Join Date
    Dec 2002
    Posts
    134
    You originally said that if you were defaced it would bring more visitors to your site. Well, that might be fine for some Britney Spears fan club, but it's not OK for any sort of site with credibility. What if you are a computer security site? Do you really think people are going to carry on taking any advice from a site when it can't even protect itself? You say you have 60 members of your site; well, that's 60 people's personal information compromised. I hope you're getting the idea: the attention you'll receive from being defaced is not the kind of attention any decent web site would want.

  2. #32
    We don't have much personal data; the only REQUIRED DATA (to the best of my recollection) is:
    EMAIL
    ACCOUNT NAME
    PASSWD
    (maybe name)

    optional:
    location
    hobbies
    etc.

    Um... what kind of problem is that? Most people only have the required information. A username and password: regenerate passwords with a click of a button, sending the new ones to the emails supplied, which we could use the old DB for to be sure they weren't altered. The passwords are stored in a Microsoft Access database document, last time I looked at it (maybe on a different forum system), with encryption on the passwords. Even I couldn't get to them, and I have root access. If they are using the vulnerability I think they are using, they only have access in the PHP-NUKE ADMIN CPANEL, which isn't really a threat; the real threat is if they have root FTP access, which is how they would get passwords. I noticed wetico and alucard of wetico defaced several php-nuke sites around that time, suggesting they used that vulnerability which came out around that time and is yet to be patched (last time I checked). So... no, what happened isn't a security risk, or a problem for our 60 users. ALL the information they supplied except the password is supplied to users who want it, unless they specify, and I don't believe anybody chose that option. It wasn't a risk I had to worry about, and our members aren't in any danger.
    If you have time, be sure to drop by my website at www.johnscompany.net

  3. #33
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Any level of unauthorised access is highly relevant. Someone who gains a php-nuke site admin, may be able to run php code on the server. Being able to do that, they may be able to gain shell access on the server. Once they have shell access on the server, they may be able to use an exploit to gain root access on the server, and once they have that they can get all the passwords off the machine they want.

    Being encrypted in the DB doesn't stop attackers from obtaining them; they can simply modify the PHP scripts to save copies unencrypted somewhere.

    Even ssh passwords are vulnerable to this attack - someone with root can modify sshd to record plaintext passwords.

    So any level of penetration is serious cause for concern.

    Slarty

  4. #34
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    To continue Slarty's line of thought and to debunk this phrase:-

    "and our members aren't in any danger"
    Since you have already been compromised it would have been trivial for the defacer to alter the web pages themselves in such a way that your visitors' computers become compromised without altering the look of the site one bit. From the sound of it you wouldn't have noticed for a good long time. Then that "little piece of data" you're not worried about becomes everything they have on their computer.

    Naaaah, your peeps are not in any danger.... except from your lack of understanding of the problem..... Open a new account.... Call yourself ph34r_M3....... then at least everyone listening will be forewarned......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #35
    This site isn't even up right now; how should I be concerned about the security of it? There's nothing there any more, all gone; the host ran out of disk space and crashed. ALL that is on the FTP server, last time I checked, is that wimpy skimpy index page: no member info, nothing.
    If you have time, be sure to drop by my website at www.johnscompany.net

  6. #36
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    Sounds like a lost cause. If you didn't have backups (I'm not going to say you deserved it...but...) then I really don't know what the point is. If you plan to start from scratch, do things right this time...
    I'm back.

  7. #37
    Believe it or not, the defacers are actually doing web site owners a favour, because for every exploit they find and use there is someone out there making a patch "to block the hole", or there is an admin making his box's security even stronger. The question I would be asking is: when the patches outstrip the crackers, what will they do then? Guess it will be back to playing the Xbox!!!

  8. #38
    A white hat hacker who tells you your vulnerability would be a better way to find a hole.
    If you have time, be sure to drop by my website at www.johnscompany.net

  9. #39
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    erm, defacers aren't doing anyone any favors. If you need someone to find holes in your software you hire Software Test Engineers, contract them out, or learn the skills yourself. Good STE's can test your website, web application, server configuration, etc in a sane fashion that does no damage and doesn't ruin the reputation of your company.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  10. #40
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by unit321
    A white hat hacker who tells you your vulnerability would be a better way to find a hole.
    You've been influenced by too much D$D, my friend. No one is a white hat hacker. Those would be security admins or people who work for security firms. There is no such thing as grey hats either, that's a bulls**t metaphor for someone who decides, at the moment, whom they serve. If you draw too many lines you end up with a scribble that no one can decipher.

    Of course that is my opinion. And you can argue all you want, it still doesn't make what hackers do, ethical.

    Invading anyone's system is akin to invading anyone's body. If no one invited you, rape is still rape.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson
