Forum hacked

Bernhard

Founder Drummerworld
Staff member
Drummerworld hacked - the hacker asked for money and then erased both the Drummerworld website and the forum - we took our measures - so everything is back again - posts from the last 2 days are lost. Sorry for the inconvenience... Thankfully we have Markus Supergrobi on board and also a super team at Webair Host - unbelievably hard and good work!!!

and also this:
PLEASE CONSIDER A STRONGER PASSWORD IF YOU DON'T HAVE ONE ALREADY! A NO GO is using the same password with other services.
For changing your PW, I think the best way is: log out - try to log in without a password and click "forgot password" so you receive an email to reset or change it.

Bernhard

iCe

Senior Member
> Drummerworld hacked - the hacker asked for money and then erased both the Drummerworld website and the forum - we took our measures - so everything is back again - posts from the last 2 days are lost. Sorry for the inconvenience... Thankfully we have Markus Supergrobi on board and also a super team at Webair Host - unbelievably hard and good work!!!
>
> and also this:
> PLEASE CONSIDER A STRONGER PASSWORD IF YOU DON'T HAVE ONE ALREADY! A NO GO is using the same password with other services.
> For changing your PW, I think the best way is: log out - try to log in without a password and click "forgot password" so you receive an email to reset or change it.
>
> Bernhard

Just to be sure: we don't need to reset our passwords, right? If I read it correctly, a forum member's account was accessed by someone who obtained his login info?

Bernhard

Founder Drummerworld
Staff member
> Just to be sure: we don't need to reset our passwords, right? If I read it correctly, a forum member's account was accessed by someone who obtained his login info?

Just have a strong password - if you have one already: fine - and not one used for other accounts too, like FB.

Woolwich

Silver Member
It was scary for a moment, I didn't know the answer to the password security reset question!!!

Which band did John Bonham play in?

Woolwich

Silver Member
On a serious note, is it good advice to suggest changing your password on OTHER sites if it's the same as the one you used here?
If my account gets hacked here it's not the end of the world, but if the hackers trawl the internet with my email address and password and find that I used the same password for my email account, online banking, credit card, then THAT can cause serious problems.
I recently found an email in my spam folder demanding money because "they" had lifted a password from another site they'd breached. It was a password I hadn't used for years, and only then on sites with low-level risk to myself such as forums, but it drove home to me the potential risk.

Al Strange

Well-known member
Thanks for sorting it, guys, I feared something bad had occurred; hoping everyone is ok and secure from the password pirates!! Keep smashing it DW!!!

Supergrobi

Technical Supervisor
> If my account gets hacked here it's not the end of the world, but if the hackers trawl the internet with my email address and password and find that I used the same password for my email account, online banking, credit card, then THAT can cause serious problems.

True. There are lots of hacks stealing and publishing user account data; the latest big one was something like 500 million accounts from Facebook. They normally include the password, at best in a salted, hashed version. But often - if at all - those hashes are something like unsalted MD5, which is not too hard to roll back to plain text these days. The follow-up attacks are fully automated: a hacker downloads or buys a package of user accounts and feeds them into a couple of scripts, which then crawl the internet trying to get access to various services. That's the reason for having different credentials on every service you're using. So I can only second this one:

> Password managers are our friends. They generate random passwords for every site, and then they remember them and fill them out for you.

Yeah, it's a bit inconvenient if you have to log in from another device or browser, but it's your data, your money, your computer; keep that in mind.

Another vector is weak passwords. It doesn't matter if you sprinkle in some numbers or special characters; they are kept in dictionaries, downloadable or purchasable, containing millions of average passwords. So "P4s$w0rd", "123456#", "qwerty123", "_4dm1n15tr4t0r_", "MyPassw0rd", "$3CUR3" and friends are considered non-existent, password-wise. With a dictionary of passwords and a user name, it's often a matter of seconds to get access to whatever site.

The best thing to do is to use random strings. This can be done with most programs these days, as pointed out by Naigewron already. If you're using Linux, there's a command-line tool called pwgen which can be used like this:

Bash:
~$ pwgen 16
iephumooLushiez4 ieNg0Quu3aongaeV RooDiechi0jiZ0Oh Ahth0loDe5aeYeri
ov6ahph2WaiVoon6 chaiwab8Roy3ta6W foowaiquee0map9D gaJiZioPhieChec6
ietooX1Chi6pha8e Aequ5shu9tah4Vid oop6Ohta1neishai iefu1yuChi5saimu
Yiuxiedaeyah8Lea jier2Eew1Pha6fee Ojou1OoWae4la9qu sooT0Eepoo2ahj1i
isieghu1Shoh9ohg itheojo4iZaisiHa Ur3jo1eequaito5A KaiPo0nee9Thi7so
iurahmeegh1gohJe Oshie6LaiZe8beif Et5quithie6oilua ooGoh9IeS5yi4pee
leu3aQu7rohsoo5u ahzaeDu1Baig5Huv faew5epaCishog8n tah5aiyahWoo1ait

It can be used on macOS as well; install it via Homebrew:

Code:
brew install pwgen

Probably the most secure password is something long that you are able to remember, maybe something like:

"MyMotherWasBorn1942AndNeverHeardOfInstagram"

But that user credentials thing is just one of the attack vectors these days...

EDIT: One thing to keep in mind is that it's not about you personally. No one would try to spoof you out of nothing if you're not a high-priority target for whatever reason. You're just a single entry in a huuuge CSV file, getting attacked on an automated basis. No humans and no feelings involved here.
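As an added example (not code from the original post or from Drummerworld), the mechanics behind the claims above in Python: undoing leet-speak to check a password against a dictionary, cracking an unsalted MD5 hash by mangling dictionary words (case, leet substitution, common suffixes), what a salted slow hash looks like instead, and a pwgen-style random string drawn from the OS CSPRNG. The dictionary, the mangling rules, the suffix list and the "leaked" hash are all constructed for illustration; a real wordlist and real cracker rule sets are far larger.

```python
import hashlib
import secrets
import string

# Constructed stand-in for the downloadable dictionaries the post mentions.
# Real wordlists hold millions of entries; this one is enough to show the idea.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "administrator", "secure",
    "mypassword", "letmein", "welcome", "drummer",
}

# Leet substitutions that crackers undo (and apply) mechanically (assumed set).
LEET_TO_PLAIN = str.maketrans({"4": "a", "@": "a", "$": "s", "5": "s",
                               "0": "o", "1": "i", "3": "e", "7": "t"})
PLAIN_TO_LEET = {"a": "4", "s": "$", "o": "0", "i": "1", "e": "3"}
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2021"]   # constructed rule list


def md5_hex(text):
    """Unsalted MD5 of a password, the way a weak site would store it."""
    return hashlib.md5(text.encode()).hexdigest()


def normalize(pw):
    """Plain-text forms a cracker would reduce `pw` to: lowercased, leet undone,
    decorative punctuation and digits stripped from both ends."""
    lowered = pw.lower()
    forms = {lowered, lowered.translate(LEET_TO_PLAIN)}
    for f in list(forms):
        forms.add(f.strip(string.punctuation + "_"))
        forms.add(f.strip(string.punctuation + string.digits + "_"))
    return {f for f in forms if f}


def is_dictionary_password(pw):
    """True if `pw` is just a dictionary word in disguise."""
    return any(f in COMMON_PASSWORDS for f in normalize(pw))


def mangle(word):
    """Mangling rules applied to one dictionary word: case x leet x suffix."""
    out = set()
    for base in (word, word.capitalize(), word.upper()):
        variants = {base}
        full = base
        for plain, leet in PLAIN_TO_LEET.items():
            # one substitution at a time, and all of them together
            variants.add(base.replace(plain, leet).replace(plain.upper(), leet))
            full = full.replace(plain, leet).replace(plain.upper(), leet)
        variants.add(full)
        out.update(v + s for v in variants for s in SUFFIXES)
    return out


def crack_unsalted_md5(target_hex, dictionary=COMMON_PASSWORDS):
    """Recover the plain text behind an unsalted MD5 hash by hashing mangled
    dictionary words until one matches; None if the rules never hit."""
    for word in sorted(dictionary):
        for cand in mangle(word):
            if md5_hex(cand) == target_hex:
                return cand
    return None


def salted_hash(pw, salt=None):
    """What a site should store instead: a random per-user salt plus a slow
    PBKDF2 digest, so one precomputed table does not crack every user."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return salt, digest


def random_password(length=16, alphabet=string.ascii_letters + string.digits):
    """pwgen-style random string from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["P4s$w0rd", "123456#", "qwerty123", "_4dm1n15tr4t0r_",
               "MyPassw0rd", "$3CUR3",
               "MyMotherWasBorn1942AndNeverHeardOfInstagram"]:
        print(f"{pw!r:48} dictionary={is_dictionary_password(pw)}")
    leaked = md5_hex("Passw0rd1")            # constructed "leaked" hash
    print("cracked:", crack_unsalted_md5(leaked))
    print("random :", random_password())
```

Every one of the post's "non-existent" passwords collapses to a dictionary word after normalization, and the cracker finds "Passw0rd1" without ever seeing it, because the rules regenerate it from "password". The same hash with a random salt and PBKDF2 forces the attacker to redo that work per user, which is the whole point of salting.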

Sebenza

Member
> Probably the most secure password is something long that you are able to remember, maybe something like:
>
> "MyMotherWasBorn1942AndNeverHeardOfInstagram"

This is what I do. As added security, I even use a dialect of my native language.

I actually started using this type of password because of Google and their pushy behaviour of demanding you log in to whatever Google-related app or site for just about anything. By having to constantly create new passwords, which I then of course almost instantly forgot again, I eventually became so p'd off with Google that I made a huge long ranting password sentence filled with expletives in my local dialect, telling Google where they can stuff it. Aside from obviously being pretty darn secure, I haven't forgotten it since either.

Old PIT Guy

Well-known member
I'm not a hacker, but I do take an interest in human behaviour, and the first thing I ponder in a situation like this is motive. Hacking a forum isn't exactly a 5-minute task. Unless you have a key. So, this hacker commandeered the site to post a link for users to send $300 to a listed moderator, while he also set out to delete the entire site (and that link to $300), and that was the point of the entire effort? Call me cynical, but I don't think that's all there was to it.

Supergrobi

Technical Supervisor
Money, fun, adventure and gaining knowledge are huge motivators, and those attacks can be automated. Here is just one single scenario out of thousands, not even counting log-in breaches through weak or stolen passwords, which can easily be automated too:

Vulnerabilities in any forum/blog/web shop/whatever software can be found on the internet; let's take this system as an example:


Find one for, say, this forum software running on an older version and script the attack, then do this:

https://www.google.de/search?q=Forum+software+by+XenForo®+©+2010-2021+XenForo+Ltd.&

It gives 49,300,000 results. That's quite a lot of possible targets for your attack.

A bot network (maybe including your possibly unpatched Windows installation?), already under the attacker's control, orchestrates the automated attacks: it crawls through all the search results and informs the hacker about every successful breach.

Done.
