There's no way you can decrypt md5(), BUT if openkore forums edited the way of user registration, login, and forgot password to view the user's password on the phpbb db, that might really be a problem.
Bibian wrote: On the old forum, some script kiddie used an old exploit to get the passwords of certain people.
What happened you ask?
Re: What happened you ask?
sry about noob Question!
as i understand it, the old forum was compromised. and as a by-product the database structure was screwed up.
does that also apply to the openkore manual? is that why it's inaccessible at the moment?
Re: What happened you ask?
md5 isn't crypt, md5 is a hash. and you can attack md5 hashes with the use of rainbow tables. on weak passwords it won't take long to break a password hash.
anyways, any information available as to which account got compromised and led to the problems?
.junq
Re: What happened you ask?
it's junq! =P
junq wrote: md5 isn't crypt, md5 is a hash. and you can attack md5 hashes with the use of rainbow tables. on weak passwords it won't take long to break a password hash.
anyways, any information available as to which account got compromised and led to the problems?
.junq
mail me with your openkore mail and i'll add you back to the internals :/ security reason...
Re: What happened you ask?
junq wrote: md5 isn't crypt, md5 is a hash. and you can attack md5 hashes with the use of rainbow tables. on weak passwords it won't take long to break a password hash.
anyways, any information available as to which account got compromised and led to the problems?
.junq
Yes md5 is a hash and there's no way to retrieve the original value of hashed strings, that's why I used the word "Decrypt".
I think Bibian's point is, "it's easier for that person who exported the user tables if that information is installed on their private machines (mysql server), so they can bruteforce on it without restrictions."
"On the old forum, some script kiddie used an old exploit to get the passwords of certain people."
Re: What happened you ask?
Which is precisely junq's point - md5 is not a crypt, but a hash. A crypt is different from a hash - they function differently. Of course you can argue that they can be used for the same applications (e.g. user authentication) but that doesn't make them the same. In other words, do not interchange them.
"There's no way you can decrypt md5()"
Besides, the exploiter did not get passwords through bruteforcing the hashes - he used a php bb exploit to piggyback on the login.php page and harvest the passwords of people typing in that form. This is partly the reason why we upgraded to the latest phpbb.
Got your topic trashed by a mod?
Trashing topics is one click, and moving a topic to its proper forum is a lot harder. You expend the least effort in deciding where to post, mods expend the least effort by trashing.
Have a nice day.
Re: What happened you ask?
Read up here: http://en.wikipedia.org/wiki/Rainbow_tables
jbauson wrote: Yes md5 is a hash and there's no way to retrieve the original value of hashed strings, that's why I used the word "Decrypt".
IIRC phpbb 2.x didn't use a salt in the hashing of passwords, thus, they can be reversed. But as kali pointed out, the attack vector chosen was different.
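Added example, not part of the original thread and not phpBB's code: a Python sketch of the salt point made above, showing why an unsalted MD5 column is open to precomputed tables and how a login handler can replace legacy hashes with salted PBKDF2 records. The record format, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware and policy


def legacy_md5(password):
    """Unsalted MD5 hex digest: same password, same hash, on every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password, salt=None):
    """Salted, deliberately slow hash stored as 'pbkdf2$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2${}${}".format(salt.hex(), digest.hex())


def verify_and_upgrade(stored, password):
    """Check a login. Returns (ok, replacement_record_or_None)."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, _ = stored.split("$")
        candidate = hash_pbkdf2(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), None
    # Legacy row: bare MD5 hex. Verify once, then hand back a salted record
    # so the caller can overwrite the weak hash in the database.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_pbkdf2(password)
    return False, None


if __name__ == "__main__":
    pw = "dragon123"  # constructed sample password
    print(legacy_md5(pw) == legacy_md5(pw))    # identical for every user
    print(hash_pbkdf2(pw) == hash_pbkdf2(pw))  # differs: fresh salt each time
    ok, upgraded = verify_and_upgrade(legacy_md5(pw), pw)
    print(ok, upgraded.split("$")[0])
```

Upgrading on login only covers accounts that sign in again; rows that keep a bare MD5 hash stay exposed until the password is reset.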
Re: What happened you ask?
BTW, why is junq still not given an admin status?
junq, if you have an openkore.com email I suggest you email isieo so we can verify who you are and give you back admin access.
Oh, and from my cursory inspection of the server logs the day the forum was exploited, I did see that most of the accounts that the exploiter was targeting were the admin accounts. So if there was one admin here who was also an admin in sf.net, and had the same passwords to both websites, his was probably the account that was used to delete the project from sf.
Re: What happened you ask?
Bibian, can u pls give us a link to the new manual??