Toc_vremenno -
Joined: 09 Apr 2004 Posts: 3
|
Posted: Mon Jun 28, 2004 4:00 pm Post subject: A hacker got my abyss.conf. Could he open the password? |
|
|
A hacker got my abyss.conf. Could he open the password?
I mean, could he open the password having these lines:
Version 1.1
login adm*** .......
password 85b6e0290xx .......... |
|
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Mon Jun 28, 2004 4:24 pm Post subject: |
|
|
How do you know he got the .conf file ?
The password is MD5 encrypted. It is possible to break MD5 encryption with enough time and CPU power, but he won't be getting there in a hurry unless you chose an insecure password. However, even if you chose a stupid password, the MD5 hash is of the username + password joined, so he won't be breaking it with a dictionary attack in a hurry.
Just change your admin password and everything will be fine. You don't reuse passwords do you ? ;)
Also, as long as you have not forwarded access to your console port through a router, there is no way for him to access the admin console other than be sat at your machine. |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Mon Jun 28, 2004 5:04 pm Post subject: |
|
|
You should download the new Beta 1 and use that for
your server, it has a feature to only allow requests from
your localhost address and that way no hacker has access. |
|
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Mon Jun 28, 2004 5:19 pm Post subject: |
|
|
He was asking whether anyone could read the password. If he uses the same password for everything on his PC he has a lot more to worry about than upgrading to the latest beta... |
|
Lithorien -
Joined: 20 Jun 2004 Posts: 40
|
Posted: Mon Jun 28, 2004 9:32 pm Post subject: |
|
|
Nothing to worry about unless this guy can decrypt MD5 hashes... before he dies of old age. :P |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Tue Jun 29, 2004 3:54 pm Post subject: Re: A hacker got my abyss.conf. Could he open the password? |
|
|
Toc_vremenno,
The passwords in the configuration file are one-way encrypted which means that they cannot be decrypted without using huge computing resources to try billions of possibilities to guess your password (assuming your password is not a common word or something easy that the hacker could guess.) _________________ Support Team
Aprelium - http://www.aprelium.com |
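An added example (not part of the original posts, and not Aprelium's code) contrasting the stored form Anonymoose describes, an MD5 over username and password, with a per-user salted PBKDF2 record that makes each of the guesses aprelium mentions far more expensive. The joining format, the record layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5_record(username: str, password: str) -> str:
    """MD5 over username + password, as described in the thread.
    Plain concatenation is an assumption. One fast hash per guess, and the
    only 'salt' is the username, which sits next to the hash in the file."""
    return hashlib.md5((username + password).encode("utf-8")).hexdigest()


def new_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, randomly salted record: scheme$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh per record, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample credentials, taken from the question in the thread.
    user, pw = "admin", "123456"
    # The legacy value is identical on every install with these credentials.
    print("legacy:", legacy_md5_record(user, pw))
    a, b = new_record(pw), new_record(pw)
    print("salted records differ:", a != b)
    print("verify ok:", verify(pw, a), "| wrong password:", verify("654321", a))
```

Whatever the storage format, a leaked file means the password should be changed, as the replies above say; the slow, salted form only buys time for a password that is not trivially guessable.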
|
Toc_vremenno -
Joined: 09 Apr 2004 Posts: 3
|
Posted: Tue Jun 29, 2004 7:53 pm Post subject: Brute force? |
|
|
Ok. I understood.
And do You know which progz can decrypt MD5 hashes?
Are there with open source?
What about speed? I mean, how much time does administrator
have to change the password if it was very simple, eg
login: admin
pass: 123456
or a dictionary based. |
|
iNaNimAtE -
Joined: 05 Nov 2003 Posts: 2381 Location: Everywhere you're not.
|
Posted: Tue Jun 29, 2004 8:09 pm Post subject: |
|
|
First, the password cannot be decrypted. It needs to be broken with a brute forcer.
If you just go and change the password to something a little more complicated, you don't have to be worrying about this.
Make the user something like "admin[]website," and use http://www.winguides.com/security/password.php to make a password. _________________ Bienvenidos! |
|
erskie -
Joined: 16 Jan 2004 Posts: 31 Location: ALL over
|
Posted: Tue Jul 06, 2004 3:07 am Post subject: To reiterate the question ... |
|
|
Out of interest, to repeat a previous question, how do you know a/the hacker got the file? _________________ 'Smile', he said, 'things could get worse...'
So I smiled, and things got worse... |
|
avisonjohn -
Joined: 04 Aug 2004 Posts: 4
|
Posted: Wed Aug 04, 2004 6:18 pm Post subject: |
|
|
He probably got someone else's and wants to know how to get the password....
And yeah, I have made an MD5 brute force decrypter with PHP. Will sell the source. Any bids? Email me at avisonjohn@yahoo.co.uk |
|
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
|
senshi -
Joined: 05 Nov 2003 Posts: 385 Location: UK
|
Posted: Wed Aug 11, 2004 10:38 am Post subject: |
|
|
Simple and easy rule to making a secure password.
Don't use a name, a Date, a pet's name, a favourite colour, password less than 6 characters, something you like doing, your car registration, anything that can be found out about you from someone else.
Any Human Readable format is insecure as is any public information about you or what you disclose about yourself to others can be used to help guess passwords, in short, the password is only as secure as you make yourself, if you go around boasting or bragging, people will use what they can against you, so start being secure by securing the biggest security hole, your mouth.
for example,
alan10121977 -- wouldn't take very long to crack, a matter of minutes I would say.
Alan_10121977? -- Would present some element of difficulty as it uses non standard characters, most crackers will be looking at Aa-Zz & 0-9, the addition of a non-standard character is what makes any password secure.
Most secure would be something that is a mix of characters that you can remember but doesn't make a word, has mixed capitals and lower case, numbers and at least one non-standard character.
a10L12a19n77? -- a bit awkward but does prove more difficult to crack because the name is broken up by numbers and there's a case change and one nonstandard character.
The crack engines that pick out words easily enough cang find matches to what appears to be a random set of characters as it has some case changes and the name alan is broken up by numbers.
The best passwords are ones that have no connection to you, your surroundings and the things you like doing or relatives, birthdays or anything that has a 'Human' readable form, it all depends on how easily you want your passwords stolen, I use one password for many secured items because I know that my password is really secure, it has 12 digits that are mixed numbers, letters with case changes and nonstandard characters. |
|
senshi -
Joined: 05 Nov 2003 Posts: 385 Location: UK
|
Posted: Wed Aug 11, 2004 2:41 pm Post subject: |
|
|
If you put / as the virtual path and enter the physical path to the folder you want, any request arriving as a simple http://*yourIPaddress/ will automatically get directed to that folder, so you can add the same physical path to /mp3.
This would have the same effect of securing the root of your site as it now becomes invisible.
That's if you want to only allow users you add to the server security, you are better to host a page or two with links to file that are locked down with a password and user login to gain access to the download, if all you're worried about is hot linking, you can use simple methods to prevent the user from doing such things by simple uses of javascript or a simple cgi program or PHP to run as CGI. |
|
kuratkull -
Joined: 20 Aug 2004 Posts: 3
|
Posted: Fri Aug 20, 2004 12:15 am Post subject: |
|
|
A few days ago, some Chinese smart men found out an algorithm to break the MD5 hash in a matter of hours. Creepy...
www.md5crack.com |
|
senshi -
Joined: 05 Nov 2003 Posts: 385 Location: UK
|
Posted: Sat Aug 21, 2004 10:14 am Post subject: |
|
|
kuratkull wrote: | A few days ago, some Chinese smart men found out an algorithm to break the MD5 hash in a matter of hours. Creepy...
www.md5crack.com |
Quote: | The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
--------------------------------------------------------------------------------
Please try the following:
Click the Refresh button, or try again later.
If you typed the page address in the Address bar, make sure that it is spelled correctly.
To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.
Cannot find server or DNS Error
Internet Explorer
|
BUT NOT FOR LONG ! |
|