
sammie
hackers and script kiddies, oh boy ha ha ha
Comments
aviatrix (positive) | 314 days ago
hahahahah that made me rofl .. kids these days do so many dumb things .. they use some random tools and call themselves hackers .. for example .. a few months back some kid asked for my ip .. and i told him that it was 127.0.0.1 and he told me to save my documents and to wait, i said ok .. and the convo went like this:
me: what you gonna do?
him: im gonna restart ur pc!!!
me: hokay ...
* then i had one big grin on my face waiting for something to happen, 5 seconds later he went offline .. can u guess what happened? *
me: what happened
him: i think i hit my firewall and it backfired on me o.O
me: hmm .. stop ur firewall and try again
him: ok ..
* he goes offline several more times and i laugh my butt off .. *

richardpitt | 314 days ago
These "dictionary" attacks are tried against all manner of systems - FTP, SSH, Telnet (not that any system I run has this turned on, but...) and specific applications like phpMyAdmin and such. I run a program called log-guardian (PERL) http://www.tifaware.com/perl/log-guardian/ (except I can't get in right now) that watches log files for patterns and performs an action if/when the pattern matches. I have my system watching the "secure" log for ssh and ftp transactions - and bad passwords are "3 strikes you're out" - meaning the offending IP address is put into IPTABLES firewall to block any further conversations until the firewall is reset - typically every 12 hours. The same can be done for web logs. Note that this needs to be done at the operating system level so anyone with hosted applications will have a problem. On the other hand there are ways of doing similar things with .htaccess too.

gautam (positive) | 314 days ago
hope dat i'm not treated like script kiddies :) great post for securing passwords. the idea to include one or two characters of the website name too is great. In case someone finds the password of one site, he won't be able to access others as other site passwords would have different characters. but in case u include too many characters from the website name, it might not help ;-)

CyberXing | 314 days ago
I am still stuck on the 30 hours wasted :-) 30 hours... Sammie... sammie... :-p CyberXing

kranio (positive) | 314 days ago
Ooops! I just arrived from jail and forgot some techniques. Where do I find script kids to restart my career? ;) Good post Sammie. But it is important to know that your security is made by you. Watch your logs, change your pass at least one time/week, use strong firewalls (more than one if possible), ssh, read security news, be expert in the new attack systems and verify the authenticity of messages that you receive by mail. Of course I don't need to write almost anything that I say but ... Cya People

sammie | 314 days ago
i'll repost this part and make it a little more clear for you. read the **** parts that i have added to explain more.

i will teach you how you can join 20,000 different websites with 20,000 different passwords and login to all 20,000 sites without forgetting a single password. How? read on.

choose 4 symbols, any 4, and remember them. start your password with 2 of them, like this: $%
**** Dictionary attacks will always start with a letter, but some letters are commonly replaced with a symbol like "a" for @ or "s" for $, so an attacker can add both to the script so it tries both "simple" and $imple. by adding 2 symbols to the beginning you eliminate this risk if one of the symbols you choose is not one that is standard to replace letters ****

choose a name, not your own. i'll use my dog's, Max. but wow, it's only 3 letters long and anyone can guess it? sure, they gotta guess one of 810,000 formulae too, remember. this formulae uses 4 symbols, $% at the start and #^ at the end.
**** just for showing how it works ****

so start with, for Max: $%M
**** for using Max i chose to capitalise the M, but if it's a longer word you can capitalise the 3rd or 4th or last letter. as long as you apply the same formulae to all your passwords, you'll never forget your password again ****

then use the standard @ for the a: $%M@

drop the last letter and replace with the 3rd symbol of your formulae.
**** Dropping the last letter is important, because what you are trying to do is make standard words in the dictionary non-existent. i know this won't work with the letter S as it would revert the name to the singular, we are not all perfect lol ****
$%M@#

and now add the last symbol of your formulae: $%M@#^ = 95% strong, from using my dog's name Max, and not a mile long.

any generic name used needs to have the vowels changed for symbols like a=@ e=3 i=1 o=0 u=^

so to login to 20,000 sites without having to remember the password use this, but only the first 6 letters of the domain name.

take boonex.com
**** i use 6 letters from the domain, but if the domain has only 4 letters then add 2 numbers after the 1st 2 symbols, this ensures you can still drop the last letter of the name. see below ****
boonex.com would be, using this formulae: $%B00n3#^ 100% strong
expertzzz.com would be: $%Exp3r#^ 100% strong
*** you don't have to capitalise the 1st letter, i did it here to demonstrate, you can capitalise the 3rd letter, so boonex.com would be: $%b0On3#^ 100% strong, and expertzzz.com would be $%exP3r#^ 100% strong ***
*** for sites with less than 6 letters in the name use numbers you can remember, like 1982 for my year of birth (don't use that, it's just an example). add the numbers after the first 2 symbols so we can still drop the last letter ***
msn.com would be $%198Ms#^
bebo.com would be $%19B3b#^

! " £ $ % ^ & * ( ) _ + - = < . , : ; @ ' ~ # [ { ] } \ | ` = 30 symbols. choose any 4 to make 2 pairs.

as pointed out in a comment, if the webmaster does not hash your passwords and keeps them in his database in the clear, they only have the one for their own site so can not use it to get to your other accounts like hotmail, because he also has your email address you supplied.

buzz_lightyear (positive) | 313 days ago
Hi Sammy, nice post, however i think that your passwords are very short for nowadays computers and password generators. In general, longer passwords mean much better security (even without special characters). So as a suggestion, i'd extend your pass formula with some constant suffix/prefix (8 alphanum characters), which would then hopefully make it 100% attack proof. Anyway, log files and some nice ban utility on your server are also good to have. I use fail2ban on my servers and it works very nicely... have a nice day..

sammie | 312 days ago
hi buzz, re-read it, you'll see i recommend using 6 letters from the domain + 4 symbols, dropping the last letter of the domain = 9 in all.

buzz_lightyear (positive) | 312 days ago
hi sammie, i did :) 9 sounds good. i use 16 myself :P here's a pass strength meter, if someone wants to check his password: http://www.passwordmeter.com/

theguypc (positive) | 312 days ago
I just use keypass. It's set to create a 17 character password & it shows the strength of the password automatically. No need to check it online - which I would never do anyways. Keypass is free & it is beyond awesome IMHO. Great post though Sammie. PC

stech786 (positive) | 311 days ago
Hey sammie, Before you post how to join 20,000 sites, can you PLEASE teach us how to protect our site from these attacks, cheers :-)

ladybugn (positive) | 294 days ago
coo. going to go change my unity password. Now if I can just get that "welcome admin" off my front pages to stop inviting visitors to come try to log into my admin panel...

stophi | 285 days ago
But if someone knows your rules, the password isn't secure anymore, is it? If you register at a malicious site, then the admin knows the first two and the last two characters of all your passwords. So then the passwords actually only have the strength of a password with five letters. Or if someone knows that you are using some leetspeak presentation of the domain name in letters 2 to 7 and only special characters in letters 1, 2, 8, 9, then he can also exclude many possible passwords.

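The scheme from sammie's repost and the search-space arithmetic behind stophi's objection, as an added example (not code from the original post or from either commenter). It derives the post's own sample passwords with the rule as written (2 symbols, first 6 letters of the domain with the first capitalised and vowels swapped, last letter dropped, 2 symbols; short names padded with digits after the prefix) and then counts how many candidates remain for someone who knows the rule: only the 4 symbols, drawn from the 30 the post lists, are unknown, which is exactly the post's "810,000 formulae". The function names, the 1982 digit pad and the 92-character alphabet used for the random comparison are assumptions.

```python
"""Added example (not from the original post or its author): the password
formula described in sammie's repost, implemented as a function, next to the
search-space arithmetic behind stophi's objection that the scheme is only as
strong as the parts an attacker does not already know.  The helper names,
the 1982 digit pad and the 92-character alphabet are assumptions."""
import math

# The 30 symbols listed in the post; the post's "810,000 formulae" is 30**4.
SYMBOLS = "!\"£$%^&*()_+-=<.,:;@'~#[{]}\\|`"
VOWEL_MAP = {"a": "@", "e": "3", "i": "1", "o": "0", "u": "^"}  # a=@ e=3 i=1 o=0 u=^
ALPHANUM = 26 + 26 + 10  # letters and digits available to a random password


def _name_and_pad(domain, digits):
    """First label of the domain (at most 6 letters) and the digit pad used
    when the label is shorter than 6, so the core is always 5 characters."""
    name = domain.lower().split(".")[0][:6]
    pad = digits[: max(0, 6 - len(name))]
    return name, pad


def formula_password(domain, prefix="$%", suffix="#^", digits="1982"):
    """Derive a site password the way the post describes: 2 symbols, the
    first 6 letters of the domain with the first letter capitalised and the
    vowels swapped per VOWEL_MAP, the last of those letters dropped, then
    2 more symbols.  Short names get memorable digits after the prefix."""
    name, pad = _name_and_pad(domain, digits)
    name = name[0].upper() + name[1:]  # the capital stays a letter, as in $%Exp3r#^
    core = "".join(VOWEL_MAP.get(ch, ch) for ch in name)[:-1]  # drop the last letter
    return prefix + pad + core + suffix


def scheme_aware_candidates(domain, digits="1982"):
    """Passwords someone who knows the rule has to try for one site: only
    the 4 symbol choices (and any digit pad) are unknown to them."""
    _, pad = _name_and_pad(domain, digits)
    return len(SYMBOLS) ** 4 * 10 ** len(pad)


def random_candidates(length, alphabet_size=len(SYMBOLS) + ALPHANUM):
    """Passwords of the same length drawn uniformly from symbols + alphanumerics."""
    return alphabet_size ** length


def bits(candidates):
    """Search space expressed as bits of entropy."""
    return math.log2(candidates)


if __name__ == "__main__":
    for site in ("boonex.com", "expertzzz.com", "msn.com", "bebo.com"):
        pw = formula_password(site)
        print(f"{site:14} {pw:12} rule known: {bits(scheme_aware_candidates(site)):5.1f} bits, "
              f"random {len(pw)}-char: {bits(random_candidates(len(pw))):5.1f} bits")
```

The two numbers side by side are the point of stophi's comment: a 9-character string from a 92-character alphabet is about 59 bits, while the same string from a known rule is under 20 bits per site (plus a few more for the digit pad on short names), because everything except the four symbols is fixed by the domain. The post's capitalise-the-3rd-letter variant is not modelled, since its own two examples treat the vowel swap differently.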
sammie | 284 days ago
Well the 1st thing to remember is this: it's for you to make your own formulae, the post is to get you thinking, not to follow everything i have posted. you see i used 4 symbols, 2 at the start, 2 at the end; you can use 3 or 4 at the start and 2, 3, or 4 at the end, or in the middle. the post is to get you thinking of how to make your passwords for you, so you can use them and remember them. i used very basic and simplistic demos; i made people think, now they can go away and think of the other ways to apply a formulae (i am not doing all the thinking for you, nor am i going to post a 3 mile long post showing every way you can apply this). again, one webmaster with one password has nothing to compare it with to see it's a formulae. again, the passwords today should in most cases be in MD5 hashed code, so safe as long as you do not use one to make your password, or a strength meter as mentioned above.

stophi | 283 days ago
Yeah, I mean, the idea is great. I think I will adopt some version of it for my "not so important" passwords. But I will continue using unique, random passwords for important things like banking, webserver, PGP and so on. Because if you are using the domain name in your formula, it is fairly easy for a human being to guess the pattern, I think. And of course, reliable admins will hash the password right away. So nobody would ever see the plain password. But you never know if they are reliable. Okay, sounds a bit paranoid. Never mind.

earpick | 273 days ago
That's all dandy but as soon as one of your passwords gets uncovered I think there's going to be a whole lot of personal data theft all at once. There is nothing wrong with generating a completely random password for something like a hosting account and storing it somewhere safe, such as your wallet. If you're not bringing your wallet around with you, I think you should be afraid for more than your email. With hosting accounts in particular, you could always set up a set of SSH passphrase-protected keys that you can keep reusing. With a fairly long passphrase even if somebody gets onto your computer and steals the keys, there is little chance they will be able to guess the passphrase unless it's a saying you like to rub into your friends' and colleagues' ears. In which case nothing can stop social engineering.

ZopfWare (positive) | 246 days ago
Good article and tips. I only scanned through some of it but I noticed that a security measure I use didn't appear to be mentioned. I run Linux boxes and I find that, when properly configured, DenyHosts (a python script) is great to automatically scan logs and lock out ssh and other attempts on the fly. You may already be able to install it by apt or yum depending on your distro.

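The "3 strikes you're out" log watch richardpitt describes, which is the same job buzz_lightyear's fail2ban and ZopfWare's DenyHosts do, as an added example in Python (not any commenter's setup, and not the code of log-guardian, fail2ban or DenyHosts). It counts failed ssh and ftp logins per source address in constructed "secure"-log lines, names the addresses that hit the strike limit, and returns the iptables rules that would block them. The strike limit, the rule text and the 12-hour reset mentioned in the usage note are assumptions taken from the comment.

```python
"""Added example (not from any commenter's setup): the 'three strikes' log
watch described by richardpitt, the same job fail2ban (buzz_lightyear) and
DenyHosts (ZopfWare) do.  The log lines are constructed samples; the
strike limit, the 12-hour reset and the iptables rule text are assumptions."""
import re
from collections import Counter

# Constructed sample in the style of a Linux "secure" log: sshd failures, one
# successful key login, and a PAM failure logged by vsftpd.  Addresses are
# from documentation ranges.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:40 host sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Mar  3 10:03:02 host sshd[2115]: Failed password for invalid user test from 198.51.100.4 port 33010 ssh2
Mar  3 10:03:05 host vsftpd[2120]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=198.51.100.4
"""

IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .+ from " + IPV4),
    re.compile(r"pam_unix\(\w+:auth\): authentication failure;.*\brhost=" + IPV4),
]


def count_failures(log_text):
    """Count failed logins per source address.  Lines matching no failure
    pattern (successful logins, unrelated daemons) are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group("ip")] += 1
                break
    return counts


def offenders(counts, strikes=3):
    """Addresses that reached the strike limit ("3 strikes you're out")."""
    return sorted(ip for ip, n in counts.items() if n >= strikes)


def iptables_rules(ips, chain="INPUT"):
    """Shell commands that would drop further packets from each offender.
    They are returned as strings, not executed."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_SECURE_LOG)
    print("failures per IP:", dict(failures))
    for rule in iptables_rules(offenders(failures)):
        print(rule)
```

On the sample, 203.0.113.7 reaches three failures and is the only address that gets a rule; 198.51.100.4 has two (one ssh, one ftp via PAM) and is left alone. Syslog lines carry no year, so this example ignores timestamps; the tools named in the thread count failures within a time window and expire bans, and the "reset every 12 hours" in richardpitt's setup would be a cron job flushing the rules this function returns.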
DamnIt (positive) | 212 days ago
Awesome Sammee, but any opinions on keypass and/or roboform password generators?

Robbie | 197 days ago
Finally we have tracked down how my server was being hacked into. The attacker was able to upload a file called zq.php to "/var/www/html/roundcubemail-0.1.1/logs/zq.php" and it was executed at http://seekqa.co.nz/roundcube/logs/zq.php. I have disabled that file. This is a bad one

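A check for the placement Robbie reports, a script file sitting in a logs/ directory, as an added example (not Robbie's server, not roundcube code). It walks a webroot and flags script files whose path passes through a directory that should only ever hold data; it builds a throw-away demo tree mirroring the path in the comment so it runs offline. The list of data-only directory names and script extensions, and the helper names, are assumptions.

```python
"""Added example (not from Robbie's server or the roundcube project): a check
that flags script files sitting in directories that should only hold data,
the kind of placement Robbie reports (a .php file under a logs/ directory).
It builds a throw-away demo webroot so it runs offline; the directory names
and extensions it treats as suspicious are assumptions."""
import os
import tempfile

DATA_DIRS = {"logs", "log", "uploads", "tmp", "temp", "cache"}  # assumed data-only directories
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def find_scripts_in_data_dirs(webroot, data_dirs=DATA_DIRS, script_exts=SCRIPT_EXTS):
    """Walk `webroot` and return webroot-relative paths of script files whose
    path passes through a data-only directory.  Nothing in such a directory
    should ever need to be executed by the web server."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        if not parts & data_dirs:
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in script_exts:
                hits.append(os.path.join(rel_dir, name).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_webroot():
    """Create a temporary tree mirroring the layout in Robbie's comment: a
    roundcube install whose logs/ directory contains zq.php (constructed,
    empty file), alongside legitimate application files and user data."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = [
        "roundcubemail-0.1.1/index.php",    # legitimate application code
        "roundcubemail-0.1.1/logs/errors",  # an ordinary log file
        "roundcubemail-0.1.1/logs/zq.php",  # the path named in the comment
        "uploads/avatar.png",               # user data, not a script
        "uploads/.htaccess",                # dotfile without a script extension
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("")  # contents are irrelevant to a placement check
    return root


def demo():
    """Run the check against the demo tree and return what it flags."""
    return find_scripts_in_data_dirs(build_demo_webroot())


if __name__ == "__main__":
    for hit in demo():
        print("script in data directory:", hit)
```

Run it from cron against the real webroot and alert on any output. The companion control is telling the web server not to execute scripts in those directories at all (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for logs/ and uploads/), since removing one file, as Robbie did, leaves the path by which it was uploaded open.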