OMG, HDBits has been hacked

**redcorvette** · 08-01-2007, 06:14 AM

WTF..i post some funny pics there and i get disabled...i think the person who hacked HDBits is better than the fucking staff there.

LOL...bitches and assholes...

**akkk** · 08-01-2007, 07:57 AM

I just deleted my account at that stinky site, should have done it a lot earlier...

**KSA** · 08-01-2007, 09:52 AM

LOL

**4ndy** · 08-01-2007, 09:53 AM

yea that site sucks

**Patriot foreve** · 08-01-2007, 10:05 AM

Some members Comments From HDbits Forums

everyone needs to chill out. I watched the 'hack' live.

Basically, someone at bitmetv got on the site used valerio's account, deleted all the ctrlhd, deleted the staff... etc etc... he replied a few times on the forum, made a new poll/news on the page, PM'ed everyone... That's about it.

*****************************

early today did the site go all f*ed up and some hateful message towards Valerio get posted, b/c heres the deal, if my password is in the database unencrypted i would like to know. Maybe i am just crazy, but i swore that there was something about hacking hd sites and the other sites that i may or may not use with the information a mod/admin could get?

truth or bullshit?

e: i also had a mass pm about this, but it's gone???????

********************************************

someone with skill could easily find the passwords even if their encrypted...

they must have had db access, which means they could have pulled off all the 'secret' , username and 'joined' fields (if i remember correctly this is what the passhash is made of though i may be wrong) to create a rainbow table (for each row) and then brute force it against the passhash (which they also obviously got ) to retrieve the actual password... it is time consuming but it is very possible if they really wanted them...

if it was unencrypted then they obviously did not have to do anything. Only the server logs can show what they did, and if their good, there wont even be any logs.

**********************************************************
Yaxyo wrote:

Passwords were md5 hashed or not?

nwo (Moderator):

Yes.
But as this (and a shitload of other) torrent site is based on tbsource, it has certain problems.
One is: md5 hash of passwd = pass in cookie file.

So if some1 were to gain access to the database, he can just grab a hashed password from
a user, change his cookie file, and he's logged in under that username.

This has now been changed: pass in cookie file is now different than md5 hashed password in database.

as you can see most of the comments is about that someone from bitmetv hacked hdbits as a revenege for some incident before

some claim that the passes were unencrypted while one of the mods said that it is encrypted but the TB source had major problems

The public announcement says that everything is ok and advise members to change passes but not much details

I hope the guys at HDBits recover quickly ,it's one of the best HD Trackers out there and it was sad to see them got hacked

**CyDealer** · 08-01-2007, 12:01 PM

Valerio wrote:

Credits are still there on the faq page.
I don't use sites like that because most of the 'mods' are made by noobs .... and are almost always the things that are exploited to do things like this (case and point, he used a page that was a mod that either came with brokenstones (brokenstones being tbsource + some mods made by noobs) or dsf added).
I actually made the site more secure last night (should've done this ages ago really). You now can't get on someones account without actually knowing the password. You can sql inject al you like (i really hope there arn't any more, but you never know) but it won't help you create a cookie. I added ages ago a thing to make sure you can only attempt to login 5 times .. so no chance of brute forcing passwords either.

Good job Valerio. You really managed to secure the site I see LOL

You my friend is the n00b cause your site was 0wned YET AGAIN. Oh and by the way, you should check your ssh logs and change your root password. Oh and the salting you added sucks

NOTICE: This is a mass pm, it has been sent to everyone

MASS email just sent out at HDBits