Linux Mint Forums Back After Double Attack
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
Re: Linux Mint Forums Back After Double Attack
Do I have to do this CAPTCHA thing or whatever every time I log in here? I updated my password, stronger than it was before.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Linux Mint Forums Back After Double Attack
Hi Linux.Blue. Clem mentioned that earlier--it's just a temporary thing while the forum gets straightened out.
It's annoying, I know, but we're gonna have to bear with it for a bit yet!
Re: Linux Mint Forums Back After Double Attack
The captcha thingy is a known issue - it is getting some attention, though.
- be somewhat patient.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!
Re: Linux Mint Forums Back After Double Attack
Since the attack I keep receiving spam in the e-mail associated with this forum, even though I've changed all my passwords. I hope it will stop one day. Does anyone have other solution(s) for that?
Re: Linux Mint Forums Back After Double Attack
What tells you that those e-mails are associated with this forum?
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!
Re: Linux Mint Forums Back After Double Attack
Most likely hermes333 means the e-mail address is associated with this forum, not the spam.
It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...
I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Re: Linux Mint Forums Back After Double Attack
badSparks wrote: Yet another reason why phpBB3 has lax security.
What is another reason? Do you have anything to back up that statement? phpBB's security record shows quite the contrary.
badSparks wrote: It should be key based logins for admins, not passwords.
I also suggest putting phpBB3 under revision control, that way, the next time something happens, you have a history of what is going on, just do commits on every upgrade.
I hope you're not seriously suggesting public key authentication for a web interface. I'm also not sure what revision control is supposed to help with.
badSparks wrote: Oh, also, if you want, you can force reactivation on ALL accounts.
(Make a backup of your DB first, in case you screw something up!) In your phpMyAdmin go to the SQL tab, and do that command.
Code:
UPDATE `YOUR_DATABASE_NAME_HERE`.`phpbb_users` SET `user_type` = '1' WHERE `phpbb_users`.`user_id` != 2 AND user_type != 2;
user #2 = founder (well, should be, so that account won't be touched.)
https://wiki.phpbb.com/Table.phpbb_users for details on what user_type = 1 does. (it basically forces reactivation)
I think the Linux Mint team is more than capable of knowing how to do this. Your SQL query will actually just change every user's account to inactive but will not inform people of them having to reactivate or pick a new password.
badSparks wrote: Yeah, that isn't perfect, but, phpBB3 really blows chunks concerning security issues. They should have an option to force all accounts to reactivate easier.
I'd very much like you to back that up with actual evidence. phpBB 3 has a very good security record, especially when compared to other competitors (also commercial ones).
grizzler wrote: Most likely hermes333 means the e-mail address is associated with this forum, not the spam.
It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...
I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Changing your password after the hack will make sure that nobody can login to your account if they were to be able to recover your previous password from the database dump using bruteforcing. It will also ensure that your password is newly hashed with an even stronger hashing algorithm.
Re: Linux Mint Forums Back After Double Attack
Regarding spam by mails:
If your e-mail provider allows you to create aliases for the account, do this and use the alias instead. Tell your mail partners the new address. After some time there should only be spam in the old alias and you can block it completely.
If you use a free-mailer, create a new account and do the same.
Re: Linux Mint Forums Back After Double Attack
I use StartMail, a private and "not free" e-mail.
Re: Linux Mint Forums Back After Double Attack
MarcAlexander wrote:
grizzler wrote: Most likely hermes333 means the e-mail address is associated with this forum, not the spam.
It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...
I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Changing your password after the hack will make sure that nobody can login to your account if they were to be able to recover your previous password from the database dump using bruteforcing. It will also ensure that your password is newly hashed with an even stronger hashing algorithm.
That response has zero relevance to my reply, which was about hermes333 receiving spam and apparently assuming that changing his password would have prevented that.
Re: Linux Mint Forums Back After Double Attack
Well, that didn't take very long. I got a notice from my ID monitor that my email address (and username associated only with this list) is for sale on the dark web. SpamAssassin is gonna be busy.
Re: Linux Mint Forums Back After Double Attack
Hi all, I thought it appropriate to reply with this. I have Lifelock and about an hour ago I got an email from them saying: "During our monitoring of your identity information, LifeLock detected the following event:"
Date Of Birth: **/**/1965
Email: *@gmail.com
Email User Name: *a**e****
Email Password: Exposed Online
Type of Compromise: breach
Where your data was found: web page
Breached Site: forums.linuxmint.com
Password Status: hashed+salt
The info from the breach is in the wind. I use a different password for 90% of the sites I access and use a password manager program to keep track of them. I'm confident that the info that was accessed is useless since I changed the password here.
-
- Level 4
- Posts: 315
- Joined: Wed Dec 02, 2009 5:02 pm
Re: Linux Mint Forums Back After Double Attack
Is there no way to have the email addresses also encrypted?
Spam is how phishing spreads.
Also, they took my old Ubuntu forums password... they got hacked as well not that long ago.
By the way, any chance Mint could use Ubuntu One SSO as well? Would that make it safer?
-
- Level 2
- Posts: 61
- Joined: Tue Oct 12, 2010 9:06 am
- Location: Arizona
Re: Linux Mint Forums Back After Double Attack
Reddog1 wrote:Well, that didn't take very long. I got a notice from my ID monitor that my email address (and username associated only with this list) is for sale on the dark web. SpamAssassin is gonna be busy.
I too was told my email address associated with the username here was for sale on the dark web. I had already changed my password for here before I got that message. But to play safe I did again and also spent a lot of time changing a group of others.
Linux Mint, Mageia
Lenovo IdeaCentre
ASUS A53SD-TS72 Intel Core i7-2670QM 2.20GHz, 8GB DDR3, 750GB HDD, 2GB NVIDIA GeForce GT 610M, Mint LMDE2 64 bit.
-
- Level 6
- Posts: 1491
- Joined: Fri Feb 22, 2013 5:18 pm
- Location: United States
Re: Linux Mint Forums Back After Double Attack
killer de bug wrote:
Spearmint2 wrote: (or we could do 2-3 per second if the server and attacker were on a fast connect perhaps)
I think you can do much more than this. Additionally you need to consider that the attacker may use several computers to make the attempts.
In the case of Linux Mint, where the database is available on the HD of the hacker, a few thousand attempts every second are not unlikely.
But I agree that with a 20-digit password, you are safe for several months. Nevertheless, my gmail password is 25 digits.
He also postulated that his password would be the last combination (out of all the possibilities) that would be guessed, which seems to be about as realistic as thinking that your name will be the last one in the phone book (assuming that your last name DOESN'T begin with "Zyz," lol).
To the person who mentioned using the same password for all logins, with only two or three additional characters added to differentiate each: Congratulations! You are effectively using two- or three-character passwords. Might want to fix that. Otherwise, if anyone ever decides to hack your passwords, they'll probably end up wasting the services of computerized hacking tools/software... when a four-year-old could simply guess it in a couple of minutes.
Regards,
MDM
Mint 18 Xfce 4.12.
If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
Re: Linux Mint Forums Back After Double Attack
For those that have problems thinking up passwords, and don't want to use a password manager; Linux already thought of this:
Type the following into the terminal
apg -s -a 1 -m 30 -n 30
You'll get 30 unique 30-character passwords. How you use these passwords is up to you (maybe encrypt a list of passwords - use another file as a coded reference to each password in the list - store both files on a usb stick - or...)
Re: Linux Mint Forums Back After Double Attack
MtnDewManiac wrote: He also postulated that his password would be the last combination (out of all the possibilities) that would be guessed, which seems to be about as realistic as thinking that your name will be the last one in the phone book (assuming that your last name DOESN'T begin with "Zyz," lol).
A good password cracker is probably randomizing the attempts.
I have been wondering for a few days whether it's possible to guess the length of a password by looking at the hash sum.
Meaning: if I have a 25-digit password, does the hacker know it? Or does he have to try 12, 15, 20 digit passwords also?
Does the hash sum reflect the letters used? What I mean is: if my password is AAAAA, would the hash sum show a pattern? The same if it's 121212. Or does the hash consider the position of the letter and lead to a different result for the first A and for the last one?
The real question is: would a 50-digit password where you always use the same letter be more powerful than an 8 random digit password?
Re: Linux Mint Forums Back After Double Attack
killer de bug wrote: I have been wondering for a few days whether it's possible to guess the length of a password by looking at the hash sum.
Meaning: if I have a 25-digit password, does the hacker know it? Or does he have to try 12, 15, 20 digit passwords also?
That would be the end for that hash.
You can check this yourself: install gtkhash - or nemo-gtkhash, which does the same, but as a properties page of nemo - and check the hash sums (you have about two dozen hashes there), and compare a zero-byte file (e.g. gksu.lock in your home) with an ISO image (about 1.5 GB): the length of the sum is the same for both files, even for a very weak one such as Adler or crc32. That means that even a legitimate admin shouldn't be able to tell if my password has 8 or 30 characters.
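The two properties discussed above (a digest has a fixed length whatever the input, and a one-character change gives an unrelated digest) can be checked in a few lines of Python instead of with gtkhash. The following is an added example, not code from the thread or from the phpBB project; it also shows why the "hashed+salt" status in the LifeLock notice matters, by hashing a constructed set of three accounts (the names and passwords are made up) first without and then with a per-account salt. It uses only the standard library's hashlib and hmac.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from the thread: three accounts, two of which
# happen to share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "a" * 30}


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data` under a hashlib algorithm (sha256 by default)."""
    return hashlib.new(algo, data).hexdigest()


def digest_lengths(inputs, algo: str = "sha256") -> dict:
    """Map each input string to the length of its hex digest.

    A hash function has a fixed output size, so an 8-character password, a
    30-character one, an empty file and a multi-gigabyte ISO all produce
    digests of the same length: the digest carries no information about the
    length of the input."""
    return {s: len(digest_hex(s.encode(), algo)) for s in inputs}


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions that differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored_hex: str) -> bool:
    """Check a candidate password against a stored salt+hash in constant time."""
    return hmac.compare_digest(pbkdf2_hex(password, salt), stored_hex)


def group_by_hash(users: dict, salted: bool) -> dict:
    """Group usernames by the hash stored for their password.

    Unsalted: accounts with the same password get the same hash, so a leaked
    table shows at a glance who shares a password, and one recovered hash
    covers all of them.  Salted: a random per-account salt makes every stored
    value distinct, even for identical passwords."""
    groups = {}
    for user, pw in users.items():
        stored = pbkdf2_hex(pw, os.urandom(16)) if salted else digest_hex(pw.encode())
        groups.setdefault(stored, []).append(user)
    return groups


if __name__ == "__main__":
    print(digest_lengths(["a" * 8, "a" * 30, "121212"]))
    print(differing_bits(digest_hex(b"AAAAA"), digest_hex(b"AAAAAA")), "of 256 bits differ")
    for salted in (False, True):
        print("salted" if salted else "unsalted",
              list(group_by_hash(SAMPLE_USERS, salted).values()))
```

Adding one more "A" flips roughly half of the 256 digest bits, which is the avalanche behaviour that keeps AAAAA and 121212 from producing any visible pattern; the unsalted run groups alice and bob under one hash, the salted run does not.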
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Linux Mint Forums Back After Double Attack
I know it doesn't work for wpa-handshake files. If you could guess the password length from the hash, my pen testing would have been a lot easier...
(At least, no way that I'm aware of.)
Re: Linux Mint Forums Back After Double Attack
Cosmo. wrote: That would be the end for that hash.
[...] That means that even a legitimate admin shouldn't be able to tell if my password has 8 or 30 characters.
Ok! Thanks!
So theoretically, this password is really strong, because you would have to test shorter combinations before thinking of such a long (stupid) password:
Code:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
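The thread raises two questions that a small estimator can put numbers on: killer de bug's "would a 50-digit password using the same letter be more powerful than 8 random digits?", and the earlier comparison of 2-3 guesses per second against a live login with thousands per second against a leaked table. The script below is an added example, not code from the thread or from any tool it mentions. It scores a password by the cheaper of two assumptions (fully random characters, or a short unit repeated to fill the length) and converts the result into worst-case time at the two guess rates quoted in the thread; the candidate passwords in the main block are constructed for illustration.

```python
import math
import string

# Guess rates quoted in the thread: a few per second against a live login form,
# thousands per second once the hash table is on the attacker's disk.
ONLINE_RATE = 3
OFFLINE_RATE = 5_000


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that `pw` draws from."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
    ]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    return max(size, 1)


def estimate_bits(pw: str):
    """Guesswork in bits, with the structure the estimate assumes.

    A random password costs len * log2(charset).  A short unit repeated to
    fill the length costs only the unit plus the choice of length, because a
    guesser who tries repeated patterns before arbitrary strings reaches it
    early.  The function returns the cheaper of the two, i.e. the bound a
    defender should assume."""
    n, cs = len(pw), charset_size(pw)
    if n == 0:
        return 0.0, "empty"
    bits, structure = n * math.log2(cs), "random"
    for k in range(1, n // 2 + 1):
        if n % k == 0 and pw == pw[:k] * (n // k):
            bits = min(bits, k * math.log2(cs) + math.log2(n))
            structure = f"unit of {k} repeated {n // k} times"
            break
    return bits, structure


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of the estimated size."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Constructed candidates, not passwords from the thread's users.
    for pw in ["a" * 50, "121212", "kZ7#qL2p", "Mint-2016!x", "aaaaaaaa"]:
        bits, structure = estimate_bits(pw)
        print(f"{pw[:12]:<12} {bits:6.1f} bits  ({structure}); "
              f"online {seconds_to_exhaust(bits, ONLINE_RATE):.0f} s, "
              f"offline {seconds_to_exhaust(bits, OFFLINE_RATE):.0f} s")
```

Under this model the 50-letter single-character password scores about 10 bits (choose the letter, choose the length) while 8 random characters from the full printable set score about 52, so length only helps when it comes with randomness; the offline rate is what makes a leaked table dangerous, which is why a rehash with a slow salted algorithm and a password change after the dump both matter.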