rejetto forum

HACKERS


Slyke

  • Guest
OK! I don't know how many people will believe this. Someone got past the username & password on HFS. He gave me this message:

"You could just take it down, could be safer. Oh and tell rejetto, he really does want to use a hash or at the very least some other scheme compared to the one he has now for password 'encryption'.

Maybe he will listen.

As for this, no malicious intent on my part.
No harm done to worry about... but if someone can access the SAM files for Windows it could open up everything.
Just play it safe in the future. ^_^;

Enjoyed the company."

No matter how many times I changed the password he could get through. This is pretty scary because anyone can get access to your hard drives.


Offline ~GeeS~

  • Tireless poster
  • Posts: 269
  • "The web was made for sharing..."
First of all, be happy, at least you got a warning.
Secondly, I hope you saved your logs, just in case.
As I mentioned in some of my earlier posts, with Opera you can endlessly try to guess the password without being kicked. If your pwd was weak, it's easy to find out indeed.
I don't know the exact details of the authentication in HFS, but as long as the data transfer isn't SSL, network traffic can be sniffed, intercepted and the hash decrypted. So you should not try to hide your top secret stuff on your server or share your system files and give access to your SAM files.
But legally, even with a weak protection, the intruder is breaking the law... and sometimes it can be useful to have a weak protection; like Guest:Guest.  ;)
Just my 2 cents.

Edit: And running a server requires some basic protections. Send him to Guest:Guest@hfstest.ath.cx, I'm curious  :)
And some questions:
What kind of username:passwords did you use?
Did you use them also to access other websites?
Where exactly was the message placed?
Did you give access to your hfs.ini or hfs.vfs files?
Could you have been trojanned and keylogged?
~GeeS~


Anonymous

  • Guest
Slyke

How did he give you that message?  Where did you read it?


GeeS

  • Guest
Don't panic!

I just looked into the source of HFS. The encoding can be found in hslib.pas and is Base64 encoding. (http://en.wikipedia.org/wiki/Base64)
The user:pwd is stored in hfs.ini (for example mine is: accounts=login:R3Vlc3Q6R3Vlc3Q=|enabled:yes|no-limits:no;) This base64 string can be resolved easily (http://www.securitystats.com/tools/base64.php) to Guest:Guest, it's only for testing, duh.

But I don't think this is Rejetto's problem.

In the first instance the user has to safeguard his password and password string. This is in most cases the weakest part of the chain.
A sniffing-free communication line between browser and server isn't always available and https isn't (yet) available for HFS.
At least users should protect their computers and (W)LANs against any kind of unauthorized access (www.google.com).

There are many ways to skin a cat ...
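A worked illustration of GeeS's point above, added here and not part of the thread or of HFS itself: a small Python parser for the `accounts=` line format quoted from hfs.ini, which turns the base64 `login` field back into user:password with no key at all, next to the salted-hash scheme the quoted message asks for (PBKDF2 here, an assumed stand-in, not anything HFS does). The record layout is inferred only from the single sample line in the post.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the accounts= line GeeS quoted from his own hfs.ini.
SAMPLE_INI_LINE = "accounts=login:R3Vlc3Q6R3Vlc3Q=|enabled:yes|no-limits:no;"


def parse_accounts_line(line):
    """Split an hfs.ini accounts= line into one dict per account.

    Records are ';'-separated, fields '|'-separated, each field 'key:value'.
    The 'login' field is base64 of 'user:password'; decoding it needs no key,
    which is the whole point: base64 is encoding, not encryption."""
    if not line.startswith("accounts="):
        raise ValueError("not an accounts= line")
    accounts = []
    for record in line[len("accounts="):].split(";"):
        if not record:
            continue
        fields = dict(f.split(":", 1) for f in record.split("|"))
        user, _, password = base64.b64decode(fields["login"]).decode().partition(":")
        fields["user"], fields["password"] = user, password
        accounts.append(fields)
    return accounts


def make_password_record(password, salt=None, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256 record (assumed scheme, not what HFS does).
    Unlike base64 it cannot be turned back into the password; the server
    verifies by recomputing the digest with the stored salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_password(record, candidate, rounds=100_000):
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for acct in parse_accounts_line(SAMPLE_INI_LINE):
        print(acct["user"], acct["password"], acct["enabled"])  # Guest Guest yes
    rec = make_password_record("Guest")
    print(verify_password(rec, "Guest"), verify_password(rec, "guest"))  # True False
```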


Offline rejetto

  • Administrator
  • Tireless poster
  • Posts: 13523
(1)
HFS can't access the SAM file... even the administrator can't, so it has apparently nothing to do with HFS.
I don't like when someone tells things just to shock.

(2)
HFS has no password encryption. So... what encryption should I change?
I don't like when someone tells things just to shock.
This may sound strange to non-technicians, but actually even Apache does not encrypt passwords when you are connected via http:// (most of the time).
Look at this forum, look at other forums... passwords are not encrypted.

(3)
HFS does not share your hard drives. It does only if you told it to do so. Differently from "windows file sharing", most HFS users don't share whole drives.

(2bis)
If he was talking about on-disk password encryption: if someone can read your on-disk passwords, then he is ALREADY IN, by some other door.
base64 is not encryption, it is a non-human-readable encoding, just like asterisks; they are there just to protect passwords from human eyes, but software can.

and... I wonder why he wrote to you and not to me  :roll:


Slyke

  • Guest
My old passwords were numbers and letters; since I'm no longer using them I'll post them here. Drive123 JmDYLyi7xr8M and then JxrcK59H and then Rh4vD2Vy and the username was just Tails and then Slyke. Yes, I did save my logs, it was just as if I had typed the password in myself. Yeah, I think that I had a keylogger on maybe. When I activated the firewalls he already had access to the place where I had my server located anyway. So I changed my pass, but because he downloaded the file system again after I had changed it (and moved it), he got my password again. At the time I had never figured this out so I was freaking out, lol. But yeah, he told me how he did it. He had access to all files on the hard drive and he said that another hacker could have taken the SAM file. I shared my hard drives myself, like I enabled HFS to share them (with logins). We talked by making new files and uploading them. He said that he was just lucky to find the right server.


Slyke

  • Guest
Sorry for double posting, but I think a way to stop them from getting the password even if they find a decrypter would be to use the password as the encryption, so that the encryption changes with each different password and they would have to do trial and error to get through. Also a feature that can ban IPs after X amount of tries.


Anonymous

  • Guest
OMG
99% of all computer problems are... sitting in front of it! :roll:

The only weakness I've found after many tests is the fact that the login for password protected pages does not give an "Unauthorized" after 3 false attempts with the Opera browser. I've checked the source code, but could not find a fault. In order to prohibit brute force attacks or guessing, there should be a counter which blocks the IP for some time after some false attempts in a certain time interval. (BTW many webservers still have this behaviour, maybe it's part of the protocol. The fact that IE behaves as expected could be a "feature" of IE. I don't use FF, so didn't test yet.)

I will try to compile a short help page about basic security measures on running a server like HFS. "But most people don't read?"  :roll:


Zor

  • Guest
Slyke

Sounds to me like you don't know what you were doing and created your own vulnerabilities by not properly securing your server and your system in general against unauthorized access. In addition, it appears to me that this hacker was a "friend" of yours or "someone you knew" who you had checking things out. No hacker would have "conversations" with the system operator of the site they hacked into describing what they did to get in like you said! You might have even given him remote access to begin with or were using keyloggers.

Your concerns would be more credible if you would have sent them "privately" direct to rejetto via PM rather than try to shock the forum into thinking HFS was as vulnerable as you say it is - which it isn't.

Go "play" with your computer but learn how to secure it first.


Slyke

  • Guest
What are you talking about? I already said it was a keylogger from a program that I probably downloaded. I have a router and that's the firewall I use; I have to manually open up a port. I have 1 spare for another server that I use which wasn't on at that time and that's probably how he got in. You may be right and that was a friend, but it didn't sound like anyone I knew. As for posting it here, I freaked out. Goodbye.


Anonymous

  • Guest
I've been running HFS for years on a hacker server and never had a breach from some of the best hackers in the US.. Believe me they have tried.. I think you created the breach and/or you're full of shit! HFS will only give access to the folders or drive root you give it access to with a password.. So if you gave a pass to your root you're a dumb ass anyway..  What a dweeb..

Rejetto.. This dude is full of SHIT!! Fermented or otherwise..


Offline rejetto

  • Administrator
  • Tireless poster
  • Posts: 13523
I often wondered if HFS is secure enough, and it's heartening to know that out there someone else made some tests and all went ok


Anonymous

  • Guest
how does one "secure their server" ???


Offline rejetto

  • Administrator
  • Tireless poster
  • Posts: 13523
HFS is known to be secure out of the box.
On how to secure other software you run, you should better check out a security tutorial. I would point you to one, but I know none.