Someone is selling stolen account passwords!

SONOFSATAN
Member
 
Posts: 45
Joined: Mon Dec 07, 2015 16:55
Location: floridia USA
IRC: SONOFSATAN stevr59
In-game: SONOFSATAN

Someone is selling stolen account passwords!

by SONOFSATAN » Thu Feb 15, 2018 00:34

I had a player today named mirciol, ip-addy 151.25.141.71, selling stolen account passwords from Banana Land servers, which I had my admin ban this player for doing. Here is what he posted in chat:

(02/14/18 06:43:02 PM) [mirciol]: i give away(sell)password of stoled account with diams and everything (a lot)of server(Banana Land)
(02/14/18 06:43:37 PM) [mirciol]: i guess noone wants........

Passing this along for other servers to be on the lookout.
SONOS Raspberry pi server nyx.no-ip.org:30001
SONOS -MT server www.swh59.com:30002
 

Chem871
Member
 
Posts: 724
Joined: Sat Aug 19, 2017 21:49
Location: Ankh-Morpork
GitHub: Chemguy99
In-game: Chem Nyx
 


Re: Selling stolen account passwords!

by SONOFSATAN » Thu Feb 15, 2018 01:16

Chem871 wrote: I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

I don't recall playing there, and as for being a hacker, all I ever did was use a hacked client. And most who know me know me as being helpful and nice.
VanessaE
Moderator
 
Posts: 4117
Joined: Sun Apr 01, 2012 12:38
Location: Waynesville, NC
GitHub: VanessaE
IRC: VanessaE
In-game: VanessaE

Re: Selling stolen account passwords!

by VanessaE » Fri Feb 16, 2018 19:44

Guys, anyone who claims to have "stolen" minetest passwords is full of shit. I'm reasonably sure my server machine (which is where Bananaland is hosted) has no way in except for the few legit users, and there's no way at all for a minetest client to retrieve a server's passwords file.

More likely, he has simply figured out a few users' passwords. A lot of people when they create accounts on a website or minetest server simply pick a common word, or use their birthday, or stuff like 123456 or just "password". Stuff that's easily guessed.
You might like some of my stuff: Plantlife ~ More Trees ~ Home Decor ~ Pipeworks ~ HDX Textures (16-512px)
 

rubenwardy
Moderator
 
Posts: 5247
Joined: Tue Jun 12, 2012 18:11
Location: United Kingdom
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy

Re: Selling stolen account passwords!

by rubenwardy » Fri Feb 16, 2018 19:45

If they do have passwords, it's likely due to the owner telling them or using an easy password (eg: "password" or their username)
 


Re: Selling stolen account passwords!

by SONOFSATAN » Sat Feb 17, 2018 02:33

VanessaE wrote: Guys, anyone who claims to have "stolen" minetest passwords is full of shit. I'm reasonably sure my server machine (which is where Bananaland is hosted) has no way in except for the few legit users, and there's no way at all for a minetest client to retrieve a server's passwords file.

More likely, he has simply figured out a few users' passwords. A lot of people when they create accounts on a website or minetest server simply pick a common word, or use their birthday, or stuff like 123456 or just "password". Stuff that's easily guessed.

Stolen or not, I just posted what he said on my server, and banned his account for it. Stolen or guessed, he should not be selling or giving away user accounts.
Vapalus
Member
 
Posts: 76
Joined: Wed Nov 15, 2017 17:16

Re: Someone is selling stolen account passwords!

by Vapalus » Mon Feb 19, 2018 09:06

The usual trick is to create a server yourself, and to try the logins people were using on your server somewhere else.
This is probably one of the bigger issues with passwords and password policies...
A man much wiser than me once said: "go away, you are bothering me"
 

GamerPro999
Member
 
Posts: 57
Joined: Mon Dec 18, 2017 16:49
In-game: GamerPro999

Re: Someone is selling stolen account passwords!

by GamerPro999 » Mon Feb 19, 2018 13:30

Mirciol came on the Survival X server too. He said he gives bank account with a lot of money by giving diamond, mese and gold. I saw it yesterday (18 Feb 2018). Thx for banning him on that server, because he creates trouble ;-)
In Game Name: GamerPro999
 

ExeterDad
Member
 
Posts: 1628
Joined: Sun Jun 01, 2014 20:00
Location: New Hampshire U.S.A
In-game: ExeterDad

Re: Someone is selling stolen account passwords!

by ExeterDad » Mon Feb 19, 2018 15:22

Vapalus wrote: The usual trick is to create a server yourself, and to try the logins people were using on your server somewhere else.
This is probably one of the bigger issues with passwords and password policies...

This is completely wrong. The plain text passwords never make it to the server. They are hashed and unusable with Minetest's SRP mechanism. The only way a server operator would know the password is if the player requested the password was reset by the Admin, and the player gave the Admin a password to change it to.
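
As an added illustration (not part of the post above and not Minetest's own code), here is a simplified SRP-6a exchange in Python showing what the server stores and what crosses the wire. The group parameters, the hash construction and the names `register` and `login` are assumptions of this example, and the zero-value checks a real implementation performs are left out.

```python
import hashlib
import secrets

# Demo group (assumption of this example, not Minetest's parameters):
# N is the Mersenne prime 2**521 - 1. Real deployments use standardized groups.
N, g = 2**521 - 1, 3

def H(*parts) -> int:
    """SHA-256 over ints/bytes, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(66, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(salt: bytes, name: str, password: str) -> int:
    # Derived on the client only; never transmitted.
    return H(salt, f"{name}:{password}".encode())

def register(name: str, password: str) -> dict:
    """Client computes salt and verifier; this record is all the server stores."""
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt,
            "verifier": pow(g, private_x(salt, name, password), N)}

def login(record: dict, name: str, password: str):
    """One SRP-6a exchange. Returns (values sent over the wire, accepted?)."""
    # Client: ephemeral key pair, sends name and A.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: uses only the stored record, sends salt and B.
    b = secrets.randbelow(N - 2) + 1
    v = record["verifier"]
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)
    # Client: derives the shared secret from the typed password.
    x = private_x(record["salt"], name, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    proof = H(A, B, S_client)  # sent to the server
    # Server: derives the same secret from the verifier and checks the proof.
    S_server = pow(A * pow(v, u, N) % N, b, N)
    accepted = secrets.compare_digest(proof.to_bytes(32, "big"),
                                      H(A, B, S_server).to_bytes(32, "big"))
    return [name, A, record["salt"], B, proof], accepted

if __name__ == "__main__":
    rec = register("alice", "correct horse")         # constructed sample account
    print(login(rec, "alice", "correct horse")[1])   # right password
    print(login(rec, "alice", "123456")[1])          # wrong password
```

The stored record holds only the name, a random salt and the verifier, and the login returns the five values exchanged between the two sides, none of which is the password itself.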
 

Linuxdirk
Member
 
Posts: 1398
Joined: Wed Sep 17, 2014 11:21
Location: Germany
GitHub: 4w
In-game: Linuxdirk

Re: Someone is selling stolen account passwords!

by Linuxdirk » Mon Feb 19, 2018 18:20

ExeterDad wrote: The only way a server operator would know the password is if the player requested the password was reset by the Admin, and the player gave the Admin a password to change it to.

Well …

https://github.com/minetest/minetest/issues/6858
 

sorcerykid
Member
 
Posts: 737
Joined: Fri Aug 26, 2016 15:36
Location: Illinois, USA
In-game: Nemo

Re: Someone is selling stolen account passwords!

by sorcerykid » Mon Feb 19, 2018 19:41

It's possible to compromise accounts that have been purged from the authentication database. This is one of the reasons accounts on my server are preserved indefinitely and after a period of 90 days are automatically disabled.
 

RSLRedstonier
Member
 
Posts: 422
Joined: Wed May 10, 2017 21:00
Location: some were in middle earth
GitHub: RSL-Redstonier
In-game: RSLRedstonier

Re: Selling stolen account passwords!

by RSLRedstonier » Wed Feb 21, 2018 20:35

SONOFSATAN wrote:
Chem871 wrote: I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

I don't recall playing there, and as for being a hacker, all I ever did was use a hacked client. And most who know me know me as being helpful and nice.

Uhh, you just said you don't recall playing there, then you said you used a hacked client (which is what hacking is) on that server.
If I'm wrong please let me know.
"A programmer is just a tool which converts caffeine into code"

try out my skytest mod always being updated!
https://forum.minetest.net/viewtopic.php?f=9&t=17568
 


Re: Someone is selling stolen account passwords!

by VanessaE » Wed Feb 21, 2018 23:53

RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.

Re: Someone is selling stolen account passwords!

by RSLRedstonier » Thu Feb 22, 2018 00:29

VanessaE wrote: RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.


Oh ok I'm sorry. Thanks for correcting me

Re: Selling stolen account passwords!

by SONOFSATAN » Thu Feb 22, 2018 04:36

RSLRedstonier wrote:
SONOFSATAN wrote:
Chem871 wrote: I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

I don't recall playing there, and as for being a hacker, all I ever did was use a hacked client. And most who know me know me as being helpful and nice.

Uhh, you just said you don't recall playing there, then you said you used a hacked client (which is what hacking is) on that server.
If I'm wrong please let me know.


Like I said, I don't recall ever playing on that server. I mainly used the client on the pizza server and the admin was OK with that. I used it a lot on there helping players remove water from griefing, and doing sky builds. To be honest, I never played on that many servers, and the ones who banned me, it was over using this name. I never used the client to harm a server or other players. Now, I have cheated to remove protected griefing so I could help players clean up after a dreamchrusher, MVK and whyulie attack. But I am one of the most hated players on Minetest, and that's mainly due to my name and overuse of caps and typos. But that's their problem, as most who know me know I am super nice and helpful. But now I don't play that much; most of my time is spent working behind the scenes on the server.
Last edited by SONOFSATAN on Thu Feb 22, 2018 04:50, edited 1 time in total.

Re: Someone is selling stolen account passwords!

by SONOFSATAN » Thu Feb 22, 2018 04:46

VanessaE wrote: RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.

I did have a player once who ran a script in chat and then he had the giveme privs. Not sure if he was using a hacked client or he found a way to give himself privs, but when I ran a privs check he had normal privs, yet he gave himself 9999999 cloud blocks, which I removed. He used to play on the pizza server and somehow was able to bypass protectors and ban players who he didn't like. And he loved to spam the server a lot. I asked him how he did it; he said he ran scripts to get what he wanted.

Re: Someone is selling stolen account passwords!

by VanessaE » Thu Feb 22, 2018 04:53

Whatever he did, his client was not what gave him the extra privs, he found an exploit in the server. The worldedit vulnerability I mentioned was one such exploit, and could be used to do exactly as you describe.