Someone is selling stolen account passwords!

Posted: Thu Feb 15, 2018 00:34
by SONOFSATAN
I had a player today named mirciol, ip-addy 151.25.141.71, selling stolen account passwords from Banana Land servers, which I had my admin ban this player for doing. Here is what he posted in chat:

(02/14/18 06:43:02 PM) [mirciol]: i give away(sell)password of stoled account with diams and everything (a lot)of server(Banana Land)
(02/14/18 06:43:37 PM) [mirciol]: i guess noone wants........

Passing this along for other servers to be on the lookout.

Re: Selling stolen account passwords!

Posted: Thu Feb 15, 2018 00:59
by Chem871
I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

Re: Selling stolen account passwords!

Posted: Thu Feb 15, 2018 01:16
by SONOFSATAN
Chem871 wrote:I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

I don't recall playing there, and as for being a hacker, all I ever did was use a hacked client. And most who know me know me as being helpful and nice.

Re: Selling stolen account passwords!

Posted: Fri Feb 16, 2018 19:44
by VanessaE
Guys, anyone who claims to have "stolen" minetest passwords is full of shit. I'm reasonably sure my server machine (which is where Bananaland is hosted) has no way in except for the few legit users, and there's no way at all for a minetest client to retrieve a server's passwords file.

More likely, he has simply figured out a few users' passwords. A lot of people when they create accounts on a website or minetest server simply pick a common word, or use their birthday, or stuff like 123456 or just "password". Stuff that's easily guessed.

Re: Selling stolen account passwords!

Posted: Fri Feb 16, 2018 19:45
by rubenwardy
If they do have passwords, it's likely due to the owner telling them or using an easy password (eg: "password" or their username)

Re: Selling stolen account passwords!

Posted: Sat Feb 17, 2018 02:33
by SONOFSATAN
VanessaE wrote:Guys, anyone who claims to have "stolen" minetest passwords is full of shit. I'm reasonably sure my server machine (which is where Bananaland is hosted) has no way in except for the few legit users, and there's no way at all for a minetest client to retrieve a server's passwords file.

More likely, he has simply figured out a few users' passwords. A lot of people when they create accounts on a website or minetest server simply pick a common word, or use their birthday, or stuff like 123456 or just "password". Stuff that's easily guessed.

Stolen or not, I just posted what he said on my server, and banned his account for it. Stolen or guessed, he should not be selling or giving away user accounts.

Re: Someone is selling stolen account passwords!

Posted: Mon Feb 19, 2018 09:06
by Vapalus
The usual trick is to create a server yourself, and to try the logins people were using on your server somewhere else.
This is probably one of the bigger issues with passwords and password policies...

Re: Someone is selling stolen account passwords!

Posted: Mon Feb 19, 2018 13:30
by GamerPro999
Mirciol came on the Survival X server too. He said he'd give a bank account with a lot of money by giving diamond, mese and gold. I saw it yesterday (18 Feb 2018). Thx to ban him on that server cause he creates trouble ;-)

Re: Someone is selling stolen account passwords!

Posted: Mon Feb 19, 2018 15:22
by ExeterDad
Vapalus wrote:The usual trick is to create a server yourself, and to try the logins people were using on your server somewhere else.
This is probably one of the bigger issues with passwords and password policies...

This is completely wrong. The plain text passwords never make it to the server. They are hashed and unusable with Minetest's SRP mechanism. The only way a server operator would know the password is if the player requested the password was reset by the Admin, and the player gave the Admin a password to change it to.
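
As an added illustration (not part of ExeterDad's post and not Minetest's own code), the following Python example runs an SRP-6a registration and login and returns exactly what the server side receives. The group (the 1024-bit one from RFC 5054), the simplified hash encoding and all function names are assumptions made for the example, so it is not wire-compatible with Minetest.

```python
import hashlib
import secrets

# Assumption: 1024-bit group from RFC 5054 Appendix A, picked to keep this short.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC10B0C03", 16)
g = 2

def H(*parts):
    """SHA-256 of the parts as an int (ints padded to 128 bytes; simplified encoding)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(128, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_key(salt, user, password):
    # x never leaves the client; it is recomputed from what the player types.
    return H(salt, f"{user}:{password}".encode())

def register(user, password):
    """Client side of account creation: returns the (salt, verifier) the server stores."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, user, password), N)

def login(user, typed_password, record):
    """One handshake; returns (what the server received, whether it accepted)."""
    salt, v = record
    a = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)                       # client -> server: user, A
    b = secrets.randbelow(N - 1) + 1
    B = (k * v + pow(g, b, N)) % N         # server -> client: salt, B
    if A % N == 0 or B % N == 0:           # both sides must reject a zero value
        return {"user": user, "A": A}, False
    u = H(A, B)
    x = private_key(salt, user, typed_password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    m1 = H(A, B, s_client)                 # client -> server: proof of the shared secret
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return {"user": user, "A": A, "M1": m1}, m1 == H(A, B, s_server)

if __name__ == "__main__":
    record = register("alice", "correct horse battery staple")  # constructed sample
    print(login("alice", "correct horse battery staple", record)[1])
    print(login("alice", "123456", record)[1])
```

The server-side record is only a salt and a verifier, and each login adds only `A` and the proof `M1`. The stored verifier should still be protected the way a password hash would be.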

Re: Someone is selling stolen account passwords!

Posted: Mon Feb 19, 2018 18:20
by Linuxdirk
ExeterDad wrote:The only way a server operator would know the password is if the player requested the password was reset by the Admin, and the player gave the Admin a password to change it to.

Well …

https://github.com/minetest/minetest/issues/6858

Re: Someone is selling stolen account passwords!

Posted: Mon Feb 19, 2018 19:41
by sorcerykid
It's possible to compromise accounts that have been purged from the authentication database. This is one of the reasons accounts on my server are preserved indefinitely and after a period of 90 days are automatically disabled.

Re: Selling stolen account passwords!

Posted: Wed Feb 21, 2018 20:35
by RSLRedstonier
SONOFSATAN wrote:
Chem871 wrote:I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

I dont recall playing there and for being hacker all i ever did was use a hacked client. and most who know me know me as being helpfull and nice.

Uhh, you just said you don't recall playing there, then you said you used a hacked client (which is what hacking is) on that server.
If I'm wrong please let me know.

Re: Someone is selling stolen account passwords!

Posted: Wed Feb 21, 2018 23:53
by VanessaE
RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.

Re: Someone is selling stolen account passwords!

Posted: Thu Feb 22, 2018 00:29
by RSLRedstonier
VanessaE wrote:RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.


Oh ok I'm sorry. Thanks for correcting me

Re: Selling stolen account passwords!

Posted: Thu Feb 22, 2018 04:36
by SONOFSATAN
RSLRedstonier wrote:
SONOFSATAN wrote:
Chem871 wrote:I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.

I dont recall playing there and for being hacker all i ever did was use a hacked client. and most who know me know me as being helpfull and nice.

Uhh you just said you don't recall playing there then you said you used a hacked client(which is what hacking is) on that server
if I'm wrong please let me know


Like I said, I don't recall ever playing on that server. I mainly used the client on the pizza server and the admin was OK with that. I used it a lot on there helping players remove water from griefing, and doing sky builds. To be honest I never played on that many servers, and the ones who banned me, it was over using this name. I never used the client to harm a server or other players. Now, I have cheated to remove protected griefing so I could help players clean up after a dreamchrusher, MVK and whyulie attack. But I am one of the most hated players on Minetest, and that's mainly due to my name and overuse of caps and typos. But that's their problem, as most who know me know I am super nice and helpful. But now I don't play that much; most of my time is spent working behind the scenes on the server.

Re: Someone is selling stolen account passwords!

Posted: Thu Feb 22, 2018 04:46
by SONOFSATAN
VanessaE wrote:RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.

I did have a player once who ran a script in chat and then he had the giveme privs. Not sure if he was using a hacked client or he found a way to give himself privs, but when I ran a privs check he had normal privs, but he gave himself 9999999 cloud blocks, which I removed. He used to play on the pizza server and somehow was able to bypass protectors and ban players who he didn't like, and he loved to spam the server a lot. I asked him how he did it; he said he ran scripts to get what he wanted.

Re: Someone is selling stolen account passwords!

Posted: Thu Feb 22, 2018 04:53
by VanessaE
Whatever he did, his client was not what gave him the extra privs, he found an exploit in the server. The worldedit vulnerability I mentioned was one such exploit, and could be used to do exactly as you describe.