Someone is selling stolen account passwords!

SONOFSATAN
Member
Posts: 47
Joined: Mon Dec 07, 2015 16:55
IRC: SONOFSATAN stevr59
In-game: SONOFSATAN
Location: floridia USA

Someone is selling stolen account passwords!

by SONOFSATAN » Post

I had a player today named mirciol, ip-addy 151.25.141.71, selling stolen account passwords from Banana Land servers, which I had my admin ban this player for doing. Here is what he posted in chat:
(02/14/18 06:43:02 PM) [mirciol]: i give away(sell)password of stoled account with diams and everything (a lot)of server(Banana Land)
(02/14/18 06:43:37 PM) [mirciol]: i guess noone wants........
Passing this along for other servers to be on the lookout.
SONOS Raspberry pi server nyx.no-ip.org:30001
SONOS -MT server www.swh59.com:30002

Chem871
Member
Posts: 999
Joined: Sat Aug 19, 2017 21:49
GitHub: Chemguy99
In-game: Chem Nyx
Location: My Basement's Attic

Re: Selling stolen account passwords!

by Chem871 » Post

I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.
What is SCP-055?


Re: Selling stolen account passwords!

by SONOFSATAN » Post

Chem871 wrote: I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.
I don't recall playing there, and as for being a hacker, all I ever did was use a hacked client. And most who know me know me as being helpful and nice.
SONOS Raspberry pi server nyx.no-ip.org:30001
SONOS -MT server www.swh59.com:30002

VanessaE
Moderator
Posts: 4655
Joined: Sun Apr 01, 2012 12:38
GitHub: VanessaE
IRC: VanessaE
In-game: VanessaE
Location: Western NC

Re: Selling stolen account passwords!

by VanessaE » Post

Guys, anyone who claims to have "stolen" minetest passwords is full of shit. I'm reasonably sure my server machine (which is where Bananaland is hosted) has no way in except for the few legit users, and there's no way at all for a minetest client to retrieve a server's passwords file.

More likely, he has simply figured out a few users' passwords. A lot of people when they create accounts on a website or minetest server simply pick a common word, or use their birthday, or stuff like 123456 or just "password". Stuff that's easily guessed.
You might like some of my stuff: Plantlife ~ More Trees ~ Home Decor ~ Pipeworks ~ HDX Textures (64-512px)

rubenwardy
Moderator
Posts: 6972
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom

Re: Selling stolen account passwords!

by rubenwardy » Post

If they do have passwords, it's likely due to the owner telling them or using an easy password (eg: "password" or their username)
Renewed Tab (my browser add-on) | Donate | Mods | Minetest Modding Book

Hello profile reader


Re: Selling stolen account passwords!

by SONOFSATAN » Post

VanessaE wrote:Guys, anyone who claims to have "stolen" minetest passwords is full of shit. I'm reasonably sure my server machine (which is where Bananaland is hosted) has no way in except for the few legit users, and there's no way at all for a minetest client to retrieve a server's passwords file.

More likely, he has simply figured out a few users' passwords. A lot of people when they create accounts on a website or minetest server simply pick a common word, or use their birthday, or stuff like 123456 or just "password". Stuff that's easily guessed.
Stolen or not, I just posted what he said on my server and banned his account for it. Stolen or guessed, he should not be selling or giving away user accounts.
SONOS Raspberry pi server nyx.no-ip.org:30001
SONOS -MT server www.swh59.com:30002

Vapalus
Member
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: Someone is selling stolen account passwords!

by Vapalus » Post

The usual trick is to create a server yourself, and to try the logins people were using on your server somewhere else.
This is probably one of the bigger issues with passwords and password policies...
A man much wiser than me once said: "go away, you are bothering me"

GamerPro999
Member
Posts: 57
Joined: Mon Dec 18, 2017 16:49
In-game: GamerPro999

Re: Someone is selling stolen account passwords!

by GamerPro999 » Post

Mirciol came on the Survival X server too. He said he would give a bank account with a lot of money by giving diamond, mese and gold. I saw it yesterday (18 Feb 2018). Thanks for banning him on that server, because he creates trouble ;-)
In Game Name: GamerPro999

ExeterDad
Member
Posts: 1717
Joined: Sun Jun 01, 2014 20:00
In-game: ExeterDad
Location: New Hampshire U.S.A

Re: Someone is selling stolen account passwords!

by ExeterDad » Post

Vapalus wrote:The usual trick is to create a server yourself, and to try the logins people were using on your server somewhere else.
This is probably one of the bigger issues with passwords and password policies...
This is completely wrong. The plain text passwords never make it to the server. They are hashed and unusable with Minetest's SRP mechanism. The only way a server operator would know the password is if the player requested the password was reset by the Admin, and the player gave the Admin a password to change it to.
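
What the SRP claim in the post above means in practice, as an added example (not part of the thread and not Minetest's code): a simplified SRP-6a style registration and login in which the server is handed only a salt, a verifier and per-session values. The group parameters, hash layout and function names are assumptions chosen for brevity.

```python
import hashlib
import secrets

# Demo group (assumption): N = 2**521 - 1 is a known prime picked to keep the
# block short; real SRP deployments use the large safe-prime groups of RFC 5054.
N = 2**521 - 1
g = 3

def H(*parts):
    """Hash ints/bytes/str (length-prefixed) into an integer with SHA-256."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def register(user, password):
    """Client side: derive the (salt, verifier) pair that is sent to the server."""
    salt = secrets.token_bytes(16)
    x = H(salt, user, password)
    return salt, pow(g, x, N)

def login(user, password, salt, v):
    """Run one exchange; return (server_accepts, everything the server saw)."""
    a = secrets.randbelow(N - 2) + 1          # client secret
    A = pow(g, a, N)                          # client -> server
    b = secrets.randbelow(N - 2) + 1          # server secret
    B = (k * v + pow(g, b, N)) % N            # server -> client
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("invalid SRP value")
    # Client derives the shared secret from the typed password.
    x = H(salt, user, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S_client)                    # client -> server: proof
    # Server derives the same secret from the stored verifier only.
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return M1 == H(A, B, S_server), [user, salt, v, A, M1]
```
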

Linuxdirk
Member
Posts: 3217
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Someone is selling stolen account passwords!

by Linuxdirk » Post

ExeterDad wrote:The only way a server operator would know the password is if the player requested the password was reset by the Admin, and the player gave the Admin a password to change it to.
Well …

https://github.com/minetest/minetest/issues/6858

sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: Someone is selling stolen account passwords!

by sorcerykid » Post

It's possible to compromise accounts that have been purged from the authentication database. This is one of the reasons accounts on my server are preserved indefinitely and after a period of 90 days are automatically disabled.

TechNolaByte
Member
Posts: 465
Joined: Wed May 10, 2017 21:00
GitHub: TechNolaByte

Re: Selling stolen account passwords!

by TechNolaByte » Post

SONOFSATAN wrote:
Chem871 wrote:I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.
I dont recall playing there and for being hacker all i ever did was use a hacked client. and most who know me know me as being helpfull and nice.
Uhh, you just said you don't recall playing there, then you said you used a hacked client (which is what hacking is) on that server
if I'm wrong please let me know
The great quest of alchemy neither failed nor attained gold; programmers are those great alchemists who transmute caffeine into code.


Re: Someone is selling stolen account passwords!

by VanessaE » Post

RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.
You might like some of my stuff: Plantlife ~ More Trees ~ Home Decor ~ Pipeworks ~ HDX Textures (64-512px)


Re: Someone is selling stolen account passwords!

by TechNolaByte » Post

VanessaE wrote:RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.
Oh ok I'm sorry. Thanks for correcting me
The great quest of alchemy neither failed nor attained gold; programmers are those great alchemists who transmute caffeine into code.


Re: Selling stolen account passwords!

by SONOFSATAN » Post

RSLRedstonier wrote:
SONOFSATAN wrote:
Chem871 wrote:I remember TELESIGHT banned you from Skywars, because you yourself were a hacker.
I dont recall playing there and for being hacker all i ever did was use a hacked client. and most who know me know me as being helpfull and nice.
Uhh you just said you don't recall playing there then you said you used a hacked client(which is what hacking is) on that server
if I'm wrong please let me know
Like I said, I don't recall ever playing on that server. I mainly used the client on the pizza server, and the admin was OK with that. I used it a lot on there, helping players remove water from griefing and doing sky builds. To be honest, I never played on that many servers, and the ones who banned me did so over using this name. I never used the client to harm a server or other players. Now, I have cheated to remove protected griefing so I could help players clean up after a dreamchrusher, MVK and whyulie attack. But I am one of the most hated players on Minetest, and that's mainly due to my name and overuse of caps and typos. But that's their problem, as most who know me know I am super nice and helpful. But now I don't play that much; most of my time is spent behind the scenes working on the server.
Last edited by SONOFSATAN on Thu Feb 22, 2018 04:50, edited 1 time in total.
SONOS Raspberry pi server nyx.no-ip.org:30001
SONOS -MT server www.swh59.com:30002


Re: Someone is selling stolen account passwords!

by SONOFSATAN » Post

VanessaE wrote:RSL, using a so-called "hacked" client does not itself constitute hacking. That's merely cheating, which imho is still a bannable offense. Nevermind that Minetest being free open source software means there's really no such thing as a "hacked client" in the first place. It's merely a client that has been modified in a way that makes it easier to cheat, but not which has simply been modified to make it easier to use normally or patched to fix a bug or something.

Hacking a server requires more than just a non-standard client, it requires actively trying to breach the server's security to reveal or gain access to data stored there that isn't normally made available to clients, or to grant oneself abilities and materials only accessible by normal play (if at all), such as granting oneself "creative" priv, or giving oneself a more powerful tool such as an admin pick.

Such things depend on there being exploits and vulnerabilities on the server (either Minetest itself, or in one of the external services or tools running on the machine hosting the Minetest instance), such as the WorldEdit //lua vulnerability that happened a while back, or if someone were to, say, find a way to break in via ssh.
I did have a player once who ran a script in chat and then he had the giveme privs. Not sure if he was using a hacked client or he found a way to give himself privs, but when I ran a privs check he had normal privs, but he gave himself 9999999 cloud blocks, which I removed. He used to play on the pizza server and somehow was able to bypass protectors and ban players who he didn't like. And he loved to spam the server a lot. I asked him how he did it; he said he ran scripts to get what he wanted.
SONOS Raspberry pi server nyx.no-ip.org:30001
SONOS -MT server www.swh59.com:30002


Re: Someone is selling stolen account passwords!

by VanessaE » Post

Whatever he did, his client was not what gave him the extra privs, he found an exploit in the server. The worldedit vulnerability I mentioned was one such exploit, and could be used to do exactly as you describe.
You might like some of my stuff: Plantlife ~ More Trees ~ Home Decor ~ Pipeworks ~ HDX Textures (64-512px)
