For Neopets ONLY discussion.
Topic locked

Tue Jan 17, 2006 10:03 pm

everconfused wrote: Q, I'm one of those clear everything after I visit any site kind of people. I've been laughed at by friends, telling me I'm "paranoid". Guess what, better to be paranoid than lose my and the other people who use this computer's information - any of it.


"Paranoid", heh. It's usually people who take zero precautions and feel invincible that say that. Grocery store clerks make fun of me covering my hand while I punch in my PIN #, but nobody has ever stolen my PIN # and I don't care who thinks I'm being silly covering my hand - it's not their money at stake, it's mine lol.

I have a friend who had almost nothing in her account, isn't a serious player, and felt she'd never get her account stolen. So she used 'diamond' as her password, and one day she couldn't log in. They left her email intact, she retrieved the password they had set: 'emerald'. Just a joker, but there she was with an account worth nothing and that had hardly been played on, never chatted on the boards or ran a shop, and someone broke into it.


No matter how invisible you feel on Neopets, it does not mean nobody will want to break into your account. This was all a good reminder that you just can't wander about being oblivious or feeling like nobody would bother with your account, whether it's a megamillion high profile account or one with a Cheat trophy and the contents of a newbie pack.

Tue Jan 17, 2006 10:11 pm

Arwen, I did not say they could get that information through cookies. I said if they were able to get access to a mod account they could look up anyone's information through mod resources. *huggles* No harm tho. =D
Last edited by jbolack on Tue Jan 17, 2006 10:18 pm, edited 1 time in total.

Tue Jan 17, 2006 10:16 pm

dolphinling wrote: All right, everyone, it's fixed.

...And it's time for me to go to bed. *yawn*


Yay! Thanks for all the help, Minor Duke King dolphinling. (You have to agree that king -ling makes a good rhyme all the time). All my info is right where I left it last night. Rest well my liege. :zzz:

Tue Jan 17, 2006 10:23 pm

I can't recall exactly, but I vaguely recall that neopets once had a process that logged you off if you logged in from another location. This was some time ago, but it would be sort of an instant clue that you'd been CGd. I recognize that this isn't binding cookies to IP addresses, but is similar.

Anyway, I fail to see how having to log in to neopets every so often would be all that big of an issue. If I have to type in my password twice a day rather than twice a month, with the knowledge that this keeps me safer, then I'd have no problem with it.

Other than that, thanks for the updates Dolphinling.

Tue Jan 17, 2006 10:34 pm

everconfused wrote: Morningstar, I'm sorry you had to go through that. That you went back to the shop and then to the lookup is a lot more than I would have done. So, you cleared everything, changed your password each time. Did you also change the password to your email, just in case?


EC, I changed my passwords for pretty much everything I could think of, except the kitchen sink. And did it each time within seconds of going back to the shop and then within seconds of going to the lookup. Thank goodness, I had a piece of paper and pen next to me. Then ran all of my various scans and then changed all of my cookies again.

I must say that this has got the big negg dealers freaked. Cause whoever was doing this was doing it with neggs. I don't know what else. But, definitely neggs. Negg buyers are afraid to go to other people's shops, user lookups--even for those that they know and trust and have been friends with. Sad.

Tue Jan 17, 2006 10:46 pm

jbolack: Ah. I see what you mean now.

Regardless, I highly doubt that a regular neopets moderator can view your information. I'm pretty sure that it is strictly confidential, and that you would have to log in as neoadmin to view such information.

Tue Jan 17, 2006 11:27 pm

It would be really nice if you could only be logged in on one place at a time, and anyone who tried to log in from another place while you were still logged in wouldn't be able to do so. Another good option would be a "Something has happened" type thing that would pop up saying "Someone has tried to access your account at [date] on [time]. If this was not you, we recommend deleting your cookies and changing your password as someone may be attempting to invade your account." I mean, something along those lines could help a lot, if you happened to be online and someone tried to hack you.
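
The two ideas raised in the posts above, ending the old session when a login arrives from another location and showing a "Something has happened" notice, sketched as an added example (not part of any post and not Neopets' code). The `SessionStore` class, the usernames and the documentation-range IP addresses are constructed for illustration.

```python
import hmac
import secrets
from datetime import datetime, timezone


class SessionStore:
    """Hypothetical store: one live session per account, bound to the login IP."""

    def __init__(self):
        self._active = {}   # username -> (token, ip)
        self._notices = {}  # username -> pending "Something has happened" texts

    def _notify(self, username, ip, what):
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
        self._notices.setdefault(username, []).append(
            f"{what} from {ip} at {stamp}. If this was not you, "
            "change your password.")

    def login(self, username, ip):
        """Issue a fresh token; any earlier token for the account stops working."""
        previous = self._active.get(username)
        if previous and previous[1] != ip:
            self._notify(username, ip, "A new login ended your other session")
        token = secrets.token_urlsafe(32)
        self._active[username] = (token, ip)
        return token

    def check(self, username, token, ip):
        """True only for the current token, presented from the IP it was issued to."""
        current = self._active.get(username)
        if current is None or not hmac.compare_digest(
                current[0].encode(), token.encode()):
            return False
        if current[1] != ip:
            # Right cookie, wrong place: treat as a copied cookie and revoke it.
            self._notify(username, ip, "Your session cookie was presented")
            del self._active[username]
            return False
        return True

    def pop_notices(self, username):
        return self._notices.pop(username, [])


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("user_a", "203.0.113.5")        # constructed sample values
    print(store.check("user_a", cookie, "198.51.100.9"))  # copied cookie, other IP
    print(store.pop_notices("user_a"))
```

Binding to the IP also logs out users whose address changes legitimately, which is the trade-off of typing the password more often that the thread already accepts.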

Tue Jan 17, 2006 11:28 pm

My friend told me that a few years ago, on April Fools' Day, someone put everyone's username and password onto the main page or something like that. Anybody know what I'm talking about?

Tue Jan 17, 2006 11:30 pm

This was a post about right/wrong/stuff, but I fixed it. Anyway, I have no idea what's going on here, because I'm about as computer-illiterate as one can be, but I'm just going to do what the front page on PPT says. I did still do lab ray though... not going to miss that.
Last edited by theonlysaneone on Tue Jan 17, 2006 11:43 pm, edited 1 time in total.

Tue Jan 17, 2006 11:36 pm

...

I'm not sure if you guys realise, but Matt kindly posted a note (and I'll quote)

Matt wrote: Please, do not talk about whether evil commands respect, as that is a topic for the Debating board, and if you want to talk about it, can you keep it there. This is a board for discussing potential problems/solutions/effect with the Neopets holes.


Now. I really don't believe that you guys are in the habit of blatantly ignoring the requests of moderators, but if the continuation of the above topic continues, bad things such as warnings, or locked topics will happen.

Respect the staff and comply with their wishes

Straight from the Forum Rules and Guidelines

Tue Jan 17, 2006 11:37 pm

ArwenEarendil wrote: Okay okay *whooshes in*

To my knowledge, the CGer more or less has been "stopped". How long that is, I don't know. But looking at Kaos'/Infamous' directory, the CGer is still up there and loaded, including the cookie.php file.

Oh yes. Another thing to know is that Kaos isn't ONE person. To my belief it's two. The mastermind behind the majority of this is Infamous, whom I, and several IRC mods have talked to. He actually had pretty good knowledge of scripts, accompanied with a rather large resource of derogatory comments.

It looks like Chase (the more common "Kaos" on the boards) simply goes into the accounts, takes the action, blah... making him look like a scapegoat. That's just mine and some others' opinion though.

Lastly, maybe it's been mentioned, I dunno *skims board*, but disable JavaScript. You can run across the CGer, but not get CGed if you disable JavaScript. Me and some others tested this several times. (Reason being, as someone noted before... it's run through javascript.)

What happened with the monitor was that she got CGed obviously. Of course, she was newly hired, and hadn't much but basic monitor privileges. You'd have to log in as neoadmin to actually change the news page.

Hydro: not to support TNT or anything, but IMHO, I don't think they hacked. Definitions of hacking though, are for the Debate board. :P It's easy to trace his IP, they already have. You can even find his address (a couple of us found this through a WHOIS - we're led to believe that it is Infamous') They can't take legal action without good evidence - you'd have to actually catch him cookie grabbing (fair enough - we caught the cg file).

jbolack: Your personal information isn't stored in cookies. Technically, your password isn't either, but all it really is, is encoding in MD5. If a person actually got into your account, they can't see your actual personal information (assuming that you didn't put in a real country/province/state/zip code/whatever - short of an email. Even then, you still have a pretty darned wide area.)


Chase? at one point said that infamous was the one who originally wrote the cg, that he was distributing it. Then he said that he came up with another one on his own. Scapegoat? Hardly. And of course this last mess couldn't have been 1 or even just 2 persons. Just too much, too wide-spread. As to legal action - if they find these people then they can confiscate their computers, yes? As to IP, kaos said he was using neighbors' wireless without their knowledge. So, there's something else against him, but makes it a little more difficult to narrow it down as to address. That that thing is still up and active is worrisome. Even if they can't use what they've got now, what's to stop them from trying to change it so this all starts again. And "more or less stopped" doesn't really make me feel very secure.

I hope you or someone has given TNT any and all information you have on this thing, where it is, if you have an actual IP, names, etc.

Disabling js - someone, I believe on the BD chat said that he'd done that a couple of weeks ago and ended up frozen for an unfair advantage. So that's against the rules technically. And a couple of people did have js disabled along with the adblock/scriptblock with FF this weekend and still got grabbed *shrugs* so I don't know.

Premium accounts that were grabbed - if the person had logged into their webmail, even with a different password (which you should have and never use your neo webmail as your neo email for your account), that cookie still has neopets on it - therefore, with access to the webmail they also have access to the user admin panel - which has your name, address, phone #, part of your cc# or other payment method. If it wasn't possible then people's premium financial and personal information wouldn't have been able to have been ss and posted around, now would it.

Moongewl, a SSH that someone else was trying to log into your account would be great! I have sent in numerous times over the last 3 years to ideas and suggestions that something be implemented so that only 1 person could be in any account at any given time.
Last edited by everconfused on Tue Jan 17, 2006 11:42 pm, edited 1 time in total.

Tue Jan 17, 2006 11:40 pm

ahoteinrun wrote: ...

I'm not sure if you guys realise, but Matt kindly posted a note (and I'll quote)

Matt wrote: Please, do not talk about whether evil commands respect, as that is a topic for the Debating board, and if you want to talk about it, can you keep it there. This is a board for discussing potential problems/solutions/effect with the Neopets holes.


Now. I really don't believe that you guys are in the habit of blatantly ignoring the requests of moderators, but if the continuation of the above topic continues, bad things such as warnings, or locked topics will happen.

Respect the staff and comply with their wishes

Straight from the Forum Rules and Guidelines


Oops... I'm so sorry. I didn't see that right off, but now that I look back, it's right there. Won't let it happen again.

Wed Jan 18, 2006 12:00 am

Yikes. I only just found out about this whole CG thing, and I was on neo yesterday. I didn't go to the boards at all, but I did visit a few shops and lookups from the shop wiz and trading post. I've changed the password for my main account, is it necessary to change all my side account passwords too?

Wed Jan 18, 2006 12:14 am

Eek. This really burns. I can't have any fun browsing pet pages anymore. :x

I don't know how the heck I'm supposed to advertise on the neoboards and ask for beauty contest votes? I mean I can vote by looking at the compressed images uploaded to their server, but on 2nd thought, what if?

I shudder to think. Maybe that isn't possible, but it still is a MAJOR disappointment to not be able to look at the "better pict" or less compressed images and extravagant look-ups and pet pages people make. At least not without being very fearful.

I guess I can do what I did this week so far which was avoid posting on the neoboards altogether. What a bummer. :(

Probably means I will not win for a lo-o-o-ong time. Also a shame because Tairrena has had a near perfect BC record, meaning there hasn't been a week she hasn't gotten a trophy that she was entered. knock on wood

I fear this month will be the exception if I can't find enough offsite voters.
(BTW I plan to enter her in the 27th. I think if she placed 1st that week, then I'd have her on both the top and bottom of the past winner's page?)


I really hate those people that have to spoil the fun for everyone. :x :x :x

I really hope TNT can solve this, though I fear that may mean losing the privilege of being able to edit your own pages. :cry:

Wed Jan 18, 2006 12:27 am


everconfused wrote: Chase? at one point said that infamous was the one who originally wrote the cg, that he was distributing it. Then he said that he came up with another one on his own. Scapegoat? Hardly. And of course this last mess couldn't have been 1 or even just 2 persons. Just too much, too wide-spread. As to legal action - if they find these people then they can confiscate their computers, yes? As to IP, kaos said he was using neighbors' wireless without their knowledge. So, there's something else against him, but makes it a little more difficult to narrow it down as to address. That that thing is still up and active is worrisome. Even if they can't use what they've got now, what's to stop them from trying to change it so this all starts again. And "more or less stopped" doesn't really make me feel very secure.


As a matter of fact, if you think about it, it CAN be 2 people. All you need is one person to run across the CGer, then either can go in, and alter a shop code. That being done, some people may run across the infected shop, giving either even more shops to infect. Keep going to this cycle, and you have a tree of infected shops. As to infected userlookups, people may have had easy passwords to crack. Infamous is the person that created the code; speaking to him has led me to infer that he is the one behind all the code. Chase, if you will, is the "public relations". As to using his neighbor's wireless, anyone can do that. It's only hacking if it's WEP (or any other password type) encoded. If he uses it then without their permission, THEN it is truly called hacking. Why? Because he's forcing himself into a password-protected zone.

Heck, even in some areas of the US (say, Beverly Hills), you can take a laptop with WiFi enabled, and have a nearly steady connection on a highway.

I say "more or less stopped" because for now, it appears as if his code is blocked. You never know, there may be ways around the blocks TNT has put.

everconfused wrote: I hope you or someone has given TNT any and all information you have on this thing, where it is, if you have an actual IP, names, etc.


That, is pending. I probably will though, though I'm going to consult with others first.

everconfused wrote: Disabling js - someone, I believe on the BD chat said that he'd done that a couple of weeks ago and ended up frozen for an unfair advantage. So that's against the rules technically. And a couple of people did have js disabled along with the adblock/scriptblock with FF this weekend and still got grabbed *shrugs* so I don't know.


He was frozen because he probably attempted to restock, or buy an item from a usershop. Disabling JS stops the popup, which gives you a slightly faster advantage. If you don't buy items from usershops, or rs, you're fine.

Even though some people had JS disabled, they were probably too late. It's likely they were grabbed, and then they disabled JS. Disabling JS after you've been CGed does nothing, you've already been grabbed. Thus, why I always disable it before I head to a user-edited page. 'Sides, it's not likely I'm going to buy something.

Adblock doesn't stop CGers because it stops ads. Such as *.swf. It doesn't block JS code to my knowledge. Scriptblock only blocks it if it's configured right. Simply installing it won't work. Even then, parts of code might slip by.

everconfused wrote: Premium accounts that were grabbed - if the person had logged into their webmail, even with a different password (which you should have and never use your neo webmail as your neo email for your account), that cookie still has neopets on it - therefore, with access to the webmail they also have access to the user admin panel - which has your name, address, phone #, part of your cc# or other payment method. If it wasn't possible then people's premium financial and personal information wouldn't have been able to have been ss and posted around, now would it.


This is a new insight for me, seeing as I've never used premium, and probably never will touch it. Thanks though, I'll keep this in mind.

I've checked this post over. IMO, I don't see anything exactly debatable, though I have provided a situation in a different perspective. I dunno if this would count as a debate; feel free to edit/tell me if it is, so I'll know for sure next time.