NeoMallers Site News (important!) + scam

As some of you know, NeoMallers' database has been accessed through a staff account on this site. Using that account, they were able to disable the security set on this site and run PHP code that essentially allowed them to upload a "Shell Tool". This allowed access into the file system (where all the NeoMallers files are stored). With access to the file system, they were able to retrieve the database password in addition to hijacking the main index.php file of this site, which recorded password logins to this site as of March 8th and archived them into a text file. The bad news is, it appears the entire database was downloaded. The good news is, passwords are stored in a one-way encryption, so those of you who used non-dictionary words are safe for the most part. [b]But you should still change your passwords.[/b] Good news is, there was minimal damage and I was able to trace where and how they got in and every single piece of code they tried to execute and what failed and what actually worked. Also, moderators no longer have full access to the site. A new "moderation layer" will be developed as time allows in order to restore these powers but in a much more secure environment. I apologize for this "mishap" and hope it will never happen again.

Well, technically, they got into the database. But it shouldn't happen again even with access to a mod account.
----------------------------- [color=purple]Protect your account[/color] http://www.neopets.com/~punchback_bob CG information & more

Everything's fine, thanks.

Thank you, Dmitri, for letting us know what happened, unlike Neopets, which keeps us in the dark and guessing. I use different emails for Neopets and Neomallers, and I changed both passwords on both accounts; I think I should be good. So, from what I just read, I believe I understood it as a Mod from this site hacked into the database? Why would they do that? I trust all of the mods here... *** [size=10]Current shop size: 135/700 Want to help? Click below! www.neopets.com/browseshop.phtml?owner=nioe_yemar&misc Owner of The Rainbow Fields Mall! www.neopets.com/~Mynynae - Places to Go, Things to See![/size]
[url]http://www.neopets.com/browseshop.phtml?owner=nioe_yemar&NB[/url] - Nioe's Emporium of Medicine and Cures! :* [url]http://www.neopets.com/~Fiylayla[/url] - Join Rainbow Fields Mall!

No, someone got into a mod account and used that account to weaken security and upload the script. Seems like their Neomallers password was similar to that of another fansite.

~ May ~ I'm glad it's back, I was scared... Neomallers is that one site I never thought would go down O.O
~ May ~

Thanks for letting us know! :). Much appreciated.

Just curious: is it against the law to hack into a copyrighted web page? Another point: personally, I think it would be funny if you used an IP tracker on that address to find out where the person lives, then call them and start screaming through the phone XD. --- Step outside, take a breath of fresh air, then look down to see if you have a new text message.
[color=Gray]Good Idea: Feeding stray kittens in the park. Bad Idea: Feeding stray kittens in the park... to a bear.[/color]

scary stuff, thanks for the update!

updated

All websites are technically copyrighted; all works are copyrighted upon the moment of creation (you don't need to do anything specific to obtain a copyright). Due to the nature of websites, a copyright disclaimer is displayed so people know that the content is not available for other people to use; rather than to say "you shalt not hack this site". All websites are protected by law against hackers (which doesn't really offer 'protection' so much as an option for vengeance). There are state and federal laws against hacking, and they do vary depending on where you live, which is also affected by who created/owns the website, where it is hosted, and who hacks into it. But generally, the severity of punishment relates to the level of harm (or potential harm) done. Such that I couldn't see someone going to jail for hacking into Neomallers (as much as that displeases me). Copyright is one of those things that is largely misunderstood by people. If you want to prove ownership of something, mail a copy of it to yourself and don't open the envelope. If ever you have to prove in court that something is your creation, you just display the envelope and hope that the date on the postmark is earlier than whatever 'proof' your opponent has.
