Bonsai Nut
Nuttier than your average Nut
Maybe too much information for some of you, but in case you are curious about site hacks read on.
On the post dealing with BonsaiTalk's demise, I mentioned the fact that BonsaiNut had been hacked (via a vBulletin security hole) and that a backdoor had allowed a fake admin account to import malware into the site, which in turn started to chip away at the site from the inside.
One of the challenges with these hacks is that it is not always immediately apparent that the site has been hacked. The malware does what it does, and it slowly infects the site and chips away at the integrity of the site as well as security protocols. In the case of Bonsai Nut, we had several malware executables inserted into the site software (I think 10 major ones), all of which did slightly different things. Some created fake user accounts, for example. One bad one was a brute force password hacker.
One of the first signs that the site had been hacked was the fact that site response slowed way down. I checked the server status (good), and found that the site was suddenly making a TON of server calls - much higher than usual. It turns out the one of the malware programs was a password hacker that was (through trial and error) attempting to hack all the user names and passwords on the site. It was only an alpha-numeric hacker (A-Z and 0-9) so if you had a special character in your password you would have been completely safe. But with time (particularly if users used short passwords) it would have hacked all the user accounts and passwords on the site.
With time. One single alpha-numeric character has 36 possible combinations (a-z, 0-9). A two-digit password has 1.296 possible combinations (36 ^2). An 8 digit password has 2,821,110,000,000 possible combinations. If you have a long password, it takes a LONG time to hack. If the password recognizes upper and lower case letters, it is almost exponentially more difficult to hack - and adding special characters brings the total number of possible combinations to 93 per character. So the brute force password hacker was pinging the server with bad password after bad password, to see if any would stick. Normally, if through the site software, someones attempts to log into the site with a bad password, we do a couple of things - first we slow the server calls down so you can't check password verification except every few seconds, and second, if you get several fails, you are timed out of the system (if not locked out entirely). But these were direct server calls from inside the site code and inside of the security wall. It was bringing the server to its knees.
Now why do I share all of this with you? I don't think a single password was hacked, because I caught the exploit pretty quickly. HOWEVER... why would anyone care that they had a hacked user name and a matching password for a bonsai forum site? They wouldn't. There is no money there. However... if you use the SAME user name and SAME password on other sites, you are opening yourself up for abuse. I don't doubt that the first time this malware reported back a positive user name and password, there is a good chance that another program would ping PayPal, Visa, MasterCard, Wells Fargo, etc, with the same user name and password, and see if any would be accepted. Please NEVER use the same user name and password on several sites - especially if they are tied to monetary accounts. Understand that not even I know what password you use for BonsaiNut. The best I can do is reset it if you forget it, or create a temporary one that you can change the moment you have site access. This is one small example of why Internet security is really important - a bonsai site hack could open the door into a bank account if you don't use reasonable security best practices. Use long passwords. Use unique passwords (and user names) for each account. Change your passwords regularly. And consider two-step verification (via cell phone or security fob) for anything important.
On the post dealing with BonsaiTalk's demise, I mentioned the fact that BonsaiNut had been hacked (via a vBulletin security hole) and that a backdoor had allowed a fake admin account to import malware into the site, which in turn started to chip away at the site from the inside.
One of the challenges with these hacks is that it is not always immediately apparent that the site has been hacked. The malware does what it does, and it slowly infects the site and chips away at the integrity of the site as well as security protocols. In the case of Bonsai Nut, we had several malware executables inserted into the site software (I think 10 major ones), all of which did slightly different things. Some created fake user accounts, for example. One bad one was a brute force password hacker.
One of the first signs that the site had been hacked was the fact that site response slowed way down. I checked the server status (good), and found that the site was suddenly making a TON of server calls - much higher than usual. It turns out the one of the malware programs was a password hacker that was (through trial and error) attempting to hack all the user names and passwords on the site. It was only an alpha-numeric hacker (A-Z and 0-9) so if you had a special character in your password you would have been completely safe. But with time (particularly if users used short passwords) it would have hacked all the user accounts and passwords on the site.
With time. One single alpha-numeric character has 36 possible combinations (a-z, 0-9). A two-digit password has 1.296 possible combinations (36 ^2). An 8 digit password has 2,821,110,000,000 possible combinations. If you have a long password, it takes a LONG time to hack. If the password recognizes upper and lower case letters, it is almost exponentially more difficult to hack - and adding special characters brings the total number of possible combinations to 93 per character. So the brute force password hacker was pinging the server with bad password after bad password, to see if any would stick. Normally, if through the site software, someones attempts to log into the site with a bad password, we do a couple of things - first we slow the server calls down so you can't check password verification except every few seconds, and second, if you get several fails, you are timed out of the system (if not locked out entirely). But these were direct server calls from inside the site code and inside of the security wall. It was bringing the server to its knees.
Now why do I share all of this with you? I don't think a single password was hacked, because I caught the exploit pretty quickly. HOWEVER... why would anyone care that they had a hacked user name and a matching password for a bonsai forum site? They wouldn't. There is no money there. However... if you use the SAME user name and SAME password on other sites, you are opening yourself up for abuse. I don't doubt that the first time this malware reported back a positive user name and password, there is a good chance that another program would ping PayPal, Visa, MasterCard, Wells Fargo, etc, with the same user name and password, and see if any would be accepted. Please NEVER use the same user name and password on several sites - especially if they are tied to monetary accounts. Understand that not even I know what password you use for BonsaiNut. The best I can do is reset it if you forget it, or create a temporary one that you can change the moment you have site access. This is one small example of why Internet security is really important - a bonsai site hack could open the door into a bank account if you don't use reasonable security best practices. Use long passwords. Use unique passwords (and user names) for each account. Change your passwords regularly. And consider two-step verification (via cell phone or security fob) for anything important.
Last edited:
