You may have noticed that since yesterday, CR has not been up and URLs like http://ji4wrifhsnawaw7t.onion/forum/index.php?action=profile;area=account
have been spitting out error messages like "Connection Problems: Sorry,
SMF was unable to connect to the database. This may be caused by the
server being busy. Please try again later."
This is because CR was insecure, not anonymous, and has been hacked,
very similar to the recent Drugslist/Cantina/Black-Goblin/Utopia
problems. Yesterday I was PMed my cleartext password and PIN for my CR account; the hacker had completely compromised CR and told me:
...the server is so insecure, it is riddled with sql injections. the
smf was also leaking the server ip... not that it mattered, but 100%
amateur. there was no real transactions but it was available and plain
text.. could have rooted it im sure, if i cared. everything was
plaintext
I believe his claims about the lack of password protection: my
passwords are generated by Lastpass and generally at least 20 characters
long, so bruteforcing a hash would be difficult. (You might think that
every programmer in the world appreciates that passwords must be stored
hashed, but CR proves that there is no level of incompetence a market
cannot reach, although I'm not sure if that's worse than Black Goblin's problems.)
This is an example of why you must avoid password reuse and must use
different passwords on each market you might be active on - the owners
could be shockingly incompetent and reveal your password to anyone in
the world who can read the database.
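As an added illustration (my own example code, not anything from CR or SMF), here is the difference between what the CR database held and what a forum database should hold. The record produced by the plaintext scheme contains the password verbatim, so any dump reveals it; the salted PBKDF2 record lets the site verify a login without ever storing the password itself. Function names, the round count and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed example: plaintext storage (what the hacked server did) next to
# salted PBKDF2-HMAC-SHA256 storage. The round count is a choice for this
# example, not a value from the page.
PBKDF2_ROUNDS = 200_000


def store_plaintext(password: str) -> dict:
    """The CR way: whoever can read the database can read the password."""
    return {"scheme": "plain", "secret": password}


def store_hashed(password: str) -> dict:
    """Keep only a random salt and the key derived from salt + password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "rounds": PBKDF2_ROUNDS,
        "hash": dk.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either kind of record (constant-time compare)."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"].encode(), attempt.encode())
    dk = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def password_visible_in_record(record: dict, password: str) -> bool:
    """What a database dump exposes: is the password literally in the row?"""
    return password in "".join(str(v) for v in record.values())


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    for rec in (store_plaintext(pw), store_hashed(pw)):
        print(rec["scheme"], "login ok:", verify(rec, pw),
              "password readable from dump:", password_visible_in_record(rec, pw))
```

Two details matter for a site like this: the salt is per record, so two users with the same password get different hashes and a precomputed table is useless, and the comparison is constant-time so the check itself does not leak. A memory-hard function (scrypt, Argon2) is the better choice for new code; PBKDF2 is used here only because it ships with the standard library.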
He provided further notes and details from the CR server:
SQLs
debian-sys-maint@localhost ( 46.244.10.113) site is up on clearnet, lulz
cannabdb
5.5.24-0ubuntu0.12.04.1
debian-sys-maint|*09F6CB5A0E18242AF79E2CB4918D4B3F89C39CE0
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
manager:x:1000:1000:manager,,,:/home/manager:/bin/bash
debian-tor:x:107:115::/var/lib/tor:/bin/bash
ftp:x:108:116:ftp daemon,,,:/srv/ftp:/bin/false
nikunj:x:1001:1001::/var/www:/bin/sh
hi nikunj
/etc/hosts
127.0.0.1 localhost
46.244.10.113 savage.cyberbunker.com savage
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
SMF leaking server IP from multiple places.
<head>
<link rel="stylesheet" type="text/css" href="http://46.244.10.113/forum/Themes/default/css/index.css?fin20" />
<script type="text/javascript" src="http://46.244.10.113/forum/Themes/default/scripts/script.js?fin20"></script>
<script type="text/javascript" src="http://46.244.10.113/forum/Themes/default/scripts/theme.js?fin20"></script>
<script type="text/javascript"><!-- // --><![CDATA[
var smf_theme_url = "http://46.244.10.113/forum/Themes/default";
var smf_default_theme_url = "http://46.244.10.113/forum/Themes/default";
var smf_images_url = "http://46.244.10.113/forum/Themes/default/images";
var smf_scripturl = "http://ji4wrifhsnawaw7t.onion/forum/index.php";
var smf_iso_case_folding = false;
var smf_charset = "ISO-8859-1";
var ajax_notification_text = "Loading...";
var ajax_notification_cancel_text = "Cancel";
// ]]></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
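The leak above is a configuration problem an operator can catch on their own pages before anyone else does: SMF builds absolute URLs from its configured "board URL", so if that setting holds the clearnet address, every theme, script and image link advertises it. Below is an added self-check (my own example, not part of the post or of SMF) that takes a rendered page and the .onion name the service is meant to answer on, and reports every absolute URL whose host is something else. The sample markup is constructed to mimic the snippet above; `192.0.2.10` and the `.onion` name in it are placeholders, not the real values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the SMF output quoted in the post.
# 192.0.2.10 (a documentation address) and the .onion name are placeholders.
SAMPLE_HTML = """<head>
<link rel="stylesheet" type="text/css" href="http://192.0.2.10/forum/Themes/default/css/index.css?fin20" />
<script type="text/javascript" src="http://192.0.2.10/forum/Themes/default/scripts/script.js?fin20"></script>
<script type="text/javascript"><!-- // --><![CDATA[
var smf_theme_url = "http://192.0.2.10/forum/Themes/default";
var smf_scripturl = "http://exampleonionaddress1.onion/forum/index.php";
// ]]></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
"""

# Absolute http(s) URLs anywhere in the page body, including inside inline JS.
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)


def host_kind(host: str) -> str:
    """Classify a host as 'ip', 'onion' or 'clearnet' (DNS name)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "onion" if host.lower().endswith(".onion") else "clearnet"


def find_leaked_hosts(html: str, expected_host: str) -> dict:
    """Map each unexpected host to the URLs that point at it.

    Any absolute URL whose host differs from expected_host is a leak
    candidate: an IP literal or clearnet name gives away where the
    hidden service really lives.
    """
    leaks = {}
    for url in URL_RE.findall(html):
        host = urlsplit(url).hostname
        if host is None or host.lower() == expected_host.lower():
            continue
        leaks.setdefault(host, []).append(url)
    return leaks


def report(html: str, expected_host: str) -> list:
    """Human-readable lines, one per offending host."""
    return [
        f"{host} ({host_kind(host)}): {len(urls)} URL(s)"
        for host, urls in sorted(find_leaked_hosts(html, expected_host).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_HTML, "exampleonionaddress1.onion"):
        print(line)
```

Run it against a page fetched through the hidden service itself; an empty result means every link stays on the .onion name. Anything reported as `ip` or `clearnet` is the kind of disclosure the quoted markup shows, and on SMF the fix is the board URL setting plus a grep of the theme templates for hard-coded addresses.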
Sad and pathetic. The only good thing I can say about CR's operator
is that it seems he appreciates the gravity of his problems and has not
tried to bluff or lie about them like some have.
RIP CannabisRoad (2-7 February 2014).