Even an idiotic noob like me (MasterTonberry) can go to Babelfish and click Translate Webpage, and i'll put up a few things w1r3d said on here, (or at least, what Babel Fish makes of it) while he was arguing with Martian~Blood:

w1r3d: excrement Indian I do not need a super computer to crackear md5, with rainbow tables I can crackear almost everything in less than 2 minutes, am ke is, you call it as you call it were hack, and I can bolber it to aser and it was cookies neither scripts nor nothing, was PURE HACK!

w1r3d: ke changes to me of address by ke? by my IP? this in cafe Internet, of a network wireless, aside ay as 5 wireless aki opened ke and I can be in favor changing, kieres to see? cheka my IP another one bes jajaja

Just go to babelfish.altavista.com and translate http://www.ozmita.com/foro/punbb/upload/viewtopic.php?id=2667&p=2
from Spanish into English... yes, it's far from perfect, but you can get a general picture.
Someone needs to get this guy arrested if he's stealing paypal accounts... this can't be good.

~AreS]

Canada2170 Posts

September 06 2006 02:17 GMT

#107

He uploaded a pre-made script (yes, a script that he downloaded off the Internet) and gained control that way. Pure hack? Script kiddie.

AnT_bErG[ImK]

United Kingdom24 Posts

September 06 2006 02:19 GMT

#108

If we can control PGTour by downloading scripts off the internet... this can't be good. Surely there is a way to prevent this?

FreeZEternal

Korea (South)3396 Posts

September 06 2006 02:24 GMT

#109

Even with rainbow tables, it depends what's the maximum length of the password, and if it contains letter and/or digits, and if it is uppercase or lowercase=.=. I doubt he got 32 paypal accounts.

B.S

~AreS]

Canada2170 Posts

September 06 2006 02:25 GMT

#110

On September 06 2006 11:19 AnT_bErG[ImK] wrote:
If we can control PGTour by downloading scripts off the internet... this can't be good. Surely there is a way to prevent this?

It's actually quite simple. On PGTour, we had an upload section for the staff to use. Eventually we branched it off so people could upload replays for complaints, and whatnot. Well, this script wasn't written by Chr1s. This was a premade upload script that they borrowed because it was only for private use when it was first used. What the script failed to do was check the file extension, meaning users were able to upload .php files and execute them.

This problem will undoubtedly be fixed, and it's easy to do so. So, in short, he got lucky. Mind you, he did know what he was doing to an extent.

ShabZzoY!

Great Britain760 Posts

September 06 2006 02:26 GMT

#111

seriously why would someones BW username be the same as their paypal account
(+ same argument with passwords)

Gimli[Legie]

Czech Republic47 Posts

September 06 2006 02:26 GMT

#112

so no progress so far?
edit: And pls what are those paypal accounts?

AnT_bErG[ImK]

United Kingdom24 Posts

September 06 2006 02:28 GMT

#113

I see... well, let's hope this hole is sealed soon. I for one will support pat all the way =)

Was w1r3d originally an admin, or has someone leaked an admin pass ?

~AreS]

Canada2170 Posts

September 06 2006 02:29 GMT

#114

On September 06 2006 11:26 ShabZzoY! wrote:
seriously why would someones BW username be the same as their paypal account
(+ same argument with passwords)

When you register, you need to put in your e-mail address. There's a good chance someone used the same e-mail. However, it's extremely unlikely that he got any paypal accounts, because first of all, there are hundreds of thousands of accounts on PGTour. He would have to crawl the database and grab the e-mail address for each, as well as the MD5 of their passwords, then try to crack it and attempt to log in.

Sounds like bullshit to me.

On September 06 2006 11:28 AnT_bErG[ImK] wrote:
Was w1r3d originally an admin, or has someone leaked an admin pass ?

As far as we know, he wasn't an admin. However, he could have and probably was masking his IP while doing this, so we'll never know.

But no passwords were compromised.

FreeZEternal

Korea (South)3396 Posts

September 06 2006 02:29 GMT

#115

Of course he knew what he was doing if he was able to delete DB tables -.-; using an exploit in pgtour.

AnT_bErG[ImK]

United Kingdom24 Posts

September 06 2006 02:29 GMT

#116

On September 06 2006 11:26 ShabZzoY! wrote:
seriously why would someones BW username be the same as their paypal account
(+ same argument with passwords)

Because you might have registered the same email on PGT as you use for paypal... and your email IS your username on PayPal.

ShabZzoY!

Great Britain760 Posts

September 06 2006 02:31 GMT

#117

Even more reason for the password to be unique...

AnT_bErG[ImK]

United Kingdom24 Posts

September 06 2006 02:35 GMT

#118

Because some people have difficulty remembering one password as it is, which is why many sites have autologin or password remembrance functions.

ShabZzoY!

Great Britain760 Posts

September 06 2006 02:38 GMT

#119

I always thought it would be hard to move money about online without a trail

Either way, if hes stealing money hes playing a dangerous game

AnT_bErG[ImK]

United Kingdom24 Posts

September 06 2006 02:40 GMT

#120

On September 06 2006 11:29 ~AreS] wrote:

Show nested quote +

As far as we know, he wasn't an admin. However, he could have and probably was masking his IP while doing this, so we'll never know.

But no passwords were compromised.

He mentioned something about a 'super-script' that would do this for him.