To whoever hacked into my Database

Ferrous Cranus nikos.gr33k at gmail.com
Tue Nov 12 14:37:04 CET 2013


On 11/11/2013 11:36 AM, Νίκος Αλεξόπουλος wrote:
> On 6/11/2013 5:25 PM, Νίκος Γκρ33κ wrote:
>> Okay, let the hacker try again to mess with my database!!!
>>
>> He has done it twice, let's see if he will make it again!
>>
>> I am waiting!
>
> I can't believe your ignorance. You're actually telling a huge group of
> developers from all over the globe that your site is impenetrable. Do
> you know how ridiculous you sound? Have you stopped and thought that
> maybe people have better things to do than try to hack your stupid circa
> 1990 website? My three year old could have modified your database. It
> doesn't take a pro to take down your 'security'. Have you not read up on
> anything these people have suggested? Cross Site Scripting? SQL
> Injection? Digital Piracy? Private User Information? No.. you haven't.
> That's why your code is starting to look like this:
> if not '..' in page and not page == '/etc/passwd' and
> os.path.isfile(page) and os.path.exists('/cgi-bin' + page) and cookieID
> == 'some_secret' and host == 'superhost.gr' and
> hacker_is_not_being_mean_today:
>     load_site()
>
> load_private_user_phone_numbers_and_then_post_a_screenshot_for_everyone_to_see()
>
> else:
>     play_pre_millenium_music_and_load_lots_of_gifs()
> wait___go_back_and_load_pirated_music_and_gifs_from_1995_anyway(extra_sauce=True)
>
> You can't sue me for posting the code to your site, there was no copyright.
> I guess my whole point is, if someone really cared I'm sure they could
> get into your site. They could get into a lot of sites that were created
> by people way smarter than you. Ever heard of apache exploits? cpanel
> exploits? for that matter..python exploits? Some of this is beyond your
> control. Actually, all of this is beyond your personal control, you lack
> the capability. What I meant to say is that you could not possibly fix
> all of this even if you were a better python programmer. Be glad 'she'
> wasn't mean.
>
> ======================================
>
> Somebody this morning sent me an email as nikos.sucks at gmail.com saying
> the above.
> My code is not like what you provided, you ignoramus.
>
> # is it a python file or an html template?
> if page and page in os.listdir( cgi_path ):
>     pyvalid = True
> elif os.path.isfile( file ):
>     page = file.replace( path, '' )
>     htmlvalid = True
> else:
>     file = 'forbidden'
> ....
> ....
> if 'forbidden' in file:
>     print( '''<h2><font color=red>Direct access to the script is not
> allowed except through the home page!    Redirecting in 5...''' )
>     print( '''<meta http-equiv="REFRESH" content="5;URL=http://superhost.gr">''' )
>     sys.exit(0)
> ....
> ....
> if cookieID != 'wont_say' and ( htmlvalid or pyvalid ) and re.search(
>         r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
>         host ) is None:
>     # do database insertion here
>
>
> Tell the mighty female hacker to polish her nails, do her hair and fix a
> good meal.
>
> She is incompetent just like yourself.
>
> All this is just an excuse for not being able to mess with my script
> again, because if she could, she would.


Numerous attempts so far, but no breakthrough or database mess for 2 days now.

Okay, I think it's safe to say that manipulation of databases through my
script's variables cannot happen again.
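As an added illustration (this is not code from the thread or from superhost.gr): the allow-list test in the posted snippet, `page in os.listdir(cgi_path)`, is the part that keeps path traversal out, because `os.listdir()` returns bare file names, so an input containing a path separator or `..` can never match an entry. The database side is not shown in the post (only `# do database insertion here`), so everything below it is assumed: an sqlite3 table named `visitors`, a string-formatted INSERT next to the parameterised form. The cookie and host-name checks decide whether the insert runs; they say nothing about what the inserted values contain, which is what a constructed hostile host value exploits in the unsafe variant.

```python
import os
import re
import sqlite3
import tempfile

# Host-name block list, copied from the regex in the posted snippet.
BOT_HOST_RE = re.compile(
    r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)')


def make_demo_cgi_dir():
    """Constructed sample cgi directory holding the only two servable files."""
    cgi_path = tempfile.mkdtemp(prefix='demo_cgi_')
    for name in ('index.py', 'about.html'):
        with open(os.path.join(cgi_path, name), 'w') as fh:
            fh.write('')
    return cgi_path


def classify_page(page, cgi_path):
    """Allow-list check in the spirit of the posted `page in os.listdir(...)`.
    listdir() yields bare names, so '../etc/passwd' or 'index.py/../../x'
    is simply absent from the list; no '..' blacklist is involved."""
    if page and page in os.listdir(cgi_path):
        return 'py' if page.endswith('.py') else 'html'
    return 'forbidden'


def host_is_bot(host):
    """Same host filter as the snippet: True means the visit is not logged."""
    return BOT_HOST_RE.search(host) is not None


def open_visitor_db():
    """Assumed schema: the post never shows the table, only a comment."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE visitors (page TEXT, host TEXT)')
    return conn


def record_visit_unsafe(conn, page, host):
    """Injectable insert: the values are pasted into the SQL text, so a quote
    in `host` ends the literal and the rest is parsed as SQL."""
    conn.execute(
        "INSERT INTO visitors (page, host) VALUES ('%s', '%s')" % (page, host))
    return conn.execute('SELECT COUNT(*) FROM visitors').fetchone()[0]


def record_visit(conn, page, host):
    """Parameterised insert: sqlite3 binds page/host as data, never as SQL."""
    conn.execute('INSERT INTO visitors (page, host) VALUES (?, ?)', (page, host))
    return conn.execute('SELECT COUNT(*) FROM visitors').fetchone()[0]


def demo():
    cgi_path = make_demo_cgi_dir()
    results = {
        name: classify_page(name, cgi_path)
        for name in ('index.py', 'about.html', '../etc/passwd',
                     'index.py/../../etc/passwd')
    }
    # Constructed hostile host value: closes the quote, appends a second
    # VALUES row and comments out the trailing quote the format string adds.
    evil_host = "x'), ('admin.py', 'attacker.example') --"
    unsafe_rows = record_visit_unsafe(open_visitor_db(), 'index.py', evil_host)
    safe_conn = open_visitor_db()
    safe_rows = record_visit(safe_conn, 'index.py', evil_host)
    stored_host = safe_conn.execute('SELECT host FROM visitors').fetchone()[0]
    return results, unsafe_rows, safe_rows, stored_host


if __name__ == '__main__':
    print(demo())
```

The unsafe path ends up with two rows from one request (the smuggled `admin.py` visit included), while the parameterised path stores the hostile string verbatim as a single row; the host regex and cookie comparison would have let the same value through in both cases.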


