[VonC]GrnEyedDvl

**Bolkonsky** · March 28, 2012, 09:01 AM

I'm sure your jaw hit the floor when you saw this, as did mine when the evidence was first presented to me. I received an anonymous tip from someone that claimed they had a conversation with a Hex member, who had reported that there was some suspicious activity regarding Hex member's timezones and attitudes. I did a little preliminary investigating and found that there was some truth to the statement. I dug through some old logs with my Tech Staff access, and was pretty shocked by what I found:

220 ftp.twcenter.net FTP server (sftpd(16) Mo Jun 20 18:32:59 EST 2011) ready.
USER grneyeddvl
331 Password required for grneyeddvl
PASS
230-Checking disk usage, please wait.
230- Your disk usage is:
230- Home/WWW: 1.23 gigabytes
230 User grneyeddvl@twcenter.net logged in.
SYST
215 UNIX Type: L8 Version: BSD-198911
PWD
257 "home/grneyeddvl" is current directory.
CD "/var/www/forums/hash"
257 MKD command successful.
TYPE A
RETR passwd.sha
LIST

So why was GrnEyedDvl downloading the password hash on June 20th? Well if you guys will remember, sometime in January it was announced that he had bought the site from Garb, 6 months. It is my belief that he had attempted to brute-force the passwords, so he could take over Hex accounts to ensure that he would get the yes-votes needed. However he was caught by Squid at the time. He was apparently quick enough in covering his tracks though, and made it seem like he had been hacked.

All that made sense, until I investigated further. Rather than going through the noisy AdminCP, which would leave a trail, he decided to take the lower risk, though still risky, by manually changing their password and email field with a MySQL query. He thought he deleted the relevant logs, but he never commited the Git changes, and I found them by recalling the git and investigating the formerly deleted logs. I found that on July 2nd, GrnEyedDvl ran this query:

Jul 2 grneyeddvl - mysql> select username from userid (1200) and replace password x3kkWj5;

Userid 1200 being Trajan

Jul 2 grneyeddvl - mysql> select username from userid (26684) and replace password x3kkWj5;

TheFirstONeill

Jul 2 grneyeddvl - mysql> select username from userid (23386) and replace password x3kkWj5;

Squid

It was confirmed by the anonymous Hex member that those were the three members needed to obtain the unanimous vote required for the selling of the site. I also checked the AdminCP logs to find something else.

GED has been hard deleting accounts under the premise that they are spambots, but he let a couple slip up in the logs:

July 6 2011 User GrnEyedDvl deleted User Account squid2
July 6, 2011 User GrnEyedDvl deleted User Account TheSecondONeill

Most certainly not coincidence. The amount of evidence is most certainly overwhelming, I really don't know what to say, other than that we, as the Curia, need to rise up once again to free the site from the tyranny of it's current administration. It took me a good long two days just to get the guts to post this, but in the end I decided that if we're investing our time into a fake site, I'd rather end up banned than to have this weighing on my conscience.

**Magicman2051** · March 28, 2012, 09:21 AM

This is... whoa.

I just realised, if you look at this thread you can see a clear pattern in the conversation between GED and Squid, it was staged.

**M D** · March 28, 2012, 09:27 AM

Im afraid this news is so very grave, but KILL THE WITCH! Support. On a separate note, where is Gort?

**Augustus Lucifer** · March 28, 2012, 09:30 AM

I think now we all know what the green eye is.... it's the eye of an ogre!

**Harry Lime** · March 28, 2012, 09:31 AM

I'm sorry but technical logs mean nothing to me and I don't know what a hash is for, except eating or smoking. Are you saying that GED has access to all our passwords now? Has he replaced the aforementioned Hex members with his own presence? I thought I hadn't seen TFON around but put that down to Man City's haltering form. Squid, however I spoke to the other day although he didn't seem as friendly as usual, I still can't believe it was GED incognito, if that's what you're saying.

**Augustus Lucifer** · March 28, 2012, 09:42 AM

Originally Posted by Harry Lime

I'm sorry but technical logs mean nothing to mean and I don't know what a hash is for, except eating or smoking. Are you saying that GED has access to all our passwords now? Has he replaced the aforementioned Hex members with his own presence? I thought I hadn't seen TFON around but put that down to Man City's haltering form. Squid, however I spoke to the other day although he didn't seem as friendly as usual, I still can't believe it was GED incognito, if that's what you're saying.

The database doesn't store passwords in plain text format, it "hashes" them by running them through a hashing algorithm and adding a salt value, which makes them look like they're stored as gibberish. It uses that value to transform your text input when you login to what the database recognizes, so that if someone did get their hands on a password file somewhere it'd require them to do some cracking of the hash algorithm.

I believe vBulletin currently uses SHA-1 hashing, which isn't the most secure due to the fact it produces a code with less bits, and may be vulnerable to collision attacks. vBulletin 4 did upgrade the hash to SHA-2, which is a couple of orders of magnitude more difficult to crack (nobody has even suggested a viable disturbance vector to my knowledge). Makes you wonder why the vB4 upgrade has been taking so long.......

**M D** · March 28, 2012, 09:41 AM

I think this runs far deeper Harry, I think GED may even have infiltrated the Council that cannot be named

**Bolkonsky** · March 28, 2012, 09:44 AM

It's possible to change the passwords via the ACP or MySQL Query (which is what he ended up doing) but cracking their passwords, and logging directly into their accounts to change them would leave far less of a trail.

**M D** · March 28, 2012, 09:44 AM

When will Martial Law be coming into effect? As I need to hide some stuff

**Harry Lime** · March 28, 2012, 09:52 AM

Originally Posted by Major Darling

I think this runs far deeper Harry, I think GED may even have infiltrated the Council that cannot be named

You mean the Sanhedrin? Yes, I named it and now I'm damned but it doesn't matter any more. It went when he went.

Originally Posted by Augustus Lucifer

The database doesn't store passwords in plain text format, it "hashes" them by running them through a hashing algorithm and adding a salt value, which makes them look like they're stored as gibberish. It uses that value to transform your text input when you login to what the database recognizes, so that if someone did get their hands on a password file somewhere it'd require them to do some cracking of the hash algorithm.

I believe vBulletin currently uses SHA-1 hashing, which isn't the most secure due to the fact it produces a code with less bits, and may be vulnerable to collision attacks. vBulletin 4 did upgrade the hash to SHA-2, which is a couple of orders of magnitude more difficult to crack (nobody has even suggested a viable disturbance vector to my knowledge). Makes you wonder why the vB4 upgrade has been taking so long.......

Yes, that is suspicious but I'm holding back on jumping to assumptions until....

a) I hear some corroborating evidence. Bolk could be covering up for something he did.

b) If the allegations are true, an explanation from GED. There may well be a rational, uncorrupted reason for this.

**GrnEyedDvl** · March 28, 2012, 10:00 AM

Originally Posted by Harry Lime

b) If the allegations are true, an explanation from GED. There may well be a rational, uncorrupted reason for this.

I dont have to explain a god damned thing.

**Bolkonsky** · March 28, 2012, 10:20 AM

Originally Posted by GrnEyedDvl

I dont have to explain a god damned thing.

Except you do. You've said it yourself multiple times that this is just as much everyone else's site as it is yours. We're the people that make it up, the people that keep it running. If it weren't for us, you would have a

ing site to buy, let alone explain! I'll be honest, I would have supported you buying the site regardless, but if you're gonna go around sneaking and changing stuff like that, you can forget it, I don't want to be a part of it.

**Hobbes** · March 28, 2012, 11:01 AM

Originally Posted by GrnEyedDvl

I dont have to explain a god damned thing.

Is that because you can't or because you want appear superior? Please GED, you must have something to say, I mean you are being accused of manipulation, you can't just ignore it.

**Harry Lime** · March 28, 2012, 11:06 AM

Originally Posted by GrnEyedDvl

I dont have to explain a god damned thing.

Excuse me? As one of the members who brought you into Hex in the first place I would expect at least a modicum of respect and a great deal more accountability in explaining your actions. I was willing to give you the benefit of the doubt but your removal of the Tech staff is damning enough evidence. If you really wanted to cover stuff up you should have permabanned them and then we would be right back to Ogre again, wouldn't we? Which, and I'm assuming here, would be what you wanted all along. A not so benevolent dictatorship. I can't see any other explanation here......unless you can give one?

If this isn't sorted out quickly and to everyone's satisfaction (probably not yours) I can see mass resignations from staff, some very dodgy moderators being appointed, well-respected members of this house banned for stating their opposition and hurried phone-calls in airports. It's funny how history repeats itself.