(Originally posted in another sub and now reposted here) In the last few days there were several threads regarding XSS stuff, the site being hacked, the database taken, passwords in plain text, etc...
No proof has been provided so far by /u/whyusheep, even though he had repeated requests from several users, including myself (I even offered to pay him for solid proof).
The example of XSS obviously does not work with the id:xxxx
In SR2 DoctorClu also stated it's FUD.
The Utopia Admin claims:
" - Passwords are encrypted and salted, so using rainbow tables to get plain passwords will never work. The fact that he says he already got a few plain passwords sounds very impossible.
- There are no 'admin accounts' on the market with 'more rights'; everything is done by an external CMS system, so saying he got 'JLaw's' account with admin rights is bullshit. "
So why is the site treated like it was hacked and removed from the sidebar, etc...? What am I missing here?
So far it looks like someone just posted some stuff and managed to have the site removed from the sidebar. Any insight from the mods / security guys here will be appreciated.
EDIT: tl;dr of this thread - Time will tell; there is not going to be proof containing actual data.
EDIT2: The Utopia admin in their forum regarding this thread and the closed registration thing: someone was using automatic registration with mechanize to register thousands of accounts. Will make registrations 'invite only' so we can create a network of trusted sellers/customers.
EDIT3: I gave up and will keep following
I took over his admin account and was using it; ask his low-number vendors. I chatted with a few of them under his account. /u/97 was a funny chat.
Notice he shut down registration, you can't PM anymore unless you deposit, you can't use the forums unless you deposit. These are not the actions of a site where everything is going swimmingly.
I got his salt; that is not hard to accomplish when you have root. You should be worried he doesn't bcrypt.
The admin is full of shit, trying to cover his ass while his site is falling apart. I'm playing games with him now because he called me out; if he doesn't think LE can break into his shitty CakePHP CMS, he is an idiot.
He is running scared now. Don't fuck with me.
Deepdot I'm starting to suspect you are related to them, and if I end up doing research and you are - don't expect me to let you off easy.
Edit: Registration is back up, and now one arm of my attack continues.
Edit: Registration is back down...
Edit: Site down for emergency unscheduled updates.... :)
Edit: Site down completely... :)
Edit: Back up but registration is still down ;)
Edit: Site back down again completely... :) Don't worry guys, whyusheep only correctly identified the webserver software, the framework software and the password encryption algorithm. He's probably lying about the site and database being compromised, not JLaw. Keep your money on the site; there is no way he could have leveraged root access and got the salt. :)
Edit: Lol, hope you didn't register and deposit money recently, because his solution was to delete every user in the database since yesterday. Registrations still down.
Edit: Login disabled now :) Yeah, the site falling apart isn't evidence guys, it's just some guy coincidentally saying the site has terrible security while the admins frantically shut down features.
Edit: It's just a user controller error on login; it's still good, it's still good. It only says the userController is missing. This means they have no development server; they develop on the fly on the production server. This is the kind of professional operation JLaw runs.
Edit: Registration is back but still effectively closed; the captcha can never be correct. Giving the illusion the problem is fixed when it is not.
Edit: And now suddenly registration is by invite only. This is totally a coincidence. :) It's a new feature guys, it's not that his site is broken.
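The admin's quote in the original post (salting defeats rainbow tables) and the reply's point that a salt alone is worthless without bcrypt are two halves of one password-storage question: a salt stops precomputation, but a fast salted hash still costs a guesser one hash per candidate, whereas a slow KDF multiplies that cost by its work factor. The following is an added example written for this thread, not code from the Utopia site or from either poster, and it assumes nothing about their actual schema: it stores and verifies passwords under a legacy salted-SHA-256 scheme and under PBKDF2-HMAC-SHA256 (stdlib; bcrypt is not in the standard library), and upgrades legacy records transparently at login, which is the only moment the plaintext is available to rehash. The record format and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Record format (constructed for this example): "<scheme>$<params>$<salt_hex>$<digest_hex>"
LEGACY_SCHEME = "sha256"          # salted single-round SHA-256, as the admin quote describes
STRONG_SCHEME = "pbkdf2-sha256"   # slow KDF with a tunable work factor
PBKDF2_ITERATIONS = 600_000       # assumed work factor; tune so one hash takes ~100 ms+ on your server


def hash_legacy(password: str, salt: Optional[bytes] = None) -> str:
    """Salted but fast: one SHA-256 per guess, so a dictionary attack is cheap."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{LEGACY_SCHEME}$1${salt.hex()}${digest}"


def hash_strong(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted and slow: each guess costs `iterations` HMAC rounds."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"{STRONG_SCHEME}${iterations}${salt.hex()}${digest}"


def verify(password: str, record: str) -> bool:
    """Recompute under whichever scheme the record names; constant-time compare."""
    scheme, params, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == LEGACY_SCHEME:
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    elif scheme == STRONG_SCHEME:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(params)).hex()
    else:
        raise ValueError(f"unknown password scheme: {scheme}")
    return hmac.compare_digest(candidate, digest_hex)


def work_multiplier(record: str) -> int:
    """Hash invocations a verifier (or a guesser) must perform per candidate password."""
    scheme, params, *_ = record.split("$")
    return 1 if scheme == LEGACY_SCHEME else int(params)


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy records or strong records below the current work factor."""
    scheme, params, *_ = record.split("$")
    return scheme != STRONG_SCHEME or int(params) < min_iterations


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Verify, and if the stored record is weak, return an upgraded one to persist.

    Upgrading only happens here because the plaintext exists only during login;
    nothing can convert a stored SHA-256 digest into a PBKDF2 record offline.
    """
    if not verify(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_strong(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample users with the same password: salts make the digests differ,
    # which is all the "rainbow tables won't work" claim actually buys.
    a = hash_legacy("correct horse")
    b = hash_legacy("correct horse")
    print("same password, different records:", a != b)
    print("cost per guess (legacy):", work_multiplier(a))
    ok, upgraded = login_and_upgrade("correct horse", a)
    print("login ok:", ok, "| cost per guess after upgrade:", work_multiplier(upgraded))
```

The point the reply makes is visible in `work_multiplier`: a salt changes nothing about per-guess cost, only the scheme does. In a migration, keep `needs_rehash` checking the iteration count too, so the work factor can be raised later without another code change.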