You may have noticed that since yesterday, CR has not been up and URLs like http://ji4wrifhsnawaw7t.onion/forum/index.php?action=profile;area=account have been spitting out error messages like "Connection Problems: Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later."
This is because CR was insecure, not anonymous, and has been hacked, very similar to the recent Drugslist/Cantina/Black-Goblin/Utopia problems. Yesterday I was PMed my cleartext password and PIN for my CR account; the hacker had completely compromised CR and told me:
...the server is so insecure, it is riddled with sql injections. the smf was also leaking the server ip... not that it mattered, but 100% amateur. there was no real transactions but it was available and plain text.. could have rooted it im sure, if i cared. everything was plaintext
I believe his claims about the lack of password protection: my passwords are generated by LastPass and generally at least 20 characters long, so bruteforcing a hash would be difficult. (You might think that every programmer in the world appreciates that passwords must be stored hashed, but CR proves that there is no level of incompetence a market cannot reach, although I'm not sure if that's worse than Black Goblin's problems.) This is an example of why you must avoid password reuse and must use different passwords on each market you might be active on - the owners could be shockingly incompetent and reveal your password to anyone in the world who can read the database.
He provided further notes and details from the CR server:
SQLs
debian-sys-maint@localhost ( 46.244.10.113) site is up on clearnet, lulz
cannabdb
5.5.24-0ubuntu0.12.04.1
debian-sys-maint|*09F6CB5A0E18242AF79E2CB4918D4B3F89C39CE0
nikunj:x:1001:1001::/var/www:/bin/sh
hi nikunj
/etc/hosts
127.0.0.1 localhost
46.244.10.113 savage.cyberbunker.com savage
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
SMF leaking server IP from multiple places.
<head>
<link rel="stylesheet" type="text/css" href="http://46.244.10.113/forum/Themes/default/css/index.css?fin20" />
<script type="text/javascript" src="http://46.244.10.113/forum/Themes/default/scripts/script.js?fin20"></script>
<script type="text/javascript" src="http://46.244.10.113/forum/Themes/default/scripts/theme.js?fin20"></script>
<script type="text/javascript"><!-- // --><![CDATA[
var smf_theme_url = "http://46.244.10.113/forum/Themes/default";
var smf_default_theme_url = "http://46.244.10.113/forum/Themes/default";
var smf_images_url = "http://46.244.10.113/forum/Themes/default/images";
var smf_scripturl = "http://ji4wrifhsnawaw7t.onion/forum/index.php";
var smf_iso_case_folding = false;
var smf_charset = "ISO-8859-1";
var ajax_notification_text = "Loading...";
var ajax_notification_cancel_text = "Cancel";
// ]]></script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
Sad and pathetic. The only good thing I can say about CR's operator is that it seems he appreciates the gravity of his problems and has not tried to bluff or lie about them like some have.
RIP CannabisRoad (2-7 February 2014).
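An operator can catch the kind of leak shown in the `<head>` dump above by checking rendered HTML for absolute URLs that point anywhere other than the service's own hostname. The following is an added example, not part of the original post; the function names, the `example.onion` host and the 192.0.2.10 documentation address are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the <head> above; 192.0.2.10 is an RFC 5737
# documentation address and example.onion is a placeholder host.
SAMPLE_HTML = """<head>
<link rel="stylesheet" type="text/css" href="http://192.0.2.10/forum/Themes/default/css/index.css?fin20" />
<script type="text/javascript" src="/forum/Themes/default/scripts/script.js?fin20"></script>
<script type="text/javascript"><!-- // --><![CDATA[
var smf_theme_url = "http://192.0.2.10/forum/Themes/default";
var smf_scripturl = "http://example.onion/forum/index.php";
// ]]></script>
</head>"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)

class _UrlCollector(HTMLParser):
    """Collect absolute URLs from tag attributes, inline script text and comments."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.urls += [(f"<{tag} {name}>", u) for u in URL_RE.findall(value)]
    def handle_data(self, data):
        self.urls += [("inline text", u) for u in URL_RE.findall(data)]
    handle_comment = handle_data

def classify(host):
    """A literal IP is the worst case: it names the server directly."""
    try:
        ipaddress.ip_address(host)
        return "raw-ip"
    except ValueError:
        return "foreign-host"

def find_origin_leaks(html, allowed_hosts):
    """Return (where, url, kind) for each absolute URL whose host is not allowed."""
    parser = _UrlCollector()
    parser.feed(html)
    parser.close()
    leaks = []
    for where, url in parser.urls:
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in allowed_hosts:
            leaks.append((where, url, classify(host)))
    return leaks
```

Run against every rendered page with the onion hostname as the only allowed host, it flags settings such as `smf_theme_url` that still hold the server's address while `smf_scripturl` passes.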
And the DNM graveyard continues to grow. We should make a memorial video like they do on the Oscars.