The problem with this hacking thing
Favourtism
05-06-2009, 07:52 PM
The only people with sufficient access to sort it out seem to be nvrspk (different timezone), sierk (different timezone), mr.osh (away since 5 months ago?), and Jin (busy/away?)
Give AGMs access so somebody who's here in our timezone can fix errors/hackings
Frank459
05-06-2009, 07:54 PM
I believe Sammeth has access as the redirecting of hxl has been sorted (so obviously somebody has fixed it.) I don't think it's just those 4 who have access to the site FTP ;)
scott
05-06-2009, 07:57 PM
Sam did post he does have it but it's been playing up and hasn't been able to access it for a few days.
Frank459
05-06-2009, 07:58 PM
Shouldn't be too hard of connecting to an ftp server? But he must have access seeing as it has all been sorted out (the redirecting etcetera)
Sammeth.
05-06-2009, 08:00 PM
Mrs.McCall removed the redirect, because as News Manager he has the right access. I did redirect to Habbox via the HxL cPanel but that was hastily removed by one of those sexually deprived people. They haven't exactly done anything severe, just caused a minor inconvenience. It's a shame that one member of staff fell victim during this.
I only have manager perms on Habbox but as Scotty said it's been playing up. It's just testament to how little they've actually done :P
scott
05-06-2009, 08:01 PM
Shouldn't be too hard of connecting to an ftp server? But he must have access seeing as it has all been sorted out (the redirecting etcetera)
That's HxL though not hx.com admin
Immenseman
05-06-2009, 08:17 PM
Yeah, I outlined this in my thread. However, you have to see the other side also. Management are very reluctant to give people full admin access to the sites and rightly so, for obvious reasons. I'm sure after this there has to be a change because things were dealt with well enough but still room for improvement. For example, the article was there for quite a while and HxL being redirected.
Mrs.McCall
05-06-2009, 08:21 PM
Yeah, I outlined this in my thread. However, you have to see the other side also. Management are very reluctant to give people full admin access to the sites and rightly so, for obvious reasons. I'm sure after this there has to be a change because things were dealt with well enough but still room for improvement. For example, the article was there for quite a while and HxL being redirected.
The problem with that is that only news manager, site editors, senior news reports and agms have access to edit ALL habbox.com articles. I logged on later than usual and, as Sam's perms weren't fixed, deleted it straight away.
dogboy123
05-06-2009, 08:28 PM
I'm sure after this there has to be a change because things were dealt with well enough but still room for improvement. For example, the article was there for quite a while and HxL being redirected.
I wasn't there when it all happened, but I've picked things up.
I think it's unreasonable that you said it wasn't done quick enough. Not every day that habbox.com gets hacked so it's hard to keep your head straight when there's people running about claiming habbox has been hacked.
And by the looks of it, they dealt with it very well and they're keeping it updated
I think it's very impressive tbh! :D
Immenseman
05-06-2009, 08:36 PM
I wasn't there when it all happened, but I've picked things up.
I think it's unreasonable that you said it wasn't done quick enough. Not every day that habbox.com gets hacked so it's hard to keep your head straight when there's people running about claiming habbox has been hacked.
And by the looks of it, they dealt with it very well and they're keeping it updated
I think it's very impressive tbh! :D
If you actually read about before jumping to conclusions you'd see I was the first to congratulate them on their reaction. However, I'm sure they will agree there was room for improvement, that isn't me being unreasonable but merely a fact.
You can't use the excuse "it's not every day habbox gets hacked". There should be actions to prevent managers using similar passwords for everything they use. Of course, I'm not going to put blame on anybody as that isn't my job and if anyone is to fault I have no doubt nvrspk4 will deal with them privately.
I think the reaction to the threat of the forum was remarkable. Garion placed a temporary ban on ,Jess, account within a minute of the realisation it was her who had been compromised. However, the article on Habbox.com was there for quite a while. Like Joey pointed out people weren't online. They can't be online all the time but for people who don't use the forum and went onto the site the article was advertising they were at threat and that's a dangerous place to be.
Even as a normal member I would like to think I did what I could to help which did include me being banned on a forum I won't mention :8 so I don't really want to have to listen to you, who wasn't even online, lecturing me.
nvrspk4
05-06-2009, 11:12 PM
The bigger issue here was actually a little bit of a misunderstanding over passwords where we just couldn't find the right one for a little bit.
The only thing that would have helped them would be access to the root of Habbox which for obvious reasons is given out to the GM, Techie, and Site Owner. While you can reset CPanel PWs the root is the highest level of access.
The way the CPanel works is that the PW can only be changed from the root. Therefore, the managers will be able to go back and forth with the hackers until someone arrives to reset the root. However if the root is taken then it's much more difficult.
We would much rather have the site messed up for a couple hours extra than have to deal with the root being compromised.
We try and minimize the number of people having access to things for safety reasons, for a while I made HxL managers send their changes through Mr.OSH after Habbox got hacked last time and we decided on more stringent security measures but gave them access when he went away, and in the end a HxL manager got hacked.
I think the system is fine how it is.
Immenseman
05-06-2009, 11:17 PM
The bigger issue here was actually a little bit of a misunderstanding over passwords where we just couldn't find the right one for a little bit.
The only thing that would have helped them would be access to the root of Habbox which for obvious reasons is given out to the GM, Techie, and Site Owner. While you can reset CPanel PWs the root is the highest level of access.
The way the CPanel works is that the PW can only be changed from the root. Therefore, the managers will be able to go back and forth with the hackers until someone arrives to reset the root. However if the root is taken then it's much more difficult.
We would much rather have the site messed up for a couple hours extra than have to deal with the root being compromised.
We try and minimize the number of people having access to things for safety reasons, for a while I made HxL managers send their changes through Mr.OSH after Habbox got hacked last time and we decided on more stringent security measures but gave them access when he went away, and in the end a HxL manager got hacked.
I think the system is fine how it is.
Yeah and at the end of the day there are numerous things in place to ensure that managers don't get hacked. They are told not to use the same passwords which unfortunately didn't happen in this case.
However, if they listened and took all advice given to them it's very unlikely they'd be compromised. Even when it does happen (it's bound to) the right actions are in place to ensure that there isn't much damage then.
It could have potentially been dangerous to official status mind you if more articles had been posted on habbox.com with pornography or anything real graphic. This wasn't the case and because of the incident people will be more alert to dangers, hopefully anyway.
To put things in perspective, by giving out additional access we would decrease the amount of time it would take to restore our site but increase the chances of getting hacked more frequently which in turn would cause more down time.
If our servers are compromised at the level of access that Myself, sierk and nvr operate at then we would be down for about a week we may not even fully recover from it. I think that our news manager and A(GM)'s handled the issue very very well. It didn't take me too long to sort out my end of things habboxlive.com was sorted in 30 mins and despite the few set backs with habbox.com which increased the time to 45 mins we were up and running fairly quickly.
This hacking has actually been a blessing in disguise as I noticed something whilst fixing the site that could have caused us a lot of issues later on.
nvrspk4
05-06-2009, 11:21 PM
Yeah and at the end of the day there are numerous things in place to ensure that managers don't get hacked. They are told not to use the same passwords which unfortunately didn't happen in this case.
However, if they listened and took all advice given to them it's very unlikely they'd be compromised. Even when it does happen (it's bound to) the right actions are in place to ensure that there isn't much damage then.
It could have potentially been dangerous to official status mind you if more articles had been posted on habbox.com with pornography or anything real graphic. This wasn't the case and because of the incident people will be more alert to dangers, hopefully anyway.
Even if she had used all different passwords, it wouldn't have changed anything lol. It's very difficult to be perfect and there will be mess ups. To expect that none of our managers will ever be hacked is unrealistic. There may be consequences when they do, it's not like we'll brush it off, but we also contingency plan for it.
No, it wouldn't have :P I've spoken to staff, as long as it's reasonable what happened, and you email them to let them know about it (as I did) and you show that you took reasonable precautions which didn't help, they let it go.
Immenseman
05-06-2009, 11:24 PM
Even if she had used all different passwords, it wouldn't have changed anything lol. It's very difficult to be perfect and there will be mess ups. To expect that none of our managers will ever be hacked is unrealistic. There may be consequences when they do, it's not like we'll brush it off, but we also contingency plan for it.
No, it wouldn't have :P I've spoken to staff, as long as it's reasonable what happened, and you email them to let them know about it (as I did) and you show that you took reasonable precautions which didn't help, they let it go.
It would have because she wasn't keylogged but iStealer. She hadn't typed all the passwords in but because of the fact all her passwords were so similar it was easy for them to jump around. So it probably would have changed the situation.
It was reasonable what happened only because Dlox didn't care. If he had put a phisher up and loads of habbox users had been hacked I'm not so sure they would have seen that as "reasonable". I certainly wouldn't have and he could have easily put a link to one in the article and even pretended to be a real news reporter as more people would have fallen for it. Luckily he has no GCSEs so would never have thought of anything so imaginative.
Blinger1
05-06-2009, 11:38 PM
It would have because she wasn't keylogged but iStealer. She hadn't typed all the passwords in but because of the fact all her passwords were so similar it was easy for them to jump around. So it probably would have changed the situation.
It was reasonable what happened only because Dlox didn't care. If he had put a phisher up and loads of habbox users had been hacked I'm not so sure they would have seen that as "reasonable". I certainly wouldn't have and he could have easily put a link to one in the article and even pretended to be a real news reporter as more people would have fallen for it. Luckily he has no GCSEs so would never have thought of anything so imaginative.
Or he doesn't really care about ruining the site that much?
I have 'gained access' to other fansites and deleted an article or two but not posted links to phishing sites or whatever, just to prove there was an exploit.
Sure he keylogged whoever it was, but that might just be to say that "blahblah of staff hasn't got much knowledge of what happens" or isn't very liable?
Immenseman
05-06-2009, 11:41 PM
It was sarcasm, I don't think people take GCSEs in hacking habbo fansites. I was merely highlighting they were hardly handling anyone serious just some deluded child who met his girlfriend through Habbo and learnt to read on Habbo and I am being deadly serious.
Blinger1
05-06-2009, 11:42 PM
It was sarcasm, I don't think people take GCSEs in hacking habbo fansites. I was merely highlighting they were hardly handling anyone serious just some deluded child who met his girlfriend through Habbo and learnt to read on Habbo and I am being deadly serious.
I thought you more meant it was someone who doesn't go to school, not got any school awards (*** r gsces)
Oh speaking of mindless.
I have just been reading ***** and apparently somebody called "Adam Walsh" is dealing with our finances and they are concentrating their efforts on him :S?
Last time I checked our finances aren't controlled by an "Adam Walsh".
Blinger1
06-06-2009, 12:38 AM
You sly dog!!!
Who is Adam Walsh?
Also, is Habbox hosted on a proper host? I presume it is. (by proper I mean someone like umm, godaddy or some crap)
FlyingJesus
06-06-2009, 01:36 AM
It was sarcasm, I don't think people take GCSEs in hacking habbo fansites. I was merely highlighting they were hardly handling anyone serious just some deluded child who met his girlfriend through Habbo and learnt to read on Habbo and I am being deadly serious.
omg it was Fry.
In reply to the actual thread topic though - there was a security problem so you suggest giving out full admin access to more people? Unfortunately whilst people should really be more careful with their details (especially when it can involve other people as this case did) even those who do protect themselves properly as they are told to can find themselves at risk if someone really determined comes along. The benefit of potentially faster reaction doesn't come close to the problem of increased risk. If 4 people have admin access then adding even one more makes for a 25% bigger target.
Favourtism
06-06-2009, 09:49 PM
Adam Welsh is Adzeh the ex agm lol o.O
Recursion
06-06-2009, 09:57 PM
I think really what this has shown is the lack of security shown amongst staff members, for example, I see in people's desktop screenshots they just leave ModCP passwords and things in text files, you may as well Digg it or something!
These staff members should be somewhat clued up about how to treat sensitive data like that and how to NOT get keyloggers and to only download files from trusted sources, and perhaps this could be added to the application process.
What I have seen though are quick reaction times from the staff members and I applaud them :)
Favourtism
06-06-2009, 10:01 PM
I still think Habbox should invest in SSL Certificates for MOD/ADMINCP + site admin
Recursion
06-06-2009, 10:03 PM
That's not going to help, especially in situations like this.
Favourtism
06-06-2009, 10:03 PM
That's not going to help, especially in situations like this.
Why? Or if they set it so joomla admin can only be accessed by xxx ips
Robbie
06-06-2009, 10:05 PM
Why? Or if they set it so joomla admin can only be accessed by xxx ips
Dynamic IPs?
Why? Or if they set it so joomla admin can only be accessed by xxx ips
Not everyone has a static IP... and SSL won't help if a mod is keylogged surely?
Favourtism
06-06-2009, 10:07 PM
Dynamic IPs?
Certificates again then? Not many people have dynamic IPs though???
Mentor
06-06-2009, 10:21 PM
Most ISPs will assign IPs dynamically, static generally will cost extra.
SSL won't help in the slightest since no direct hacking is occurring. If they have the pw, then the password will work whatever.
Immenseman
06-06-2009, 10:22 PM
I do think Habbox are safe enough for a habbo fansite. Sure there will always be security breaches because the vast majority of staff are teenagers, not people who have depths of knowledge about internet security.
Mentor
06-06-2009, 10:27 PM
I do think Habbox are safe enough for a habbo fansite. Sure there will always be security breaches because the vast majority of staff are teenagers, not people who have depths of knowledge about internet security.
Not really just a fansite thing, very few people can really keep much secure. The reason real businesses/organizations avoid breaches is because they never actually give the managers and other staff access to any of the IT systems, they instead have an IT dept, who those managers and other staff ask when they want something done.
Result is compromising any staff/manager account wouldn't allow any access to do any harm, and the IT staff generally don't get compromised as to get the job, basic computer skills and an understanding of computer security is generally required :p
Immenseman
06-06-2009, 10:32 PM
Not really just a fansite thing, very few people can really keep much secure. The reason real businesses/organizations avoid breaches is because they never actually give the managers and other staff access to any of the IT systems, they instead have an IT dept, who those managers and other staff ask when they want something done.
Result is compromising any staff/manager account wouldn't allow any access to do any harm, and the IT staff generally don't get compromised as to get the job, basic computer skills and an understanding of computer security is generally required :p
Yeah, however such actions can't be taken for a fansite because it isn't a real business/organisation. All management can do is drill in basic safety measures to their staff. Hackers will always find a new loophole which many people will fall for. However, now the threat of the program "iStealer" that was used is around hopefully people will be a lot more careful what they're downloading.
Like when I was compromised when I was Admin it was because of "reverting". Habbox now has measures to ensure no other staff member will ever fall foul of this method.
Reverting? Is that like resetting the password or something...
Immenseman
06-06-2009, 11:17 PM
It's a form that you send to Microsoft. Basically, anyone can compromise any Hotmail account all you need to find is name, dob, IP once you have IP you can fill most of the other boxes in. So they adapted a script called IPGet which allowed you to get an IP from anyone on your messenger.
Favourtism
06-06-2009, 11:21 PM
It's a form that you send to Microsoft. Basically, anyone can compromise any Hotmail account all you need to find is name, dob, IP once you have IP you can fill most of the other boxes in. So they adapted a script called IPGet which allowed you to get an IP from anyone on your messenger.
Yeah I got reverted ages ago. They got my IP from a forum and bsed the rest
nvrspk4
06-06-2009, 11:23 PM
It would have because she wasn't keylogged but iStealer. She hadn't typed all the passwords in but because of the fact all her passwords were so similar it was easy for them to jump around. So it probably would have changed the situation.
It was reasonable what happened only because Dlox didn't care. If he had put a phisher up and loads of habbox users had been hacked I'm not so sure they would have seen that as "reasonable". I certainly wouldn't have and he could have easily put a link to one in the article and even pretended to be a real news reporter as more people would have fallen for it. Luckily he has no GCSEs so would never have thought of anything so imaginative.
Not true, all of her passwords were logged by Firefox, and that's where it came from. The reason we know this is they got the MODCP, Habbox Site Admin, HxL CP passwords all of which I can assure you were different. So in that sense it didn't matter whether her PWs were different.
You sly dog!!!
Who is Adam Walsh?
Also, is Habbox hosted on a proper host? I presume it is. (by proper I mean someone like umm, godaddy or some crap)
Adzeh. The payments were sent to him because he was the HxL Manager at the time and the HxL ad money was used to buy jingles. Well done *****, all the money to Adam Walsh!!! :rolleyes:
Certificates again then? Not many people have dynamic IPs though???
I do! For example, ***** thinks they're leet and exposed my IP, but not a single digit of the IP there is right, even the first two.
GoldenMerc
06-06-2009, 11:26 PM
I do! For example, ***** thinks they're leet and exposed my IP, but not a single digit of the IP there is right, even the first two.
nvr is leeeeeeet too lol at them thinking Adam had all the money.
Immenseman
06-06-2009, 11:28 PM
Not true, all of her passwords were logged by Firefox, and that's where it came from. The reason we know this is they got the MODCP, Habbox Site Admin, HxL CP passwords all of which I can assure you were different. So in that sense it didn't matter whether her PWs were different.
Adzeh. The payments were sent to him because he was the HxL Manager at the time and the HxL ad money was used to buy jingles. Well done *****, all the money to Adam Walsh!!! :rolleyes:
I do! For example, ***** thinks they're leet and exposed my IP, but not a single digit of the IP there is right, even the first two.
So she had all her passwords saved on Firefox?! There are numerous programs which have been used to grab these. There needs to be up to date staff information on the latest threats and methods these online "hackers" are using which would have prevented this. Not like it's new.
Favourtism
06-06-2009, 11:28 PM
I don't think they know that Adam hasn't been on here for **** knows how long...
Immenseman
06-06-2009, 11:29 PM
They do now. They hacked his Habbo, Hotmail, Facebook, Myspace and what not anyway.
Favourtism
06-06-2009, 11:31 PM
Adam was a good guy
Immenseman
06-06-2009, 11:32 PM
He couldn't keep his mouth closed or his pants on and this is just online.
FlyingJesus
06-06-2009, 11:42 PM
Not true, all of her passwords were logged by Firefox, and that's where it came from. The reason we know this is they got the MODCP, Habbox Site Admin, HxL CP passwords all of which I can assure you were different. So in that sense it didn't matter whether her PWs were different.
For something that requires such security it would seem wise not to let a browser, especially one with so many add-ons that it's easy to manipulate, store all of the top level passwords.
nvrspk4
07-06-2009, 05:25 AM
For something that requires such security it would seem wise not to let a browser, especially one with so many add-ons that it's easy to manipulate, store all of the top level passwords.
Hindsight is 20/20. In fairness to her, this has never really been addressed in any of the security messages, in fact at certain points when keyloggers were very common, we encouraged managers to save these passwords because they would be keylogged but hackers would be stopped at access screens because those were saved. It's saved us numerous times before. That's really what the access screen is for, to prevent hackers from automatically getting in.
But now we'll have to look over with our security team the feasibility of perhaps protecting these Firefox passwords more carefully. It's really a gamble either way, and I believe the iStealer would still effectively keylog. When people save some access passwords, keyloggers will be much less effective, but we have no similar guarantee for iStealers.