What I know to be true.

6 07 2010

One of  my websites users has had their account hacked into. I don’t really know where to begin with all of this, so I’ll just state the facts as they are and allow readers to draw their own conclusions.

My website keeps a log of all the IP addresses that are used to access users accounts. An IP address is kind of like an online signature, its generally unique to each computer / network used and provides access to all kinds of information such as location or internet service provider. Every time a user signs into the website, a note is made of their IP address.

The victim only ever uses their home computer to access my website and uses Sky Broadband as their internet service provider. Yesterday the following IP address accessed the victims account: . This is not their usual IP address so I put the IP into infosniper; a website that traces information about IPs. You can do it yourself, and see that the information return tells us that the IP registers to Germany and is not provided by Sky Broadband. The victims account was clearly being accessed by somebody else.

I carried on digging, this time using the revolutionary technique of wacking the IP address into Google. You can see the results here. The second result is illuminating. It records that a website with the address of http://www.yoxy.co.uk is registered to the anomalous IP. Visiting this website shows that it is a proxy server website. A proxy server allows you to mask your IP (online identity). Instead of your own IP being viewed by websites, the IP belonging to the proxy server gets viewed.

I tried it out for myself by putting my websites address (www.riftforum.com) into yoxy.co.uk, logging in as myself and then checking the logs to see what IP was recorded. You can see the results:

It can clearly been seen that my IP is now the same as the hackers. It’s therefore obvious that the hacker is not a nefarious German, but someone else pretending to be one. You can have a go at this yourself too, just go to riftforum.com and you will see my site. Go to yoxy.co.uk, input riftforum, and you will see what it looks like to be banned from my site.

The victims account was accessed totally normally, nothing strange other than the IP. They just logged in with the victims account details. I asked the victim if they used the password on any other websites. The answer was yes – on three other phpbb forums but the password was cryptic and unguessable.

I then tried to work out if it was possible to easily obtain the passwords from a forum website. The answer is yes – if you are an Administrator. All the forum data is stored in a database. The database contains a table called users which contains information such as username password etc. Here is an example from a test database I set up:

The password is highlighted in the red box. The account we are looking at has a username of victim and a password of ‘password’. Its been encrypted and garbled beyond use to anyone other than Russel Crowe. To find out how phpbb encrypts passwords, you can consult the documentation here. Scroll down until the security section and find the password hashing line. You will notice two columns, one for phpbb v2, and one for phpbb v3. Both versions encrypt passwords, however if you mouse over the little question mark next to the tick, you find out that the newer version uses an enhanced version of the encryption method (MD5).

Its therefore important to find out what version of the phpbb software the websites the victim used were running. Heres the list-

http://lakemalawicichlids.co.uk/phpBB3/docs/INSTALL.html - phpbb v3

http://lakemalawi.co.uk/forum3/docs/INSTALL.html - phpbb v3

http://malawiforum.co.uk/docs/INSTALL.html - phpbb v2

So there are two types of forum software in operation here. I downloaded phpbb v2 and set up another test database with the same test username and password (victim, password). It looks a bit different with a simpler table structure as you can see.

The password has been encrypted again also. Lets compare the it with the one from my earlier test database which was using phpbb 3.

Phpbb 2 – 5f4dcc3b5aa765d61d8327deb882cf99

Phpbb 3 – $H$9M8q27O74vu2MW5FNjPuIIUXRPWdjc1

They are completely different. We found from the documentation that the passwords are encrypted with MD5, so lets google for a MD5 decrpyter. Putting the encrypted passwords into the decrypter shows that only the passwords from php 2 can be decrypted. Finding this out requires no great expertise, just admin rights to a phpbb 2 forum and google.

To recap.

  • My user had their account accessed by someone hiding their identity with a proxy server.
  • The own account password was used.
  • The password was only used on 4 websites.
  • Only Phpbb v2 forums can have passwords decrypted.

As I stated earlier, readers can draw their own conclusions.

Trouble in ForumLand

3 06 2010

Im posting this on behalf of Ben Dwinger, who has found himself banned on http://www.lakemalwi.co.uk

he posted the following message in this thread and its quite a long read. Incidentally I am also banned from that form, my crime was to call a raging anti semite (“Hitler had the right idea but was undiplomatic”) a cunt. Well its all out in the open now. If anyone reading this also disapproved of the flagrant bias being shown on lakemalawi.co.uk, why not try out www.riftform.com.

Heres bens post…

just want to point out how disgusted I am with the way this forum is run and by some of the people running it!

I always thought this was a decent enough forum originally but was mainly using MF. It seemed to be run by people with a good amount of knowledge albeit that LM had a bit of a stuffy serious image. Not much banter and threads seemed to be locked too easily.

I was invited to become a MOD on here and thought I would give it a go but it has shown me why it’s bad for a forum to be controlled (in the background) by a shop/seller.

The bias towards Natural World was a little shocking to say the least!

For everyone’s information.. and let be honest now.. I stepped down as a mod! I didn’t get removed by Richard.. I asked to quit as I wasn’t comfortable being part of the team with some of the attitudes! It was solely my decision.

I also don’t have fan club and I haven’t written anything that isn’t fact.

The fish Inc thread was the catalyst for the whole episode.

It was unpleasant to read and as I stated at the time should have been left as a factual review by people who have been. At the end of the day the average customer wants to walk into a shop and buy good fish. They don’t want to know the background politics and that’s what was being brought up in it. It was all very wrong.

As for Colin… Michelle and I have never slagged NW or Colin off but have stated facts! I had a lot of time for Colin and would have loved to have seen NW do well but there are/were issues that need addressing!

Fish from Natural World have a high mortality rate and quite often people aren’t sorted out with refunds of replacements.

I will now back up my arguements

I bought the following fish from Natural World:

Male Zebra Chilumba – Didn’t eat, was emaciated when I got him and just sat at the top of the tank and then eventually died.
Male Zebra Chilumba – replacement which I paid for myself was bullied and died (not NWs fault)
4 Zebra Mbowe – Bought as 2 pairs and got them home and they vented as 3m/1f… Colin said he would source me another female.. never happened. 3 died the same way as the first Zebra Chilumba
6 Afra Ndonga – Colin seemed to think that they were 4m/2f but were all male. I was however happy to keep them all and Colin did a good deal on price and said he would source me fems from next shipment. All healthy.
Female F1 Membe Deep – was a male and was easy enough to find this out when I vented at home. I guess a genuine mistake so didn’t make a big deal about it!

Now Michelle..

Bought pair of Dwarf Lombardoi, and male died. Colin was supposed to replace or sort something out. He repeatedly ignored her pm’s and emails about this to the point that she gave up.
Long Pelvic Mdoka male – was emaciated and ended up kicking of a massive outbreak of what we think was columnaris in her tank. This resulted in massive losses.

Now I know of quite a few other people that have had similar problems with fish dying or not being sexed properly and then not getting anything back, like there is no interest after the sale has gone though. Adrian even told me himself that he had huge losses in Wilds from NW with no comeback.

Now if this had been the behavior of another shop it would be shot down totally wouldn’t it?

I or all the others I have spoken to have never had this kind of problem from Fish Inc, Mike Whittaker or Kevin Smith at Ramsey who all do Wild Caughts as well. So as far as I am concerned NW is 4th choice for me as it can be money down the drain.

And I’m sorry Colin you don’t quarantine fish yourself.. Tan does it… and I am not convinced he does the best job either especially as if the rumours are true they get quarantined at his home in the centralised system? Is this right? Spread the bugs about hey?

PM Reader – Someone found a thread on a PHP forum written by you Richard, asking about a PM reader? Explain that one? It was there for anyone to see. That’s what happens when your user name is the same ;-)

Colin’s slur about me not being a proper Malawi keeper.. and that my fish are all oversized and unhealthy. Get your a*s over to my house and see them yourself in person before making these claims.. or are we back in the realms of making statements with no facts to back them up… ie.. fish Inc

I also think that LM should make their members aware that Colin contributes considerably to the forum financially. Hence why NW is pushed for members to buy from. I have heard rumours about the figures paid that have apparently come from Colins mouth directly but would be nice to hear a bit of honesty.

So there you go… all out in the open and I wonder how long you have the balls to leave this thread up for people to see eh?

I won’t be blamed for this forums shortcomings or issues.

I may have been some time

7 05 2010

but I have been busy making this:


Email subscriptions

2 02 2010

Its now possible to subscribe to the Cichlid Diary, you just pop your email address into the box on the right. You can choose to have notifications the instant something new is posted or a weekly digest if you prefer. The email addresses are held by wordpress.com not me so you wont be getting spammed!

So far so good

31 01 2010

The Octozin course finished last week, after two days the fish were looking good – everyone was busy and seemed hungry. I tentatively tried a small amount of food and to my delight, everybody ate! It seems therefore that the treatment was successful so I have not repeated it. A few days on all the fish still seem healthy.

To recap, I after a death identified as bloat, I noticed a number of fish not eating. Initially I intended to treat only the affected fish in a hospital tank but it rapidly became apparent that I would not be able to contain all the afflicted fish in the 2ft tank I had available. I ceased feeding entirely and treated the main tank immediately, first doing a 60% water change then embarking on a 3 day course of Octozin at 4x dose. At the end of the Octozin course I did a 80% water change. After a further two days of observation I resumed feeding.

I will be changing the way I look after my fish in future: I will only feed in the evenings now when I can observe closely for an extended period. I will only feed pure spirulina flake sourced from Germany and I will keep enough medication on hand to be able to attack bloat as soon as I see it.

Octozin Day 3

27 01 2010

Yesterday was the end of the Octozin course so I did a very large water change, approximately 60%. Still no more loses and all fish are perky and active.

Looking good so far, will be monitoring closely for the next 2 days before deciding whether to do another course of treatment or not….

Approaching adulthood

26 01 2010

One of my juvenile Melanochromis dialeptos is changing from the juvenile colours seen here to his adult male colouration (which is midnight blue). He’s not quite there yet, and is currently a rather unattractive shade of brown:


Get every new post delivered to your Inbox.