WARNING: about /login Vulnerabilities

[~*¤£ôv认Gí®|¤*~]

i posted the exact post on Vladd's forum also, fyi  
the following was found at:

http://kraine.atspace.com/Lex.html

which has probably been taken down by now.
please keep this in mind, and watch your servers

OK f**kheads. the following script is a metis .mxl which cracks room logins from a wordlist.txt. for this to work you need to place the code into mxc.xml within the plugins folder, within ur metis 2.7 test folder. then you need to create a new folder in C: called robotexts, and within this new folder another folder called logs. when u fire up metis u have to go to settings and set the logs to be saved to c:\\robotexts\logs. Place in the C:\\robotexts folder a textfile of all the possible logins you can think of, one login per line, and call this wordlist.txt

Once its running send the bot into the target room and sum1 say (+_-) to activate it, or have the bot pm itself with the same thing- (+_-)

Watch the bot screen for the logins it attempts. when it finds a working login it sees "Access changed to:" in the room logs- this is a large part of why this script is special- and tells you on the bot screen the login that worked. simple as that. The effectiveness of this cracker depends on ur wordlist file. fill it with every login that you would use, that ur target might use, that Mr.Average might use. my wordlist also has the 100 most common Pets names, 100 most common male names, and 100 most common female names, as well as every english word.



TO PROTECT URSELF AGAINST THIS SCRIPT:

(1) Use logins with abstract numbers like ur full date of birth

(2) Use logins with a few capital letters thrown in

(3) Use logins with ascii and punctuation

(4) KEEP AN EYE ON YOUR SERVER SCREEN!!!!!!!!!



Technically if sum1 could be bothered they could make a wordlist that would get past these measures, but then it would take an infinate amount of time for them to find the login, considering the flood control in most rooms. A better measure would be for sum1 to code a lil script like moogle from the mxcontrol code vault which reads the SERVER room logs and checks for failed logins in real time. if sum1 else doesnt do it then I will soon.



SCROLL DOWN FOR THE SCRIPT.........







<?xml version="1.0" standalone="no">

<config> // Main configuration File





// Please have a look at the Metis Userguide

// for an explanation of all elemts and settings

// (File Metis.chm)



<BadwordPenalty enable="1" exclude="1"/>

<AutoKick enable="1" warnings="2"/>

<BadLangWarning value="I'd watch that tone of voice, %NAME%, if I was you."/>

<BadLangPreKick value="You have been warned, %NAME%. Final words are not permitted. Bye."/>

<RedirectCommand value="/kick %RAWNAME%"/>

<BotFloodControl value="10"/>

<UserFloodControl TimeFrame="10" MaxTriggerPerFrame="10" BanTime="240"/>

<NickSeparator value="._ "/>

<SecureParam value="1"/>

<SecureNickname value="0"/>

<ConfigEditor value="notepad.exe"/>

<MinimizeToTray value="1"/>

<EnableBeep value="1"/>

<EnableUpdateCheck value="1"/>



<DefaultCmdFloodProt value="1"/>

<DefaultCmdType value="normal"/>

<EnableBeep value="1"/>

<EnableUpdateCheck value="1"/>



<OnJoinRoom type="script" mode="thread">

<out type="control">/mxc run</out>

<out type="sleep" extdata="1500"></out>

<out delay="2370">/bot</out>

<out type="push"extdata="logline">1</out>

</OnJoinRoom>



<command type="script"mode="thread"usergroup="">

<in>(+_-)</in>..............................................................................................................



LMFAO U THINK IMMA LET ANYONE HAVE THIS? F**KIN REALITY CHECK TIME BRETREN:

Lex the room cracking bot was developed to crack deviant rooms, kiddypics n kiddyvids in particular. Four people in the world have possesion of Lex in full working order, and all of these people have a different version of the wordlist. The ultimate future for Lex is for her to hydra- 10 lil bots all with different portions of a VERY large wordlist, all working in unison, communicating through pms. Lex 3.0 is close to being finished. And no- you wont see this version of her either. Of course she can be used to crack any room at all- BUT SHE WILL NEVER BE ABUSED IN THIS WAY- SOME OF US WERE BLESSED WITH THAT MODICUM OF DECENCY.

A few personal words to a certain individual: You will never make the tiny fragment of code you have work as a room cracker. you certainly have the time but sorely lack the patience and logic required to make somethin like this work. The truth is that Lex is my first ever attempt at scripting metis, and i finished her within a week. Soak that up buttercup =DDDDDDDDDDDDDDDDDDDDDDD

In testing Lex I cracked all 5 different rooms that i tested her on. All of the hosts were aware of what i was doing and why, and all of those hosts now have very secure passes- without resorting to f**kin ascii dumbness LMFAO@ rich "i have developed some code that will protect your room..." *cough*and a full power login for myself right down the bottom of the config*cough*



Mk. lil richy heard about what lex can do cos i told him direct. Obviously he dont got the prerequisites to script anything like this so he asked Sabre to help, got no help so he asked Badass of RD. The protective measures i outlined above will protect you from ANY login cracking bot anyone else comes up with. it couldnt be simpler: WEAK LOGIN: c**t STRONG VERSION OF THE SAME LOGIN: !@C**t@!....... You get the idea.



`V´§wìt©(-)©ódÉ`V´ ¯ì)'Ì)`Víç`\/ípér´(Í'(í¯ ´ì)'Ì)Èzè|{íé|(Í'(í`

[Anonymous]

To clear up this problem...i never asked Sabre to help at all i just warned him of this bot

No mention woz made bout him helping creating a similar version

and BadAss...well hes not even online at the moment so...

decide for urselves about this statement
but it is possible to improve this "LEX" bot but the easy way would be to have a copy of the existing scripting
alas this wont happen so ive started working on it from scratch

NOT to hack rooms
just to prove him wrong - i.e. that he aint as special a programmer as he thinks and that i can script it if i want

[switchcode]

what you dont say is much funnier than what you do richy.
 http://www.mxcontrol.org/modulesphp?name=Forums&file=viewtopic&t=1470

[switchcode]

btw its "scripting"- which is a no brainer, as opposed to "coding" which requires a cup of coffee Kthx

[~*¤£ôv认Gí®|¤*~]

either way..it's takin down a room that you have no say in weather or not it's on winmx...

you wanna get rid of the pedos and the nasty ppl that support them...get thier ip's and turn 'em in...do it legal..

don't be stupid

[Me Here]

Thanks LoverGirl foryour post and information, which was also quoted in the MX Hosts section a few days ago so that our hosts could be made aware of whats happening and to keep any rumors from spreading.

As this is a problem that all hosts should be made aware of and learn how to deal with it, there is specific advice in our MX Hosts section on how to keep your logins safe and deal with this type of script.

If your not already a member of that section please send me a pm on site here or post here:

https://forum.winmxworld.com/index.php?topic=522.0

[switchcode]

i decide my own level of involvement lovergirl. cracking a pedo room is not illegal- and even if it was, id still do it. This is simply a difference between someone that accepts and someone that is proactive.

[Bearded Blunder]

i decide my own level of involvement lovergirl. cracking a pedo room is not illegal- and even if it was, id still do it.

In most countries cracking ANY room is illegal, though the chances host of a pedo room would risk reporting you for it are small.. though if they were hosting from a country where it was legal to run such a place they might do so..

HOWEVER, cracking a pedo room, at the very best, simply moves them in disgust to another network, to continue peddling their filth & continue abusing kids directly or indirectly to make it.. this isn't a very savvy approach.

REPORTING them through the proper channels, may see them imprisoned & actually STOP them

Think On

[switchcode]

im aware of this. im the founding ex-member of a 45 strong clan. although i have now left the clan, every one of us has reported the same sets of ips to their isps and local police departments. This is just the beginning. An isp cannot ignore 45 different users from different sources all reporting the same people, along with screenshots of their shares and a recorded time and date for that particular ip.

[KM]

unfortunately, an ISP can ignore whatever they want to, as far as they see it they have a load of screen shots and alligations sent by some unknown people telling them to cut off someone who is paying them money, it doesn't make much buisiness sense to be getting rid of customers on the word of some unknown people - they only take notice of things when they absolutely have to

[ñòóKýçrÕôK]

unfortunately, an ISP can ignore whatever they want to, as far as they see it they have a load of screen shots and alligations sent by some unknown people telling them to cut off someone who is paying them money, it doesn't make much buisiness sense to be getting rid of customers on the word of some unknown people - they only take notice of things when they absolutely have to

Unfortunately KM is absolutely right on this. As most of you know or are learning about MEAN MAX, he is an AOLer. I have contacted AOLTos 3 times about MEAN MAX. The last time they sent me back an e-mail which basicly says if it doesn't happen ON AOL they aren't responcible and will not pursue it.

[ñòóKýçrÕôK]

i decide my own level of involvement lovergirl. cracking a pedo room is not illegal- and even if it was, id still do it. This is simply a difference between someone that accepts and someone that is proactive.

You're not actually cracking the room, you're cracking their pc. What if I cracked your pc now? Do you think you would still be so quick to jump to your decision if someone took something away from you that you earned? Like what they do or not, whoever said you would just make them move on to a new network and likely bring more abuse to more children was exactly right. Do it legally of say fuck it. That's the ONLY right way to do it. Destruction of a person's private property depending on the value of that property can be treated as a violation of more than 1 federal law because YES, it is HIGHLY ILLEGAL.