Lolcow Email was Compromised

Null

Ooperator
kiwifarms.net
TL;DR: An environment file from lolcow.email's frontend was leaked. If you use a lolcow.email address for something important, change its password. Change your account password regardless if you care about it.

The full technical explanation is below (which explains what definitely got leaked + what probably wasn't leaked) and the original email that alerted me to the leak is attached.


An email from a one-way email service has alerted me that the following information was leaked from the server.

  • The root password for the DB server responsible for account management and the web interface.
  • The application key for the front-end software used in cryptographic parts of the software, but not related to emails. I'm not actually sure it's used anywhere.
  • The password to the welcome@lolcow.email account which does not store sensitive information.

The email also claims the following have occurred:
  • "[They] have Rooted [my] mail server"
  • "stolen all [my] emails over the last few weeks"

In addition, the email closes with this:
  • "We [/baphomet/] are not responsible for the terror threats."
  • "That was Null and Dynastia trying to throw shade on their enemies."
  • "In the port scan you will find Josh created two local TOR proxies on this and used them to loop his browser back and send the threats himself."
I am in the process of running checks and I have a few other people helping me. I have changed the compromised information in the meantime and shut down the HTTP-based frontend and inbox while I look at what's happened. The mail service itself is running and when the frontends are restored you can access your email through them normally.

As far as I know, the following is safe:
  • User data.
  • User emails.
  • Mail logs.
  • Access logs.
  • Everything except that one file.

All information that was given to me came from one file: the environment file from the application front-end. This file on its own is not significant. Having the database password leaked does not mean the person has had access to the database. In order to access the database, you must be making a connection from the local server. With just the password you cannot accomplish this.

The root account for the server attacked does not appear to have been compromised. There is no indication that the MySQL server has been compromised. There is no indication that email inboxes have been compromised.

As a precaution I would say that if you've used the Lolcow Email service you would want to act as if the emails are compromised regardless. Reset passwords.


The email itself is attached to this post. I'm going to go over it line by line and briefly explain my thoughts on it.



"Greetings in the name of the lulz! Baphomet are writing to you in mutual solidarity. Vordy, Welshfag and the SJW are being emailed as Moon's main journalistic foes. Such as you are. We also copied in Bane and Likeicare."

There's only one person I've ever known who's called me "Moon". That person, I suspect, also used Lolcow Email months ago to send bomb threats to a few hospitals. When the FBI visited to collect an IP address from the mail log, I made no remark about it (as opposed to the first time this person did such a thing). Denying them publicity for their act, they could not claim to have known it had happened and write a blog post about it without revealing they did it themselves, or know someone who did.

This email starts things off right and immediately CCs in Samuel Collingwood Smith, Margaret Pless, and a few other people, so relying on me to make a huge post about it isn't required.


"We hate Moon and so we have Rooted his mail server and stolen all his emails over the last few weeks. These will be released as and when it amuses us. There is a long term plan so we will take our time."

Yes, we the bad guys of /Baphomet/ hate Mr. Moon very much and have complicated bad guy schemes that involve the slow release of emails in a not-present time. I would like to reiterate we are the anonymous hackers known as Baphomet and we do not live in Hertfordshire, England.


"Don't use these to log in you will be traced, but Null will freak out. Kudos to Null for choosing so many secure services like Dovecot. The vulnerability is in his buggy as shit PHP code. 15 SQL Injection and / or Shell Injection Bugs. I shit you not. Poor Nully. This must be very stressful especially with his mother's sudden umemployment."

Right, so 80s hacker lingo aside, there are two claims worth elaborating on. They claim the vulnerability is in the front-end, and I believe it because the front-end .env file was what was leaked; that I can verify. If it did anything else besides reveal the environment file I can't say for sure.

Though this line is more interesting:
"This must be very stressful especially with his mother's sudden umemployment"

There is only a handful of people right now who know that in the last few days a bombardment aimed at my mother's real estate company's office (and their executives), in combination with a slew of online attack articles calling her and her real estate company's employees pedophiles, forced them to revoke her license with them.
Those people also apparently hacked my email server and are from /Baphomet/, who hate me very much and are definitely not from Hertfordshire.


"Oh and we corrupted all the server logs too, by falsifying entries to throw blame on innocent parties for the hack. Aren't we nice?"

The logs are not corrupted. The IPs responsible for the attack came from Taiwan, China, and the TOR network.


"We are not responsible for the terror threats. That was Null and Dynastia trying to throw shade on their enemies. In the port scan you will find Josh created two local TOR proxies on this and used them to loop his browser back and send the threats himself."

This entire thing is baffling to me because we've never claimed that big-B /Baphomet/ (who definitely hate me, not in herts, etc) were responsible for the terrorist threats committed using my email server.

Furthermore, big-B /Baphomet/ (hate me, not in herts) would probably revel in taking credit for such a thing.

Furthermore, the accusation that specifically Dynastia and I (who the police should definitely arrest based on this email) were using Tor from the very fucking email server that we're being accused of sending threats from is preposterous to the point of hilarity.

To give you an anecdote, this accusation is the equivalent of a home invader saying he found camouflage and ghillie suits that don't exist in our house that he claims we used to break into our own house to prank dial 911.

The tail end of the email is a very basic port scan showing which ports were open (could be pinged by a remote server). All of them were open. This is really shitty practice but that's not the problem. The email claims that he found evidence of us running two Tor proxies by figuring out which ports were open. This claim is nonsense and I can't refute it any better. It's just technobabble.


"We are /Baphomet/."
"We are elite."
"We do not forgive."
"At all."

I am Josh.
I'm just some fucking guy.
I don't care what you do to me or my family.
Get bent, Sam.

p.s. lol calm down


(If you have any private concerns PM me.)


Fuck my ass.

I had a public view on some bullshit route that openly displayed phpinfo(), which includes the $_ENV variable, which includes the fucking .env details. I did this because I had to pull details for the police at some point and I never removed it. All Sam did is find (or pay someone to find) this directory and threaten me with some fucking bullshit ass information he found on it.

nigga eat a dick

all y'all

Attachments

  • original_msg.txt
    29.2 KB
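The exposure described at the end of the post above (a routed page that renders phpinfo(), whose "PHP Variables" section dumps $_ENV and therefore the contents of the loaded .env file to anyone who finds the URL) is easy to check for from the outside. The following is an added example and is not code from the original post or from lolcow.email: it parses the $_ENV rows from a phpinfo() HTML page and flags entries whose names look like credentials or keys. The sample HTML, the variable names and values, and the candidate path list are all constructed for this example; the real front-end's routes are not known from the post.

```python
import re
import sys
import urllib.request
from html import unescape

# Constructed sample: the "PHP Variables" section of a phpinfo() page on a
# host whose PHP front-end has loaded a .env file into $_ENV. Names and
# values are made up for this example and are not from the real incident.
SAMPLE_PHPINFO = """<html><head><title>PHP 8.2.0 - phpinfo()</title></head><body>
<h2>PHP Variables</h2>
<table>
<tr><td class="e">$_SERVER['REQUEST_URI'] </td><td class="v">/debug/info </td></tr>
<tr><td class="e">$_ENV['APP_NAME'] </td><td class="v">mailfront </td></tr>
<tr><td class="e">$_ENV['APP_KEY'] </td><td class="v">base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= </td></tr>
<tr><td class="e">$_ENV['DB_USERNAME'] </td><td class="v">root </td></tr>
<tr><td class="e">$_ENV['DB_PASSWORD'] </td><td class="v">hunter2 </td></tr>
<tr><td class="e">$_ENV['MAIL_PASSWORD'] </td><td class="v">welcome-pass </td></tr>
</table></body></html>"""

# Row layout phpinfo() uses for environment variables in its HTML output.
ENV_ROW = re.compile(
    r"<td class=\"e\">\s*\$_ENV\['([^']+)'\]\s*</td>\s*<td class=\"v\">(.*?)</td>",
    re.S,
)

# Substrings that usually mark a secret rather than a harmless setting
# ("KEY" is deliberately broad; review matches by hand).
SECRET_MARKERS = ("PASSWORD", "SECRET", "KEY", "TOKEN")

# Paths phpinfo() is commonly left reachable on; an assumed list, extend it.
CANDIDATE_PATHS = ("/phpinfo.php", "/info.php", "/debug/info", "/_profiler/phpinfo")


def is_phpinfo(body: str) -> bool:
    """True if the response looks like phpinfo() output rather than an app page."""
    return "phpinfo()</title>" in body or "PHP Variables" in body


def parse_phpinfo_env(body: str) -> dict:
    """Return {name: value} for every $_ENV row in a phpinfo() HTML page."""
    return {name: unescape(value).strip() for name, value in ENV_ROW.findall(body)}


def redact(value: str) -> str:
    """Keep a two-character prefix so a finding can be matched to the real secret."""
    if len(value) <= 4:
        return "****"
    return value[:2] + "*" * (len(value) - 2)


def find_sensitive(env: dict) -> list:
    """(name, redacted value) for entries whose names suggest credentials or keys."""
    return [
        (name, redact(value))
        for name, value in env.items()
        if any(marker in name.upper() for marker in SECRET_MARKERS)
    ]


def scan_body(body: str) -> dict:
    """Classify one HTTP response body; 'leaked' lists the secret-looking names."""
    if not is_phpinfo(body):
        return {"phpinfo": False, "env_count": 0, "leaked": []}
    env = parse_phpinfo_env(body)
    return {
        "phpinfo": True,
        "env_count": len(env),
        "leaked": [name for name, _ in find_sensitive(env)],
    }


def scan_host(base_url: str, paths=CANDIDATE_PATHS, timeout: float = 5.0) -> dict:
    """Fetch each candidate path on a host you are authorised to test."""
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = scan_body(resp.read().decode("utf-8", "replace"))
        except Exception as exc:  # 404s, refused connections, TLS errors, ...
            results[path] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, result in scan_host(sys.argv[1]).items():
            print(path, result)
    else:
        for name, shown in find_sensitive(parse_phpinfo_env(SAMPLE_PHPINFO)):
            print(f"{name} = {shown}")
```

Run with no arguments it reports the secret-looking names from the constructed sample; given a base URL it fetches each candidate path with urllib and classifies the responses. Note that hiding the page behind an obscure path is not a fix: phpinfo() exposes far more than $_ENV (loaded extensions, include paths, server variables), so the remedy is to remove the route entirely and, as the post itself concludes, rotate every credential the .env held.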

glass_houses

not a bumblebee
kiwifarms.net
Your mother's been laid off because her entire company was attacked; that's fucking awful. And they knew about it. Would her company have taken her off their website and contact list quickly enough for the "I'm not a paedophile, YOU'RE the paedophile" brigade to spot it?

Luminous Being

Triangle
True & Honest Fan
kiwifarms.net
On a scale of 1 to domestic terrorist, how hard is it to accomplish what this "mysterious group" has done?

Would someone untrained in all things databases and online security, say, an aspiring lawyer who fancies himself a prosperous software consultant, be able to do this if they stumbled across a "guide" or something similar?

I know there are some people that hate the Farms and one of them tried to grab IP's through images. Their name escapes me, but it was a reference to some obscure figure from history that did investigations or something.

If someone knows, do tell. This is all witchcraft to me.