> Using the Cangjie input method, I found those keystrokes build and translate to Question 1 [甠題1火].
It doesn't. Cangjie doesn't use numeric digits in its encoding, so it would have to be interpreted as x + 4 + ivygA + 51 + F if it had any remote chance of being Cangjie, and the first two of those would be invalid. It isn't Zhuyin either, because 4 signifies a tone mark, which goes after a syllable, but x alone gives you a single consonant (ㄌ for l), so it can't be a full syllable.
An attacker gained administrator access to the forum in question. The admin changed passwords and continued to observe more password bruteforcing attempts from the attacker.
The attempts were made to the forum's mobile login endpoint using different IP addresses from a proxy pool. Strangely, the attacker would rotate the username once or twice every hour but stick to the same password, x4ivygA51F. The admin later modified the forum software to hash the plaintext password locally before sending it to the server, and the attacks promptly stopped. First of all, I don't think the admin realized that validating a hash from the client without hashing it twice would actually make security worse.
From what I can tell, this is largely Discuz's login flow:
- Server has `sitekey` and `authkey`; they are unique and permanent for each Discuz site
- Generate `formhash = md5(timestamp_days / 115, user_id, sitekey)` and embed in HTML
- Client POSTs username and password with `formhash`
- Server validates
- Server generates `discuz_auth_key = md5(authkey, user_agent)` which is used to encrypt user ID and password
- Server hands out `auth` cookie with the encrypted string
The cookie is used on subsequent visits to authenticate. My guess is the attacker created throwaway accounts on the forum to perform a known-plaintext attack on the forum's sitekey and authkey.
For the record, if you search this password in Google with a date range before 2019-01-01, you will end up with an actual reversed password list that gives two email addresses for this password, which are almost the same and differ only by dots. Spam bots don't do that, so it might well be a manual (!) mass account creation.
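The pattern the admin describes (one password, a username rotated every hour or so, requests spread over a proxy pool, all against the mobile login endpoint) is password spraying, and it looks different in logs from a brute force against one account: many usernames each failing once or twice from many IPs, rather than one username failing many times. The detector below is an added example, not code from the forum or from Discuz; it assumes a simple per-request log format (`time ip endpoint user=... result=...`) that is not the forum's real format, and the log lines are constructed to show both patterns side by side.

```python
"""Classify hourly buckets of failed logins as password spraying or
single-account brute force.  Added example; log format, endpoint paths,
usernames and IPs are all assumed or constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line shape: "<ISO time> <ip> <endpoint> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<endpoint>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: hour 10 is a spray (8 users, 1-2 tries each, 5 IPs) against
# the assumed mobile endpoint; hour 11 is one account hammered from one IP, plus
# an ordinary user mistyping once on the desktop endpoint.
SAMPLE_LOG = """\
2019-03-01T10:02:11 198.51.100.5 /login/mobile user=alice result=fail
2019-03-01T10:02:12 198.51.100.5 /login/mobile user=alice result=fail
2019-03-01T10:09:40 203.0.113.17 /login/mobile user=bob result=fail
2019-03-01T10:15:03 192.0.2.44 /login/mobile user=carol result=fail
2019-03-01T10:21:55 203.0.113.17 /login/mobile user=dave result=fail
2019-03-01T10:30:19 198.51.100.77 /login/mobile user=erin result=fail
2019-03-01T10:38:02 192.0.2.44 /login/mobile user=frank result=fail
2019-03-01T10:45:48 203.0.113.90 /login/mobile user=grace result=fail
2019-03-01T10:45:49 203.0.113.90 /login/mobile user=grace result=fail
2019-03-01T10:52:30 198.51.100.5 /login/mobile user=heidi result=fail
2019-03-01T11:05:00 203.0.113.200 /login/mobile user=admin result=fail
2019-03-01T11:05:01 203.0.113.200 /login/mobile user=admin result=fail
2019-03-01T11:05:02 203.0.113.200 /login/mobile user=admin result=fail
2019-03-01T11:05:03 203.0.113.200 /login/mobile user=admin result=fail
2019-03-01T11:05:04 203.0.113.200 /login/mobile user=admin result=fail
2019-03-01T11:05:05 203.0.113.200 /login/mobile user=admin result=fail
2019-03-01T11:21:00 192.0.2.9 /login user=alice result=fail
2019-03-01T11:21:14 192.0.2.9 /login user=alice result=ok
"""


def parse_log(text):
    """Parse lines matching LINE_RE; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify_failed_logins(events, min_users=5, max_per_user=2, min_ips=3, brute_min=5):
    """Bucket failures by (endpoint, hour).  A bucket is 'spraying' when many
    distinct users each see only a few attempts from several IPs; it is
    'bruteforce' when one user absorbs brute_min or more attempts."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["result"] != "fail":
            continue
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(ev["endpoint"], hour)].append(ev)

    findings = []
    for (endpoint, hour), fails in sorted(buckets.items()):
        per_user = defaultdict(int)
        for ev in fails:
            per_user[ev["user"]] += 1
        ips = {ev["ip"] for ev in fails}
        top_user, top_count = max(per_user.items(), key=lambda kv: kv[1])
        if len(per_user) >= min_users and top_count <= max_per_user and len(ips) >= min_ips:
            kind = "spraying"
        elif top_count >= brute_min:
            kind = "bruteforce"
        else:
            continue
        findings.append({
            "kind": kind,
            "endpoint": endpoint,
            "window_start": hour.isoformat(),
            "attempts": len(fails),
            "distinct_users": len(per_user),
            "distinct_ips": len(ips),
            "top_user": top_user,
            "top_user_attempts": top_count,
        })
    return findings


if __name__ == "__main__":
    for f in classify_failed_logins(parse_log(SAMPLE_LOG)):
        print(f)
```

Per-account lockouts and per-IP rate limits, the usual brute-force controls, do not fire on the spray bucket: no account gets more than two tries and no IP more than three. The signal is only visible when failures are aggregated per endpoint and time window, which is why the detector keys on distinct users and distinct IPs rather than on any single counter.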
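The remark that validating a client-supplied hash "without hashing it twice" makes things worse deserves a concrete illustration. The example below is added here and is not the forum's or Discuz's code; it stands in for the admin's change with a simplified scheme (assumed: the client sends an unsalted SHA-256 of the password) and contrasts a server that compares that value directly with one that runs it through a salted server-side KDF. All usernames, passwords and salts are constructed.

```python
"""Client-side password hashing: the submitted hash becomes the credential.
Added example with a simplified stand-in for the admin's change; the client
hash function, the KDF parameters and all test data are assumed/constructed."""
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    """What the modified client sends instead of the plaintext (assumed: unsalted SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


class NaiveServer:
    """Stores the client hash and compares it directly.  Anything that leaks
    the stored value (a database dump) is immediately usable as the login
    credential, because the server never derives anything from it."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, password: str) -> None:
        self.db[user] = client_hash(password)

    def login(self, user: str, submitted_hash: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)


class RehashingServer:
    """Treats the client hash as an opaque secret ("hashing it twice"): the
    stored record is a salted PBKDF2 output, so a leaked record does not
    reproduce the value the client has to send."""

    ITERATIONS = 100_000  # assumed work factor for the example

    def __init__(self):
        self.db = {}

    def _kdf(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._kdf(client_hash(password), salt))

    def login(self, user: str, submitted_hash: str) -> bool:
        rec = self.db.get(user)
        if rec is None:
            self._kdf(submitted_hash, b"\0" * 16)  # equalise cost for unknown users
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._kdf(submitted_hash, salt))


def leaked_record_logs_in(server, user: str) -> bool:
    """Defender's check: take the value as it sits in the user table and
    submit it as the login credential.  True means the table is the password."""
    rec = server.db[user]
    as_credential = rec if isinstance(rec, str) else rec[1].hex()
    return server.login(user, as_credential)


def captured_request_logs_in(server, user: str, password: str) -> bool:
    """Defender's check: resubmit exactly what the client put on the wire."""
    return server.login(user, client_hash(password))


if __name__ == "__main__":
    for cls in (NaiveServer, RehashingServer):
        srv = cls()
        srv.register("alice", "correct horse battery")
        print(cls.__name__,
              "leaked DB record logs in:", leaked_record_logs_in(srv, "alice"),
              "| captured request logs in:", captured_request_logs_in(srv, "alice", "correct horse battery"))
```

Two things fall out of running it. With the naive server the stored value is the credential, so a database leak is exactly as bad as storing plaintext, which is the sense in which the change made security worse. With the rehashing server the leaked record no longer logs in, but the captured request still does for both servers: client-side hashing does nothing against replay on the wire. What the hashing step actually achieves is keeping the raw password off the server; confidentiality in transit still comes from TLS, and the server-side salted KDF is what makes a stolen table worthless.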