Tried to open http://www.tribot.org/ and it says its been hacked :o ouch lol. Some smart people out there?

Meh, so typical of the person who hacked the website to act all cocky

e.e
I used that password in their database for every single password/website I've ever been on.

Hope they don't target me.

I'd like to say I'm surprised but it's not the case. As long as there's people making bots just to generate profit then there will always be motivation for someone to come along and exploit them.

I'm sorry but I just can't show any empathy for them. IMO they're no different from the other bots so again, I'm sorry if it sounds cruel but I don't give two sh--- about them.

e.e
I used that password in their database for every single password/website I've ever been on.

Hope they don't target me.

Time to change your password?


I'd like to say I'm surprised but it's not the case. As long as there's people making bots just to generate profit then there will always be motivation for someone to come along and exploit them.

I'm sorry but I just can't show any empathy for them. IMO they're no different from the other bots so again, I'm sorry if it sounds cruel but I don't give two sh--- about them.

To me they *seem* fairly similar to our mindset(never even visited their forums though personally I guess, so what do I know) with community work with the occasional money-grubber.

They had it coming. TriBot use to be a great learning community but it just turned into a money whore after 07 came out.

e.e
I used that password in their database for every single password/website I've ever been on.

Hope they don't target me.

I hope you get targeted so that you learn a lesson...

Followed.
And what are those things about Trilez "redacted" ORPG and all that. I know the one thing is IP..

Why are you guys wishing bad things?? I hope all the personal information is safe and no harm will be inflected upon any any user.

Wish they would protect their servers better, also why are tribot staff not acknowledging/denying the hack? oh wait, they are Tribot.

e.e
I used that password in their database for every single password/website I've ever been on.

Hope they don't target me.

Don't worry, it's encrypted with MD5 as long as your character is above 7 they won't even bother to try and crack the hash.

Don't worry, it's encrypted with MD5 as long as your character is above 7 they won't even bother to try and crack the hash.

If they STILL have direct access to the DB, I wouldn't trust anything 10 chars or less due to GPU decryption techniques.

Time to change your password?



To me they *seem* fairly similar to our mindset(never even visited their forums though personally I guess, so what do I know) with community work with the occasional money-grubber.
Everything changed when the option for RuneScape 2007 was added..

Community grew extremely fast, everyone paid for VIP, eventually TRiLeZ his PayPal even got suspended. TRiLeZ also said Script Writer would get a share of his profit, this has never happened. Loads of DDOS attacks, attempts to crack the loader, private script loaders, premium scripts, etc.

All just to earn money basicly.
Right now I might aswell script for any other reflection/injection bot.

People just being money whores is all

Everything changed when the option for RuneScape 2007 was added..

Community grew extremely fast, everyone paid for VIP, eventually TRiLeZ his PayPal even got suspended. TRiLeZ also said Script Writer would get a share of his profit, this has never happened. Loads of DDOS attacks, attempts to crack the loader, private script loaders, premium scripts, etc.

All just to earn money basicly.
Right now I might aswell script for any other reflection/injection bot.


07 is a fad. It's a fashion statement. Either that or ppl really hate EOC. I don't see why ppl have to bot a game to get irl money. I think trilez could easily just pay for the allatori full version instead of the trial version he uses to ob tribot. :l

Then again, allatori does kinda suck. Any ideas why he doesn't use ZKM? That was sorta bound to happen with the mass amount of gold farmers wanting to bot on 07. Why though? Everyone seems like they're either in it for the gold or just wants to turn 07 into EOC with the mass amount of bots.

e.e
I used that password in their database for every single password/website I've ever been on.

Hope they don't target me.

That's why, for all forums, I just use the auto generated password and when my cookies for saved pass expire, I request a new one.

07 is a fad. It's a fashion statement. Either that or ppl really hate EOC. I don't see why ppl have to bot a game to get irl money.

I'm still a fan of OSRS simply because it's pre EoC as well as pre graphics update. I liked when combat was simple and rune armor looks like rune armor. The year, to me, doesn't make much difference, but I like it for its simplicity; I'd imagine many people would agree with that.

Evidently getting a job is out of the question for these people, and I'm like you, it doesn't make sense when you can make more in a day than you could in a month of gold-farming, hoping you don't get banned and hoping people will buy your gold as opposed to the other 1,000 sellers.

If they STILL have direct access to the DB, I wouldn't trust anything 10 chars or less due to GPU decryption techniques.

A 7 character password with just letters(Lowercase) takes my GPY around 2 hours.

Let's say there is something around 5k registered on the forum 5000*2 = 10000/24 = 416 days to crack the whole DB.
And if the passwords are salted and require both numbers and uppercase letter we can say it takes something around 1-1,5 days to crack one password without using a rainbow table.

And why would they even think about cracking the passwords ?

You're safe :)
I think they are just some skids that want's to be cool, doubt they got any experience with password cracking.

A 7 character password with just letters(Lowercase) takes my GPY around 2 hours.

Let's say there is something around 5k registered on the forum 5000*2 = 10000/24 = 416 days to crack the whole DB.
And if the passwords are salted and require both numbers and uppercase letter we can say it takes something around 1-1,5 days to crack one password without using a rainbow table.

And why would they even think about cracking the passwords ?

You're safe :)
I think they are just some skids that want's to be cool, doubt they got any experience with password cracking.

http://www.golubev.com/hashgpu.htm Let's see... using this GPU technique on a single graphics card from 2009 could solve 2,731,452,307 possibilities per second. Based on the average stylized 8 digit caps and numeric password, that would be solved in under a minute (52 * 26 * 26 *26 *26 *26 *26 * 10). In roughly 3 days, they could have 5,000 passwords with that. But let's say they used the GPU in my laptop instead... It would take about 16 hours in that case (even faster if they use multiple GPUs, still have DB access, used a more advanced algorithm, used a dictionary attack, etc) to get everyone's 8 digit or less password.

A 7 character password with just letters(Lowercase) takes my GPY around 2 hours.

Let's say there is something around 5k registered on the forum 5000*2 = 10000/24 = 416 days to crack the whole DB.
And if the passwords are salted and require both numbers and uppercase letter we can say it takes something around 1-1,5 days to crack one password without using a rainbow table.

And why would they even think about cracking the passwords ?

You're safe :)
I think they are just some skids that want's to be cool, doubt they got any experience with password cracking.
How exactly does it guess the passwords? Like how does it verify if it is a valid password or not does it check with some unauthorized method

07 is a fad. It's a fashion statement. Either that or ppl really hate EOC. I don't see why ppl have to bot a game to get irl money. I think trilez could easily just pay for the allatori full version instead of the trial version he uses to ob tribot. :l

Then again, allatori does kinda suck. Any ideas why he doesn't use ZKM? That was sorta bound to happen with the mass amount of gold farmers wanting to bot on 07. Why though? Everyone seems like they're either in it for the gold or just wants to turn 07 into EOC with the mass amount of bots.
No idea but the main reason to modify the client is to avoid the verification. Especially in the first two weeks when it came out the DDOS attacks were massive and people couldn't even bot half of the time. If you modified it and thus were able to bot 24/7 you could rake in massive amounts of gold, and money. Because the prices were insane, around 25$/m during that time.

Obviously it was hard to make money but if the goldfarmers thought everything out and started to bot silk 24/7 on 50 accounts they could really rake in thousands of dollars. Which some have most definately done.

I have no idea why he didn't obfuscate it properly. With JAD I could already determine some fields that I needed to modify in order to bypass it. I believe some people also changed the verification urls to their own server.

You got https://tribot.org/inc/session_handle.php?action=isvip when starting the 2007 client and https://tribot.org/inc/session_handle.php?action=getusername during runtime I believe. To create the initial session I believe https://tribot.org/inc/session_handle.php?action=create&username=1&password=2 is used. I'm not too sure about web-related stuff though but the pages seem to work.

I don't think it would be too hard to redirect them.. can't you just edit your hosts file to redirect these to your own site?

No idea but the main reason to modify the client is to avoid the verification. Especially in the first two weeks when it came out the DDOS attacks were massive and people couldn't even bot half of the time. If you modified it and thus were able to bot 24/7 you could rake in massive amounts of gold, and money. Because the prices were insane, around 25$/m during that time.

Obviously it was hard to make money but if the goldfarmers thought everything out and started to bot silk 24/7 on 50 accounts they could really rake in thousands of dollars. Which some have most definately done.

I have no idea why he didn't obfuscate it properly. With JAD I could already determine some fields that I needed to modify in order to bypass it. I believe some people also changed the verification urls to their own server.

You got https://tribot.org/inc/session_handle.php?action=isvip when starting the 2007 client and https://tribot.org/inc/session_handle.php?action=getusername during runtime I believe. To create the initial session I believe https://tribot.org/inc/session_handle.php?action=create&username=1&password=2 is used. I'm not too sure about web-related stuff though but the pages seem to work.

I don't think it would be too hard to redirect them.. can't you just edit your hosts file to redirect these to your own site?

If you are on windows, Tyler scans the hosts file and detects if you have tribot.org pointing to another IP address. Also the TRiBot connects with SSL so you will need the correct certs on a webserver.

Have a look at what ss23 has come up with:

https://github.com/ss23/tribot-authentication

Woopty do lmao..

Had my account compromised, probably nothing to do with Tribot but odd that it happened now, i've got no clue how my account was hacked. `wilco seems to know how though - since he pmed me on irc telling me my username and informing me that my password is compromised then saying 'nvm'.

Just odd and weird to be honest, had the same user login to my Oldschool Rs account - he logged in - stayed at the same 1x1 square i logged out and didn't try anything, he also attempted to login to EoC but was repelled by Jag twice. He didn't use a VPN/proxy and the IP i got from the user is valid and belongs to the UK.

Am confident i didn't click on any phishing link, didn't download any keyloggers (ran combo Fix/malwarebytes: no keyloggers detected) didn't leave my password on any pastebin or paste.villavu.com upload.

Oh i also don't have a Tribot Vip, i use my friend's vip account. I use a random password on forums my RS password is purely Unique and not replicated anywhere else, i use a different password for every site/email/forum/account.

think only `wilco knows but he hasn't been returning any of my pms for whatever reason. Guess am lucky i had no items lost but till i know how i got hacked i cant play the game, for now pmed my friend the password change link that you get sent to your email once you request a password change, he changed the pw so no one has access to my runecape account :p.

Could it be tribot?

nvm i uploaded something to pastebin with my username/password lmao am so retarded.

Is your TriBot pass the same as your rs pass?


Look at the edit above, am retarded, wilco did me a favor lol. God don't ever forget your info on pastebin rofl.... Don't ever mess with wilco either.

Look at the edit above, am retarded, wilco did me a favor lol.

Ah ok, thanks

http://www.golubev.com/hashgpu.htm Let's see... using this GPU technique on a single graphics card from 2009 could solve 2,731,452,307 possibilities per second. Based on the average stylized 8 digit caps and numeric password, that would be solved in under a minute (52 * 26 * 26 *26 *26 *26 *26 * 10). In roughly 3 days, they could have 5,000 passwords with that. But let's say they used the GPU in my laptop instead... It would take about 16 hours in that case (even faster if they use multiple GPUs, still have DB access, used a more advanced algorithm, used a dictionary attack, etc) to get everyone's 8 digit or less password.

I will come back with my own numbers in a sec.

How exactly does it guess the passwords? Like how does it verify if it is a valid password or not does it check with some unauthorized method

It's a hash? For example, letter 'a' has MD5 hash of 0cc175b9c0f1b6a831c399e269772661. You systematically go through different password combinations until you get the same hash. Simple.