Quote:
Originally Posted by raymor
Thanks for handling this responsibly, contacting NATS first and then going to
full disclosure mode only when it became necessary. As a security professional
who works with a lot of NATS sites, and someone who has previously
raised questions about the security implications of having that kind of data
on the web server at all as well as specific concerns about NATS, this is
of great interest to me and leaves me with a question.
Most of the "symptoms" you describe could be explained by a simpler problem
than that "*Someone* has access to TMM's clients database with your admin
logins and passwords." There are numerous other ways for a cracker to get
the admin user name and password. Most webmasters choose poor passwords,
with "admin:admin" being common, as are certain variations on that.
You don't have to crack TMM's database to get in when the password is
that obvious. Most webmasters use passwords based on English words,
so a dictionary attack is simple enough. More likely, any PHP script
anywhere on the server might be exploited and used to read the password
from the database. Based on what you've posted, the only evidence that
the bad guy(s) have access to the TMM database is:
Is that a solid pattern that you saw repeatedly, or is it a case where it
happened one time that the cracker definitely was gone and then came back
shortly after TMM was given admin access?
Agreed - they have an impressive product and the current crop of people there
seem to be good people. Some on this board know we once had some
intellectual property concerns regarding the actions of someone who no
longer works there, but that's been properly taken care of by TMM. My interest
is in helping webmasters who use NATS and TMM to take care of any problems
so that everyone can get back to the business of getting the porn to the people.
YES, solid as can be. We will keep all logs and evidence. As soon as they (TMM) got the "new" admin password, within hours we saw the attacks come back. More than that, after we blocked the 2-3 IPs on the core network they came from, a few weeks later the "hacker" changed IPs while attacking our customers, so another protection went into place.
__________________
QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
24/7 "REALLY ON-SITE" Support - Completely Premium Network
Public & Private Network, Remote Reboot, Private VLANs
99.99% Guaranteed Network Uptime / BGP4 Multihomed
24/7 LIVE CHAT, Phone and Ticket Support
1-888-5-QUADRA