Password hacking sites collecting log in info

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • H.I.G
    Confirmed User
    • Mar 2004
    • 926

    #1

    Password hacking sites collecting log in info

    How are these password hacking site collecting login info from members?

    It's hard to believe that most members would give out their log in info. I do have a script to block out multiple IP's and suspend accounts during hacks.

    But my question is, how are these hack sites gettin all these log in info to pay sites?
  • SteveLightspeed
    Confirmed User
    • Jul 2001
    • 7940

    #2
    I think *some* of them set up free sites, where all you need to do is create a profile --- people think they are smart by giving fake email addresses to gain entry, but what they've really given away is the same user/pass that they use on every site they join.

    Then the "hacker" just runs them like keys, until they find the ones that work on your site too.
    Last edited by SteveLightspeed; 05-15-2006, 07:02 PM.
    Abra-cadabra!

    Comment

    • H.I.G
      Confirmed User
      • Mar 2004
      • 926

      #3
      thanks steve.

      Comment

      • V_RocKs
        Damn Right I Kiss Ass!
        • Nov 2003
        • 32448

        #4
        Where do these forums get the info?

        #1 - Payment processors. Some are hackable or were hacked years ago. The nice thing for hackers is very few of you force the users to accept a server made password. So if they get to continuously use kobe08:lakers1 for years, hacking a processor 3 years ago is just as good as hacking it today.

        #2 - Stealing your DB or passfiles via your sponsor program. Many of you have used forum software like phpBB which is notorious for having holes. Some of you have used affiliate software that had holes allowing for the downloading of your database (with unencrypted passwords) or your password files (with encrpyted passwords that are notoriously easy to decrpyt).

        #3 - Your websites have scripting vulnerabilities.

        index.php?page=templates/about.php

        becomes,

        index.php?page=../ccbill/private/.htpasswd

        Or even more devistating, the hacker downloads the .htpasswd file located in your admin directory. Now he decrypts your passwords and then uses the banner uploading scheme to upload a shell. Now he has access to run commands on your server.

        echo "select username,password from members" > /usr/bin/mysql/bin/mysql -u admin -pevil1man -D pa2

        Now he has all of your unencrypted passwords... sweet.. And no need to crack them against your l33t login software like strongbox because these all work.... they are from your current DB...

        #4 - The hackers all trade their DB's and passfiles with each other. Now when they steal your encrypted .htpasswd file they have no problem getting 90% of it cracked in less than an hour since they have 3 million porn surfers passwords to try it against...

        So where do they get these passwords? NOT FROM THE SURFERS YOU FUCKING MORONS! THEY ARE GETTING THEM FROM YOU!

        Comment

        • V_RocKs
          Damn Right I Kiss Ass!
          • Nov 2003
          • 32448

          #5
          Ohh..

          #5 - Hosting.... Many adult hosting companies are vulnerable to attacks for various reasons... The biggest being their support ticket systems... Shit... Some of them use "off the shelf" software that they haven't upgraded for 2 or 3 years... Now google for their version "softwarename 3.4.5 exploit" and see what you get... Maybe if they are large enough you will have access to 1/8th of the adult industry. Affiliate programs, large big name TGP's and the smaller ones you'd like to steal ideas or code from...

          Comment

          • Nismo
            Confirmed User
            • May 2002
            • 4977

            #6
            Alot of them also come from sponsors themselves, carders, and hackers that brute forced them.
            i buy massive xxx dating traffic.

            Comment

            • studiocritic
              Confirmed User
              • Jun 2005
              • 2442

              #7
              Originally posted by V_RocKs
              echo "select username,password from members" > /usr/bin/mysql/bin/mysql -u admin -pevil1man -D pa2


              that wouldn't work.. | not >

              or < from the other side of the command
              254342256

              Comment

              • BlingDaddy
                Confirmed User
                • Apr 2004
                • 6343

                #8
                Everyone is "secure" even NATS. Threads like this make me divert traffic elsewhere.
                Every Day... Bling Daddy's Masturbation Station!
                Bling Daddy's Masturbation Station!

                The Daily Bag of Douche - Humor at it's FINEST.

                Comment

                • Libertine
                  sex dwarf
                  • May 2002
                  • 17860

                  #9
                  You people give most crackers waaay too much credit. Most simply download a simple brute forcing program, a proxy list and (un/pw) dictionary lists, and they're all set to go. Cracking can be done without knowing anything about computers.

                  Of course, the username/password dictionaries were gathered by others, from other sites, often years ago, but since people are predictable, combo's work again and again and again. (qwerty:asdfgh, james:bond, username:password, etc.)
                  /(bb|[^b]{2})/

                  Comment

                  • V_RocKs
                    Damn Right I Kiss Ass!
                    • Nov 2003
                    • 32448

                    #10
                    Originally posted by studiocritic


                    that wouldn't work.. | not >

                    or < from the other side of the command
                    Teach me to write something without testing it first...

                    But the method is still the same and widely used.

                    Comment

                    • V_RocKs
                      Damn Right I Kiss Ass!
                      • Nov 2003
                      • 32448

                      #11
                      Originally posted by punkworld
                      You people give most crackers waaay too much credit. Most simply download a simple brute forcing program, a proxy list and (un/pw) dictionary lists, and they're all set to go. Cracking can be done without knowing anything about computers.

                      Of course, the username/password dictionaries were gathered by others, from other sites, often years ago, but since people are predictable, combo's work again and again and again. (qwerty:asdfgh, james:bond, username:password, etc.)
                      Notice I said hackers, not crackers... And yes, MOST do get off the shelf (so to speak) software and download their lists from forums. But when I started playing around myself 7 years ago there were a handful of people cracking websites and even less hacking them... Now the percentages are still the same (hackers to crackers) but there are more of each...

                      In 2003 I'd say there were about 10 to 20 people who could hack a server worth a damn and now there are 100 to 200... And so many people make it so fucking easy that once you have 5000 password files you just get bored...

                      Comment

                      • V_RocKs
                        Damn Right I Kiss Ass!
                        • Nov 2003
                        • 32448

                        #12
                        Originally posted by BlingDaddy
                        Everyone is "secure" even NATS. Threads like this make me divert traffic elsewhere.
                        To what? Mainstream? They have their own problems.....

                        Comment

                        • nekrom
                          Confirmed User
                          • Mar 2004
                          • 921

                          #13
                          Yup by doing everything V_RocKs just mentioned.

                          Thats also aside from all the script kiddies that just grab an off the shelf brute forcing software, bung in some proxies/judges add a combo list and start hamering away at a paysite that's still using finger boxes instead of form based login.

                          2cents
                          -N
                          Free Traffic

                          Comment

                          Working...