Protecting a single picture is easy; I've done it on many paysites. Basically you disable access to *.jpg or *.gif or *.mpg or WHATEVER in your .htaccess file (for Apache; IIS will be different) - you can find info on doing this by reading the Apache docs. Then you write a "frontend" script to interface with the JPEGs. This can be done in any language, but I've implemented it in Perl and PHP.
Basically what you do is have it spit out the header with the Content-Type of image/jpeg or image/gif ra ra ra, then read from a file and spit it out to the browser. Works perfectly. This is great if you want to limit users' bandwidth, or prevent multiple IPs from accessing images, etc. etc. You can have immense customization.
Regarding hacking/cracking, breaking an HTTP auth password is a walk in the park. In fact, breaking most passwords on a paysite is fairly easy. What you need to do (and also make clear in disclaimers etc.) is limit the number of IPs a user can have connected at the same time, for starters. This way, if your password is broken, and the cracker decides to post your password to 5 zillion users on his pathetic XXX Passwords site, users won't get in. You can also consider suspending the account if this happens. The user may be unhappy, yes, but I think it's ultimately a better alternative than having 200GB of bandwidth used up and paying 20 times what the user pays for that month.
You then also prevent the same IP from hammering your site (i.e. brute-forcing, or even dictionary cracking). All this can be done with simple Perl/PHP scripts (that is, if you're not using .htaccess). If you ARE using .htaccess, I'm fairly certain there are Apache modules that you can use that do just this.
There are many other methods you can use to safeguard against password cracking, though not solve it.
The main concern with paysites, or in fact ANY sites these days, is the mere fact that they are insecure overall. Breaking into paysites is generally EASIER to do by breaking into the whole box. The fact is, most don't have system administrators, and the ones that do are not competent enough to keep up to date with security issues.
This poses a much higher danger than a simple breaking of a password to the members' area. All they have to do is hide the amount of bandwidth you're using, backdoor your members' area, hide their files, hide everything and give people free access to the site, and there'd be virtually no way of you knowing.
Employing a COMPETENT system administrator is important in my opinion. But hey, that's just me :P
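The pieces the post describes (a front-end script that checks the user before streaming a picture, a cap on how many IPs one account may use at once with suspension when it is exceeded, and a per-IP lockout against hammering) fit in one small handler. The following is an added example, not the poster's Perl/PHP script: the thresholds, the PBKDF2 password hashing, the in-memory state (a real site would keep it in a shared store) and the fake one-file image directory are all assumptions. It also adds one check the post does not mention: the requested filename is resolved and confirmed to sit under the image directory, since a front-end that reads whatever path it is handed would otherwise serve files the .htaccess rule was never meant to protect.

```python
"""Gated image front-end: the web server denies direct access to *.jpg etc.
and this script checks the user before streaming the file.
Added example; thresholds, hashing scheme and the sample image are assumptions."""
import hashlib
import hmac
import secrets
import tempfile
import time
from pathlib import Path

CONTENT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".gif": "image/gif", ".mpg": "video/mpeg"}

# Constructed sample image root: one fake JPEG (SOI marker + padding), not a real picture.
IMAGE_ROOT = Path(tempfile.mkdtemp()).resolve()
(IMAGE_ROOT / "set1").mkdir()
(IMAGE_ROOT / "set1" / "001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed scheme: PBKDF2-HMAC-SHA256; the post does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gatekeeper:
    """In-memory state; a real deployment would keep it in a shared store."""

    def __init__(self, users, max_ips=2, ip_window=600, max_fails=5, fail_window=300):
        self.max_ips, self.ip_window = max_ips, ip_window          # distinct IPs per user
        self.max_fails, self.fail_window = max_fails, fail_window  # failed logins per IP
        self.users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self.users[name] = (salt, _hash(pw, salt))
        # Dummy credential so unknown users cost the same time as a wrong password.
        self._dummy = (secrets.token_bytes(16),
                       _hash(secrets.token_hex(8), secrets.token_bytes(16)))
        self.seen = {}        # user -> {ip: last_seen}
        self.fails = {}       # ip -> [failure timestamps]
        self.suspended = set()

    def _check_password(self, user, pw):
        salt, good = self.users.get(user, self._dummy)
        return hmac.compare_digest(_hash(pw, salt), good) and user in self.users

    def request(self, user, pw, ip, rel_path, now=None):
        """Return (status, content_type, body) for one image request."""
        now = time.time() if now is None else now
        # 1. Per-IP hammering: refuse early after max_fails failures within fail_window.
        recent = [t for t in self.fails.get(ip, []) if now - t < self.fail_window]
        self.fails[ip] = recent
        if len(recent) >= self.max_fails:
            return 429, "text/plain", b"too many failed logins"
        if not self._check_password(user, pw):
            recent.append(now)
            return 401, "text/plain", b"unauthorized"
        if user in self.suspended:
            return 403, "text/plain", b"account suspended"
        # 2. Concurrent-IP cap: a password posted on a cracker site shows up as many IPs.
        ips = {i: t for i, t in self.seen.get(user, {}).items() if now - t < self.ip_window}
        ips[ip] = now
        self.seen[user] = ips
        if len(ips) > self.max_ips:
            self.suspended.add(user)   # shared password: cut everyone off, not just this IP
            return 403, "text/plain", b"account suspended: too many IPs"
        # 3. Resolve under IMAGE_ROOT (follows symlinks) and whitelist the extension,
        #    so a request for ../../etc/passwd cannot escape the picture directory.
        target = (IMAGE_ROOT / rel_path).resolve()
        ctype = CONTENT_TYPES.get(target.suffix.lower())
        if IMAGE_ROOT not in target.parents or ctype is None or not target.is_file():
            return 404, "text/plain", b"not found"
        return 200, ctype, target.read_bytes()
```

The order of the checks matters: the per-IP lockout runs before the password hash so a hammering IP costs you nothing, and the concurrent-IP count is only updated after a successful login so failed guesses cannot be used to get a legitimate user suspended.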