hacking

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • smileygirls
    Confirmed User
    • Aug 2002
    • 182

    #1

    hacking

    Anyone know how to prevent hacking of htaccess?
    We use pennywize, but many ppl I have talked to say, this is not enough. Any ideas?
    <a href="http://www.stormyfriday.com" target="_blank"><img src="http://www.panchodog.com/graphics/stobutton.gif"></a>
  • JamesK
    hi
    • Jun 2002
    • 16731

    #2
    lol
    M3Server - NATS Hosting

    Comment

    • MarcoTC
      Confirmed User
      • Oct 2002
      • 108

      #3
      Most 'hackers' use stolen creditcards # and sign up via an AOL account using an address of the CC's country of origin. If they had enough of it, they post the username/pw on a password site.

      People then think their site is hacked while it's not.

      If you use Apache 1.23.26 (or higher) and your Linix box doesn't contain all kind of shit that have open ports (webmin etc.) and the box is normally closed with IPChains, you're pretty much done.

      Pennywize should then take care of brute force password tries and multiple users logging in from different IP's with the same username and password.
      go sig yourself

      Comment

      • smileygirls
        Confirmed User
        • Aug 2002
        • 182

        #4
        Thanks. We dont have any bandwidth spurts or even problems really regarding password trading, since penny does take care of that, but I have a few members bitch and moan about how they are not trading their passes and blah blah blah.. and that the htaccess has been hacked and that their pass was just stolen...

        We dont keep that info on our sites or servers, so IF these members are telling the truth, which I highly doubt, then hackers are able to find a pass here and there, that works, before penny blocks from brute force and it just happens to be one of those complaining ho's passes.

        I guess I just to confirm if htaccess is replaceable with a better means of protection against this or what should I tell these guys, IF they are honest?

        Should I just change their userpass once and slap em on the wrist and if it happens again, they're fucked? That is what I do now. Only if they write, which is rare. Maybe 1 a month or max 2.
        <a href="http://www.stormyfriday.com" target="_blank"><img src="http://www.panchodog.com/graphics/stobutton.gif"></a>

        Comment

        • JayJay
          Confirmed User
          • Jun 2002
          • 3739

          #5
          Originally posted by MarcoTC
          Most 'hackers' use stolen creditcards # and sign up via an AOL account using an address of the CC's country of origin. If they had enough of it, they post the username/pw on a password site.

          People then think their site is hacked while it's not.

          If you use Apache 1.23.26 (or higher) and your Linix box doesn't contain all kind of shit that have open ports (webmin etc.) and the box is normally closed with IPChains, you're pretty much done.

          Pennywize should then take care of brute force password tries and multiple users logging in from different IP's with the same username and password.
          your wrong dick wad
          If they used a stolen CC then there not a hacker

          Comment

          • Simon-interaid
            Confirmed User
            • Sep 2002
            • 814

            #6
            Smiley,


            Make sure your .htaccess file and .htpasswd are not in the same directory.



            And the directory you put your .htpasswd in or whatever the password database is called, is not in a web viewable directory.



            Put it above the public_html or whatever your home directory is.
            so if you have this:

            /home/smiley/public_html ---> which shows the content of smiley.com lets say...

            and your protecting /home/smiley/public_html/members

            and you have .htaccess in the /home/smiley/public_html/members


            make sure you put your .htpasswd somewhere like this
            /home/smiley/db/.htpasswd

            or a directory like that which you can't access through the browser by typing in a url.


            and than have your .htaccess point to /home/smiley/db/.htpasswd
            for its password database.


            Hope this helps.
            we buy domains with typin traffic. icq me 8566256

            Comment

            • MarcoTC
              Confirmed User
              • Oct 2002
              • 108

              #7
              Originally posted by JayJay


              your wrong dick wad
              If they used a stolen CC then there not a hacker
              read moron.
              go sig yourself

              Comment

              Working...