Password thieves

  • Sexsitesurfer
    Confirmed User
    • Aug 2005
    • 3157

    #1

    Password thieves

    http://www.xxxpass.se/pass2/2007-03-28-(5567).php

    Anyone know these people?

    Fuckers!
    Paul
    DDF Productions
    Marketing manager
    Skype: Marketing.DDF
    ICQ: 316302313
    Cell: +36 30 732 6076
    [email protected]
  • bizarrejan
    Confirmed User
    • May 2006
    • 1487

    #2
    nope sorry, can't help


    • Humpy Leftnut
      Confirmed User
      • Apr 2007
      • 1292

      #3
      *bookmarks*

      That's funny, this is how I started my review site in 2002, by using a password hacking IRC channel to gain access to the sites. So many sites were shit back then, and we really tried to review the bad ones as well as the good ones. And really, who lets you into their shitty site so you can tear them a new one?

      I always figured I was the only one who was breaking in to make people money though, so how mad can they be!

      But yeah I feel your pain, they cause real problems, but things are a lot harder for them nowadays.

      Couple tips: they use brute force cracking programs to run password lists of people who have previously signed up to porn sites. Usually people use the same username and password, so they'll work on many different sites over the years.

      1> if you can, use a form based login, not a pop-up password box as is normal
      2> add a human sentry to the form, captcha
      3> Block IP's of people who try more than 50+ login attempts in a 15 minute period
      4> pick usernames for people
      5> force long passwords with letters, capital letters and a number. every extra character makes the number of possibilities way more.
      Humpy Leftnut - Pornsumer Reviews


      • rowan
        Too lazy to set a custom title
        • Mar 2002
        • 17393

        #4
        Why did you post the full URL? GFY is full of surfers...


        • Randyyy
          Confirmed User
          • Jan 2007
          • 2240

          #5
          most of the links don't work
          need video editing done? hit me up!
          ICQ: 10347906


          • Sexsitesurfer
            Confirmed User
            • Aug 2005
            • 3157

            #6
            Originally posted by rowan
            Why did you post the full URL? GFY is full of surfers...
            Shit... can a mod edit it?

            I always try to think of this as a webmasters' board....

            • Humpy Leftnut
              Confirmed User
              • Apr 2007
              • 1292

              #7
              I know of 2 other review sites other than ASS to start with hacked passwords too actually :D

              • HighSociety
                Confirmed User
                • Jun 2005
                • 1786

                #8
                get strongbox
                http://www.highsociety.com
                http://www.playgirl.com
                http://www.cheri.com


                Jonathan "JC" Maldini
                ICQ: 223 643


                • Dirty Dutchman
                  Confirmed User
                  • Mar 2007
                  • 235

                  #9
                  Glad my site ain't in there (maybe I should say yet?)
                  These guys have been busy...

                  Is hacking not illegal though? And isn't it so that a good host removes illegal sites?

                  Webcams, 6 bucks, match making. Superb promo tools!


                  New Naughty Luci Rev Share coming


                  • Dirty Dutchman
                    Confirmed User
                    • Mar 2007
                    • 235

                    #10
                    Let me add to this that after trying at least 40 links, I am happy to discover that 0 worked....


                    • Sexsitesurfer
                      Confirmed User
                      • Aug 2005
                      • 3157

                      #11
                      Originally posted by Dirty Dutchman
                      Let me add to this that after trying at least 40 links, I am happy to discover that 0 worked....
                      I presume they get blocked, as ours did.

                      • PowerCum
                        CjOverkill
                        • Apr 2003
                        • 1328

                        #12
                        Ok... my main problem is how I can get my paysites listed on such places on a regular basis.
                        You will be amazed how much money you can make by listing your sites on these lists... then of course you also must know what to do with the surfers they send you or you will end up with a BIG BW bill and nothing in exchange.

                        Thank you for the link. I will submit my sites to them tomorrow at some time when I finish a couple of fixes
                        CjOverkill Traffic Trading Script
                        Free, secure and fast traffic trading script. Get your copy now


                        • rotowa85
                          Confirmed User
                          • Feb 2007
                          • 278

                          #13
                          Originally posted by Humpy Leftnut
                          *bookmarks*
                          1> if you can, use a form based login, not a pop-up password box as is normal
                          2> add a human sentry to the form, captcha
                          3> Block IP's of people who try more than 50+ login attempts in a 15 minute period
                          4> pick usernames for people
                          5> force long passwords with letters, capital letters and a number. every extra character makes the number of possibilities way more.
                          That's some good advice, although I must say that although it's harder to crack passwords that use form logins it's still possible. And blocking IP addresses is pointless; any good hacker will be using proxies.

                          I also think it's a bad idea to pick people's passwords for them. Correct me if I'm wrong but I think ccbill uses computer generated usernames and passwords. And the fact is that if you can get hold of a ccbill log file (which isn't very difficult from some sites) and decrypt it (which isn't very difficult) you get access not only to all the passwords for that site but to the format that the usernames and passes are in, which makes creating a username:password list a lot easier.

                          And on that, if you haven't already then password protect your log files, because I know for a fact that there are still sites out there which haven't, and that is a serious lack in security
                          Last edited by rotowa85; 04-10-2007, 04:38 AM.


                          • raymor
                            Confirmed User
                            • Oct 2002
                            • 3745

                            #14
                            Originally posted by made2ordervideos
                            get strongbox
                            He's referring to:
                            http://bettercgi.com/strongbox/

                            Strongbox also matches the suggestions that Humpty made:
                            1> if you can, use a form based login, not a pop-up password box as is normal
                            2> add a human sentry to the form, captcha
                            3> Block IP's of people who try more than 50+ login attempts in a 15 minute period

                            We can also help with his other suggestions:
                            4> pick usernames for people
                            5> force long passwords with letters, capital letters and a number.
                            > every extra character makes the number of possibilities way more.

                            You said:
                            > http://www.xxxpass.se/pass2/2007-03-28-(5567).php
                            > Anyone know these people?

                            Yes, our spider database has thousands of passwords we've found on that site.
                            For historical display only. This information is not current:
                            support@bettercgi.com ICQ 7208627
                            Strongbox - The next generation in site security
                            Throttlebox - The next generation in bandwidth control
                            Clonebox - Backup and disaster recovery on steroids


                            • raymor
                              Confirmed User
                              • Oct 2002
                              • 3745

                              #15
                              Originally posted by rotowa85
                              blocking IP addresses is pointless; any good hacker will be using proxies.
                              Indeed, which is why you block those proxies using something like Strongbox.

                              Originally posted by rotowa85
                              I also think it's a bad idea to pick people's passwords for them.
                              Any reason for that? If you DON'T choose their passwords for them, a surprisingly
                              large number will choose the word "password" as their password. Another large
                              percentage will make their password the same as their user name and their user name
                              is easy to get.

                              > Correct me if I'm wrong but I think ccbill uses computer generated usernames and passwords.
                              It can be set to generate user names and passwords, random ones that suck.
                              It can also be set to use GOOD user names and passwords generated by our tool.

                              > And the fact is that if you can get hold of a ccbill log file (which isn't very difficult from
                              > some sites) and decrypt it (which isn't very difficult) you get access not only to all the passwords for that site but to the format that the usernames and passes are in, which makes creating a username:password list a lot easier.
                              Kind of close, but no. The CCBill log doesn't include the password and it's not encrypted.
                              Also this has nothing at all to do with choosing the user's password for them, BTW.
                              The CCBill log and other files are IDENTICAL whether the user chooses the password,
                              the password is random characters assigned by CCBill, or it's a good password generated
                              by our tool.
                              What you're thinking of is the password file, .htpasswd, which every password protected
                              site has. A very few sites store the list in a database rather than a file, but that makes
                              no difference because they are both just about equally readable. Way back in the day
                              the passwords in the password file used to be encrypted using a type of encryption called DES,
                              which can now be cracked in seconds. CCBill and the other processors all still use DES
                              as the default and make it easy for a cracker to get most of your passwords. We routinely
                              update the scripts that the processors give you to use a much stronger type of encryption
                              called "salted MD5".
                              More info about all of this can be found on this page:
                              http://bettercgi.com/strongbox/passgen/
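For site owners who want to know which scheme their own password file uses (the DES versus "salted MD5" point in the post above), here is an added example that is not part of the thread and is not Strongbox or CCBill code. It classifies each entry of an Apache-style `user:hash` file by the shape of the hash field; the sample entries are constructed filler, not real hashes, and the "ok / legacy / weak" verdicts are this example's own labels.

```python
import re
from collections import Counter, defaultdict

# (pattern, scheme, verdict) for the hash field of a "user:hash" line.
# Order matters: the most specific prefixes are tested first.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", "ok"),
    # Apache's salted, iterated MD5 variant (the "salted MD5" family).
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", "legacy"),
    # md5-crypt as introduced by FreeBSD.
    (re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "md5-crypt", "legacy"),
    # Unsalted SHA-1: 20 bytes in base64 is 27 characters plus one "=".
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", "weak"),
    # Traditional DES crypt: 2-character salt + 11 characters, and only
    # the first 8 characters of the password are used.
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", "weak"),
]


def classify(hash_field):
    """Return (scheme, verdict) for one hash field."""
    for pattern, name, verdict in SCHEMES:
        if pattern.match(hash_field):
            return name, verdict
    return "unknown", "review"


def audit(text):
    """Summarise a password file: scheme counts, entries to re-hash,
    and groups of users whose stored hash strings are identical."""
    counts = Counter()
    needs_rehash = []
    by_hash = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            counts["malformed"] += 1
            continue
        hash_field = rest.split(":", 1)[0]  # ignore any trailing fields
        name, verdict = classify(hash_field)
        counts[name] += 1
        if verdict != "ok":
            needs_rehash.append((user, name, verdict))
        by_hash[hash_field].append(user)
    shared = sorted(users for users in by_hash.values() if len(users) > 1)
    return {"counts": dict(counts), "needs_rehash": needs_rehash,
            "shared_hashes": shared}


# Constructed sample: the hash bodies are filler characters of the right
# length for each scheme, not output of any real hash function.
SAMPLE = "\n".join([
    "member1:ab" + "A" * 11,
    "member2:ab" + "A" * 11,                      # same salt and hash as member1
    "member3:$apr1$" + "s" * 8 + "$" + "B" * 22,
    "member4:{SHA}" + "C" * 27 + "=",
    "member5:$2y$10$" + "D" * 53,
    "member6:hunter2",                            # not a recognised hash shape
    "broken line without separator",
])

if __name__ == "__main__":
    report = audit(SAMPLE)
    for scheme, n in sorted(report["counts"].items()):
        print(f"{scheme:14} {n}")
    for user, scheme, verdict in report["needs_rehash"]:
        print(f"re-hash {user}: {scheme} ({verdict})")
    print("identical hashes:", report["shared_hashes"])
```

Entries can only be moved to a stronger scheme when the member next logs in or is issued a new password, since the stored hash does not reveal the password.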

                              • Humpy Leftnut
                                Confirmed User
                                • Apr 2007
                                • 1292

                                #16
                                You're right that if you use a simple, or even complex algorithm to generate a "key" or password, and have enough of these generated passwords, a good cracker can figure out the system.

                                But the thing with security is that anything is breakable, it's just how hard, time consuming and expensive it is to crack. Kind of like car thieves, they go for easy targets, they don't want to stand outside a car for hours pondering ways to get in. If it's not easy, they will move on.

                                So if I have your user name, and you have a 4 digit password, it only takes a standard computer a few minutes, if that, to run *every* possible 4 letter password that could exist. a, b, aa, bb, ab, and so on. If you add Capital letters and numbers, the possibilities are more.

                                However if you're looking at an 8 or 9 digit password, we're talking days to figure it out, and probably impossible through a web form without getting all your proxies blocked.

                                If you don't like the idea of randomly generating passwords, I'd suggest just forcing them to make it at least 8 characters long, and have a capital letter and number in it.

                                More of you should use Strongbox, it sounds like this guy knows what he's doing, and while form based attempts are indeed crackable, you're again cutting down the number of people willing to put in the time. Most password crackers have very little knowledge of this stuff, they're not the same people that are going to break in, deshadow your password file or decrypt your forced password algo. They're probably 15 year old kids playing with a password cracking windows program and some proxies.
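The signup-side rules discussed in the posts above (at least 8 characters with a capital letter and a number, not the word "password", not the same as the user name, or a site-generated password instead) can be enforced in a few lines. This is an added example, not part of the thread or of any product named in it; the short deny-list and the function names are assumptions made for the illustration.

```python
import secrets
import string

MIN_LENGTH = 8
# Constructed, deliberately tiny deny-list; a real one would be much longer.
COMMON = {"password", "12345678", "qwertyui"}


def policy_violations(username, password):
    """Return the list of rules a chosen password breaks (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if password.lower() == username.lower():
        problems.append("same as user name")
    if password.lower() in COMMON:
        problems.append("common password")
    return problems


def generate_password(username, length=10):
    """Site-chosen password: random letters and digits from the OS CSPRNG,
    redrawn until it satisfies the same policy members are held to."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(username, candidate):
            return candidate


def keyspace_up_to(max_len, alphabet_size):
    """Number of passwords of length 1..max_len over the given alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def days_to_try_all(max_len, alphabet_size, guesses_per_day):
    """Days needed to submit every candidate at a fixed daily rate."""
    return keyspace_up_to(max_len, alphabet_size) / guesses_per_day


if __name__ == "__main__":
    print(policy_violations("bob", "password"))
    print(generate_password("bob"))
    # 50 attempts per 15 minutes is 4800 attempts per day from one address.
    per_day = 50 * 4 * 24
    print("lowercase, up to 4 chars:", keyspace_up_to(4, 26),
          "candidates,", round(days_to_try_all(4, 26, per_day)), "days")
    print("letters+digits, up to 8 chars:", keyspace_up_to(8, 62), "candidates")
```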

                                • pornmasta
                                  Too lazy to set a custom title
                                  • Jun 2006
                                  • 20016

                                  #17
                                  - use verotel (or any billing scheme that uses random passwords)
                                  - use turing protections
                                  - warn on your login page that brute force is useless.
                                  Also most crackers know that with some payment processors brute force is useless.

                                  Strongbox is not a very good option, imo.


                                  • Jace
                                    FBOP Class Of 2013
                                    • Jan 2004
                                    • 35562

                                    #18
                                    Originally posted by pornmasta
                                    - use verotel (or any billing scheme that uses random passwords)
                                    - use turing protections
                                    - warn on your login page that brute force is useless.
                                    Also most crackers know that with some payment processors brute force is useless.

                                    Strongbox is not a very good option, imo.
                                    I have run it for 6 years on a paysite that gets quite a bit of password crackers attempting to rip my shit, strongbox gets them every time and I have never had a password posted to a password forum that was successful

                                    in fact, before strongbox (using ccbill) I had my entire members password list posted....since strongbox that has never happened


                                    • shoeaholicanon
                                      Confirmed User
                                      • Feb 2007
                                      • 1003

                                      #19
                                      bah i dunno


                                      • TeenCat
                                        Too lazy to set a koala
                                        • Jan 2007
                                        • 16139

                                        #20
                                        be glad for those password thieves. they are not stealing from you, but from private boards, and are publishing real h*ckers' hard work, and without sites like this you will never find out that a password to your site is h*cked and public

                                        6bot
                                        / Coming again very soon!
                                        Svit Zlin Radio 24/7!


                                        • Humpy Leftnut
                                          Confirmed User
                                          • Apr 2007
                                          • 1292

                                          #21
                                          Originally posted by TeenCat
                                          be glad for those password thieves. they are not stealing from you, but from private boards, and are publishing real h*ckers' hard work, and without sites like this you will never find out that a password to your site is h*cked and public
                                          Well that's assuming you enjoy spending your life scouring the web for people who posted passwords. I think most people would rather..


                                          SET IT, AND FORGET IT!

                                          • TeenCat
                                            Too lazy to set a koala
                                            • Jan 2007
                                            • 16139

                                            #22
                                            Originally posted by Humpy Leftnut
                                            SET IT, AND FORGET IT!
                                            get the source, ban your passwords, leave the source private, that's the way I meant it


                                            • pornmasta
                                              Too lazy to set a custom title
                                              • Jun 2006
                                              • 20016

                                              #23
                                              Originally posted by Jace
                                              I have run it for 6 years on a paysite that gets quite a bit of password crackers attempting to rip my shit, strongbox gets them every time and I have never had a password posted to a password forum that was successful

                                              in fact, before strongbox (using ccbill) I had my entire members password list posted....since strongbox that has never happened

                                              yes strongbox gives a protection, however it is not unbreakable; with a brute force attack, you have to run the attack slowly with >500 proxies. Of course most people don't use so many proxies, but strongbox is not unbreakable.
                                              Also ccbill's pass scheme can be very weak sometimes, if it is a 6/8 user/pass chosen by the users.
                                              I have never seen a verotel password posted; you have to use another way than brute force to enter.
                                              Also it is possible to break turing protections, but it is hard.

                                              So if you ban IPs 30 minutes after 3 unsuccessful attempts, with a free turing protection you should have a pretty inexpensive protection.
                                              (at least against brute force)
                                              If you see your full password database posted you should be warned that you may have a keylogger on your server.
                                              Because if your passwords are crypted it is usually not possible to crack more than 70% of the passwords from a database. (with online brute force you have to use a corrupted combo database)
                                              Switching from DES to FreeBSD MD5 could be a solution to prevent offline password cracking. (for stolen db).

                                              need a perfect10 password ?
                                              http://www.google.com/search?hl=en&s...ssword&spell=1

                                              and perfect10 started a lawsuit against these sites... (or against google)


                                              • pornmasta
                                                Too lazy to set a custom title
                                                • Jun 2006
                                                • 20016

                                                #24
                                                http://img96.imageshack.us/img96/3741/temp2uz5.jpg


                                                • pornmasta
                                                  Too lazy to set a custom title
                                                  • Jun 2006
                                                  • 20016

                                                  #25
                                                  http://img412.imageshack.us/img412/4889/temp2wf1.jpg


                                                  • tony299
                                                    lurker
                                                    • Aug 2002
                                                    • 57021

                                                    #26
                                                    thats fucked up


                                                    • TeenCat
                                                      Too lazy to set a koala
                                                      • Jan 2007
                                                      • 16139

                                                      #27
                                                      only webmasters are f*cked up. if they have some simple script with "3 IPs and password blocked and new sent max three times to email" there is nothing to be afraid of from search engines, because there will be no live passwords, but that would not be such a big adventure and drama


                                                      • raymor
                                                        Confirmed User
                                                        • Oct 2002
                                                        • 3745

                                                        #28
                                                        pornmasta you talk a lot about Strongbox for someone who has probably never
                                                        even seen it and I know for sure you haven't broken it. No one claimed the $5,000
                                                        prize for cracking a Strongbox site, so it seems to be awfully secure.

                                                        Teencat, that kind of naive counting worked fine until September of 1999 when all the crackers
                                                        started using proxy lists. Since then you HAVE to be smarter than that.
                                                        Also of course a single AOL, Earthlink, or DTAG user may show up as 6 different IPs
                                                        in one hour, so naively counting IPs like that will block your AOL, Earthlink, and DTAG customers.
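The counting rules argued over in this thread can be compared side by side on a login log. The following is an added example, not part of the thread and not how Strongbox or any other product named here works: it replays constructed events through three rules, namely failures per IP (more than 50 in 15 minutes), distinct IPs per account (3 within an hour), and failures per account regardless of IP. The per-account limit of 10 and all addresses and user names are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 15 * 60          # "15 minute period", in seconds
HOUR = 60 * 60
IP_FAIL_LIMIT = 50        # block an IP after more than 50 failures per window
DISTINCT_IP_LIMIT = 3     # lock an account seen from 3 IPs within an hour
ACCOUNT_FAIL_LIMIT = 10   # assumption: flag an account after more than 10 failures


def _push(queue, ts, item, window):
    """Append (ts, item) and drop entries that fell out of the window."""
    queue.append((ts, item))
    while queue[0][0] <= ts - window:
        queue.popleft()


def analyse(events):
    """events: iterable of (timestamp, ip, user, success). Returns which
    IPs or accounts each rule would act on."""
    ip_fail = defaultdict(deque)       # ip   -> recent failures
    acct_fail = defaultdict(deque)     # user -> recent failures, any IP
    acct_ok_ips = defaultdict(deque)   # user -> recent successful logins
    out = {"ip_blocked": set(), "account_flagged": set(),
           "distinct_ip_locked": set()}
    for ts, ip, user, ok in sorted(events):
        if ok:
            _push(acct_ok_ips[user], ts, ip, HOUR)
            if len({i for _, i in acct_ok_ips[user]}) >= DISTINCT_IP_LIMIT:
                out["distinct_ip_locked"].add(user)
            continue
        _push(ip_fail[ip], ts, user, WINDOW)
        _push(acct_fail[user], ts, ip, WINDOW)
        if len(ip_fail[ip]) > IP_FAIL_LIMIT:
            out["ip_blocked"].add(ip)
        if len(acct_fail[user]) > ACCOUNT_FAIL_LIMIT:
            out["account_flagged"].add(user)
    return out


def sample_events():
    """Constructed log covering the three situations raised in the thread."""
    events = []
    # 1. Failures against one account, each from a different address.
    for n in range(60):
        events.append((n * 5, "198.51.100.%d" % (n + 1), "alice", False))
    # 2. Failures against many accounts from a single address.
    for n in range(60):
        events.append((n * 5, "203.0.113.9", "user%d" % n, False))
    # 3. One paying member whose ISP presents 6 addresses in an hour.
    for n in range(6):
        events.append((n * 600, "192.0.2.%d" % (n + 1), "bob", True))
    return events


if __name__ == "__main__":
    result = analyse(sample_events())
    print("per-IP rule blocks:        ", sorted(result["ip_blocked"]))
    print("per-account rule flags:    ", sorted(result["account_flagged"]))
    print("distinct-IP rule locks out:", sorted(result["distinct_ip_locked"]))
```

On this sample the per-IP rule only sees the single noisy address, the per-account rule is the one that notices the spread-out failures against `alice`, and the distinct-IP rule locks out the legitimate member `bob`.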

                                                        • More Booze
                                                          Confirmed User
                                                          • Mar 2004
                                                          • 5116

                                                          #29
                                                          What a crappy site. No pass I tried worked!


                                                          • pornmasta
                                                            Too lazy to set a custom title
                                                            • Jun 2006
                                                            • 20016

                                                            #30
                                                            Originally posted by raymor
                                                            pornmasta you talk a lot about Strongbox for someone who has probably never
                                                            even seen it and I know for sure you haven't broken it.
                                                            ...
                                                            No one claimed the $5,000
                                                            prize for cracking a Strongbox site, so it seems to be awfully secure.
                                                            .

                                                            Very interesting.


                                                            • BucksMania
                                                              Confirmed User
                                                              • Oct 2005
                                                              • 3758

                                                              #31
                                                              wow one of my sites is listed like 3 times there, but pennywize did its job


                                                              • Violetta
                                                                Affiliate
                                                                • Jul 2004
                                                                • 28735

                                                                #32
                                                                7 urls to my site. I'm glad I am using proxypass...

                                                                Fuckers...
                                                                Last edited by Violetta; 05-15-2007, 08:36 AM.
                                                                M&A Queen


                                                                • pinkz
                                                                  Mr 1%
                                                                  • May 2005
                                                                  • 1397

                                                                  #33
                                                                  this is similar to ultrapasswords dot com

                                                                  none of the passwords work, you just get sent to the main tour of the supposedly hacked sites

                                                                  quite ingenious if you think about it: the surfer thinks he or she is going to get a freebie, instead they get sent to a 1 dollar trial pass (which in my books is almost free) and in their frustration they will probably sign up!! webmaster is quids in!
                                                                  $$$$ Video Secrets $$$$


                                                                  • Zoose
                                                                    Confirmed User
                                                                    • Aug 2006
                                                                    • 268

                                                                    #34
                                                                    Originally posted by raymor
                                                                    pornmasta you talk a lot about Strongbox for someone who has probably never
                                                                    even seen it and I know for sure you haven't broken it. No one claimed the $5,000
                                                                    prize for cracking a Strongbox site, so it seems to be awfully secure.
                                                                    Somehow I don't see someone doing something illegal claiming a prize. Strongbox is way better than anything else out there but I have seen a couple of Strongbox protected sites with working passwords being shared a while back. Who knows how the passwords were actually obtained though.. they could have been shared or carded and not cracked. Ultimately though, I think Strongbox is the happy medium as far as site security, if you make it any more of a pain in the ass to log in or surf the site you're going to piss off your legitimate customers.

                                                                    Comment

                                                                    • gmr324
                                                                      Confirmed User
                                                                      • Aug 2006
                                                                      • 1199

                                                                      #35
                                                                      Another Solution

                                                                      Many of these password trading sites are outside of
                                                                      the US. Time has proven that they have multiple lives
                                                                      and just rear their ugly heads over and over again
                                                                      after being shut down.

                                                                      You can easily use Google to pinpoint exactly who is
                                                                      publishing stolen passwords from your sites.
                                                                      Basically, in Advanced Search Mode in Google, use the
                                                                      template:

                                                                      "http://*:*@xxx.com/members"

                                                                      There will always be malicious hackers who get their
                                                                      kicks by publishing stolen passes. The trick is to
                                                                      make sure those stolen passes DO NOT WORK. That takes
                                                                      all the fun away from hacking them and will discourage
                                                                      leechers if all they find are dead passwords in those
                                                                      trading forums.

                                                                      I represent a Next Generation Password Protection
                                                                      System called Phantom Frog that is based on the
                                                                      premise of providing 24/7 uninterrupted access to your
                                                                      valid members and none to hackers/leechers. Our system
                                                                      uses Geo-IP Tracking technology which will not even
                                                                      allow 2 friends to share the same password let alone a
                                                                      whole trading forum with hundreds of leechers!

                                                                      The second way we make life simple for webmasters
                                                                      is through Automated Member Support. So, if this
                                                                      abuse/sharing happens while you're sleeping or away,
                                                                      your legitimate paying member can have a
                                                                      fresh new password re-issued to them via email.
                                                                      As a result, the paying member is not blocked out of
                                                                      your website and isn't looking to cancel their
                                                                      membership.

                                                                      Our product is integrated with CCBill, NetBilling, Paycom,
                                                                      NATS, MPA3, Verotel, 2000Charge, SegPay, Jettis, and
                                                                      365Billing. We have stellar webmaster testimonials listed
                                                                      on our site.

                                                                      Phantom Frog has a simple FREE Trial Version which
                                                                      installs in 5 minutes or we can handle the complete
                                                                      demo installation for you from our end. Most of our
                                                                      customers were motivated to purchase our password
                                                                      protection only 3 days after installing the demo!

                                                                      Check out our recent partnership announcement with
                                                                      Mansion Productions:

                                                                      http://www.gofuckyourself.com/showthread.php?t=727421

                                                                      Visit this link to try our FREE demo:
                                                                      www.PhantomFrog.com/g

                                                                      Please feel free to contact me with any questions or
                                                                      feedback.

                                                                      [email protected]
                                                                      ICQ: 226948212

                                                                      Comment
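The search template in the post above finds pages that publish logins as `http://user:pass@host/members` URLs. As an added example (not part of the original post or of any product named in it), this Python sketch takes the text of such a page and lists which accounts on your own domain were exposed so they can be reset; the domain `example-paysite.test`, the sample text and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of text copied from a password-trading page (not real data).
SAMPLE_PAGE = """
Fresh passes
http://jsmith:Secret12@www.example-paysite.test/members/
http://bob99:hunter2@example-paysite.test/members/index.html
https://alice:pw%40home@members.example-paysite.test/members
http://carol:abc123@other-site.test/members/
http://www.example-paysite.test/tour/   (no credentials in this one)
http://jsmith:Secret12@www.example-paysite.test/members/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def leaked_accounts(text, my_domain):
    """Return sorted usernames exposed in user:pass@host URLs for my_domain.

    Passwords are deliberately not returned or stored: the username is
    enough to force a reset for the affected member.
    """
    my_domain = my_domain.lower()
    found = set()
    for raw in URL_RE.findall(text):
        try:
            parts = urlsplit(raw)
        except ValueError:          # malformed URL, skip it
            continue
        if parts.username is None or parts.password is None:
            continue                # no embedded credentials
        host = (parts.hostname or "").lower()
        # Exact domain or a real subdomain only, so lookalike hosts are ignored.
        if host == my_domain or host.endswith("." + my_domain):
            found.add(parts.username)
    return sorted(found)

if __name__ == "__main__":
    for user in leaked_accounts(SAMPLE_PAGE, "example-paysite.test"):
        print("reset password for:", user)
```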

                                                                      • TBrown
                                                                        Confirmed User
                                                                        • Oct 2006
                                                                        • 1519

                                                                        #36
                                                                        how about this:

                                                                        WWW.OPIUM.SE

                                                                        or

                                                                        www.forums.anticommon.com



                                                                        mcbrown

                                                                        Comment

                                                                        • mattz
                                                                          Confirmed User
                                                                          • Dec 2001
                                                                          • 7697

                                                                          #37
                                                                          sweet, thanks for the free porn!

                                                                          Comment

                                                                          • Iron Fist
                                                                            Too lazy to set a custom title
                                                                            • Dec 2006
                                                                            • 23400

                                                                            #38


                                                                            http://www.opium.se - Wow... nice teeth!
                                                                            i like waffles

                                                                            Comment

                                                                            • TBrown
                                                                              Confirmed User
                                                                              • Oct 2006
                                                                              • 1519

                                                                              #39
                                                                              Originally posted by mattz
                                                                              sweet, thanks for the free porn!
                                                                              welcome



                                                                              mcbrown

                                                                              Comment

                                                                              • SomeCreep
                                                                                :glugglug
                                                                                • Mar 2003
                                                                                • 26118

                                                                                #40
                                                                                Originally posted by sharphead

                                                                                Wow, that's fucking cool. Looks totally 3-D.

                                                                                Webair Hosting

                                                                                I use and recommend Webair for hosting.

                                                                                Comment

                                                                                • martinsc
                                                                                  Too lazy to set a custom title
                                                                                  • Jun 2005
                                                                                  • 27047

                                                                                  #41
                                                                                  Originally posted by sharphead


                                                                                  http://www.opium.se - Wow... nice teeth!
                                                                                  that's pretty cool
                                                                                  Make Money

                                                                                  Comment

                                                                                  • pornmasta
                                                                                    Too lazy to set a custom title
                                                                                    • Jun 2006
                                                                                    • 20016

                                                                                    #42
                                                                                    well, an old solution was to add fake passwords that redirect to a tour, so if a bruteforcer tries to start an attack he will get a fake password (very common) first, then, or it publishes the pass, and it is good for your website, and I notice that there are too many fakes and stops.

                                                                                    Also, a famous forum is deny.de, you will (strangely) find a lot of adult webmasters there and they know the market.

                                                                                    Comment
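The fake-password idea in the post above, as an added example that is not part of the original post: planted decoy logins built from very common combinations are accepted but land on the tour, and every source address that uses one is recorded for blocking or review. The account names, salt, paths and IP addresses are constructed for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed stores: one real member, plus decoys using very common combos
# that a brute-force list will try early.
MEMBERS = {"jsmith": _digest("T7r!vq92Lm")}
DECOYS = {"test": _digest("test"), "admin": _digest("password")}

decoy_hits = {}  # source IP -> decoy usernames it logged in with

def _matches(store, username, candidate):
    stored = store.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)

def login(username, password, ip):
    """Return the path the client is sent to after a login attempt."""
    candidate = _digest(password)
    if _matches(DECOYS, username, candidate):
        # Looks like a working pass to the attacker, but only reaches the tour.
        decoy_hits.setdefault(ip, []).append(username)
        return "/tour/"
    if _matches(MEMBERS, username, candidate):
        return "/members/"
    return "/login?failed=1"

def suspect_ips():
    """IPs that used any decoy: no legitimate member was ever issued one."""
    return sorted(decoy_hits)

if __name__ == "__main__":
    print(login("test", "test", "203.0.113.9"))            # decoy
    print(login("jsmith", "T7r!vq92Lm", "198.51.100.4"))   # real member
    print(suspect_ips())
```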
