Old 01-28-2003, 11:15 AM   #1
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
ccBill-local.cgi compromised? Rogue users added..???

ok all... as much as i like ccBill, i am having an issue w/ their script that they do not seem able to help w/ so far. for the last two weeks, i am having to watch my .htpasswd like a hawk because someone is going through their script and adding password-pairs w/ impunity somehow... they are obviously calling to the script directly in some fashion and it is adding their password-pairs, bypassing any of my servers security in the process. when i check the ccbill.log file, i see that even ccBill's system *knows* that the password-pairs in question are invalid, as the log file will display lines such as:

Hacker registered to XXX.XXX.XXX.XXX <-- some ip address
ADD=hacker:9dS/4.gS6x

(note that there is no subscription ID number, and no start or end date associated w/ these entries!)

now, this is what is pissing me off... their system/script obviously is aware that the call to add-user is coming from somewhere other than the approved subnet/ip-range of ccBill, hence the note that the user is being added by a "hacker"... so why does the bogus user get added at all? why not just *not* give them access??? i have to pay for this bandwidth, so i certainly don't want to let hackers in for free..!

i have spoken w/ install over at ccBill numerous times about this lately, and they could not explain to me why their system is allowing these users to be added... they did have me update my version of the ccbill-local.cgi file, and they checked my server to make sure that it was all set up properly, it is. again, this is not a security issue w/ our server (which is running current/patched FreeBSD and apache), the ccBill script is being called to directly, resulting in the rogue users being granted access.

any other ccBill users experience this problem, and if so, do you know of any solution that will help in some way? i realize that i can rename the script to something unique, but that is not a real solution, as it will be easy for any would-be hacker to locate the new script name and continue to add their password-pairs. any advice or insight about this issue would be greatly appreciated, i am tired of watching all of our .htpasswd files night and day!

lastly, i must stress and make clear, we still feel ccBill is easily the best of the third-party processor options, and wouldn't even consider moving to another processor... ccBill has *never* been late w/ a payment to us, and as of last week, finished refunding the $750 VISA registration fee to us in total. they are tops in our book, this is our only gripe... and we're hoping that there is a fix or resolution to it. thx all..!
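
An added example, not part of chupacabra's post and not CCBill code: one way to script the manual .htpasswd watching described above. It assumes every add is logged in the two-line shape quoted in the post and that the "registered to" address is the caller's; the network range, names, hashes and addresses are constructed placeholders.

```python
import ipaddress
import re

# Assumption: placeholder range (RFC 5737) standing in for the processor's
# real callback addresses, which the thread does not list.
PROCESSOR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

REGISTERED = re.compile(r"^\S+ registered to (?P<ip>\S+)\s*$")
ADD = re.compile(r"^ADD=(?P<user>[^:\s]+):(?P<hash>\S+)\s*$")


def parse_adds(log_text):
    """Return [(user, hash, source_ip)]; source_ip is None when the ADD= line
    is not directly preceded by a 'registered to' line."""
    adds, pending_ip = [], None
    for line in log_text.splitlines():
        m = REGISTERED.match(line.strip())
        if m:
            pending_ip = m.group("ip")
            continue
        m = ADD.match(line.strip())
        if m:
            adds.append((m.group("user"), m.group("hash"), pending_ip))
        pending_ip = None
    return adds


def from_processor(ip_text, networks=PROCESSOR_NETWORKS):
    try:
        addr = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False  # missing or malformed address counts as untrusted
    return any(addr in net for net in networks)


def htpasswd_users(text):
    """Map user -> hash, skipping blank, comment and malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, pw_hash = line.partition(":")
            users[user] = pw_hash
    return users


def audit(log_text, htpasswd_text, networks=PROCESSOR_NETWORKS):
    """List (user, source_ip, reason) for live accounts that need review."""
    live = htpasswd_users(htpasswd_text)
    logged, findings = set(), []
    for user, _hash, ip in parse_adds(log_text):
        logged.add(user)
        if user in live and not from_processor(ip, networks):
            findings.append((user, ip, "added from non-processor address"))
    for user in live:
        if user not in logged:
            findings.append((user, None, "no ADD record in log"))
    return sorted(set(findings), key=lambda f: (f[0], f[2]))


# Constructed sample data, not taken from any real site.
SAMPLE_LOG = """\
alice registered to 192.0.2.15
ADD=alice:aaBBccDDeeFFg
Hacker registered to 203.0.113.77
ADD=hacker:zzYYxxWWvvUUt
bob registered to 192.0.2.15
ADD=bob:hhIIjjKKllMMn
"""
SAMPLE_HTPASSWD = """\
alice:aaBBccDDeeFFg
hacker:zzYYxxWWvvUUt
mallory:ooPPqqRRssTTu
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_HTPASSWD):
        print(finding)
```

Run from cron against the real files, the findings list is the set of accounts to disable and the addresses to report to the processor.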
Old 01-28-2003, 11:30 AM   #2
Petr
Confirmed User
 
Join Date: Mar 2002
Posts: 502
http://ksoze.deny.de/ccbill_exp.html

?
Old 01-28-2003, 11:32 AM   #3
ZoiNk
Confirmed User
 
Join Date: Feb 2002
Location: Canada
Posts: 2,370
I assumed it was common knowledge that anyone can add userid/passwords if you used CCbill. Been happening for ages, and is very common.
ZoiNk
__________________
"People can have the Model T in any color - so long as it's black." - Henry Ford
Old 01-28-2003, 11:35 AM   #4
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
whoa. this is just plain frightening. we always keep an eye on our .htpasswd files, and since we only started seeing this a short while back, we assumed this was a new issue/exploit. can anyone knowledgeable about these matters, or anyone at ccBill chime in and clarify this? truly disturbing..!
Old 01-28-2003, 11:38 AM   #5
Naughty
Confirmed User
 
Join Date: Jul 2001
Location: Utopia
Posts: 6,483
Quote:
Originally posted by Petr
http://ksoze.deny.de/ccbill_exp.html

?
"CCBill-Local.cgi Exploiter v0.21 (8 Mar 2000)"

Wow, this stuff is still working???
__________________
seks.ai for sale - ping me
Old 01-28-2003, 11:40 AM   #6
Petr
Confirmed User
 
Join Date: Mar 2002
Posts: 502
I dunno... I just found it on Google...
Old 01-28-2003, 11:40 AM   #7
NitroPhil
Confirmed User
 
Join Date: Jun 2002
Location: Lightspeed Sorority
Posts: 103
chupacabra,

Just a thought but your admin pass (for the ccbill-local script) or your private key file may have been compromised/guessed. If someone (aka "hacker") has the password or private key, usernames can be added all day. Your best bet is to ensure that the "secure" directory is indeed secure and change both the admin pass and the private key. CCBill may have to change your private key for you.

-Phil
__________________
Make money at the speed of light! (http://www.lightspeedcash.com)
- Wouldn't it be cool to own a retarded monkey?
Old 01-28-2003, 11:54 AM   #8
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
change both the admin pass and the private key.
thx Nitrophil... when you refer to the 'admin pass', are you speaking of the pass that we use to log into ccBill's web admin, or something else? that is the only password we have in reference to any ccBill service..
Old 01-28-2003, 12:11 PM   #9
NitroPhil
Confirmed User
 
Join Date: Jun 2002
Location: Lightspeed Sorority
Posts: 103
Quote:
Originally posted by chupacabra

when you refer to the 'admin pass', are you speaking of the pass that we use to log into ccBill's web admin, or something else?
Some of the ccbill-local scripts have an "admin password" associated with them. This is separate from your pass to login to their admin section and it may not even exist. If it does exist, it's possible to insert users if someone knows what it is. Same goes for your private key. I'm sure CCBill can help you change this info. Drop me a line if you have questions.


-Phil
ICQ: 1108 2919
Old 01-28-2003, 12:27 PM   #10
Que?
Confirmed User
 
Join Date: Aug 2002
Posts: 340
I've asked them (ccbill) repeatedly why all my password issues are with ccbill which is my backup processor.

But they know naaathing....

Do not think my admin login is compromised.
Non valid logins and hacked valid ones. Mainly embarrassing towards the non pass trading members, and a general pain as it takes time to clear up.
__________________
Send *c*cia out to deep space:
Donate to IMPA (http://www.impai.org/)
Old 01-28-2003, 12:58 PM   #11
Mark
Confirmed User
 
Join Date: Jul 2001
Posts: 600
Make sure you have lots of upsells in your members area and enjoy the extra traffic...
Old 01-28-2003, 01:01 PM   #12
shunga
Confirmed User
 
Join Date: Apr 2001
Location: Loveland
Posts: 994
That does seem to be quite a common problem. It doesn't help that it's now not possible to overwrite those passes through webmaster admin. I had the scripts updated but that doesn't seem to have fixed it for me. I was told that moving the password files above the HTML level should fix it, but others will know more about that.
__________________
Clockwork Cash - ICQ: 355-26-288 / Email: admin AT clockworkcash DOT com
Asian Paysites : Exclusive Content : NATS or CCBill
Thai Cuties : Shave Asians : JAVondemand
Old 01-28-2003, 01:05 PM   #13
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
I was told that moving the password files above the HTML level should fix it
the same thing crossed my mind, but i can't see what difference that would make... i mean, if the script itself is writing the password-pairs into the .htpasswd, then it won't matter where you move it to, the script will still know where it is regardless. this isn't a vulnerability of the .htpasswd file, it is the script itself allowing these pairs to be written in..
Old 01-28-2003, 01:13 PM   #14
Mr Cheeks
Confirmed User
 
Join Date: Apr 2002
Posts: 901
i brought this up before and i am fucking glad that someone else is pointing it out.

it first started when Pennywize would disable accounts for password sharing violation. but every fucking time i went to the admin section of the CCBILL website to remove the compromised username/password in question, it would say "Account Not Found". CCBILL has record of all accounts on your website. they either tell you if the account is active or not active, but not "Not Found" for god sake.

i knew that i did not add those fucken user/pass pairs there and i know that CCBILL knows better than to give out freebies to my sites.

how the fuck are they doing this? that's the thing i am the most curious to know about. watch your password files if you're using CCBILL. somebody is definitely playing foul.

Last edited by Mr Cheeks; 01-28-2003 at 01:15 PM..
Old 01-28-2003, 01:30 PM   #15
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
somebody is definitely playing foul.
alchemist, i definitely share your ire on this issue, i really don't think for a second that ccBill is giving out accounts to our sites on purpose, but i don't understand why it has not been addressed and corrected, this seems a major security breach to me and should definitely be a priority to their techs... i have spoken w/ them many times about it and they are totally noncommittal about any resolution forthcoming. like i said before, i really like ccBill as a processor, but this should really be addressed... i was really hoping someone from ccBill would comment on this issue here..!
Old 01-28-2003, 01:36 PM   #16
goBigtime
Confirmed User
 
Join Date: Nov 2002
Posts: 7,761
I remember awhile back CCbill's network was compromised... there are probably people running around with the ccbill client keys for tons of clients.

I don't know why CCbill has not generated and reissued keys to everyone yet
Old 01-28-2003, 01:44 PM   #17
goBigtime
Confirmed User
 
Join Date: Nov 2002
Posts: 7,761
Quote:
Originally posted by chupacabra


like i said before, i really like ccBill as a processor, but this should really be addressed... i was really hoping someone from ccBill would comment on this issue here..!

Totally. It's their job to process our transactions, keep our members areas secure from non-customers, and pay us on time.

I'm not sure if they haven't reissued keys because they don't want the headache of having to reinstall the keys on thousands of machines, that they don't want to admit to the compromises within their network, or maybe they just don't care =(




:waaaaah Corvette!!!


But hey what's the deal with this though Corvette? Why won't you guys issue new keys to everyone? Obviously your servers have been compromised & hackers have the keys, or your scripts are weak or something. Everyone I know who uses CCbill has the same problem of rogue accounts being created.

Got an official GFY word on the situation? Maybe we the few of GFY can get this patched up for all of your other paying customers



EDIT: Btw, when I was testing this, I was no longer processing new sales with CCbill. The script was still active, but there weren't any sales pages pointing to it. I also separated the .htpasswd files using multmod_auth so I could still have my old CCbill htpasswd file and also start with a fresh one that would have access to the members areas (even though it shouldn't need access since it shouldn't have had any more users added)... but sure enough, it would get about 3-5 "hacker" sounding names added every day.

To me this is a leaked key. And since it happens to everyone I know with CCbill, I assume that everyone has their keys leaked. Really surprised this hasn't been addressed officially.

Last edited by goBigtime; 01-28-2003 at 01:51 PM..
Old 01-28-2003, 01:50 PM   #18
corvette
Confirmed User
 
Join Date: Oct 2001
Location: scottsdale
Posts: 7,880
chupacabra,

There is a new CCBill .cgi script that is close to being released. Without going into too much detail, it is supposed to be the "latest and greatest". It addresses issues that have been brought up in the past and it is very feature-rich, working in correlation with our new reporting system. We have had excellent results with our beta testing.

Contact me and I will see what it would take to get you to start using it. chupacabra, you have my icq.

Anybody else, feel free to email me at [email protected]
__________________
If you need a good company for check writing services, then check out checkissuing, and for webhosting, check out Phoenix NAP
Old 01-28-2003, 01:55 PM   #19
goBigtime
Confirmed User
 
Join Date: Nov 2002
Posts: 7,761
Quote:
Originally posted by corvett


Anybody else, feel free to email me at [email protected]
Mark,

But it's a waste of your clients' bandwidth to keep them EXPLOITABLE like this. Why don't you (Not you, CCbill) contact them? I assure you it's happening to damn near everyone & your tech guys know all about it.

Why don't you guys make it a priority to let people know that version X.XX is vulnerable or keys need to be reissued or whatever & get clients to update?

Ugh I hate security holes.



CCbill is almost starting to shine through as the processor of choice these days... take the reins & start addressing all these problems and concerns of the clients and you guys will be golden




Ah I didn't notice that you said the new ccbill script was close to being released... I guess you guys will issue new keys at that time

Last edited by goBigtime; 01-28-2003 at 02:01 PM..
Old 01-28-2003, 02:01 PM   #20
realed
Confirmed User
 
Join Date: Aug 2001
Location: worldwide
Posts: 834

I use CCBILL and they are a very good company. Always pay on time and technical support is excellent but if this is true then we need an official response to these claims.

I must admit that I have some reservations with regards to the security and reliability of their cgi scripts.... that ccbill-local file tends to corrupt quite frequently on my paysite domains and on one of my sub accounts in particular we are constantly experiencing user-add problems... ( new username/password combos not being added successfully to password file )

CCBILL blame it on "network issues" but that is not really an adequate answer for me. If this problem was affecting their payment scripts I'm sure the network issues would be resolved soon enough :-)

Other than that they are on top of the game!

Terry
www.voyeurzine.com
Old 01-28-2003, 02:06 PM   #21
Rip
Confirmed User
 
Join Date: Jan 2001
Location: somewheres wet
Posts: 1,456
I think, possibly I have had a few of these also, however, is it possible to simply change the htaccess to alleviate this

Ie;

RewriteCond %{HTTP_REFERER} !^http://([^/]+\.)?ccbill\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.yourpaysite\.com(/|$) [NC]

I am not sure, how to do it -so I am asking??

I think that I have had some experience with this problem, and some also with the bogus check transactions, where the user would apply with a false check, get a user/pass prior to the transaction being completed and gain access for a number of minutes before the script deleted the invalid user/password again

another would be to rename the ccbill folder to something a little more difficult?
Old 01-28-2003, 02:23 PM   #22
corvette
Confirmed User
 
Join Date: Oct 2001
Location: scottsdale
Posts: 7,880
Quote:
Originally posted by goBigtime

I didn't notice that you said the new ccbill script was close to being released
Very close, in fact, we are working on several large projects simultaneously that are going to be released soon... the cgi script, the new CCBill Reports, the CCBill dialer and subsequent "900" option, the planning of The Phoenix Forum in early April, etc.

Once released, I am sure that everyone is going to be very pleased. The beta testing went very well with it. Until the official release, send me an email with your account # and I will see what I can do...

Email address is above
Old 02-06-2003, 03:24 AM   #23
jeroman
So Fucking Banned
 
Join Date: Oct 2002
Location: Norway or UK or...damn, where am I
Posts: 356
I'm so happy it was not only me :-))))))))))))
Now I know what happened.

AGREE - CCBILL Should have let everyone know about this.
Another minus to them for this.

Now let's see where I have the notes about minus and pluses for
processors....
Old 02-07-2003, 04:23 PM   #24
mistressofnite
Registered User
 
Join Date: Oct 2002
Posts: 64
Looks like someone got into my ccbill .htpasswd too - you can edit these files in notepad and reupload incidentally.

My paysite is not active at the moment but here are the weird log entries - odd how there's no IP address associated with 2 of the entries:


chmod: /usr/home/sites/sitename/html/ccbill/secure/current.log: Operation not permitted
[Thu Feb 6 16:21:17 2003] [error] [client 64.38.194.13] File does not exist: /usr/home/sites/sitename/html/cgi-bin
chmod: /usr/home/sites/sitename/html/ccbill/secure/current.log: Operation not permitted


That one IP is CCbill, so does this mean CCbill admin did this or no?
Old 02-07-2003, 05:07 PM   #25
Rochard
Jägermeister Test Pilot
 
Join Date: Dec 2001
Location: NORCAL
Posts: 74,330
We used to notice similar problems along these lines. However, thanks to Phil, we are covered.
__________________
“The choice is no longer between right or left. The choice is between normal and crazy.”
- Sarah Huckabee Sanders

YNOT MAIL | THE BEST ADULT MAILING SOLUTION
Old 02-07-2003, 05:11 PM   #26
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
That one IP is CCbill, so does this mean CCbill admin did this or no?
i could be wrong, but that looks more like your log file is not CHMOD'd to the right value (maybe because the site is not active?), and ccBill's script tried to write to it and failed..? just a thought..
Old 02-07-2003, 05:13 PM   #27
corvette
Confirmed User
 
Join Date: Oct 2001
Location: scottsdale
Posts: 7,880
Mistressofnite,
The log files that you posted simply mean that the ccbill local is running under an access level that is not permitted to make the requested changes to the current.log. This is a normal error that can be easily corrected if you contact CCBill technical support so that we can correct the permissions on your server.

let me know if you need any help with this

[email protected]
Old 02-07-2003, 05:20 PM   #28
CosmicKitten
Confirmed User
 
Join Date: May 2002
Posts: 225
yeah it sucks ass... has happened to me several times with a small paysite... gotta delete the punks who break in like that.

hope it's fixed soon, that is good news.
Old 02-07-2003, 05:44 PM   #29
mistressofnite
Registered User
 
Join Date: Oct 2002
Posts: 64
Ok, thanks. I set it up though and tested it out thru CCbill and everything looked ok. Thanks to all for the advice.
Old 02-07-2003, 05:50 PM   #30
wimpy
Confirmed User
 
Join Date: Jan 2003
Location: Cali
Posts: 607
There is a simple solution to this. I can't quote it exactly, but I've seen it and can describe it.

The Epoch script I have has a few lines of code at the very top that says:
IF IP does not equal (epoch's IP number here)
THEN die
ELSE continue

Why can't the CCBill script have the same few lines of code? It should.
__________________
Fyodor Dostoyevsky wrote: "Every man has reminiscences which he would not tell to everyone but only his friends. He has other matters in his mind which he would not reveal even to his friends, but only to himself, and that in secret. But there are other things which a man is afraid to tell even to himself, and every decent man has a number of such things stored away in his mind."

icq 8243657
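
The check wimpy describes, as an added example (not Epoch's or CCBill's code). The network ranges are placeholders and handle_add_user is a hypothetical handler; it generalizes the single-IP comparison to address ranges and rejects the request before the password file is touched, which is the behaviour the first post in the thread asks for.

```python
import ipaddress

# Assumption: placeholder ranges (RFC 5737 documentation networks) standing in
# for the addresses the payment processor really calls from.
PROCESSOR_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]


def caller_allowed(environ, networks=PROCESSOR_NETWORKS):
    """True only when the TCP peer address lies in an allowlisted network.

    Only REMOTE_ADDR is consulted: Referer and X-Forwarded-For are request
    headers, so whoever sends the request chooses their value.
    """
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", "").strip())
    except ValueError:
        return False  # missing or malformed address: fail closed
    # On a dual-stack listener an IPv4 peer can appear as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def handle_add_user(environ, user, pw_hash, htpasswd_lines, audit_log):
    """Hypothetical add-user handler: decide first, write second."""
    peer = environ.get("REMOTE_ADDR")
    if not caller_allowed(environ):
        # Log the attempt, but do not add the pair.
        audit_log.append("REJECTED add of %r from %r" % (user, peer))
        return 403
    # Refuse values that would inject extra fields or lines into the file.
    bad_user = not user or any(c in user for c in ":\r\n")
    bad_hash = not pw_hash or any(c in pw_hash for c in "\r\n")
    if bad_user or bad_hash:
        audit_log.append("MALFORMED add from %r" % (peer,))
        return 400
    htpasswd_lines.append("%s:%s" % (user, pw_hash))
    audit_log.append("ADDED %r from %r" % (user, peer))
    return 200
```

An address allowlist only answers "where did the request come from"; it does not replace the key or admin password that other posters in the thread suggest rotating.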