JUST GOT HACKED, paysite owners any ideas? - GoFuckYourself.com

Matt_WildCash · 12-04-2003, 04:02 PM

Hey guys

Just got up to 30 new accounts blocked by pennywize and all with prefixed usernames like

p2e_974039
p2e_947721
p2e_924163
p2e_924148
etc etc etc

We use Epoch, MPA2, Electracash & CCbill right now. & Pennywize to protect the usernames from abuse.

And we just dropped PSWbilling last month.

Any ideas if any of these processors are vunerable to hackers doing this with password files? We are looking into our servers being hacked as an option.

Burning up the members area with mass bandwidth right now, a huge video archive like wildpass.com just burning it up with hacked accounts. Fun and games

$5 submissions · 12-04-2003, 04:19 PM

brute force pw extraction script?

Matt_WildCash · 12-04-2003, 04:30 PM

Quote:

Originally posted by $5 submissions
brute force pw extraction script?

Pennywize stops brute force hacking attempts pretty well, a few might get through if they have a huge amount of good proxies but even then not that many, problem is these passwords are being created within the system somewhere. 58 blocked passwords today and counting

Madball · 12-04-2003, 04:40 PM

Were there any transactions behind those usernames? Check if they're from checking, Electracash is open like a barn door.

4Pics · 12-04-2003, 04:43 PM

means one of those scripts is creating the password.

You need to figure out what they are using (hopefully you have apache logs and can see where they are getting added)

if you need help icq me

JSA Matt · 12-04-2003, 04:46 PM

You may want to look into your ccbill scripts.. DO NOT use common directory names with ccbill. There are huge lists that have all the common directory paths for ccbill and many other processors. Use something unique like %_--29AusmAW-_$ as the directory

JSA Matt · 12-04-2003, 04:47 PM

Quote:

Originally posted by Madball
Were there any transactions behind those usernames? Check if they're from checking, Electracash is open like a barn door.

I would like to know more about this...

matt AT jasonandalex DOT com

please

tical · 12-04-2003, 04:52 PM

i've heard about some hackers being able to do what they like w/ ccbill, not sure how true it is though

Matt_WildCash · 12-04-2003, 05:04 PM

Electracash, interesting. Could you send me some more info at
matt a_t wildcash.com

Thanks guys.

Oh and nope the accounts don't seem to have any processing behind them, just the passwords are being added somehow

JSA Matt · 12-04-2003, 05:13 PM

Quote:

Originally posted by Driven
Oh and nope the accounts don't seem to have any processing behind them, just the passwords are being added somehow

Like I said before, check into your CCbill scripts. If you are using a common directory name, someone may have found the script that adds passwords to your htaccess and taken advantage

Matt_WildCash · 12-04-2003, 05:59 PM

We've ruled out CCbill as we are only just setting them up and they are not fully active yet.

the pricks added 140 passwords we just removed them, they were spread out threwout the password file, must of been adding them for awhile using a script or something. Then unleashed them today

Juicy D. Links · 12-04-2003, 06:08 PM

Dude if you did get hacked dont mention it here. Alot of talented people here on and just reading that will just try to fuck with you now.

liquidmoe · 12-04-2003, 06:12 PM

if you have any 777 files in your setup follow matt's advice, dont use common directory paths. otherwise hit up your processor and see if they have logged IPs for the usernames you mentioned, if its all from the same IP you can ask them to block it out.

Matt_WildCash · 12-04-2003, 06:24 PM

Good advice Juicy, thanks for the help guys.

12-04-2003, 04:02 PM	#1
Matt_WildCash Confirmed User Join Date: Jan 2003 Posts: 1,699	JUST GOT HACKED, paysite owners any ideas? Hey guys Just got up to 30 new accounts blocked by pennywize and all with prefixed usernames like p2e_974039 p2e_947721 p2e_924163 p2e_924148 etc etc etc We use Epoch, MPA2, Electracash & CCbill right now. & Pennywize to protect the usernames from abuse. And we just dropped PSWbilling last month. Any ideas if any of these processors are vunerable to hackers doing this with password files? We are looking into our servers being hacked as an option. Burning up the members area with mass bandwidth right now, a huge video archive like wildpass.com just burning it up with hacked accounts. Fun and games

12-04-2003, 04:19 PM	#2
$5 submissions I help you SUCCEED Industry Role: Join Date: Nov 2003 Location: The Pearl of the Orient Seas Posts: 32,195	brute force pw extraction script? __________________ Need a NON-ADULT income stream? We build your YOUTUBE CHANNEL for only $20 per video! For Hire: $3/hour or $400 per month Marketing Specialist Virtual Assistants

12-04-2003, 04:40 PM	#4
Madball Confirmed User Join Date: May 2002 Location: Oslo, Norway Posts: 748	Were there any transactions behind those usernames? Check if they're from checking, Electracash is open like a barn door. __________________ <a href="http://www.homepageofthedead.com"><img src="http://board.gofuckyourself.com/images/globill_88x31.gif"></a>

12-04-2003, 04:43 PM	#5
4Pics Confirmed User Industry Role: Join Date: Dec 2001 Posts: 7,952	means one of those scripts is creating the password. You need to figure out what they are using (hopefully you have apache logs and can see where they are getting added) if you need help icq me

12-04-2003, 04:46 PM	#6
JSA Matt So Fucking Banned Join Date: Aug 2003 Location: San Diego, CA Posts: 5,464	You may want to look into your ccbill scripts.. DO NOT use common directory names with ccbill. There are huge lists that have all the common directory paths for ccbill and many other processors. Use something unique like %_--29AusmAW-_$ as the directory

12-04-2003, 04:52 PM	#8
tical Confirmed User Join Date: Feb 2002 Location: Las Vegas Posts: 6,504	i've heard about some hackers being able to do what they like w/ ccbill, not sure how true it is though

12-04-2003, 05:04 PM	#9
Matt_WildCash Confirmed User Join Date: Jan 2003 Posts: 1,699	Electracash, interesting. Could you send me some more info at matt a_t wildcash.com Thanks guys. Oh and nope the accounts don't seem to have any processing behind them, just the passwords are being added somehow

12-04-2003, 05:59 PM	#11
Matt_WildCash Confirmed User Join Date: Jan 2003 Posts: 1,699	We've ruled out CCbill as we are only just setting them up and they are not fully active yet. the pricks added 140 passwords we just removed them, they were spread out threwout the password file, must of been adding them for awhile using a script or something. Then unleashed them today

12-04-2003, 06:08 PM	#12
Juicy D. Links So Fucking Banned Industry Role: Join Date: Apr 2001 Location: N.Y. -Long Island -- Posts: 122,992	Dude if you did get hacked dont mention it here. Alot of talented people here on and just reading that will just try to fuck with you now.

12-04-2003, 06:12 PM	#13
liquidmoe Confirmed User Join Date: Mar 2002 Location: NY Posts: 4,994	if you have any 777 files in your setup follow matt's advice, dont use common directory paths. otherwise hit up your processor and see if they have logged IPs for the usernames you mentioned, if its all from the same IP you can ask them to block it out.

12-04-2003, 06:24 PM	#14
Matt_WildCash Confirmed User Join Date: Jan 2003 Posts: 1,699	Good advice Juicy, thanks for the help guys.