JUST GOT HACKED, paysite owners any ideas?

[Matt_WildCash]

Hey guys

Just got up to 30 new accounts blocked by pennywize and all with prefixed usernames like

p2e_974039
p2e_947721
p2e_924163
p2e_924148
etc etc etc

We use Epoch, MPA2, Electracash & CCbill right now. & Pennywize to protect the usernames from abuse.

And we just dropped PSWbilling last month.

Any ideas if any of these processors are vunerable to hackers doing this with password files? We are looking into our servers being hacked as an option.

Burning up the members area with mass bandwidth right now, a huge video archive like wildpass.com just burning it up with hacked accounts. Fun and games

[$5 submissions]

brute force pw extraction script?

[Matt_WildCash]

Quote:

Originally posted by $5 submissions
brute force pw extraction script?

Pennywize stops brute force hacking attempts pretty well, a few might get through if they have a huge amount of good proxies but even then not that many, problem is these passwords are being created within the system somewhere. 58 blocked passwords today and counting

[Madball]

Were there any transactions behind those usernames? Check if they're from checking, Electracash is open like a barn door.

[4Pics]

means one of those scripts is creating the password.

You need to figure out what they are using (hopefully you have apache logs and can see where they are getting added)


if you need help icq me

[JSA Matt]

You may want to look into your ccbill scripts.. DO NOT use common directory names with ccbill. There are huge lists that have all the common directory paths for ccbill and many other processors. Use something unique like %_--29AusmAW-_$ as the directory

[JSA Matt]

Quote:

Originally posted by Madball
Were there any transactions behind those usernames? Check if they're from checking, Electracash is open like a barn door.

I would like to know more about this...

matt AT jasonandalex DOT com

please

[tical]

i've heard about some hackers being able to do what they like w/ ccbill, not sure how true it is though

[Matt_WildCash]

Electracash, interesting. Could you send me some more info at
matt a_t wildcash.com

Thanks guys.

Oh and nope the accounts don't seem to have any processing behind them, just the passwords are being added somehow

[JSA Matt]

Quote:

Originally posted by Driven
Oh and nope the accounts don't seem to have any processing behind them, just the passwords are being added somehow

Like I said before, check into your CCbill scripts. If you are using a common directory name, someone may have found the script that adds passwords to your htaccess and taken advantage

[Matt_WildCash]

We've ruled out CCbill as we are only just setting them up and they are not fully active yet.

the pricks added 140 passwords we just removed them, they were spread out threwout the password file, must of been adding them for awhile using a script or something. Then unleashed them today

[Juicy D. Links]

Dude if you did get hacked dont mention it here. Alot of talented people here on and just reading that will just try to fuck with you now.

[liquidmoe]

if you have any 777 files in your setup follow matt's advice, dont use common directory paths. otherwise hit up your processor and see if they have logged IPs for the usernames you mentioned, if its all from the same IP you can ask them to block it out.

[Matt_WildCash]

Good advice Juicy, thanks for the help guys.