GoFuckYourself.com - Adult Webmaster Forum
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed.
Old 03-25-2004, 05:23 PM   #1
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Verotel password problems - STILL!

A little while back there was a huge post on Verotel's password files being accessed/haxored and being posted on various boards.

I'm still having this problem, 99% is my Verotel users... What was the solution to these problems for those using Verotel?

I would do a search but Lensman shut it off cause Amp was attacking gfy thru it.


Old 03-25-2004, 05:25 PM   #2
Dirty F
Too lazy to set a custom title
 
Join Date: Jul 2001
Posts: 59,204
Verotel is going out of business one of these days anyway, you might as well switch now to keep the damage minimal.
Old 03-25-2004, 05:26 PM   #3
xenophobic
Confirmed User
 
Join Date: Mar 2004
Location: Dallas
Posts: 874
I added the following to one of our clients' Verotel script:

$remote_address = $ENV{'REMOTE_ADDR'};
# dots escaped and a trailing dot required, so only 195.20.32.x matches
$remote_address =~ m!^195\.20\.32\.! || die "access denied to $remote_address to run this script.";

near the top; that stops anyone but Verotel's class C range from running the script.

People were saying it's more likely Verotel themselves were hacked, because only Verotel passwords were leaking, not CCBill etc.
Old 03-25-2004, 05:28 PM   #4
zentz
Confirmed User
 
Join Date: Nov 2003
Posts: 8,053
Quote:
Originally posted by Battuss
Verotel is going out of business one of these days anyway, you might as well switch now to keep the damage minimal.
Where did you get that information?
__________________
Programs that owe me money ---- Epassporte.com ~ $2700 | Protraffic.com ~ $2600 | XonDemand.com ~ $3000

Old 03-25-2004, 05:30 PM   #5
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Quote:
Originally posted by Battuss
Verotel is going out of business one of these days anyway, you might as well switch now to keep the damage minimal.
I have switched, using CCBill as a matter of fact, even though they have been buggy as hell!
Did well with them for 2 weeks, then it all just went to shit...

What do you know about verotel?
Speak up please, people are listening
Old 03-25-2004, 05:30 PM   #6
Dirty F
Too lazy to set a custom title
 
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally posted by zentz


where did you got those informations ?
Nowhere. Don't listen to me.
Old 03-25-2004, 05:32 PM   #7
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
Originally posted by xenophobic
I added the following to one of our clients' Verotel script:

$remote_address = $ENV{'REMOTE_ADDR'};
# dots escaped and a trailing dot required, so only 195.20.32.x matches
$remote_address =~ m!^195\.20\.32\.! || die "access denied to $remote_address to run this script.";

near the top; that stops anyone but Verotel's class C range from running the script.

People were saying it's more likely Verotel themselves were hacked, because only Verotel passwords were leaking, not CCBill etc.
looks like extremely valuable information/advice for anyone running Verotel's script to me..!
Old 03-25-2004, 05:38 PM   #8
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Thx Xeno, I'll see what I can do with that snippet of code.
Got to figure out where to paste it lol

Old 03-25-2004, 05:39 PM   #9
Shoplifter
Richest man in Babylon
 
Join Date: Jan 2002
Posts: 5,726
I had heard that someone had managed to get a grip on the method used to generate the Verotel number pairs. If you have a list of 10000 or so valid pairs you will be able to brute force any Verotel site. Same thing with iBill 900 pincodes; on occasion they will leak out as well.
Old 03-25-2004, 05:41 PM   #10
xenophobic
Confirmed User
 
Join Date: Mar 2004
Location: Dallas
Posts: 874
I normally do it towards the top, near where all the settings variables are (password, directory etc.),
to ensure it executes first.
Old 03-25-2004, 05:44 PM   #11
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Quote:
Originally posted by xenophobic
I normally do it towards the top, near where all the settings variables are (password, directory etc.),
to ensure it executes first.
So just cut and paste it into verotelrum.pl at the very top, before all the code?

Old 03-25-2004, 05:49 PM   #12
Shoplifter
Richest man in Babylon
 
Join Date: Jan 2002
Posts: 5,726
Quote:
Originally posted by doober


So just cut and paste in the verotelrum.pl at the very top before all the code?


This is a good step but there are others.

Firstly you should rename verotelrum.pl; if you are having trouble, that would solve most of it. The other thing is to review your Apache access_log to see where it is being executed and by whom. Chances are you will find nothing out of the ordinary.

On one of my sites I got a really slick iBill password hacker causing me grief. I thought he was somehow able to view the .htpasswd file and was then decrypting the passwords. But I sure as shit don't see how. There is a new breed of password hackers now who are really good.
Old 03-25-2004, 05:56 PM   #13
xenophobic
Confirmed User
 
Join Date: Mar 2004
Location: Dallas
Posts: 874
.htpasswd should utilize the MD5 hash algorithm, which is a one-way hash, so it cannot be decrypted, just brute forced with a dictionary attack.
Also .ht* is protected in the default Apache config, to stop it being displayed.


It's more than likely they're accessing the verotellog.txt, which contains the userid/password combo.
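The point xenophobic makes above, that a hashed .htpasswd entry is never decrypted but only guessed, can be shown in a few lines. The Python below is an added example written for this page, not code from the thread, from Verotel or from Apache. It builds entries in Apache's unsalted {SHA} format (what `htpasswd -s` writes), then runs a wordlist against a constructed password file; the accounts, passwords and wordlist are all made up. Apache's salted, iterated MD5 format ($apr1$, `htpasswd -m`) is deliberately not implemented; entries in it are rejected as unsupported, and the comments note why that format makes the attacker's job costlier.

```python
from __future__ import annotations

import base64
import hashlib


def sha_entry(user: str, password: str) -> str:
    """Build one .htpasswd line in Apache's {SHA} format: user:{SHA}base64(sha1(password)).

    The digest is unsalted, so two accounts with the same password get the
    same stored value, which is exactly what makes a precomputed table cheap.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def stored_hash(entry: str) -> tuple[str, str]:
    """Split a 'user:hash' line into its two parts."""
    user, _, stored = entry.partition(":")
    return user, stored


def check_password(entry: str, candidate: str) -> bool:
    """Verify a candidate the way the server does: hash it and compare.

    There is no inverse operation; hashing and comparing is the only way the
    stored value is ever used.
    """
    user, stored = stored_hash(entry)
    if stored.startswith("{SHA}"):
        return stored == stored_hash(sha_entry(user, candidate))[1]
    # $apr1$ (htpasswd -m) and crypt(3) entries carry a salt and need
    # salt-aware code; they are out of scope for this example.
    raise ValueError(f"unsupported hash format in entry for {user!r}")


def dictionary_attack(entries: list[str], wordlist: list[str]) -> dict[str, str]:
    """Return {user: password} for every {SHA} entry whose password is in the wordlist.

    Each word is hashed once and looked up against every entry. A salted
    format ($apr1$) would force one hash per (word, salt) pair, and its 1000
    MD5 rounds make each of those guesses slower still.
    """
    table = {stored_hash(sha_entry("", word))[1]: word for word in wordlist}
    found: dict[str, str] = {}
    for entry in entries:
        user, stored = stored_hash(entry)
        if stored in table:
            found[user] = table[stored]
    return found


# Constructed sample password file and wordlist; no real accounts.
HTPASSWD = [
    sha_entry("test123", "test123"),     # deliberately weak, like a seeded canary account
    sha_entry("joe21", "qwerty"),
    sha_entry("sue_k", "X7!kq9$wLp2e"),  # not in any short wordlist
]
WORDLIST = ["password", "123456", "test123", "qwerty", "letmein"]


if __name__ == "__main__":
    for user, pw in dictionary_attack(HTPASSWD, WORDLIST).items():
        print(f"cracked {user}: {pw}")
```

Run it and the two weak accounts fall immediately while sue_k's does not; that is the whole difference between "decrypting" a password file and guessing against it, and it is why seeding a members area with test123-style accounts tells you whether a leak came from a wordlist run or from somewhere else.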
Old 03-25-2004, 06:58 PM   #14
xenophobic
Confirmed User
 
Join Date: Mar 2004
Location: Dallas
Posts: 874
You can greatly limit your exposure to a web-based intrusion with a few simple changes.

CGI scripts: do you need all the ones you have? You may have changed scripts or stopped using a script but did not delete/disable the older version. Check your directories for executable scripts you are not using; they might be vulnerable.

Avoid world-writable permissions on your scripts & files. I have seen people who write data to their other websites keep their home and public_html world-writable so their other site can write files to it (bad idea!).

If the web server can write to your home directory or files, the attacker can insert backdoors, or even deface your webpage. I notice a lot of the credit card processing companies require your .htpasswd to be world-writable so their scripts can write to it; if an attacker can gain control of Apache (via CGI or direct exploitation) they can insert their own usernames or passwords into your password file(s). I am often amazed that insecurely coded CGI scripts are issued by CC merchants; with the nature of the information they process, and the amount of profit they make, I would have thought they would have their scripts audited for security problems by a third party - but alas no. If you know anyone who knows Perl/Python, ask them to check your scripts for you, especially for input validation attacks via metacharacters - anyone who is worth their salt will know how to locate/fix these for you.

Ensure your provider has patched the web server for known vulnerabilities. I still see web servers vulnerable to remote exploitation via PHP, OpenSSL and the Apache chunking exploit (apache-nosejob.c).
This information barely scratches the surface of web security; whole books and web sites have been written about the subject, but if you're interested here are a few sites that cover some of the topics above:

http://www.cgisecurity.com/
http://www.w3.org/Security/Faq/www-security-faq.html
http://www.onlamp.com/lpt/a/4045
http://www.cert.org/tech_tips/cgi_metacharacters.html
http://www.donkboy.com/html/cgi_exploits.htm
http://www.linuxsecurity.com/feature...ting-http.html
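The checklist in the post above (stale executable scripts, world-writable files and directories, a .htpasswd the processor told you to leave world-writable) can be turned into a quick audit. The Python below is an added example written for this page, not anything from the post or from any billing company. It builds a throwaway public_html layout with exactly those mistakes inside a temporary directory (the file names are invented; `rum_old.pl` stands in for a forgotten older copy of a billing script) and reports what it finds. Which executables are actually unused is a judgement call, so the audit lists every executable script for review rather than deleting anything.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Extensions the audit treats as CGI scripts when the file has an execute bit.
SCRIPT_SUFFIXES = {".pl", ".cgi", ".py", ".sh", ".php"}


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Walk `root` and report risky entries as paths relative to it.

    world_writable: files or directories with the o+w bit; anything running as
        the web server's user, or any other local user, can modify them or plant
        files in them.
    executable_scripts: every executable script found, for a stale-script review.
    htpasswd_loose: password files readable by everyone or writable by group/other.
    Symlinks are skipped so the walk cannot be led outside `root`.
    """
    report: dict[str, list[str]] = {"world_writable": [], "executable_scripts": [], "htpasswd_loose": []}
    any_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    loose_bits = stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = path.relative_to(root).as_posix()
            if st.st_mode & stat.S_IWOTH:
                report["world_writable"].append(rel)
            if stat.S_ISREG(st.st_mode):
                if path.suffix in SCRIPT_SUFFIXES and st.st_mode & any_exec:
                    report["executable_scripts"].append(rel)
                if name == ".htpasswd" and st.st_mode & loose_bits:
                    report["htpasswd_loose"].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}


def build_demo_tree(base: Path) -> None:
    """Create a constructed public_html with the mistakes the post lists (not a real site)."""
    cgi = base / "cgi-bin"
    cgi.mkdir()
    cgi.chmod(0o755)
    for script in ("verotelrum.pl", "rum_old.pl"):  # rum_old.pl: a forgotten older copy
        p = cgi / script
        p.write_text('#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n')
        p.chmod(0o755)
    htpasswd = base / ".htpasswd"
    htpasswd.write_text("test123:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n")
    htpasswd.chmod(0o666)  # the "make it world-writable so our script can update it" instruction
    index = base / "index.html"
    index.write_text("<html></html>\n")
    index.chmod(0o644)
    members = base / "members"
    members.mkdir()
    members.chmod(0o777)  # world-writable directory: anyone local can drop files here


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return audit_tree(base)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {', '.join(paths) or '(none)'}")
```

On a real account you would call `audit_tree(Path.home() / "public_html")` and walk the three lists by hand: drop the execute bit or delete scripts you no longer use, clear o+w everywhere, and if a processor insists on writing to .htpasswd, give it a path outside the document root owned by a dedicated user rather than a world-writable file.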
Old 03-26-2004, 01:48 PM   #15
sweet7
Confirmed User
 
Join Date: May 2003
Posts: 1,792
Quote:
Originally posted by Shoplifter



This is a good step but there are others.

Firstly you should rename verotelrum.pl and if you are having trouble that would solve most of it. The other thing is to review your apache access_log to see where it is being executed and by whom. Chances are you will find nothing out of the ordinary.

What calls the verotelrum.pl file?
__________________
ICQ: 282814268
Old 03-26-2004, 01:49 PM   #16
SoundMan
So Fucking Banned
 
Join Date: Nov 2003
Location: MidWest
Posts: 3,471
Quote:
Originally posted by Battuss
Verotel is going out of business one of these days anyway, you might as well switch now to keep the damage minimal.

What he said!
Old 03-26-2004, 02:27 PM   #17
xenophobic
Confirmed User
 
Join Date: Mar 2004
Location: Dallas
Posts: 874
Quote:
Originally posted by sweet7


What calls the verotelrum.pl file?
Verotel themselves call it; they sometimes rename it themselves (rum.pl/rum2.pl, sitename.pl). If you change it, it would be worth emailing them about it. However, renaming a file stops nothing; anyone determined enough can find the actual file name, normally through weaknesses of other scripts on the server, or the webserver itself.
Old 03-29-2004, 09:58 AM   #18
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Quote:
Originally posted by xenophobic
I added the following to one of our clients' Verotel script:

$remote_address = $ENV{'REMOTE_ADDR'};
# dots escaped and a trailing dot required, so only 195.20.32.x matches
$remote_address =~ m!^195\.20\.32\.! || die "access denied to $remote_address to run this script.";

near the top; that stops anyone but Verotel's class C range from running the script.

People were saying it's more likely Verotel themselves were hacked, because only Verotel passwords were leaking, not CCBill etc.

Update:

Added this snippet of code and over the weekend 20 more accounts were cracked!
So my problem still exists... this is starting to really piss me off!

Anyone else, or am I alone?

Old 03-29-2004, 09:59 AM   #19
body
Confirmed User
 
Join Date: Oct 2002
Posts: 5,012
Why not move to websitebilling?
__________________
The Goddess Of Steps
Old 03-29-2004, 10:06 AM   #20
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Quote:
Originally posted by body
why not moving to websitebilling?
Did you even bother reading any part of this thread?

I already said I was with CCBill. I'm just having problems with some older Verotel subscribers.
Old 03-29-2004, 10:19 AM   #21
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
What website are you running?
Old 03-29-2004, 11:21 AM   #22
nudecanada
Confirmed User
 
Join Date: Jan 2004
Location: Canada
Posts: 793
Quote:
Originally posted by doober



Update:

Added this snippet of code and over the weekend 20 more accounts were cracked!
So my problem still exists... this is starting to really piss me off!

anyone else, or am I alone?

You are not alone! lol

Here is my situation.

I renamed verotelrum.pl
I renamed the .txt file in which Verotel stores usernames.
My password file and Verotel txt files are not in the home directory where my sites are.

Each and every one of my Verotel un/pw have been posted on passboards. Every single one of them. My site was NOT brute forced. Not a chance. I have scripts that log brute force attacks, and not once has anyone run a Verotel combo list on my site.

Get this. I have CCBill running as well. Not one of my CCBill un/pw have been compromised.

I seeded my pass file with fairly easy un/pw that are in combo lists etc., e.g. test123 type shit. None of them have been brute forced.

Only my Verotel un/pw have been shared. Every single one of them.

Verotel is blaming me, of course. I blame them. There are too many people, on too many different servers, on too many different networks, on too many different hosts etc. for Verotel to say that servers are being breached, people are sniffing passwords on my network, my server is hacked etc.

Bullshit.

I think it is on their end. Someone is sniffing packets on their network, or something else is wrong. Maybe there are backdoors into their servers?

Read their forums. There are too many people with the exact same problem for Verotel to even think of saying their customers have hacked servers, there are packet sniffers on the customers' networks etc.

Nothing is 100% secure, but I am absolutely certain that my Verotel un/pw are not being breached on my end. It is on their end.

Old 03-29-2004, 11:53 AM   #23
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
After reading their board it's obvious that it's not on our end.
Now, how the hell do I make this shit stop?




fucking Verotel

Old 03-30-2004, 09:51 AM   #24
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Am I the only one getting hammered day in, day out with this shit?
Is the only solution to completely remove the user from the passfile?

No one else is having this problem?


Looks like I'm fucked

Old 03-30-2004, 10:37 AM   #25
pornguy
Too lazy to set a custom title
 
Join Date: Mar 2003
Location: Homeless
Posts: 62,911
One way to stop this is to get rid of them. We use them as well and have not had any problems yet, but have been watching.

If you also run CCBill, create a UN and PW for them and stop the rebills on V. Then just stop using V. You may lose some cash at the start, but it will work out in the long run. You are losing bandwidth etc. to these people...
__________________
PornGuy skype me pornguy_epic

AmateurDough The Hottes Shemales online!
TChicks.com | Angeles Cid | Mariana Cordoba | MAILERS WELCOME!
Old 03-30-2004, 10:56 AM   #26
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
I hear what you're saying Pornguy. Also I have not used them in a while, but I still have rebills coming in with them and some of these people have been members for a long time.

There has to be a better way to handle this.
I can't believe I'm the only one complaining about it either, since a few people use them here. Strange that I'm the only one being hit; worst part is if I change them right now, in a few hours they will be cracked again... fucking retarded I'm telling you!
Almost as if the Verotel staff is right there as I change them and 2 seconds later they are posting the passwords themselves on password boards... sounds crazy but what the hell, how can shit leak so quick unless:
a) it's an inside job
or
b) the admin doors are wide open for anyone to retrieve member information.


Christ I don't know what to think anymore.

At this point it wouldn't hurt for Verotel to say something on this; the silence here and on their board is deafening
Old 03-30-2004, 11:11 AM   #27
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
doober, I use Verotel on a couple of smallish paysites (read 300-400 members) and haven't run into this problem at all (so far)... are you sure someone isn't accessing your .htpasswd files in some way, that just happens to know how to decrypt their passwords? Also, are you running any sort of protection script on your server to keep track of how many IP addresses use the same password pair? We use pw sentry to catch rogue accounts and it works pretty flawlessly for us; it will lock an account after it is used by too many surfers and send an email to you so you can take appropriate action..
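Two checks keep coming up in this thread: Shoplifter's advice to review the Apache access_log for who is executing verotelrum.pl, and the per-IP tracking that tools like the pw sentry chupacabra mentions do (lock an account once it is used from too many addresses). The Python below is an added example written for this page, not code from the thread, from Verotel, or from any of those products. It parses a few constructed combined-format log lines (no real traffic) and does both jobs: it lists calls to the script from outside 195.20.32.0/24, the range xenophobic's regex allows (taken from that post, not verified here), using a CIDR membership test instead of a string prefix, and it lists Basic-auth users seen from more than a threshold of distinct IPs. Apache writes the authenticated user into the third field of the combined format, which is why this works on a plain .htpasswd-protected members area. The first field is the TCP peer, the same value the script sees as REMOTE_ADDR, so a proxy in front of Apache would make every hit look like the proxy.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# %u is the HTTP Basic-auth user, so .htpasswd logins show up in the log by name.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Source range xenophobic's check allows; taken from that post, not verified here.
VEROTEL_NET = ipaddress.ip_network("195.20.32.0/24")
SCRIPT_RE = re.compile(r"/verotelrum\.pl(\?|$)")

# Constructed sample lines, not real traffic. joe21 logs in from several unrelated
# addresses within a minute; one failed (401) attempt is included to show it is ignored.
SAMPLE_LOG = """\
195.20.32.17 - - [29/Mar/2004:03:12:01 +0100] "GET /cgi-bin/verotelrum.pl?action=add HTTP/1.0" 200 512 "-" "Verotel"
80.12.1.9 - - [29/Mar/2004:03:14:44 +0100] "GET /cgi-bin/verotelrum.pl HTTP/1.1" 500 210 "-" "Mozilla/4.0"
212.40.5.6 - joe21 [29/Mar/2004:04:01:10 +0100] "GET /members/index.html HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
24.1.77.3 - joe21 [29/Mar/2004:04:01:22 +0100] "GET /members/index.html HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
61.9.100.2 - joe21 [29/Mar/2004:04:02:05 +0100] "GET /members/pics/01.jpg HTTP/1.1" 200 44120 "-" "Mozilla/4.0"
193.77.8.1 - joe21 [29/Mar/2004:04:02:40 +0100] "GET /members/pics/02.jpg HTTP/1.1" 200 44120 "-" "Mozilla/4.0"
212.40.5.6 - sue_k [29/Mar/2004:04:10:00 +0100] "GET /members/index.html HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
10.0.0.7 - joe21 [29/Mar/2004:04:11:00 +0100] "GET /members/index.html HTTP/1.1" 401 401 "-" "Mozilla/4.0"
"""


def parse(line: str) -> dict[str, str] | None:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_allowed_range(addr: str, allowed: ipaddress.IPv4Network = VEROTEL_NET) -> bool:
    """CIDR membership test; anything that is not a parsable address is not allowed."""
    try:
        return ipaddress.ip_address(addr) in allowed
    except ValueError:
        return False


def script_calls_outside(lines, allowed: ipaddress.IPv4Network = VEROTEL_NET) -> list[tuple[str, str, str]]:
    """(ip, path, status) for every request to the billing script not from `allowed`."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and SCRIPT_RE.search(rec["path"]) and not in_allowed_range(rec["ip"], allowed):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def shared_accounts(lines, max_ips: int = 3) -> dict[str, list[str]]:
    """Users whose successful (200) requests came from more than `max_ips` distinct addresses."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["user"] != "-" and rec["status"] == "200":
            seen[rec["user"]].add(rec["ip"])
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > max_ips}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path, status in script_calls_outside(lines):
        print(f"script called from outside the allowed range: {ip} {path} -> {status}")
    for user, ips in shared_accounts(lines).items():
        print(f"possible shared account {user}: {len(ips)} IPs {ips}")
```

On the sample data the script call from 80.12.1.9 is flagged and joe21 shows up from four addresses while sue_k does not. Against a real access_log, feed the file object in place of `SAMPLE_LOG.splitlines()` and tune `max_ips` to what a legitimate member (home, work, phone) plausibly uses in one day; a user hitting the threshold within minutes from several countries, as doober describes, is the pattern the lockout tools react to.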
Old 03-30-2004, 12:15 PM   #28
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Chupacabra, I'm using Pennywize and keep getting emails all the time.
The only passwords getting hammered are the Verotel ones.
From what I see on their board I'm not alone, and it has happened before and then suddenly stopped, but now it has started once again and has not stopped for almost a week... it's getting lame and I know for a fact that it can't be on my side.
Like I said, I change one pass now and in 10 mins it will be used somewhere else

pathetic
Old 03-30-2004, 12:37 PM   #29
nudecanada
Confirmed User
 
Join Date: Jan 2004
Location: Canada
Posts: 793
doober - are you on a dedicated server, or a shared server? And what OS is it running?

chupacabra - same as above?

Reason I am asking is because some old Epoch scripts could be used to root a server, but it could only be done through an exploit in Red Hat Linux; I forget which kernel.

Maybe it is the same for Verotel scripts.
Old 03-30-2004, 12:41 PM   #30
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
Originally posted by doober
Chupacabra, I'm using Pennywize and keep getting emails all the time.
The only passwords getting hammered are the Verotel ones.
From what I see on their board I'm not alone, and it has happened before and then suddenly stopped, but now it has started once again and has not stopped for almost a week... it's getting lame and I know for a fact that it can't be on my side.
Like I said, I change one pass now and in 10 mins it will be used somewhere else

pathetic
Huh, that is strange then... I haven't had a problem like that w/ Verotel pw's at all so far, and am not familiar w/ Pennywize... can you see the IPs accessing the offending accounts by chance? Are they using proxies to log in..?
Old 03-30-2004, 12:46 PM   #31
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote:
Originally posted by nudecanada
doober - are you on a dedicated server, or a shared server? And what OS is it running?

chupacabra - same as above?

Reason I am asking is because some old Epoch scripts could be used to root a server, but it could only be done through an exploit in RedHat linux, I forget which kernel.

Maybe it is the same for Verotel scripts.
nudecanada, I'm on a colo'd FreeBSD box; no one has root on it but me and my host..
Old 03-30-2004, 12:47 PM   #32
Basic_man
Programming King Pin
 
Join Date: Oct 2003
Location: Montreal
Posts: 27,360
Quote:
Originally posted by Battuss
Verotel is going out of business one of these days anyway, you might as well switch now to keep the damage minimal.
I think so !
__________________
UUGallery Builder - automated photo/video gallery plugin for Wordpress!
Stop looking! Checkout Naked Hosting, online since 1999 !
Old 03-30-2004, 12:58 PM   #33
doober
Confirmed User
 
Join Date: Jul 2003
Location: in yoOoo kitchen
Posts: 6,984
Quote:
Originally posted by nudecanada
doober - are you on a dedicated server, or a shared server? And what OS is it running?
Yes, dedicated, and it's running Linux


Quote:
Originally posted by chupacabra


huh, that is strange then... i haven't had a problem like that w/ Verotel pw's at all so far, and am not familiar w/ Pennywize... can you see the IP's accessing the offending accounts by chance, are they using proxies to log in..?
Yes I can see the IPs and they're from all over the place: Russia, China, GBR, Canada, USA etc. etc...
Old 03-30-2004, 01:07 PM   #34
xenophobic
Confirmed User
 
Join Date: Mar 2004
Location: Dallas
Posts: 874
I think you will find that it is more likely that something is occurring on Verotel's end; that might be a hack on their servers, or their traffic is sniffed. Even with modifications to the Perl script, which worked and stopped anyone but Verotel calling it, there was another password incident, and this wasn't password sharing either; the account was over a year old.
Other things point at this:
a: people with other merchants are not having the same problems.
b: their CGI script isn't being exploited (at least in our case)
c: mod_security's logs do not display any suspicious activity, nor do the Apache logs.

Seeing as Verotel had FTP access to this box, I also checked lastlog and found no suspicious logins from the account concerned! Doesn't leave much else BUT them being owned.