I hope this is B.S. - ccbill

[Sleepy]

True ? Not true ? ..prob not.. hope not..

----------------------------------------------------------------------

It appears that perhaps tens of thousands of username/passwords for valid
shell logins ALL ACROSS THE NET may have been compromised at CCBILL,
a large internet credit card/check processor used for e-commerce and
adult sites, read carefully!!

Well, after the user complaint below, we began some investigation
and found about 6 of these IRC bots running on our network as well.
All with a fartone.conf and fartone eggdrop irc daemon listening
on port 9872... this is across 6 different machines alone in our
server farm, so far that we have found, we are scanning right now
to find out if there are more listening on port 9872 in our address
spaces.

Interestingly enough, the common tie between all these compromised
accounts is that they are ALL CCBILL customers. Being CCBILL customers,
they have all their userid and password information to ssh to their
website(s)/server(s) to update scripts and databases as required.
Was CCBILL hacked? OR do they have someone inside who has released
the user information abroad? We called a couple other hosts whom
we communicate with and voila.. they have boxes with IRC bots
running on port 9872 as well... also CCBILL clients.

It appears whomever has obtained the CCBILL list of usernames/passwords
systematically SSH's into their customers server, installs the irc
eggdrop bot and leaves.

I have found no instances of root kits, or anything else malicious
being performed or installed. In fact, in all 6 instances they left
all their .tar and config files, AND their .history files intact.
Looking thru normal daily log files would not tip you off to any sort
of compromise at all -No multiple password failures, etc etc because
they already have the correct password to login

It is my opinion that Cavecreek/CCBILL has had a breach of security
thus releasing user ids and logins on various servers around the
internet. CCBILLS customer base is in the tens of thousands.

It appears the bots are merely sitting and listening waiting for
commands for perhaps a large distributed DoS attack, it does not
appear that they are logging any sensitive data transmitted thru
the server(s). I tcpdumped the port and logged in and out of the
server to make sure it wasnt transmitting any data elsewhere. I
also confirmed that the bots were not logging anything locally
either.

I have attached a sample output of strings on the binary file
called 'fartone' for your review, please note there are *several*
cavecreek machines who are listed as well as many others.
ALL these machines below have been verified to have port 9872 open
and listening with perhaps this same type IRC Eggdrop bot running.
Also please note, all these servers/domains listed below are
current CCBILL subscribers:

ares# strings fartone
#4v: eggdrop v1.6.7 -- betty -- written Wed Dec 19 02:00:00 2001
goldeneye - bfoN
--BOTADDR insecure.nl:4567/4567
--BOTFL ghp
--HOSTS *!*[email protected]
--LASTON 1008733201 #(_(_)============D
--XTRA created 1008544330
--PASS 0dz32ajse1wsg
arsch - bfoN
--HOSTS *!*jb@*.t-dialin.net
--LASTON 1008721551 #testtest
--BOTADDR 123.123.123.123:25432/25432
--XTRA created 1008687422
--PASS fnh4psb7x07rnr
Nitallica - bfoN
--HOSTS *!*[email protected]
--LASTON 1008723944 #torisbots
--BOTADDR smtp.webpipe.net:6000/6000
--XTRA created 1008687422
--PASS 29tuhow2of
FrauAntje - bfoN
--HOSTS *!*[email protected]
--BOTADDR cc118955-b.groni1.gr.nl.home.com:5555/5555
--XTRA created 1008687422
--LASTON 1008715911 #fattool
--PASS 6qgkm19qzmqr41
hispa - bfoN
--HOSTS *!*[email protected]
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR thunder2.cwihosting.com:9872/9872
--XTRA created 1008687422
--PASS 4rg6kei8cz
livedom - bfoN
--HOSTS *!*[email protected]
--HOSTS *!*[email protected]
--BOTADDR s1.ss.klmz.mi.voyager.net:9872/9872
--XTRA created 1008687422
--PASS chahi5e10yz
fetishUSA - bfoN
--HOSTS *!*[email protected]
--HOSTS *!*[email protected]
--BOTADDR fetish-usa.com:9872/9872
--XTRA created 1008687422
--LASTON 1008714534 #fattool.-user
--PASS el44md4jsx
edik - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008721551 #testtest
--BOTADDR 216.143.123.202:9872/9872
--XTRA created 1008687422
--PASS lpk748otq4
undergrou - bfoN
--HOSTS *[email protected]
--LASTON 1008721551 #testtest
--BOTADDR undergroundmpegs.com:9872/9872
--XTRA created 1008687422
--PASS h9raa3sbzib1isl
cartoon-x - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008721551 #testtest
--BOTADDR dynamic.cavecreek.net:9872/9872
--XTRA created 1008687422
--PASS jsuf82v4gity
plump - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR viper.acceleratedweb.net:9872/9872
--XTRA created 1008687422
--PASS 01rc6sicoh9
dara - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--HOSTS *!*[email protected]
--LASTON 1008721551 #testtest
--BOTADDR 209.67.61.60:9872/9872
--XTRA created 1008687422
--PASS 1r52f5hl8ua3
asian - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR asianpornoground.com:9872/9872
--XTRA created 1008687422
--PASS 8kbbvw1d82r
flashx - bfoN
--HOSTS *[email protected]
--LASTON 1008721551 #testtest
--BOTADDR flashdiet.net:9872/9872
--XTRA created 1008687422
--PASS r1mict2o4p3m2g
bonker - bfoN
--HOSTS *[email protected]
--BOTADDR la2.reliablehosting.com:9872/9872
--XTRA created 1008687422
--LASTON 1008689564 #fattool
--PASS mstz9bj3w1
cypo - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR 66.78.56.62:9872/9872
--XTRA created 1008687422
--PASS b051yatpxv78
adult - bfoN
--HOSTS *[email protected]
--LASTON 1008721551 #testtest
--BOTADDR 216.66.37.130:9872/9872
--XTRA created 1008687422
--PASS 8vk58u93xm0cp
steenbok - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR navajo.b-h-e.com:9872/9872
--XTRA created 1008687422
--PASS ky613fzu65pt9
betty - bfoN
--HOSTS *[email protected]
--BOTADDR 216.226.153.165:9872/9872
--XTRA created 1008687422
--PASS svhcr3jpb98bk88
silky - bfoN
--HOSTS *[email protected]
--LASTON 1008721551 #testtest
--BOTADDR www36.mediaserve.net:9872/9872
--XTRA created 1008703816
vixie - bfoN
--HOSTS *[email protected]
--LASTON 1008721551 #testtest
--BOTADDR zeus.envex.net:9872/9872
--XTRA created 1008703839
c0wboy - bfoN
--HOSTS *[email protected]
--LASTON 1008737794 #(_(_)============D
--BOTADDR arizonasex.com:9872/9872
--XTRA created 1008703859
reddawg - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR 216.215.232.6.nw.nuvox.net:9872/9872
--XTRA created 1008703890
blaq - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR www.retronudes.com:9872/9872
--XTRA created 1008704719
bigdick - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR playawhile.com:9872/9872
--XTRA created 1008705304
serve - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008731356 #(_(_)============D
--BOTADDR server.iicinternet.com:9872/9872
--XTRA created 1008706464
pedal - bfoN
--HOSTS *[email protected]
--BOTADDR www1.leftcoast.net:9872/9872
--XTRA created 1008707679
sizco - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008737609 #(_(_)============D
--BOTADDR virtual1.sizco.net:9872/9872
--XTRA created 1008708744
melody - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR 64.242.242.9:9872/9872
--XTRA created 1008710553
cukinsin - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR 209.115.38.113:9872/9872
--XTRA created 1008711094
slettebak - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008737670 #(_(_)============D
--BOTADDR stgeorge.janey1.net:9872/9872
--XTRA created 1008712167
tussy - bfoN
--HOSTS *[email protected]
--LASTON 1008721551 #testtest
--BOTADDR fs2.reliablehosting.com:9872/9872
--XTRA created 1008712187
hrm - bfoN
--HOSTS *[email protected]
--BOTADDR infiniti.isprime.com:9872/9872
--XTRA created 1008713730
--LASTON 1008713966 #jungbusch
fister - bfoN
--HOSTS *[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR or9.reliablehosting.com:9872/9872
--XTRA created 1008713748
buttfuck - bfoN
--HOSTS *[email protected]
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR www.bridgetfox.com:9872/9872
--XTRA created 1008715635
nude - bfoN
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR host210.southwestmedia.com:9872/9872
--XTRA created 1008717613
kippe - bfoN
--HOSTS *!*[email protected]
--LASTON 1008727382 #(_(_)============D
--BOTADDR 207.71.95.100@9872:3333/3333
--XTRA created 1008718483
lecker - bfoN
--HOSTS *!*[email protected]
--LASTON 1008723944 #torisbots
--BOTADDR ladynylons.com@9872:3333/3333
--XTRA created 1008718866
cf - hjmnoptx
--HOSTS -telnet!*@*
--HOSTS [email protected]
--PASS +kqP.7.9x36e.
--XTRA created 1008425222
cf_ - fhjmnoptxZ
--HOSTS *[email protected]
--LASTON 1008727068 @bums
--PASS +SO3pi.h66XB1
--XTRA created 1008426075
chumash - fhpYZ
--HOSTS *[email protected]
--HOSTS *[email protected]
--PASS +ghTan/8SXJw1
--COMMENT 1st Offense Badword
--XTRA created 1008426757
m00b - h
--HOSTS *!b00m@*.planet.arrakis.cz
--LASTON 1008733043 #0dayxxxpasswords
--PASS +REjnv1Q0DAf/
--XTRA created 1008440044
Cyberwolf - h
--HOSTS *!Blah@*.rr.com
--PASS +HPw7k0X0/X51
--XTRA created 1008442445
w33d - hY
--HOSTS *[email protected].*
--PASS +w/e/c.r8kog/
--XTRA created 1008455421
--COMMENT 1st Offense Badword
_maddog_ - hY
--HOSTS *!*ouchabl@*.dial.net4b.pt
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008459615
undernetx - hY
--HOSTS *!*dernetx@*.east.verizon.net
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008460443
O2B3 - hY
--HOSTS *!*frischr@*.xtra.co.nz
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008460560
xxxxx - hY
--HOSTS *!cf@*.and.shine
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008465019
^[FTO1]^ - hY
--HOSTS *![FTO1]^@*.astound.net
--PASS +w/e/c.r8kog/
--XTRA created 1008465619
--COMMENT 1st Offense Badword
showty - hE
--HOSTS *[email protected].*
--PASS +w/e/c.r8kog/
--COMMENT 2 Bad Word Offenses
--XTRA created 1008470243
_mysdick - hY
--HOSTS *[email protected]
--LASTON 1008732953 #0dayxxxpasswords
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008473951
Shareef_A - hY
--HOSTS *[email protected].*
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008477957
aHiMz - hY
--HOSTS *[email protected].*
--PASS +w/e/c.r8kog/
--COMMENT 1st Offense Badword
--XTRA created 1008480641
sr - hjmnoptx
--HOSTS *[email protected]
--LASTON 1008715929 @goldeneye
--PASS +9fX2h.WNiV41
--XTRA created 1008539610
bigwave - h
--HOSTS *!*[email protected]
--LASTON 1008704750 #jungbusch
--PASS +shNEb1VEXSl1
--XTRA created 1008541504
qon - h
--HOSTS *!jbcqon@*.t-dialin.net
--LASTON 1008701006 #jungbusch
--PASS +HUtku0I/W6R.
--XTRA created 1008678075
qonbot - h
--HOSTS *!qon@*.t-dialin.net
--HOSTS *!*achgott@*.t-dialin.net
--LASTON 1008701417 #jungbusch
--PASS +HUtku0I/W6R.
--XTRA created 1008678105
ice2k - h
! #jungbusch 1008706286 fov
--HOSTS *!fisch@*.t-dialin.net
--LASTON 1008706286 #jungbusch
--PASS +riut8.jEw3u0
--XTRA created 1008705970
stiffy - bfoN
--HOSTS *!*[email protected]
--BOTADDR otis.siteprotect.com@9872:3333/3333
--XTRA created 1008720570
moese - bfoV
--HOSTS *!*[email protected]
--BOTADDR ns14.reliablehosting.com@9872:3333/3333
--XTRA created 1008721358
moepsy - bfoN
--HOSTS *!*[email protected]
--LASTON 1008723455 #fattool
--BOTADDR katarina.super.nu@9872:3333/3333
--XTRA created 1008723363
sicker - bfoN
--HOSTS *!*[email protected]
--LASTON 1008726564 #0dayxxxpasswords
--BOTADDR 1-nude-girls-sex-pictures.com@9872:3333/3333
--XTRA created 1008724705
pullo - bfoN
--HOSTS *!*[email protected]
--LASTON 1008727313 #0dayxxxpasswords
--BOTADDR co60.reliablehosting.com@9872:3333/3333
--XTRA created 1008725430
wixer - bfoN
--HOSTS *!*[email protected]
--LASTON 1008727314 #0dayxxxpasswords
--BOTADDR co60.reliablehosting.com@9871:3333/3333
--XTRA created 1008725589
bums - bfoN
--HOSTS *!*[email protected]
--BOTADDR 365host.com@9872:3333/3333
--XTRA created 1008726771
gretl - bfoN
--HOSTS *!*[email protected]
--LASTON 1008727314 #0dayxxxpasswords
--BOTADDR saturn.iwebhosting.com@9871:3333/3333
--XTRA created 1008726906

Please note the .history file just from this one account,
and this is merely a small sample, please note, these are
all CCBILL accounts:

ssh -l f215109 www.extremeteens.net
telnet www.extremeteens.net
ssh -l amfight www.amfight.com
ssh -l sm-online www.sm-online.net
telnet www.musicchief.com
telnet www.studspa.com
ssh -l gmill www.G2mil.com
ssh -l sweetcreme www.sweetcreme.com
ssh -l roach www.exposedfantasy.com
ssh -l tfi0080192 www.whores.telinco.co.uk
ftp www.whores.telinco.co.uk
ssh -l jen11sex www.jensex.com
ssh -l webusr www.asianvixens.net
ssh -l freakfest www.chicagofreakfest.com
telnet www.gangbang-wife.com
ftp gangbang-wife.com
ssh -l gangbang ganbang-wife.com
ssh -l gangbang gangbang-wife.com
ssh -l norfun www.norfun.com
ssh -l doublejay doublejay.ultraadult.com
ftp ultraadult.com
ftp www.internetpleasure.net
telnet www.internetpleasure.net
ssh -l admin www.internetpleasure.net
ftp www.internetpleasure.net
mail
w
ftp www.teenpussy2001.com
w
ssh -l livedom www.livedom.com
ssh -l dmartin2 www.sweetcuties.com
w
ssh -l fetish www.fetish-usa.com
ssh -l dodger www.dodger.co.uk
ssh -l beavis www.eroticamazon.com
w
ls
ssh -l www.thebondagechanne www.thebondagechannel.com
ftp www.thebondagechannel.com
ssh -l hispa hispamagic.com
ssh -l dodger www.dodger.co.uk
ssh -l livedom www.livedom.com
ssh -l fetish www.fetish-usa.com
ssh -l jen11sex www.jensex.com
ssh -l stephenp www.thefun-times.com
ssh -l barbie www.VoyeurCamCondo.com
ssh -l eve3 www.strumpfhosen-girls.com
ssh -l melody www.undergroundmpegs.com
mail
telnet www.AMAHO.COM
ssh -l blueflamedesigns www.blueflamedesigns.com
ssh -l dynamic www.cartoon-x.net
ssh -l u1498 www.plumptious.com
ssh -l rowan55 www.dirtydara.com
ssh -l barbara www.asianpornoground.com
ssh -l alenko www.alenko.com
ssh -l hispa hispamagic.com
ssh -l livedom www.livedom.com
ssh -l melody www.undergroundmpegs.com
ssh -l u1498 www.plumptious.com
ssh -l rowan55 www.dirtydara.com
ssh -l rburdwood www.southcouple.com
ssh -l flashdiet flashdiet.net
ssh -l cypo www.cypo.com
ssh -l u44048 adultfrontier.com
ssh -l u44048 www.adultfrontier.com
ssh -l avrcon avrcon.com
ssh -l sara www.boobtique.com
ssh -l extreme-g www.xtreme-girls.com
ssh -l lynnol www.lynncarroll.net
exit
ssh -l www.extremeteens.net
/bin/bash
ssh -l websex www.websex.org
ssh -l playsi www.silkyplay.com
ssh -l linda www.nastylinda.com
ssh -l ndevine www.nikkidevine.com
ssh -l belleleigh www.belleleigh.com
ssh -l gtdfor www.arizonasex.com
ssh -l voyearexpo www.voyeurexpo.com
/bin/bash
ssh -l voyeurexpo www.voyeurexpo.com
ssh -l markiemark www.profitbusiness.com
telnet www.analaddiction.com
ssh -l pplump www.proudly-plump.com
ssh -l taboo www.incesttaboo.com
ssh -l legendaryreddog www.legendaryreddog.com
telnet www.adultamateursexpictures.com
ssh -l miami miamistudios.com
ssh -l envex www.envex.net
ssh -l voyeurmyth www.voyeurmyth.com
ssh -l netpimp www.exhibitionfetish.com
ssh -l teressam www.teressamoss.com
ssh -l gospeltr www.gospeltribune.com
ssh -l mcooper www.findfreefiles.com
telnet www.retronudes.com
ssh -l nyguy www.playawhile.com
ssh -l wickedgamers www.wickedgamers.net
ssh -l wengle www.hentaidimension.com
ssh -l nudistphotogallery www.nudistphotogallery.net


[email protected] wrote:
>
>
> Here is a message regarding a hack attempt. They have stated that the
> hack was also from our server 216.226.xxx.xxx. How can we check who/what
> happened from that server. The details from there logs are below.
>
> Stan
> ****
>
> -------- Original Message --------
> From: - Tue Dec 18 21:57:22 2001
> X-UIDL: c531b934e8e90feedce1e9ab85425a46
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Received: from gelt.cavecreek.net (gelt.cavecreek.net [64.38.195.170])
> by zeus.xxxxxxxxxx (8.8.5/8.8.5) with ESMTP id AAA22149 for
> <stan@xxxxxxxxxx>; Wed, 19 Dec 2001 00:49:52 -0500 (EST)
> Received: from biz-link.com (cx832301-d.chnd1.az.home.com
> [24.14.253.216]) by gelt.cavecreek.net (8.11.2/8.11.1) with ESMTP id
> fBJ5thY93497; Tue, 18 Dec 2001 22:55:44 -0700 (MST) (envelope-from
> [email protected])
> Message-ID: <[email protected]>
> Date: Tue, 18 Dec 2001 22:56:28 -0700
> From: Jeff Wolkove <[email protected]>
> Reply-To: [email protected]
> Organization: SVM
> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
> X-Accept-Language: en
> MIME-Version: 1.0
> To: [email protected], stan@xxxxxxxxx
> CC: [email protected]
> Subject: Illegal hacking activity
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-UIDL: c531b934e8e90feedce1e9ab85425a46
>
> LEGAL NOTICE TO [email protected] and stan@xxxxxxxxxx
> Courtesy Copy To: [email protected]
>
> One of your users illegally accessed a server I own and illegally
> installed and ran software on it. The hacker gained access to the
> system using a hacked or stolen password and installed "eggdrop"
> an IRC bot with the capability of launching distributed denial
> of service attacks.
>
> This hacker accessed my system from cc118955-a.groni1.gr.nl.home.com
> by FTP as per the following entry in my system FTP logs. All times
> are Mountain Standard Time (Arizona, USA).
>
> Dec 18 11:48:04 gelt ftpd[23349]: connection from
> cc118955-a.groni1.gr.nl.home.com (213.51.147.235)
>
> The user also accessed the system using interactive SSH from
> 216.226.xxx.xxx
> according to the following entries in syslog
>
> Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for
> "216.226.xxx.xxx".
> Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password
> accepted.
> Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user
> gtdfor accepted.
> Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from
> 216.226.xxx.xxx, authenticated.
>
> This is a private server and the gtdfor user ID is used only by myself,
> the system administrator. This is a unix-level login, not a web site
> account. This(these) user(s) therefore gained access illegally.

----------------------------------------------------------------------
http://www.securityfocus.com/archive/75/246360
and http://www.securityfocus.com/archive/75

[Kimmykim]

How many times am I going to say this...

If there is an issue we will certainly let you know.

For the record, the boxes that accept and store the webmaster information have ZERO to do with the boxes that run card or checking transactions.

[jimmy3way]

Okay I'm a tech retard, I understand what this is, but is it bad?

Some bored Cavecreek sysadmin? Some clever-clever hacker getting ready to replace the CIA's homepage with 'DEEZ NUTZ' in +6 Arial?

[Sleepy]

Im sorry Kimmykim, this topic is new to me. I know that the thread was
started by a guy who used to be my partner's programmer. He is not stupid
or a ccbill heckler. Add it all up and the topic has some credibility.

Your saying this is entirely false and nothing even similar has happened ?
Have I missed this topic elsewhere and it has already been clearly explained ?
Thanks

[FATPad]

Topic is new to me, too.

It definitely doesn't sound good, but what exactly does it mean?

[Kimmykim]

I've addressed it on every other board on the net it would appear.

We've seen no proof and haven't been able to verify any problem at this point.

If we do, I will let you all know.

As for there being tens of thousands or even thousands, well no.

[cyberpunk]

let me start by saying that my only affilation with CCbill is I use them to procress for some of our sites.

while I do know the internal workings of any of ccbill's systems. I do have a great deal of experice prior to my life as an adult webmaster in security and such.

The likely hood of this happening are is VERY low.

If you want to be 100% paranoid change the ccbill acct passed they don't need it once the scripts are installed.

TO me this sounds more like someone tring to cause trouble then a real issue.



------------------
got EVIL?.... get EVIL! Make $$ from traffic you didn't even know you had plus earn a bonus on all refered webmasters

over 4000 new images released, for the rest of the month buy one CD get one FREE!

Get PAID on FREE joins and a 50$ signup bonus

[NikKay]

I have 3 emails sitting in my box this morning with this same message. And one came from ReliableHost, which we used to host with.
"Hello Customers,

Some of the message boards have posts stating that one of CCBill's
servers has been broken in to and that customer username and password
information to ssh to their website(s)/server(s) has been released.

Although we have not been able to verify this with CCBill, as a precautionary
measure we ask that you change your password for your account on our
servers and with CCBill.

If you need assistance doing that, please let us know."




------------------
NikKayyy
http://www.HotWiredNet.com

[Kimmykim]

Nik -- Please let your host know that we appreciate the situation being handled tactfully.

Anyone who may be uncomfortable with the situation should by all means change their server log ins.

When we have specific information to report to our clients we will. In the meantime we are still taking a very close look at the entire situation, and until we've come to some conclusions there's not much more I will have to say about it.

[shunga]

Let's wait until someone proves there's a serious problem before we all panic. I'm concerned, but not unduly worried.

[tvo]

Quote:

Originally posted by Kimmykim:
I've addressed it on every other board on the net it would appear.

We've seen no proof and haven't been able to verify any problem at this point.

If we do, I will let you all know.

As for there being tens of thousands or even thousands, well no.

You've got to be friggin' joking, right? Your security people said that there definately *IS* a problem, woke people up in the middle of the night to tell them about it, had a big meeting to figure out what you were going to do about it and then informed [bleep] that you would be sending out an email to all of our clients regarding the situation.

You're simply setting yourself up for a HUGE fall if you don't come clean on this one.

I *KNOW* [bleep] personally. He called me at 4am on 12/19 to let me know what was up. I just spoke to him about your now denying the compromise. He said, "I don't wish them any ill will. I am simply protecting my network and trying to help other network operators protect theirs."

Go ahead and play Microsoft if you want. Deny the problem, hope it will go away.

We'll continue to play full disclosure.


--tvo

[tvo]

Quote:

Originally posted by Kimmykim:
How many times am I going to say this...

If there is an issue we will certainly let you know.

For the record: the boxes that accept and store the webmaster information have ZERO to do with the boxes that run card or checking transactions.

For the record: We never said there was a CC info leak. We said that you had an apparent compromise and that the username/passwords that had been supplied to CCBill for installation/maintainance purposes were being used to log into CCBill customer machines and install IRC related programs in an apparent attempt to create a huge distributed bot-net for the purposes of dDos.

For the record: I have now talked to over 40 individuals who had said "bots" installed on their machines on 12/19 and 12/20 by someone who logged in using the username/password provided to CCBill for installation/maintenance purposes.

For the record: The *ONLY* thing that any of these individuals had in common was that they used CCBill for processing and that they had *not* disabled the CCBill account after installation.

For the record: You're going to lose more customers by lieing about this problem than by being honest, getting the word out and having your customers REMOVE the programs installed by the person(s) illegally using the accounts and change the passwords/disable the CCBill logins.

--tvo


[This message has been edited by tvo (edited 12-20-2001).]

[tvo]

CCBill finally fesses up!

On 12/20/01 at 1:59 PM [email protected] <[email protected]> wrote:

CCBill has had an incident that compromised a minimal percentage of our customer's hosting server user names and passwords.
While we are investigating the circumstances, as an added precaution, we feel it is important that all of our customers consider the following:

In order for your account to have been potentially affected, your setup must meet the following criteria:

1. Unix/Linux box.
2. Submitted ftp/telnet/ssh information about your current server to CCBill.

At this time we are asking all of our CCBill clients to take the following steps:

1. Please change your server password(s) or have your host do so.
2. Please have your host scan your server(s) for an installation of 'eggdrop' and to see if port 9872 is open.
3. If the instance does occur and your host is unfamiliar with how to disable the installation, please have them contact [email protected] with the Subject line - Eggdrop removal - and someone in our support department will contact them immediately.

We want you to know that:

1. We have corrected the source of the problem.
2. We are working diligently to discover who was behind this.
3. No other systems at CCBill were affected and only hosting passwords need to be changed.

Any other questions may be addressed to your sales person at CCBill.

Ron Cadwell, CEO

-----

So, what-do-ya-have-to-say-for-yourself NOW, Kimmykim?

--tvo

[Kimmykim]

I'd be more concerned about what you had to say tvo.

Interesting that you've got a grand total of 3 posts.

[Rip]

Well, I am checking the servers, and I hope that there are not too many big problems for other webmasters, but ccbill has always been a pretty steady processor... so a bump in the road, perhaps... nothing more

Teaches us not to be lazy and leave the same passwords laggin around

------------------
$$ Get Your Hot NEW Banner$ From Dirty Gold $$
JackThumbsTGP - - - VideoKAT-ViDeOpOsT
- Post Gallieries - - - - - - - Trade Traffic -

[Kimmykim]

Its a very minimal percentage Rip, and you know that if you have any questions or need anything from us, just let us know --

[tvo]

Quote:

Originally posted by Kimmykim:
I'd be more concerned about what you had to say tvo.

Interesting that you've got a grand total of 3 posts.

What I've got to say is that for you, as a representative of CCBill, to deny having a compromise, KNOWING FULL WELL THAT YOU DID, was dishonest at best and most definately added to the potential for damage to the systems that were compromised.

As for my only having 3 posts here, what does that have to do with ANYTHING? At least I haven't been lieing.

You had a compromise. You were notified in a very timely manner with overwhelming evidence of said compromise. You chose to wait nearly 38 hours before notifying your customers of this compromise -- a situation that most DEFINATELY led to more of their servers being accessed illegally. It will be some time before the full ramifications of both the compromise and your lack of IMMEDIATE full disclosure will be known. It goes without saying that had you not waited, less systems would have been compromised.

--tvo


[This message has been edited by tvo (edited 12-20-2001).]

[Kimmykim]

4 posts, let's go for 5.

[Gary]

TVO, Kim spends her nights giving me erotic massages and doesn't have time to call the office every 5 minutes. But fortunately, CCBILL has many tech people who refuse to touch me and can spend their time working.

[rollin2]

cavecreek is a pioneer in this industry, as well as the non-adult industry.

i wouldn't worry about ccbill or the problem they had, and i am sure kimmykim was unaware of it at the time.

just a lame hacker, with nothing better to do then find a site called "rootshell" and learn how to exploit a server...

all will be worked out, ccbill is very professional with these things, and i hope ccbill catches the crook!

[tvo]

Quote:

Originally posted by Gary:
TVO, Kim spends her nights giving me erotic massages and doesn't have time to call the office every 5 minutes. But fortunately, CCBILL has many tech people who refuse to touch me and can spend their time working.

Gary,

Good for you and Kim and the massages and all. That might be a reason for her not knowing had CCBill not been notified by 0400 EST on the 19th of December of the issue.

Having spent the past 36 hours dealing unauthorized logins to customer machines and comparing notes with other NSPs, I had the number of hours wrong in my previous message (edited and corrected now). (I lost a day somewhere.)

CCBill knew for ALL of the business day on the 19th that they had had a compromise. Instead of notifying customers that they should change passwords or disable accounts, they simply played damage control. I know of numerous people who called CCBill with regards to this compromise and they all got the same line. A flat-out denial that there had been a compromise.

--tvo

[Gary]

your jealous aren't you? I can understand that.

[rollin2]

kimmykim is hot

she was the one with black hair / goth style @ the convention right?

IA i think

[willow]

This is certainly a bit of a fuck up, but these things happen.

You can also bitch about the response times and deniability, but because you don't really know what's going on behind closed doors at CCBill, you can't really form an opinion on how soon to generally raise the alarm.

What does concern me, from a purely paranoid point of view, is the advice given.
Simply advising a single port check and changing a password on sensitive boxes is a joke. Without some other way of verifying that nothing else is tampered with (and there are a few) you've really got little choice but a fresh install.
Check any serious security companies recommendation on this, they'll agree.

Somebody was good enough to get this far. If it was you would you have left a backdoor here or there? Maybe not on every machine, but CCBill don't know for sure what happened on every machine, just those that somebody noticied were listening on a certain port.

Very sloppy security intrusion reaction policy CCBill. Sorry. Anyone can take a hit, but you've got to face up to the full possible consequences. I hope you're privately working with your clients with this advice.

[tvo]

Quote:

Originally posted by willow:
This is certainly a bit of a fuck up, but these things happen.

You can also bitch about the response times and deniability, but because you don't really know what's going on behind closed doors at CCBill, you can't really form an opinion on how soon to generally raise the alarm.

The moment that you receive a telephone call from a network operator who provides documentation that points to the fact that you have had a compromise that potentially released thousands of VALID username/password pairs for customer machines, the steps should be taken to notify the customers. You don't have to tell them WHY they need to change those passwords, etc because at this point, you're not absolutely sure what has happened. A post-mortum on this type of incident takes time.

To the credit of the individual who was working when CCBill was first contacted with regards to the compromise, he did start waking people at CCBill up and letting them know. The fact that it took over 36hours for CCBill to make any mention of the incident to their customers is what is of most concern to me. Thankfully, I was called directly by another network operator just prior to CCBill being contacted. This was part of the "compare notes and make sure we're not calling Wolf" process. When the determination was made that of the multiple networks involved, the only common denominator was that the unauthorized accesses were all made to the CCBill accounts and that the files installed were nearly identical, it was decided that the most likely case was a compromise at CCBill. Then and ONLY then was the alarm raised to CCBill. At the same time, we started contacting customers and peers to inform them of the issue.

Quote:

What does concern me, from a purely paranoid point of view, is the advice given.
Simply advising a single port check and changing a password on sensitive boxes is a joke. Without some other way of verifying that nothing else is tampered with (and there are a few) you've really got little choice but a fresh install.
Check any serious security companies recommendation on this, they'll agree.

At least in the case of our customers, the accounts in question were non-root accounts that were also chrooted in most cases. We have found no evidence of the intruder even attempting to obtain root access. For that matter, until the alarm was sounded at BUGTRAQ by a peer of mine, the intruder(s) didn't even attempt to hide their tracks. By early evening 12/19/01 on the east coast, the intruders began trying to hide things using "..." and " " directories.

Quote:

Somebody was good enough to get this far. If it was you would you have left a backdoor here or there? Maybe not on every machine, but CCBill don't know for sure what happened on every machine, just those that somebody noticied were listening on a certain port.

Like I said in the last paragraph, I have not seen or been informed of any customer-machine intrustions that resulted in root access. (Unless some fool gave CCBill their root account and ALSO accepted logins to the root account from the outside world.) Most of your script-kiddie backdoor tools will need to be installed as root.

Quote:

Very sloppy security intrusion reaction policy CCBill. Sorry. Anyone can take a hit, but you've got to face up to the full possible consequences. I hope you're privately working with your clients with this advice.

Agreed.

--tvo

[This message has been edited by tvo (edited 12-20-2001).]

[Kimmykim]

Quote:

Originally posted by rollin2:
kimmykim is hot

she was the one with black hair / goth style @ the convention right?

IA i think

I am pretty sure you are thinking of Denise. I'm blonde all the way to the roots

[Gary]

Quote:

Originally posted by Kimmykim:
I am pretty sure you are thinking of Denise. I'm blonde all the way to the roots

Ya put your still hot.

[TheFLY]

Quote:

Originally posted by tvo:
When the determination was made that of the multiple networks involved, the only common denominator was that the unauthorized accesses were all made to the CCBill accounts and that the files installed were nearly identical, it was decided that the most likely case was a compromise at CCBill. Then and ONLY then was the alarm raised to CCBill. At the same time, we started contacting customers and peers to inform them of the issue.

It sounds to me like CCBill is being accused of having a superiority complex, "my servers are more important than your servers..." If I give you a password to my machine -- and you fuck up and leak that information to a hacker -- I would be pissed that I wasn't notified ASAP. Am I getting this right?

I suppose maybe KimmyKim would want to protect the image of security of the $$$ that CCBill is processing... no need to cause unnecessary alarm... especially for the many resellers that have nothing to do with this. Also half of the people on this board don't understand technical jargon... but I'm glad we got the real story here on GFY ;)

[This message has been edited by TheFLY (edited 12-20-2001).]

[Kimmykim]

Has nothing to do with protecting anything Fly -- we are as concerned with who did it, and what their ultimate goal from doing it (as you mentioned in another thread) as we are with the fact that it did occur in some instances.

I'm not going to say much besides that at the moment.

[SNOW]

You can all blow me...LOL..I would not worry tvo..Lets not jump the gun.. Give it a rest i'm sure everything will be ok..

[Kimmykim]

I do want to reiterate one thing guys -- a very small number of our clients were affected -- BUT if you are one of our clients, please do yourself right and check your boxes.

We've asked everyone to do so in case anyone may have slipped thru the cracks --

[railz]

It made Yahoo...
http://dailynews.yahoo.com/h/nm/2001...hack_dc_1.html

[Kimmykim]

It's Reuters, should be everywhere

[tvo]

From the Reuters by By Elinor Mills Abreu:

A quote from Tom Fisher, general manager of CCBill.

Quote:

Fisher said the CCBill had not contacted the FBI (news - web sites) because ''it's not that big of an issue.''

That is ridiculous! Just how many machines need to be affected before it IS a big deal Tom?

Quote:

In its e-mail to customers, CCBill said it had corrected the source of the problem and was working to discover who was behind the hack.

So, the l33t h@x0rz at CCBill couldn't protect their system from the initial compromise but, they suppose to have more resources than the federal government to track down the perpetrator(s)?

'Tis sad...

--tvo


[This message has been edited by tvo (edited 12-21-2001).]