Old 10-10-2007, 11:22 PM   #1
adonis
Confirmed User
 
Join Date: Oct 2002
Posts: 231
Someone steals our customer passwords regularly

I noticed someone is accessing our site using our customers' passwords. He's using the same IP address (at least I know one of his IP addresses). He's using only selected passwords of the last day (He generally doesn't use older passwords). He sometimes shares a password with a few others.

I think he's not using a brute force attack, because we log failed logins, nothing weird there...

He can access customers' mails (at least one of them), because I changed a password and emailed the customer, 5 minutes later he tried the new password.

If some password is used by a few different IP numbers in a day, it is suspended temporarily with a warning message. He sees the message and continuously tries to enter for hours. He has other passwords but he insists on the latest one he has.

This is very weird. Does someone have any logical idea?
Old 10-10-2007, 11:30 PM   #2
Martin3
Confirmed User
 
Join Date: Oct 2005
Location: Houston
Posts: 1,529
You sure it's not just the ip(s) of some web cache servers like AOL or some other big ISP?
Old 10-10-2007, 11:33 PM   #3
DatingGold
$6 PER EMAIL JOiN
 
Industry Role:
Join Date: Feb 2003
Location: California
Posts: 13,185
these are the kinds of things you don't post on boards lol
Old 10-10-2007, 11:35 PM   #4
RawAlex
So Fucking Banned
 
Join Date: Oct 2003
Location: In a house.
Posts: 9,465
Sounds like a torrent site ripper bot with a nice backdoor into a few people's PCs.

You might want to watch those signups and see if they have an affiliate in common, and also see how long before they cancel / chargeback / card reported stolen.
Old 10-10-2007, 11:36 PM   #5
minusonebit
So Fucking Banned
 
Join Date: Feb 2006
Posts: 7,391
Yeah, it sounds like you have been hacked.
Old 10-11-2007, 12:04 AM   #6
adonis
Confirmed User
 
Join Date: Oct 2002
Posts: 231
Quote:
Originally Posted by RawAlex View Post
Sounds like a torrent site ripper bot with a nice backdoor into a few people's PCs.

You might want to watch those signups and see if they have an affiliate in common, and also see how long before they cancel / chargeback / card reported stolen.
What is torrent site ripper? I scanned my computer with Kaspersky, Ad-Aware and Spybot. Nothing found... They don't have a common affiliate.
Old 10-11-2007, 12:09 AM   #7
d-null
. . .
 
Industry Role:
Join Date: Apr 2007
Location: NY
Posts: 13,724
Quote:
Originally Posted by Martin3 View Post
You sure it's not just the ip(s) of some web cache servers like AOL or some other big ISP?
what he said... this even happens with some more localized isps
Old 10-11-2007, 12:10 AM   #8
WiredGuy
Pounding Googlebot
 
Industry Role:
Join Date: Aug 2002
Location: Canada
Posts: 34,482
You sure it's not specific clients sharing the passwords? Are you putting any kind of password strength to make sure they're not simple passwords?
WG
Old 10-11-2007, 12:26 AM   #9
After Shock Media
It's coming look busy
 
Join Date: Mar 2001
Location: "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn".
Posts: 35,299
Do you have something such as strongboxxx protecting your members area?
Are you using totally random user/pass or letting people choose their own?
You aware one IP may be a proxy and it could be an entire forum using it?
Old 10-11-2007, 01:02 AM   #10
wateva
So Fucking Banned
 
Join Date: Jul 2007
Posts: 492
the ip most probs will be a proxy............
Old 10-11-2007, 01:28 AM   #11
adonis
Confirmed User
 
Join Date: Oct 2002
Posts: 231
Quote:
Originally Posted by After Shock Media View Post
Do you have something such as strongboxxx protecting your members area?
Are you using totally random user/pass or letting people choose their own?
You aware one IP may be a proxy and it could be an entire forum using it?
Even if it's a proxy, one person is using it, and he gives away passwords to one or two people, or a limited group. I know he's one person using the proxy, because the cookies and browser info in the HTTP headers are the same...

Our visitors choose their passwords, but this guy doesn't enter a wrong password. He starts using it 15 minutes, or several hours after signup.

If you had access to the whole member database, wouldn't you try another username if the one you try is suspended because of multiple access?? Yes you would, but this guy doesn't try other ones, only the latest. This is weird. I think he can see new login pairs,
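An added example, not part of any post in this thread: the multiple-IP suspension rule and the signup-to-first-use timing described above, run over constructed log records. The record layout, user names, IP addresses and the threshold of two IPs per day are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the thread): signup times and login events.
SIGNUPS = {
    "alice": "2007-10-10 09:00",
    "bob":   "2007-10-10 12:30",
    "carol": "2007-10-03 08:00",
}
# (timestamp, client IP, username, login succeeded?)
EVENTS = [
    ("2007-10-10 09:05", "198.51.100.7", "alice", True),   # the customer
    ("2007-10-10 09:20", "203.0.113.50", "alice", True),   # suspect IP, 20 min after signup
    ("2007-10-10 11:00", "192.0.2.14",   "alice", True),   # password passed on
    ("2007-10-10 12:40", "198.51.100.9", "bob",   True),   # the customer
    ("2007-10-10 15:30", "203.0.113.50", "bob",   True),   # suspect IP, 3 h after signup
    ("2007-10-10 16:00", "198.51.100.3", "carol", True),   # older account, own IP only
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def shared_accounts(events, max_ips=2):
    """Users whose successful logins came from more than max_ips IPs in one day."""
    ips = defaultdict(set)
    for when, ip, user, ok in events:
        if ok:
            ips[(user, ts(when).date())].add(ip)
    return sorted({user for (user, _), seen in ips.items() if len(seen) > max_ips})

def signup_to_first_use(signups, events, suspect_ip):
    """Per user: (minutes from signup to the suspect IP's first attempt, failed tries)."""
    first, failures = {}, defaultdict(int)
    for when, ip, user, ok in sorted(events):
        if ip != suspect_ip:
            continue
        if not ok:
            failures[user] += 1
        first.setdefault(user, ts(when))
    return {u: (int((t - ts(signups[u])).total_seconds() // 60), failures[u])
            for u, t in first.items() if u in signups}

if __name__ == "__main__":
    print("suspend:", shared_accounts(EVENTS))
    print("suspect IP:", signup_to_first_use(SIGNUPS, EVENTS, "203.0.113.50"))
```

When every account the suspect IP touches is new, the delay is short and the failed-try count is zero, the pattern points to a leak on the signup path (welcome mail, billing, add script) rather than guessing or an old database dump.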
Old 10-11-2007, 02:42 AM   #12
MikeSmoke
Confirmed User
 
Join Date: Nov 2002
Location: SoCal
Posts: 3,233
Don't know if you use pennywize, but I was stumped with a similar problem until I dumped them and went with strongbox......
Old 10-11-2007, 03:11 AM   #13
TeenCat
Too lazy to set a koala
 
Industry Role:
Join Date: Jan 2007
Location: CZ/EU forever!
Posts: 16,139
Hello man. Are you receiving emails when a new member arrives? If yes, go and change your email password now! What payment system do you use? It depends on it, because there are at least two payment systems completely hacked, so if you are on one of them, that is the reason. So, change the password to your email, change the password to access your payment system account, change the path to your .htpasswd and to your log and database files, and if that does not help, change billing system ;) If this does not help, go and hire some security expert who will help you in a few moments ;) Best wishes with your sites!
Old 10-11-2007, 04:12 AM   #14
hjnet
Confirmed User
 
Join Date: May 2002
Location: European Union
Posts: 3,815
Quote:
Originally Posted by adonis View Post
He sees the message and continuously tries to enter for hours.
Sounds like a bot to me, or a really really horny dude
Old 10-11-2007, 04:30 AM   #15
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
a few things should stand out to help explain what's going on..

#1
a real person doesn't repeatedly try a dead password; this should be a pretty standard indicator this is a bot of some sort or a proxy

#2 if they are getting fresh passes with no common affiliate then there aren't too many holes. it has to be in the email or billing.. if the numbers are less than 10% then it's possible it's something like zango scooping the passes

but i would say there's a good pos your mail server is compromised and they are running the passes thru a proxy
Old 10-11-2007, 04:39 AM   #16
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
is the ip close to this
82.165.140.113
Old 10-11-2007, 09:46 AM   #17
Mickey Mouse
Confirmed User
 
Industry Role:
Join Date: Apr 2006
Posts: 104
I'm far from an expert as I've had a few problems in this area myself, but I'd second the recommendation for YOU to change your password to your email. I might also recommend using Gmail or Hushmail and accessing both via https. Gmail defaults to non https, so you'll have to type in the https to access it via SSL and remain on SSL. These systems will not only encrypt your Username and Password, but also everything you send--but only if accessed via https.

Email is two way, so even if your security is good, there could be an issue on the end of your new user. Similarly, you don't know if they have other security problems--the customer is the person you have no control over.

Your own security is another matter. Take a look at your home security. Make a strong wireless password if accessing via wireless, and consider VPN if using a connection in a hotel as many hotels use hubs not switches--they don't care about your security.

It's also probably time to change your password on your server's control panel as well as all the sites. Make sure your passwords are strong. Need help generating strong passwords? See https://www.grc.com/passwords.htm for a free password generator.

Make sure your password file is not web accessible. Obvious, but you'd be surprised.

Make sure your members' user names and passwords are strong. Probably not happening if your users are selecting their own.

99 times out of 100 if someone gets ahold of someone else's password it's because it was "given" to them. Meaning the customer put it up at some password sharing board. I don't tell my customers that I have password protection scripts, so many don't think I'll catch them. While others will wait until near the end of their membership and then share it. I've given serious thought about hiring a collection agency to go after these customers for the extra bandwidth, but luckily my password protection script always catches this before long and cuts them off.

Also, why not block the IP? Of course he'll just find a way to access from another, but curious why you didn't try anyway.
Old 10-11-2007, 10:04 AM   #18
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
If they seem to be getting passwords belonging to many different legitimate
users, they are likely ripping your password file. Here is the solution:
http://bettercgi.com/strongbox/passgen/

(See mainly the part about using modern encryption for the password file).
Old 10-11-2007, 10:07 AM   #19
Mickey Mouse
Confirmed User
 
Industry Role:
Join Date: Apr 2006
Posts: 104
Also, very important. Don't use the same passwords for different things. For example, some of these Post Pic for Rating and Traffic sites are simply a trap to find out what User Name and Passwords you like to use. There are certainly many other types of sites out there doing the same. You sign up and then they'll use that user name and password to try to access your site, email, etc. So, make sure to use different passwords for different things.
Old 10-11-2007, 11:29 AM   #20
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by raymor View Post
If they seem to be getting passwords belonging to many different legitimate
users, they are likely ripping your password file. Here is the solution:
http://bettercgi.com/strongbox/passgen/

(See mainly the part about using modern encryption for the password file).
Market your product less and write things that make sense. If they are ripping his password file (you wrote that), then your product is useless in that. Less false marketing, more support.
Old 10-12-2007, 01:17 PM   #21
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by ladida View Post
Market your product less and write things that make sense. If they are ripping his password file (you wrote that), then your product is useless in that. Less false marketing, more support.
Actually the link I posted isn't for our product, it's information and a free tool
to stop password file ripping. Before you tear into someone offering assistance,
it might be good to actually look at the link.

Back to the original topic, a cracker could have modified the processor's add
script to email them the new user names and passwords. Use ctrl-f in Notepad
or your favorite text editor and look for "sendmail".
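An added example, not part of the thread and not any processor's real code: the "sendmail" search widened to other outbound calls and to hard-coded addresses, run over a constructed add script. The script text, the addresses and the allow-list are assumptions.

```python
import re

# Constructed sample of a signup ("add") script, not any real processor's code.
SAMPLE = r'''#!/usr/bin/perl
open(PW, ">>$htpasswd"); print PW "$user:$crypted\n"; close(PW);
open(MAIL, "|/usr/sbin/sendmail -t");
print MAIL "To: $customer_email\nFrom: support\@site.example\n\n";
print MAIL "Welcome $user\n"; close(MAIL);
open(M2, "|/usr/sbin/sendmail -t");
print M2 "To: drop\@mailbox.example\n\n$user:$pass\n"; close(M2);
'''

# Ways a script can push data out; "sendmail" alone misses several of them.
OUTBOUND = re.compile(
    r"sendmail|\bmail\s*\(|Net::SMTP|smtplib|LWP::|\bcurl\b|fsockopen", re.I)
# Hard-coded addresses, including Perl's escaped form user\@host.
ADDRESS = re.compile(r"([\w.+-]+)\\?@([\w-]+(?:\.[\w-]+)+)")

def audit(source, known_addresses):
    """Return (line number, finding) pairs that a reviewer should read by hand."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if OUTBOUND.search(line):
            findings.append((number, "outbound call"))
        for local, domain in ADDRESS.findall(line):
            address = f"{local}@{domain}".lower()
            if address not in known_addresses:
                findings.append((number, f"unknown address {address}"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE, {"support@site.example"}):
        print(f"line {number}: {finding}")
```

In this constructed sample the second mail pipe and the recipient outside the allow-list are the lines to read by hand; comparing the script against the processor's original copy confirms whether they were added.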