loco12

Fuck knows how this has happened as I have strongbox installed and its working fine. But 400 of my passwords were posted on a password site.

I have noticed Strongbox has been knocking out more members daily in the last month. So how do these thieves get access to the password files?

Checked server stats and only me thats been logged on.

Thoughts?

Sebastian Sands

What's your site?

c0py-BANNED FOR LIFE

whats the forum url

WarChild

Sounds like a security issue with a script running on your server or your server setup . You'd be surprised how many people leave their password files, for instance, available for public access.

__________________
.

gaymale

If your stats show only you have been logging in, maybe whoever did this got your id and password. Might want to change your pasword.

__________________

ladida

MAGIC!1

What's your site, what's the forum, how many members you have, where do you host....

__________________
agentGFY *at* gmail.com

loco12

But only my IP shows up. If someone else was using my login their IP would be different to mine..

WarChild

They don't need to be logging in to your server.

If you have any scripts running, they may be vulnerable through a variety of measures. Basically, someone could take control of your server by having the script(s) run commands. To you it would appear nobody "logged in" to your server.

Your password file may even web accessable. That is, can someone just type in yoursite.com/passwords.txt (or whatever) and retreive the password file?

I'm no security expert, especially in regards to web servers, so you'll probably want to get some help from somebody that is. Do you know any good admins that could do a quick once over on your site?

You could get some more information by letting us know exactly what you're running script and members protection wise. Maybe someone can point out a vulnerable script from its name.

__________________
.

Phil

don't give the ul name or minusonebit will have it posted on his blog

__________________
Ask Phil

loco12

My password file is safe from typins. I use strong box for protection. Use CCBill and Epoch for processing.

I have emailed Ray Morris and hopefully he can take a look to see what the problem is and how it happened.

WarChild

Alright bud just trying to give you some simple advice. Good luck with finding the problem. Hopefully you know people more knowledgable than me.

__________________
.

jeffrey

Switch to Phantom Frog and you wouldnt have this problem.

__________________
Coming Soon!

loco12

Why is that? What does Phantom Frog do differently that Stronbox is lacking at?

jeffrey

www.phantomfrog.com
I dont get money from posting that, lol.
But I so use them.

With phantom frog even if all your passwords were shared everyone would get blocked so no one that shouldn't have access would get in. And with the automated password recovery the real member can easily get a new password sent to their email instantly so they can log on to your site.

This means you wouldn't have to change the password for 400 users, and they wouldn't have to wait more then a few seconds to finish beating off.

__________________
Coming Soon!

sumphatpimp

password stealing and server hacking is a lot easier then you think.
the bad guys run a script 24/7 spidering one ip after another getting whatever info it can about operating system, scripts or whatever the server has installed. Once the script has that information it goes through what exploits it knows exists for that operating system or scripts. then the attack happens and takes your passwords or whatever it can. all this usually from an exploited server, so they don't get caught. and the owners of the server don't even know it.

loco12

Just been reading up about Phantom Frog and it does look like it would solve the problem.

Will save on posting out new passwords to members as well.

jeffrey

thats one of the reasons I got it.
I love waking up in the morning and seeing that a member or 2 recovered their own password at some ungodly hour. Those members are now still happy they could beat off after getting back from the bar and will have that much more reason to rebill

__________________
Coming Soon!

loco12

The amount of blocked passwords from members and only a few email asking for a new password. Many are too embarressed to ask me and cancel, so again this seems a good idea.

jeffrey

Damn, never would have thought about people being too embarrassed to ask for a new pass and just cancel.
Just contact Bill, he is a great guy to deal with. And actually has a phone number that he answers which is nice.

I dont have your member base, but even with what I have the cost is worth not having to deal with the passwords all the time. Means I can skiing for the weekend and be fine with my blackberry.

__________________
Coming Soon!

mrwilson

Strongbox can be easily bruteforced using a proxy list and wordlist and many of the bruteforce tools available.

instead of usernames you could perhaps use emails?
or make the username and password longer with #'s and other characters.

Phantomfrog is also recommended...

L-Pink

Thanks for the tip.

zigx

u know, thats a great fucking point man. currently i only have strongbox myself and phantomfrog posted by jeffrey looks really interesting.

jeffrey, if i signup for this do you have ref code or is there any reward for you?

__________________
_,.:'`- Club JK . com --> 60% payouts
RSS, Hosteds, POTD, Your Mother, etc... CCBill

GPS

Hey dude..

Setup a on .htaccess

Error 401 http://to your full page ad

and kill all the passwords..

try it..

__________________
no sig!

jeffrey

No ref code.
but if you let Bill know Jeff from seannalust sent ya he would at least know its me

Melvin got me to use phantomfrog And I am glad I did. He switched from strongbox.

__________________
Coming Soon!

tony286

phantom frog looks interesting.

darling2

is it possible to configure strongbox to automatically reset password and send out new passwords to members?

HouseHead

eeeeeeeeeeeeeeeeeek

__________________

Robbie

Bill is the man! I was recommended by Clement from Deluxe Pass and once Bill installed Phantom Frog...all troubles were over with. It not only stops password trading, but also brute force attacks. Bill is a grouchy fucker, but nobody knows their shit better than him. I highly recommend it.

__________________
-Robbie
ClaudiaMarie.Com

directfiesta

That many passwords ....

I would install and run http://www.chkrootkit.org/

Someone has managed to drop a shellscript that gives him access to the root and all folders ....

No point in changing password software protection .

__________________
I know that Asspimple is stoopid ... As he says, it is a FACT !

But I can't figure out how he can breathe or type , at the same time ....

Lucky06

Lol, now you're going to hurt Bill's feelings if he reads this board Robbie. I switched to Phantom Frog in September of '06 and I have no intention of going anywhere else for my site security. I tried Pennywize, IPROT, Password Sentry and a few more, but in my humble opinion PhantomFrog kicks everybody's ass. If you're in doubt about how your current security system is performing, have Bill install the Frog Demo for you. You're going to freak when you see how many guys are sneaking in under your nose!

Since I got onboard with Phantom Frog, my password management workload has been cut down to nearly zip! Yeah, there's still a few dim bulbs who will still write you to get a new password, but not many. If you let your members know how to get help when they need it, most will just retrieve their own passwords and be on their way. Sweet!

Oh, and Bill is not the "grouchy fucker" he's made out to be. He's a fuckin' sweetheart! One thing I do have to agree with Robbie on is that he really DOES know his shit and support is top notch.

Robbie

LOL! Actually I messaged Bill and showed him this thread. He then showed me something brand new that he is unveiling on Jan. 2 I'll leave it to him to announce it to the world...but if you have a paysite and are wondering if there are any other ways to monetize your content...then you need to contact Bill.
Ironically, the thing he has just built is EXACTLY what I have been looking for over the last couple of months as I have been making deals to maximize the income from the Claudia-Marie.Com website to even greater heights (there never seems to be enough money for my drug and whore habits LOL)
I'm having Bill install this new product on my server as we speak. And one of the great things about it is the fact that he is so anal about security that I won't have to worry about anybody stealing from me.
Go over to phantomfrog.com and contact Bill if you are a paysite owner. I think you're going to like what he will show you with this new product.
Hell, I would post the URL to the new product...but I didn't ask him if it was okay yet. He's still working on putting up some screenshots of the admin so I won't reveal it to everybody yet. But again, if you are a paysite owner...just get over to phantomfrog.com and use his contact info and ask him about it. Tell him you read a post over here by Robbie about some super secret mystery software he is about to release.

__________________
-Robbie
ClaudiaMarie.Com

V_RocKs

Your first and biggest mistake...

Putting all of your paysites on the same server as your free sites.

V_RocKs

bukkakeblogger.com

This wordpress version is full of exploits...

Robbie

Who me? You're mistaken my friend. My tgp's are on their own dedicated server. My first and biggest mistakes were my first three wives. But as far as setting up my sites on servers...if you knew me, you'd know that I got that covered pretty well.
But I'm hip to what you're trying to say. Especially with all the easy hacks through blogs, forums, etc. I try to make sure my stuff is as safe as possible. Plus I couldn't possibly handle the loads on one server...I'm running about 15 terrabytes of bandwidth a month and I haven't even checked how many megs per second I'm pushing.
It's crazy. I'm just glad that bandwidth is cheap these days. Could you imagine those kinda numbers back 10 years ago? I remember when the cheapest bandwidth you could get was a buck fifty a gig. Now I pay 14 cents.

__________________
-Robbie
ClaudiaMarie.Com

V_RocKs

BTW.. No matter what you use for password management, it still has to conform to the AOL rule. (x) number of IP's over (y) number of minutes. So it won't magically kill passwords when they are shared individually like in a message board via PM's or in a chatroom.

One way to try and do this is to log the region from the IP... Then associate that region to the account. Would stop tons of this.

V_RocKs

No, I am talking to the thread starter who was asking how so many passwords could end up being posted.

Robbie

Oh, okay. I got worried and thought I was doing something wrong.

__________________
-Robbie
ClaudiaMarie.Com

Robbie

Frog will. First time the guy logs in it records his IP address. Then whenever it is used at any geo location that doesn't fit with his IP address it gets shut down. The original user has to get a new password. Then when he logs in with his ip address it is recorded again. Then if the forum or aol or whatever uses it BAM they are nailed again. It's what makes phantomfrog work when the others don't. And it's got a cool "virtual velocity" function that is pretty funny to watch. Like when a guy logs in from Australia and then from Russia two minutes later it calculates how fast in miles per hour a person would have to be traveling.

__________________
-Robbie
ClaudiaMarie.Com

TiaLing

I had similar probs.....installed pennywize which has seemed to stop password abuse but like everyone has pointed out....I seem to be having alot of passwords blocked, but no emails from members? I heard alot about other scripts....anyone have an opinion on Pennywize?

tia

__________________


Trade Traffic and hardlinks

V_RocKs

If everyone would implement this, we'd have about 40% more money to spread around.

aico

anyone telling you to change your password protection script has no clue what they are talking about. Warchild and some others were giving you the correct answers.

Robbie

I have a clue. And I think that securing your server is of course step ONE. That should be a given. Then if you want to really stop all password trading and brute force attacks after your server is nailed down...then yes, you would want to change over to the phantom frog software. As far as I know it is the only security software of it's type. Warchild is giving some very solid advise. But shutting the doors on your server isn't gonna help stop people trading passwords, or stop the hundreds that are already out there, or keep you from the hours of headaches and work that goes with dealing with all that customer support. There is a lot more to what this guy is facing than just server security. Though obviously that should be job number one.

__________________
-Robbie
ClaudiaMarie.Com

D

Using NATS?

__________________
-D.
ICQ: 202-96-31

Robbie

That's true. If he's using NATS his passwords are definitely compromised. Another good reason to have a system that blocks them and changes the passwords. And another good reason to listen to Warchild and aico and get the security of the site (including the IP restriction of NATS) up to snuff.
It sucks that there are so many thieves out there and honest hard working people have to watch their backs every second.

__________________
-Robbie
ClaudiaMarie.Com

Robbie

Hey D....I like your sites. I'm gonna sign up and promote them. I can definitely use some hot black girl stuff on my tgp's. Love those big asses.

__________________
-Robbie
ClaudiaMarie.Com

D

Cool, man. Sign up tonight, and I should push your account through tomorrow. Beyond that, it's pretty straightforward. Let me know if there's anything you need.

__________________
-D.
ICQ: 202-96-31

Robbie

Just finished signing up. That's some funny shit on the Shorty Mac site. A rap for every scene description....pure genius! I love it.

__________________
-Robbie
ClaudiaMarie.Com

aico

I say again, Phantom Frog and Strongbox DO NOT protect your .htpasswd file. All of your 400 passwords are on that site because someone got access to your .htpasswd file, while PF and SB will protect your members area from people using those passwords, they will not, and DID NOT, protect your .htpasswd file, someone hacked your server and is still probably doing so.

loco12

Agree that the server must have been exploited by a script. I have contacted tech support and asked them to run a diagnostic on it. Changing all my passwords as well as an added precaution. And also dumping wordpress. The less scripts the better.

V_RocKs

I addressed the fact that his server was hacked.

PF is for after this happens... IT DOES HELP!