How can these hackers insert passes to my passwd file. - GoFuckYourself.com

alibaba · 10-31-2002, 10:39 AM

I checked all myservers, referer checked all processor scripts, but some still can insert 'cucumber', 'natasha', etc... passwords to my sites. I use a Sun box

Anybody knows how they do it?

chupacabra · 10-31-2002, 11:19 AM

alibaba, if you are using a third-party processor like iBill, ccBill, etc., they most likely are not adding the password pairs through any security hole in your server, much more likely that they are being added through a weakness or exploit in the scripts of your processor... we use ccBill, and occasionally will see 'rogue' password pairs appear out of nowhere like this... if using ccBill, check the ccBill logs in your /secure directory, you will see that the password pairs in question were in fact added by the processors script somehow, and will usually even have a subscription ID number associated w/ them that is bogus... i've spoken to ccBill at length about this issue in the past, and some of the higher tech's there have acknowledged that the system has been compromised on occasion, and it is to be expected w/ such a far-flung processor... many undesirables are probably plugging away at this very moment looking for a hole. they always get them plugged quickly it seems, and i just delete the errant password pairs when they arrive. a real point of interest to me is that most of the pairs that appear unexpectedly never show any usage in my pw sentry logs, which has always baffled me... happy halloween all you freaks..!

alibaba · 10-31-2002, 01:15 PM

Quote:

Originally posted by chupacabra
alibaba, if you are using a third-party processor like iBill, ccBill, etc., they most likely are not adding the password pairs through any security hole in your server, much more likely that they are being added through a weakness or exploit in the scripts of your processor... we use ccBill, and occasionally will see 'rogue' password pairs appear out of nowhere like this... if using ccBill, check the ccBill logs in your /secure directory, you will see that the password pairs in question were in fact added by the processors script somehow, and will usually even have a subscription ID number associated w/ them that is bogus... i've spoken to ccBill at length about this issue in the past, and some of the higher tech's there have acknowledged that the system has been compromised on occasion, and it is to be expected w/ such a far-flung processor... many undesirables are probably plugging away at this very moment looking for a hole. they always get them plugged quickly it seems, and i just delete the errant password pairs when they arrive. a real point of interest to me is that most of the pairs that appear unexpectedly never show any usage in my pw sentry logs, which has always baffled me... happy halloween all you freaks..!

Actually I'm not using CCBill on my sites. I use IBill, Epoch and MSBill. I'm checking the referer if it's refered by the processors server in the script. So technically there is no way to do that. But somehow some freaks find away. My password sentry deletes these password when they are shared. But generally they don't share this, porbably using for their own. In any way I see a hit in a day in my stats. Not an actual usage, just a hit to members area. This makes me think that a robot checks the password in case it's still valid. This really looks pro, not a lame work they do.

The Other Steve · 10-31-2002, 02:24 PM

Chupacabra - we've had the same problem and while they may not show up in your sentry logs ours do show up in our server stats for the pay site.

I don't want to join the 'let's bash the Russians' group but the usernames that these people use is often similar to what I've seen from people from that area of the world.

I have also noticed that when they install one they will often add a second that goes totally unused. I guess they're putting that one in just in case we spot the first one. Fortunately our pay site is small enough that we can usually spot odd usernames.

BV · 10-31-2002, 05:04 PM

Quote:

Originally posted by alibaba
'natasha'

I think we have had that one shared as well. I've seen it on password sites too. My reasoning was that it is a common username, thus Bruit forced on many sites. BUT if you say it is one that was added to you htpass file, things that make you go hmmm.

Shark · 10-31-2002, 05:58 PM

Most of the password sites try and get their users to use a common public proxy to keep the compromised access open as long as possible, some sites even provide an anonymous proxy url field box on the password site for ease of use.

This may be why your not picking them up as being shared usernames.

I have noticed in my server stats in the last week that I received hundreds of hits consecutively from a bot or something that was looking for my ibill script by looking for the default script name and then variations of the name and common directory names that people may place their ibill script in.

It was also probing for other script names that look like they would belong to other well known authentication scripts.

I'm not sure if someone has found a way to create username sets via the ibill script on our servers but they were definitely looking for it for some reson.

I am going to be changing the names of my scripts to longer, harder to find names just incase.

10-31-2002, 10:39 AM	#1
alibaba Registered User Join Date: Oct 2002 Location: Not too far Posts: 89	How can these hackers insert passes to my passwd file. I checked all myservers, referer checked all processor scripts, but some still can insert 'cucumber', 'natasha', etc... passwords to my sites. I use a Sun box Anybody knows how they do it?

10-31-2002, 02:24 PM	#4
The Other Steve Confirmed User Join Date: Dec 2001 Location: Sunny Queensland - perfect one day and better the next. Posts: 2,106	Chupacabra - we've had the same problem and while they may not show up in your sentry logs ours do show up in our server stats for the pay site. I don't want to join the 'let's bash the Russians' group but the usernames that these people use is often similar to what I've seen from people from that area of the world. I have also noticed that when they install one they will often add a second that goes totally unused. I guess they're putting that one in just in case we spot the first one. Fortunately our pay site is small enough that we can usually spot odd usernames. __________________ Left intentionally blank ... just like my brain

10-31-2002, 11:19 AM	#2
chupacabra Confirmed User Join Date: Sep 2002 Posts: 3,626	alibaba, if you are using a third-party processor like iBill, ccBill, etc., they most likely are not adding the password pairs through any security hole in your server, much more likely that they are being added through a weakness or exploit in the scripts of your processor... we use ccBill, and occasionally will see 'rogue' password pairs appear out of nowhere like this... if using ccBill, check the ccBill logs in your /secure directory, you will see that the password pairs in question were in fact added by the processors script somehow, and will usually even have a subscription ID number associated w/ them that is bogus... i've spoken to ccBill at length about this issue in the past, and some of the higher tech's there have acknowledged that the system has been compromised on occasion, and it is to be expected w/ such a far-flung processor... many undesirables are probably plugging away at this very moment looking for a hole. they always get them plugged quickly it seems, and i just delete the errant password pairs when they arrive. a real point of interest to me is that most of the pairs that appear unexpectedly never show any usage in my pw sentry logs, which has always baffled me... happy halloween all you freaks..!

10-31-2002, 05:58 PM	#6
Shark Confirmed User Industry Role: Join Date: Feb 2002 Posts: 205	Most of the password sites try and get their users to use a common public proxy to keep the compromised access open as long as possible, some sites even provide an anonymous proxy url field box on the password site for ease of use. This may be why your not picking them up as being shared usernames. I have noticed in my server stats in the last week that I received hundreds of hits consecutively from a bot or something that was looking for my ibill script by looking for the default script name and then variations of the name and common directory names that people may place their ibill script in. It was also probing for other script names that look like they would belong to other well known authentication scripts. I'm not sure if someone has found a way to create username sets via the ibill script on our servers but they were definitely looking for it for some reson. I am going to be changing the names of my scripts to longer, harder to find names just incase.