hacking - GoFuckYourself.com

smileygirls · 12-09-2002, 08:26 AM

Anyone know how to prevent hacking of htaccess?
We use pennywize, but many ppl I have talked to say, this is not enough. Any ideas?

JamesK · 12-09-2002, 08:35 AM

MarcoTC · 12-09-2002, 08:39 AM

Most 'hackers' use stolen creditcards # and sign up via an AOL account using an address of the CC's country of origin. If they had enough of it, they post the username/pw on a password site.

People then think their site is hacked while it's not.

If you use Apache 1.23.26 (or higher) and your Linix box doesn't contain all kind of shit that have open ports (webmin etc.) and the box is normally closed with IPChains, you're pretty much done.

Pennywize should then take care of brute force password tries and multiple users logging in from different IP's with the same username and password.

smileygirls · 12-09-2002, 10:06 AM

Thanks. We dont have any bandwidth spurts or even problems really regarding password trading, since penny does take care of that, but I have a few members bitch and moan about how they are not trading their passes and blah blah blah.. and that the htaccess has been hacked and that their pass was just stolen...

We dont keep that info on our sites or servers, so IF these members are telling the truth, which I highly doubt, then hackers are able to find a pass here and there, that works, before penny blocks from brute force and it just happens to be one of those complaining ho's passes.

I guess I just to confirm if htaccess is replaceable with a better means of protection against this or what should I tell these guys, IF they are honest?

Should I just change their userpass once and slap em on the wrist and if it happens again, they're fucked? That is what I do now. Only if they write, which is rare. Maybe 1 a month or max 2.

JayJay · 12-09-2002, 12:20 PM

Quote:

Originally posted by MarcoTC
Most 'hackers' use stolen creditcards # and sign up via an AOL account using an address of the CC's country of origin. If they had enough of it, they post the username/pw on a password site.

People then think their site is hacked while it's not.

If you use Apache 1.23.26 (or higher) and your Linix box doesn't contain all kind of shit that have open ports (webmin etc.) and the box is normally closed with IPChains, you're pretty much done.

Pennywize should then take care of brute force password tries and multiple users logging in from different IP's with the same username and password.

your wrong dick wad
If they used a stolen CC then there not a hacker

Simon-interaid · 12-09-2002, 01:09 PM

Smiley,

Make sure your .htaccess file and .htpasswd are not in the same directory.

And the directory you put your .htpasswd in or whatever the password database is called, is not in a web viewable directory.

Put it above the public_html or whatever your home directory is.
so if you have this:

/home/smiley/public_html ---> which shows the content of smiley.com lets say...

and your protecting /home/smiley/public_html/members

and you have .htaccess in the /home/smiley/public_html/members

make sure you put your .htpasswd somewhere like this
/home/smiley/db/.htpasswd

or a directory like that which you can't access through the browser by typing in a url.

and than have your .htaccess point to /home/smiley/db/.htpasswd
for its password database.

Hope this helps.

MarcoTC · 12-09-2002, 03:39 PM

Quote:

Originally posted by JayJay

your wrong dick wad
If they used a stolen CC then there not a hacker

read moron.

12-09-2002, 08:26 AM	#1
smileygirls Confirmed User Join Date: Aug 2002 Location: Ask Stormy... :) Posts: 182	hacking Anyone know how to prevent hacking of htaccess? We use pennywize, but many ppl I have talked to say, this is not enough. Any ideas? __________________ <a href="http://www.stormyfriday.com" target="_blank"><img src="http://www.panchodog.com/graphics/stobutton.gif"></a>

12-09-2002, 08:35 AM	#2
JamesK hi Industry Role: Join Date: Jun 2002 Posts: 16,731	lol __________________ M3Server - NATS Hosting

12-09-2002, 10:06 AM	#4
smileygirls Confirmed User Join Date: Aug 2002 Location: Ask Stormy... :) Posts: 182	Thanks. We dont have any bandwidth spurts or even problems really regarding password trading, since penny does take care of that, but I have a few members bitch and moan about how they are not trading their passes and blah blah blah.. and that the htaccess has been hacked and that their pass was just stolen... We dont keep that info on our sites or servers, so IF these members are telling the truth, which I highly doubt, then hackers are able to find a pass here and there, that works, before penny blocks from brute force and it just happens to be one of those complaining ho's passes. I guess I just to confirm if htaccess is replaceable with a better means of protection against this or what should I tell these guys, IF they are honest? Should I just change their userpass once and slap em on the wrist and if it happens again, they're fucked? That is what I do now. Only if they write, which is rare. Maybe 1 a month or max 2. __________________ <a href="http://www.stormyfriday.com" target="_blank"><img src="http://www.panchodog.com/graphics/stobutton.gif"></a>

12-09-2002, 01:09 PM	#6
Simon-interaid Confirmed User Join Date: Sep 2002 Location: Vancouver Posts: 814	Smiley, Make sure your .htaccess file and .htpasswd are not in the same directory. And the directory you put your .htpasswd in or whatever the password database is called, is not in a web viewable directory. Put it above the public_html or whatever your home directory is. so if you have this: /home/smiley/public_html ---> which shows the content of smiley.com lets say... and your protecting /home/smiley/public_html/members and you have .htaccess in the /home/smiley/public_html/members make sure you put your .htpasswd somewhere like this /home/smiley/db/.htpasswd or a directory like that which you can't access through the browser by typing in a url. and than have your .htaccess point to /home/smiley/db/.htpasswd for its password database. Hope this helps. __________________ we buy domains with typin traffic. icq me 8566256

12-09-2002, 08:39 AM	#3
MarcoTC Confirmed User Join Date: Oct 2002 Location: Behind you Posts: 108	Most 'hackers' use stolen creditcards # and sign up via an AOL account using an address of the CC's country of origin. If they had enough of it, they post the username/pw on a password site. People then think their site is hacked while it's not. If you use Apache 1.23.26 (or higher) and your Linix box doesn't contain all kind of shit that have open ports (webmin etc.) and the box is normally closed with IPChains, you're pretty much done. Pennywize should then take care of brute force password tries and multiple users logging in from different IP's with the same username and password.