How can a password site post 400 of my passwords?
Fuck knows how this has happened, as I have Strongbox installed and it's working fine. But 400 of my passwords were posted on a password site.
I have noticed Strongbox has been knocking out more members daily in the last month. So how do these thieves get access to the password files? Checked server stats and only me that's been logged on. Thoughts?
What's your site?
What's the forum URL :)
If your stats show only you have been logging in, maybe whoever did this got your ID and password. Might want to change your password.
MAGIC!1
What's your site, what's the forum, how many members you have, where do you host....
But only my IP shows up. If someone else was using my login their IP would be different to mine..
Quote:
If you have any scripts running, they may be vulnerable through a variety of measures. Basically, someone could take control of your server by having the script(s) run commands. To you it would appear nobody "logged in" to your server. Your password file may even be web accessible. That is, can someone just type in yoursite.com/passwords.txt (or whatever) and retrieve the password file? I'm no security expert, especially in regards to web servers, so you'll probably want to get some help from somebody that is. Do you know any good admins that could do a quick once over on your site? You could get some more information by letting us know exactly what you're running script and members protection wise. Maybe someone can point out a vulnerable script from its name.
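The two checks the quoted reply suggests (is the password file reachable under the web document root, and is it readable by anyone on the box) are easy to script. This is an added example, not code from anyone in this thread or from any of the products named; the directory layout, file names and hash placeholders in demo() are constructed, and the docroot path is whatever you pass in.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_under_docroot(path, docroot):
    """True if `path` resolves to a location inside `docroot`.
    A file under the docroot can usually be fetched as a plain URL."""
    p = Path(path).resolve()
    d = Path(docroot).resolve()
    return d == p or d in p.parents


def world_readable(path):
    """True if the 'other' read bit is set (any local user/script can read it)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def audit_password_file(path, docroot):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if is_under_docroot(path, docroot):
        findings.append("password file lives under the web document root")
    if world_readable(path):
        findings.append("password file is world-readable")
    return findings


def demo():
    """Constructed layout: one exposed file inside htdocs/ with mode 644,
    one file outside htdocs/ with mode 640. Returns both audit results."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "htdocs"
        docroot.mkdir()
        exposed = docroot / "passwords.txt"
        exposed.write_text("member1:$apr1$PLACEHOLDER\n")   # constructed entry
        os.chmod(exposed, 0o644)

        safe = Path(tmp) / "private" / ".htpasswd"
        safe.parent.mkdir()
        safe.write_text("member1:$apr1$PLACEHOLDER\n")      # constructed entry
        os.chmod(safe, 0o640)

        return audit_password_file(exposed, docroot), audit_password_file(safe, docroot)


if __name__ == "__main__":
    bad, good = demo()
    print("exposed:", bad)
    print("safe:", good)
```

Run it against your real paths (`audit_password_file("/path/to/.htpasswd", "/var/www/htdocs")`); the resolve() step matters because a symlink inside the docroot pointing at a file outside it is still web-reachable.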
Don't give the URL name or minusonebit will have it posted on his blog.
My password file is safe from type-ins. I use Strongbox for protection. Use CCBill and Epoch for processing.
I have emailed Ray Morris and hopefully he can take a look to see what the problem is and how it happened.
Switch to Phantom Frog and you wouldn't have this problem.
www.phantomfrog.com
I don't get money from posting that, lol. But I do use them. With Phantom Frog, even if all your passwords were shared everyone would get blocked, so no one that shouldn't have access would get in. And with the automated password recovery the real member can easily get a new password sent to their email instantly so they can log on to your site. This means you wouldn't have to change the password for 400 users, and they wouldn't have to wait more than a few seconds to finish beating off.
Password stealing and server hacking is a lot easier than you think.
The bad guys run a script 24/7 spidering one IP after another, getting whatever info it can about the operating system, scripts or whatever the server has installed. Once the script has that information it goes through what exploits it knows exist for that operating system or scripts. Then the attack happens and takes your passwords or whatever it can. All this is usually from an exploited server, so they don't get caught, and the owners of the server don't even know it.
Just been reading up about Phantom Frog and it does look like it would solve the problem.
Will save on posting out new passwords to members as well.
Quote:
I love waking up in the morning and seeing that a member or 2 recovered their own password at some ungodly hour. Those members are now still happy they could beat off after getting back from the bar and will have that much more reason to rebill :)
The number of blocked passwords from members, and only a few emails asking for a new password. Many are too embarrassed to ask me and cancel, so again this seems a good idea.
Quote:
Just contact Bill, he is a great guy to deal with. And actually has a phone number that he answers, which is nice. I don't have your member base, but even with what I have the cost is worth not having to deal with the passwords all the time. Means I can go skiing for the weekend and be fine with my BlackBerry.
Strongbox can be easily brute-forced using a proxy list and wordlist and many of the brute-force tools available.
Instead of usernames you could perhaps use emails? Or make the username and password longer with #'s and other characters. Phantomfrog is also recommended...
Quote:
jeffrey, if i signup for this do you have ref code or is there any reward for you?
Hey dude..
Set up a .htaccess Error 401 redirect to your full page ad and kill all the passwords.. try it..
Quote:
But if you let Bill know Jeff from seannalust sent ya, he would at least know it's me :) Melvin got me to use Phantomfrog :) And I am glad I did. He switched from Strongbox.
Phantom Frog looks interesting.
Is it possible to configure Strongbox to automatically reset passwords and send out new passwords to members?
That many passwords ....
I would install and run http://www.chkrootkit.org/ Someone has managed to drop a shell script that gives him access to the root and all folders .... No point in changing password software protection.
Who's a grouchy fucker?
Lol, now you're going to hurt Bill's feelings if he reads this board Robbie. I switched to Phantom Frog in September of '06 and I have no intention of going anywhere else for my site security. I tried Pennywize, IPROT, Password Sentry and a few more, but in my humble opinion PhantomFrog kicks everybody's ass. If you're in doubt about how your current security system is performing, have Bill install the Frog Demo for you. You're going to freak when you see how many guys are sneaking in under your nose!
Since I got onboard with Phantom Frog, my password management workload has been cut down to nearly zip! Yeah, there's still a few dim bulbs who will still write you to get a new password, but not many. If you let your members know how to get help when they need it, most will just retrieve their own passwords and be on their way. Sweet! Oh, and Bill is not the "grouchy fucker" he's made out to be. He's a fuckin' sweetheart! One thing I do have to agree with Robbie on is that he really DOES know his shit and support is top notch.
LOL! Actually I messaged Bill and showed him this thread. :) He then showed me something brand new that he is unveiling on Jan. 2 I'll leave it to him to announce it to the world...but if you have a paysite and are wondering if there are any other ways to monetize your content...then you need to contact Bill.
Ironically, the thing he has just built is EXACTLY what I have been looking for over the last couple of months as I have been making deals to maximize the income from the Claudia-Marie.Com website to even greater heights (there never seems to be enough money for my drug and whore habits LOL). I'm having Bill install this new product on my server as we speak. And one of the great things about it is the fact that he is so anal about security that I won't have to worry about anybody stealing from me. Go over to phantomfrog.com and contact Bill if you are a paysite owner. I think you're going to like what he will show you with this new product. Hell, I would post the URL to the new product...but I didn't ask him if it was okay yet. He's still working on putting up some screenshots of the admin so I won't reveal it to everybody yet. But again, if you are a paysite owner...just get over to phantomfrog.com and use his contact info and ask him about it. Tell him you read a post over here by Robbie about some super secret mystery software he is about to release. :)
Your first and biggest mistake...
Putting all of your paysites on the same server as your free sites.
bukkakeblogger.com
This WordPress version is full of exploits...
Quote:
But I'm hip to what you're trying to say. Especially with all the easy hacks through blogs, forums, etc. I try to make sure my stuff is as safe as possible. Plus I couldn't possibly handle the loads on one server...I'm running about 15 terabytes of bandwidth a month and I haven't even checked how many megs per second I'm pushing. It's crazy. I'm just glad that bandwidth is cheap these days. Could you imagine those kinda numbers back 10 years ago? I remember when the cheapest bandwidth you could get was a buck fifty a gig. Now I pay 14 cents. :)
BTW.. No matter what you use for password management, it still has to conform to the AOL rule: (x) number of IPs over (y) number of minutes. So it won't magically kill passwords when they are shared individually like in a message board via PMs or in a chatroom.
One way to try and do this is to log the region from the IP... Then associate that region to the account. Would stop tons of this.
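The "(x) IPs over (y) minutes" rule and the region-per-account idea from the post above, written out as a small detector over access-log lines. This is an added example, not code from the thread or from any of the products it names; the log lines, the IP-to-region table standing in for a GeoIP lookup, and the thresholds (3 IPs in 10 minutes) are all constructed. It also shows the limitation the post points out: bob's two logins half an hour apart never trip the IP-count rule, and only the region check notices the second one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP -> region table standing in for a GeoIP database.
IP_REGION = {
    "198.51.100.7": "us-west",
    "198.51.100.9": "us-west",
    "203.0.113.4": "eu-central",
    "203.0.113.88": "eu-central",
    "192.0.2.200": "ap-south",
    "192.0.2.201": "ap-south",
}

# Constructed access-log lines: "<ISO timestamp> <username> <client ip>"
SAMPLE_LOG = """\
2007-01-02T23:00:10 alice 198.51.100.7
2007-01-02T23:01:00 alice 198.51.100.9
2007-01-02T23:02:30 bob 203.0.113.4
2007-01-02T23:03:00 alice 192.0.2.200
2007-01-02T23:04:00 alice 203.0.113.88
2007-01-02T23:05:00 alice 192.0.2.201
2007-01-02T23:40:00 bob 203.0.113.4
2007-01-02T23:41:00 bob 198.51.100.7
"""


def parse_log(text):
    """Parse lines into (timestamp, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    events.sort(key=lambda e: e[0])
    return events


def shared_accounts(events, max_ips=3, window=timedelta(minutes=10)):
    """The (x) IPs over (y) minutes rule as a per-user sliding window.
    Returns {user: set_of_ips_seen} for every account that was used from
    more than `max_ips` distinct addresses inside any `window`."""
    flagged = {}
    recent = defaultdict(list)  # user -> [(ts, ip), ...] inside the window
    for ts, user, ip in events:
        hist = recent[user]
        hist.append((ts, ip))
        # Expire entries older than the window (events are time-ordered).
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        ips = {h[1] for h in hist}
        if len(ips) > max_ips:
            flagged.setdefault(user, set()).update(ips)
    return flagged


def region_mismatches(events, region_of=IP_REGION):
    """Associate each account with the region of its first login and
    return (user, ip, region) for every later login from elsewhere."""
    home = {}
    out = []
    for _ts, user, ip in events:
        region = region_of.get(ip, "unknown")
        if user not in home:
            home[user] = region
        elif region != home[user]:
            out.append((user, ip, region))
    return out


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("shared by IP count:", shared_accounts(ev))
    print("region mismatches:", region_mismatches(ev))
```

A real deployment would key the home region off the signup or first billing IP rather than the first log line, and would treat "unknown" regions (proxies, unmapped ranges) as a separate case rather than a mismatch; the structure of the two checks stays the same.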
Oh, okay. :) I got worried and thought I was doing something wrong.
Pennywise
I had similar probs.....installed Pennywize which has seemed to stop password abuse, but like everyone has pointed out....I seem to be having a lot of passwords blocked, but no emails from members? I heard a lot about other scripts....anyone have an opinion on Pennywize?
tia