GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   ccBill-local.cgi compromised? Rogue users added..??? (https://gfy.com/showthread.php?t=103115)

chupacabra 01-28-2003 11:15 AM

ccBill-local.cgi compromised? Rogue users added..???
 
ok all... as much as i like ccBill, i am having an issue w/ their script that they do not seem able to help w/ so far. for the last two weeks, i am having to watch my .htpasswd like a hawk because someone is going through their script and adding password-pairs w/ impunity somehow... they are obviously calling to the script directly in some fashion and it is adding their password-pairs, bypassing any of my server's security in the process. when i check the ccbill.log file, i see that even ccBill's system *knows* that the password-pairs in question are invalid, as the log file will display lines such as:

Hacker registered to XXX.XXX.XXX.XXX <-- some ip address
ADD=hacker:9dS/4.gS6x

(note that there is no subscription ID number, and no start or end date associated w/ these entries!)

now, this is what is pissing me off... their system/script obviously is aware that the call to add-user is coming from somewhere other than the approved subnet/ip-range of ccBill, hence the note that the user is being added by a "hacker"... so why does the bogus user get added at all? why not just *not* give them access??? i have to pay for this bandwidth, so i certainly don't want to let hackers in for free..! :feels-hot

i have spoken w/ install over at ccBill numerous times about this lately, and they could not explain to me why their system is allowing these users to be added... they did have me update my version of the ccbill-local.cgi file, and they checked my server to make sure that it was all set up properly, it is. again, this is not a security issue w/ our server (which is running current/patched freeBSD and apache), the ccBill script is being called to directly, resulting in the rogue users being granted access.

any other ccBill users experience this problem, and if so, do you know of any solution that will help in some way? i realize that i can rename the script to something unique, but that is not a real solution, as it will be easy for any would-be hacker to locate the new script name and continue to add their password-pairs. any advice or insight about this issue would be greatly appreciated, i am tired of watching all of our .htpasswd files night and day!

lastly, i must stress and make clear, we still feel ccBill is easily the best of the third-party processor options, and wouldn't even consider moving to another processor... ccBill has *never* been late w/ a payment to us, and as of last week, finished refunding the $750 VISA registration fee to us in total. they are tops in our book, this is our only gripe... and we're hoping that there is a fix or resolution to it. thx all..!

Petr 01-28-2003 11:30 AM

http://ksoze.deny.de/ccbill_exp.html

?

ZoiNk 01-28-2003 11:32 AM

I assumed it was common knowledge that anyone can add userid/passwords if you used CCbill. Been happening for ages, and is very common.
ZoiNk

chupacabra 01-28-2003 11:35 AM

whoa. this is just plain frightening. we always keep an eye on our .htpasswd files, and since we only started seeing this a short while back, we assumed this was a new issue/exploit. can anyone knowledgeable about these matters, or anyone at ccBill chime in and clarify this? truly disturbing..!

Naughty 01-28-2003 11:38 AM

Quote:

Originally posted by Petr
http://ksoze.deny.de/ccbill_exp.html

?

"CCBill-Local.cgi Exploiter v0.21 (8 Mar 2000)"

Wow, this stuff is still working???

Petr 01-28-2003 11:40 AM

I dunno... I just found it on Google...

NitroPhil 01-28-2003 11:40 AM

chupacabra,

Just a thought but your admin pass (for the ccbill-local script) or your private key file may have been compromised/guessed. If someone (aka "hacker") has the password or private key, usernames can be added all day. Your best bet is to ensure that the "secure" directory is indeed secure and change both the admin pass and the private key. CCBill may have to change your private key for you.

-Phil

chupacabra 01-28-2003 11:54 AM

Quote:

change both the admin pass and the private key.
thx Nitrophil... when you refer to the 'admin pass', are you speaking of the pass that we use to log into ccBill's web admin, or something else? that is the only password we have in reference to any ccBill service..

NitroPhil 01-28-2003 12:11 PM

Quote:

Originally posted by chupacabra

when you refer to the 'admin pass', are you speaking of the pass that we use to log into ccBill's web admin, or something else?

Some of the ccbill-local scripts have an "admin password" associated with them. This is separate from your pass to login to their admin section and it may not even exist. If it does exist, it's possible to insert users if someone knows what it is. Same goes for your private key. I'm sure CCBill can help you change this info. Drop me a line if you have questions.


-Phil
ICQ: 1108 2919

Que? 01-28-2003 12:27 PM

I've asked them (ccbill) repeatedly why all my password issues are with ccbill, which is my backup processor.

But they know naaathing....

Do not think my admin login is compromised.
Non-valid logins and hacked valid ones. Mainly embarrassing towards the non pass trading members, and a general pain as it takes time to clear up.

Mark 01-28-2003 12:58 PM

Make sure you have lots of upsells in your members area and enjoy the extra traffic... :thumbsup

shunga 01-28-2003 01:01 PM

That does seem to be quite a common problem. It doesn't help that it's now not possible to overwrite those passes through webmaster admin. I had the scripts updated but that doesn't seem to have fixed it for me. I was told that moving the password files above the HTML level should fix it, but others will know more about that.

chupacabra 01-28-2003 01:05 PM

Quote:

I was told that moving the password files above the HTML level should fix it
the same thing crossed my mind, but i can't see what difference that would make... i mean, if the script itself is writing the password-pairs into the .htpasswd, then it won't matter where you move it to, the script will still know where it is regardless. this isn't a vulnerability of the .htpasswd file, it is the script itself allowing these pairs to be written in..

Mr Cheeks 01-28-2003 01:13 PM

i brought this up before and i am fucking glad that someone else is pointing it out.

it first started when Pennywize would disable accounts for password sharing violation. but every fucking time i went to the admin section of the CCBILL website to remove the compromised username/password in question, it would say "Account Not Found". CCBILL has record of all accounts on your website. they either tell you if the account is active or not active, but not "Not Found" for god sake.

i knew that i did not add those fucken user/pass pairs there and i know that CCBILL knows better than to give out freebies to my sites.

how the fuck are they doing this? that's the thing i am the most curious to know about. watch your password files if you're using CCBILL. somebody is definitely playing foul.

chupacabra 01-28-2003 01:30 PM

Quote:

somebody is definitely playing foul.
alchemist, i definitely share your ire on this issue, i really don't think for a second that ccBill is giving out accounts to our sites on purpose, but i don't understand why it has not been addressed and corrected, this seems a major security breach to me and should definitely be a priority to their techs... i have spoken w/ them many times about it and they are totally noncommittal about any resolution forthcoming. like i said before, i really like ccBill as a processor, but this should really be addressed... i was really hoping someone from ccBill would comment on this issue here..!

goBigtime 01-28-2003 01:36 PM

I remember awhile back CCbill's network was compromised... there are probably people running around with the ccbill client keys for tons of clients.

I don't know why CCbill has not generated and reissued keys to everyone yet :(

goBigtime 01-28-2003 01:44 PM

Quote:

Originally posted by chupacabra


like i said before, i really like ccBill as a processor, but this should really be addressed... i was really hoping someone from ccBill would comment on this issue here..!


Totally. It's their job to process our transactions, keep our members areas secure from non-customers, and pay us on time.

I'm not sure if they haven't reissued keys because they don't want the headache of having to reinstall the keys on thousands of machines, that they don't want to admit to the compromises within their network, or maybe they just don't care =(

:waaaaahh :waaaaah Corvette!!!

But hey, what's the deal with this though Corvette? Why won't you guys issue new keys to everyone? Obviously your servers have been compromised & hackers have the keys, or your scripts are weak or something. Everyone I know who uses CCbill has the same problem of rogue accounts being created.

Got an official GFY word on the situation? Maybe we the few of GFY can get this patched up for all of your other paying customers :)

EDIT: Btw, when I was testing this, I was no longer processing new sales with CCbill. The script was still active, but there weren't any sales pages pointing to it. I also separated the .htpasswd files using multmod_auth so I could still have my old CCbill htpasswd file and also start with a fresh one that would have access to the members areas (even though it shouldn't need access since it shouldn't have had any more users added)... but sure enough, it would get about 3-5 "hacker" sounding names added every day.

To me this is a leaked key. And since it happens to everyone I know with CCbill, I assume that everyone has their keys leaked. Really surprised this hasn't been addressed officially.

corvette 01-28-2003 01:50 PM

chupacabra,

There is a new CCBill .cgi script that is close to being released. Without going into too much detail, it is supposed to be the "latest and greatest". It addresses issues that have been brought up in the past and it is very feature-rich, working in correlation with our new reporting system. We have had excellent results with our beta testing.

Contact me and I will see what it would take to get you to start using it. chupacabra, you have my icq.

Anybody else, feel free to email me at [email protected]

goBigtime 01-28-2003 01:55 PM

Quote:

Originally posted by corvett


Anybody else, feel free to email me at [email protected]

Mark,

But it's a waste of your clients' bandwidth to keep them EXPLOITABLE like this. Why don't you (Not you, CCbill) contact them? I assure you it's happening to damn near everyone & your tech guys know all about it.

Why don't you guys make it a priority to let people know that version X.XX is vulnerable or keys need to be reissued or whatever & get clients to update?

Ugh I hate security holes.

CCbill is almost starting to shine through as the processor of choice these days... take the reins & start addressing all these problems and concerns of the clients and you guys will be golden :)

Ah I didn't notice that you said the new ccbill script was close to being released... I guess you guys will issue new keys at that time :thumbsup

realed 01-28-2003 02:01 PM

I use CCBILL and they are a very good company. Always pay on time and technical support is excellent but if this is true then we need an official response to these claims.

I must admit that I have some reservations with regards to the security and reliability of their cgi scripts.... that ccbill-local file tends to corrupt quite frequently on my paysite domains and on one of my sub accounts in particular we are constantly experiencing user-add problems... ( new username/password combos not being added successfully to password file )

CCBILL blame it on "network issues" but that is not really an adequate answer for me. If this problem was affecting their payment scripts I'm sure the network issues would be resolved soon enough :-)

Other than that they are on top of the game!

Terry
www.voyeurzine.com

Rip 01-28-2003 02:06 PM

I think, possibly, I have had a few of these also. However, is it possible to simply change the htaccess to alleviate this?

I.e.:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://([^/]+\.)?ccbill\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.yourpaysite\.com/ [NC]
RewriteRule ^ccbill-local\.cgi$ - [F]

I am not sure, how to do it -so I am asking??

I think that I have had some experience with this problem, and some also with the bogus check transactions, where the user would apply with a false check, get a user/pass prior to the transaction being completed and gain access for a number of minutes before the script deleted the invalid user/password again

another would be to rename the ccbill folder to something a little more difficult?

corvette 01-28-2003 02:23 PM

Quote:

Originally posted by goBigtime

I didn't notice that you said the new ccbill script was close to being released
Very close, in fact, we are working on several large projects simultaneously that are going to be released soon: the cgi script, the new CCBill Reports, the CCBill dialer and subsequent "900" option, the planning of The Phoenix Forum in early April, etc.

Once released, I am sure that everyone is going to be very pleased. The beta testing went very well with it. Until the official release, send me an email with your account # and I will see what I can do...

Email address is above

jeroman 02-06-2003 03:24 AM

I'm so happy it was not only me :-))))))))))))
Now I know what happened.

AGREE - CCBILL Should have let everyone know about this.
Another minus to them for this.

Now let's see where I have the notes about minus and pluses for
processors....

mistressofnite 02-07-2003 04:23 PM

Looks like someone got into my ccbill .htpasswd too - you can edit these files in notepad and reupload incidentally.

My paysite is not active at the moment but here are the weird log entries - odd how there's no IP address associated with 2 of the entries:


chmod: /usr/home/sites/sitename/html/ccbill/secure/current.log: Operation not permitted
[Thu Feb 6 16:21:17 2003] [error] [client 64.38.194.13] File does not exist: /usr/home/sites/sitename/html/cgi-bin
chmod: /usr/home/sites/sitename/html/ccbill/secure/current.log: Operation not permitted


That one IP is CCbill, so does this mean CCbill admin did this or no?

Rochard 02-07-2003 05:07 PM

We used to notice similar problems along these lines. However, thanks to Phil, we are covered.

chupacabra 02-07-2003 05:11 PM

Quote:

That one IP is CCbill, so does this mean CCbill admin did this or no?
i could be wrong, but that looks more like your log file is not CHMOD'd to the right value (maybe because the site is not active?), and ccBill's script tried to write to it and failed..? just a thought..

corvette 02-07-2003 05:13 PM

Mistressofnite,
The log files that you posted simply mean that the ccbill local is running under an access level that is not permitted to make the requested changes to the current.log. This is a normal error that can be easily corrected if you contact CCBill technical support so that we can correct the permissions on your server.

let me know if you need any help with this

[email protected]

CosmicKitten 02-07-2003 05:20 PM

yeah it sucks ass... has happened to me several times with a small paysite... gotta delete the punks who break in like that.

hope it's fixed soon, that is good news.

mistressofnite 02-07-2003 05:44 PM

Ok, thanks. I set it up though and tested it out thru CCbill and everything looked ok. Thanks to all for the advice.

wimpy 02-07-2003 05:50 PM

There is a simple solution to this. I can't quote it exactly, but I've seen it and can describe it.

The Epoch script I have has a few lines of code at the very top that says:
IF IP does not equal (epoch's IP number here)
THEN die
ELSE continue

Why can't the CCBill script have the same few lines of code? It should.
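As an added illustration of the two points raised in this thread (chupacabra's ccbill.log lines and wimpy's source-address check), here is a Python sketch that is neither CCBill's script nor any poster's code: it gates the add-user call on the caller's address and audits the log for the "Hacker registered" pairs so they can be purged from .htpasswd. The allowed network, the log lines and the .htpasswd contents are constructed placeholders.

```python
"""Source-address gate plus a ccbill.log audit for an add-user CGI.
Added example, not CCBill's script or any poster's code; the network,
log lines and .htpasswd below are constructed placeholders."""
import ipaddress
import re
# Placeholder for the processor's real address range (not CCBill's actual range).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def add_user_allowed(remote_addr: str) -> bool:
    """The gate wimpy describes: run before any .htpasswd write and reject,
    rather than log the caller as a hacker and add the pair anyway."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # garbage in REMOTE_ADDR is a rejection too
        return False
    return any(addr in net for net in ALLOWED_NETS)

# Constructed log excerpt in the shape chupacabra quotes: a "Hacker registered"
# line followed by the ADD line, with no subscription id, start or end date.
SAMPLE_LOG = """\
Hacker registered to 198.51.100.7
ADD=hacker:9dS/4.gS6x
Registered subscription from 192.0.2.15 (constructed non-hacker line)
ADD=paying:Abc123XyZ
"""
# Constructed .htpasswd holding the rogue pair and two legitimate ones.
SAMPLE_HTPASSWD = "paying:Abc123XyZ\nhacker:9dS/4.gS6x\nolduser:zz99\n"
HACKER_RE = re.compile(r"^Hacker registered to (\S+)$")
ADD_RE = re.compile(r"^ADD=([^:]+):(\S+)$")

def rogue_users(log_text: str) -> dict:
    """Map username -> source ip for each ADD line that directly follows a
    'Hacker registered' line, i.e. the adds the script itself flagged."""
    rogue, pending_ip = {}, None
    for line in log_text.splitlines():
        m = HACKER_RE.match(line)
        if m:
            pending_ip = m.group(1)
            continue
        m = ADD_RE.match(line)
        if m and pending_ip is not None:
            rogue[m.group(1)] = pending_ip
        pending_ip = None       # any other line breaks the Hacker/ADD pairing
    return rogue

def purge_htpasswd(htpasswd_text: str, rogue: dict) -> str:
    """Return .htpasswd contents with the rogue pairs removed, order kept."""
    kept = [ln for ln in htpasswd_text.splitlines() if ln.split(":", 1)[0] not in rogue]
    return "".join(ln + "\n" for ln in kept)
```

Unlike a Referer check, the source address of an established TCP connection is not something the client can set freely, which is why a gate like add_user_allowed is worth having in front of the password-file write.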

