GoFuckYourself.com - Adult Webmaster Forum

-   -   Password hacking sites collecting log in info (https://gfy.com/showthread.php?t=610211)

H.I.G 05-15-2006 07:51 PM

Password hacking sites collecting log in info
 
How are these password hacking sites collecting login info from members?

It's hard to believe that most members would give out their log in info. I do have a script to block out multiple IPs and suspend accounts during hacks.

But my question is, how are these hack sites getting all this log in info to pay sites?

SteveLightspeed 05-15-2006 08:01 PM

I think *some* of them set up free sites, where all you need to do is create a profile --- people think they are smart by giving fake email addresses to gain entry, but what they've really given away is the same user/pass that they use on every site they join.

Then the "hacker" just runs them like keys, until they find the ones that work on your site too.

H.I.G 05-15-2006 08:29 PM

thanks steve.:thumbsup

V_RocKs 05-15-2006 09:01 PM

Where do these forums get the info?

#1 - Payment processors. Some are hackable or were hacked years ago. The nice thing for hackers is very few of you force the users to accept a server made password. So if they get to continuously use kobe08:lakers1 for years, hacking a processor 3 years ago is just as good as hacking it today.

#2 - Stealing your DB or passfiles via your sponsor program. Many of you have used forum software like phpBB which is notorious for having holes. Some of you have used affiliate software that had holes allowing for the downloading of your database (with unencrypted passwords) or your password files (with encrypted passwords that are notoriously easy to decrypt).

#3 - Your websites have scripting vulnerabilities.

index.php?page=templates/about.php

becomes,

index.php?page=../ccbill/private/.htpasswd

Or even more devastating, the hacker downloads the .htpasswd file located in your admin directory. Now he decrypts your passwords and then uses the banner uploading scheme to upload a shell. Now he has access to run commands on your server.

echo "select username,password from members" > /usr/bin/mysql/bin/mysql -u admin -pevil1man -D pa2

Now he has all of your unencrypted passwords... sweet.. And no need to crack them against your l33t login software like strongbox because these all work.... they are from your current DB...

#4 - The hackers all trade their DB's and passfiles with each other. Now when they steal your encrypted .htpasswd file they have no problem getting 90% of it cracked in less than an hour since they have 3 million porn surfers passwords to try it against...

So where do they get these passwords? NOT FROM THE SURFERS YOU FUCKING MORONS! THEY ARE GETTING THEM FROM YOU!
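The `index.php?page=` include pattern from point #3, mimicked in Python as an added example (not code from this thread or from any product named in it). `WEB_ROOT`, `ALLOWED_PAGES` and the function names are assumptions for the example; the vulnerable form shows how `../` walks out of the web root, the hardened form allowlists the page name and re-checks the resolved path, and `classify_request` labels each value so traversal attempts can be logged and alerted on.

```python
import posixpath

# Constructed layout for the example: the site lives under WEB_ROOT and the
# only includable pages are the names in ALLOWED_PAGES (all assumptions).
WEB_ROOT = "/var/www/site"
TEMPLATE_DIR = "templates"
ALLOWED_PAGES = {"about", "join", "tour"}


def resolve_vulnerable(page):
    """Mimics include($_GET['page']) style code: the user-supplied value is
    joined straight onto the web root, so '../' leaves it and any readable
    file on the box (e.g. a .htpasswd) becomes includable."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def resolve_hardened(page):
    """Allowlist the page name first, then confirm the resolved path is still
    under the template directory. Returns None for anything unexpected."""
    if page not in ALLOWED_PAGES:
        return None
    template_root = posixpath.join(WEB_ROOT, TEMPLATE_DIR)
    candidate = posixpath.normpath(
        posixpath.join(template_root, page + ".php"))
    # Belt and braces: a listed name must still resolve inside template_root.
    if not candidate.startswith(template_root + "/"):
        return None
    return candidate


def classify_request(page):
    """Label a page= value for logging: 'ok' (allowlisted), 'unknown' (typo or
    probing for other files) or 'traversal' (the value resolves outside the
    template directory, including absolute paths, which join() would honour)."""
    if page in ALLOWED_PAGES:
        return "ok"
    template_root = posixpath.join(WEB_ROOT, TEMPLATE_DIR)
    resolved = posixpath.normpath(posixpath.join(template_root, page))
    if not resolved.startswith(template_root + "/"):
        return "traversal"
    return "unknown"
```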

V_RocKs 05-15-2006 09:05 PM

Ohh..

#5 - Hosting.... Many adult hosting companies are vulnerable to attacks for various reasons... The biggest being their support ticket systems... Shit... Some of them use "off the shelf" software that they haven't upgraded for 2 or 3 years... Now google for their version "softwarename 3.4.5 exploit" and see what you get... Maybe if they are large enough you will have access to 1/8th of the adult industry. Affiliate programs, large big name TGP's and the smaller ones you'd like to steal ideas or code from...

Nismo 05-15-2006 09:09 PM

A lot of them also come from sponsors themselves, carders, and hackers that brute forced them.

studiocritic 05-15-2006 09:16 PM

Quote:

Originally Posted by V_RocKs
echo "select username,password from members" > /usr/bin/mysql/bin/mysql -u admin -pevil1man -D pa2

:error

that wouldn't work.. | not >

or < from the other side of the command

BlingDaddy 05-15-2006 09:21 PM

Everyone is "secure" even NATS. Threads like this make me divert traffic elsewhere.:2 cents:

Libertine 05-15-2006 09:28 PM

You people give most crackers waaay too much credit. Most simply download a simple brute forcing program, a proxy list and (un/pw) dictionary lists, and they're all set to go. Cracking can be done without knowing anything about computers.

Of course, the username/password dictionaries were gathered by others, from other sites, often years ago, but since people are predictable, combos work again and again and again. (qwerty:asdfgh, james:bond, username:password, etc.)

V_RocKs 05-16-2006 02:20 AM

Quote:

Originally Posted by studiocritic
:error

that wouldn't work.. | not >

or < from the other side of the command

Teach me to write something without testing it first...

But the method is still the same and widely used.

V_RocKs 05-16-2006 02:23 AM

Quote:

Originally Posted by punkworld
You people give most crackers waaay too much credit. Most simply download a simple brute forcing program, a proxy list and (un/pw) dictionary lists, and they're all set to go. Cracking can be done without knowing anything about computers.

Of course, the username/password dictionaries were gathered by others, from other sites, often years ago, but since people are predictable, combos work again and again and again. (qwerty:asdfgh, james:bond, username:password, etc.)

Notice I said hackers, not crackers... And yes, MOST do get off the shelf (so to speak) software and download their lists from forums. But when I started playing around myself 7 years ago there were a handful of people cracking websites and even less hacking them... Now the percentages are still the same (hackers to crackers) but there are more of each...

In 2003 I'd say there were about 10 to 20 people who could hack a server worth a damn and now there are 100 to 200... And so many people make it so fucking easy that once you have 5000 password files you just get bored...

V_RocKs 05-16-2006 02:24 AM

Quote:

Originally Posted by BlingDaddy
Everyone is "secure" even NATS. Threads like this make me divert traffic elsewhere.:2 cents:

To what? Mainstream? They have their own problems.....

nekrom 05-16-2006 04:00 AM

Yup by doing everything V_RocKs just mentioned.

That's also aside from all the script kiddies that just grab an off the shelf brute forcing software, bung in some proxies/judges add a combo list and start hammering away at a paysite that's still using finger boxes instead of form based login.

2cents
-N
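The two patterns described in this thread, one account sprayed from a proxy list and one address walking a combo list, are what a login-log detector like the one H.I.G mentions needs to separate. This is an added example with a constructed log format and sample lines, not code from any poster or product: it parses the records, then flags accounts hit from too many distinct IPs inside a window (suspend candidates) and IPs trying too many distinct accounts (block candidates). Thresholds, the log format and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: "<date> <time> LOGIN_OK|LOGIN_FAIL user=<u> ip=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: kobe08 is sprayed from a proxy list, 192.0.2.77 walks a
# combo list of predictable names, alice is ordinary background activity.
SAMPLE_LOG = """\
2006-05-15 21:00:01 LOGIN_OK user=alice ip=203.0.113.10
2006-05-15 21:00:05 LOGIN_FAIL user=kobe08 ip=198.51.100.1
2006-05-15 21:00:06 LOGIN_FAIL user=kobe08 ip=198.51.100.2
2006-05-15 21:00:07 LOGIN_FAIL user=kobe08 ip=198.51.100.3
2006-05-15 21:00:08 LOGIN_OK user=kobe08 ip=198.51.100.4
2006-05-15 21:00:20 LOGIN_FAIL user=james ip=192.0.2.77
2006-05-15 21:00:21 LOGIN_FAIL user=qwerty ip=192.0.2.77
2006-05-15 21:00:22 LOGIN_FAIL user=username ip=192.0.2.77
2006-05-15 21:00:23 LOGIN_OK user=bob ip=192.0.2.77
2006-05-15 21:05:00 LOGIN_FAIL user=alice ip=203.0.113.10
"""


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples; non-login lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=10), ip_limit=3, user_limit=3):
    """Return (sprayed_users, spraying_ips). Successful logins count too: a
    hit after a spray means the session, not just the password, is bad."""
    events = sorted(events)
    sprayed_users, spraying_ips = set(), set()
    for i, (ts, _, user, ip) in enumerate(events):
        # Everything inside the window that ends at this event.
        recent = [e for e in events[:i + 1] if ts - e[0] <= window]
        if len({e[3] for e in recent if e[2] == user}) >= ip_limit:
            sprayed_users.add(user)
        if len({e[2] for e in recent if e[3] == ip}) >= user_limit:
            spraying_ips.add(ip)
    return sprayed_users, spraying_ips
```

A per-IP failure counter alone misses the first pattern, since each proxy only fails once; the per-user distinct-IP count is what catches it.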

