GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
- Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
  - Security Holes in CCBILL (https://gfy.com/showthread.php?t=91880)

Oliver Klozov 12-04-2002 01:32 PM

Security Holes in CCBILL
 
My tech sent me this email today about a huge problem he noticed with the CCBILL password management system...

There has been an exploit out for the ccbill password management for
quite some time now.

I noticed TONS of accounts being added (20 at a time) to our system, so
I called them up and they acknowledged the security hole and are "still
waiting for a fix" which is expected to be finished by the END of next
week.

oh yeah... and according to the two people I spoke with, their policy is
NOT to notify webmasters when there are security holes in ccbill
scripts.

the best they can do is rename the script so it's harder to find.

so all we can do is wait for them to get their act together and fix
their shit, but don't expect to be notified. we are responsible for
watching out for their problems.


this is total bullshit. I just happened to be extremely lucky in
noticing a suspicious looking account and investigated it further to find
this huge mess. they should AT LEAST tell us when things like this crop
up. the whole reason we use password management is so that we DON'T have
to maintain our members database with a fine tooth comb.

the only answer I could get out of anybody was 'talk to your sales rep'.

even Ibill wasn't this bad when it came to security updates.

m0rph3us 12-04-2002 01:42 PM

yeah ccbill is bad news imo. switch and watch your retention go sky high.

p1mpdogg 12-04-2002 01:46 PM

one word , 5 letters.

e
p
o
c
h

FlyingIguana 12-04-2002 01:54 PM

Quote:

Originally posted by m0rph3us
yeah ccbill is bad news imo. switch and watch your retention go sky high.

one thing i love about ccbill as an affiliate webmaster is having multiple sites on one account. cheques are sent out quick too.

epoch used to be a nightmare

Honeyslut 12-04-2002 01:57 PM

Quote:

Originally posted by m0rph3us
yeah ccbill is bad news imo. switch and watch your retention go sky high.

globill

:)

Shoplifter 12-04-2002 02:05 PM

Epoch is awful for affiliates. No click counting, no nothing.

salsbury 12-04-2002 02:06 PM

epoch and jettis's scripts are insecure too (add-passwd.cgi) - at least, almost every single one i've ever seen has been. they claim to have better ones now, but.. i've yet to see them installed.

Backov 12-04-2002 02:06 PM

The "fix" that they are working on is easy as hell. Contact me if you want it. ICQ 5061408.

I noticed these hackers in our logs as well and patched their crappy script. It's literally less than a line to fix it.

Edit: I looked at their most recent script just now and they did some crappy fixes to it, so perhaps you just have a slightly older version. I had to point this hole out to them about a month ago.

Cheers,
Backov

Mr Cheeks 12-04-2002 02:10 PM

you know what, i am so happy someone brought this up. i've noticed the same motherfucking thing lately.
actually what i do is compare the number of active usernames to the entries in the stupid password file. and of course it's usually off at least by a dozen users.

the most fucked up thing is that i noticed this one account that shouldn't've been there in the first place, removed it, the mofo popped back up the very next day. wtf? CCBILL needs to get their fucking act right instead of talkin' about eternal fix searches
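
One way to automate the comparison Mr Cheeks describes (active usernames versus entries in the password file), extended to also flag the account that "popped back" after he deleted it. This is an added example, not code from the thread or from CCBill; the active member list, the removed list and the htpasswd contents are constructed sample data, and `parse_htpasswd`, `reconcile` and `summary_lines` are names chosen here.

```python
"""Reconcile the htpasswd file a billing processor manages against the
members the processor itself reports as active. Added example; the member
list, the removed list and the htpasswd contents are constructed sample data."""
from collections import Counter

# Constructed sample: usernames the processor's reporting lists as active.
ACTIVE_MEMBERS = frozenset({"alice", "bob", "carol"})

# Constructed sample: an account the webmaster already deleted by hand once.
PREVIOUSLY_REMOVED = frozenset({"mallory"})

# Constructed sample .htpasswd contents; the hash fields are placeholders,
# not real crypt() or MD5 output.
HTPASSWD_TEXT = """\
# maintained by the processor's password script
alice:$apr1$placeholder1
bob:$apr1$placeholder2
carol:$apr1$placeholder3
mallory:$apr1$placeholder4
eve:$apr1$placeholder5
eve:$apr1$placeholder6
this-line-is-malformed
"""


def parse_htpasswd(text):
    """Return the usernames in an htpasswd-style file in order, duplicates kept.

    Blank lines, comments and lines without a ':' separator are skipped, so a
    truncated or hand-edited file does not abort the comparison."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, _hash = line.partition(":")
        if not sep or not user:
            continue
        users.append(user)
    return users


def reconcile(htpasswd_text, active, previously_removed=frozenset()):
    """Compare the password file with the active list and report every way
    they disagree, not just the raw count the post describes."""
    users = parse_htpasswd(htpasswd_text)
    in_file = set(users)
    active = set(active)
    counts = Counter(users)
    return {
        "file_entries": len(users),
        "active_count": len(active),
        # in the password file but not paid up: accounts nobody legitimately added
        "orphans": sorted(in_file - active),
        # paying members who cannot log in: the script failed to add them
        "missing": sorted(active - in_file),
        # deleted by hand before and now back: the add is being repeated
        "resurrected": sorted(in_file & set(previously_removed)),
        # the same username twice: the script appended without checking
        "duplicates": sorted(u for u, n in counts.items() if n > 1),
    }


def summary_lines(report):
    """Render the report as lines suitable for a nightly cron mail."""
    lines = [f"password file entries: {report['file_entries']}, "
             f"active members: {report['active_count']}"]
    for key in ("orphans", "missing", "resurrected", "duplicates"):
        if report[key]:
            lines.append(f"{key}: {', '.join(report[key])}")
    return lines


if __name__ == "__main__":
    report = reconcile(HTPASSWD_TEXT, ACTIVE_MEMBERS, PREVIOUSLY_REMOVED)
    for line in summary_lines(report):
        print(line)
```

Run from cron against the real file and the processor's active-member export; a non-empty `orphans` or `resurrected` list is the signal that the add script is being driven by someone other than the processor, and the count line alone reproduces the manual check from the post.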

corvette 12-04-2002 03:21 PM

Quote:

Originally posted by Oliver Klozov

they acknowledged the security hole and are "still
waiting for a fix" which is expected to be finished by the END of next
week.

This is certainly not the case and I would love to know who told you this. If you can, please have your tech email me with that information.

We do have a new cgi that we will be unveiling soon, but it is one that is more feature-rich (it allows real-time user add/delete features, etc) that will work in conjunction with our new reporting site to offer our clients enhanced reporting and an improved interface. That must have been what was referred to.

If our clients are noticing any possible CCBill issues with their account, I would strongly recommend that they contact our technical department. [email protected] We have to manage password files and such on many different platforms in numerous server environments and, like most technology companies, have created patches/fixes for different issues that might have arisen.

If you have any problems/issues/questions, please contact us. We will get them looked at ASAP.

J.R. 12-04-2002 03:27 PM

My programmer can also point out flaws and backdoors into your systems and into my site.

Most EVERY hacker that has hacked my site has always come via CCBILL!

Want facts, more than happy to provide that too.

Backov 12-04-2002 04:12 PM

Corvett,

I pointed out the hole in your scripts to your phone techs about a month ago. The most recent script I got from you incorporated my fix. (IP limiting)

What I REALLY want to know is how the hackers that are exploiting this hole got ahold of my private_key in the first place (and obviously lots of others) - since my box wasn't compromised, I have to assume it was compromised on your end.

Also, since this key is compromised, why is there NO WAY to change this key? I can't change it myself, and when asked your techs said they couldn't change it either.

Combine this with the fact that someone not me mailed our members list (some spamtrap addresses, so WE got shit for it) - and I'd say you guys have got some serious employee related security holes.

Edit: I'd also like to point out that they didn't use my fix verbatim but modified it a bit, and displayed the skill level of retarded high school programmers. Stop hiring off the short bus - if that's the level of skill your programmers have, then no wonder you have security problems. Don't take this as a personal attack - this is my professional opinion, and I've been doing this almost 17 years now.

Cheers,
Backov

Oliver Klozov 12-04-2002 07:49 PM

Quote:

Originally posted by Backov
Corvett,

I pointed out the hole in your scripts to your phone techs about a month ago. The most recent script I got from you incorporated my fix. (IP limiting)

What I REALLY want to know is how the hackers that are exploiting this hole got ahold of my private_key in the first place (and obviously lots of others) - since my box wasn't compromised, I have to assume it was compromised on your end.

Also, since this key is compromised, why is there NO WAY to change this key? I can't change it myself, and when asked your techs said they couldn't change it either.

Combine this with the fact that someone not me mailed our members list (some spamtrap addresses, so WE got shit for it) - and I'd say you guys have got some serious employee related security holes.

Edit: I'd also like to point out that they didn't use my fix verbatim but modified it a bit, and displayed the skill level of retarded high school programmers. Stop hiring off the short bus - if that's the level of skill your programmers have, then no wonder you have security problems. Don't take this as a personal attack - this is my professional opinion, and I've been doing this almost 17 years now.

Cheers,
Backov


Well this is getting interesting. We also have had a problem with our members data being sold to spammers; I thought that maybe it had come from IBILL but now I wonder, could CCBILL have a mole?

What's the deal over there?

I will say that within hours of posting here on GFY, CCBILL contacted me direct with a "beta" fix to the problem. We have installed it and are waiting to see what happens next. IBILL would have never contacted me, I would still be on hold waiting to talk to the one guy they have in Password Management.

I hate to go public with issues like this but maybe this will make CCBILL take a second look at what's going on around them.

I love CCBILL even with this problem, none of us is perfect, ok well maybe Boneprone is.

Kimmykim 12-04-2002 08:27 PM

Quote:

Originally posted by p1mpdogg
one word , 5 letters.

e
p
o
c
h

One word, fugataboutit ;)

No one is perfect, I do like the guys from Epoch a lot and have no problem recommending them or CCBill. As a matter of fact if I started a program, those two and Jettis would be my processors.

jimmyf 12-04-2002 08:56 PM

as an affiliate I won't sign up if you use epoch or ibill any longer. epoch fucked me with Penthouse years ago (some people have a short memory span). and ccbill's checks every week are awesome. And as an affiliate I can and have called them, and get answers on the phone or email. Don't know about now, if they have anyone like Kimmy there, she did take it upon herself to check into something for me once and it has made me $ 1,000.00's. am pretty damn sure this would not have happened with ibill nor epoch. I think ccbill rocks... and am unanimous on this.

MikeEP 12-05-2002 04:24 AM

I remember grabbing my ccbill admin login since we were going to give them a try. About a week later, my login wasn't working. No one could figure out what was up. Later we found out that our admin had been "compromised" and they issued us a new login. Anyway, i guess it was better to find out early (the level of security) than finding out years later, way too late.

kmanrox 12-05-2002 05:15 AM

Can you say, 'Class Action Lawsuit' ?

Anyone with an attorney ON STAFF, please contact me, I'd be interested =)

kmanrox 12-05-2002 05:20 AM

Quote:

Originally posted by Oliver Klozov



Well this is getting interesting. We also have had a problem with our members data being sold to spammers; I thought that maybe it had come from IBILL but now I wonder, could CCBILL have a mole?

What's the deal over there?

I will say that within hours of posting here on GFY, CCBILL contacted me direct with a "beta" fix to the problem. We have installed it and are waiting to see what happens next. IBILL would have never contacted me, I would still be on hold waiting to talk to the one guy they have in Password Management.

I hate to go public with issues like this but maybe this will make CCBILL take a second look at what's going on around them.

I love CCBILL even with this problem, none of us is perfect, ok well maybe Boneprone is.

apparently they already knew of the problem according to previous statements on this thread, and not until they got dragged through the mud did they scurry and make a fix.... i'm no fucking lawyer, but that sounds like a major fucking lawsuit.... On the same disclaimer, i'm sure they covered themselves in the TOS agreement their clients had to sign... so who knows...

either way..... security is paramount.... hell, i've personally witnessed Epoch's armed security Wells Fargo truck/team come in at the end of the work day to pick up some 'master CD's' or something.... they have security cards to access every area of that place, top security if i've ever seen it... has anyone seen ccbill's security? is it up to par?

PHmike 12-05-2002 08:58 AM

Quote:

Originally posted by jimmyf
as an affiliate I won't sign up if you use epoch or ibill any longer. epoch fucked me with Penthouse years ago (some people have a short memory span).

Jimmyf,

I think you mean DMR not Epoch. At Penthouse, we have never had an Epoch set-up.

DMR is another story. We lost a lot of money with DMR too.

mike,
director AT penthouse.com

jimmyf 12-05-2002 09:02 AM

Quote:

Originally posted by PHmike


Jimmyf,

I think you mean DMR not Epoch. At Penthouse, we have never had an Epoch set-up.

DMR is another story. We lost a lot of money with DMR too.

mike,
director AT penthouse.com

Sorry you are correct PHmike.

Big E 12-05-2002 09:22 AM

A lot of us took a bath with DMR. (sigh)

Anyway, I hate to be an "I told you so" but I was talking with Ron about this a LONG, LONG time ago. Their scripts (and security) have sucked since Day 1. They may have gotten better, but it doesn't look like it. They've never taken it seriously, and I believe they continue to disregard it (even after all the breaches and problems).

I still like everyone from CCBILL - great people, but not a technical company. :-/

andi_germany 12-05-2002 11:18 AM

I have had that problem with IBill as well as CCBill. The problem is simply that CCBill has to operate a script that is on another server in an uncontrollable environment. Now add this fact to the mostly security-ignorant webmaster and you will get hacked accounts. There are simple steps to prevent most hacker attempts.

1. change your passwords regularly and make them complicated. Stop using your girlfriend's name already.

2. create a subdir in your cgi-bin dir called e.g. cgi-bin/1jez63hhdnh4rj/ and place the renamed script into it. Change this info in the ccbill database and you will most likely never be bothered by hacked accounts.

3. the password file should be below the web-accessible path so no one can get it over the web.

4. place the original ccbill script into cgi-bin and point it to a password file in your web-accessible dir. This of course is fake but might distract a hacker long enough to go to a different easier target.


Security starts with yourself on your machine. Don't blame others if you haven't done the least to prevent stuff like this.
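
An audit of the layout that steps 2 and 3 of the list above call for (script renamed into an unguessable subdirectory, password file outside the web-accessible path), plus a file-permission check the list does not mention. This is an added example, not code from the post or from any processor: it builds a weak and a hardened directory tree in a temporary directory as constructed sample data, `DEFAULT_SCRIPT_NAMES` is a placeholder list to fill in with the real distributed script names (`add-passwd.cgi` is the one named earlier in the thread), and `audit_layout`, `build_sample_layouts` and `run_audit` are names chosen here.

```python
"""Audit where a billing processor's password script and its password file
live relative to the web root. Added example; the directory layout it builds
is constructed, and the default script names are placeholders."""
import os
import stat
import tempfile
from pathlib import Path

# Placeholder list of the script names a processor ships by default; replace
# with the actual file names of the scripts you were sent.
DEFAULT_SCRIPT_NAMES = frozenset({"add-passwd.cgi", "PLACEHOLDER_DEFAULT_NAME.cgi"})


def _inside(path, root):
    """True if path resolves to somewhere under root."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def audit_layout(docroot, script, passwd, default_names=DEFAULT_SCRIPT_NAMES):
    """Return a list of finding codes for the given layout (empty means clean)."""
    script, passwd = Path(script), Path(passwd)
    findings = []
    # Step 3 of the list: the password file must not be fetchable over the web.
    if _inside(passwd, docroot):
        findings.append("passwd_inside_docroot")
    # Step 2: a stock script name, or a script sitting directly in cgi-bin,
    # is trivially guessable; the list wants both a rename and a subdirectory.
    if script.name in default_names or script.parent.name == "cgi-bin":
        findings.append("script_at_predictable_path")
    # Not in the list, but the same goal: only the owner should read the file.
    if passwd.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("passwd_readable_by_others")
    return findings


def build_sample_layouts(base):
    """Construct a weak and a hardened layout under base.

    Returns two (docroot, script, passwd) tuples of constructed paths."""
    base = Path(base)
    # Weak: stock script directly in cgi-bin, password file inside the
    # webroot, mode 0644.
    weak_root = base / "weak" / "htdocs"
    weak_script = weak_root / "cgi-bin" / "add-passwd.cgi"
    weak_passwd = weak_root / "members" / ".htpasswd"
    # Hardened: renamed script in an unguessable subdirectory (the name from
    # the post), password file above the webroot, mode 0600.
    hard_root = base / "hard" / "htdocs"
    hard_script = hard_root / "cgi-bin" / "1jez63hhdnh4rj" / "x7q.cgi"
    hard_passwd = base / "hard" / "private" / ".htpasswd"
    for p in (weak_script, weak_passwd, hard_script, hard_passwd):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder\n")
    os.chmod(weak_passwd, 0o644)
    os.chmod(hard_passwd, 0o600)
    return (weak_root, weak_script, weak_passwd), (hard_root, hard_script, hard_passwd)


def run_audit():
    """Build both sample layouts and audit them; returns (weak, hardened) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        weak, hard = build_sample_layouts(tmp)
        return audit_layout(*weak), audit_layout(*hard)


if __name__ == "__main__":
    weak_findings, hard_findings = run_audit()
    print("weak layout:", weak_findings)
    print("hardened layout:", hard_findings)
```

To use it on a real host, call `audit_layout` with the server's DocumentRoot, the path of the installed password script and the path the script writes to; any finding means one of the list's steps has not actually been carried out on that machine.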

Anna-C 12-05-2002 03:04 PM

You may be interested in a new Thread I have started.

http://bbs.gofuckyourself.com/showth...threadid=92116

Cheers

Anna

Tink 12-06-2002 08:35 PM

Hi Salsbury,

Jennifer from Jettis here...

Please see the thread at: http://www.gofuckyourself.com/showth...threadid=78069

We made additional modifications to our password script for our clients' protection quite some time ago and even redistributed this updated script again back in October to all Jettis clients. If there are any clients still using the old password script, drop us an email at [email protected] and we'll send the newer one out right away.

