Old 12-22-2007, 12:23 PM  
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Thanks for handling this responsibly, contacting NATS first and then going to
full disclosure mode only when it became necessary. As a security professional
who works with a lot of NATS sites, and someone who has previously
raised questions about the security implications of having that kind of data
on the web server at all as well as specific concerns about NATS, this is
of great interest to me and leaves me with a question.

Most of the "symptoms" you describe could be explained by a simpler problem
than that "*Someone* has access to TMM's clients database with your admin
logins and passwords.". There are numerous other ways for a cracker to get
the admin user name and password. Most webmasters choose poor passwords,
with "admin:admin" being common, as are certain variations on that.
You don't have to crack TMM's database to get in when the password is
that obvious. Most webmasters use passwords based on English words,
so a dictionary attack is simple enough. More likely, any PHP script
anywhere on the server might be exploited and used to read the password
from the database. Based on what you've posted, the only evidence that
the bad guy(s) have access to the TMM database is:

Quote:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
Is that a solid pattern that you saw repeatedly, or is it a case where it
happened one time that the cracker definitely was gone and then came back
shortly after TMM was given admin access?


Quote:
Just as a side info, I think NATS is a great product and
...
I'm not posting this to bash TMM.

Agreed - they have an impressive product and the current crop of people there
seem to be good people. Some on this board know we once had some
intellectual property concerns regarding the actions of someone who no
longer works there, but that's been properly taken care of by TMM. My interest
is in helping webmasters who use NATS and TMM to take care of any problems
so that everyone can get back to the business of getting the porn to the people.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
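The "admin:admin and variations on it" hypothesis above is cheap to test before assuming a database compromise: run the stored admin hashes through a small offline dictionary audit. The following is an added example, not code from the post, from NATS or from TMM; the account rows, the word list, the mangling rules and the salted-SHA-256 storage format are all constructed here so it runs offline. A real audit would read the application's own admin table and use whatever hash function it actually stores.

```python
"""Offline weak-password audit for an admin account table (added example).

Everything below is constructed for illustration: the rows in SAMPLE_ADMINS,
WORDLIST, and the hex(SHA-256(salt || password)) storage format are
assumptions, not the real NATS schema or hash scheme.
"""
import hashlib
import itertools

# Common "leet" substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def hash_password(salt: str, password: str) -> str:
    # Stand-in storage format (assumption): hex(SHA-256(salt || password)).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word: str):
    """Yield the variations of a base word that a dictionary attack tries
    first: case changes, leet substitutions and short numeric/symbol suffixes
    (the "certain variations" on admin:admin the post refers to)."""
    bases = {word, word.lower(), word.capitalize(), word.upper(),
             word.lower().translate(LEET)}
    suffixes = ["", "1", "12", "123", "1234", "!", "01", "2007"]
    for base, suffix in itertools.product(sorted(bases), suffixes):
        yield base + suffix


def candidates(username: str, wordlist):
    """Candidates for one account: username-derived guesses first (admin:admin
    and friends), then the mangled word list. Duplicates are skipped."""
    seen = set()
    for word in [username] + list(wordlist):
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def audit(accounts, wordlist):
    """accounts: iterable of (username, salt, stored_hash).

    Returns a dict mapping every account that fell to a guess to the password
    that opened it. Accounts that survive the whole candidate list are absent.
    """
    cracked = {}
    for username, salt, stored in accounts:
        for cand in candidates(username, wordlist):
            if hash_password(salt, cand) == stored:
                cracked[username] = cand
                break
    return cracked


# Constructed sample data: four admin logins, three of them weak.
WORDLIST = ["password", "welcome", "letmein", "secret", "qwerty"]
SAMPLE_ADMINS = [
    ("admin", "s1", hash_password("s1", "admin")),           # admin:admin
    ("bob",   "s2", hash_password("s2", "Password123")),     # capitalised word + digits
    ("dave",  "s3", hash_password("s3", "l3tm31n")),         # leet-spelled word
    ("carol", "s4", hash_password("s4", "g7Vq!m2Zr9Lw#x")),  # not in any candidate set
]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ADMINS, WORDLIST).items():
        print(f"{user}: weak password {guess!r}")
```

If this turns up hits on the accounts the intruder keeps coming back through, the "someone has TMM's client database" explanation is unnecessary; if every admin password survives a realistic word list, the pattern described in the post deserves the closer look it is asking for.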