Old 12-23-2007, 06:44 AM  
chupacabra
Confirmed User
 
Join Date: Sep 2002
Posts: 3,626
Quote: Originally Posted by dustman
People, keep in mind that the only admin account that has been compromised is the TMM admin account. For god's sake, delete this account immediately.

This breach would also explain the multiple waves of compromised user passwords that we have seen. User passwords are easy to see in NATS, affiliate passwords are not.

My members area security software has reported dozens of compromised passwords logging in within less than 5 minutes. This only happens when there is a compiled list of valid passwords, not from passwords obtained by brute force.

After over 20 hours, I finally got a response to my trouble ticket:

TMM (3:55 PM):
I'm sorry and it looks like I have to get you a full upgrade to have this new feature
TMM (3:56 PM):
and we are currently developing a better security system on NATS and there will be a release on Monday hopefully
TMM (3:58 PM):
can we do the update on Monday instead?

Dirty D (3:59 PM):
Keep in mind we are one of the MANY programs that the TMM admin login was compromised for. Before I get pissed off, let me get this straight and make sure I understand.

#1. The IP Log feature won't work until the next release comes out... maybe monday

#2. NATS will not log the admin login info to a log file and the ONLY way to get admin login information is for me to WRITE A SCRIPT to accept a POST with info from NATS using these undocumented variables xxxxxx, xxxxxxx, xxxxxxxx, xxxxxxxx, xxxxxxx

#3. Nothing has been accomplished to resolve this Trouble Ticket

TMM (4:05 PM):
#1 yes, we are currently developing the security script and will try to get a release as soon as possible.
#2 Currently no, but I will add this to the feature request.
#3 I'm sorry about this, we are working on the release, and will let you know as soon as it is ready.
TMM (4:11 PM):
I'm sorry for any inconvenience caused by this issue, please change the ssh password and disable the nats admin login, one of us will contact you as soon as the new release is ready.
You know, reading what you typed above really struck a nerve with me... I don't even use NATS for my small sites, but I do use SegPay as a processor. A few months back I started seeing the exact same thing you describe above: waves of locked/banned user accounts one after another, like 50 in a row, all caught by PWSentry due to multiple logins from too many geo locales... This would be all at once, and then stop once all the compromised accounts got caught. A week or two later, boom, same thing. Lots of wasted time for me changing passwords for everyone and pissed off/canceling customers, and as you said, obviously not brute force here...

I'm going to go dig back and see when this trend started, but I can't help but wonder if this is tied to when NATS and SegPay started their incestuous relationship, as I had never seen this kind of account compromising over the past 8 years, not so many simultaneously and then suddenly stopping in a single wave.

Sounds way too close to what you describe above, *way* too close to me...
__________________
...promise her a defamation, tell her where the rain will fall..
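The pattern both posters describe (dozens of distinct valid accounts logging in within five minutes, and single accounts logging in from too many geo locales) can be told apart from brute force in a members-area login log. The Python below is an added example, not code from NATS, PWSentry, or either poster; the log line format, the per-login GeoIP annotation, and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) "
                     r"ip=(?P<ip>\S+) geo=(?P<geo>\S+)$")
FMT = "%Y-%m-%dT%H:%M:%S"

def build_sample_log():
    # Constructed log (not real data): a few normal logins, a brute-force run of
    # failures against one account, and a wave of 24 accounts logging in from six countries.
    t0 = datetime(2007, 12, 22, 15, 0, 0)
    ts = lambda **kw: (t0 + timedelta(**kw)).strftime(FMT)
    lines = [f"{ts(hours=-2, minutes=m)} LOGIN OK user=regular{m} ip=198.51.100.{m} geo=US"
             for m in range(1, 6)]
    lines += [f"{ts(hours=-1, seconds=s)} LOGIN FAIL user=victim ip=192.0.2.9 geo=RU"
              for s in range(40)]
    geos = ["US", "DE", "BR", "CN", "RU", "NL"]
    for i in range(24):
        lines.append(f"{ts(seconds=10 * i)} LOGIN OK user=member{i:02d} "
                     f"ip=203.0.113.{i} geo={geos[i % 6]}")
    for g in ("BR", "CN"):  # one leaked account reused from two more countries later
        lines.append(f"{ts(minutes=30)} LOGIN OK user=member01 ip=203.0.113.99 geo={g}")
    return lines

def parse(lines):
    # Turn matching lines into event dicts; lines in another format are skipped.
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "ts": datetime.strptime(m["ts"], FMT)})
    return events

def stuffing_wave(events, window=timedelta(minutes=5), min_accounts=20):
    # Brute force shows as many FAILs against few accounts; a compiled list of valid
    # passwords shows as many successful logins across many accounts within minutes.
    ok = sorted((e for e in events if e["result"] == "OK"), key=lambda e: e["ts"])
    best = set()
    for i, start in enumerate(ok):
        users = {e["user"] for e in ok[i:] if e["ts"] - start["ts"] <= window}
        best = users if len(users) > len(best) else best
    return sorted(best) if len(best) >= min_accounts else []

def geo_hopping(events, max_geos=2):
    # Per-account check: successful logins from more geo locales than one subscriber uses.
    geos = defaultdict(set)
    for e in events:
        if e["result"] == "OK":
            geos[e["user"]].add(e["geo"])
    return {u: sorted(g) for u, g in geos.items() if len(g) > max_geos}
```

`stuffing_wave` reports the accounts in the densest five-minute window of successes, and `geo_hopping` reports the accounts a PWSentry-style geo check would ban; on the constructed log the brute-forced `victim` account triggers neither.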