After many MANY emails and VM's I will post what OC3 Networks discovered back in October after routine audit of 2 of our clients security.
We know this issue exist since mid Aug 2007, secured our customers and blocked the intruder IP?s from any access to our network.
We posted the thread
http://www.gfy.com/fucking-around-and-business-discussion/779742-oc3-networks-customers-urgent.html and got some lawsuit treat to sue us that we could have care less? BUT when our customers that we tracked the breach on their servers got treats as well and requested us to NOT come out public with it, we honored their request.
Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened...
Credit for this below info should go to our SUPER SYSADMIN/Security fanatic Dale that has never posted on this board so I'm doing this for him, He wanted to come out with this long ago!
=====
The issue with this "intruder" does not seem to be an exploit of the nats software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That?s what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had month to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.
I've been involved with a high number of NATS clients and have found the following to be true:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
*) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
*) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=#### ##". You will see a number of those hits in sequential order.
*) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.
I have some suggestions for people using NATS:
*) Change all your admin level passwords.
*) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
*) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with apache easily (syntax depends on your version. this is for 2.0):
<Files "admin*">
Order deny,allow
Deny from all
Allow from your.ip.addr.here
</Files>
*) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
*) Be thankful of many things I'll not get into.
P.S. Im hearing that there is a backdoor that TMM can use to get into your NATS, but I havent investigated so its speculation. Only reason I even mention this is because NATS is encrypted and you dont know. Im not interested in decrypting NATS just to find out. There are other ways. I hope this isn?t true.