rowan

<img src="http://media.sensationcontent.com/rowan/extreme-pw-leak.gif">

Never seen this before - someone has clicked through to another site from a link in my members area, and it's been recorded in that site's extreme-dm stats.

Several people have jumped on that URL in the past few minutes.

shermo

Yup. I've noticed that quite a few times in my stats as well. Pretty shitty.

teenjump

Brutal. Looks like a bug.

detoxed

Woud happen with any stats program

rowan

Yep, but IE doesn't normally include this information in the referer line. It must have been another browser that did it.

thekebie

How does well do fark boobies convert?

fiveyes

It's not the program revealing the username:password so much as it is alerting you to a compromised password.

Look at it this way, if someone accesses your site as http://yourdomain.com/ instead of http:// www.yourdomain.com and you use relative linking throughout, then their referers will always be of the form http://yourdomain.com/directory/page.html. Right?

Now, keeping that in mind- the question is, when does a person access a membership area using http://username:[email protected]/members/?

__________________
<CENTER><A HREF="http://www.hot-off-bourbon.com/" target="_blank"><IMG SRC="http://www.hot-off-bourbon.com/images/hob-logosmall.jpg" border="0"></A>

<FONT face="Comic Sans MS" SIZE="-1"><I>Mardi Gras, Spring Break, Wet-T, Night Club Action, UpSkirt, Oil Wrestling, Voyeur</I></FONT></CENTER>

rowan

Aha, you've noticed my site there? 415k clicks since it was listed in October 2001, I can't complain. I don't have any direct stats but I usually get a few signups per week from the 600-800 uniques they still send each day.

Twe Russ

fiveeyes is the only one with a clue, thats definetely a pw crack,
unless you have a bookmark script that adds them like that for
your members.

__________________

Contact information - ICQ: 7.9.0.3.0.0 · AIM: no roach · E-Mail: roachito || @ || gmail || . || com
[Friend Finder - Geo Targeting & Incredible Site Ratio] - [Credit Card Traffic - Make $65 Per Join]

fiveyes

In fact, comng to think of it, go pull your referer log and find the first occurance of that usage. It'll will point back to the password site that has you hotlinked.

__________________
<CENTER><A HREF="http://www.hot-off-bourbon.com/" target="_blank"><IMG SRC="http://www.hot-off-bourbon.com/images/hob-logosmall.jpg" border="0"></A>

<FONT face="Comic Sans MS" SIZE="-1"><I>Mardi Gras, Spring Break, Wet-T, Night Club Action, UpSkirt, Oil Wrestling, Voyeur</I></FONT></CENTER>

zzgundamnzz

Looks like it. Is Necrohiphop up again?

__________________

rowan

I agree that it was probably a password crack that got the 'leaker' to my site, it was just unusual to see it carried through as-is... from checking my logs it looks like it's buried in quite a few other sites extreme-dm stats and has been for at least 2 weeks. My compromised account script didn't pick it up due to the URL being well hidden (for the most part), so there was hardly anyone using it until it hit the 'last 20 referers' of a site and got noticed.