k, my paysite security is breached, need help! $$

[gleem]

k, I have proxypass installed, have SQL Auth/htaccess and for over 6 months I have never had a pass shared, traffic to my member section is always where it should be, no spikes on the leased feeds, over the last couple days traffic has skyrocketed, can't find my site listed on password sharing sites, and even if it was proxypass woulda shut em down.

So I'm thinking I'm dealing with someone who is spoofing something to get in and send all his surfers through, but I'm not technical enough to figure it out, host is clueless and I'm eating 12x the normal bandwidth I should be.


Can someone gimme a clue, point me in the right direction, anything?

[who]

Can't you see which IP(s) is(are) causing the spike? Can't you then associate that with a customer's account?

[gleem]

Quote:

Originally Posted by who

Can't you see which IP(s) is(are) causing the spike? Can't you then associate that with a customer's account?

well yes, if any more than 3 IP's uses a login they are automatically blocked by ProxyPass, so this is something else.

[who]

But a jerk with a website could be running a proxy, logging in through the proxy, and umpteen users could be going through his website, through his proxy, and into your members area. It would only show the IP of the proxy. That's why I ask if there's any particular IP producing a lot of the activity. Can you check your logs?

[AsianDivaGirlsWebDude]

Try putting a limit on bandwidth per IP address until you detect the offender. Set it high at first then start ratcheting it down and you should find him.

Other people more technical than I am should have other solutions too (so bump for that).

Surprised that your ISP can't help more...

Good luck,

ADG Webmaster

[gleem]

hmmm.. I can't tell, I have access to apache server status, it all looks like normal http traffic

[gleem]

Quote:

Originally Posted by AsianDivaGirlsWebDude

Try putting a limit on bandwidth per IP address until you detect the offender. Set it high at first then start ratcheting it down and you should find him.

Other people more technical than I am should have a solution to (so bump for that).

Surprised that your ISP can't help more...

Good luck,

ADG Webmaster

that's the thing, if it were 1 IP address they would have been blocked already

[who]

Can you see in your stats the referring URL?

[Barefootsies]

[ramstein]

I guess your system admin should look into your log files

[gleem]

Quote:

Originally Posted by who

Can you see in your stats the referring URL?

nope, no reffering url is sending the traffic, it's like a ghost is in my paysite area eating up 12x the bandwidth it should

[PHP-CODER-FOR-HIRE]

I added you to ICQ. I think I know what your problem is. I ran into this same problem about a year ago with a customer of mine.

Get in touch with me ASAP, because it'll get worse if you don't deal with it trust me. Once someone finds out it works, it'll spread like crazy.

[Quickdraw]

Not sure if you were looking for suggestions for other software but I really like Strongboxxx.

[DjSap]

if you have a managed server then I would switch, because if a host can't figure something like this out it's kind of fucked up and they are probably just some reseller without expertise in actual server administration

[woj]

Quote:

Originally Posted by DjSap

if you have a managed server then I would switch, because if a host can't figure something like this out it's kind of fucked up and they are probably just some reseller without expertise in actual server administration

yea, exactly, so who is the clueless host?

[gleem]

they are friends of mine, so I'm not naming names.

[venus]

how do you know your "security is breached"?
there are other ways to make your bandwidth go up, one is somoene could be hotlinking your images, they could be hotlinking a single large file in an attempt to screw with you. lots of reasons for this, check your log analyzer... you do have a log analyzer program correct?

[madawgz]

Quote:

Originally Posted by DjSap

if you have a managed server then I would switch, because if a host can't figure something like this out it's kind of fucked up and they are probably just some reseller without expertise in actual server administration

yep, either that

or the host simply doesnt care or have the time

[gleem]

Quote:

Originally Posted by venus

how do you know your "security is breached"?
there are other ways to make your bandwidth go up, one is somoene could be hotlinking your images, they could be hotlinking a single large file in an attempt to screw with you. lots of reasons for this, check your log analyzer... you do have a log analyzer program correct?

it's traffic to my content section, I know this because I renamed and took it down for 15 minutes, and bandwidth dropped to next to nothing.

Also I see the traffic going to my leased plugins, so they are in there surfing, not hotlinking, hotlinks woulda showed up easy

[lazycash]

Most likely getting spoofed, what is the site that is being exploited?

[venus]

you would think this would show up easy as well...

what log analyzer are you using? wusage ?

Quote:

Originally Posted by gleem

it's traffic to my content section, I know this because I renamed and took it down for 15 minutes, and bandwidth dropped to next to nothing.

Also I see the traffic going to my leased plugins, so they are in there surfing, not hotlinking, hotlinks woulda showed up easy

[gleem]

Quote:

Originally Posted by lazycash

Most likely getting spoofed, what is the site that is being exploited?

www.RevengeTV.com


I got bandwidth download limits on (thanks PHP-CODER-FOR-HIRE), doesn't catch it, IP traps, nothing, I'm done for the night, 5am here.. but I need some more help.. this is a good one.

[gleem]

Quote:

Originally Posted by venus

you would think this would show up easy as well...

what log analyzer are you using? wusage ?

awstats.. the only odd site that shows up, but with hardly any hits is:

http://www.ya-moon.com/start.asp

it's japanese, but the word "revenge" shows up, but when you click anything you get some sort of message, which I assume is a "you must login" message, so I have no clue.

[ladida]

Quote:

Originally Posted by DjSap

if you have a managed server then I would switch, because if a host can't figure something like this out it's kind of fucked up and they are probably just some reseller without expertise in actual server administration

You people are clueless. Managed or not managed, host in these cases can do jack shit. It's obvious none of you dealt with hacking before..

[EDepth]

You may want to remove the empty login & password from your passlist... i can just log right in with nothing -> thus why its not showing in proxypass i bet.

[en21]

I tried to login with nothing.. can't get in though

[darksoul]

Quote:

Originally Posted by ladida

You people are clueless. Managed or not managed, host in these cases can do jack shit. It's obvious none of you dealt with hacking before..

I think you're the clueless one.

gleem, feel free to hit me up on icq when you get back
157717888

[scottybuzz]

bump for help

[HighSociety]

nice site you have there, hope someone can help you out

[ladida]

Quote:

Originally Posted by darksoul

I think you're the clueless one.

Haha.. don't be offended. I see you're flying hosting company in your sig, so that's probably why, but it's just how it is. Hosting companies are clueless. Which paysites host with you?

[darksoul]

Quote:

Originally Posted by ladida

Haha.. don't be offended. I see you're flying hosting company in your sig, so that's probably why, but it's just how it is. Hosting companies are clueless. Which paysites host with you?

Its true most companies don't know jack shit besides restarting apache and mysql. But there are a few that know their shit.
And yes the company I'm flying the sig for its one of them beeing run
by hardcore sysadmins which over the years dealt with sites
like ogrish,score-cash,webcams,spookycash,ebaumsworld and the list could go on. I'm also sure that companies like national-net,techiemedia, etc... know their shit as well.
So your generalization its a bit biased.

[ladida]

Quote:

Originally Posted by darksoul

But there are a few that know their shit.
And yes the company I'm flying the sig for its one of them beeing run
by hardcore sysadmins which over the years dealt with sites
like ogrish,score-cash,webcams,spookycash,ebaumsworld and the list could go on. I'm also sure that companies like national-net,techiemedia, etc... know their shit as well.
So your generalization its a bit biased.

Yep, you're clueless, which is seen just from your answer, but you won't get it.
Anyway, which paysites does the company you're supporting currently host? I'd like to check something for you and educate you.

[borked]

what type of firewall are you running? if it's anything decent like pf, then ask your host to look into the packet filter logs to see where the bandwidth is going.

Also get ntop installed asap - that'll tell you where all the traffic is going.

If you need further help, hit me up on icq

[darksoul]

Quote:

Originally Posted by ladida

Yep, you're clueless, which is seen just from your answer, but you won't get it.
Anyway, which paysites does the company you're supporting currently host? I'd like to check something for you and educate you.

I'm far from clueless, but fortunately I don't have to prove that to some nobody on a message board.

[borked]

sorry - forgot to include a link: nTOP

[ladida]

Quote:

Originally Posted by darksoul

I'm far from clueless, but fortunately I don't have to prove that to some nobody on a message board.

As i guessed. GG

[darksoul]

Quote:

Originally Posted by ladida

As i guessed. GG

btw, I hope you don't consider bruteforcing a u/p as hacking

[ladida]

Quote:

Originally Posted by darksoul

btw, I hope you don't consider bruteforcing a u/p as hacking

Just shows how clueless you are.

[stef_girls18]

Parse the server logs and install additional logging, so you can track down the offending user.

[Mutt]

well it sounds like you're just being spoofed via one of the leased plugins - how any plugin companies are still using referer method is beyond me.

are you seeing a spike in the numbers of your own files in the members area being downloaded? if not then no doubt it's just simple spoofing to get into the plugins.

whick company leases these feeds http://www.revengetv.com/chop1/index2.php ?

[Mutt]

Quote:

Originally Posted by gleem

So I'm thinking I'm dealing with someone who is spoofing something to get in and send all his surfers through, but I'm not technical enough to figure it out, host is clueless and I'm eating 12x the normal bandwidth I should be.

12x the normal bandwidth for the leased feeds or your own bandwidth?

[gleem]

ok, turns out it was a " : " in the middle of the htaccess file that was indeed allowing anyone who entered blank u/p twice in.. so they never showed up as a user and it was all different IP's getting in not a proxy so it looked like legit traffic.

No the " : " wasn't there before in my htaccess, and I hadn't touched that file in months, the file had proper permissions, was like the server or someone else stuck it in there..

Sometimes I hate this biz, then again, it turns out to be something this simple that causes hours of frustration. crazy

[gleem]

Thanks to "PHP-CODER-FOR-HIRE" for trouble shooting this for me for like 5 hours too!

[LiveDose]

Glad you got it all firgured out.

[gleem]

actually it was a " : " user inserted into my htpasswd file by paycom back before June 23rd since it created a backup of my htpasswd file automatically and that was the time stamp of the backup.

my brain is gonna explode...

[venus]

hlad you got it going... I was going to suggest the last ditch effor of manually looking though your log files to see if you can spot something strange.
If I have a problem, thats where I go...

but now that all those people no longer have access you should keep that traffic by sending them to your join page, set your 401 error to go to a page, I made this one for people who do not have a valid password
http://www.landofvenus.com/401.html .. converts great for me.

[com]

Quote:

Originally Posted by gleem

Thanks to "PHP-CODER-FOR-HIRE" for trouble shooting this for me for like 5 hours too!

I don't mean to downplay anyone's efforts here; and I'm glad to hear this was taken care of however this should've taken your host or sysadmin much less than a half an hour to figgure out.

[fuzebox]

Quote:

Originally Posted by gleem

ok, turns out it was a " : " in the middle of the htaccess file that was indeed allowing anyone who entered blank u/p twice in..

A couple of people have come to me this week and it turned out to be the same thing... I'm wondering if someone has figured out how to exploit paycoms postback system to add these.

[gleem]

Quote:

Originally Posted by fuzebox

A couple of people have come to me this week and it turned out to be the same thing... I'm wondering if someone has figured out how to exploit paycoms postback system to add these.

Paycom completely denies it was their fault, says it was "corrupted file or failure to completely delete"

If it was an exploit someone figured out they did it to my file back in June, cause at the end of June I switched to SQL auth system and haven't used their postback since, 6/23 was the date that file was updated. guess I left the htpasswd file active cause it had a few members on it that were still active.

anyways, if you have a "bandwidth ghost" in your members area and you can't pin it to any one login or IP address, look for user " : " in your htpasswd file!

[PHP-CODER-FOR-HIRE]

Quote:

Originally Posted by com

I don't mean to downplay anyone's efforts here; and I'm glad to hear this was taken care of however this should've taken your host or sysadmin much less than a half an hour to figgure out.

Actually, there was more to it than just that username/password problem. I also implemented bandwidth/traffic restrictions, banned abusers manually by sifting through the logs, etc.

On top of that, this was a server I had never logged into before, so going into someone else's territory isn't quite the same as if I'd been using the system for months and knew the workings of the entire thing.

Thanks for the insult, though.