Old 12-21-2007, 02:21 PM   #51
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by A1R3K View Post
there's a couple scums here that hack affiliate databases for information. it's well known who a few of them are.
Exactly. Discussing the details of a security issue and the actions taken on it in a public forum, especially one with the member base we have here, is absurd.
Old 12-21-2007, 02:22 PM   #52
will76
Making $$$$ w/ ClickCash
Join Date: May 2003
Location: USA
Posts: 18,037
Quote:
Originally Posted by A1R3K View Post
there's a couple scums here that hack affiliate databases for information. it's well known who a few of them are.
who are they? names dammit!
__________________
ICQ: 86364801 Email: will [at] innovativeassets [dot] com

PROGRAM SHIT LIST - DO NOT PROMOTE (click link for gfy thread)
FNCash | Media Revenue
Old 12-21-2007, 02:22 PM   #53
Nookster
Confirmed IT Professional
Join Date: Nov 2005
Location: Hollywood, CA
Posts: 3,744
Quote:
Originally Posted by PBucksJohn View Post
If you heard the false rumors I hear about my company on a nearly daily basis you would understand why I get extremely frustrated when I see people start them.
Well, I do see some from time to time and yes, I even feel angry for you. I respect you guys (TMM) and NATS is simply an amazing piece of software that I only wish I could develop or even help develop. From one programmer to another, kudos for NATS.
Old 12-21-2007, 02:24 PM   #54
SiMpLe
Confirmed User
 
Join Date: Feb 2002
Location: Porn Central - California
Posts: 3,221
Quote:
Originally Posted by PBucksJohn View Post
Of course we have taken actions on things. I'm not going to discuss the details of which here in public. All it does is tip off those who are doing things to what is being done to combat those things. This is something that should be dealt with directly.

There will always be various security issues with all software as well as issues with clients' servers. Due to the install rate of NATS being far beyond any other affiliate software in this industry you are much more likely to hear about our issues than others.
So you have taken action and not alerted your clients? 4 of them have posted in this thread and if it wasn't for Christian stepping up, no one would know where to look. What does this have to do with how many installs you have for Christ's sake.

Idea - Why don't you step back from GFY - Type out a mass email to your clients right now and send it so they are aware of the exploit.

This is blowing me away sigh
__________________
Sean Holland
Vice President
OrbitalPay / Global Electronic Technology (GET)
SKYPE: iam.sean ::: sholland at orbitalpay.com
888-775-1500
Old 12-21-2007, 02:24 PM   #55
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by Nookster View Post
Well, I do see some from time to time and yes, I even feel angry for you. I respect you guys (TMM) and NATS is simply an amazing piece of software that I only wish I could develop or even help develop. From one programmer to another, kudos for NATS.
Thank you, I appreciate that. And I may seem to take things personally at times, but that is only because I take the quality of our products, as well as the success of our client's business and the protection of their livelihood very personally.
Old 12-21-2007, 02:26 PM   #56
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by SiMpLe View Post
So you have taken action and not alerted your clients? 4 of them have posted in this thread and if it wasn't for Christian stepping up, no one would know where to look. What does this have to do with how many installs you have for Christ's sake.

Idea - Why don't you step back from GFY - Type out a mass email to your clients right now and send it so they are aware of the exploit.

This is blowing me away sigh
Again, you don't know what actions we may or may not have taken. What we have do is based on the info we gather when something occurs.

I know you are also only trying to help here. An email will be going out shortly. Jumping the gun and misinforming people is a bad thing also.
Old 12-21-2007, 02:27 PM   #57
Nookster
Confirmed IT Professional
Join Date: Nov 2005
Location: Hollywood, CA
Posts: 3,744
Quote:
Originally Posted by PBucksJohn View Post
Thank you, I appreciate that. And I may seem to take things personally at times, but that is only because I take the quality of our products, as well as the success of our client's business and the protection of their livelihood very personally.
Completely understandable. No need to further explain yourself. Back to business!
Old 12-21-2007, 02:36 PM   #58
RazorSharpe
Confirmed User
Join Date: Aug 2001
Location: Scotland
Posts: 2,238
Quote:
Originally Posted by PBucksJohn View Post
I'm not saying we won't. I'm simply saying those who find an issue should contact us and make us aware of it. Discussing and posting the specific details of a security issue in a public forum helps no one.

There are approx. 400 - 500 NATS installs. Four are saying here they have had an issue and I would bet there are more being exploited by whoever this criminal is. It certainly does not mean every system has an issue. We are asking those who find an issue to contact us and deal directly with us.

I am not going to go through and dissect a security issue here on GFY.
I'm not asking you to make public what you want to do or even asking you to use this thread as a launchpad for alerting people to the issue. This is exactly why I suggested you email ALL your clients, myself included, and don't expect us to contact you.

This is a serious issue and one that needs to be handled expeditiously and I for one want to know how this happened and why it happened. This isn't a chance exploit of an admin account. The person knew enough to gain access to the NATS specific admin account and has done so on numerous installs that I currently know of. Based on this fact alone, you cannot blame any of us for thinking that it may perhaps have not been a security exploit but rather a leaked password.

Asking those who find an issue to contact you is kind of silly since it is now safe to assume that anyone who has not disabled the NATS account has been compromised or will be compromised in due course.

...
__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
Old 12-21-2007, 02:45 PM   #59
kristin
GOO!
Join Date: Sep 2002
Location: Back Home : )
Posts: 9,768
Mine is too long to post ...

But to give you a slight idea:

__________________
Vacares rules.

"Usually only fat guys have the kind of knowledge and ability that Kristin has."
Old 12-21-2007, 02:45 PM   #60
chri$tian
Confirmed User
Join Date: Aug 2003
Location: Charleston, SC
Posts: 2,468
This happened to our 2 NATS installs a few months ago, I was told to change my password, which I did. Well it happened again this week with a new IP logging in to my admin, I notified NATS and was told to change the password again. I have blocked any and all IPs on the server level except mine from accessing the admin now, as there is obviously a person able to get these passwords easily and steal any and all data anything they want.

No blame, just the facts. I suggest everyone have their admins do the same.
__________________
http://www.3dsex.com
Old 12-21-2007, 02:45 PM   #61
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by RazorSharpe View Post
I'm not asking you to make public what you want to do or even asking you to use this thread as a launchpad for alerting people to the issue. This is exactly why I suggested you email ALL your clients, myself included, and don't expect us to contact you.

This is a serious issue and one that needs to be handled expeditiously and I for one want to know how this happened and why it happened. This isn't a chance exploit of an admin account. The person knew enough to gain access to the NATS specific admin account and has done so on numerous installs that I currently know of. Based on this fact alone, you cannot blame any of us for thinking that it may perhaps have not been a security exploit but rather a leaked password.

Asking those who find an issue to contact you is kind of silly since it is now safe to assume that anyone who has not disabled the NATS account has been compromised or will be compromised in due course.

...
I am not going to do this on a public forum. You are more than welcome to contact us to discuss. As I have said, we will be sending an email out.
Old 12-21-2007, 02:52 PM   #62
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by AtlasChris View Post
This happened to our 2 NATS installs a few months ago, I was told to change my password, which I did. Well it happened again this week with a new IP logging in to my admin, I notified NATS and was told to change the password again. I have blocked any and all IPs on the server level except mine from accessing the admin now, as there is obviously a person able to get these passwords easily and steal any and all data anything they want.

No blame, just the facts. I suggest everyone have their admins do the same.
This is what we are going to be recommending to everyone today.

I feel it is not in anyone's best interest to discuss this in public. If anyone would like more details you are welcome to contact us.
Old 12-21-2007, 02:57 PM   #63
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
what the sweet fuck is going on then? I've been with NATS years and I would like to auto assume our data is just that, ours! We also have to abide by our UK data protection laws which if in this case was broken outside our control.

John what's going on??
__________________


ICQ - 421-515-010
Old 12-21-2007, 02:58 PM   #64
RazorSharpe
Confirmed User
Join Date: Aug 2001
Location: Scotland
Posts: 2,238
Quote:
Originally Posted by PBucksJohn View Post
I am not going to do this on a public forum. You are more than welcome to contact us to discuss. As I have said, we will be sending an email out.
do what on a public forum? I didn't ask you to do anything besides contact me.

...
__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
Old 12-21-2007, 03:04 PM   #65
macker
Confirmed User
 
Join Date: Jul 2003
Location: www.FetishAssets.com
Posts: 2,161
My install is also showing the NATS user as having been logging in often. I'm not aware of any reason why anybody from nats would be logging in without my knowledge.

Account deleted and ticket submitted to NATS.

I'll be following this thread closely.
Old 12-21-2007, 03:04 PM   #66
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
I've noticed last login on ours at - 12/21/07 16:32:16. John, explain why you as a company with you as its head needed to login to my install today, was something wrong with it?
__________________


ICQ - 421-515-010
Old 12-21-2007, 03:14 PM   #67
SiMpLe
Confirmed User
 
Join Date: Feb 2002
Location: Porn Central - California
Posts: 3,221
Quote:
Originally Posted by PBucksJohn View Post

I feel it is not in anyone's best interest to discuss this in public.
John all I have to say to that is THANK GOD IT CAME OUT IN PUBLIC TODAY. Cuz now you're going to do something about it and alert your clients.

Lots of my allies use NATS and I have alerted them to this thread so they can sweep their sites asap. These are my friends man - I'm doing my part in protecting them the best I can. Please do yours and send that email now before everyone goes away for the holidays. It's already 2:00 on the west coast, 5 on the east.
__________________
Sean Holland
Vice President
OrbitalPay / Global Electronic Technology (GET)
SKYPE: iam.sean ::: sholland at orbitalpay.com
888-775-1500
Old 12-21-2007, 03:15 PM   #68
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by tdfcash3 View Post
I've noticed last login on ours at - 12/21/07 16:32:16. John, explain why you as a company with you as its head needed to login to my install today, was something wrong with it?
Just because it was our account does not mean it was us who logged into your system. Please check the IP that login came from.
Old 12-21-2007, 03:15 PM   #69
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
The following email is going out to all NATS clients now:

Quote:
Dear NATS Client,

We have become aware of a security issue involving a few of our clients and would like to take this opportunity to aid you in improving the security of your NATS install. There are a number of ways that you can strengthen the security of your NATS install:

1. It is recommended that you IP restrict access to your NATS admin area through the NATS configuration. To set this up, you can place a comma separated list of IP addresses that you wish to allow access to your NATS admin in the ADMIN_IPS field in your configuration admin.

2. We have recently added a new feature that gives you the ability to have all requests to your admin area of NATS posted to a URL of your choice. These posts will include the IP and loginid of the user that is accessing any admin page. This will allow you to closely monitor all admin accesses to your install. Please put in a support ticket if you wish to be updated with this feature.

To be as secure as possible we will be initiating a password change for the TMM admin accounts on all NATS installs on which we have the ability to and we will no longer be storing these passwords at all. We have done this in the past with server access passwords and feel the best way to be as secure as possible is to extend this practice to admin logins also. This will of course cause us to need to contact you to grant access when we must perform anything on your install.

If you have any questions or require any assistance in setting up or changing your NATS configurations or passwords please post a ticket in our support system.

Thank you,
Too Much Media
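An added example (not part of any post and not NATS code) of two checks the email above points at: validating a comma-separated allowlist of the kind described for `ADMIN_IPS`, and auditing an admin account's login history given as `IP - YYYY-MM-DD HH:MM:SS` lines, the form members pasted in this thread. The sample addresses and timestamps are constructed, the function names are hypothetical, and the fixed-interval check goes beyond what the thread states.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample data: documentation address ranges, made-up timestamps.
SAMPLE_ADMIN_IPS = "203.0.113.10, 203.0.113.11"
SAMPLE_HISTORY = """\
203.0.113.10 - 2024-03-01 09:15:02
198.51.100.7 - 2024-03-01 01:05:10
198.51.100.7 - 2024-03-01 05:05:04
198.51.100.7 - 2024-03-01 09:05:12
198.51.100.7 - 2024-03-01 13:05:07
198.51.100.7 - 2024-03-01 17:05:09
192.0.2.44 - 2024-03-01 11:20:00
0.0.0.0 - 2024-02-28 22:10:33
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    reason: str                 # "not-allowlisted" or "source-not-recorded"
    count: int
    first_seen: datetime
    last_seen: datetime
    period_seconds: int | None  # set when logins arrive at a fixed interval


def parse_allowlist(field: str) -> set[ipaddress.IPv4Address]:
    """Parse a comma-separated list of single IPv4 addresses.

    Bad entries raise instead of being skipped, so a typo cannot silently
    change who is allowed. CIDR ranges are rejected because the email only
    mentions addresses (whether NATS accepts ranges is not stated).
    """
    allowed = set()
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        addr = ipaddress.IPv4Address(entry)  # ValueError on malformed input
        if addr.is_unspecified:
            raise ValueError("0.0.0.0 is not a usable allowlist entry")
        allowed.add(addr)
    if not allowed:
        raise ValueError("allowlist is empty")
    return allowed


def parse_history(text: str) -> list[tuple[ipaddress.IPv4Address, datetime]]:
    """Parse 'IP - YYYY-MM-DD HH:MM:SS' lines into (address, time) pairs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip_part, _, ts_part = line.partition(" - ")
        when = datetime.strptime(ts_part.strip(), "%Y-%m-%d %H:%M:%S")
        rows.append((ipaddress.IPv4Address(ip_part.strip()), when))
    return rows


def fixed_period(times: list[datetime], tolerance_s: int = 300,
                 min_logins: int = 4) -> int | None:
    """Return the interval in seconds if the logins are evenly spaced.

    Evenly spaced logins suggest a scheduled script rather than a person.
    """
    if len(times) < min_logins:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    if mid > 0 and all(abs(gap - mid) <= tolerance_s for gap in gaps):
        return round(mid)
    return None


def audit(history_text: str, admin_ips_field: str) -> list[Finding]:
    """Report every source address that is not on the allowlist."""
    allowed = parse_allowlist(admin_ips_field)
    seen = defaultdict(list)
    for ip, when in parse_history(history_text):
        if ip not in allowed:
            seen[ip].append(when)
    findings = []
    for ip in sorted(seen):
        times = sorted(seen[ip])
        # Assumption: 0.0.0.0 means the application did not record the
        # client address; the thread does not explain these entries.
        reason = "source-not-recorded" if ip.is_unspecified else "not-allowlisted"
        findings.append(Finding(str(ip), reason, len(times),
                                times[0], times[-1], fixed_period(times)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HISTORY, SAMPLE_ADMIN_IPS):
        cadence = f"every ~{f.period_seconds}s" if f.period_seconds else "irregular"
        print(f"{f.ip:15} {f.reason:20} x{f.count} {f.first_seen} .. {f.last_seen} {cadence}")
```

Any finding on a vendor or support account is a reason to rotate that account's password and review what the session accessed, not just to block the address.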
Old 12-21-2007, 03:25 PM   #70
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
John - can I remove the user?
Old 12-21-2007, 03:30 PM   #71
quantum-x
Confirmed User
 
Join Date: Feb 2002
Location: ICQ: 251425 Fr/Au/Ca
Posts: 6,863
Woop, mass NATS email:
Dear NATS Client,

We have become aware of a security issue involving a few of our clients and would like to take this opportunity to aid you in
improving the security of your NATS install. There are a number of ways that you can strengthen the security of your NATS
install:

1. It is recommended that you IP restrict access to your NATS admin area through the NATS configuration. To set this up, you
can place a comma separated list of IP addresses that you wish to allow access to your NATS admin in the ADMIN_IPS field in
your configuration admin.

2. We have recently added a new feature that gives you the ability to have all requests to your admin area of NATS posted to a
URL of your choice. These posts will include the IP and loginid of the user that is accessing any admin page. This will allow
you to closely monitor all admin accesses to your install. Please put in a support ticket if you wish to be updated with this
feature.

To be as secure as possible we will be initiating a password change for the TMM admin accounts on all NATS installs on which we
have the ability to and we will no longer be storing these passwords at all. We have done this in the past with server access
passwords and feel the best way to be as secure as possible is to extend this practice to admin logins also. This will of
course cause us to need to contact you to grant access when we must perform anything on your install.
If you have any questions or require any assistance in setting up or changing your NATS configurations or passwords please post
a ticket in our support system.

Thank you,
Too Much Media
Old 12-21-2007, 03:31 PM   #72
SiMpLe
Confirmed User
 
Join Date: Feb 2002
Location: Porn Central - California
Posts: 3,221
Quote:
Originally Posted by quantum-x View Post
Woop, mass NATS email:
__________________
Sean Holland
Vice President
OrbitalPay / Global Electronic Technology (GET)
SKYPE: iam.sean ::: sholland at orbitalpay.com
888-775-1500
Old 12-21-2007, 03:34 PM   #73
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
Quote:
Originally Posted by PBucksJohn View Post
Just because it was our account does not mean it was us who logged into your system. Please check the IP that login came from.
you are correct, the ip i got was a UK coming from a server on theplanet, the whois i got is http://www.whois.net/whois_new.cgi?d=Rapidnetuk&tld=com anyone else get the same?
__________________


ICQ - 421-515-010
Old 12-21-2007, 03:37 PM   #74
RazorSharpe
Confirmed User
Join Date: Aug 2001
Location: Scotland
Posts: 2,238
Quote:
Originally Posted by PBucksJohn View Post
Just because it was our account does not mean it was us who logged into your system. Please check the IP that login came from.
was it an ex NATS employee?
__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
Old 12-21-2007, 03:44 PM   #75
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
it looks and smells like an inside job to me, everyone's got the same IPs showing up, no chance this is a random event!
__________________


ICQ - 421-515-010
Old 12-21-2007, 03:44 PM   #76
justsexxx
Too lazy to set a custom title
 
Join Date: Aug 2001
Location: The Netherlands
Posts: 13,723
Had the same... I was on my own paysite as member to check if mails would come in etc. Within a few days I received spam!

It really sucks hard, and I'm sure many sites are affected. The one who made the script knows exactly what he/she did, and I'm sure he/she is making a LOT of money with those emails.

And I understand NATS doesn't want to discuss it on a public forum. But an email to customers would be welcome (which is sent now).

I am just curious if this was not posted if it would have arrived that fast too...
__________________
Questions?

ICQ: 125184542
Old 12-21-2007, 03:55 PM   #77
Luca_Triple 10
Confirmed User
 
Join Date: Jun 2007
Location: South Florida
Posts: 696
67.19.188.250 - 2007-12-21 16:02:46
17 times...

rapidnetuk.com
Country United States
State/Region TX
City Dallas
Postal Code 75207
Latitude 32.7825
Longitude -96.8207
Area Code 214

69.94.70.187 - 2007-12-18 04:03:39
1 time...

65.110.53.100 - 2007-12-17 18:14:40
14 times...

Country Greece

0.0.0.0 - 2007-12-14 04:04:20
about 30 times up to Dec. 1st.

Account Deleted.

No accusations, just want to get my info out there to try and help remedy the situation.
Old 12-21-2007, 03:59 PM   #78
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
this issue is more than emails, whoever is behind it has had access to sales data, members' details. I've been having a run of passwords blocked by proxy pass or having more than 3 country IPs, these passes were for rock solid affiliates etc. Kinda makes sense now, someone's been using other data as well, this really sucks!
__________________


ICQ - 421-515-010
Old 12-21-2007, 04:02 PM   #79
kristin
GOO!
Join Date: Sep 2002
Location: Back Home : )
Posts: 9,768
Quote:
Originally Posted by tdfcash3 View Post
this issue is more than emails, whoever is behind it has had access to sales data, members' details. I've been having a run of passwords blocked by proxy pass or having more than 3 country IPs, these passes were for rock solid affiliates etc. Kinda makes sense now, someone's been using other data as well, this really sucks!
What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.
__________________
Vacares rules.

"Usually only fat guys have the kind of knowledge and ability that Kristin has."

Last edited by kristin; 12-21-2007 at 04:03 PM..
Old 12-21-2007, 04:05 PM   #80
HouseHead
Confirmed User
 
Join Date: Aug 2003
Location: Aim - Hydromorphone
Posts: 5,539
looks serious
__________________
The Sexiest place to Buy & Sell Adult Ads - JuicyAds is where YOUR profits matter!

---> SPOTS AVAILABLE
:|: SIGN UP RIGHT NOW <---
Old 12-21-2007, 04:06 PM   #81
chri$tian
Confirmed User
Join Date: Aug 2003
Location: Charleston, SC
Posts: 2,468
Quote:
Originally Posted by kristin View Post
What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.
__________________
http://www.3dsex.com
Old 12-21-2007, 04:09 PM   #82
TheSenator
Too lazy to set a custom title
Join Date: Feb 2003
Location: NJ
Posts: 13,332
Quote:
Originally Posted by AtlasChris View Post
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.

I am not sure how NATS works from the inside. If they have admin access, do they also have access to affiliate info as well?
__________________
ISeekGirls.com since 2005
Old 12-21-2007, 04:10 PM   #83
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
Quote:
Originally Posted by AtlasChris View Post
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.
Exactly and how many sponsors are we talking, how much info in total has been compromised?
__________________


ICQ - 421-515-010
Old 12-21-2007, 04:12 PM   #84
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by Trixxxia View Post
John - can I remove the user?
Yes, you can of course.
Old 12-21-2007, 04:15 PM   #85
TMM_John
Confirmed User
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by RazorSharpe View Post
was it an ex NATS employee?
We have nothing that leads us to believe that. Everything indicates that it is an outside person who has accessed passwords somehow. There are a number of ways some of these passwords may have been compromised including but not limited to them getting the admin password by accessing a client's server and taking it from the DB. Passwords in NATS3 are 2 way encrypted. This is changed to 1 way encryption in NATS4 and we are also going to be putting out a patch for NATS3 which changes this to one way encryption.
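The difference between the "2 way" and "1 way" password storage described in the post above, as an added example that is not part of the original thread and is not NATS code. The thread does not say which cipher or hash NATS uses, so a toy SHA-256 keystream stands in for the reversible scheme and PBKDF2-HMAC-SHA256 for the one-way scheme; all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed illustration; the thread does not say which cipher or hash NATS uses.
PBKDF2_ROUNDS = 600_000  # assumption: a common modern work factor


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream, a stand-in for any reversible cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_two_way(password: str, key: bytes) -> bytes:
    """Reversible storage: nonce + ciphertext, key kept in the app config."""
    nonce = os.urandom(16)
    data = password.encode()
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def recover_two_way(record: bytes, key: bytes) -> str:
    """Anyone holding the row and the key gets the plaintext back."""
    nonce, ct = record[:16], record[16:]
    stream = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def store_one_way(password: str) -> bytes:
    """One-way storage: random salt + PBKDF2 digest, no key to steal."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_one_way(password: str, record: bytes) -> bool:
    """Login check recomputes the digest; the password itself is never stored."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

A stolen one-way record can still be attacked by offline guessing, which is why the per-record salt and the work factor matter.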
Old 12-21-2007, 04:16 PM   #86
Luca_Triple 10
Confirmed User
 
 
Join Date: Jun 2007
Location: South Florida
Posts: 696
additional info... not sure how important it is:

Joined: 12/21/07 17:03:59
Last Login: 12/21/07 16:02:46

I've had nats since about July... but the user naqIPksxjBioBI who was admin since time of install says joined today. ???
Old 12-21-2007, 04:19 PM   #87
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by Luca_Triple 10 View Post
additional info... not sure how important it is:

Joined: 12/21/07 17:03:59
Last Login: 12/21/07 16:02:46

I've had nats since about July... but the user naqIPksxjBioBI who was admin since time of install says joined today. ???
It says it logged in today or it says it joined today? It would much better assist us and you to contact us and work with us on resolving the issue rather than just posting all of the info you find here. The person doing these things may very well monitor here.
Old 12-21-2007, 04:22 PM   #88
kristin
GOO!
 
Join Date: Sep 2002
Location: Back Home : )
Posts: 9,768
Quote:
Originally Posted by AtlasChris View Post
If they have an admin user and pass they would have full access to EVERYTHING you have access to, think about it... Not good.
Oh I know, that's why I'm surprised people are only going off about the emails.

Think of all the other info they had access to ...
__________________
Vacares rules.

"Usually only fat guys have the kind of knowledge and ability that Kristin has."
Old 12-21-2007, 04:23 PM   #89
Luca_Triple 10
Confirmed User
 
 
Join Date: Jun 2007
Location: South Florida
Posts: 696
Quote:
Originally Posted by PBucksJohn View Post
It says it logged in today or it says it joined today? It would much better assist us and you to contact us and work with us on resolving the issue rather than just posting all of the info you find here. The person doing these things may very well monitor here.
it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.
Old 12-21-2007, 04:24 PM   #90
kristin
GOO!
 
Join Date: Sep 2002
Location: Back Home : )
Posts: 9,768
Quote:
Originally Posted by TheSenator View Post
I am not sure how NATS works from the inside. If they have admin access, do they also have access to affiliate info as well?
They would have access to that, yes.
__________________
Vacares rules.

"Usually only fat guys have the kind of knowledge and ability that Kristin has."
Old 12-21-2007, 04:25 PM   #91
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by Luca_Triple 10 View Post
it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.
Thank you. We are doing a mass change of any password our guys have, but I believe that should not affect the join date. I appreciate your help on this.
Old 12-21-2007, 04:26 PM   #92
chri$tian
Confirmed User
 
Join Date: Aug 2003
Location: Charleston, SC
Posts: 2,468
Quote:
Originally Posted by tdfcash3 View Post
Exactly and how many sponsors are we talking, how much info in total has been compromised?
With this post and the people I have spoken with personally, it's about 10 to 15 confirmed. But ya have to think it many more, if it's that easy. After everything is changed and locked down on the server level, there won't be any, easy fix.
__________________
http://www.3dsex.com
Old 12-21-2007, 04:26 PM   #93
SiMpLe
Confirmed User
 
 
Join Date: Feb 2002
Location: Porn Central - California
Posts: 3,221
Quote:
Originally Posted by justsexxx View Post
Had the same...I was on my own paysite as member to check if mails would come in etc. Within a few days I received spam!

It really sucks hard, and I'm sure many sites are affected. The one who made the script, knows exactly what he/she did, and I'm sure he/she is making a LOT of money with those emails.

And I understand NATS doesn't want to discuss it on a public forum. But an email to customers would be welcome (which is sent now)

I am just curious if this was not posted if it would have arrived that fast too...
This is not new as of today justsexxx as I've found out from current nats clients this has affected in the past. But NATS did finally alert every single one of their clients to this issue on 12/21/07 - Merry Xmas

The ICQ's I have been getting all day are fucking unreal as to who knew about the exploit as it affected them as far back as a YEAR. This has been going on for a long time to lots of programs and I am totally disgusted right now.

Take it a step further - The programs benefiting from these lists being used/mailed promoting their products. Anyone here feeling fucking violated?

John again thank you for your support and getting that email out. I'm still shaking my head as to why it took you so long. You've known about this for a long time there is 100% no question about that. But at least you did it and now people are aware and can lock down to stop this shit.

Instead of covering this issue up you now look like a hero just from that one email. Go figure
__________________
Sean Holland
Vice President
OrbitalPay / Global Electronic Technology (GET)
SKYPE: iam.sean ::: sholland at orbitalpay.com
888-775-1500
Old 12-21-2007, 04:31 PM   #94
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
Quote:
Originally Posted by AtlasChris View Post
With this post and the people I have spoken with personally, it's about 10 to 15 confirmed. But ya have to think it many more, if it's that easy. After everything is changed and locked down on the server level, there won't be any, easy fix.
yeh I've just swapped all details on current admins and disabled the nats admin, I'll look over their other info to secure it.
__________________


ICQ - 421-515-010
Old 12-21-2007, 04:32 PM   #95
TampaToker
Confirmed User
 
Join Date: May 2006
Location: Tampa
Posts: 5,827
Quote:
Originally Posted by Luca_Triple 10 View Post
it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.
Showing they joined today as well.........
__________________
Icq 247-742-205
Old 12-21-2007, 04:32 PM   #96
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by SiMpLe View Post
This is not new as of today justsexxx as I've found out from current nats clients this has affected in the past. But NATS did finally alert every single one of their clients to this issue on 12/21/07 - Merry Xmas

The ICQ's I have been getting all day are fucking unreal as to who knew about the exploit as it affected them as far back as a YEAR. This has been going on for a long time to lots of programs and I am totally disgusted right now.

Take it a step further - The programs benefiting from these lists being used/mailed promoting their products. Anyone here feeling fucking violated?

John again thank you for your support and getting that email out. I'm still shaking my head as to why it took you so long. You've known about this for a long time there is 100% no question about that. But at least you did it and now people are aware and can lock down to stop this shit.

Instead of covering this issue up you now look like a hero just from that one email. Go figure
What we have found in the past led us to believe it was not widespread and that we could prevent it via doing what we did. I think we prevented a lot of it and I do not believe it is as widespread as some people here seem to enjoy making it out to be. As we have now seen the issue pop up again we have taken even further action against any problems continuing.

Nothing is going to prevent this from happening 100% in the future. The average server security in this industry is horrible. And many people with very bad security insist they know everything about it and are 100% secure. We have assisted a number of clients privately in helping them secure their servers which they claimed were bullet proof.

Unfortunately we are dealing with criminals here. They will continue to hack servers, be they NATS clients, clients of other software, or whatever. If NATS could magically prevent people's servers from being compromised I would be a very retired man.
Old 12-21-2007, 04:34 PM   #97
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by TampaToker View Post
Showing they joined today as well.........
Please submit a ticket also so we can have our guys get a good look. This is making me worry someone is somehow injecting these. Our code is routinely audited for SQL injections however that doesn't guarantee there are other ways to do it, or that someone is doing it directly to your MySQL server or in some other way. Please get a ticket submitted so we can take a look.
Old 12-21-2007, 04:38 PM   #98
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
According to Fred in v3 the Join Date you are being shown is the date the account info was last modified and it is the password update that is causing the dates to be showing as today.
Old 12-21-2007, 04:39 PM   #99
jcsike
Confirmed User
 
Join Date: Jan 2006
Posts: 689
Quote:
Originally Posted by PBucksJohn View Post
If NATS could magically prevent people's servers from being compromised I would be a very retired man.
through your username/password, you mean. you couldn't call up your clients, one at a time and ask them to change the pw and upgrade their security?
__________________
Old 12-21-2007, 04:41 PM   #100
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by jcsike View Post
through your username/password, you mean. you couldn't call up your clients, one at a time and ask them to change the pw and upgrade their security?
Those who we had an indication had a problem were notified. And we changed all passwords.

It is my belief that someone is accessing the server that NATS is on and retrieving the admin password directly from the server. Then using that password in whatever script they have to log in, as it is less obvious than them accessing your box directly on a regular basis.

We are however changing our policy to no longer keep any NATS admin passwords as we have done with SSH info in the past to be sure it is not something on our end.