Old 12-22-2007, 10:15 AM   #1
milan
Confirmed User
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
***** NATS Issue - What we know about it *****

After many MANY emails and VM's I will post what OC3 Networks discovered back in October after a routine audit of 2 of our clients' security.

We know this issue has existed since mid Aug 2007, secured our customers and blocked the intruder IP's from any access to our network.

We posted the thread http://www.gfy.com/showthread.php?t=779742 and got some lawsuit threat to sue us that we could have cared less... BUT when our customers that we tracked the breach on their servers got threats as well and requested us to NOT come out public with it, we honored their request.

Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened...


Credit for this below info should go to our SUPER SYSADMIN/Security fanatic Dale that has never posted on this board so I'm doing this for him. He wanted to come out with this long ago!
=====
The issue with this "intruder" does not seem to be an exploit of the NATS software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That's what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had months to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.

I've been involved with a high number of NATS clients and have found the following to be true:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
*) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
*) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=#### ##". You will see a number of those hits in sequential order.
*) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.

I have some suggestions for people using NATS:
*) Change all your admin level passwords.
*) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
*) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with apache easily (syntax depends on your version. this is for 2.0):
<Files "admin*">
Order deny,allow
Deny from all
Allow from your.ip.addr.here
</Files>
*) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
*) Be thankful of many things I'll not get into.


P.S. I'm hearing that there is a backdoor that TMM can use to get into your NATS, but I haven't investigated so it's speculation. Only reason I even mention this is because NATS is encrypted and you don't know. I'm not interested in decrypting NATS just to find out. There are other ways. I hope this isn't true.
__________________
QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
24/7 "REALLY ON-SITE" Support - Completely Premium Network
Public & Private Network, Remote Reboot, Private VLANs
99.99% Guaranteed Network Uptime / BGP4 Multihomed
24/7 LIVE CHAT, Phone and Ticket Support
1-888-5-QUADRA
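The web-log check suggested in the post above, as an added example that is not part of the original thread: it scans access-log lines for `admin_reports.php?report=surfer_stats&member=N` hits, groups them by client IP, flags runs of sequential member IDs, and reports sources whose sweeps recur about hourly. The Apache combined log format, the thresholds, the function names and the sample lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Prefix of an Apache common/combined log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_hit(line):
    """Return (ip, time, member_id, status) for a surfer_stats hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        url = urlsplit(m.group("target"))
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:  # malformed request target or timestamp
        return None
    if not url.path.endswith("/admin_reports.php"):
        return None
    query = parse_qs(url.query)
    member = query.get("member", [""])[0]
    if query.get("report") != ["surfer_stats"] or not re.fullmatch(r"[0-9]+", member):
        return None
    return m.group("ip"), when, int(member), int(m.group("status"))


def find_sweeps(lines, min_run=5):
    """Flag runs of >= min_run consecutive member IDs requested by one IP."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse_hit(line)
        if hit:
            by_ip[hit[0]].append(hit[1:])
    sweeps = []
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])  # chronological; stable within a second
        run = []
        for hit in hits + [None]:  # the trailing None flushes the final run
            if run and hit is not None and hit[1] == run[-1][1] + 1:
                run.append(hit)
                continue
            if len(run) >= min_run:
                sweeps.append({
                    "ip": ip,
                    "first_member": run[0][1],
                    "last_member": run[-1][1],
                    "count": len(run),
                    # 200s mean the report was served; 403s mean an IP
                    # restriction on admin*.php is doing its job.
                    "served": sum(1 for h in run if h[2] == 200),
                    "start": run[0][0],
                    "end": run[-1][0],
                })
            run = [hit] if hit is not None else []
    return sweeps


def hourly_sources(sweeps, tolerance_s=120):
    """Return IPs whose sweeps start roughly 3600 seconds apart."""
    starts = defaultdict(list)
    for sweep in sweeps:
        starts[sweep["ip"]].append(sweep["start"])
    hourly = []
    for ip, times in starts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and all(abs(g - 3600) <= tolerance_s for g in gaps):
            hourly.append(ip)
    return hourly


def sample_log():
    """Constructed sample: two hourly sweeps from one IP plus normal admin use."""
    fmt = ('{ip} - - [{ts}] "GET /admin_reports.php?report=surfer_stats'
           '&member={m} HTTP/1.1" 200 5120 "-" "-"')
    lines = []
    for hour in (3, 4):
        for i in range(6):
            ts = "22/Dec/2007:%02d:00:%02d -0800" % (hour, i)
            lines.append(fmt.format(ip="203.0.113.7", ts=ts, m=1000 + i))
    # A human admin looking at two unrelated members, then another page.
    lines.append(fmt.format(ip="198.51.100.20", ts="22/Dec/2007:03:15:09 -0800", m=4412))
    lines.append(fmt.format(ip="198.51.100.20", ts="22/Dec/2007:03:19:41 -0800", m=87))
    lines.append('198.51.100.20 - - [22/Dec/2007:03:20:02 -0800] '
                 '"GET /index.php HTTP/1.1" 200 900 "-" "-"')
    return lines


if __name__ == "__main__":
    found = find_sweeps(sample_log())
    for s in found:
        print(s["ip"], s["start"].isoformat(), "members",
              s["first_member"], "-", s["last_member"], "served:", s["served"])
    print("hourly sources:", hourly_sources(found))
```

To run it on a real log, pass the open file object to `find_sweeps` instead of `sample_log()`.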
Old 12-22-2007, 10:37 AM   #2
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Amazing this has been happening SO fucking long and nobody knew about it because of Nats crying about lawsuits all over the place.
Old 12-22-2007, 10:39 AM   #3
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by milan View Post
We know this issue has existed since mid Aug 2007, secured our customers and blocked the intruder IP's from any access to our network.

We posted the thread http://www.gfy.com/showthread.php?t=779742 and got some lawsuit threat to sue us that we could have cared less... BUT when our customers that we tracked the breach on their servers got threats as well and requested us to NOT come out public with it, we honored their request.
This is just nuts.

Reminds me very much of GTS and Mark and how they operate. Say anything bad about them and he will "destroy your business". Point out they are working with scammers and you'll get "banned" etc.
Old 12-22-2007, 10:53 AM   #4
Snake Doctor
I'm Lenny2 Bitch
Join Date: Mar 2001
Location: On top of my soapbox
Posts: 13,449
Wowsers, nice work OC3
__________________
sig too big
Old 12-22-2007, 10:58 AM   #5
baddog
So Fucking Banned
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
kudos to Dale
Old 12-22-2007, 10:58 AM   #6
SmokeyTheBear
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
p.s.

ip's of interest

67.19.188.250
67.84.12.95
69.94.70.187
66.118.176.86
82.199.118.23
__________________
hatisblack at yahoo.com
Old 12-22-2007, 10:59 AM   #7
3xTom
Confirmed User
Join Date: Dec 2002
Posts: 1,610
That guy needs a raise
Old 12-22-2007, 11:00 AM   #8
HS-Trixxxia
Confirmed User
 
Join Date: Mar 2002
Location: Montreal Canada
Posts: 2,946
milan & OC3 - Thanks for that vital information.

OH how can I not mention DALE Thank you for keeping a vigilant eye!
__________________

~~~~~~~~~~~~~~~~~~
Patrizia
COO - MassiveDollars
Email: patrizia at MassiveDollars dot com
ICQ: 465.826.441 Yahoo: trixxxia_me MSN: trixxxia at hotmail dot com

Last edited by HS-Trixxxia; 12-22-2007 at 11:01 AM..
Old 12-22-2007, 11:03 AM   #9
JOKER
Facit Omnia Voluntas
Join Date: Apr 2003
Location: Offshore
Posts: 2,105
Thanx a LOT Milan and Dale for getting to the bottom of this AND sharing it with GFY

From your point of view - has the affiliates' info been extracted / compromised as well, or is this unlikely?

Again, thanx a LOT for going public with this.

Steve
__________________
Facilitation - BizDev - Traffic - Consulting - Marketing
Skype: jokerempire | Silent Circle: joker

Old 12-22-2007, 11:05 AM   #10
milan
Confirmed User
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by JOKER | JOKEREMPIRE Inc. View Post
Thanx a LOT Milan and Dale for getting to the bottom of this AND sharing it with GFY

From your point of view - has the affiliates' info been extracted / compromised as well, or is this unlikely?

Again, thanx a LOT for going public with this.

Steve
The bot has FULL ADMIN access to what you have so YES this is very likely.

BTW we have null routed those 5-6 IP's from any access to our network long ago, other ISP's should follow.
Old 12-22-2007, 11:12 AM   #11
Sebastian Sands
Confirmed User
Join Date: Mar 2005
Location: ICQ: 211-417-740
Posts: 5,223
you guys go above and beyond, I am happy I have some of my stuff hosted with you guys. I know it's in good hands.
Old 12-22-2007, 11:13 AM   #12
dropped9
Registered User
Join Date: Jan 2001
Location: Your moms box
Posts: 26,727
holy shit this isnt good...
Old 12-22-2007, 11:17 AM   #13
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Isnt anybody amazed this has been going on since august? How come a hosting company knows about this and the owners of the software didnt? For 4 months already?
Old 12-22-2007, 11:19 AM   #14
milan
Confirmed User
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by Dirty F View Post
Isnt anybody amazed this has been going on since august? How come a hosting company knows about this and the owners of the software didnt? For 4 months already?
Well they DID know... at least from October when we told them (seem like they knew already) if you read the post above. I still have respect for the idea that security issues should be secret until they're fixed. Even tho TMM hasn't fixed their issue.
Old 12-22-2007, 11:24 AM   #15
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by milan View Post
Well they DID know... at least from October when we told them (seem like they knew already) if you read the post above. I still have respect for the idea that security issues should be secret until they're fixed. Even tho TMM hasn't fixed their issue.
Ok let me put it this way: Isn't anybody surprised they knew about this and didn't fix it?? I just can't think of one reason for that.
Old 12-22-2007, 11:31 AM   #16
JOKER
Facit Omnia Voluntas
Join Date: Apr 2003
Location: Offshore
Posts: 2,105
Quote:
Originally Posted by milan View Post
The bot has FULL ADMIN access to what you have so YES this is very likely.

BTW we have null routed those 5-6 IP's from any access to our network long ago, other ISP's should follow.
That's what I suspected as well.

Not good, at all.

Will I see eMails / Newsletters of the programs that I'm signed up with that my info has been compromised and my Identity / Banking Info / ePass info has been stolen?

Well, let's just say I doubt it, but I still HOPE that they will be honest about it.

I've already started to ask some of the program owners that I'm signed up with if they had that issue - but to be honest, it shouldn't be MY job to ask them if my info is / was secure, but theirs to inform me that I've got a serious problem now and need to change all this data / info.

Just my
Old 12-22-2007, 11:33 AM   #17
milan
Confirmed User
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by Dirty F View Post
Ok let me put it this way: Isn't anybody surprised they knew about this and didn't fix it?? I just can't think of one reason for that.
I believe they tried/trying to fix the security breach in house and hoped to do that BEFORE this exploded. bad judgment in my opinion.

Easier to notify customer of the issue
Old 12-22-2007, 11:34 AM   #18
TheDoc
Too lazy to set a custom title
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
Need to add:

1) Using the ADMIN_IPS security settings within the NATS Config Admin stops unauthorized IP's from entering, viewing, or getting any Admin related documents or data.

IP LOCK YOUR ADMIN AREA - It's a built in feature within NATS.

2) NATS IP is: 67.84.12.95

3) When NATS is done updating they tell you to change passwords. This is a great time to change the NATS PW and set the account status to normal. You should already be changing your FTP/SSH pw each time, which nats tells you to do.
__________________
~TheDoc - ICQ7765825
It's all disambiguation
Old 12-22-2007, 11:36 AM   #19
BOSS1
Confirmed User
Join Date: Sep 2005
Location: Montreal / Sparta
Posts: 4,331
bookmarked
__________________

NEW SITE: Stockings Kingdom
Lesbians in Latex, Lesbians in Stockings, Granny Sex, BDSM Porn, Latex and Sex, Custom Foot Fetish, Femdom Movies and Kinky Porn Pass.
300+ hosted flvs, 500+ hosted galleries, Page Peel ADs.. NATS export and payouts twice a month
Old 12-22-2007, 12:01 PM   #20
CurrentlySober
Too lazy to wipe my ass
Join Date: Aug 2002
Location: A Public Bathroom
Posts: 38,549
i like elephants
__________________


👁️ 👍️ 💩
Old 12-22-2007, 12:02 PM   #21
DWB
Registered User
Join Date: Jul 2003
Location: Encrypted. Access denied.
Posts: 31,779
Old 12-22-2007, 12:15 PM   #22
D
Confirmed User
Join Date: Jan 2006
Location: The Valley
Posts: 7,412
Good info.
__________________
-D.
ICQ: 202-96-31
Old 12-22-2007, 12:23 PM   #23
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Thanks for handling this responsibly, contacting NATS first and then going to full disclosure mode only when it became necessary. As a security professional who works with a lot of NATS sites, and someone who has previously raised questions about the security implications of having that kind of data on the web server at all as well as specific concerns about NATS, this is of great interest to me and leaves me with a question.

Most of the "symptoms" you describe could be explained by a simpler problem than that "*Someone* has access to TMM's clients database with your admin logins and passwords.". There are numerous other ways for a cracker to get the admin user name and password. Most webmasters choose poor passwords, with "admin:admin" being common, as are certain variations on that. You don't have to crack TMM's database to get in when the password is that obvious. Most webmasters use passwords based on English words, such a dictionary attack is simple enough. More likely, any PHP script anywhere on the server might be exploited and used to read the password from the database. Based on what you've posted, the only evidence that the bad guy(s) have access to the TMM database is:

Quote:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
Is that a solid pattern that you saw repeatedly, or is it a case where it happened one time that the cracker definitely was gone and then came back shortly after TMM was given admin access?


Quote:
Just as a side info, I think NATS is a great product and
...
I'm not posting this to bash TMM.

Agreed - they have an impressive product and the current crop of people there seem to be good people. Some on this board know we once had some intellectual property concerns regarding the actions of someone who no longer works there, but that's been properly taken care of by TMM. My interest is in helping webmasters who use NATS and TMM to take care of any problems so that everyone can get back to the business of getting the porn to the people.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
Old 12-22-2007, 02:16 PM   #24
minusonebit
So Fucking Banned
 
Join Date: Feb 2006
Posts: 7,391
Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses. Add this to the list of reasons why I am glad I use a taxpayer ID for program signups.

Now, the question that remains in my mind is two fold:

1. Why is TMM sitting on their goddamned asses with regard to this?
2. Milan, why did you give them as long as you did to fix this before letting it out?

This is a serious issue and you giving them three fucking months to address it before going public with it is way too damn long. They should have had 48 hours - maximum - to address it. You're right, they should have notified the customers. Their failure to do that is another nail in their coffin. And right after they bought SegPay? Hah, now there is one billing company I'll never do business with.

Fuck TMM's reputation and the damage that releasing this after 48 hours would have caused, let me be the first to say that I don't give a good goddamn about that at all. When privacy and security and people having access to private data is concerned, the reputation of the companies involved does not matter, the security of the data in a timely manner trumps all ego concerns.

This industry worries way too fucking much about the reputation of other companies when it comes to shit like this. When something stinks, the dirty laundry needs to be aired now, not after three months of back room pleasantries and friendly chats.

Last edited by minusonebit; 12-22-2007 at 02:18 PM..
Old 12-22-2007, 02:18 PM   #25
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by minusonebit View Post
Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses.

Ommmmggg the irony

Holy shit! Im sure now, youre fucked in your head.
Old 12-22-2007, 02:28 PM   #26
minusonebit
So Fucking Banned
 
Join Date: Feb 2006
Posts: 7,391
Quote:
Originally Posted by Dirty F View Post
Ommmmggg the irony

Holy shit! Im sure now, youre fucked in your head.
Shut the fuck up you piece of rotting rat shit. I am tired of listening to you yammer on about the password non-issue. You are using it for sig views and its getting old. Why don't you go back to fucking Juicy's dog and get off my nuts you stupid, two bit, good for nothing, ain't worth a shit pile of rat droppings?
Old 12-22-2007, 02:31 PM   #27
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by minusonebit View Post
Shut the fuck up you piece of rotting rat shit. I am tired of listening to you yammer on about the password non-issue. You are using it for sig views and its getting old. Why don't you go back to fucking Juicy's dog and get off my nuts you stupid, two bit, good for nothing, ain't worth a shit pile of rat droppings?
Non issue? Oh yeah i forgot what you said for a minute:
Posting 300 passwords, usernames, full names, telephone numbers, addresses didnt do any harm.

Silly me, how could i forget that
Old 12-22-2007, 02:36 PM   #28
AlienQ - BANNED FOR LIFE
best designer on GFY
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
Quote:
Originally Posted by AlienQ View Post
Legal action?

Bring it LOL! I beg for it. What I am saying is not false. Its all 100% true and there is not shit you can say or do otherwise that prove what I am saying is false.

I am looking here on how it went down on GFY regarding the porngraph heist. Hell I was active when that scam went down.

Next you are trying to tell me NATS never had core access to its clients?

HAha! OMG
ALIEN
http://www.gofuckyourself.com/showth...ight=Porngraph
Posted 01-16-2006, 12:53 PM
Old 12-22-2007, 02:37 PM   #29
minusonebit
So Fucking Banned
 
Join Date: Feb 2006
Posts: 7,391
Quote:
Originally Posted by Dirty F View Post
Non issue? Oh yeah i forgot what you said for a minute:
Posting 300 passwords, usernames, full names, telephone numbers, addresses didnt do any harm.

Silly me, how could i forget that
You know Franck, I'm not gonna let you trick me into hi-jacking this thread over this petty bullshit you and I have between us. You talk more shit than a fucking sewer. You are too much of a pussy to back up all your shit talking in person - you had your chance and you got real quiet like a scared little bitch - so just fucking shut up already. Or if you really want to keep going, then start a new thread and lets have at it. Got it?
Old 12-22-2007, 02:40 PM   #30
papill0n
Unregistered Abuser
Join Date: Oct 2007
Posts: 15,547
yeah sounds like a real non issue to me



Nice work Milan, you guys run an excellent operation!!
Old 12-22-2007, 02:41 PM   #31
Dirty F
Too lazy to set a custom title
Join Date: Jul 2001
Posts: 59,204
Quote:
Originally Posted by minusonebit View Post
You know Franck, I'm not gonna let you trick me into hi-jacking this thread over this petty bullshit you and I have between us. You talk more shit than a fucking sewer. You are too much of a pussy to back up all your shit talking in person - you had your chance and you got real quiet like a scared little bitch - so just fucking shut up already. Or if you really want to keep going, then start a new thread and lets have at it. Got it?
Wtf? Youre so fucking fucked in your head, you should seek help you fucking imbecile. I had my chance but got quiet? Had what chance you retard boy? Oh yeah now i remember, you said i stopped posting on gfy for 3 weeks after you said you would beat me up
Man, if you read all this shit back about yourself dont you just want to shoot yourself?
Please explain to me how exactly i got quiet and scared? Fucking delusional piece of password sharing shit!
Old 12-22-2007, 02:48 PM   #32
u-Bob
there's no $$$ in porn
Join Date: Jul 2005
Location: icq: 195./568.-230 (btw: not getting offline msgs)
Posts: 33,063
hmmkay, this would explain all the spam to UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com and UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com and UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com
and...
Old 12-22-2007, 03:00 PM   #33
minusonebit
So Fucking Banned
 
Join Date: Feb 2006
Posts: 7,391
I wonder if this is where Kandah gets his/her/it's lists. Anyone have that little fucker's IP addresses, could match them against the list of intruders... we all know the lists that nic is peddling are stolen, stolen, stolen... would make sense...
Old 12-22-2007, 03:15 PM   #34
Doctor Dre
Too lazy to set a custom title
Join Date: Jan 2001
Posts: 51,692
Ok Frank just totally owned & destroyed Minusonebit, now move on to the real topic and stop fighting.
__________________
Quote:
Originally Posted by rayadp05 View Post
I rebooted, deleted temp files, history, cookies and everything...still cannot view the news clip. All I see is that fucking gay ass music video from "Rick Roll". Anyone else have a different link to the news clip?
Old 12-22-2007, 03:17 PM   #35
HunkyLuke
Virgin by request ;)
Join Date: Feb 2002
Posts: 1,925
QUESTION: what is the correct way to specify an IP range plus 1 other IP when setting up the ADMIN_IPS in a NATS configuration?

would it be 1.2.3.*,5.6.7.8
or 1.2.3.1-255,5.6.7.8
or something else?
Old 12-22-2007, 03:47 PM   #36
ronaldo
Confirmed User
 
Join Date: Jan 2002
Location: ICQ#: 272000271
Posts: 5,475
If I understand correctly from the other thread, OC3Networks is working with, or assisting MojoHost and quite possibly others as well.

If that's true, I have to give props to a company (that I don't host with btw) for working DIRECTLY WITH their competition to help solve an issue that affects our entire industry instead of capitalizing on it for their own gains.

That deserves the utmost respect.

Old 12-22-2007, 03:49 PM   #37
Gordon G
So Fucking Banned
 
Join Date: May 2006
Location: Seems To Be Here Now
Posts: 646
Quote:
Originally Posted by Dirty F View Post
Ommmmggg the irony

Holy shit! Im sure now, youre fucked in your head.
Old 12-22-2007, 03:56 PM   #38
quantum-x
Confirmed User
Join Date: Feb 2002
Location: ICQ: 251425 Fr/Au/Ca
Posts: 6,863
I'd just like to say great work on this, and as I'd mentioned in other threads [and was told I was an idiot for it] - NATS was vulnerable to SQL injections. I'm not sure if it still is now, but it certainly was.
Old 12-22-2007, 04:00 PM   #39
Sebastian Sands
Confirmed User
Join Date: Mar 2005
Location: ICQ: 211-417-740
Posts: 5,223
Are the processors concerned at all?
Old 12-22-2007, 06:23 PM   #40
milan
Confirmed User
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by ronaldo View Post
If I understand correctly from the other thread, OC3Networks is working with, or assisting MojoHost and quite possibly others as well.

If that's true, I have to give props to a company (that I don't host with btw) for working DIRECTLY WITH their competition to help solve an issue that affects our entire industry instead of capitalizing on it for their own gains.

That deserves the utmost respect.


Thank you but I really don't see any of other hosts as competition I see them as peers, there is SO much business for everyone and i think any industry should stick one to another.

MojoHost, Webair, Splitinfinity and Natnet all great operation and should share security matters. (hope didn't forget or offended anyone)
__________________
QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
24/7 "REALLY ON-SITE" Support - Completely Premium Network
Public & Private Network, Remote Reboot, Private VLANs
99.99% Guaranteed Network Uptime / BGP4 Multihomed
24/7 LIVE CHAT, Phone and Ticket Support
1-888-5-QUADRA
Old 12-22-2007, 06:28 PM   #41
milan
Confirmed User
 
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by minusonebit View Post
Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses. Add this to the list of reasons why I am glad I use a taxpayer ID for program signups.

Now, the question that remains in my mind is two fold:

1. Why is TMM sitting on their goddamned asses with regard to this?
2. Milan, why did you give them as long as you did to fix this before letting it out?

This is a serious issue and you giving them three fucking months to address it before going public with it is way too damn long. They should have had 48 hours - maximum - to address it. You're right, they should have notified the customers. Their failure to do that is another nail in their coffin. And right after they bought SegPay? Hah, now there is one billing company I'll never do business with.

Fuck TMM's reputation and the damage that releasing this after 48 hours would have caused, let me be the first to say that I don't give a good goddamn about that at all. When privacy and security and people having access to private data is concerned, the reputation of the companies involved does not matter, the security of the data in a timely manner trumps all ego concerns.

This industry worries way too fucking much about the reputation of other companies when it comes to shit like this. When something stinks, the dirty laundry needs to be aired now, not after three months of back room pleasantries and friendly chats.

I can't answer #1, as I knew they were trying to resolve this; they did not sit on their ass... (I still think letting the customers know would be first priority.)

As for #2, I will repeat that we still have respect for the idea that security issues should be secret until they're fixed, and we were urged by our clients, the ones on whose servers we located the issue, NOT to go public or something bad would happen to them. Who knows what "bad" is, but a lawsuit and revocation of license is what I heard... can't confirm the second one.
Old 12-22-2007, 06:32 PM   #42
milan
Confirmed User
 
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by raymor View Post
Thanks for handling this responsibly, contacting NATS first and then going to
full disclosure mode only when it became necessary. As a security professional
who works with a lot of NATS sites, and someone who has previously
raised questions about the security implications of having that kind of data
on the web server at all as well as specific concerns about NATS, this is
of great interest to me and leaves me with a question.

Most of the "symptoms" you describe could be explained by a simpler problem
than that "*Someone* has access to TMM's clients database with your admin
logins and passwords.". There are numerous other ways for a cracker to get
the admin user name and password. Most webmasters choose poor passwords,
with "admin:admin" being common, as are certain variations on that.
You don't have to crack TMM's database to get in when the password is
that obvious. Most webmasters use passwords based on English words,
such a dictionary attack is simple enough. More likely, any PHP script
anywhere on the server might be exploited and used to read the password
from the database. Based on what you've posted, the only evidence that
the bad guy(s) have access to the TMM database is:



Is that a solid pattern that you saw repeatedly, or is it a case where it
happened one time that the cracker definitely was gone and then came back
shortly after TMM was given admin access?





Agreed - they have an impressive product and the current crop of people there
seem to be good people. Some on this board know we once had some
intellectual property concerns regarding the actions of someone who no
longer works there, but that's been properly taken care of by TMM. My interest
is in helping webmasters who use NATS and TMM to take care of any problems
so that everyone can get back to the business of getting the porn to the people.

YES, solid as can be; we will keep all logs and evidence... As soon as they (TMM) got the "new" admin password, within hours we saw the attacks come back. More than that, after we blocked the 2-3 IPs on the core network they came from, a few weeks later the "hacker" changed IPs while attacking our customers, so another protection went into place.
Old 12-22-2007, 06:35 PM   #43
milan
Confirmed User
 
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by Sebastian Sands View Post
Are the processors concerned at all?

Yes they are; some have been responsible and contacted me to get more info on what we have, and I did. It doesn't look like they got any of the CC info, though.
They were more interested in the email list.
Old 12-22-2007, 06:36 PM   #44
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Milan and Caz, I want to apologize to both of you.

I realize now that you guys were only trying to help in this situation. I had received comments from a few people indicating to me that wasn't the case and I took them to be true without speaking with you guys myself. I always try to form my own opinions on things and in this case I'm sorry for not getting my own opinion of what you were doing about the situation.

I would also like to tell you that there is no backdoor we have put in NATS for us to access. I understand this is a common rumor but that is all that it is.

I realize now you guys are only here trying to help and I appreciate it. Thank you. I hope you can accept my apology.
Old 12-22-2007, 06:52 PM   #45
milan
Confirmed User
 
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by PBucksJohn View Post
Milan and Caz, I want to apologize to both of you.

I realize now that you guys were only trying to help in this situation. I had received comments from a few people indicating to me that wasn't the case and I took them to be true without speaking with you guys myself. I always try to form my own opinions on things and in this case I'm sorry for not getting my own opinion of what you were doing about the situation.

I would also like to tell you that there is no backdoor we have put in NATS for us to access. I understand this is a common rumor but that is all that it is.

I realize now you guys are only here trying to help and I appreciate it. Thank you. I hope you can accept my apology.

John,

People that know me are aware how easygoing I am.

We respected the major dilemma you were facing and really tried to help you, TMM and the industry secure the data, nothing more.
Your product is great and we are working on a daily basis with your install and support team; what a great bunch of guys they are.

Me, and I can speak in the name of Caz here, we without question accept the apology with no hard feelings. I really think in the future anyone should really talk face to face (or by phone...) without prejudice and try to understand the problem.

We are here 24/7 to help you if needed to solve the security breach, since at the end this is ALL it is.

I truly hope you can enjoy this holiday even if you are probably occupied with this issue.

Respectfully,
Old 12-22-2007, 06:55 PM   #46
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by milan View Post
John,

People that know me are aware how easygoing I am.

We respected the major dilemma you were facing and really tried to help you, TMM and the industry secure the data, nothing more.
Your product is great and we are working on a daily basis with your install and support team; what a great bunch of guys they are.

Me, and I can speak in the name of Caz here, we without question accept the apology with no hard feelings. I really think in the future anyone should really talk face to face (or by phone...) without prejudice and try to understand the problem.

We are here 24/7 to help you if needed to solve the security breach, since at the end this is ALL it is.

I truly hope you can enjoy this holiday even if you are probably occupied with this issue.

Respectfully,

Thank you. We have really gotten off on the wrong foot here, which is my fault. I hope we can sit down in Vegas and get to know each other, as well as with Caz. I sent you an ICQ also but did not receive a reply, not sure if it made it through to you. My ICQ is 5596373.
Old 12-22-2007, 06:58 PM   #47
seeric
..........
 
Join Date: Aug 2004
Location: ..........
Posts: 41,917
just a little PSA here.

if you don't have this product, get it.

www.lifelock.com

change all your passwords to places that you use the same pass as your nats account.

problem solved, or at least your level of protection is intensely elevated.

i've been using this for a while and you wouldn't believe the activity a normal person's credit data sees. i get calls about once a month for someone or another trying to access my credit info for this or that.

it's worth it.
Old 12-22-2007, 07:10 PM   #48
milan
Confirmed User
 
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Quote:
Originally Posted by PBucksJohn View Post
Thank you. We have really gotten off on the wrong foot here, which is my fault. I hope we can sit down in Vegas and get to know each other, as well as with Caz. I sent you an ICQ also but did not receive a reply, not sure if it made it through to you. My ICQ is 5596373.

Didn't get it as I'm not at my computer but my wife's notebook... will see it soon... thx for that.

Absolutely on the sit down; it would be great to meet you. Heard lots of good things about you from a mutual friend (NJ guy that lives out here in Cali now).
Old 12-22-2007, 07:20 PM   #49
munki
Do Fun Shit.
 
Join Date: Dec 2004
Location: OC
Posts: 13,393
<---- not fucking happy at this point...
__________________

“I have the simplest tastes. I am always satisfied with the best.” -Oscar Wilde
Old 12-22-2007, 07:26 PM   #50
BoyAlley
So Fucking Gay
 
Join Date: Nov 2004
Posts: 19,714
You know what, maybe OC3 should have fucking come out about this issue MONTHS ago instead of rolling over because their clients, whoever they are, were fucking scared of the wrath of TMM John of all god forsaken people.

Instead who knows how many people have been fucked up their ass worse than me without lube in the 4 months since.

Now TMM's John is coming forward with some pathetic little "Oopsie daisy my fault I'm so sorry have cybersex with me on ICQ now", and OC3 is immediately all like "so what are you wearing".

Fucking retarded.

Last edited by BoyAlley; 12-22-2007 at 07:28 PM..