How can a password site post 400 of my passwords?

  • loco12
    Confirmed User
    • Aug 2003
    • 638

    #1

    How can a password site post 400 of my passwords?

    Fuck knows how this has happened, as I have Strongbox installed and it's working fine. But 400 of my passwords were posted on a password site.

    I have noticed Strongbox has been knocking out more members daily in the last month. So how do these thieves get access to the password files?

    Checked server stats and it's only me that's been logged on.

    Thoughts?
  • Sebastian Sands
    Confirmed User
    • Mar 2005
    • 5223

    #2
    What's your site?

    Comment

    • c0py-BANNED FOR LIFE
      So Fucking Banned
      • Feb 2004
      • 195

      #3
      What's the forum URL?

      Comment

      • WarChild
        Let slip the dogs of war.
        • Jan 2003
        • 17263

        #4
        Originally posted by loco12
        Fuck knows how this has happened, as I have Strongbox installed and it's working fine. But 400 of my passwords were posted on a password site.

        I have noticed Strongbox has been knocking out more members daily in the last month. So how do these thieves get access to the password files?

        Checked server stats and it's only me that's been logged on.

        Thoughts?
        Sounds like a security issue with a script running on your server or your server setup. You'd be surprised how many people leave their password files, for instance, available for public access.
        Last edited by WarChild; 12-30-2007, 12:06 PM.

        Comment

        • gaymale
          Confirmed User
          • Sep 2003
          • 234

          #5
          If your stats show only you have been logging in, maybe whoever did this got your ID and password. Might want to change your password.

          Comment

          • ladida
            Confirmed User
            • Nov 2005
            • 2179

            #6
            MAGIC!1

            What's your site, what's the forum, how many members you have, where do you host....
            agentGFY *at* gmail.com

            Comment

            • loco12
              Confirmed User
              • Aug 2003
              • 638

              #7
              But only my IP shows up. If someone else was using my login their IP would be different to mine.

              Comment

              • WarChild
                Let slip the dogs of war.
                • Jan 2003
                • 17263

                #8
                Originally posted by loco12
                But only my IP shows up. If someone else was using my login their IP would be different to mine.
                They don't need to be logging in to your server.

                If you have any scripts running, they may be vulnerable through a variety of measures. Basically, someone could take control of your server by having the script(s) run commands. To you it would appear nobody "logged in" to your server.

                Your password file may even be web accessible. That is, can someone just type in yoursite.com/passwords.txt (or whatever) and retrieve the password file?

                I'm no security expert, especially in regards to web servers, so you'll probably want to get some help from somebody that is. Do you know any good admins that could do a quick once over on your site?

                You could get some more information by letting us know exactly what you're running, script- and members-protection-wise. Maybe someone can point out a vulnerable script from its name.

                Comment

                • Phil
                  Confirmed User
                  • Jan 2004
                  • 7659

                  #9
                  Don't give the URL name or minusonebit will have it posted on his blog.
                  Ask Phil

                  Comment

                  • loco12
                    Confirmed User
                    • Aug 2003
                    • 638

                    #10
                    My password file is safe from type-ins. I use Strongbox for protection. Use CCBill and Epoch for processing.

                    I have emailed Ray Morris and hopefully he can take a look to see what the problem is and how it happened.

                    Comment

                    • WarChild
                      Let slip the dogs of war.
                      • Jan 2003
                      • 17263

                      #11
                      Originally posted by loco12
                      My password file is safe from type-ins. I use Strongbox for protection. Use CCBill and Epoch for processing.

                      I have emailed Ray Morris and hopefully he can take a look to see what the problem is and how it happened.
                      Alright bud, just trying to give you some simple advice. Good luck with finding the problem. Hopefully you know people more knowledgeable than me.

                      Comment

                      • jeffrey
                        Confirmed User
                        • Jul 2004
                        • 1864

                        #12
                        Switch to Phantom Frog and you wouldn't have this problem.
                        Coming Soon!

                        Comment

                        • loco12
                          Confirmed User
                          • Aug 2003
                          • 638

                          #13
                          Originally posted by jeffrey
                          Switch to Phantom Frog and you wouldn't have this problem.
                          Why is that? What does Phantom Frog do differently that Strongbox is lacking?

                          Comment

                          • jeffrey
                            Confirmed User
                            • Jul 2004
                            • 1864

                            #14
                            www.phantomfrog.com
                            I don't get money from posting that, lol.
                            But I do use them.

                            With Phantom Frog, even if all your passwords were shared, everyone would get blocked, so no one that shouldn't have access would get in. And with the automated password recovery the real member can easily get a new password sent to their email instantly so they can log on to your site.

                            This means you wouldn't have to change the password for 400 users, and they wouldn't have to wait more than a few seconds to finish beating off.
                            Coming Soon!

                            Comment

                            • sumphatpimp
                              Confirmed User
                              • Aug 2002
                              • 5235

                              #15
                              Password stealing and server hacking is a lot easier than you think.
                              The bad guys run a script 24/7 spidering one IP after another, getting whatever info it can about the operating system, scripts or whatever the server has installed. Once the script has that information, it goes through what exploits it knows exist for that operating system or those scripts. Then the attack happens and takes your passwords or whatever it can. All this usually from an exploited server, so they don't get caught, and the owners of that server don't even know it.

                              Comment

                              • loco12
                                Confirmed User
                                • Aug 2003
                                • 638

                                #16
                                Just been reading up about Phantom Frog and it does look like it would solve the problem.

                                Will save on posting out new passwords to members as well.

                                Comment

                                • jeffrey
                                  Confirmed User
                                  • Jul 2004
                                  • 1864

                                  #17
                                  Originally posted by loco12
                                  Will save on posting out new passwords to members as well.
                                  That's one of the reasons I got it.
                                  I love waking up in the morning and seeing that a member or 2 recovered their own password at some ungodly hour. Those members are now still happy they could beat off after getting back from the bar and will have that much more reason to rebill
                                  Coming Soon!

                                  Comment

                                  • loco12
                                    Confirmed User
                                    • Aug 2003
                                    • 638

                                    #18
                                    The amount of blocked passwords from members, and only a few emails asking for a new password. Many are too embarrassed to ask me and cancel, so again this seems a good idea.

                                    Comment

                                    • jeffrey
                                      Confirmed User
                                      • Jul 2004
                                      • 1864

                                      #19
                                      Originally posted by loco12
                                      The amount of blocked passwords from members, and only a few emails asking for a new password. Many are too embarrassed to ask me and cancel, so again this seems a good idea.
                                      Damn, never would have thought about people being too embarrassed to ask for a new pass and just cancel.
                                      Just contact Bill, he is a great guy to deal with. And actually has a phone number that he answers which is nice.

                                      I don't have your member base, but even with what I have the cost is worth not having to deal with the passwords all the time. Means I can go skiing for the weekend and be fine with my BlackBerry.
                                      Last edited by jeffrey; 12-30-2007, 01:00 PM.
                                      Coming Soon!

                                      Comment

                                      • mrwilson
                                        mrwilson 2.0
                                        • Jul 2007
                                        • 5122

                                        #20
                                        Strongbox can be easily brute-forced using a proxy list, a wordlist and many of the brute-force tools available.

                                        Instead of usernames you could perhaps use emails?
                                        Or make the username and password longer with #'s and other characters.

                                        Phantomfrog is also recommended...

                                        Comment

                                        • L-Pink
                                          working on my tan
                                          • Mar 2005
                                          • 39151

                                          #21
                                          Originally posted by jeffrey
                                          Switch to Phantom Frog and you wouldn't have this problem.
                                          Thanks for the tip.

                                          Comment

                                          • zigx
                                            Confirmed User
                                            • Sep 2003
                                            • 1430

                                            #22
                                            Originally posted by loco12
                                            The amount of blocked passwords from members, and only a few emails asking for a new password. Many are too embarrassed to ask me and cancel, so again this seems a good idea.
                                            You know, that's a great fucking point man. Currently I only have Strongbox myself, and Phantomfrog posted by jeffrey looks really interesting.

                                            jeffrey, if I sign up for this do you have a ref code, or is there any reward for you?
                                            _,.:'`- Club JK . com --> 60% payouts
                                            RSS, Hosteds, POTD, Your Mother, etc... CCBill

                                            Comment

                                            • GPS
                                              Confirmed User
                                              • Feb 2007
                                              • 572

                                              #23
                                              Hey dude..

                                              Set up an .htaccess

                                              Error 401 http://to your full page ad

                                              and kill all the passwords..

                                              try it..
                                              no sig!

                                              Comment

                                              • jeffrey
                                                Confirmed User
                                                • Jul 2004
                                                • 1864

                                                #24
                                                Originally posted by zigx
                                                You know, that's a great fucking point man. Currently I only have Strongbox myself, and Phantomfrog posted by jeffrey looks really interesting.

                                                jeffrey, if I sign up for this do you have a ref code, or is there any reward for you?
                                                No ref code.
                                                But if you let Bill know Jeff from seannalust sent ya, he would at least know it's me.

                                                Melvin got me to use Phantomfrog, and I am glad I did. He switched from Strongbox.
                                                Coming Soon!

                                                Comment

                                                • tony299
                                                  lurker
                                                  • Aug 2002
                                                  • 57021

                                                  #25
                                                  Phantom Frog looks interesting.

                                                  Comment

                                                  • darling2
                                                    Confirmed User
                                                    • Jul 2006
                                                    • 345

                                                    #26
                                                    Is it possible to configure Strongbox to automatically reset passwords and send out new passwords to members?

                                                    Comment

                                                    • HouseHead
                                                      Confirmed User
                                                      • Aug 2003
                                                      • 5539

                                                      #27
                                                      Originally posted by ladida
                                                      MAGIC!1

                                                      What's your site, what's the forum, how many members you have, where do you host....
                                                      eeeeeeeeeeeeeeeeeek

                                                      Comment

                                                      • Robbie
                                                        Leaner, Meaner, Faster
                                                        • Aug 2002
                                                        • 20960

                                                        #28
                                                        Originally posted by jeffrey
                                                        Bill is the man! I was recommended by Clement from Deluxe Pass and once Bill installed Phantom Frog...all troubles were over with. It not only stops password trading, but also brute force attacks. Bill is a grouchy fucker, but nobody knows their shit better than him. I highly recommend it.
                                                        -Robbie
                                                        ClaudiaMarie.Com

                                                        Comment

                                                        • directfiesta
                                                          Too lazy to set a custom title
                                                          • Oct 2002
                                                          • 30135

                                                          #29
                                                          That many passwords ....

                                                          I would install and run http://www.chkrootkit.org/

                                                          Someone has managed to drop a shell script that gives him access to root and all folders ....

                                                          No point in changing password protection software.
                                                          I know that Asspimple is stoopid ... As he says, it is a FACT !

                                                          But I can't figure out how he can breathe or type , at the same time ....

                                                          Comment

                                                          • Lucky06
                                                            Registered User
                                                            • Dec 2006
                                                            • 4

                                                            #30
                                                            Who's a grouchy fucker?

                                                            Lol, now you're going to hurt Bill's feelings if he reads this board Robbie. I switched to Phantom Frog in September of '06 and I have no intention of going anywhere else for my site security. I tried Pennywize, IPROT, Password Sentry and a few more, but in my humble opinion PhantomFrog kicks everybody's ass. If you're in doubt about how your current security system is performing, have Bill install the Frog Demo for you. You're going to freak when you see how many guys are sneaking in under your nose!

                                                            Since I got onboard with Phantom Frog, my password management workload has been cut down to nearly zip! Yeah, there's still a few dim bulbs who will still write you to get a new password, but not many. If you let your members know how to get help when they need it, most will just retrieve their own passwords and be on their way. Sweet!

                                                            Oh, and Bill is not the "grouchy fucker" he's made out to be. He's a fuckin' sweetheart! One thing I do have to agree with Robbie on is that he really DOES know his shit and support is top notch.

                                                            Comment

                                                            • Robbie
                                                              Leaner, Meaner, Faster
                                                              • Aug 2002
                                                              • 20960

                                                              #31
                                                              LOL! Actually I messaged Bill and showed him this thread. He then showed me something brand new that he is unveiling on Jan. 2 I'll leave it to him to announce it to the world...but if you have a paysite and are wondering if there are any other ways to monetize your content...then you need to contact Bill.
                                                              Ironically, the thing he has just built is EXACTLY what I have been looking for over the last couple of months as I have been making deals to maximize the income from the Claudia-Marie.Com website to even greater heights (there never seems to be enough money for my drug and whore habits LOL)
                                                              I'm having Bill install this new product on my server as we speak. And one of the great things about it is the fact that he is so anal about security that I won't have to worry about anybody stealing from me.
                                                              Go over to phantomfrog.com and contact Bill if you are a paysite owner. I think you're going to like what he will show you with this new product.
                                                              Hell, I would post the URL to the new product...but I didn't ask him if it was okay yet. He's still working on putting up some screenshots of the admin so I won't reveal it to everybody yet. But again, if you are a paysite owner...just get over to phantomfrog.com and use his contact info and ask him about it. Tell him you read a post over here by Robbie about some super secret mystery software he is about to release.
                                                              -Robbie
                                                              ClaudiaMarie.Com

                                                              Comment

                                                              • V_RocKs
                                                                Damn Right I Kiss Ass!
                                                                • Nov 2003
                                                                • 32449

                                                                #32
                                                                Your first and biggest mistake...

                                                                Putting all of your paysites on the same server as your free sites.

                                                                Comment

                                                                • V_RocKs
                                                                  Damn Right I Kiss Ass!
                                                                  • Nov 2003
                                                                  • 32449

                                                                  #33
                                                                  bukkakeblogger.com

                                                                  This wordpress version is full of exploits...

                                                                  Comment

                                                                  • Robbie
                                                                    Leaner, Meaner, Faster
                                                                    • Aug 2002
                                                                    • 20960

                                                                    #34
                                                                    Originally posted by V_RocKs
                                                                    Your first and biggest mistake...

                                                                    Putting all of your paysites on the same server as your free sites.
                                                                    Who me? You're mistaken my friend. My TGPs are on their own dedicated server. My first and biggest mistakes were my first three wives. But as far as setting up my sites on servers...if you knew me, you'd know that I got that covered pretty well.
                                                                    But I'm hip to what you're trying to say. Especially with all the easy hacks through blogs, forums, etc. I try to make sure my stuff is as safe as possible. Plus I couldn't possibly handle the loads on one server...I'm running about 15 terabytes of bandwidth a month and I haven't even checked how many megs per second I'm pushing.
                                                                    It's crazy. I'm just glad that bandwidth is cheap these days. Could you imagine those kinda numbers back 10 years ago? I remember when the cheapest bandwidth you could get was a buck fifty a gig. Now I pay 14 cents.
                                                                    -Robbie
                                                                    ClaudiaMarie.Com

                                                                    Comment

                                                                    • V_RocKs
                                                                      Damn Right I Kiss Ass!
                                                                      • Nov 2003
                                                                      • 32449

                                                                      #35
                                                                      BTW.. No matter what you use for password management, it still has to conform to the AOL rule: (x) number of IPs over (y) number of minutes. So it won't magically kill passwords when they are shared individually, like in a message board via PMs or in a chatroom.

                                                                      One way to try and do this is to log the region from the IP... Then associate that region to the account. Would stop tons of this.

                                                                      Comment

                                                                      • V_RocKs
                                                                        Damn Right I Kiss Ass!
                                                                        • Nov 2003
                                                                        • 32449

                                                                        #36
                                                                        Originally posted by Robbie
                                                                        Who me? You're mistaken my friend. My TGPs are on their own dedicated server. My first and biggest mistakes were my first three wives. But as far as setting up my sites on servers...if you knew me, you'd know that I got that covered pretty well.
                                                                        But I'm hip to what you're trying to say. Especially with all the easy hacks through blogs, forums, etc. I try to make sure my stuff is as safe as possible. Plus I couldn't possibly handle the loads on one server...I'm running about 15 terabytes of bandwidth a month and I haven't even checked how many megs per second I'm pushing.
                                                                        It's crazy. I'm just glad that bandwidth is cheap these days. Could you imagine those kinda numbers back 10 years ago? I remember when the cheapest bandwidth you could get was a buck fifty a gig. Now I pay 14 cents.
                                                                        No, I am talking to the thread starter who was asking how so many passwords could end up being posted.

                                                                        Comment

                                                                        • Robbie
                                                                          Leaner, Meaner, Faster
                                                                          • Aug 2002
                                                                          • 20960

                                                                          #37
                                                                          Oh, okay. I got worried and thought I was doing something wrong.
                                                                          -Robbie
                                                                          ClaudiaMarie.Com

                                                                          Comment

                                                                          • Robbie
                                                                            Leaner, Meaner, Faster
                                                                            • Aug 2002
                                                                            • 20960

                                                                            #38
                                                                            Originally posted by V_RocKs
                                                                            BTW.. No matter what you use for password management, it still has to conform to the AOL rule: (x) number of IPs over (y) number of minutes. So it won't magically kill passwords when they are shared individually, like in a message board via PMs or in a chatroom.
                                                                            Frog will. First time the guy logs in it records his IP address. Then whenever it is used at any geo location that doesn't fit with his IP address it gets shut down. The original user has to get a new password. Then when he logs in with his ip address it is recorded again. Then if the forum or aol or whatever uses it BAM they are nailed again. It's what makes phantomfrog work when the others don't. And it's got a cool "virtual velocity" function that is pretty funny to watch. Like when a guy logs in from Australia and then from Russia two minutes later it calculates how fast in miles per hour a person would have to be traveling.
                                                                            -Robbie
                                                                            ClaudiaMarie.Com

                                                                            Comment
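The two detection rules argued over in posts #35 and #38 (the "AOL rule" of x distinct IPs over y minutes, and the "virtual velocity" check that computes how fast a member would have had to travel between two logins) can be written down in a few dozen lines. The block below is an added example and is not code from the thread or from Phantom Frog, Strongbox or any other product named here. It assumes that each login has already been geolocated to a latitude/longitude by some GeoIP lookup, that the thresholds `MAX_DISTINCT_IPS`, `WINDOW` and `MAX_SPEED_KMH` are illustrative rather than anyone's real settings, and that the sample logins in `run_demo()` are constructed (documentation IP ranges and approximate city coordinates), not real member data. Speeds are in km/h; the mph figure Robbie mentions is the same number times 0.62.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Illustrative thresholds (assumptions for this example, not any product's values).
MAX_DISTINCT_IPS = 3             # the "(x) number of IPs" ...
WINDOW = timedelta(minutes=30)   # ... "over (y) number of minutes"
MAX_SPEED_KMH = 1000.0           # faster than an airliner counts as impossible travel
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    """One successful login; lat/lon are assumed to come from a GeoIP lookup done earlier."""
    when: datetime
    user: str
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the account holder would need to cover the distance between two consecutive logins."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if dist == 0.0:
        return 0.0
    if hours <= 0.0:            # same instant, different place: treat as infinitely fast
        return float("inf")
    return dist / hours


class SharedPasswordMonitor:
    """Feeds login events (in chronological order) through both rules and returns alert strings."""

    def __init__(self):
        self._recent = defaultdict(deque)   # user -> (when, ip) pairs still inside the window
        self._last = {}                     # user -> most recent Login seen

    def check(self, ev: Login) -> list:
        alerts = []

        # Rule 1 (the "AOL rule"): too many distinct source IPs on one account within the window.
        q = self._recent[ev.user]
        q.append((ev.when, ev.ip))
        while q and ev.when - q[0][0] > WINDOW:
            q.popleft()
        distinct = {ip for _, ip in q}
        if len(distinct) > MAX_DISTINCT_IPS:
            alerts.append(f"{ev.user}: {len(distinct)} distinct IPs within {WINDOW} (shared password?)")

        # Rule 2 ("virtual velocity"): impossible travel between this login and the previous one.
        prev = self._last.get(ev.user)
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > MAX_SPEED_KMH:
                alerts.append(f"{ev.user}: impossible travel, {speed:.0f} km/h from {prev.ip} to {ev.ip}")
        self._last[ev.user] = ev
        return alerts


def run_demo():
    """Constructed sample logins (not real member data); returns {user: [alert, ...]}."""
    t0 = datetime(2007, 12, 30, 12, 0)
    m = lambda mins: t0 + timedelta(minutes=mins)
    SYDNEY, MOSCOW = (-33.87, 151.21), (55.76, 37.62)
    CHICAGO, NEW_YORK, LONDON = (41.88, -87.63), (40.71, -74.01), (51.51, -0.13)
    events = [
        # alice: the same password used in Sydney and then Moscow two minutes later
        Login(m(0), "alice", "203.0.113.10", *SYDNEY),
        Login(m(2), "alice", "198.51.100.7", *MOSCOW),
        # bob: four different IPs in the same city within twelve minutes
        Login(m(0), "bob", "192.0.2.1", *CHICAGO),
        Login(m(5), "bob", "192.0.2.2", *CHICAGO),
        Login(m(10), "bob", "192.0.2.3", *CHICAGO),
        Login(m(12), "bob", "192.0.2.4", *CHICAGO),
        # carol: New York, then London eight hours later, which a real flight allows
        Login(m(0), "carol", "192.0.2.50", *NEW_YORK),
        Login(m(480), "carol", "198.51.100.9", *LONDON),
    ]
    events.sort(key=lambda e: e.when)   # the monitor expects chronological input
    monitor = SharedPasswordMonitor()
    report = defaultdict(list)
    for ev in events:
        report[ev.user].extend(monitor.check(ev))
    return dict(report)


if __name__ == "__main__":
    for user, alerts in run_demo().items():
        print(user, alerts or "ok")
```

Running it flags alice for impossible travel and bob for too many distinct IPs, while carol's transatlantic flight passes both rules. Note that the velocity rule depends entirely on the quality of the GeoIP data it is fed: a VPN exit or a carrier proxy in another country will look like impossible travel, which is why a detection like this is better used to force a password reset and notify the member than to silently ban the account.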

                                                                            • TiaLing
                                                                              Confirmed User
                                                                              • Mar 2006
                                                                              • 979

                                                                              #39
                                                                              Pennywise

                                                                              I had similar probs... installed Pennywize, which has seemed to stop password abuse, but like everyone has pointed out... I seem to be having a lot of passwords blocked, but no emails from members? I heard a lot about other scripts... anyone have an opinion on Pennywize?

                                                                              tia


                                                                              Trade Traffic and hardlinks


                                                                              • V_RocKs
                                                                                Damn Right I Kiss Ass!
                                                                                • Nov 2003
                                                                                • 32449

                                                                                #40
                                                                                Originally posted by Robbie
                                                                                Frog will. The first time the guy logs in it records his IP address. Then whenever it is used at any geo location that doesn't fit with his IP address it gets shut down. The original user has to get a new password. Then when he logs in with his IP address it is recorded again. Then if the forum or AOL or whatever uses it, BAM, they are nailed again. It's what makes phantomfrog work when the others don't. And it's got a cool "virtual velocity" function that is pretty funny to watch. Like when a guy logs in from Australia and then from Russia two minutes later, it calculates how fast in miles per hour a person would have to be traveling.
                                                                                If everyone would implement this, we'd have about 40% more money to spread around.


                                                                                • aico
                                                                                  Moo Moo Cow
                                                                                  • Mar 2004
                                                                                  • 14748

                                                                                  #41
                                                                                  Anyone telling you to change your password protection script has no clue what they are talking about. Warchild and some others were giving you the correct answers.


                                                                                  • Robbie
                                                                                    Leaner, Meaner, Faster
                                                                                    • Aug 2002
                                                                                    • 20960

                                                                                    #42
                                                                                    I have a clue. And I think that securing your server is of course step ONE. That should be a given. Then if you want to really stop all password trading and brute force attacks after your server is nailed down... then yes, you would want to change over to the Phantom Frog software. As far as I know it is the only security software of its type. Warchild is giving some very solid advice. But shutting the doors on your server isn't gonna help stop people trading passwords, or stop the hundreds that are already out there, or keep you from the hours of headaches and work that go with dealing with all that customer support. There is a lot more to what this guy is facing than just server security. Though obviously that should be job number one.
                                                                                    -Robbie
                                                                                    ClaudiaMarie.Com


                                                                                    • D
                                                                                      Confirmed User
                                                                                      • Jan 2006
                                                                                      • 7412

                                                                                      #43
                                                                                      Using NATS?
                                                                                      -D.
                                                                                      ICQ: 202-96-31


                                                                                      • Robbie
                                                                                        Leaner, Meaner, Faster
                                                                                        • Aug 2002
                                                                                        • 20960

                                                                                        #44
                                                                                        Originally posted by D
                                                                                        Using NATS?
                                                                                        That's true. If he's using NATS his passwords are definitely compromised. Another good reason to have a system that blocks them and changes the passwords. And another good reason to listen to Warchild and aico and get the security of the site (including the IP restriction of NATS) up to snuff.
                                                                                        It sucks that there are so many thieves out there and honest hard working people have to watch their backs every second.
                                                                                        -Robbie
                                                                                        ClaudiaMarie.Com


                                                                                        • Robbie
                                                                                          Leaner, Meaner, Faster
                                                                                          • Aug 2002
                                                                                          • 20960

                                                                                          #45
                                                                                          Hey D... I like your sites. I'm gonna sign up and promote them. I can definitely use some hot black girl stuff on my TGPs. Love those big asses.
                                                                                          -Robbie
                                                                                          ClaudiaMarie.Com


                                                                                          • D
                                                                                            Confirmed User
                                                                                            • Jan 2006
                                                                                            • 7412

                                                                                            #46
                                                                                            Originally posted by Robbie
                                                                                            Hey D... I like your sites. I'm gonna sign up and promote them. I can definitely use some hot black girl stuff on my TGPs. Love those big asses.
                                                                                            Cool, man. Sign up tonight, and I should push your account through tomorrow. Beyond that, it's pretty straightforward. Let me know if there's anything you need.
                                                                                            -D.
                                                                                            ICQ: 202-96-31


                                                                                            • Robbie
                                                                                              Leaner, Meaner, Faster
                                                                                              • Aug 2002
                                                                                              • 20960

                                                                                              #47
                                                                                              Just finished signing up. That's some funny shit on the Shorty Mac site. A rap for every scene description... pure genius! I love it.
                                                                                              -Robbie
                                                                                              ClaudiaMarie.Com


                                                                                              • aico
                                                                                                Moo Moo Cow
                                                                                                • Mar 2004
                                                                                                • 14748

                                                                                                #48
                                                                                                I say again, Phantom Frog and Strongbox DO NOT protect your .htpasswd file. All of your 400 passwords are on that site because someone got access to your .htpasswd file. While PF and SB will protect your members area from people using those passwords, they will not, and DID NOT, protect your .htpasswd file. Someone hacked your server and is still probably doing so.

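A quick audit of the exposure of an Apache .htpasswd file, the file aico says was taken, as an added example that is not from the thread or from any product it names. The directory layout, file contents and hash prefixes below are constructed for the demo; a real audit points `audit_htpasswd` at the live file and DocumentRoot.

```python
"""Audit an .htpasswd file for the ways it commonly leaks: sitting under the
DocumentRoot (one misconfig away from being served), readable by other local
users or scripts, or holding credentials that are not hashed at all."""
import os
import stat
import tempfile

# Prefixes of the hash formats the htpasswd tool writes (MD5-apr1, bcrypt, SHA1).
# Legacy crypt(3) entries carry no prefix and get flagged too; they are weak anyway.
HASH_PREFIXES = ("$apr1$", "$2y$", "$2a$", "{SHA}")

def audit_htpasswd(path, docroot):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    if real == root or real.startswith(root + os.sep):
        findings.append("file lives under DocumentRoot: one misconfig away from being served")
    mode = stat.S_IMODE(os.stat(real).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {oct(mode)} is readable by group/others (any local script user)")
    with open(real) as f:
        for n, line in enumerate(f, 1):
            user, _, secret = line.rstrip("\n").partition(":")
            if not secret.startswith(HASH_PREFIXES):
                findings.append(f"line {n} ({user}): credential is not in a known hash format")
    return findings

def demo():
    """Constructed worst case: .htpasswd inside htdocs, world-readable, one plaintext entry."""
    tmp = tempfile.mkdtemp()
    docroot = os.path.join(tmp, "htdocs")
    os.mkdir(docroot)
    path = os.path.join(docroot, ".htpasswd")
    with open(path, "w") as f:
        f.write("alice:$apr1$saltsalt$constructedhashvalue0000\nbob:plaintextpw\n")
    os.chmod(path, 0o644)
    return audit_htpasswd(path, docroot)
```

Moving the file outside the DocumentRoot and setting mode 0640 owned by the web server's group clears the first two findings; the third needs the entry regenerated with a hashing htpasswd option.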

                                                                                                • loco12
                                                                                                  Confirmed User
                                                                                                  • Aug 2003
                                                                                                  • 638

                                                                                                  #49
                                                                                                  Agree that the server must have been exploited by a script. I have contacted tech support and asked them to run a diagnostic on it. Changing all my passwords as well, as an added precaution. And also dumping WordPress. The fewer scripts the better.


                                                                                                  • V_RocKs
                                                                                                    Damn Right I Kiss Ass!
                                                                                                    • Nov 2003
                                                                                                    • 32449

                                                                                                    #50
                                                                                                    I addressed the fact that his server was hacked.

                                                                                                    PF is for after this happens... IT DOES HELP!
