GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   ***** NATS Issue - What we know about it ***** (https://gfy.com/showthread.php?t=794159)

milan 12-22-2007 06:28 PM

Quote:

Originally Posted by minusonebit (Post 13551830)
Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses. Add this to the list of reasons why I am glad I use a taxpayer ID for program signups.

Now, the question that remains in my mind is two fold:

1. Why is TMM sitting on their goddamned asses with regard to this?
2. Milan, why did you give them as long as you did to fix this before letting it out?

This is a serious issue and you giving them three fucking months to address it before going public with it is way too damn long. They should have had 48 hours - maximum - to address it. You're right, they should have notified the customers. Their failure to do that is another nail in their coffin. And right after they bought SegPay? Hah, now there is one billing company I'll never do business with.

Fuck TMM's reputation and the damage that releasing this after 48 hours would have caused, let me be the first to say that I don't give a good goddamn about that at all. When privacy and security and people having access to private data is concerned, the reputation of the companies involved does not matter, the security of the data in a timely manner trumps all ego concerns.

This industry worries way too fucking much about the reputation of other companies when it comes to shit like this. When something stinks, the dirty laundry needs to be aired now, not after three months of back room pleasantries and friendly chats.

I can't answer #1 as I know they are trying to resolve this, they did not sit on their ass... (I still think letting the customers know would be first priority)

As for #2 I will repeat that we still have respect for the idea that security issues should be secret until they're fixed, and we were urged by our clients, on whose servers we located the issue, NOT to go public or something bad would happen to them. Who knows what "bad" is, but lawsuit and revocation of license is what I heard... can't confirm the second one.

milan 12-22-2007 06:32 PM

Quote:

Originally Posted by raymor (Post 13551540)
Thanks for handling this responsibly, contacting NATS first and then going to
full disclosure mode only when it became necessary. As a security professional
who works with a lot of NATS sites, and someone who has previously
raised questions about the security implications of having that kind of data
on the web server at all as well as specific concerns about NATS, this is
of great interest to me and leaves me with a question.

Most of the "symptoms" you describe could be explained by a simpler problem
than that "*Someone* has access to TMM's clients database with your admin
logins and passwords.". There are numerous other ways for a cracker to get
the admin user name and password. Most webmasters choose poor passwords,
with "admin:admin" being common, as are certain variations on that.
You don't have to crack TMM's database to get in when the password is
that obvious. Most webmasters use passwords based on English words,
so a dictionary attack is simple enough. More likely, any PHP script
anywhere on the server might be exploited and used to read the password
from the database. Based on what you've posted, the only evidence that
the bad guy(s) have access to the TMM database is:



Is that a solid pattern that you saw repeatedly, or is it a case where it
happened one time that the cracker definitely was gone and then came back
shortly after TMM was given admin access?





Agreed - they have an impressive product and the current crop of people there
seem to be good people. Some on this board know we once had some
intellectual property concerns regarding the actions of someone who no
longer works there, but that's been properly taken care of by TMM. My interest
is in helping webmasters who use NATS and TMM to take care of any problems
so that everyone can get back to the business of getting the porn to the people.

YES solid as can be, we will keep all logs and evidence... as soon as they (TMM) got the "new" admin password, within hours we saw the attacks come back. More than that, after we blocked the 2-3 IPs on the core network they came from, a few weeks later the "hacker" changed IPs while attacking our customers so another protection went into place.

milan 12-22-2007 06:35 PM

Quote:

Originally Posted by Sebastian Sands (Post 13552133)
Are the processors concerned at all?

Yes they are, some have been responsible and contacted me to get more info on what we have and I did. It doesn't look like they got any of the CC info tho;
they were more interested in the email list.

TMM_John 12-22-2007 06:36 PM

Milan and Caz, I want to apologize to both of you.

I realize now that you guys were only trying to help in this situation. I had received comments from a few people indicating to me that wasn't the case and I took them to be true without speaking with you guys myself. I always try to form my own opinions on things and in this case I'm sorry for not getting my own opinion of what you were doing about the situation.

I would also like to tell you that there is no backdoor we have put in NATS for us to access. I understand this is a common rumor but that is all that it is.

I realize now you guys are only here trying to help and I appreciate it. Thank you. I hope you can accept my apology.

milan 12-22-2007 06:52 PM

Quote:

Originally Posted by PBucksJohn (Post 13552666)
Milan and Caz, I want to apologize to both of you.

I realize now that you guys were only trying to help in this situation. I had received comments from a few people indicating to me that wasn't the case and I took them to be true without speaking with you guys myself. I always try to form my own opinions on things and in this case I'm sorry for not getting my own opinion of what you were doing about the situation.

I would also like to tell you that there is no backdoor we have put in NATS for us to access. I understand this is a common rumor but that is all that it is.

I realize now you guys are only here trying to help and I appreciate it. Thank you. I hope you can accept my apology.

John,

People that know me are aware how easy going I am.

We respected the major dilemma you were facing and really tried to help you, TMM and the industry in securing the data, nothing more.
Your product is great and we are working on a daily basis with your install and support team, what a great bunch of guys they are.

I, and I can speak in the name of Caz here, without question accept the apology with no hard feelings. I really think in the future anyone should really talk face to face (or by phone...) without prejudice and try to understand the problem.

We are here 24/7 to help you if needed to solve the security breach, since at the end this is ALL it is.

I truly hope you can enjoy this holiday even if you are probably occupied with this issue.

Respectfully,

TMM_John 12-22-2007 06:55 PM

Quote:

Originally Posted by milan (Post 13552710)
John,

People that know me are aware how easy going I am.

We respected the major dilemma you were facing and really tried to help you, TMM and the industry in securing the data, nothing more.
Your product is great and we are working on a daily basis with your install and support team, what a great bunch of guys they are.

I, and I can speak in the name of Caz here, without question accept the apology with no hard feelings. I really think in the future anyone should really talk face to face (or by phone...) without prejudice and try to understand the problem.

We are here 24/7 to help you if needed to solve the security breach, since at the end this is ALL it is.

I truly hope you can enjoy this holiday even if you are probably occupied with this issue.

Respectfully,

Thank you. We have really gotten off on the wrong foot here, which is my fault. I hope we can sit down in Vegas and get to know each other, as well as with Caz. I sent you an ICQ also but did not receive a reply, not sure if it made it through to you. My ICQ is 5596373.

seeric 12-22-2007 06:58 PM

Just a little PSA here.

If you don't have this product, get it.

www.lifelock.com

Change all your passwords to places where you use the same pass as your NATS account.

Problem solved, or at least your level of protection is intensely elevated.

I've been using this for a while and you wouldn't believe the activity a normal person's credit data sees. I get calls about once a month for someone or another trying to access my credit info for this or that.

It's worth it.

milan 12-22-2007 07:10 PM

Quote:

Originally Posted by PBucksJohn (Post 13552720)
Thank you. We have really gotten off on the wrong foot here, which is my fault. I hope we can sit down in Vegas and get to know each other, as well as with Caz. I sent you an ICQ also but did not receive a reply, not sure if it made it through to you. My ICQ is 5596373.

Didn't get it as I'm not at my computer but on my wife's notebook... will see it soon... thx for that.

Absolutely on the sit down, would be great to meet you, heard lots of good things about you from a mutual friend (NJ guy that lives out here in Cali now)

munki 12-22-2007 07:20 PM

<---- not fucking happy at this point...

BoyAlley 12-22-2007 07:26 PM

You know what, maybe OC3 should have fucking come out about this issue MONTHS ago instead of rolling over because their clients, whoever they are, were fucking scared of the wrath of TMM John of all god forsaken people.

Instead who knows how many people have been fucked up their ass worse than me without lube in the 4 months since.

Now TMM's John is coming forward with some pathetic little "Oopsie daisy my fault I'm so sorry have cybersex with me on ICQ now", and OC3 is immediately all like "so what are you wearing".

Fucking retarded.

milan 12-22-2007 07:33 PM

Quote:

Originally Posted by BoyAlley (Post 13552803)
You know what, maybe OC3 should have fucking come out about this issue MONTHS ago instead of rolling over because their clients, whoever they are, were fucking scared of the wrath of TMM John of all god forsaken people.

Instead who knows how many people have been fucked up their ass worse than me without lube in the 4 months since.

Now TMM's John is coming forward with some pathetic little "Oopsie daisy my fault I'm so sorry have cybersex with my on ICQ now", and OC3 is all "so what are you wearing".

Fucking retarded.

Not everyone is an angry little man in search of drama...

We respect first and foremost OUR customers, I have no problem with that, do you? And if you saw the post we had a few months back you will see we did alert the industry but I guess the subject of the post was not appealing enough for people to ask Q's.

V_RocKs 12-22-2007 07:36 PM

Nice... When it comes to security, there is no competition among hosting companies. I love that!


On a side note...

IP RESTRICTION...

But my IP address changes....

Bullshit. You make enough money to call your provider and request a PERMANENT one. But they don't provide one. What the fuck? Are you on Dialup because most Cable, DSL, Broadband providers WILL give you a permanent IP if you pay monthly for leasing. Usually $20. Consider it a cost of doing business and a tax write off.

OK... But I AM ON DIALUP! So pay an admin here to setup a proxy on a dedicated server with a NON-ADULT hosting company picked at random. Have that proxy password protected.

Case closed...

The fact that a village idiot can get into this industry if he has $100,000 in inheritance money frightens me. It frightens me because when it comes to security you are all village idiots! Every last one of you!

90% of you have hackers on your boxes because they hacked your forum, your support system, your webcam software or by some other means. You don't know because all the hacker wants is your password DB and not the Emails.

They trade those DB's like Pokemon cards. They give 1 account away to each person who asks for them on newsgroups and IRC channels. It NEVER trips your strongbox, pennywize, proxy pass, etc, because they give each requester a different account. So even if the real user and the fake one use it at the same time they fall within the AOL threshold (5 IP's in 15 minutes).

You all think.. Impossible because those previously mentioned programs shut this kinda shit down! No... They don't... Because each request gets a different account. This isn't password boards where 15,000 people get the same account. This is the designer version where everyone gets their own unique, free account.

But bandwidth is so cheap I don't give a fuck!... I know.. But in one channel on the IRC alone you will have up to 1000 people receive a password in a day. You are pissing away $35,000 a day! Smaller programs a few thousand...

Industry wide? About $800,000,000 a year is just pissed away...

OK.. Back to your original programming where you just bury your heads in the sand.

BoyAlley 12-22-2007 07:37 PM

Quote:

Originally Posted by milan (Post 13552832)
Not everyone is an angry little man in search of drama...

We respect first and foremost OUR customers, I have no problem with that do you?


Yes you're right, a huge portion of the fucking industry potentially having personal details stolen, not to mention who the fuck knows how many unsuspecting members, that's just me seeking out drama huh?

As for your second comment, basically what you're saying is, people have to pay you if they expect to be let in on little secrets like major vulnerabilities with the most used affiliate management software in the industry, huh? Did I understand that correctly?

BoyAlley 12-22-2007 07:39 PM

I, for one, would absolutely LOVE to know who these chickenshit clients were that told OC3 networks to keep their mouth shut cuz they were scurred of TMM John. :321GFY

TheDoc 12-22-2007 07:46 PM

Quote:

Originally Posted by BoyAlley (Post 13552846)

Yes you're right, a huge portion of the fucking industry potentially having personal details stolen, not to mention who the fuck knows how many unsuspecting members, that's just me seeking out drama huh?

As for your second comment, basically what you're saying is, people have to pay you if they expect to be let in on little secrets like major vulnerabilities with the most used affiliate management software in the industry, huh? Did I understand that correctly?

Damn near every processor and a ton of other affiliate programs lists have been for sale for years, just ask around. People talk about it, hell posts have been deleted about them on GFY.

Every day hosting companies go through exploits, hacks, all types of shit. You don't see all the other Major Hosts posting what they found. They all host different programs with and without nats and nobody, no program, ever comes out and says shit about hacks/exploits.

And yes, you can guarantee that every host and affiliate program has gone through its share of hacks and exploit issues. It's part of the business.

TheDoc 12-22-2007 07:49 PM

Sad as it is to say, this is a 10+ year problem and is probably one of the biggest reasons we have seen a down turn in our industry over the last 5ish years.

I have heard it from people straight up, and we all know it to be true too. Stolen email lists or not... If you sign up for a porn site you will get spammed at some point down the road.

shuki 12-22-2007 07:57 PM

Quote:

Originally Posted by V_RocKs (Post 13552845)
Nice... When it comes to security, there is no competition among hosting companies. I love that!


On a side note...

IP RESTRICTION...

But my IP address changes....

Bullshit. You make enough money to call your provider and request a PERMANENT one. But they don't provide one. What the fuck? Are you on Dialup because most Cable, DSL, Broadband providers WILL give you a permanent IP if you pay monthly for leasing. Usually $20. Consider it a cost of doing business and a tax write off.

OK... But I AM ON DIALUP! So pay an admin here to setup a proxy on a dedicated server with a NON-ADULT hosting company picked at random. Have that proxy password protected.

Case closed...

The fact that a village idiot can get into this industry if he has $100,000 in inheritance money frightens me. It frightens me because when it comes to security you are all village idiots! Every last one of you!

90% of you have hackers on your boxes because they hacked your forum, your support system, your webcam software or by some other means. You don't know because all the hacker wants is your password DB and not the Emails.

They trade those DB's like Pokemon cards. They give 1 account away to each person who asks for them on newsgroups and IRC channels. It NEVER trips your strongbox, pennywize, proxy pass, etc, because they give each requester a different account. So even if the real user and the fake one use it at the same time they fall within the AOL threshold (5 IP's in 15 minutes).

You all think.. Impossible because those previously mentioned programs shut this kinda shit down! No... They don't... Because each request gets a different account. This isn't password boards where 15,000 people get the same account. This is the designer version where everyone gets their own unique, free account.

But bandwidth is so cheap I don't give a fuck!... I know.. But in one channel on the IRC alone you will have up to 1000 people receive a password in a day. You are pissing away $35,000 a day! Smaller programs a few thousand...

Industry wide? About $800,000,000 a year is just pissed away...

OK.. Back to your original programming where you just bury your heads in the sand.

So how do we stop the theft?

shuki 12-22-2007 08:00 PM

Quote:

Originally Posted by TheDoc (Post 13552877)
Sad as it is to say, this is a 10+ year problem and is probably one of the biggest reasons we have seen a down turn in our industry over the last 5ish years.

I have heard it from people straight up, and we all know it to be true too. Stolen email lists or not... If you sign up for a porn site you will get spammed at some point down the road.

Yep...I think part of the problem is that some in this industry will accept and capitalize on this activity.....as long as you can make money off the stolen lists and spamming people it won't stop.

V_RocKs 12-22-2007 08:30 PM

Well, how many programs support password lists through advertising?

Tons!

minusonebit 12-22-2007 08:44 PM

Quote:

Originally Posted by milan (Post 13552633)
I can't answer #1 as I know they are trying to resolve this, they did not sit on their ass... (I still think letting the customers know would be first priority)

As for #2 I will repeat that we still have respect for the idea that security issues should be secret until they're fixed, and we were urged by our clients, on whose servers we located the issue, NOT to go public or something bad would happen to them. Who knows what "bad" is, but lawsuit and revocation of license is what I heard... can't confirm the second one.

Well, you gotta do right by your clients, I suppose... Milan, I know what a nice guy you are and in this case, I think you might have been a little bit too nice to the TMM folks. That's what I was trying to say. From the TMM response, it doesn't sound like they were doing a lot to fix the issue but were working overtime to keep it hush hush. I know what you are saying about the keeping it secret part, but there is a balance there. If they are not working on fixing it, then someone needs to disclose it to force their hand for the greater good. I don't blame anyone other than NATS/TMM for this.

Ycaza 12-22-2007 10:16 PM

Whoa, I am taken aback and happy to accept the apology. Thank you John, I just saw this. It is our pleasure to try and help the situation. If there is more I or we can do to help resolve this, let us know.

Oh, and BoyAlley, we did, months ago. I helped not only our clients, but a bunch of NATS customers called me personally for the fix. I had assumed the problem was fixed from there. We just uncovered it again, in what I am told is a slightly different form.

minusonebit 12-22-2007 10:41 PM

Quote:

Originally Posted by Dirty F (Post 13551935)
Wtf? You're so fucking fucked in your head, you should seek help you fucking imbecile. I had my chance but got quiet? Had what chance you retard boy? Oh yeah now I remember, you said I stopped posting on gfy for 3 weeks after you said you would beat me up :1orglaugh:1orglaugh
Man, if you read all this shit back about yourself don't you just want to shoot yourself?
Please explain to me how exactly I got quiet and scared? :1orglaugh:1orglaugh Fucking delusional piece of password sharing shit!

Real simple. You stopped posting. Like I said. You signed off and no one heard from you for a while and you avoided the challenge thread like the plague. But that's OK, I'll give you another chance. Any time you want to come and back your shit up Franck, let's go for it. I promise you I'll win and you will be a little bloody mess of broken bones and oozing sores.

st0ned 12-22-2007 11:02 PM

Quote:

Originally Posted by ronaldo (Post 13552084)
If I understand correctly from the other thread, OC3Networks is working with, or assisting MojoHost and quite possibly others as well.

If that's true, I have to give props to a company (that I don't host with btw) for working DIRECTLY WITH their competition to help solve an issue that affects our entire industry instead of capitalizing on it for their own gains.

That deserves the utmost respect.

:thumbsup

No kidding, they just got themselves a new customer :thumbsup

TMM_John 12-22-2007 11:03 PM

Quote:

Originally Posted by Ycaza (Post 13553356)
Whoa, I am taken aback and happy to accept the apology. Thank you John, I just saw this. It is our pleasure to try and help the situation. If there is more I or we can do to help resolve this, let us know.

Oh, and BoyAlley, we did, months ago. I helped not only our clients, but a bunch of NATS customers called me personally for the fix. I had assumed the problem was fixed from there. We just uncovered it again, in what I am told is a slightly different form.

You're very welcome. I made the mistake of lumping you in with some of the assholes here by assuming things others told me to be true rather than looking for myself, which is something I always try to do in life. I'm sorry for that.

We also believed the issue had been fixed when it first popped up and was addressed. We also fully believed we had spoken with everyone it affected. Some people here would rather perpetuate the drama than listen to things tho :(

If we can be of any aid to you in helping your clients or if you have any info that we could use please know that the lines of communication are always open. I look forward to sitting down with you in Vegas also.

Paul Markham 12-23-2007 12:36 AM

Quote:

Originally Posted by milan (Post 13552832)
We respect first and foremost OUR customers, I have no problem with that do you? and if you saw the post we had a few months back you will see we did alerted the industry but I guess the subject of the post was not appealing enough for people to ask Q's.

I'm sorry but with an issue this big and TMM's response I would have found a few different ways to bring this to light. There are many posters who would have posted it for you without naming you as the source, there's opening a new GFY account and bouncing an old thread with new in-depth info, and there is finding a list of big NATS users you're not hosting and giving them a heads up.

You backed off because John threatened legal action against your clients. Which is partly understandable, but reflects badly on John, as he must have known the last place he would go with this is court.

John I see you are still calling people names. If you're 101% innocent in this you're a bad businessman. Because the problem was shown to you and instead of fixing it and informing clients you chose to hide it and threaten VICTIMS with court action.

The problem continued, with your knowledge. Or did you not believe all the warning signs that were being shown to you while you were threatening people with court action?

Paul Markham 12-23-2007 12:44 AM

Quote:

Originally Posted by TheDoc (Post 13552877)
Sad as it is to say, this is a 10+ year problem and is probably one of the biggest reasons we have seen a down turn in our industry over the last 5ish years.

I have heard it from people straight up, and we all know it to be true too. Stolen email lists or not... If you sign up for a porn site you will get spammed at some point down the road.

Sadly true. A large proportion of the people in the Adult Net have ethics that leave you wondering if they act like this in the rest of their life. Stealing anything on the Net is done by them on a basis of "If I can do it I will and it's acceptable." It seems they feel Internet property can be taken at will.

I wonder how they would feel if someone drove off with their car because they had not totally disabled it?

xxxjay 12-23-2007 02:13 AM

Holy shit...

Zester 12-23-2007 04:51 AM

i'm getting depressed again...

RazorSharpe 12-23-2007 06:22 AM

Quote:

Originally Posted by PBucksJohn (Post 13553551)
You're very welcome. I made the mistake of lumping you in with some of the assholes here by assuming things others told me to be true rather than looking for myself, which is something I always try to do in life. I'm sorry for that.

We also believed the issue had been fixed when it first popped up and was addressed. We also fully believed we had spoken with everyone it affected. Some people here would rather perpetuate the drama than listen to things tho :(

If we can be of any aid to you in helping your clients or if you have any info that we could use please know that the lines of communication are always open. I look forward to sitting down with you in Vegas also.

John, please give your clients a little respect. You are accusing us of perpetuating drama in an environment that YOU have made conducive to drama. What did you expect?

Oh and don't sit too close to Caz in Vegas ... if his wallet gets lost you're totally fucked!

...

D-man 12-27-2007 12:50 AM

Quote:

Originally Posted by Headless (Post 13551306)
holy shit this isn't good...

lol and even headless posted on this :thumbsup

dicknixon 12-27-2007 01:51 AM

I bow down to Dale. He's the best admin I've ever dealt with.

Iron Fist 12-27-2007 06:43 PM

Blogs are linking to this thread :)

Dirty F 12-27-2007 07:00 PM

:warning

Paul Markham 12-28-2007 05:23 AM

Quote:

Originally Posted by milan (Post 13551150)
After many MANY emails and VM's I will post what OC3 Networks discovered back in October after a routine audit of 2 of our clients' security.

We know this issue has existed since mid Aug 2007, secured our customers and blocked the intruder IPs from any access to our network.

We posted the thread http://www.gfy.com/fucking-around-and-business-discussion/779742-oc3-networks-customers-urgent.html and got some lawsuit threat to sue us that we could have cared less about, BUT when our customers, on whose servers we tracked the breach, got threats as well and requested us to NOT come out public with it, we honored their request.


Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened...


Credit for this below info should go to our SUPER SYSADMIN/Security fanatic Dale who has never posted on this board so I'm doing this for him. He wanted to come out with this long ago!
=====
The issue with this "intruder" does not seem to be an exploit of the NATS software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That's what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had months to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.

I've been involved with a high number of NATS clients and have found the following to be true:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
*) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
*) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=######". You will see a number of those hits in sequential order.
*) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.

I have some suggestions for people using NATS:
*) Change all your admin level passwords.
*) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
*) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with Apache easily (syntax depends on your version; this is for 2.0):
<Files "admin*">
    Order deny,allow
    Deny from all
    Allow from your.ip.addr.here
</Files>
*) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
*) Be thankful of many things I'll not get into.

Time to bump this so people know.

Paul Markham 12-28-2007 11:10 AM

It's time for another and another part in bold.

Quote:

Originally Posted by milan (Post 13551150)
After many MANY emails and VM's I will post what OC3 Networks discovered back in October after a routine audit of 2 of our clients' security.

We know this issue has existed since mid Aug 2007, secured our customers and blocked the intruder IPs from any access to our network.

We posted the thread http://www.gfy.com/fucking-around-and-business-discussion/779742-oc3-networks-customers-urgent.html and got some lawsuit threat to sue us that we could have cared less about, BUT when our customers, on whose servers we tracked the breach, got threats as well and requested us to NOT come out public with it, we honored their request.

Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened...


Credit for this below info should go to our SUPER SYSADMIN/Security fanatic Dale who has never posted on this board so I'm doing this for him. He wanted to come out with this long ago!
=====
The issue with this "intruder" does not seem to be an exploit of the NATS software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That's what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had months to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.

I've been involved with a high number of NATS clients and have found the following to be true:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
*) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
*) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=######". You will see a number of those hits in sequential order.
*) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.

I have some suggestions for people using NATS:
*) Change all your admin level passwords.
*) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
*) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with Apache easily (syntax depends on your version; this is for 2.0):
<Files "admin*">
    Order deny,allow
    Deny from all
    Allow from your.ip.addr.here
</Files>
*) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
*) Be thankful of many things I'll not get into.


P.S. I'm hearing that there is a backdoor that TMM can use to get into your NATS, but I haven't investigated so it's speculation. Only reason I even mention this is because NATS is encrypted and you don't know. I'm not interested in decrypting NATS just to find out. There are other ways. I hope this isn't true.

NATS is a great program.
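Dale's notes, quoted above in both of Paul Markham's bumps, tell NATS admins to look in their web logs for hits against admin_reports.php?report=surfer_stats&member=… arriving in sequential order. The script below is an added example for defenders, not code from the thread, from OC3 or from NATS: it parses Apache combined-format access-log lines, keeps the surfer_stats report requests, groups the requested member ids by source IP and flags any IP that walked through consecutive ids. The log lines are constructed for the example; the /nats/ path prefix, the IPs and timestamps, and the threshold of three consecutive ids are assumptions, while the script name and query parameters are those named in the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache "combined" access-log lines (not real traffic).
# The script path and query parameters follow the pattern named in the thread;
# the IPs (RFC 5737 documentation ranges), timestamps and member ids are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2007:13:00:01 -0700] "GET /nats/admin_reports.php?report=surfer_stats&member=100231 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Dec/2007:13:00:02 -0700] "GET /nats/admin_reports.php?report=surfer_stats&member=100232 HTTP/1.1" 200 5098 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Dec/2007:13:00:02 -0700] "GET /nats/admin_reports.php?report=surfer_stats&member=100233 HTTP/1.1" 200 5133 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Dec/2007:13:00:03 -0700] "GET /nats/admin_reports.php?report=surfer_stats&member=100234 HTTP/1.1" 200 5101 "-" "Mozilla/4.0"
198.51.100.20 - - [22/Dec/2007:13:05:44 -0700] "GET /nats/admin_reports.php?report=surfer_stats&member=100900 HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Dec/2007:13:09:10 -0700] "GET /nats/admin_members.php HTTP/1.1" 200 18200 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Dec/2007:13:12:31 -0700] "GET /nats/admin_reports.php?report=surfer_stats&member=100417 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_surfer_stats_hits(log_text):
    """Return (ip, timestamp, member_id) for every request to the surfer_stats report.

    Only requests whose path ends in admin_reports.php and whose query carries
    report=surfer_stats plus a numeric member id are kept; everything else is ignored.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/admin_reports.php'):
            continue
        qs = parse_qs(url.query)
        if qs.get('report') != ['surfer_stats'] or 'member' not in qs:
            continue
        member = qs['member'][0]
        if not member.isdigit():
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        hits.append((m.group('ip'), ts, int(member)))
    return hits


def find_enumeration(hits, min_run=3):
    """Map each source IP to its longest run of consecutive member ids.

    Hits are ordered by time (then id) per IP; a run grows while each id is exactly
    the previous id plus one. IPs whose longest run is below min_run are dropped,
    so the result is the set of clients that look like they are walking the member list.
    """
    by_ip = defaultdict(list)
    for ip, ts, member in hits:
        by_ip[ip].append((ts, member))
    flagged = {}
    for ip, entries in by_ip.items():
        entries.sort()
        longest = run = 1
        for (_, prev), (_, cur) in zip(entries, entries[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


if __name__ == '__main__':
    # Replace SAMPLE_LOG with the contents of a real access log to run this for real.
    for ip, run in sorted(find_enumeration(parse_surfer_stats_hits(SAMPLE_LOG)).items()):
        print(f"{ip}: requested {run} consecutive member ids via the surfer_stats report")
```

On the sample, only 203.0.113.7 is flagged (four consecutive ids within three seconds); 198.51.100.20 asked for two unrelated ids and stays below the threshold. Point the script at a real log by reading the file into the place of SAMPLE_LOG, and lower min_run if you want to see every client that touched the report. The quoted Order/Deny/Allow block is Apache 2.0/2.2 syntax; on Apache 2.4 the same restriction is written as `Require ip your.ip.addr.here` inside the `<Files>` container.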

minusonebit 12-29-2007 06:12 PM

Back up to the top. At least Milan brought this forward. Most people probably wouldn't have had the stones.

TidalWave 12-29-2007 10:12 PM

OC3 Networks ROCKS!

www.oc3networks.com

