***** NATS Issue - What we know about it *****
After many MANY emails and VM's I will post what OC3 Networks discovered back in October after a routine audit of 2 of our clients' security.
We have known this issue existed since mid Aug 2007, secured our customers and blocked the intruder IP's from any access to our network. We posted the thread http://www.gfy.com/showthread.php?t=779742 and got some lawsuit threats to sue us that we could have cared less about, BUT when our customers that we tracked the breach on their servers got threats as well and requested us to NOT come out public with it, we honored their request. Just as a side info, I think NATS is a great product and it's a shame that after the months they had to fix or come clean with their clients it never happened... Credit for the info below should go to our SUPER SYSADMIN/Security fanatic Dale, who has never posted on this board, so I'm doing this for him. He wanted to come out with this long ago!

=====

The issue with this "intruder" does not seem to be an exploit of the NATS software itself. *Someone* has access to TMM's clients database with your admin logins and passwords. That's what the issue is. I'm not posting this to bash TMM. I'm posting this because they have had months to fix this issue and have apparently failed. They didn't even let (some of?) their customers know they implemented this "Admin activity log" and installed it behind their backs.

I've been involved with a high number of NATS clients and have found the following to be true:
*) Changing all admin level account passwords stops the intruder. He still attempts to login, but in vain.
*) As soon as TMM has admin access to NATS the intruder is back. Sometimes the same day.
*) Intruder is using an automation script that dumps the NATS members list. In some cases he is doing this every hour on the hour.
*) If you have web logs, look for hits against "admin_reports.php?report=surfer_stats&member=#### ##". You will see a number of those hits in sequential order.
*) NATS was vulnerable to SQL injection attacks. I haven't investigated whether it still is.

I have some suggestions for people using NATS:
*) Change all admin level passwords.
*) Do not give TMM an admin account they can use anytime they want. Change the pass when they are done.
*) Restrict access to the admin*.php files by IP. This is inconvenient, but if you can do this it will circumvent any future intrusion. There may be other files you want to do this with. You can do this with apache easily (syntax depends on your version. This is for 2.0):

<Files "admin*">
    Order deny,allow
    Deny from all
    Allow from your.ip.addr.here
</Files>

*) Keep an eye on the ssh user you have given TMM to fix/maintain your NATS install. Change their password every time they need access and as soon as they are done. I have experience with TMM ssh-ing in and making changes to NATS software without permission.
*) Be thankful of many things I'll not get into.

P.S. I'm hearing that there is a backdoor that TMM can use to get into your NATS, but I haven't investigated so it's speculation. Only reason I even mention this is because NATS is encrypted and you don't know. I'm not interested in decrypting NATS just to find out. There are other ways. I hope this isn't true. |
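The web-log check Dale describes (a run of sequential surfer_stats hits against admin_reports.php from one client) can be automated. This is an added example written for this thread, not OC3's, Dale's or TMM's code; it assumes Apache combined log format, and the log lines and IPs (documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache combined log: client IP, identd, user, [timestamp], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation-range IPs), not a real NATS log.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2007:03:00:01 -0700] "GET /admin_reports.php?report=surfer_stats&member=1001 HTTP/1.1" 200 5120
192.0.2.10 - - [12/Oct/2007:03:00:02 -0700] "GET /admin_reports.php?report=surfer_stats&member=1002 HTTP/1.1" 200 4988
192.0.2.10 - - [12/Oct/2007:03:00:03 -0700] "GET /admin_reports.php?report=surfer_stats&member=1003 HTTP/1.1" 200 5010
192.0.2.10 - - [12/Oct/2007:03:00:04 -0700] "GET /admin_reports.php?report=surfer_stats&member=1004 HTTP/1.1" 200 5077
192.0.2.10 - - [12/Oct/2007:03:00:05 -0700] "GET /admin_reports.php?report=surfer_stats&member=1005 HTTP/1.1" 200 4901
198.51.100.7 - - [12/Oct/2007:09:14:10 -0700] "GET /admin_reports.php?report=surfer_stats&member=42 HTTP/1.1" 200 5001
198.51.100.7 - - [12/Oct/2007:09:20:33 -0700] "GET /admin_members.php HTTP/1.1" 200 8800
"""

def surfer_stats_hits(log_lines):
    """Map client IP -> member IDs requested via admin_reports.php surfer_stats, in log order."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        qs = parse_qs(url.query)
        if url.path.endswith("/admin_reports.php") and qs.get("report") == ["surfer_stats"]:
            member = qs.get("member", [""])[0]
            if member.isdigit():
                hits[m.group("ip")].append(int(member))
    return dict(hits)

def find_enumeration(log_lines, min_run=5):
    """Flag IPs whose member IDs contain >= min_run consecutive values: a dump script walks IDs in order."""
    findings = {}
    for ip, ids in surfer_stats_hits(log_lines).items():
        best_start, best_len = ids[0], 1
        run_start, run_len = ids[0], 1
        for prev, cur in zip(ids, ids[1:]):
            run_start, run_len = (run_start, run_len + 1) if cur == prev + 1 else (cur, 1)
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        if best_len >= min_run:
            findings[ip] = {"requests": len(ids), "run_start": best_start,
                            "run_end": best_start + best_len - 1}
    return findings
```

Run it over the real access log with `find_enumeration(open("access_log").read().splitlines())`; a flagged IP with hits every hour on the hour matches the pattern in the post.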
Amazing this has been happening SO fucking long and nobody knew about it because of Nats crying about lawsuits all over the place.
|
Quote:
Reminds me very much of GTS and Mark and how they operate. Say anything bad about them and he will "destroy your business". Point out they are working with scammers and you'll get "banned" etc. |
Wowsers, nice work OC3
|
kudos to Dale
|
p.s.
ip's of interest 67.19.188.250 67.84.12.95 69.94.70.187 66.118.176.86 82.199.118.23 |
That guys needs a raise :)
|
milan & OC3 - Thanks for that vital information.
OH how can I not mention DALE :) Thank you for keeping a vigilant eye! |
Thanx a LOT Milan and Dale for getting to the bottom of this AND sharing it with GFY :thumbsup
From your point of view - has the affiliates' info been extracted / compromised as well, or is this unlikely? Again, thanx a LOT for going public with this. Steve |
Quote:
BTW we have null routed those 5-6 IP's from any access to our network long ago, other ISP's should follow. |
you guys go above and beyond, I am happy I have some of my stuff hosted with you guys. I know it's in good hands.
|
holy shit this isn't good...
|
Isn't anybody amazed this has been going on since August? How come a hosting company knows about this and the owners of the software didn't? For 4 months already?
|
Quote:
Not good, at all. Will I see eMails / Newsletters of the programs that I'm signed up with that my info has been compromised and my Identity / Banking Info / ePass info has been stolen? Well, let's just say I doubt it, but I still HOPE that they will be honest about it. I've already started to ask some of the program owners that I'm signed up with if they had that issue - but to be honest, it shouldn't be MY job to ask them if my info is / was secure, but theirs to inform me that I've got a serious problem now and need to change all this data / info. Just my :2 cents: |
Quote:
Easier to notify customer of the issue :2 cents: |
Need to add:
1) Using the ADMIN_IPS security settings within the NATS Config Admin stops unauthorized IP's from entering, viewing, or getting any Admin related documents or data. IP LOCK YOUR ADMIN AREA - It's a built in feature within NATS.
2) NATS IP is: 67.84.12.95
3) When NATS is done updating they tell you to change passwords. This is a great time to change the NATS PW and set the account status to normal. You should already be changing your FTP/SSH pw each time, which NATS tells you to do. |
bookmarked
|
i like elephants
|
:helpme:helpme:helpme
|
Good info. :thumbsup
|
Thanks for handling this responsibly, contacting NATS first and then going to full disclosure mode only when it became necessary. As a security professional who works with a lot of NATS sites, and someone who has previously raised questions about the security implications of having that kind of data on the web server at all as well as specific concerns about NATS, this is of great interest to me and leaves me with a question. Most of the "symptoms" you describe could be explained by a simpler problem than that "*Someone* has access to TMM's clients database with your admin logins and passwords." There are numerous other ways for a cracker to get the admin user name and password. Most webmasters choose poor passwords, with "admin:admin" being common, as are certain variations on that. You don't have to crack TMM's database to get in when the password is that obvious. Most webmasters use passwords based on English words, so a dictionary attack is simple enough. More likely, any PHP script anywhere on the server might be exploited and used to read the password from the database. Based on what you've posted, the only evidence that the bad guy(s) have access to the TMM database is: Quote:
happened one time that the cracker definitely was gone and then came back shortly after TMM was given admin access? Quote:
Agreed - they have an impressive product and the current crop of people there seem to be good people. Some on this board know we once had some intellectual property concerns regarding the actions of someone who no longer works there, but that's been properly taken care of by TMM. My interest is in helping webmasters who use NATS and TMM to take care of any problems so that everyone can get back to the business of getting the porn to the people. |
Ah, now ain't that nice? Does that mean all of the affiliates' information is compromised as well? God, this entire industry sucks with regard to security and privacy practices. People need to get their heads out of their asses. Add this to the list of reasons why I am glad I use a taxpayer ID for program signups.
Now, the question that remains in my mind is two fold: 1. Why is TMM sitting on their goddamned asses with regard to this? 2. Milan, why did you give them as long as you did to fix this before letting it out? This is a serious issue and you giving them three fucking months to address it before going public with it is way too damn long. They should have had 48 hours - maximum - to address it. You're right, they should have notified the customers. Their failure to do that is another nail in their coffin. And right after they bought SegPay? Hah, now there is one billing company I'll never do business with. Fuck TMM's reputation and the damage that releasing this after 48 hours would have caused, let me be the first to say that I don't give a good goddamn about that at all. When privacy and security and people having access to private data is concerned, the reputation of the companies involved does not matter, the security of the data in a timely manner trumps all ego concerns. This industry worries way too fucking much about the reputation of other companies when it comes to shit like this. When something stinks, the dirty laundry needs to be aired now, not after three months of back room pleasantries and friendly chats. |
Quote:
Ommmmggg the irony :1orglaugh Holy shit! I'm sure now, you're fucked in your head. |
Quote:
Posting 300 passwords, usernames, full names, telephone numbers, addresses didn't do any harm. Silly me, how could I forget that :1orglaugh |
Quote:
http://www.gofuckyourself.com/showth...ight=Porngraph Posted 01-16-2006, 12:53 PM |
yeah sounds like a real non issue to me :Oh crap
Nice work Milan, you guys run an excellent operation!! |
Quote:
Man, if you read all this shit back about yourself don't you just want to shoot yourself? Please explain to me how exactly I got quiet and scared? :1orglaugh:1orglaugh Fucking delusional piece of password sharing shit! |
hmmkay, this would explain all the spam to UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com and UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com and UNIQUE-ADDRESS-USED-ONLY-TOSIGNUP-TO...fmydomains.com
and... |
I wonder if this is where Kandah gets his/her/its lists. Anyone have that little fucker's IP addresses, could match them against the list of intruders... we all know the lists that nic is peddling are stolen, stolen, stolen... would make sense...
|
Ok Frank just totally owned & destroyed Minusonebit, now move on to the real topic and stop fighting.
|
QUESTION: what is the correct way to specify an IP range plus 1 other IP when setting up the ADMIN_IPS in a NATS configuration?
would it be 1.2.3.*,5.6.7.8 or 1.2.3.1-255,5.6.7.8 or something else? |
If I understand correctly from the other thread, OC3Networks is working with, or assisting MojoHost and quite possibly others as well.
If that's true, I have to give props to a company (that I don't host with btw) for working DIRECTLY WITH their competition to help solve an issue that affects our entire industry instead of capitalizing on it for their own gains. That deserves the utmost respect. :thumbsup |
I'd just like to say great work on this, and as I'd mentioned in other threads [and was told I was an idiot for it] - NATS was vulnerable to SQL injections. I'm not sure if it still is now, but it certainly was.
|
Are the processors concerned at all?
|
Quote:
Thank you but I really don't see any of the other hosts as competition, I see them as peers. There is SO much business for everyone and I think any industry should stick one to another. MojoHost, Webair, Splitinfinity and Natnet are all great operations and should share security matters. (hope I didn't forget or offend anyone) |