2004-04-05, 03:26 PM | #1 |
I've always wondered if there was a god. And now I know there is -- and it's me
|
XXX Passwords
Question.
I think someone is giving out passwords to my pay site. According to my traffic stats, I followed a URL to a crack board and am still trying to track down if my site is anywhere in this board. What is the process if someone is indeed giving out the password to get free access? Thanks in advance.
__________________
Please Re-Read The Rules For Sig Files |
2004-04-05, 05:09 PM | #2 |
You can now put whatever you want in this space :)
|
Hunt Him Down and beat his Ass
Not sure what the proper action is but I'm sure that's what you feel like doing
__________________
How To Keep An Asshole In Suspense
I'll Tell You Later |
2004-04-05, 05:24 PM | #3 |
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
|
It is common. You need to have a script at your end that prevents this. There was a thread with the URL of good software a few months ago after this happened to LindaMight. You should be able to find it by using the board's search function.
|
2004-04-05, 05:24 PM | #4 |
I Didn't Do It
|
http://www.pennywize.com/ is a popular solution
|
2004-04-05, 05:50 PM | #5 |
I've always wondered if there was a god. And now I know there is -- and it's me
|
thanks for the insightful info all
__________________
Please Re-Read The Rules For Sig Files |
2004-04-05, 06:21 PM | #6 |
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
Join Date: Jan 2004
Location: London, UK
Posts: 55
|
Ray's script
Ray of www.webmastersguide.com has a great script to stop hackers etc. I can't remember if it's called Strongbox or Black box.. DUH... But it does the job.
|
2004-05-20, 02:04 PM | #7 |
If something goes wrong at the plant, blame the guy who can't speak English
|
If it's a paysite you are running, chances are that your password will be shared and brute force attack tools will be used to guess an account's user name/password.
Ain't suggesting anything in particular (biased cus I just started offering my product) but take a look at some products: http://www.paysiteowners.com/Links/l...thr&no=26&pg=1 Lots of programs you can use (and no, mine ain't listed there) |
2004-05-20, 02:25 PM | #8 |
You can now put whatever you want in this space :)
Join Date: Nov 2003
Posts: 980
|
There are always ways to crack your site, but you should do all you can to minimize it. Especially keep your .htpasswd safe.
|
2004-05-21, 11:27 AM | #9 |
Internet! Is that thing still around?
Join Date: May 2004
Location: Tampa
Posts: 5
|
XXX Passwords
You can chase down those stolen password sites all day or get Pennywize. It also has a feature that will redirect those people that use the stolen passwords to a page of your choosing. Say your signup page or link list. Go here http://www.pennywize.com/
Hope this helps. B.D.
__________________
|
2004-05-21, 12:29 PM | #10 |
If something goes wrong at the plant, blame the guy who can't speak English
|
I am not the only one reading this article : http://sentinel.deny.de/Tutorial.txt and knowing how to cheat Pennywize |rasta|
|
2004-05-21, 03:17 PM | #11 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
> There was a thread with the URL of good software a few months ago after this
> happened to LindaMight.

Lindamight and several other people here are using my Strongbox, which is definitely the next generation protection, FAR advanced beyond the 1997 ideas of pennydumb et al. The pretty new site isn't ready just yet but you can find more info at: http://www.webmastersguide.com/htaccess-cgi/strongbox/

Joe A said:
> Ray of www.webmastersguide.com has a great script to stop hackers etc. I can't
> remember if it's called Strongbox or Black box.. DUH... But it does the job.

It's Strongbox, Joe. Black Box was Mike's old referer based thing. Joe, you've got a really old version of Strongbox, you should see it now! It rocks.

Southfun said:
> I am not the only one reading this article : http://sentinel.deny.de/Tutorial.txt
> and knowing how to cheat Pennywize

Yeah, no shit. It was 1998 or 1999 when I first actually saw someone do a complete end run around Pennydumb and the exact same attack still works the exact same way. They haven't updated since then to fix it. Pennydumb is a joke. 3 days ago I installed Strongbox for a guy who had been using Pennywize for years and wouldn't listen to anyone who told him how bad it sucked. Within 4 minutes Strongbox detected the first username that pennywize had been missing for months. Within 24 hours Strongbox caught 13 different usernames that were out in the wild and Pennydumb didn't know shit. |
2004-05-21, 08:45 PM | #12 |
NYC Boy That Moved To The Island
|
A simple solution
What if you dropped a cookie on the join page or the webgood page and set your members area up so it refuses access if it doesn't find the cookie? The password sites link directly to the members area, so those surfers would never have the cookie, and of course they would go bye bye.
TO GET EVEN, FUCK WITH THEIR BOOKMARKERS: you redirect traffic from password sites to a CLEAN page where you nicely explain to the surfer that the password site they just came from is famous for installing hacks on unsuspecting surfers' computers which steal their credit card info and bank account numbers. Then you tell them some stuff about identity theft and that visiting hacker sites is the best way to get fucked, blah blah.
That really pisses them off. |
2004-05-21, 09:10 PM | #13 |
Porn Movie Peddler
|
Tommy - I wouldn't want to piss you off. Very clever stuff, I like it.
|
2004-05-21, 10:05 PM | #14 | |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Quote:
part of a much more comprehensive solution. A neat idea, with two things to keep in mind - something like 30% of punters have cookies disabled, so you can't refuse access on that basis, and password sites have gotten a lot more sophisticated too. They can and sometimes do set the same darn cookie. Not often, but sometimes. Then of course something like Strongbox provides not only a cryptographically secure defense against shared passwords, but also protects against dictionary attacks and other nefarious activity, providing informative reports of it all. |
|
2004-05-22, 01:31 AM | #15 |
With $10,000, we'd be millionaires! We could buy all kinds of useful things like ... love!
|
I use Proxypass on my paysites & have been very happy with it. It's a monthly fee, which ends up being expensive over the years, but I haven't had a compromised password run up bandwidth once since I had it installed. Works for me!
|
2004-05-22, 08:19 AM | #16 |
Rock stars ... is there anything they don't know?
Join Date: Apr 2004
Location: USA
Posts: 17
|
First thing I would do is make sure you don't allow multiple logins. That way at least no more than 1 person can be logged into an account at a time. That will minimize the damage if the password is cracked or given out.
We log the IP of the person logging in... if the IP changes frequently within a short period of time the account freezes and we get a notification. Even if you have a dynamic IP it normally won't change 6 times in an hour. |
2004-05-22, 10:14 AM | #17 |
If something goes wrong at the plant, blame the guy who can't speak English
|
1 ) Some cracking tools, like AccessDiver, can store a cookie and send it along when it performs a brute-force-attack.
2 ) Redirecting traffic... Well, who says that the cracked passwords are links? Many password sites have found out that the webmasters block access by checking who the referer is ( that's a damn big list ) and they post the passwords so you have to cut and paste them. No referer, no problem for the leecher.
3 ) I don't know much about ProxyPass or Strongbox. None of them offers free trials, so I guess their security lies in keeping its internal works secret?
4 ) People focus a lot on traded/shared passwords. But even a simple Perl script can check the logs and detect multiple logins and then close the account. But that's not the main problem of a web site's security anymore. It's the fact that ANYONE can learn how to crack a members site within the hour. How do you detect then that an account is maybe used by 3 different persons? Or do you guys think that all cracked passwords are posted on password sites? My guess would be that only 10% are posted. The rest is used by the crackers or traded on 1 to 1 basis.
4 ) One time fee vs monthly fee. If it is a script that is installed locally and doesn't use a server to sync and for its backup data, then it should be a one time fee. These scripts/programs use the harddisk to store their data ( ISP's nightmare if they allow it ). The monthly fee varies from company to company. Ours start at 9.95$ per month with free installation. You can't tell me that it is expensive. Check us out : http://www.passguardian.com ( free trial anyway ) ICQ : 267932717 |
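The IP-change check described in post #16 and the log-checking script mentioned in post #17, as an added example that is not part of the thread or of any product named in it. It assumes Apache common/combined-format logs for an HTTP Basic Auth members area with lines in chronological order, and reads "6 times in an hour" as six distinct addresses inside a sliding hour; the function names and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log: host ident authuser [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, user, time, status), or None for unparseable/anonymous hits."""
    m = LINE_RE.match(line)
    if not m or m.group(2) == "-":
        return None
    ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), m.group(2), ts, int(m.group(4))

def shared_accounts(lines, max_ips=6, window=timedelta(hours=1)):
    """Map username -> sorted IPs for accounts seen from at least max_ips
    distinct addresses inside any sliding window (threshold is an assumption)."""
    recent = defaultdict(deque)   # user -> (time, ip) pairs, oldest first
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] >= 400:   # skip failed logins (401) and errors
            continue
        ip, user, ts, _ = rec
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:       # drop hits older than the window
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) >= max_ips:
            flagged.setdefault(user, set()).update(ips)
    return {u: sorted(s) for u, s in flagged.items()}

def hit(ip, user, hh, mm, status=200):
    return (f'{ip} - {user} [05/Apr/2004:{hh:02d}:{mm:02d}:00 -0400] '
            f'"GET /members/index.html HTTP/1.1" {status} 5120')

SAMPLE = (  # constructed log lines using documentation IP ranges
    [hit("192.0.2.10", "alice", 15, m) for m in range(0, 60, 10)]          # one IP
    + [hit(f"198.51.100.{i}", "bob", 15, 5 + 9 * i) for i in range(6)]     # 6 IPs in 45 min
    + [hit(f"203.0.113.{i}", "carol", 10 + i, 0) for i in range(6)]        # 6 IPs over 5 hours
    + [hit(f"203.0.113.{50 + i}", "dave", 15, 30 + i, 401) for i in range(6)]  # failed logins
)
SAMPLE.sort(key=lambda line: parse(line)[2])
```

Only `bob` is flagged on the sample: `carol`'s addresses are spread too thinly to share a window, and `dave`'s 401 responses are guessing attempts that belong in a separate brute-force counter.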