PASSWORD SHARING ALERT TO ALL PAYSITE OWNERS!!!

[AdultsiteReview]

As an affiliate of hundreds of adult websites and owner of 21 paysites of my own, I have to post this password sharing alert to my colleagues, as we all are loosing money.

Fellow paysite webmasters you need to check the following password sharing websites, if not each and every day, at least several times a week, and take action (delete) towards the member account being shared.

Before I post the list where one of my paysites was listed which I caught on to after about 10 hours of heavy use, I want to say that I do not have the time/resources to legally pursue the owners of these websites on my own, but I am willing to join a class-action lawsuit.

Here is a list of the sites password sharing sites I know of, and feel free to add to this list, thanks!

http://www.rawpasswords.com/
http://www.happy-hacker.com/
http://www.ultrapasswords.com/
http://www.passworduniverse.com/
http://www.sexhackers.com/
http://www.loginaccepted.com/
http://www.4passes.com/
http://www.villainess.com/xxxPasswords/21/2006
http://www.xxxpass.se/pass2/2006-05-26-(8635).php
http://porno-paroli.sexnarod.ru/topic99976_70.html

Note: You may not need to check every single one of the above sites, as it seems most or all usernames and passwords combinations trickle to most or all sites over time.


Finally this thread should perhaps be made sticky by the moderators.

[alvarez]

that sucks

[spazlabz]

ya know, it might be helpful if you posted that some of those sites have trojans embedded on them prior to having someone go to them and see if their members areas are listed....
just a thought


spaz

[AdultsiteReview]

I check every site on the above list every day using the Opera browser and have not had a problem!

[spazlabz]

happy-hacker sent my norton's ballistic with a downloader trojan
multipe attempts to install bummer huh, it caught it though


spaz

[QuickDraw]

Don't forget about IRC, newsgroups, etc. Rather then worry about password sharing sites though, you should be worrying about securing your sites. I highly suggest generating your own passwords ( don't let the user pick them ) and install something like StrongBox ( http://www.bettercgi.com/strongbox/ ). Surfers are getting savvy.. it's up to you to keep crackers out.

[[BV]]

Quote:

Originally Posted by QuickDraw

, you should be worrying about securing your sites..

Yes, all 21 of them.

Basic paysite 101. Get ProxyPass or StrongBox (they seem to be the top 2)
I use ProxyPass.

You have to think of password site traffic as free traffic. Don't bitch about it, make money off it.

Some of those sites have been around for over 6 or 7 years, maybe longer. Do a search on ultrapasswords, he's probably the most well known.

[nekrom]

Yup those pass sites and hundreds if not thousands of others have been up since adult started. Take one down, 5 popup in it's spot.

While it's shit traffic, it still converts. And yes, prevention is always better then cure.

-N

[spazlabz]

Quote:

Originally Posted by nekrom

Yup those pass sites and hundreds if not thousands of others have been up since adult started. Take one down, 5 popup in it's spot.

While it's shit traffic, it still converts. And yes, prevention is always better then cure.

-N

I remember a certain busty site that featured amateurs before its owner 'found god' and got out of the business
they used to exploit the password sharing by setting up a fake members area with limited content and give out the passwords to password hacking sites and get them on the upsells to the real members area that was protected like a safe!


spaz

[Jim]

Quote:

Originally Posted by [BV]

Yes, all 21 of them.

Basic paysite 101. Get ProxyPass or StrongBox (they seem to be the top 2)
I use ProxyPass.

You have to think of password site traffic as free traffic. Don't bitch about it, make money off it.

Some of those sites have been around for over 6 or 7 years, maybe longer. Do a search on ultrapasswords, he's probably the most well known.

I often wondered why a simple script that looked at logons and passwords and ip addresses wouldn't be a lot cheaper than any other type of software. If the same logon and password was used by 3 different ip addresses in a 24 hour period, that logon and password would be deleted. Simple, Cheap and to me anyway, looks like it would work fine.

[ClickBuster]

Quote:

Originally Posted by Jim

If the same logon and password was used by 3 different ip addresses in a 24 hour period, that logon and password would be deleted. Simple, Cheap and to me anyway, looks like it would work fine.

Actually this is a terrible way to do this, cause AOL users change their IPs every 15 minutes or something like that. You'll get tons of banned users that are actually regular members.

[Jim]

Quote:

Originally Posted by ClickBuster

Actually this is a terrible way to do this, cause AOL users change their IPs every 15 minutes or something like that. You'll get tons of banned users that are actually regular members.

I don't know...I just looked at this boards ip addresses. We have a webmaster with over 200 posts that only comes here through aol. And through all the posts and thousands of times they have been here, they have only used 4 different aol proxy ip addresses. So, instead of 3, bump it to 5 or even 10 and it will still work and be free.

Looking at this, "When a member initially connects to the AOL host complex, the client software receives network configuration information, including the IP addresses for the local system and for the DNS server. The member's IP address is a Dyamically Assigned Hardware Address (DAHA), which is an address that is assigned to a session. Once the session has ended, the address may be reassigned." it looks like the aol user is good until they log off. And even then, "the address may be reassigned".

[[BV]]

Quote:

Originally Posted by Jim

I often wondered why a simple script that looked at logons and passwords and ip addresses wouldn't be a lot cheaper than any other type of software. If the same logon and password was used by 3 different ip addresses in a 24 hour period, that logon and password would be deleted. Simple, Cheap and to me anyway, looks like it would work fine.

That's exactly part of what proxypass does along with protecting from bruit force attacks.

It actually changes the password.

You can't stop there though.
The real owner of that password needs to be notified of the new password. Finally we have that process automated as well.
Otherwise you need to have someone on it 24/7 or you end up with unhappy customers as 99% of shared passwords are not shared by the owner.

[frankthetank]

Quote:

Originally Posted by [BV]

... as 99% of shared passwords are not shared by the owner.

That´s interesting but I have to admit I can´t follow. If the owner of the password doesn´t share it, where do they get it from?

Is it a guess or do you think they use spy software?

I´m not familiar with those problems because I don´t run a pasite yet, but I´m building one. So it´s an interesting part for me.

[Tvduijn]

Guys, Htacces passwords are "quite" easily gathered with Accessdiver(.com). With a good wordlist and weak passwords is easy to find some passes.
I would advise every paysite owner to use accessdiver yourself to see for yourself. Best defence would be a (custom) php/cgi/whatever login instead of htacces imo. Or atleast make sure you block IP's that do over 5 attemps in 24 hours or so.

Just my 2 cents.

[Lisa]

Quote:

Originally Posted by spazlabz

I remember a certain busty site that featured amateurs before its owner 'found god' and got out of the business

spaz

I still have my 'I [HEART] PORN' t-shirt.

[spazlabz]

Quote:

Originally Posted by frankthetank

That´s interesting but I have to admit I can´t follow. If the owner of the password doesn´t share it, where do they get it from?

Is it a guess or do you think they use spy software?

I´m not familiar with those problems because I don´t run a pasite yet, but I´m building one. So it´s an interesting part for me.

there are programs out there for people who really enjoy hacking paysites that make it very easy
hackers comes along and wants to se your content or show off that he can 'hack' a site all they need is;
the right software (extremely easy to get)
a descent sized word list
your members URL (http://www.yoursite.com/members) authorization failed provies this quickly
5 proxies (again easy to find)

you get get literally dozens of working U/Ps in under a minute esp if the site has been around for awhile. New sites are harder to hack like this.


spaz

[spazlabz]

Quote:

Originally Posted by Lisa

I still have my 'I [HEART] PORN' t-shirt.

heh heh, I never got a shirt!
but i am workin on a buddy christ

spaz

[tigermom]

Someone told me he puts up fake member areas on his free sites. He gives them some shitty free content there and links to sponsors. Then he goes to those password sharing boards and posts it as a password to a paysite... according to him he's getting sign-ups that way.

[[BV]]

Quote:

Originally Posted by frankthetank

That´s interesting but I have to admit I can´t follow. If the owner of the password doesn´t share it, where do they get it from?

Is it a guess or do you think they use spy software?

I´m not familiar with those problems because I don´t run a pasite yet, but I´m building one. So it´s an interesting part for me.

Yes, basically I would classify it as a guess, that's why you do not want your members picking their own passwords.

You want to generate them a random pass. Makes it much harder for the hackers and their scripts to guess. They basically try thousands and thousands of user pass combos on your site until they find one that works. Another reason why you want to use something like proxypass. After one IP tries to log in unsuccessfully after so many times it bans that IP for a period of time.

Now as far as the old user pass, if someone tries to log in using the shared combination again, you send them to a fake members area.

[terry]

Great! A couple of urls I didnt already have there. Thanks for sharing.