Greenguy's Board


SlickRick 2004-04-05 03:26 PM

XXX Passwords
 
Question.

I think someone is giving out passwords to my pay site. According to my traffic stats, I followed a URL to a crack board and am still trying to track down if my site is anywhere on this board.

What is the process if someone is indeed giving out the password to get free access?


Thanks in advance.

T Pat 2004-04-05 05:09 PM

Hunt Him Down and beat his Ass

Not sure what the proper action is but I'm sure that's what you feel like doing

Cleo 2004-04-05 05:24 PM

It is common. You need to have a script at your end that prevents this. There was a thread with the URL of good software a few months ago after this happened to LindaMight. You should be able to find it by using the board's search function.

Opti 2004-04-05 05:24 PM

http://www.pennywize.com/ is a popular solution

SlickRick 2004-04-05 05:50 PM

Thanks for the insightful info, all.

Joe A 2004-04-05 06:21 PM

Ray's script
 
Ray of www.webmastersguide.com has a great script to stop hackers etc. I can't remember if it's called Strongbox or Black box.. DUH... But it does the job.

Southfun 2004-05-20 02:04 PM

If it's a paysite you are running, chances are that your password will be shared and brute force attack tools will be used to guess an account's user name/password.

Ain't suggesting anything in particular ( biased cus I just started offering my product ) but take a look at some products :

http://www.paysiteowners.com/Links/l...thr&no=26&pg=1

Lots of programs you can use ( and no, mine aint listed there ) :)

grzepa 2004-05-20 02:25 PM

There are always ways to crack your site, but you should do all you can to minimize it. Especially keep your .htpasswd safe.

Big Daddy 2004-05-21 11:27 AM

XXX Passwords
 
You can chase down those stolen password sites all day or get Pennywize. It also has a feature that will redirect those people that use the stolen passwords to a page of your choosing. Say your signup page or link list. Go here http://www.pennywize.com/
Hope this helps.

B.D.

Southfun 2004-05-21 12:29 PM

I am not the only one reading this article : http://sentinel.deny.de/Tutorial.txt and knowing how to cheat Pennywize

raymor 2004-05-21 03:17 PM

> There was a thread with the URL of good
> software a few months ago after this
> happened to LindaMight.

Lindamight and several other people here are using my Strongbox,
which is definitely the next generation protection,
FAR advanced beyond the 1997 ideas of pennydumb et al.

The pretty new site isn't ready just yet but you can find
more info at:
http://www.webmastersguide.com/htaccess-cgi/strongbox/


Joe A said:
> Ray of www.webmastersguide.com has a great script to stop hackers etc. I can't
> remember if it's called Strongbox or Black box.. DUH... But it does the job.

It's Strongbox, Joe. Black Box was Mike's old referer based thing.
Joe, you've got a really old version of Strongbox, you should see it now! It rocks.


Southfun said:
> I am not the only one reading this article : http://sentinel.deny.de/Tutorial.txt
> and knowing how to cheat Pennywize

Yeah, no shit. It was 1998 or 1999 when I first actually
saw someone do a complete end run around Pennydumb and
the exact same attack still works the exact same way.
They haven't updated since then to fix it.
Pennydumb is a joke. 3 days ago I installed Strongbox for a guy
who had been using Pennywize for years and wouldn't listen
to anyone who told him how bad it sucked.
Within 4 minutes Strongbox detected the first username
that pennywize had been missing for months.
Within 24 hours Strongbox caught 13 different usernames
that were out in the wild and Pennydumb didn't know shit.

Tommy 2004-05-21 08:45 PM

A simple solution
what if you dropped a cookie on the join page or the webgood page

and set your members area up so it refuses access
if it doesn't find the cookie

the password sites link directly to the members area
so those surfers would never have the cookie
and of course they would go bye bye

TO GET EVEN FUCK WITH THEIR BOOKMARKERS
you redirect traffic from password sites to a CLEAN page where you nicely explain to the surfer that the password site they just came from is famous for installing hacks on unsuspecting surfers' computers which steal their credit card info and bank account numbers

then you tell them some stuff about identity theft and that visiting hacker sites is the best way to get fucked blah blah

that really pisses them off

kristian 2004-05-21 09:10 PM

Tommy - I wouldn't want to piss you off. Very clever stuff, I like it.

raymor 2004-05-21 10:05 PM

Tommy said:
> A simple solution
> what if you dropped a cookie on the join page or the webgood page

I've used something a little bit similar as a small
part of a much more comprehensive solution.
A neat idea, with two things to keep in mind -
something like 30% of punters have cookies
disabled, so you can't refuse access on that basis,
and password sites have gotten a lot more sophisticated too.
They can and sometimes do set the same darn cookie.
Not often, but sometimes.

Then of course something like Strongbox provides not only
a cryptographically secure defense against shared passwords,
but also protects against dictionary attacks and other nefarious
activity, providing informative reports of it all.

KCat 2004-05-22 01:31 AM

I use Proxypass on my paysites & have been very happy with it. It's a monthly fee, which ends up being expensive over the years, but I haven't had a compromised password run up bandwidth once since I had it installed. Works for me!

LiveWorldWide 2004-05-22 08:19 AM

First thing I would do is make sure you don't allow multiple logins. That way at least no more than 1 person can be logged into an account at a time. That will minimize the damage if the password is cracked or given out.

We log the IP of the person logging in... if the IP changes frequently within a short period of time the account freezes and we get a notification. Even if you have a dynamic IP it normally won't change 6 times in an hour.

Southfun 2004-05-22 10:14 AM

1 ) Some cracking tools, like AccessDiver, can store a cookie and send it along when they perform a brute-force attack.

2 ) Redirecting traffic...Well, who says that the cracked passwords are links? Many password sites have found out that the webmasters block access by checking who the referer is ( that's a damn big list ) and they post the passwords so you have to cut and paste them. No referer, no problem for the leecher.

3 ) I don't know much about ProxyPass or Strongbox. None of them offers free trials, so I guess their security lies in keeping its internal works secret?

4 ) People focus a lot on traded/shared passwords. But even a simple Perl script can check the logs and detect multiple logins and then close the account. But that's not the main problem of a web site's security anymore. It's the fact that ANYONE can learn how to crack a members site within the hour. How do you detect then that an account is maybe used by 3 different persons? Or do you guys think that all cracked passwords are posted on password sites? My guess would be that only 10% are posted. The rest is used by the crackers or traded on 1 to 1 basis.

5 ) One time fee vs monthly fee. If it is a script that is installed locally and doesn't use a server to sync and for its backup data, then it should be a one time fee. These scripts/programs use the harddisk to store their data ( ISP's nightmare if they allow it). The monthly fee varies from company to company. Ours start at 9.95$ per month with free installation. You can't tell me that it is expensive :P

Check us out : http://www.passguardian.com ( free trial anyway )
ICQ : 267932717
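
The log check that LiveWorldWide and Southfun (point 4) describe above, as an added example that is not part of any post in this thread and not taken from any of the products named: it reads Apache common/combined access-log lines and reports accounts used from more than `max_ips` distinct addresses inside a sliding one-hour window. The function names, the default threshold of 5 and the sample log lines are assumptions constructed for illustration; freezing the account and sending a notification are left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (user, ip, time) for an authenticated, successful hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, status = m.groups()
    if user == "-" or not status.startswith(("2", "3")):
        return None  # anonymous request, or a failed login (401/403)
    return user, ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def shared_accounts(lines, max_ips=5, window=timedelta(hours=1)):
    """Map username -> sorted IPs for accounts seen from more than max_ips
    distinct addresses within any window. Assumes each user's hits arrive in
    chronological order, as they do in a single access log."""
    recent = defaultdict(deque)  # user -> (time, ip) pairs, oldest first
    flagged = {}
    for user, ip, when in filter(None, map(parse, lines)):
        q = recent[user]
        q.append((when, ip))
        while when - q[0][0] > window:   # drop hits older than the window
            q.popleft()
        ips = {addr for _, addr in q}
        if len(ips) > max_ips:
            flagged[user] = sorted(ips | set(flagged.get(user, [])))
    return flagged

def _hit(ip, user, hh, mm, status=200):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - {user} [22/May/2004:{hh:02d}:{mm:02d}:00 -0400] '
            f'"GET /members/ HTTP/1.0" {status} 512')

# Constructed sample: alice uses one address all hour, bob's login shows up
# from 7 addresses in 24 minutes, dave's address changes once an hour.
SAMPLE = (
    [_hit("192.0.2.10", "alice", 9, m) for m in range(0, 60, 5)]
    + [_hit(f"198.51.100.{n}", "bob", 10, 4 * n) for n in range(1, 8)]
    + [_hit(f"203.0.113.{n}", "dave", 10 + n, 0) for n in range(1, 8)]
)

if __name__ == "__main__":
    for user, ips in shared_accounts(SAMPLE).items():
        print(f"{user}: {len(ips)} addresses within an hour: {', '.join(ips)}")
```

This catches the widely posted password; as Southfun notes, an account quietly used by two or three people stays under any threshold that tolerates ordinary dynamic addresses.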

