
Watch for this password hacker


Joe A
08-14-05, 03:15 PM
If you have a member on your pay site using marshallpratt1 with the email address marshallpratt1@yahoo.com, check your password files...

He signed up at SGD in the early hours through Clear Card after being denied a few times in the last month by CCBill. He added variations of his user name at least 100 times which I've now deleted and of course I've blocked his ip :)

Just to give you guys a heads up :)

daveydude
08-14-05, 03:40 PM
Do you guys use any automatic protection for your members areas? We're using ProxyPass - it's very good & automatically detects activity like that & blocks the offending IP.

Joe A
08-14-05, 03:56 PM
Ray is still setting up Strongbox but...

Even he can't find a way to stop hackers getting in to password files to add users. All password protection programmes do is stop a user id being used too often from different ip's...

SGS
08-14-05, 04:36 PM
Do you guys use any automatic protection for your members areas? We're using ProxyPass - it's very good & automatically detects activity like that & blocks the offending IP.

ProxyPass is very old and next to useless. Much better programs out there now.

Cardinal_Sin
08-14-05, 07:43 PM
Ray is still setting up Strongbox but...

Even he can't find a way to stop hackers getting in to password files to add users. All password protection programmes do is stop a user id being used too often from different ip's...

Joe, where is the pass file? If you have a folder in www for your file, there are thousands of ways to write to it.
If you have a folder with your pass file a level below, it can only be written to by the scripts that are supposed to do this - However, you are also using a few processors - Are all of their files safe? - Looks like something is web visible.

Joe A
08-14-05, 07:58 PM
All password files are hidden. You can't see them through regular ftp access. I had to warn Paycom the other day that someone hacked their system to add a password.

I spoke to Ray the other day and he says that this is a common problem. There is no 100% way to protect the password files on any server. If anyone should know... It's him :)

Another trick a hacker uses is to add a password and then just use the min of bandwidth to start with so he might be missed on any checks. Then after a few days.. He posts it all over the place. I check my password files a few times each day and cross check to a sign up. If I haven't received one.. I do a raw files log, then delete the password and ban the ip.

Cardinal_Sin
08-14-05, 10:26 PM
All password files are hidden. You can't see them through regular ftp access. I had to warn Paycom the other day that someone hacked their system to add a password.

I spoke to Ray the other day and he says that this is a common problem. There is no 100% way to protect the password files on any server. If anyone should know... It's him :)

Another trick a hacker uses is to add a password and then just use the min of bandwidth to start with so he might be missed on any checks. Then after a few days.. He posts it all over the place. I check my password files a few times each day and cross check to a sign up. If I haven't received one.. I do a raw files log, then delete the password and ban the ip.
All password files are hidden. You can't see them through regular ftp access.
That is just the way a server is set up - Port 21 ftp hides files like pass and htaccess. Because you can't see them through this port, doesn't mean you can't see them other ways -
If someone has the ability to write to your pass file, you have to look at a few things -
1) A script writing is web viewable (or)
2) You have server ports open (or)
3) You have php files or cgi files open (or)
4) Your home computer has been accessed
5) Some of your critical files are incorrectly chmod'ed
There are other ways - But a member joining and then adding passes leads me to only look at the above -
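An added example, not code from anyone in this thread: a small Python script that does Joe's daily cross-check (every user in the password file must match a paid sign-up) together with two of Cardinal_Sin's checks (is the pass file under the web root, and are its permissions wrong). The htpasswd contents, hashes, sign-up list and directory layout are all constructed for the demo; the audit works on any Apache-style `user:hash` file.

```python
import os
import stat
import tempfile

# Constructed sample htpasswd contents (Apache format: user:hash per line).
# The hashes are placeholders, not real credentials.
SAMPLE_HTPASSWD = """\
alice:$apr1$placeholderhash1
bob:$apr1$placeholderhash2
marshallpratt1:$apr1$placeholderhash3
marshallpratt12:$apr1$placeholderhash4
"""

# Constructed set of usernames the billing processors reported as paid sign-ups.
SAMPLE_SIGNUPS = {"alice", "bob"}


def parse_htpasswd(text):
    """Return the usernames listed in htpasswd-style text (user:hash per line)."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.append(line.split(":", 1)[0])
    return users


def unexpected_users(htpasswd_text, signups):
    """Usernames present in the password file with no matching sign-up record."""
    return sorted(u for u in parse_htpasswd(htpasswd_text) if u not in signups)


def audit_password_file(path, document_root):
    """Findings about where the password file lives and who can read or write it."""
    findings = []
    real = os.path.realpath(path)
    root = os.path.realpath(document_root)
    if real == root or real.startswith(root + os.sep):
        findings.append("password file is inside the web document root")
    mode = os.stat(real).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("password file is group- or world-writable")
    if mode & stat.S_IROTH:
        findings.append("password file is world-readable")
    return findings


def demo():
    """Constructed scenario: the sample file placed inside a fake document root
    and made world-writable, then audited and cross-checked against sign-ups."""
    with tempfile.TemporaryDirectory() as docroot:
        pass_path = os.path.join(docroot, ".htpasswd")
        with open(pass_path, "w") as f:
            f.write(SAMPLE_HTPASSWD)
        os.chmod(pass_path, 0o666)  # deliberately wrong permissions for the demo
        findings = audit_password_file(pass_path, docroot)
        unexpected = unexpected_users(SAMPLE_HTPASSWD, SAMPLE_SIGNUPS)
    return unexpected, findings


if __name__ == "__main__":
    users, problems = demo()
    print("no sign-up on record for:", users)
    print("file problems:", problems)
```

Run from cron against the real file and the processors' sign-up export; any name without a sign-up is exactly the case Joe describes, and any finding from the audit points at the same "something is web visible or chmod'ed wrong" conditions in the list above.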

Joe A
08-14-05, 10:31 PM
It's brute force..

His ip has been barred and user name was deleted but it's coming back in cycles every 10 mins or so.. I'm having fun deleting them as they're added. I'm waiting for my host to get back home from a Sunday out.. Thank god he's on the east coast so only 5hrs behind

Cardinal_Sin
08-14-05, 10:51 PM
It's brute force..

His ip has been barred and user name was deleted but it's coming back in cycles every 10 mins or so.. I'm having fun deleting them as they're added. I'm waiting for my host to get back home from a Sunday out.. Thank god he's on the east coast so only 5hrs behind
Joe - All sites get Brute Force attacks - Have fun removing the proxies they use, there are hundreds of thousands of them and you will eventually kill your server speed trying to block them all -
This isn't your problem - Brute force simply looks for 1) known user/passes and 2) passes that are simple to crack.
You have someone WRITING to your pass file at will - You have an open file on your server that gives the finder the ability to write new passes to your pass file.

Joe A
08-14-05, 11:56 PM
Problem solved for now, my host has blocked his ip from their machines..

The next stage is we are blocking all anon visitors. If this stops members and they email me saying their access is barred.. I'll just ask them if they are using an anonymizer.. If they are.. I'll tell them not to use it... LOL

Ok.. the prob is the cgi file that the cc processors use. We are now working on it from there :(

Alf Garnet
08-15-05, 10:58 AM
I've never known anyone to go on about password sharing like you Joe, it's a part of having a pay site. Get real hosting and strongbox and don't stress yourself so much

Joe A
08-15-05, 02:49 PM
Alf you are yet another prick here..

Read this part again " I spoke to Ray the other day and he says that this is a common problem. There is no 100% way to protect the password files on any server. If anyone should know... It's him " This refers to hackers getting in through cgi scripts. No one can stop them adding passwords. Ray is installing Strongbox as I've already said. He can't find a way to stop the cgi security leak on my server, yours or anyone's !!!

At least Cardinal Sin knows what I've been talking about and he made serious comments which are appreciated. The hacker added a script in the cgi bin in the password folder so that we'd think it was from one of the three processors I use. A quick call to CCBill to verify which scripts were legit and the hacker's was deleted and no more "marshallpratt1"...

Get a life
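Joe found the foreign script only by phoning the processor and comparing by hand. An added example (my code, not anything posted in this thread) of the check that would have flagged it automatically: hash every file in the cgi-bin once the processors have confirmed which scripts are theirs, keep that manifest off the server, and diff the directory against it on a schedule. The script names and contents below are constructed for the demo and are not the real scripts of any processor.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Map of relative path -> sha256 for every regular file under directory."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(directory):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, directory)] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed scenario: a cgi-bin holding two verified processor scripts;
    later a script nobody installed appears and one known script is altered."""
    with tempfile.TemporaryDirectory() as cgi_bin:
        known = {
            "ccbill_post.cgi": b"#!/usr/bin/perl\n# verified with the processor\n",
            "paycom_post.cgi": b"#!/usr/bin/perl\n# verified with the processor\n",
        }
        for name, body in known.items():
            with open(os.path.join(cgi_bin, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(cgi_bin)  # taken right after verifying the scripts

        # Later: an unexpected script is dropped in and a known one is modified.
        with open(os.path.join(cgi_bin, "unexpected.cgi"), "wb") as f:
            f.write(b"#!/usr/bin/perl\n# not ours\n")
        with open(os.path.join(cgi_bin, "paycom_post.cgi"), "ab") as f:
            f.write(b"# appended by someone else\n")

        return compare_manifests(baseline, build_manifest(cgi_bin))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Anything in the added or modified lists is a script the processors did not give you, which is the situation Joe ended up in; the baseline must live somewhere the web server account cannot write, or whoever can drop a script into cgi-bin can also update the manifest.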