03-24-2011, 10:57 AM
SwirlsGirl
So Fucking Banned
 
Join Date: Feb 2006
Location: between east coast and vegas
Posts: 2,067
Quote:
Originally Posted by VGeorgie
What they did was find the CCBill log file, which contained usernames but no passwords. They'd then compare those usernames against a list of previously cracked u/p pairs, for a more effective brute force attack. This shouldn't be happening now if your site was set up properly.

Hackers can still get your htpasswd file, which can be located anywhere. It's important that it is located above the document root, and that you have no scripts running anywhere on your site that can return arbitrary files. Best to put the htpasswd file in an unusual location, and name it something unique. Consider using a stronger encryption on your htpasswd file, and requiring customers to use passwords at least nine characters long (or provide them random usernames and passwords - but not the insanely unusable ones CCBill offers; use the passgen utility that Strongbox offers).

If you get confirmation emails be sure your email is secure. If your email account has been hacked they can look at all the confirmations, which by default have the username and password in them.

Hey, I am still learning something new every day.... Regarding the htpasswd file, I was always under the impression it belonged somewhere in the CCBill folder or directory.

Today, after reading this thread, I discovered that the htpasswd file is located inside of the members area. Would you consider this a standard/secure place for the file to be located?

Seems like it's been there for almost a year now. Hope it's not a dumb question.
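The quoted advice above (keep the htpasswd file above the document root, use a stronger hash, enforce a minimum password length, hand out random credentials) can be turned into a quick audit. The script below is an added example written for this page; it is not code from the thread, from CCBill, or from Strongbox's passgen utility. It assumes a standard Apache htpasswd file, classifies each entry by the hash-scheme markers that Apache's htpasswd(1) writes (`$2y$` bcrypt from `-B`, `$apr1$` MD5 from `-m`, `{SHA}` from `-s`, and a bare 13-character crypt(3) DES field from `-d`), checks whether the file path sits outside a given document root, replays the "usernames plus previously cracked pairs" attack from the quote against `{SHA}` entries (the only scheme verifiable with the standard library alone), and generates replacement credentials that meet the nine-character minimum. The sample htpasswd content and the paths are constructed for the example; the bcrypt and MD5 entries are well-formed but arbitrary, so only their format is checked, not their passwords.

```python
"""Audit an Apache htpasswd file: hash scheme per entry, file location relative to
the document root, exposure to a known-credentials replay, and replacement
credential generation. Added example; not code from the thread or from CCBill."""
import base64
import hashlib
import os
import re
import secrets
import string

# Hash-scheme markers written by Apache's htpasswd(1), strongest first.
SCHEMES = [
    ("bcrypt",    re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$")),              # htpasswd -B
    ("apr1-md5",  re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),  # htpasswd -m
    ("sha1",      re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),                      # htpasswd -s (unsalted)
    ("crypt-des", re.compile(r"^[./A-Za-z0-9]{13}$")),                               # htpasswd -d (8-char limit)
]
# Unsalted SHA1 and DES crypt are cheap to brute force; anything unrecognised is flagged too.
WEAK_SCHEMES = {"sha1", "crypt-des", "unknown"}
MIN_PASSWORD_LEN = 9

# Constructed sample file, not taken from any real site. Only carol's hash is real
# (it is {SHA} of "password"); alice's and bob's are well-formed but arbitrary.
SAMPLE_HTPASSWD = """\
alice:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
bob:$apr1$deadbeef$aBcDeFgHiJkLmNoPqRsTuV
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:abJnggxhB/yWI
"""


def classify_hash(field: str) -> str:
    """Return the scheme name for one htpasswd hash field, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.match(field):
            return name
    return "unknown"


def audit_htpasswd(text: str) -> list:
    """One dict per entry: user, scheme, and whether the scheme is considered weak."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        scheme = classify_hash(hashed)
        entries.append({"user": user, "scheme": scheme, "weak": scheme in WEAK_SCHEMES})
    return entries


def sha_field(password: str) -> str:
    """The {SHA} field htpasswd -s writes: base64 of the raw SHA1 digest, no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def matches_known_pairs(text: str, known_pairs) -> list:
    """Replay the attack described in the thread: take the usernames from the file
    and test each against a list of previously cracked (user, password) pairs.
    Only {SHA} entries can be checked here; bcrypt/apr1 need their own libraries."""
    by_user = {}
    for raw in text.splitlines():
        user, _, hashed = raw.strip().partition(":")
        if user:
            by_user[user] = hashed
    hits = []
    for user, password in known_pairs:
        hashed = by_user.get(user)
        if hashed and hashed.startswith("{SHA}") and hashed == sha_field(password):
            hits.append(user)
    return hits


def is_outside_docroot(htpasswd_path: str, docroot: str) -> bool:
    """True when the htpasswd file does not live under the web server's document root."""
    h = os.path.abspath(htpasswd_path)
    d = os.path.abspath(docroot)
    return os.path.commonpath([h, d]) != d


def generate_credentials(user_len: int = 8, pw_len: int = 12):
    """Random username/password pair. Usernames use lowercase and digits only (':'
    delimits htpasswd fields); passwords use letters, digits and a few safe symbols."""
    if pw_len < MIN_PASSWORD_LEN:
        raise ValueError("password length below the %d-character minimum" % MIN_PASSWORD_LEN)
    user = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(user_len))
    pw_alphabet = string.ascii_letters + string.digits + "!#%+-=?@_"
    password = "".join(secrets.choice(pw_alphabet) for _ in range(pw_len))
    return user, password


if __name__ == "__main__":
    # Hypothetical paths for illustration only.
    for entry in audit_htpasswd(SAMPLE_HTPASSWD):
        print("%-8s %-10s %s" % (entry["user"], entry["scheme"], "WEAK" if entry["weak"] else "ok"))
    print("hits from cracked list:", matches_known_pairs(SAMPLE_HTPASSWD, [("carol", "password")]))
    print("outside docroot:", is_outside_docroot("/home/site/private/.htpasswd", "/home/site/public_html"))
    print("replacement credentials:", generate_credentials())
```

Run it against the real file with `audit_htpasswd(open(path).read())` and the real `DocumentRoot`; entries reported as `sha1` or `crypt-des` should be regenerated with `htpasswd -B` (bcrypt, Apache 2.4.4 and later) or at least `-m`. A file under the document root is normally shielded only by Apache's default rule that denies direct requests for names starting with `.ht`, which does nothing against a script on the same site that reads arbitrary files, which is exactly the exposure the quoted post describes.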