Old 03-24-2011, 10:34 AM   #51
JFK, FUBAR the ORIGINATOR. Join Date: Jan 2002. Location: FUBARLAND. Posts: 67,374
Fitty expired logins
Old 03-24-2011, 10:37 AM   #52
VGeorgie, Confirmed User. Join Date: Nov 2008. Posts: 359
Quote:
Originally Posted by PornoMonster
Back in the old days, hackers would hack the ccbill file. I thought this was taken care of, but yes, I used to find my entire user/pass lists on boards.

NO it was not my server hacked, I did extensive research on how people would crack the ccbill files. I have not heard about it in a long time, so I figured it was over.
What they did was find the CCBill log file, which contained usernames but no passwords. They'd then compare those usernames against a list of previously cracked u/p pairs, for a more effective brute force attack. This shouldn't be happening now if your site was set up properly.

Hackers can still get your htpasswd file, which can be located anywhere. It's important that it is located above the document root, and that you have no scripts running anywhere on your site that can return arbitrary files. Best to put the htpasswd file in an unusual location, and name it something unique. Consider using a stronger encryption on your htpasswd file, and requiring customers to use passwords at least nine characters long (or provide them random usernames and passwords - but not the insanely unusable ones CCBill offers; use the passgen utility that Strongbox offers).

If you get confirmation emails be sure your email is secure. If your email account has been hacked they can look at all the confirmations, which by default have the username and password in them.

Last edited by VGeorgie; 03-24-2011 at 10:39 AM..
Old 03-24-2011, 10:38 AM   #53
carzygirls, So Fucking Banned. Join Date: Oct 2010. Posts: 857
This is what everyone should be doing. Create your own database and don't rely on CCBill's member file. Automatically terminate your members' accounts on expiration and only renew them if CCBill writes to file with successful rebills.

The problem is not just overhauling your membership file each month, but it TOTALLY creates an inconvenience if you use any other billers, which, of course, you should be.
Old 03-24-2011, 10:44 AM   #54
dgraves, Confirmed User. Join Date: Nov 2005. Location: Scottsdale. Posts: 2,283
Make sure your .htpasswd file permission is set to 666.

I was having the exact same issue and each month I would have at least 50 extra members in my htpasswd file. It's hard to sell memberships when they're free...

At the beginning of each month I ask for a new htpasswd file and compare it to what's on my server.

Last edited by dgraves; 03-24-2011 at 10:45 AM..
Old 03-24-2011, 10:51 AM   #55
carzygirls, So Fucking Banned. Join Date: Oct 2010. Posts: 857
Quote:
Originally Posted by dgraves
Make sure your .htpasswd file permission is set to 666.

I was having the exact same issue and each month I would have at least 50 extra members in my htpasswd file. It's hard to sell memberships when they're free...

At the beginning of each month I ask for a new htpasswd file and compare it to what's on my server.
I also had this problem. The issue went on for months before it was caught. Of course it lowers sales... the people that paid for the site are the ones who will pay again. It is an issue of financially gargantuan losses.
Old 03-24-2011, 10:57 AM   #56
SwirlsGirl, So Fucking Banned. Join Date: Feb 2006. Location: between east coast and vegas. Posts: 2,067
Quote:
Originally Posted by VGeorgie
What they did was find the CCBill log file, which contained usernames but no passwords. They'd then compare those usernames against a list of previously cracked u/p pairs, for a more effective brute force attack. This shouldn't be happening now if your site was set up properly.

Hackers can still get your htpasswd file, which can be located anywhere. It's important that it is located above the document root, and that you have no scripts running anywhere on your site that can return arbitrary files. Best to put the htpasswd file in an unusual location, and name it something unique. Consider using a stronger encryption on your htpasswd file, and requiring customers to use passwords at least nine characters long (or provide them random usernames and passwords - but not the insanely unusable ones CCBill offers; use the passgen utility that Strongbox offers).

If you get confirmation emails be sure your email is secure. If your email account has been hacked they can look at all the confirmations, which by default have the username and password in them.
Hey, I am still learning something new every day.... Regarding the htpasswd file, I was always under the impression it belonged somewhere in the ccbill folder or directory.

Today after reading this thread I discovered that the htpasswd file is located inside of the members area? Would you consider this a standard/secure place for the file to be located?

Seems like it's been there for almost a year now. Hope it's not a dumb question.
Old 03-24-2011, 11:40 AM   #57
VGeorgie, Confirmed User. Join Date: Nov 2008. Posts: 359
Quote:
Originally Posted by SwirlsGirl
Today after reading this thread I discovered that the htpasswd file is located inside of the members area? Would you consider this a standard/secure place for the file to be located?
Your .htaccess file, to control access to that directory, is in your members area. The .htpasswd file, which contains the username:password pairs, as a precaution belongs outside any place where the Web server can get to it. For example:

Code:
mysite.com
  protected_files
     .htpasswd
  public_html
     members
        .htaccess
Scripts can manage files outside the document root, but Apache (or other Web server software) can't serve files from there. It can only directly access files under public_html.

You have to make sure you have no badly written scripts that can serve up arbitrary files. For example, having some PHP script in a page that can display just any file on your server is a bad thing. Some poorly written Pic-Of-The-Week scripts were like this.

Last edited by VGeorgie; 03-24-2011 at 11:41 AM..
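A check for the placement rule in the post above, written as an added example that is not from the thread, from CCBill or from any poster: it reads the AuthUserFile path out of a members-area .htaccess and confirms that the path is not under the document root. The DOCUMENT_ROOT value, the two .htaccess texts and all paths are constructed to mirror the directory tree in the post.

```python
"""Check that the .htpasswd named by a members-area .htaccess lives outside
the document root (added example; paths and contents are constructed)."""
import os
import re

# Assumed layout, mirroring the tree in the post: public_html is the
# DocumentRoot and protected_files sits beside it, not under it.
DOCUMENT_ROOT = "/home/mysite/public_html"

# Constructed .htaccess contents: the first points outside the document
# root, the second leaves the password file where the web server (or any
# script that can return arbitrary files) could reach it.
GOOD_HTACCESS = """\
AuthType Basic
AuthName "Members"
AuthUserFile /home/mysite/protected_files/.htpasswd
Require valid-user
"""
BAD_HTACCESS = """\
AuthType Basic
AuthName "Members"
AuthUserFile "/home/mysite/public_html/members/.htpasswd"
Require valid-user
"""

_AUTHFILE_RE = re.compile(r'^\s*AuthUserFile\s+"?(.+?)"?\s*$', re.I | re.M)

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path named in the .htaccess text, or None."""
    m = _AUTHFILE_RE.search(htaccess_text)
    return m.group(1) if m else None

def is_under_docroot(path, docroot=DOCUMENT_ROOT):
    """True if an absolute path normalises to somewhere under docroot.
    Uses commonpath, so /home/mysite/public_html_old is correctly outside
    /home/mysite/public_html and a '..' segment cannot hide the location."""
    path, docroot = os.path.normpath(path), os.path.normpath(docroot)
    return os.path.commonpath([path, docroot]) == docroot

def htpasswd_placement_ok(htaccess_text, docroot=DOCUMENT_ROOT):
    """True only when .htaccess names an absolute password-file path that is
    outside the document root. Relative AuthUserFile paths resolve against
    Apache's ServerRoot, so they are reported as not OK rather than guessed."""
    path = auth_user_file(htaccess_text)
    if path is None or not os.path.isabs(path):
        return False
    return not is_under_docroot(path, docroot)
```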
Old 03-24-2011, 11:47 AM   #58
SwirlsGirl, So Fucking Banned. Join Date: Feb 2006. Location: between east coast and vegas. Posts: 2,067
Quote:
Originally Posted by VGeorgie
Your .htaccess file, to control access to that directory, is in your members area. The .htpasswd file, which contains the username:password pairs, as a precaution belongs outside any place where the Web server can get to it. For example:

Code:
mysite.com
  protected_files
     .htpasswd
  public_html
     members
        .htaccess
Scripts can manage files outside the document root, but Apache (or other Web server software) can't serve files from there. It can only directly access files under public_html.

You have to make sure you have no badly written scripts that can serve up arbitrary files. For example, having some PHP script in a page that can display just any file on your server is a bad thing. Some poorly written Pic-Of-The-Week scripts were like this.
I see the difference now, thanks for the clarity.
Old 03-24-2011, 11:53 AM   #59
EDepth, Confirmed User. Join Date: Nov 2005. Location: Seattle, WA. Posts: 510
You should take a peek at your ccbill log file that the cgi file writes to. If there is a REMOVE log entry for a username that is still in your htpasswd file then something is wrong with your cgi file / server settings. If there is no REMOVE entry for a username that expired, it could very well be a temporary routing issue where CCBill couldn't load the cgi file to remove the account. Have you had any server outages lately that could be related? But yeah, you should have your password files rebuilt every so often to make sure you are not giving away too many freebies.
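The two reconciliation checks described in this thread, EDepth's REMOVE-entry check above and dgraves's monthly comparison of the server's file against a fresh one from the biller, as one added example that is not from the thread, from CCBill or from any poster. The log layout "<date> <time> ADD|REMOVE <username>" is an assumption (the real CCBill log format is not shown here), as are the usernames and placeholder hashes; the regex is the one line to adapt to the real log.

```python
"""Reconcile the server's .htpasswd against the biller's ADD/REMOVE log and a
freshly issued copy (added example; log layout and all data are constructed)."""
import re
# Constructed server-side .htpasswd (hashes are placeholders).
SERVER_HTPASSWD = """\
alice:$apr1$placeholder1
bob:$apr1$placeholder2
carol:$apr1$placeholder3
dave:$apr1$placeholder4
"""
# Constructed fresh copy, as the biller would send it at the start of a month.
BILLER_HTPASSWD = """\
bob:$apr1$placeholder2
carol:$apr1$placeholder3
"""
# Constructed log in an ASSUMED "<date> <time> ADD|REMOVE <user>" layout.
CCBILL_LOG = """\
2011-03-01 02:10:11 ADD alice
2011-03-02 09:41:53 ADD dave
2011-03-10 04:00:02 REMOVE alice
2011-03-12 04:00:05 REMOVE carol
2011-03-15 11:22:33 ADD carol
"""
_LOG_RE = re.compile(r'^\S+ \S+ (ADD|REMOVE) (\S+)$')

def htpasswd_users(text):
    """Usernames from htpasswd text, skipping blank and comment lines."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}

def final_log_state(text):
    """Last action logged per user, so one who expired then re-joined is OK."""
    state = {}
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if m:
            state[m.group(2)] = m.group(1)
    return state

def reconcile(server_text, log_text, biller_text=None):
    """Logins still on the server that should be gone: logged_removed (a REMOVE
    was logged, so the remove script or server settings are failing) and
    missing_from_biller (no REMOVE logged, but the biller's fresh file lacks them)."""
    on_server = htpasswd_users(server_text)
    state = final_log_state(log_text)
    logged_removed = {u for u in on_server if state.get(u) == "REMOVE"}
    missing = on_server - htpasswd_users(biller_text) - logged_removed if biller_text is not None else set()
    return {"logged_removed": sorted(logged_removed),
            "missing_from_biller": sorted(missing)}
```

With the constructed data, alice is flagged because her REMOVE was logged but she is still on the server, and dave is flagged because the biller's fresh file no longer lists him although no REMOVE ever reached the log; carol expired and re-joined, so she is left alone.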