Paycom or NATS spamming our members?
Okay, I'm not here to start shit... but I'm tired of receiving emails from members saying they started receiving junk mail / spam just after signing up to our paysite.
We never used our members' email addresses. The only other parties collecting that information are the processor (Paycom in this case) and NATS (the software connected to our members' database information). This is the latest email received:

"I can't believe you would be so stupid as to sell/give my email address to spammers. That's just business suicide. We took out a one month membership last month and immediately started receiving spam to the dedicated email address I used when signing up. So there's NO OTHER WAY anyone else could have that address. Luckily, I can just filter it but you're a bunch of cocks for doing it all the same."

The email really is dedicated. It is something like: [email protected] So I have to believe it now. What the hell am I supposed to do?
Ohh ouch, that one is not good.
No chance for a hack somewhere to get that email list from your server?
Very interesting.
I have suspected this for some time now.
Quote:
I'd say this is the most likely answer. :2 cents:
Or your information has been compromised internally. Did they send details of the spam they are receiving?
Quote:
AlienQ invented suspecting
Quote:
This can be done by a tech I guess...
Is your postback directory / folder from your transactions secure/locked down?
WG
Quote:
Hopefully I will get an answer, but I'm not sure since he left the message via our member area messaging center and his membership expires tomorrow. The email provided is the [email protected] so I'm not sure he will check it out.
Quote:
Postback URL: http://your.paysite.com/signup/process_epoch.php which is not really protected... but I dunno, if it's that easy to hack that, why is NATS installing all their copies that way? I don't have a high-profile paysite in the first place. We have no affiliates, etc. I'm not sure the email info is going through the postback either. Epoch's DataPlus uses GRANT commands on the NATS database tables, but is limited by Epoch's IP range (208.236.105.%) and a unique username/password.
Quote:
I hope you can find a trace somewhere to get this sorted; it can cost a lot of members very quickly. :Oh crap Best of luck :)
Have had the exact same thing happen to me. 3 members with unique addresses have complained in the last 3 months. My MySQL db is not accessible via the net so I'm pretty certain it was a hack job. We limit outside writes to the database from Epoch via port forwarding on their IP range.
Something is well fishy and it would be nice to find out the who, how and why of this situation. Well, maybe not the why, but the who and how would be nice....
Quote:
My MySQL db is not accessible via the net so I'm pretty certain it was "NOT" a hack job.
OH OH I've heard of things like this going on. Not good.
Let us know when you get more info!
NATS uses Smarty and there are known exploits for Smarty.
Does your members area use any open source software? Or do any of your servers whose IP is allowed into the NATS database have any? Here is a scenario.... Open source forum/ticket/gallery software in the members area (or on any other server) with a known exploit. Maybe this exploit allows a hacker to upload code to your server; that code could allow a hacker to read every file on your system (along with anything else they might want to do), thus allowing them to find your DB settings. With those he can write his own script to read your entire database and print it out, email it, or otherwise return it to him. Said hacker then uses said database info to make money spamming your members. So next time you think it's NOT a hack job you might want to think again. Until you understand how hackers work and how they get in, move around, get what they want and get out, you can't rule them out. Doing so is just frankly silly. Don't be so secure in your superiority.
Furthermore, why would Paycom want to steal an email list from you? They already get 10-15% off the top; why risk a cash cow to start spamming?
Think a little harder people, it won't hurt you, I swear.
I never said it was specifically paycom OR NATS, but there is a likelihood that their systems in conjunction have a leak. It's not beyond the realm of possibility.
As I've already mentioned, my db server is not web accessible directly. It's ironic that your post implores us not to be secure in our superiority while it makes you come across as thinking you're superior in your thinking.
I am having the same problem but I can eliminate a few theories here.
I took the NATS join form off of my join page for a long time. So no user information such as email was passed from that page. Email was only collected by Epoch and posted back to NATS. I was still getting spam complaints. I changed servers and checked for any evidence of a hack and found nothing. I was still getting spam complaints. No open source in the members area. For a while my entire site was HTML only. Tour and members area were basic HTML. No software running it except for a few years ago when I started with NATS. I don't remember if this happened before I had NATS but I could be wrong. I would need to search through member emails to check. I can think of a few things that this might be. First, someone might be hacking into my NATS and getting the email addresses. It could be an employee from Epoch. Or it could be an employee from NATS. I disabled the NATS admin account. I am the only one with admin access in NATS now. It occurred to me that if it is an employee at NATS then the admin account they set up would be the easiest way in. I am not saying that this is what is happening but I am taking this precaution.
If you use NATS and your members are being spammed it is most likely one of two possibilities: your server has somehow been compromised and people are grabbing the info directly off your server, or someone has compromised an admin password to your system. There are of course other possibilities but these are the most likely scenarios.
You are not required to maintain an admin password for TMM to use. You are more than welcome to change this password to whatever you wish and grant us access only when it is needed upon your approval. Changing all admin passwords on a regular basis is a highly recommended security practice. Also, we have recently implemented remote security logging for admin accesses. You now have the ability to log all admin accesses, IP addresses, and actions to a local or remote server location. If you are interested in setting this up please submit a support ticket and we will be glad to assist you. This does not send any data to our servers; it can be set up to log directly to anywhere you like. Server and software security is an extremely important and complicated issue. We are always doing all we can to protect your data and ours.
Check the IP that has been logging in to the admin with the NATS username and password. (Click the small icon that looks like a clock on the admin resellers page next to the NATS admin user.)
We had a similar problem with that username and password being compromised.
Quote:
Admin Status: Fred Schank (US) [email protected] Username: naWKasoplJwA74 Password: unknown Log times: 67.19.188.250 - 2007-12-21 10:31:41 67.19.188.250 - 2007-12-21 04:31:28 67.19.188.250 - 2007-12-20 22:31:28 67.19.188.250 - 2007-12-20 19:35:26 67.19.188.250 - 2007-12-20 16:31:38 67.19.188.250 - 2007-12-20 10:31:38 67.19.188.250 - 2007-12-20 04:32:03 67.19.188.250 - 2007-12-19 22:31:38 67.19.188.250 - 2007-12-19 19:37:03 67.19.188.250 - 2007-12-19 16:32:12 67.19.188.250 - 2007-12-19 10:32:09 67.19.188.250 - 2007-12-19 04:32:08 67.19.188.250 - 2007-12-18 22:32:08 67.19.188.250 - 2007-12-18 18:49:51 67.19.188.250 - 2007-12-18 16:31:52 67.19.188.250 - 2007-12-18 10:31:52 69.94.70.187 - 2007-12-18 04:31:55 65.110.53.100 - 2007-12-17 18:46:41 65.110.53.100 - 2007-12-17 16:31:57 65.110.53.100 - 2007-12-17 10:31:58 65.110.53.100 - 2007-12-17 04:31:58 65.110.53.100 - 2007-12-16 18:47:47 65.110.53.100 - 2007-12-16 16:31:58 65.110.53.100 - 2007-12-16 10:31:57 65.110.53.100 - 2007-12-16 04:31:58 65.110.53.100 - 2007-12-15 22:31:58 65.110.53.100 - 2007-12-15 18:47:17 65.110.53.100 - 2007-12-15 16:27:13 65.110.53.100 - 2007-12-15 10:27:25 65.110.53.100 - 2007-12-15 04:27:14 65.110.53.100 - 2007-12-15 02:44:20 0.0.0.0 - 2007-12-14 04:32:04 0.0.0.0 - 2007-12-13 22:32:04 0.0.0.0 - 2007-12-13 18:45:36 0.0.0.0 - 2007-12-13 16:32:04 0.0.0.0 - 2007-12-13 10:32:05 0.0.0.0 - 2007-12-13 04:32:03 0.0.0.0 - 2007-12-12 22:32:04 0.0.0.0 - 2007-12-12 18:45:43 0.0.0.0 - 2007-12-12 16:31:57 0.0.0.0 - 2007-12-12 10:31:58 0.0.0.0 - 2007-12-12 04:31:57 0.0.0.0 - 2007-12-11 22:31:57 0.0.0.0 - 2007-12-11 18:44:32 0.0.0.0 - 2007-12-11 16:31:47 0.0.0.0 - 2007-12-11 10:31:47 0.0.0.0 - 2007-12-11 04:31:50 0.0.0.0 - 2007-12-10 22:31:59 0.0.0.0 - 2007-12-10 18:47:36 0.0.0.0 - 2007-12-10 16:31:35 0.0.0.0 - 2007-12-10 10:31:38 0.0.0.0 - 2007-12-10 04:31:35 0.0.0.0 - 2007-12-09 22:31:36 0.0.0.0 - 2007-12-09 18:43:34 0.0.0.0 - 2007-12-09 16:31:49 0.0.0.0 - 2007-12-09 10:31:41 0.0.0.0 - 2007-12-09 04:32:16 
0.0.0.0 - 2007-12-08 22:32:24 0.0.0.0 - 2007-12-08 18:43:42 0.0.0.0 - 2007-12-08 16:32:51 0.0.0.0 - 2007-12-08 10:32:41 0.0.0.0 - 2007-12-08 04:32:52 0.0.0.0 - 2007-12-07 22:32:39 0.0.0.0 - 2007-12-07 18:41:42 0.0.0.0 - 2007-12-07 16:32:41 0.0.0.0 - 2007-12-07 10:32:32 0.0.0.0 - 2007-12-07 04:32:43 0.0.0.0 - 2007-12-06 22:32:34 0.0.0.0 - 2007-12-06 18:46:03 0.0.0.0 - 2007-12-06 16:32:27 0.0.0.0 - 2007-12-06 10:32:42 0.0.0.0 - 2007-12-06 04:32:28 0.0.0.0 - 2007-12-05 22:32:25 0.0.0.0 - 2007-12-05 18:44:41 0.0.0.0 - 2007-12-05 16:32:56 0.0.0.0 - 2007-12-05 10:32:53 0.0.0.0 - 2007-12-05 04:32:38 0.0.0.0 - 2007-12-04 22:32:41 0.0.0.0 - 2007-12-04 18:43:25 0.0.0.0 - 2007-12-04 16:32:38 0.0.0.0 - 2007-12-04 10:32:31 0.0.0.0 - 2007-12-04 04:32:33 0.0.0.0 - 2007-12-03 22:32:31 0.0.0.0 - 2007-12-03 18:44:33 0.0.0.0 - 2007-12-03 16:32:31 0.0.0.0 - 2007-12-03 10:32:41 0.0.0.0 - 2007-12-03 04:32:29 0.0.0.0 - 2007-12-02 22:32:31 0.0.0.0 - 2007-12-02 18:50:51 0.0.0.0 - 2007-12-02 16:32:29 0.0.0.0 - 2007-12-02 10:32:28 0.0.0.0 - 2007-12-02 04:32:24 0.0.0.0 - 2007-12-01 22:32:32 0.0.0.0 - 2007-12-01 18:43:42 0.0.0.0 - 2007-12-01 16:32:40 0.0.0.0 - 2007-12-01 10:32:45 0.0.0.0 - 2007-12-01 04:32:38 0.0.0.0 - 2007-11-30 22:32:38 0.0.0.0 - 2007-11-30 18:39:27 0.0.0.0 - 2007-11-30 16:32:43 0.0.0.0 - 2007-11-30 10:32:42 0.0.0.0 - 2007-11-30 04:32:49 0.0.0.0 - 2007-11-29 22:32:45 0.0.0.0 - 2007-11-29 18:41:54 0.0.0.0 - 2007-11-29 16:51:43 0.0.0.0 - 2007-11-28 18:40:13 0.0.0.0 - 2007-11-27 18:38:00 0.0.0.0 - 2007-11-26 20:36:23 0.0.0.0 - 2007-11-26 18:37:42 67.84.12.95 - 2007-11-26 13:17:26 67.84.12.95 - 2007-11-26 12:22:43 67.84.12.95 - 2007-11-26 12:12:53

Every few hours like clockwork... I can tell you this account has been removed pretty quickly. I hope this resolves the situation. Thank you all for your support and answers. Happy Holidays!
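The admin-access log pasted above is what the earlier advice ("check the IP that has been logging in to the admin") asks you to read by eye: a login every six hours, source addresses that change or are recorded as 0.0.0.0. The script below is an added example, not NATS code and not from any poster in this thread; it parses the flattened `IP - YYYY-MM-DD HH:MM:SS` layout exactly as the log appears when pasted here and reports the indicators a reviewer would want flagged: a dominant repeating interval (a scripted cadence), the number of source-address changes, and entries whose source was not recorded. The sample entries are constructed for the example; apart from 0.0.0.0, which appears in the thread, the addresses are RFC 5737 documentation ranges standing in for real ones.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the flattened layout of the pasted NATS admin log.
# 203.0.113.7, 198.51.100.23 and 192.0.2.50 are documentation addresses.
SAMPLE_LOG = (
    "203.0.113.7 - 2007-12-21 10:31:41 203.0.113.7 - 2007-12-21 04:31:28 "
    "203.0.113.7 - 2007-12-20 22:31:28 203.0.113.7 - 2007-12-20 16:31:38 "
    "198.51.100.23 - 2007-12-20 10:31:38 198.51.100.23 - 2007-12-20 04:32:03 "
    "0.0.0.0 - 2007-12-19 22:31:38 0.0.0.0 - 2007-12-19 16:32:12 "
    "0.0.0.0 - 2007-12-19 10:32:09 0.0.0.0 - 2007-12-19 04:32:08 "
    "192.0.2.50 - 2007-12-10 13:17:26"
)

# One entry is "<dotted quad> - <date> <time>"; entries are only space-separated.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

# Address the log writes when it has no source to record (seen in the thread).
UNRECORDED_SOURCE = "0.0.0.0"


def parse_entries(text):
    """Return (ip, datetime) pairs in chronological (oldest first) order."""
    entries = [
        (ip, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        for ip, ts in ENTRY_RE.findall(text)
    ]
    entries.sort(key=lambda entry: entry[1])
    return entries


def login_intervals(entries):
    """Time between each consecutive pair of logins."""
    return [later[1] - earlier[1] for earlier, later in zip(entries, entries[1:])]


def analyze(entries, min_repeats=4, min_share=0.5):
    """Summarize indicators of automated or hijacked admin use.

    A cadence is reported as scripted when one interval (rounded to the hour)
    accounts for at least min_repeats gaps and at least min_share of all gaps.
    """
    gaps = login_intervals(entries)
    by_hour = Counter(round(gap.total_seconds() / 3600) for gap in gaps)
    top_hours, top_count = by_hour.most_common(1)[0] if by_hour else (None, 0)
    share = top_count / len(gaps) if gaps else 0.0
    ip_changes = sum(
        1 for earlier, later in zip(entries, entries[1:]) if earlier[0] != later[0]
    )
    return {
        "logins": len(entries),
        "distinct_ips": sorted({ip for ip, _ in entries}),
        "unlogged_source": sum(1 for ip, _ in entries if ip == UNRECORDED_SOURCE),
        "ip_changes": ip_changes,
        "dominant_interval_hours": top_hours,
        "dominant_interval_share": share,
        "scripted_cadence": top_count >= min_repeats and share >= min_share,
    }


if __name__ == "__main__":
    report = analyze(parse_entries(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real export, the `distinct_ips` list is what you compare with the addresses you and your vendor actually use; `scripted_cadence` combined with `ip_changes` is the pattern the thread describes, and `unlogged_source` tells you how much of the history the log cannot attribute at all.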
Quote:
Quote:
Code:
$variable = mysql_real_escape_string($variable);
Quote:
When I did test signups for some programs I used a unique email address for each and they sent me spam also. So this is real and not just isolated to your website. All signups I did were through NATS but I'm not sure exactly which processor was connected.
Any replies from them???
Quote:
Wow, not just compromised, but by the log times it seems whoever it was had written a script to log in every few hours to do whatever they did. Quite the operation. Any idea how the login was compromised? WG
Just looked at the log from
Fred Schank (US) [email protected] 67.19.188.250 - 2007-12-21 10:21:34 67.19.188.250 - 2007-12-21 04:21:30 67.19.188.250 - 2007-12-20 22:21:30 67.19.188.250 - 2007-12-20 18:00:47 67.19.188.250 - 2007-12-20 16:21:30 67.19.188.250 - 2007-12-20 10:21:30 67.19.188.250 - 2007-12-20 04:21:31 67.19.188.250 - 2007-12-19 22:21:30 67.19.188.250 - 2007-12-19 18:00:55

WTF. Just deleted it.
If you find unusual login activity please contact us by submitting a ticket. Thank you.
That IP resolves to
------------------------ rapidnetuk.com - mail only domain. www.slinky.co.uk SSL Certificate has expired. NameServer: NS1.THEPLANET.COM NameServer: NS2.THEPLANET.COM
Quote:
nauD44y59hP1lC Fred Schank (US) [email protected] 67.19.188.250 - 2007-12-21 10:03:39 67.19.188.250 - 2007-12-21 04:03:27 67.19.188.250 - 2007-12-20 22:03:23 67.19.188.250 - 2007-12-20 19:36:25 67.19.188.250 - 2007-12-20 16:03:37 67.19.188.250 - 2007-12-20 10:03:40 67.19.188.250 - 2007-12-20 04:04:06 67.19.188.250 - 2007-12-19 22:03:48 67.19.188.250 - 2007-12-19 19:38:29 67.19.188.250 - 2007-12-19 16:04:23 67.19.188.250 - 2007-12-19 10:04:24 67.19.188.250 - 2007-12-19 04:04:26 67.19.188.250 - 2007-12-18 22:04:30 67.19.188.250 - 2007-12-18 18:50:57 67.19.188.250 - 2007-12-18 16:04:28 67.19.188.250 - 2007-12-18 10:04:31 69.94.70.187 - 2007-12-18 04:04:37 65.110.53.100 - 2007-12-17 18:32:26 65.110.53.100 - 2007-12-17 16:04:56 65.110.53.100 - 2007-12-17 10:05:00 65.110.53.100 - 2007-12-17 04:05:03 65.110.53.100 - 2007-12-16 18:25:39 65.110.53.100 - 2007-12-16 16:05:05 65.110.53.100 - 2007-12-16 10:05:07 65.110.53.100 - 2007-12-16 04:05:11 65.110.53.100 - 2007-12-15 22:05:14 65.110.53.100 - 2007-12-15 18:25:23 65.110.53.100 - 2007-12-15 16:00:27 65.110.53.100 - 2007-12-15 10:01:01 65.110.53.100 - 2007-12-15 04:00:38 65.110.53.100 - 2007-12-15 02:26:05 0.0.0.0 - 2007-12-14 04:05:48 0.0.0.0 - 2007-12-13 22:05:51 0.0.0.0 - 2007-12-13 18:23:50 0.0.0.0 - 2007-12-13 16:05:44 0.0.0.0 - 2007-12-13 10:05:50 0.0.0.0 - 2007-12-13 04:05:51 0.0.0.0 - 2007-12-12 22:05:54 0.0.0.0 - 2007-12-12 18:36:51 0.0.0.0 - 2007-12-12 16:06:02 0.0.0.0 - 2007-12-12 10:06:06 0.0.0.0 - 2007-12-12 04:06:10 0.0.0.0 - 2007-12-11 22:06:13 0.0.0.0 - 2007-12-11 18:23:38 0.0.0.0 - 2007-12-11 16:05:55 0.0.0.0 - 2007-12-11 10:05:58 0.0.0.0 - 2007-12-11 04:06:13 0.0.0.0 - 2007-12-10 22:06:26 0.0.0.0 - 2007-12-10 18:29:17 0.0.0.0 - 2007-12-10 16:06:01 0.0.0.0 - 2007-12-10 10:06:11 0.0.0.0 - 2007-12-10 04:06:13 0.0.0.0 - 2007-12-09 22:06:18 0.0.0.0 - 2007-12-09 18:22:13 0.0.0.0 - 2007-12-09 16:06:28 0.0.0.0 - 2007-12-09 10:06:18 0.0.0.0 - 2007-12-09 04:07:04 0.0.0.0 - 2007-12-08 22:07:15 0.0.0.0 - 2007-12-08 
18:35:34 0.0.0.0 - 2007-12-08 16:07:34 0.0.0.0 - 2007-12-08 10:07:36 0.0.0.0 - 2007-12-08 04:07:35 0.0.0.0 - 2007-12-07 22:07:34 0.0.0.0 - 2007-12-07 18:41:05 0.0.0.0 - 2007-12-07 16:08:25 0.0.0.0 - 2007-12-07 10:08:23 0.0.0.0 - 2007-12-07 04:08:02 0.0.0.0 - 2007-12-06 22:08:07 0.0.0.0 - 2007-12-06 18:26:06 0.0.0.0 - 2007-12-06 16:07:51 0.0.0.0 - 2007-12-06 10:08:12 0.0.0.0 - 2007-12-06 04:08:16 0.0.0.0 - 2007-12-05 22:08:05 0.0.0.0 - 2007-12-05 18:28:41 0.0.0.0 - 2007-12-05 16:08:59 0.0.0.0 - 2007-12-05 10:08:55 0.0.0.0 - 2007-12-05 04:08:30 0.0.0.0 - 2007-12-04 22:08:57 0.0.0.0 - 2007-12-04 18:25:06 0.0.0.0 - 2007-12-04 16:09:01 0.0.0.0 - 2007-12-04 10:08:59 0.0.0.0 - 2007-12-04 04:09:01 0.0.0.0 - 2007-12-03 22:08:54 0.0.0.0 - 2007-12-03 18:27:43 0.0.0.0 - 2007-12-03 16:08:51 0.0.0.0 - 2007-12-03 10:09:16 0.0.0.0 - 2007-12-03 04:08:48 0.0.0.0 - 2007-12-02 22:08:55 0.0.0.0 - 2007-12-02 18:31:27 0.0.0.0 - 2007-12-02 16:08:55 0.0.0.0 - 2007-12-02 10:09:06 0.0.0.0 - 2007-12-02 04:08:59 0.0.0.0 - 2007-12-01 22:09:10 0.0.0.0 - 2007-12-01 18:24:36 0.0.0.0 - 2007-12-01 16:09:24 0.0.0.0 - 2007-12-01 10:09:31 0.0.0.0 - 2007-12-01 04:09:23 0.0.0.0 - 2007-11-30 22:09:27 0.0.0.0 - 2007-11-30 18:21:16 0.0.0.0 - 2007-11-30 16:09:43 0.0.0.0 - 2007-11-30 04:09:46 0.0.0.0 - 2007-11-29 22:09:51 0.0.0.0 - 2007-11-29 18:25:45 0.0.0.0 - 2007-11-29 16:28:33 0.0.0.0 - 2007-11-28 18:21:25 0.0.0.0 - 2007-11-27 16:53:24 0.0.0.0 - 2007-11-26 18:47:14 0.0.0.0 - 2007-11-26 16:53:22 0.0.0.0 - 2007-11-25 16:55:49 0.0.0.0 - 2007-11-25 14:43:40 0.0.0.0 - 2007-11-25 08:43:35 0.0.0.0 - 2007-11-25 02:43:30 0.0.0.0 - 2007-11-24 20:43:50 0.0.0.0 - 2007-11-24 16:55:06 0.0.0.0 - 2007-11-24 14:43:50 0.0.0.0 - 2007-11-24 08:43:50 0.0.0.0 - 2007-11-24 02:44:07 0.0.0.0 - 2007-11-23 20:43:56 0.0.0.0 - 2007-11-23 16:54:33 0.0.0.0 - 2007-11-23 14:44:07 0.0.0.0 - 2007-11-23 08:44:08 0.0.0.0 - 2007-11-22 16:56:39 0.0.0.0 - 2007-11-22 16:26:58 0.0.0.0 - 2007-11-22 04:32:10 0.0.0.0 - 2007-11-21 22:32:14 0.0.0.0 - 
2007-11-21 18:21:13 0.0.0.0 - 2007-11-21 17:04:28 0.0.0.0 - 2007-11-20 16:55:38 0.0.0.0 - 2007-11-19 16:56:14 0.0.0.0 - 2007-11-18 16:53:57 0.0.0.0 - 2007-11-17 17:01:50 0.0.0.0 - 2007-11-17 13:29:47 0.0.0.0 - 2007-11-16 16:52:08 0.0.0.0 - 2007-11-15 16:56:51 0.0.0.0 - 2007-11-15 09:18:32 0.0.0.0 - 2007-11-15 06:57:29 0.0.0.0 - 2007-11-14 16:57:28 0.0.0.0 - 2007-11-13 16:59:12 0.0.0.0 - 2007-11-13 15:44:09 0.0.0.0 - 2007-11-12 17:00:58 0.0.0.0 - 2007-11-12 15:24:32 0.0.0.0 - 2007-11-12 05:31:30
Holy shit, there's 3 programs affected so far :(
Quote:
John, a pattern is apparent here. Why ask us each to contact you via support when the onus should be on TMM to contact us personally to make us aware and tell us what you intend to do about it?
Um..........................
This has been posted before?? http://www.gfy.com/showthread.php?t=671565 http://www.gfy.com/showthread.php?t=779594 There's a post on ADX too about the same issue. John, have you mass emailed your installs about this? This isn't new!
Quote:
There are approx. 400 - 500 NATS installs. Four are saying here they have had an issue and I would bet there are more being exploited by whoever this criminal is. It certainly does not mean every system has an issue. We are asking those who find an issue to contact us and deal directly with us. I am not going to go through and dissect a security issue here on GFY.
Quote:
I just decided not to name some sponsors I got spam from because I cannot verify (with hard evidence) that it's not the sponsors themselves spamming.
Makes you wonder what's really going on.
Quote:
Exploit or inside job? Someone has to be familiar with the NATS system to exploit it that way.
I just found another post about the same thing on JBM from Oct 07
Quote:
Actually, it was more of a jesting remark with a touch of irony.
Quote:
Geez, someone's on the defensive.
Quote:
It's not being defensive. I don't appreciate people implying things, with a question mark or without, which they have no solid reason to believe are true.
Wow! Do we know how they got the user and pass to the admin?
Quote:
There's a couple of scums here that hack affiliate databases for information. It's well known who a few of them are.
Quote:
John - Have you been alerted to this exploit in the past? It's been posted before here and on other boards. If you were aware, have you alerted your clients to sweep? This isn't about NATS / Paycom / MPA / CCBill etc. This is a serious exploit that is affecting people's businesses. If a member gets spammed to all hell from a site he just joined... the trust between service and customer is gone. That member will not rebill nor return ever. :2 cents:
Quote:
There will always be various security issues with all software, as well as issues with clients' servers. Due to the install rate of NATS being far beyond any other affiliate software in this industry, you are much more likely to hear about our issues than others'.