Exactly. Discussing the details of a security issues and the actions taken on it in a public forum, especially one with the member base we have here, is absurd.

who are they? names dammit!

Well, I do see some from time to time and yes, I even feel angry for you. I respect you guys (TMM) and NATS is simply an amazing piece of software that I only wish I could develop or even help develop. From one programmer to another, kudos for NATS. :thumbsup

So you have taken action and not alerted your clients? 4 of them have posted in this thread and if it wasn't for Christian stepping up, no one would know where to look. What does this have to do with how many installs your have for christ sake.

Idea - Why don't you step back from GFY - Type out a mass email to your clients right now and send it so they are aware of the exploit. :upsidedow

This is blowing me away sigh

Thank you, I appreciate that. And I may seem to take things personally at times, but that is only because I take the quality of our products, as well as the success of our client's business and the protection of their livelihood very personally.

Again, you don't know what actions we may or may have not taken. What we have do is based on the info we gather when something occurs.

I know you are also only trying to help here. An email will be going out shortly. Jumping the gun and misinforming people is a bad thing also.

Completely understandable. No need to further explain yourself. Back to business! :winkwink:

I'm not asking you to make public what you want to do or even asking you to use this thread as a launchpad for alerting people to the issue. This is exactly why I suggested you email ALL your clients, myself included, and don't expect us to contact you.

This is a serious issue and one that needs to be handled expeditiously and I for one want to know how this happened and why it happened. This isn't a chance exploit of an admin account. The person knew enough to gain access to the NATS specific admin account and has done so on numerous installs that I currently know of. Based on this fact alone, you cannot blame any of us for thinking that it may perhaps have not been a security exploit but rather a leaked password.

Asking those who find an issue to contact you is kind of silly since it is now safe to assume that anyone who has not disabled the NATS account has been compromised or will be compromised in due course.

...

Mine is too long to post ...

But to give you a slight idea:

67.19.188.250 - 2007-12-21 14:37:29
67.19.188.250 - 2007-12-21 08:37:51
67.19.188.250 - 2007-12-21 02:37:33
67.19.188.250 - 2007-12-20 20:37:28
67.19.188.250 - 2007-12-20 18:10:30
67.19.188.250 - 2007-12-20 14:37:38
67.19.188.250 - 2007-12-20 08:37:39
67.19.188.250 - 2007-12-20 02:38:03
67.19.188.250 - 2007-12-19 20:37:39
67.19.188.250 - 2007-12-19 18:12:43
67.19.188.250 - 2007-12-19 14:38:13
67.19.188.250 - 2007-12-19 08:38:12
67.19.188.250 - 2007-12-19 02:38:08
67.19.188.250 - 2007-12-18 20:38:10
67.19.188.250 - 2007-12-18 17:24:26
67.84.12.95 - 2007-12-18 15:02:06
67.19.188.250 - 2007-12-18 14:38:05
67.19.188.250 - 2007-12-18 08:38:06
69.94.70.187 - 2007-12-18 02:38:04
65.110.53.100 - 2007-12-17 17:05:59
65.110.53.100 - 2007-12-17 14:38:18
65.110.53.100 - 2007-12-17 08:38:19
65.110.53.100 - 2007-12-17 02:38:19
65.110.53.100 - 2007-12-16 17:00:41
65.110.53.100 - 2007-12-16 14:38:14
65.110.53.100 - 2007-12-16 08:38:13
65.110.53.100 - 2007-12-16 02:38:14
65.110.53.100 - 2007-12-15 20:38:13
65.110.53.100 - 2007-12-15 16:59:57
65.110.53.100 - 2007-12-15 14:33:23
65.110.53.100 - 2007-12-15 08:33:53
65.110.53.100 - 2007-12-15 02:33:27
65.110.53.100 - 2007-12-15 01:00:16
0.0.0.0 - 2007-12-14 02:38:23
0.0.0.0 - 2007-12-13 20:38:25
0.0.0.0 - 2007-12-13 16:57:41
0.0.0.0 - 2007-12-13 14:38:13
0.0.0.0 - 2007-12-13 08:38:14
0.0.0.0 - 2007-12-13 02:38:12
0.0.0.0 - 2007-12-12 20:38:14
0.0.0.0 - 2007-12-12 17:11:35
0.0.0.0 - 2007-12-12 14:38:18
0.0.0.0 - 2007-12-12 08:38:18
0.0.0.0 - 2007-12-12 02:38:18
0.0.0.0 - 2007-12-11 20:38:18
0.0.0.0 - 2007-12-11 16:57:08
0.0.0.0 - 2007-12-11 14:37:58
67.84.12.95 - 2007-12-11 13:01:47
67.84.12.95 - 2007-12-11 10:26:32
0.0.0.0 - 2007-12-11 08:37:58

This happend to our 2 nats installs a few months ago, I was told to change my password, such I did. Well it happended again this week with a new IP logging in to my admin, I notified nats and was told to change the password again. I have blocked any and all IP's on the server level except mine from accessing the admin now, as there is ovisuouly a person able to get these passwords easily and steal any and all data anything they want.

No blame, just the facts. I suggest everyone have there admins do the same.

I am not going to do this on a public forum. You are more than welcome to contact us to discuss. As I have a said, we will be sending an email out.

This is what we are going to be recommending to everyone today.

I feel it is not in anyone's best interest to discuss this in public. If anyone would like more details you are welcome to contact us.

what the sweet fuck is going on then? Ive been with NATS years and I would like to auto assume our data is just that, ours! We also have to abide by our UK data protection laws which if in this case was broken outside our control.

John whats going on??

do what on a public forum? I didn't ask you to do anything besides contact me.

...

My install is also showing the NATS user as having been logging in often. I'm not aware of any reason why anybody from nats would be logging in without my knowledge.

Account deleted and ticket submitted to NATS.

I'll be following this thread closely.

ive noticed last login on ours at - 12/21/07 16:32:16 John explain why you as a company with you as its head needed to login to my install today, was something wrong with it?

John all I have to say to that is THANK GOD IT CAME OUT IN PUBLIC TODAY. Cuz now your going to do something about it and alert your clients.

Lots of my allys use NATS and I have alerted them to this thread so they can sweep their sites asap. These are my friends man - I'm doing my part in protecting them the best I can. Please do yours and send that email now before everyone goes away for the holidays. It's already 2:00 on the west coast, 5 on the east.

Just because it was our account does not mean it was us who logged into your system. Please check the IP that login came from.

The following email is going out to all NATS clients now:

John - can I remove the user?

Woop, mass NATS email:
Dear NATS Client,

We have become aware of a security issue involving a few of our clients and would like to take this opportunity to aid you in
improving the security of your NATS install. There are a number of ways that you can strengthen the security of your NATS
install:

1. It is recommended that you IP restrict access to your NATS admin area through the NATS configuration. To set this up, you
can place a comma separated list of IP addresses that you wish to allow access to your NATS admin in the ADMIN_IPS field in
your configuration admin.

2. We have recently added a new feature that gives you the ability to have all requests to your admin area of NATS posted to a
URL of your choice. These posts will include the IP and loginid of the user that is accessing any admin page. This will allow
you to closely monitor all admin accesses to your install. Please put in a support ticket if you wish to be updated with this
feature.

To be as secure as possible we will be initiating a password change for the TMM admin accounts on all NATS installs on which we
have the ability to and we will no longer be storing these passwords at all. We have done this in the past with server access
passwords and feel the best way to be as secure as possible is to extend this practice to admin logins also. This will of
course cause us to need to contact you to grant access when we must perform anything on your install.
If you have any questions or require any assistance in setting up or changing your NATS configurations or passwords please post
a ticket in our support system.

Thank you,
Too Much Media

:thumbsup:thumbsup:thumbsup:thumbsup

you are correct, the ip i got was a UK coming from a server on theplanet, the whois i got is http://www.whois.net/whois_new.cgi?d=Rapidnetuk&tld=com anyone else get the same?

was it an ex NATS employee?

it looks and smells like an inside job to me everyones got the same ips showing up, no chance this is a random event!

Had the same...I was on my own paysite as member to check if mails would come in etc. Within a few days I received spam!

It really sucks hard, and I'm sure many sites are affected. The one who made the script, knows exactly what he/she did, and I'm sure he//she is making a LOT of money with those emails.

And I understand NATS doesn't want to discuss it on a public forum. But an email to customers would be welcome(which is send now)

I am just curious of this was not posted if it would have arrived that fast too...

67.19.188.250 - 2007-12-21 16:02:46
17 times...

rapidnetuk.com
Country United States
State/Region TX
City Dallas
Postal Code 75207
Latitude 32.7825
Longitude -96.8207
Area Code 214

69.94.70.187 - 2007-12-18 04:03:39
1 time...

65.110.53.100 - 2007-12-17 18:14:40
14 times...

Country Greece

0.0.0.0 - 2007-12-14 04:04:20
about 30 times up to Dec. 1st.

Account Deleted.

No accusations, just want to get my info out there to try and help remedy the situation.

this issue is more than emails, whoever is behind it has had access to sales data members details, ive been having a run of passwords blocked by proxy pass or having more than 3 country IP's these pass's were for rock solid affiliates etc kinda makes sense now someone been using other data as well, this really sucks!

What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.

looks serious

If they have an admin user and pass the would have full access to EVERYTHING you have access to, think about it... Not good.

I am not sure how NATS works from the inside. If they have admin access, do they also have access to affiliate info as well?

Exactly and how many sponsors are we talking, how much info in total has been compromised?

Yes, you can of course.

We have nothing that leads us to believe that. Everything indicates that it is an outside person who has accessed passwords somehow. There are a number of ways some of these passwords may have been compromised including but not limited to them getting the admin password by accessing a client's server and taking it from the DB. Passwords in NATS3 are 2 way encrypted. This is changed to 1 way encryption in NATS4 and we are also going to be putting out a patch for NATS3 which changes this to one way encryption.

additional info... not sure how important it is:

Joined
Last Login
12/21/07 17:03:59
12/21/07 16:02:46

I've had nats since about July... but the user naqIPksxjBioBI who was admin since time of install says joined today. ???

It says it logged in today or it says it joined today? It would much better assist us and you to contact us and work with us on resolving the issue rather than just posting all of the info you find here. The person doing these things may very well monitor here.

Oh I know, that's why I'm surprised people are only going off about the emails.

Think of all the other info they had access to ...

it says they logged in and joined today.

i will be submitting a ticket now. thanks for the help and attention in this matter.

They would have access to that, yes.

Thank you. We are doing a mass change of any password our guys have, but I believe that should not affect the join date. I appreciate your help on this.

With this post and the people I have spoken with personally, its about 10 to 15 confirmed. But ya have to think it many more, if its that easy. After everything is changed and locked down on the server level, there wont be any, easy fix.

This is not new as of today justsexxx as I've found out from current nats clients this has effected in the past. But NATS did finally alert every single one of their clients to this issue on 12/21/07 - Merry Xmas

The ICQ's I have been getting all day are fucking unreal as to who knew about the exploit as it effected them as far back as a YEAR. This has been going on for a long time to lots of programs and I am totally disgusted right now.

Take it a step further - The programs benefiting from these lists being used/mailed promoting their products :disgust Anyone here feeling fucking violated?

John again thank you for your support and getting that email out. I'm still shaking my head as to why it took you so long. You've know about this for a long time there is 100% no question about that. But at least you did it and now people are aware and can lock down to stop this shit.

Instead of covering this issue up you now look like a hero just from that one email. Go figure

yeh ive just swapped all details on current admins and disabled the nats admin, ill look over their other info to secure it.

Showing they joined today as well.........

What we have found in the past lead us to believe it was not widespread and that we could prevent it via doing what we did. I think we prevented a lot of it and I do not believe it as far wide spread as some people here seem to enjoy making it out to be. As we have now seen the issue pop up again we have taken even further action against any problems continuing.

Nothing is going to prevent this from happening 100% in the future. The average server security in this industry is horrible. And many people with very bad security insist they know everything about it and are 100% secure. We have assisted a number of clients privately in helping them secure their servers which they claimed were bullet proof.

Unfortunately we are dealing with criminals here. They will continue to hack servers, be they NATS clients, clients of other software, or whatever. If NATS could magically prevent people's servers from being compromised I would be a very retired man.

Please submit a ticket also so we can have our guys get a good look. This is making me worry someone is somehow injecting these. Our code is routinely audited for SQL injections however that doesn't guarantee there are other ways to do it, or that someone is doing it directly to your MySQL server or in some other way. Please get a ticket submitted so we can take a look.

According to Fred in v3 the Join Date you are being shown is the date the account info was last modified and it is the password update that is causing the dates to be showing as today.

through your username/password, you mean. you couldnt call up your clients, one at a time and ask them to change the pw and upgrade their security?

Those who we had an indication had a problem were notified. And we changed all passwords.

It is my belief that someone is accessing the server that NATS is on and retrieving the admin password directly from the server. Then using that password in whatever script they have to login as it is less obvious than them accessing your box directly on a regular basis.

We are however changing our policy to no longer keep any NATS admin passwords as we have done with SSH info in the past to be sure it is not something on our end.