I am not imputing blame or guilt, just raising a question.

Actually, it was more of a jesting remark with a touch of irony.

That wasn't an accusation at all. More of a comment/question.

Geez, someone's on the defensive.

Putting a question mark on the end of something does not remove it from being an accusation. This place is more and more mind boggling by the day.

Its not being defensive. I don't appreciate people implying things, with a question mark or without, which they have no solid reason to believe as true.

Wow! do we know how they got the user and pass to the admin?

theres a couple scums here that hack affiliate databases for information. its well known who a few of them are.

That's wrong to say its an inside job - No way in hell it is. But exploit yes.

John - Have you been alerted to this exploit in the past? It's been posted before here and on other boards. If you were aware, have you alerted your clients to sweep?

This isn't about nats / paycom / mpa / ccbill etc - This is a serious exploit that is effecting peoples business's. If a member get spammed to all hell from a site he just joined... The trust between service and customer is gone. That member will not rebill nor return ever. :2 cents:

Out um :thumbsup

I understand that you are upset by this and the reasons why you could be upset. But man it was a comment. Calm down.

Of course we have taken actions on things. I'm not going to discuss the details of which here in public. All it does is tip off those who are doing things to what is being done to combat those things. This is something that should be dealt with directly.

There will always be are various security issues with all softwares as well as issues with client's servers. Due to the install rate of NATS being far beyond any other affiliate software in this industry you are much more likely to hear about our issues than others.

If you heard the false rumors I hear about my company on a nearly daily basis you would understand why I get extremely frustrated when I see people start them.

Exactly. Discussing the details of a security issues and the actions taken on it in a public forum, especially one with the member base we have here, is absurd.

who are they? names dammit!

Well, I do see some from time to time and yes, I even feel angry for you. I respect you guys (TMM) and NATS is simply an amazing piece of software that I only wish I could develop or even help develop. From one programmer to another, kudos for NATS. :thumbsup

So you have taken action and not alerted your clients? 4 of them have posted in this thread and if it wasn't for Christian stepping up, no one would know where to look. What does this have to do with how many installs your have for christ sake.

Idea - Why don't you step back from GFY - Type out a mass email to your clients right now and send it so they are aware of the exploit. :upsidedow

This is blowing me away sigh

Thank you, I appreciate that. And I may seem to take things personally at times, but that is only because I take the quality of our products, as well as the success of our client's business and the protection of their livelihood very personally.

Again, you don't know what actions we may or may have not taken. What we have do is based on the info we gather when something occurs.

I know you are also only trying to help here. An email will be going out shortly. Jumping the gun and misinforming people is a bad thing also.

Completely understandable. No need to further explain yourself. Back to business! :winkwink:

I'm not asking you to make public what you want to do or even asking you to use this thread as a launchpad for alerting people to the issue. This is exactly why I suggested you email ALL your clients, myself included, and don't expect us to contact you.

This is a serious issue and one that needs to be handled expeditiously and I for one want to know how this happened and why it happened. This isn't a chance exploit of an admin account. The person knew enough to gain access to the NATS specific admin account and has done so on numerous installs that I currently know of. Based on this fact alone, you cannot blame any of us for thinking that it may perhaps have not been a security exploit but rather a leaked password.

Asking those who find an issue to contact you is kind of silly since it is now safe to assume that anyone who has not disabled the NATS account has been compromised or will be compromised in due course.

...

Mine is too long to post ...

But to give you a slight idea:

67.19.188.250 - 2007-12-21 14:37:29
67.19.188.250 - 2007-12-21 08:37:51
67.19.188.250 - 2007-12-21 02:37:33
67.19.188.250 - 2007-12-20 20:37:28
67.19.188.250 - 2007-12-20 18:10:30
67.19.188.250 - 2007-12-20 14:37:38
67.19.188.250 - 2007-12-20 08:37:39
67.19.188.250 - 2007-12-20 02:38:03
67.19.188.250 - 2007-12-19 20:37:39
67.19.188.250 - 2007-12-19 18:12:43
67.19.188.250 - 2007-12-19 14:38:13
67.19.188.250 - 2007-12-19 08:38:12
67.19.188.250 - 2007-12-19 02:38:08
67.19.188.250 - 2007-12-18 20:38:10
67.19.188.250 - 2007-12-18 17:24:26
67.84.12.95 - 2007-12-18 15:02:06
67.19.188.250 - 2007-12-18 14:38:05
67.19.188.250 - 2007-12-18 08:38:06
69.94.70.187 - 2007-12-18 02:38:04
65.110.53.100 - 2007-12-17 17:05:59
65.110.53.100 - 2007-12-17 14:38:18
65.110.53.100 - 2007-12-17 08:38:19
65.110.53.100 - 2007-12-17 02:38:19
65.110.53.100 - 2007-12-16 17:00:41
65.110.53.100 - 2007-12-16 14:38:14
65.110.53.100 - 2007-12-16 08:38:13
65.110.53.100 - 2007-12-16 02:38:14
65.110.53.100 - 2007-12-15 20:38:13
65.110.53.100 - 2007-12-15 16:59:57
65.110.53.100 - 2007-12-15 14:33:23
65.110.53.100 - 2007-12-15 08:33:53
65.110.53.100 - 2007-12-15 02:33:27
65.110.53.100 - 2007-12-15 01:00:16
0.0.0.0 - 2007-12-14 02:38:23
0.0.0.0 - 2007-12-13 20:38:25
0.0.0.0 - 2007-12-13 16:57:41
0.0.0.0 - 2007-12-13 14:38:13
0.0.0.0 - 2007-12-13 08:38:14
0.0.0.0 - 2007-12-13 02:38:12
0.0.0.0 - 2007-12-12 20:38:14
0.0.0.0 - 2007-12-12 17:11:35
0.0.0.0 - 2007-12-12 14:38:18
0.0.0.0 - 2007-12-12 08:38:18
0.0.0.0 - 2007-12-12 02:38:18
0.0.0.0 - 2007-12-11 20:38:18
0.0.0.0 - 2007-12-11 16:57:08
0.0.0.0 - 2007-12-11 14:37:58
67.84.12.95 - 2007-12-11 13:01:47
67.84.12.95 - 2007-12-11 10:26:32
0.0.0.0 - 2007-12-11 08:37:58

This happend to our 2 nats installs a few months ago, I was told to change my password, such I did. Well it happended again this week with a new IP logging in to my admin, I notified nats and was told to change the password again. I have blocked any and all IP's on the server level except mine from accessing the admin now, as there is ovisuouly a person able to get these passwords easily and steal any and all data anything they want.

No blame, just the facts. I suggest everyone have there admins do the same.

I am not going to do this on a public forum. You are more than welcome to contact us to discuss. As I have a said, we will be sending an email out.

This is what we are going to be recommending to everyone today.

I feel it is not in anyone's best interest to discuss this in public. If anyone would like more details you are welcome to contact us.

what the sweet fuck is going on then? Ive been with NATS years and I would like to auto assume our data is just that, ours! We also have to abide by our UK data protection laws which if in this case was broken outside our control.

John whats going on??

do what on a public forum? I didn't ask you to do anything besides contact me.

...

My install is also showing the NATS user as having been logging in often. I'm not aware of any reason why anybody from nats would be logging in without my knowledge.

Account deleted and ticket submitted to NATS.

I'll be following this thread closely.

ive noticed last login on ours at - 12/21/07 16:32:16 John explain why you as a company with you as its head needed to login to my install today, was something wrong with it?

John all I have to say to that is THANK GOD IT CAME OUT IN PUBLIC TODAY. Cuz now your going to do something about it and alert your clients.

Lots of my allys use NATS and I have alerted them to this thread so they can sweep their sites asap. These are my friends man - I'm doing my part in protecting them the best I can. Please do yours and send that email now before everyone goes away for the holidays. It's already 2:00 on the west coast, 5 on the east.

Just because it was our account does not mean it was us who logged into your system. Please check the IP that login came from.

The following email is going out to all NATS clients now:

John - can I remove the user?

Woop, mass NATS email:
Dear NATS Client,

We have become aware of a security issue involving a few of our clients and would like to take this opportunity to aid you in
improving the security of your NATS install. There are a number of ways that you can strengthen the security of your NATS
install:

1. It is recommended that you IP restrict access to your NATS admin area through the NATS configuration. To set this up, you
can place a comma separated list of IP addresses that you wish to allow access to your NATS admin in the ADMIN_IPS field in
your configuration admin.

2. We have recently added a new feature that gives you the ability to have all requests to your admin area of NATS posted to a
URL of your choice. These posts will include the IP and loginid of the user that is accessing any admin page. This will allow
you to closely monitor all admin accesses to your install. Please put in a support ticket if you wish to be updated with this
feature.

To be as secure as possible we will be initiating a password change for the TMM admin accounts on all NATS installs on which we
have the ability to and we will no longer be storing these passwords at all. We have done this in the past with server access
passwords and feel the best way to be as secure as possible is to extend this practice to admin logins also. This will of
course cause us to need to contact you to grant access when we must perform anything on your install.
If you have any questions or require any assistance in setting up or changing your NATS configurations or passwords please post
a ticket in our support system.

Thank you,
Too Much Media

:thumbsup:thumbsup:thumbsup:thumbsup

you are correct, the ip i got was a UK coming from a server on theplanet, the whois i got is http://www.whois.net/whois_new.cgi?d=Rapidnetuk&tld=com anyone else get the same?

was it an ex NATS employee?

it looks and smells like an inside job to me everyones got the same ips showing up, no chance this is a random event!

Had the same...I was on my own paysite as member to check if mails would come in etc. Within a few days I received spam!

It really sucks hard, and I'm sure many sites are affected. The one who made the script, knows exactly what he/she did, and I'm sure he//she is making a LOT of money with those emails.

And I understand NATS doesn't want to discuss it on a public forum. But an email to customers would be welcome(which is send now)

I am just curious of this was not posted if it would have arrived that fast too...

67.19.188.250 - 2007-12-21 16:02:46
17 times...

rapidnetuk.com
Country United States
State/Region TX
City Dallas
Postal Code 75207
Latitude 32.7825
Longitude -96.8207
Area Code 214

69.94.70.187 - 2007-12-18 04:03:39
1 time...

65.110.53.100 - 2007-12-17 18:14:40
14 times...

Country Greece

0.0.0.0 - 2007-12-14 04:04:20
about 30 times up to Dec. 1st.

Account Deleted.

No accusations, just want to get my info out there to try and help remedy the situation.

this issue is more than emails, whoever is behind it has had access to sales data members details, ive been having a run of passwords blocked by proxy pass or having more than 3 country IP's these pass's were for rock solid affiliates etc kinda makes sense now someone been using other data as well, this really sucks!

What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.

looks serious