Requires quoting for a very good point - a lot of household names in there. They need dropping at your front door. Cease and assist as a wise man once said (earlier today) :2 cents:

150 exploits

Definitely did, but don't know if he does now or not.. ICQ him & ask him.

me too

problem is i promote some nats sites, and if members are getting spam due to this, they will cancell. As such I will have lost re-bills from promoting these sites.

almost.

you got 152 spot.

you need to post quicker.

I wiped him out awhile ago already. I want the tracking of the IPs of who logged in - and there, I do need a tech ;)

anyone have any success with this?

Our logs reflect the same thing

67.84.12.95 - 2007-12-21 17:52:52
67.19.188.250 - 2007-12-21 16:20:45
67.19.188.250 - 2007-12-21 10:20:46
67.19.188.250 - 2007-12-21 04:20:45
67.19.188.250 - 2007-12-20 22:20:46
67.19.188.250 - 2007-12-20 17:54:53
67.19.188.250 - 2007-12-20 16:20:45
67.19.188.250 - 2007-12-20 10:20:45
67.19.188.250 - 2007-12-20 04:20:46
67.19.188.250 - 2007-12-19 22:20:46
67.19.188.250 - 2007-12-19 17:54:54
67.19.188.250 - 2007-12-19 16:20:45
67.19.188.250 - 2007-12-19 10:20:46
67.19.188.250 - 2007-12-19 04:20:45
67.19.188.250 - 2007-12-18 22:20:45
67.19.188.250 - 2007-12-18 17:51:01
67.19.188.250 - 2007-12-18 16:20:46
67.19.188.250 - 2007-12-18 10:20:45
69.94.70.187 - 2007-12-18 04:20:45
65.110.53.100 - 2007-12-17 17:51:16
65.110.53.100 - 2007-12-17 16:20:45
65.110.53.100 - 2007-12-17 10:20:45
65.110.53.100 - 2007-12-17 04:20:45
65.110.53.100 - 2007-12-16 17:51:16
65.110.53.100 - 2007-12-16 16:20:46
65.110.53.100 - 2007-12-16 10:20:46
65.110.53.100 - 2007-12-16 04:20:46
65.110.53.100 - 2007-12-15 22:20:46
65.110.53.100 - 2007-12-15 17:51:22
207.44.162.119 - 2007-12-14 04:20:46
207.44.162.119 - 2007-12-13 22:20:46
207.44.162.119 - 2007-12-13 17:51:14
207.44.162.119 - 2007-12-13 16:20:46
207.44.162.119 - 2007-12-13 10:20:45
207.44.162.119 - 2007-12-13 04:20:45
207.44.162.119 - 2007-12-12 22:20:46
207.44.162.119 - 2007-12-12 17:51:05
207.44.162.119 - 2007-12-12 16:20:41
207.44.162.119 - 2007-12-12 10:20:41
207.44.162.119 - 2007-12-12 04:20:41
207.44.162.119 - 2007-12-11 22:20:41
207.44.162.119 - 2007-12-11 17:51:03
207.44.162.119 - 2007-12-11 16:20:40
207.44.162.119 - 2007-12-11 10:20:40
207.44.162.119 - 2007-12-11 04:20:40
207.44.162.119 - 2007-12-10 22:20:41
207.44.162.119 - 2007-12-10 17:51:15
207.44.162.119 - 2007-12-10 16:20:41
207.44.162.119 - 2007-12-10 10:20:41
207.44.162.119 - 2007-12-10 04:20:40
207.44.162.119 - 2007-12-09 22:20:41
207.44.162.119 - 2007-12-09 17:51:01
207.44.162.119 - 2007-12-09 16:20:41
207.44.162.119 - 2007-12-09 10:20:41
207.44.162.119 - 2007-12-09 04:20:42
207.44.162.119 - 2007-12-08 22:20:42
207.44.162.119 - 2007-12-08 17:51:03
207.44.162.119 - 2007-12-08 16:20:47
207.44.162.119 - 2007-12-08 10:20:46
207.44.162.119 - 2007-12-08 04:20:47
207.44.162.119 - 2007-12-07 22:20:47
207.44.162.119 - 2007-12-07 17:51:20
207.44.162.119 - 2007-12-07 16:20:46
207.44.162.119 - 2007-12-07 10:20:46
207.44.162.119 - 2007-12-07 04:20:47
207.44.162.119 - 2007-12-06 22:20:47
207.44.162.119 - 2007-12-06 17:51:13
207.44.162.119 - 2007-12-06 16:20:47
207.44.162.119 - 2007-12-06 10:20:48
207.44.162.119 - 2007-12-06 04:20:47
207.44.162.119 - 2007-12-05 22:20:47
207.44.162.119 - 2007-12-05 17:51:09
207.44.162.119 - 2007-12-05 16:20:47
207.44.162.119 - 2007-12-05 10:20:47
207.44.162.119 - 2007-12-05 04:20:46
207.44.162.119 - 2007-12-04 22:20:47
207.44.162.119 - 2007-12-04 17:51:37
207.44.162.119 - 2007-12-04 16:20:51
207.44.162.119 - 2007-12-04 10:20:51
207.44.162.119 - 2007-12-04 04:20:50
207.44.162.119 - 2007-12-03 22:20:51
207.44.162.119 - 2007-12-03 17:51:10
207.44.162.119 - 2007-12-03 16:20:50
207.44.162.119 - 2007-12-03 10:20:51
207.44.162.119 - 2007-12-03 04:20:51
207.44.162.119 - 2007-12-02 22:20:51
207.44.162.119 - 2007-12-02 17:51:40
207.44.162.119 - 2007-12-02 16:20:51
207.44.162.119 - 2007-12-02 10:20:51
207.44.162.119 - 2007-12-02 04:20:51
207.44.162.119 - 2007-12-01 22:20:51
207.44.162.119 - 2007-12-01 17:51:04
207.44.162.119 - 2007-12-01 16:20:50
207.44.162.119 - 2007-12-01 10:20:51
207.44.162.119 - 2007-12-01 04:20:50
207.44.162.119 - 2007-11-30 22:20:51
207.44.162.119 - 2007-11-30 17:51:32
207.44.162.119 - 2007-11-30 16:20:51
207.44.162.119 - 2007-11-30 10:20:51
207.44.162.119 - 2007-11-30 04:20:52
207.44.162.119 - 2007-11-29 22:20:51
207.44.162.119 - 2007-11-29 17:51:18
207.44.162.119 - 2007-11-29 16:39:51
207.44.162.119 - 2007-11-28 17:51:25
207.44.162.119 - 2007-11-27 17:51:25
207.44.162.119 - 2007-11-26 20:24:22
207.44.162.119 - 2007-11-26 20:11:53
207.44.162.119 - 2007-11-26 17:51:29
207.44.162.119 - 2007-11-25 17:51:27
207.44.162.119 - 2007-11-25 16:20:50
207.44.162.119 - 2007-11-25 10:20:51
207.44.162.119 - 2007-11-25 04:20:51
207.44.162.119 - 2007-11-24 22:20:51
207.44.162.119 - 2007-11-24 17:51:09
207.44.162.119 - 2007-11-24 16:20:55
207.44.162.119 - 2007-11-24 10:20:56
207.44.162.119 - 2007-11-24 04:20:55
207.44.162.119 - 2007-11-23 22:20:56
207.44.162.119 - 2007-11-23 17:51:08
207.44.162.119 - 2007-11-23 16:20:56
207.44.162.119 - 2007-11-23 10:20:55
207.44.162.119 - 2007-11-22 18:03:46
207.44.162.119 - 2007-11-22 17:51:05
207.44.162.119 - 2007-11-22 04:26:26
207.44.162.119 - 2007-11-21 22:26:25
207.44.162.119 - 2007-11-21 18:13:02
207.44.162.119 - 2007-11-21 17:51:08
207.44.162.119 - 2007-11-20 17:51:13
207.44.162.119 - 2007-11-19 21:53:46
207.44.162.119 - 2007-11-19 17:51:19
207.44.162.119 - 2007-11-18 17:51:26
207.44.162.119 - 2007-11-17 17:51:14
207.44.162.119 - 2007-11-17 13:20:42
207.44.162.119 - 2007-11-17 09:09:50
207.44.162.119 - 2007-11-16 17:51:15
207.44.162.119 - 2007-11-15 17:51:46
207.44.162.119 - 2007-11-15 09:11:16
207.44.162.119 - 2007-11-15 07:50:05
207.44.162.119 - 2007-11-14 17:51:15
207.44.162.119 - 2007-11-13 17:51:29
207.44.162.119 - 2007-11-13 15:31:13
207.44.162.119 - 2007-11-12 17:52:06
207.44.162.119 - 2007-11-12 15:16:36
207.44.162.119 - 2007-11-12 09:13:52
207.44.162.119 - 2007-11-12 06:56:56
207.44.162.119 - 2007-11-12 06:43:06
66.118.176.86 - 2007-11-12 06:05:00
66.118.176.86 - 2007-11-12 06:01:55
67.84.12.95 - 2007-10-30 12:52:13
67.84.12.95 - 2007-07-18 14:50:26
67.84.12.95 - 2007-07-18 14:48:20
67.84.12.95 - 2007-07-18 14:35:07
67.84.12.95 - 2007-07-18 11:45:29
67.84.12.95 - 2007-07-18 11:09:37
207.150.178.60 - 2007-07-17 09:12:36
67.84.12.95 - 2007-07-16 16:55:25
207.150.178.60 - 2007-07-16 13:19:20
207.150.178.60 - 2007-07-16 10:48:07
207.150.178.60 - 2007-07-16 07:25:33
207.150.178.60 - 2007-07-16 06:28:05
67.84.12.95 - 2007-07-14 14:26:22
67.84.12.95 - 2007-07-14 14:26:16
67.84.12.95 - 2007-07-14 14:25:42
67.84.12.95 - 2007-07-14 13:09:13

I doubt the real Fred is doing the hack. I mean, why would he use his real name?

I actually banned the account - although John said I could remove him:
http://www.gfy.com/showpost.php?p=13548415&postcount=84

Quote:
Originally Posted by Trixxxia
John - can I remove the user?

Yes, you can of course.

well i don't wanna delete it cause i wont be able to tell if he is still logging in. So i just went in and banned it. But i do see a new ip now don't know if its nats or not 67.84.12.95

the only details i see being shared are the same details your customers are using to find out they have been compromised, i would think instead of complaining that people are finding out they have been hacked you might start by emailing your customers and letting them know , then they wouldnt have to find out on gfy.
:2 cents:

This thread = LMFAO

NATS tech support
http://i24.photobucket.com/albums/c4...dedram23-1.jpg

I believe that would be a "smoking gun" ????? :party-smi

anybody want to see my penis?

It's very widespread and has been brought up on numerous occasions. Whenever it is brought up it gets the classic GFY response of belittling the messenger.
This is one that comes to mind, although it has come up many times before.
I use to use a unique email for every sponsor I joined, and with NATS sponsors the result was always the same, so I quit signing up to sponsors using NATS.
http://www.gfy.com/showthread.php?t=752142

The weird relationship that John and Quickbuck have doesn't make me feel any easier about the whole situation either. Considering the Quickbuck system is all NATS, I find this quote a bit odd. Business may be business, but how can either one of these companies do business with each other?

are there any nats programs that haven't been compromised yet ?

will nats be contacting the programs affiliates and let them know their affiliate personal information has been compromised for the sponsors in question

I know Mayors was clean.

But I also know they went through and changed/killed all admin accounts awhile ago.

4 pages... and no signs of it stopping before another.

So far, from what I can tell - we are ok but the server guys are doing their due diligence and going over our servers for us and the other programs hosting with them for the past few hours.

1. It is recommend you IP restrict access to your NATS admin area through the NATS configuration. To set this up, you can place a comma separated list of IP addresses that you wish to allow access to your NATS admin in the ADMIN_IPS field in your configuration admin.

Just did that... noted that my IP is dynamic and change once in a while... so I put XXX.XXX.* instead of XXX.XXX.XXX.XXX

Now I can't even access the configuration anymore and I'm stuck.

Great. Anybody knows how to edit this information? Please contact me theindigo2k /AT/ yahoo /DOT/ com

Are you the only one with admin access? If yes, I think your only way back is via your host, put a call or ticket in.

oh crap..that sucks :Oh crap

If the hacker was able to access the affiliate data, that could sell for huge. Imagine what some programs would pay for contact info to some of the biggest whales in the industry.

I haven't read the whole thread other than the first post but I wanted to say this.

I had a paysite processing with paycom awhile back, and I did test signups using email addresses like [email protected] [email protected] etc...a couple of months later I started getting spam at those email addresses.
My emails to my account rep and Rand concerning that subject were never replied to.

Give me a break. When members contact you saying "Hey you spammer, blah blah blah" you think that he just got spammed from a different site using the same email address. Because I know very well we don't spam, and Epoch/NATS don't either.

I did not start this thread until a member with a DEDICATED email address could prove me it came from our paysite.

Problem is, if you start a thread in this industry against a processor and/or program... you know better than me it's not always professional. I can't lose my credit card processor so it needs to be serious before I start a public thread about it.

Anyway, mind your own business. When you pay $/month for a program, you expect security fixes/alerts. Not you having to ask around to know what is going on. This is called trust.

double post

Ignore him indigo this thread has been very informative....

Is that why I always have reps hitting me up saying "Please give us a try" :1orglaugh :winkwink:

indigo, I commend you for coming out with this. At least we're all able to simultaneously block the shit now - so we can battle the next snake when we hear hissing again. Hopefully, everyone can be reached now and things get done.

Well as a matter of fact.
Yes.

However I did not pin it on PAYCOM.

Hope you get it sorted out.

After all its not just people who run nats paysites, its all the affiliates too that are going to be affected.

And to be honest, personally, I'm fucking PISSED about it. :mad:

Merry fucking Xmas.

Now take this a step further and ask yourself: How many affiliates maybe used the same password for ePassPorte as well - since the NATS data already supplies the ePassPorte Account-name - the next step for the hacker was easily to try the user / password combo - now think back of the TrafficHangar incident and how many have been affected... get the picture I draw here? :disgust

Not happy about this, in the LEAST.

S.-

so what programs were being advertised in the spam emails that came from hacking NATS?

SlickCash was just sued by Facebook for attempting to hack their users' information including emails.

this is not a good day for NATS - not because it was hacked - no software is inpenetrable but seems like NATS had many warnings and the action taken wasn't thorough enough.

This is the most important thing to do if we are able to research it.

The criminal (yes it's a crime, I'm tired of geeks that think internet is not serious) could be linked to the referrals/products. If the list was sold, then we need to know who sold it.

heres a bump

We found the solution. I think NATS should give more details regarding this recommendation so people don't get stuck outside of their member area if their IP changes.

I have to agree with ShotGun and ladida, that everything is hackable and everything will have it's day that it was hacked. Not just adult companies, but mainstream too. How many exploits have there been for Linux & Windows? How many times have personal information been lost by credit card companies? Everything is hackable and everything will be hacked once. There's no stopping it, the only thing that you can do is get a hold of the company providing the software and have them patch it ASAP. Now if John did have prior knowledge of this prior to today, which it seems, he should have contacted every client running that version of that software that was affected. Let them know what needs to be done and supply a patch, or let them know what to change (ssh passwords, etc, etc).

Now as for this comment. I feel that if John knew it, HE doesn't need to make a public statement, but he does in fact need to let their clients, EVERY SINGLE CLIENT, know that one one of their servers has been compromised. But only if their server contains data about a clients machine (server ip, ssh port, ssh user, ssh pass, etc, etc). But at the same time, it'd be public because a client would post on GFY or one of the other boards. This also brings up the fact that any machine visible on the web should have a software firewall on their machine, iptables is fine. Block every port except those needed by web server (port 80, 443 and any others). Then only allow say for SSH the IP addy's needed for the certain people.

It might be a pain in the ass, but that's the best way to keep somebody out, even if they have your information, atleast they can't FTP or SSH into your box.

Not really. I don't think NATS stores CC data in their DB. I don't know of any affiliate program that does, the only ones that should would be the ones that have their own processing. Meaning they are doing the processing themselves. Not using a processor like Epoch/CCBill.

Seems to me when looking at both of these together it appears there is a smoking gun here. I don't have access to that forum or know where it's at. Spacedog can you tell us what that post is in context too?

For all we know he could be talking about a cheerleader squad. I realise it's likely not that, so what was his post a response too?

You can always follow the money trail. They have to be spamming a program with the emails. They had to provide a way for that program to pay them.

There is also the possibility that someone could have been trying to harvest data. Imagine if one program got to see who all of your top affiliates were, how much they make, a way to contact them, and what sites they used to send you sales. I think that kind of information would be 100x more valuable to the right people then a bunch of member's emails.

From what I have been told, that is a very good idea.

Yes, because you are a whale.

Affiliate data + members emails = huge value

And to think I almost went to bed without checking email and GFY.

OMFG, speechless.

For any of you that are MojoHost customers Corey and I will be assessing the entirity of the situation tomorrow and in contact with all NATS customers that we host personally by every means available to us. We are committed to being as helpful as possible regarding this situation. Please do not hesitate to contact me on my cellular phone any time of day or night with any questions or concerns.

Brad

Great thing to do Brad ;)
WG

LOL @ the dumbasses who think Fred from TMM is the culprit:1orglaugh

Brad,

Hit me up tomorrow on ICQ or email I have the full details on this and I think us leading hosting providers to this industry should share to protect our customers. (mike-webair this goes out to you to)

I might just go public with the info we have as well since at this point it's out, I still have respect for the idea that security issues should be secret until their fixed. Even tho TMM hasn't fixed their issue 4 months later.

Email sent, thank you Milan. I believe that our clients and community at large would all be well served to put our heads together on this.

:thumbsup

Brad

I just sent you the info we have on the problem, how long we are aware of it and steps we tool to track and protect our clients, Let me know your thoughts about releasing this to the community.