Protecting against Hackers
Protect against Hackers: First-hand experience
By: P Reynolds
url: http://www.eroticaoutdoors.com
So now that you have invested thousands of dollars on an adult website, and you are now an “expert” from reading through dozens of bulletin boards on various articles such as TGP’s, AVS services, designing webpages, you are ready to make hundreds of thousands of dollars with your new, awesome adult website!! But before you start running up your credit cards in anticipation of your upcoming fortunes, have you thought about security? Within three days of my adult website being launched, I noticed hundreds of entries in my log file with strange directory paths and some weird usernames. Someone had already tried to hack my site and it was only three days old!!! After this, I did quite a bit of research on adult paysite hackers and will explain the various methods used by hackers and ways to protect against them. It is amazing how little information I was able to get from other adult webmasters!! Either they have no clue or they don’t want to admit they are at risk.
Protect against password hurlers.
There are dozens of programs freely available on the internet that will take a dictionary of common website logins and hurl them against your website at incredible speed until they match a working login. Examples of the newer programs include Access Diver, Golden Eye, and Ares. These programs are very hard to protect against even if you have brute force protection installed. Pennywise is one of the best because it has a low tolerance of attempted passwords before it starts giving fake ‘good’ responses.
The brute force attack itself is not dangerous to your website because the attempts themselves take up very little bandwidth; the danger is having a password compromised. The best way to protect against this is to make sure that your password script does not let the user choose their own password but instead assigns a random one, such as ‘4rk76TY’, to them. Secondly, it is possible to repel these programs using a script that looks for a unique signature emitted by these programs, much like the common .htaccess line of “RewriteCond %{HTTP_USER_AGENT} ^.*Teleport.*$”. This is very new in the making and no commercial applications are available yet. The third method of protection against this would be to make your login a form-based login using hidden values that the browser also has to send back with the login. This is the easiest method to implement, but it will only block the script kiddies, who make up 95% of the passtrading population.
By the way, putting an entry into your .htaccess file such as “deny from 196.23.187.”, namely the IP address of the attacker, will probably not do any good since these programs use a list of proxies and rotate them every X number of attempts.
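The two script-side protections above, random assigned passwords and a form-based login whose hidden value the browser must send back, as an added example in Python (not code from the article); the signed-token format, the 300-second lifetime and the in-memory member table are assumptions for the demonstration:

```python
import hashlib
import hmac
import secrets
import string
import time

# Server-side key used to sign the hidden form field (constructed here; keep it
# outside the web root in a real deployment).
FORM_SECRET = secrets.token_bytes(32)
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def assign_password(length=7):
    """Assign the member a random password like '4rk76TY' instead of letting
    them choose one, so that dictionary lists never contain it."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def issue_form_token(now=None):
    """Hidden value embedded in the login form: nonce.timestamp.mac. A hurler
    that posts straight to the login URL without fetching the form cannot forge it."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    body = f"{nonce}.{issued}"
    mac = hmac.new(FORM_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_form_token(token, max_age=300, now=None):
    """Accept the hidden value only if its MAC is intact and it is still fresh."""
    try:
        nonce, issued, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return False
    expected = hmac.new(FORM_SECRET, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued <= max_age


def login(form, members, now=None):
    """Form-based login: the hidden token is checked before the password is.
    `members` maps username -> assigned password (store a hash in production)."""
    if not verify_form_token(form.get("token", ""), now=now):
        return False
    stored = members.get(form.get("user", ""))
    supplied = form.get("password", "")
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())
```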
Protect against password lists.
There are maybe a dozen different active IRC channels devoted only to sharing and cracking passwords for adult sites. While one password to your site posted in plain view in the channel can cause your bandwidth to shoot through the roof, the only people seeing that password are the ones that are in the channel and paying attention. But imagine the damage when that one password is posted to a password list which is distributed to many people! Now there is a written copy of your precious password which these people can reference whenever they want to.
How to combat this? These password lists maintain a database of which websites are quality sites and which ones are scam sites. The trick is to get your site listed as a scam site, since those are rarely reviewed. One way is by contacting one of the password list operators and offering them a free password or some other incentive to secretly ban your website. Another, more devious approach would be to temporarily design your website to give a dozen popups and redirect to a sponsor or some other annoying website, and then submit a working password to these lists in hopes that they will ban it outright. Perhaps you can use a subdomain for this. TIP: Make the members area an IP address, because most won’t post it.
There are several published articles on password sites so I will not go over those but I will say that a proper marketing approach to the webmaster of those sites can yield some quality traffic. Unfortunately, there are several other places that you have to worry more about. These include groups or clubs such as Yahoo or Usenet that have active forums where people can request a password to a specific site and then maybe one of the other forum visitors will provide them with one. There is not much you can do about this short of informing the host (e.g. Yahoo Clubs Moderator), but then the forum will just pop up in another place.
Installing a script that checks each login against the IP address of the user and automatically cancels a password that is being shared will help a lot!
Protect against real hackers
Now that we have talked about the damage that a password trader can do to your hosting expenses, just imagine what could happen if a hacker was able to access your entire password file. Changing every password and notifying the member would be a Herculean task at best.
The three most common ways that hackers access your password file are: 1) exploiting the billing company’s scripts, 2) using a program that compares your website against commonly known directory and file pathways, and 3) exploiting an external cgi or perl program that you have installed.
Hackers will first analyze which billing method you use and then go to that billing company’s website and read the webmaster tutorials, which frequently tell the directory paths used and some even give the source code for the login scripts!! Some hackers also own adult websites so they will be intimately familiar with the internal workings. The best way to protect against this is to change the default directory and filenames. For example, if the installation instructions for XYZbill state to place the script in a directory called XYZbill/secure, you can and should physically change the names in the cgi or perl script and in the directory structure to some obscure name such as ‘infoxpass’.
Over the last few years, more and more internet security websites have started to actually outline, for educational purposes, various attempted and successful hacking attempts by users who are scanning for common directories such as /logs/, /.htpassword, /admin/ or even /ccbill/secure/. While this is good for website administrators to analyze and compare against their website, it also gives a hacker a ready-made list of common directory paths. All the hacker has to do is take these lists and use a common program to run them on a website and look for accessible files.
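The three things the article says to watch for in the log file, password hurling (many 401s against one login, spread across rotating proxies), a shared working password (one login used from many addresses, the case for automatic cancellation) and default-path scanning (404s on /logs/, /admin/, /ccbill/secure/), can all be picked out of an Apache combined-format access log with one parser. This is an added example, not the article's code; the log lines, the members-area prefix and the thresholds are constructed for the demonstration:

```python
import re
from collections import defaultdict

# Apache "combined" log format; the %u field carries the attempted username on 401s.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
PROBE_PATHS = {"/logs/", "/admin/", "/ccbill/secure/"}  # default paths scanners try

# Constructed sample: a hurler rotating proxies against "bob", a working password for
# "alice" used from three addresses, one scanner, and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.1 - bob [01/Jan/2001:10:00:01 +0000] "GET /members/ HTTP/1.0" 401 0 "-" "Access Diver"
10.0.0.2 - bob [01/Jan/2001:10:00:02 +0000] "GET /members/ HTTP/1.0" 401 0 "-" "Access Diver"
10.0.0.3 - bob [01/Jan/2001:10:00:03 +0000] "GET /members/ HTTP/1.0" 401 0 "-" "Access Diver"
192.0.2.10 - alice [01/Jan/2001:11:00:00 +0000] "GET /members/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.20 - alice [01/Jan/2001:11:05:00 +0000] "GET /members/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.30 - alice [01/Jan/2001:11:09:00 +0000] "GET /members/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2001:12:00:00 +0000] "GET /admin/ HTTP/1.0" 404 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2001:12:00:01 +0000] "GET /logs/ HTTP/1.0" 404 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jan/2001:12:00:02 +0000] "GET /ccbill/secure/ HTTP/1.0" 404 0 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Jan/2001:12:30:00 +0000] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""


def parse(log_text):
    """Parsed entries as dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in log_text.splitlines()) if m]


def hurled_accounts(entries, min_failures=3):
    """Logins with many 401s -> {user: (failures, distinct_ips)}. A high distinct-IP
    count is the proxy rotation that makes a per-address "deny from" useless."""
    fails = defaultdict(list)
    for e in entries:
        if e["status"] == "401" and e["user"] != "-":
            fails[e["user"]].append(e["ip"])
    return {u: (len(ips), len(set(ips))) for u, ips in fails.items() if len(ips) >= min_failures}


def shared_logins(entries, max_ips=2, members_prefix="/members/"):
    """Logins whose working password was used from more than max_ips addresses."""
    seen = defaultdict(set)
    for e in entries:
        if e["status"] == "200" and e["user"] != "-" and e["path"].startswith(members_prefix):
            seen[e["user"]].add(e["ip"])
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > max_ips}


def path_scanners(entries, min_probes=2):
    """Addresses that collect 404s on the well-known default paths."""
    probes = defaultdict(set)
    for e in entries:
        if e["status"] == "404" and e["path"] in PROBE_PATHS:
            probes[e["ip"]].add(e["path"])
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= min_probes}
```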
Lastly, and probably the most critical of all, is that webmasters should NOT install any external cgi or perl applications! It might be nice to have a guestbook, chat forum, or survey on your website, but you had better be sure there is not a way to exploit that script in order to access the inner workings of your website. You can go to www.securityfocus.com and do a search for the script you are using, but keep in mind these security websites only list published exploits. If there is a file on your website that is not integral to the function of your website, delete it! This goes for log files such as .bash_history and ftp log files as well.
Recently, there has been some talk about various free programs that will spoof an IP address. This is dangerous when your .htaccess file is publicly accessible and it specifically states the address of the password file along with a line stating something like “allow from 172.141.48.”
Another recent development involves a cgi or perl script that will spoof the referring URL in order to bypass a referrer restriction. For example, if you have a live feed on your website that is only accessible if the user goes from your members page directly to the live feed, then all a hacker needs to do is put your url in a field and the program will send a header with that information. This should not be a real threat to you as it is not your bandwidth that is being used, but that of the live feed provider.
Closing Remarks
While all this is good to know, please keep in mind that you will only be able to block the script kiddies and the new- to moderate-level hackers using this information. There is nothing you can do if a hacker exploits a weakness in your host’s server in order to gain access, but hopefully the server has other websites that seem more interesting than yours for the hacker to go through. At least it is refreshing to know that probably 95% of the people who trade passwords, crack passwords, and attempt to hack sites are basically script kiddies that can mainly push Start buttons on freeware programs.