Harvesting Passwords
I have investigated some sites whose password files were being
"harvested" daily, with nobody the wiser. If your
scripts are being used by "unauthorized personnel," who
would know? Once harvested, passwords can usually be decrypted.
- Netbilling sometimes writes the username, plaintext password,
and customer home address into the Apache server log.
- nbmember.cgi can display the entire list of active members
and their (encrypted) passwords; hackers can generally decrypt 50%-90% of
those passwords within a few hours. nbmember.cgi will also quietly add
nonpaying members. The secret keyword is stored in plain text in
nbmember.cfg. nbmember.cgi certainly rates as the friendliest billing
script, with very complete online help available. That help covers the
available commands as well as the precise location of the secret keyword
file and of the passwords being protected.
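As an added example (not from the original page or from Netbilling), a defender-side audit of Apache access-log lines for the two exposures described above: credential parameters ending up in the server log, and requests reaching the member-management script. The log lines, the credential parameter names and the signup script name are constructed assumptions; secret values are redacted in the findings so the audit report does not become a second copy of the leak.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2000:13:56:01 -0700] "GET /cgi-bin/signup.cgi?user=jdoe&password=hunter2&addr=1+Main+St HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2000:13:57:12 -0700] "GET /cgi-bin/nbmember.cgi HTTP/1.0" 200 8192 "-" "curl/7.9"
"""

# Client IP, timestamp, and the request line's method and target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Parameter names that usually carry credentials (assumption; extend for your own scripts).
SECRET_PARAMS = {"password", "passwd", "pass", "pw"}
# Member-management scripts whose every access deserves review (named in the advisory).
SENSITIVE_SCRIPTS = {"nbmember.cgi"}

def audit_line(line):
    """Return (kind, client_ip, detail) findings for one log line; secrets are redacted."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    findings = []
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script in SENSITIVE_SCRIPTS:
        # Report the path only: the query string may itself contain secrets.
        findings.append(("sensitive_script", ip, parts.path))
    # keep_blank_values so an empty "password=" still shows the parameter is being logged.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            findings.append(("credential_in_log", ip, f"{parts.path} param={name} value=<redacted>"))
    return findings

def audit_log(text):
    """Audit every non-empty line and return the combined findings list."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.extend(audit_line(line))
    return out

if __name__ == "__main__":
    for kind, ip, detail in audit_log(SAMPLE_LOG):
        print(f"{kind:20s} {ip:15s} {detail}")
```

A hit of kind credential_in_log means the log file itself now needs the same protection as the password file, and the script that accepted the credential on the query string should be moved to POST.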