Getting the Attitude: How to Hack a Paysite, Part 1

How to Hack a Paysite: What the Good Guys Need to Know

One billing company did come to me and say they had changed their code as a result of reading my article. Another billing company changed their code as well, after I rather thoroughly showed their president the mess they were in.

If you’re plagued by hackers and password traders, it’s probably your own billing company who is letting them in. Is that news to you? It’s probably news to your billing company as well!

Your billing company could make hacking and password trading a thing of the past. Right now, though, there’s no incentive. If you’re plagued by hackers, that’s supposedly your problem. You, not the billing company, are paying that bandwidth bill for the site rippers. You are perhaps even paying for third party password protection. As things stand now, you can’t live without it!

To understand the problem, I need to teach you how to hack a paysite. You’ll understand what your billing companies are up against. And you’ll see that with a remarkably small effort you can make your hacking problem a thing of the past.

Getting the Attitude

One particular password traders’ board was running a fundraising drive. They were looking for donations from the members to pay for their own bandwidth expense. The board owner explained (typos left intact):

Most of you have been receiving free passes since you joined and we have saved you $1000s of dollars. We dont think that a Donation is too much to ask for what you receive in return.

The “free passes,” of course, are the hacked passwords to your paysite. Most responses were whiners saying they were unemployed, but would kick in $5 or $10 when they were able. Yes, these are the people sending your bandwidth bill through the roof with their site rippers and traded passwords.

One response, though, shows precisely what we’re dealing with. Please take the time to read it in its entirety (typos left intact):

Well I will just start by saying that I think that the owners should be compensated for the bandwidth. I first donated $25 when it was first asked by cueball, this is before gold passes were around and have continued every month to do so. Why, well, one thing its a great site with many great members, lots of stuff here besides passes. Second is the passes, I mean how many members would see even a fraction of these paysites without this site? The problem with most folks is they dont WANT to pay anything, they want everything FREE. Things just dont work that way. If this was my site I would certainely limit the number of those who arent paying so that I could reduce my bandwidth. Second, I would charge everyone a nominal fee, perhaps $10 a month to help offset the costs. Folks, the owners of this site owe you nothing free, so why don’t you pony up. What the hell is $25 bucks a month? You can afford a puter, and ISP, and who knows what else. Time to pay the piper. My thanks to cueball and all the others that keep this site running and being such a wonderful site to be a member of.

That’s the attitude you’re up against. The typical password trader doesn’t even know he’s doing anything wrong. The passes are there, so use them. If you can post a few “passes” yourself, you’re a hero for being so clever and for sharing. By the way, the board’s own USA-based hosting company is collecting the donations!

Basic Paysite Hacking Technique

Fifteen years ago (in 1988), Robert Morris Jr. took down the Internet. This was pretty clever at the time, since it was the first such incident. The funny thing is, today’s paysite hackers continue to use the same three techniques. Many of today’s hackers – teenagers and college kids devoid of any sense of ethics – are too young to remember.

Here are the three techniques. Neither you nor the hacker kiddies need to remember the details; the automated tools are already out there, waiting to be used:

  • A scanner. You’ve seen police radio scanners, right? It’s a device which checks various frequencies, locking onto anything it finds interesting. Check your server logs, and you’ll find lots of people looking for files and scripts you don’t even have. They’re scanning for “interesting” items, and will take note of whatever is found. (In the Morris Worm’s case, the scanner was looking for more computers to infect.)
  • A known vulnerability. This is called “an exploit” by the hackers. (Morris knew of vulnerabilities in the Unix utilities fingerd and sendmail.) Nearly every exploit posted on the paysite hackers’ boards is based on a billing company script.
  • A password guesser. The passwords on your server are encrypted. So, they’re safe, right? Think again! Morris showed how vulnerable they were fifteen years ago. Most billing companies seem to have forgotten this lesson!
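The scanner is the one of the three you can see for yourself in your own server logs, as the first bullet notes. The following is an added example, not code from the article or from any billing company: it parses a handful of constructed log lines in the common Apache/NGINX "combined" format (an assumption about how the paysite's server logs look) and flags a client whose stream of 404s for scripts the site never had looks like a scan rather than a member hitting a broken link.

```python
import re
from collections import defaultdict

# Assumption: the server writes the common "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: 203.0.113.7 probes for scripts the site does not have,
# 198.51.100.9 is an ordinary member who hits one missing image.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2003:01:02:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 209
203.0.113.7 - - [10/Mar/2003:01:02:04 +0000] "GET /cgi-bin/count.cgi HTTP/1.0" 404 209
203.0.113.7 - - [10/Mar/2003:01:02:05 +0000] "GET /scripts/admin.asp HTTP/1.0" 404 209
203.0.113.7 - - [10/Mar/2003:01:02:06 +0000] "GET /members/ HTTP/1.0" 401 401
198.51.100.9 - - [10/Mar/2003:01:05:00 +0000] "GET /members/index.html HTTP/1.0" 200 5120
198.51.100.9 - - [10/Mar/2003:01:05:01 +0000] "GET /members/pic1.jpg HTTP/1.0" 200 40960
198.51.100.9 - - [10/Mar/2003:01:05:02 +0000] "GET /members/missing.jpg HTTP/1.0" 404 209
"""

def parse_log(text):
    """Yield one dict per parseable log line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_scanners(text, min_misses=3, script_dirs=("/cgi-bin/", "/scripts/")):
    """Return {ip: [missing paths]} for clients whose 404s look like a script scan.

    A scanner asks for many resources the site never had, usually under script
    directories; a real member occasionally follows one broken link. Both the
    threshold and the directory list are tunable assumptions, not rules from the article.
    """
    misses = defaultdict(list)
    for rec in parse_log(text):
        if rec["status"] == "404":
            misses[rec["ip"]].append(rec["path"])
    suspects = {}
    for ip, paths in misses.items():
        script_hits = [p for p in paths if p.startswith(script_dirs)]
        if len(paths) >= min_misses and script_hits:
            suspects[ip] = paths
    return suspects

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} missing paths: {', '.join(paths)}")
```

Run against a real access log, the same function gives you a list of clients worth blocking at the firewall before they move on to the second and third techniques.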