Check Prosper, Account Hacked.

jpet1010

New member
Jan 13, 2010
One of our P202s was hacked. I have no idea how they were able to; I've checked logs and see nothing. I made a post yesterday on the FB thread: we were charged for a couple hundred clicks that we never registered. I waited a couple hours thinking it was a FB glitch, fired the campaigns back up and split tested with a new P202, and everything was fine. This morning it happened again, but I split the two P202s as it was happening: the new P202 started hauling in traffic while the old one sat there. Anyways, just throwing out a warning. I know last time this happened, whoever hacked one hacked a bunch. So give your stats a look.
 


Try limiting access to your Prosper login to only IPs that you control using .htaccess


 
Prosper202 is an insecure POS. There have been numerous discussions on the nickycakes IRC about how many security holes there are, and they've overwhelmingly been reported and left unfixed.

Definitely fall back on your own security: do what Compound said, use .htaccess passwords, whatever it takes if you want to use Prosper.

Edit: and that likely still won't solve all your problems, since IIRC the track click file has some big SQL injection problems which you need to be able to access to make Prosper work. Hire a programmer to go through and clean up all the SQL injection stuff, I can refer you to someone as necessary.
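One way to do what Compound suggests (restrict the login to IPs you control) together with the .htaccess password mentioned in this reply. This is an added example, not from the thread or from Prosper202 itself; the directory it goes in, the password-file path and the IP ranges are assumptions, and it should only cover the admin/login area, since the click-tracking file has to stay reachable by visitors for the tracker to work.

```apache
# Added example: .htaccess for the directory holding the Prosper202
# admin/login pages (which directory that is, is an assumption here).
# Do NOT place this at the tracker's web root, or the public click
# redirect stops working.

# HTTP basic auth. The password file lives outside the web root and is
# created with:  htpasswd -c /etc/apache2/tracker.htpasswd admin
AuthType Basic
AuthName "Tracker admin"
AuthUserFile /etc/apache2/tracker.htpasswd

# Apache 2.4: both a valid password AND a whitelisted source IP are required.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require valid-user
        # Replace with addresses/ranges you actually control (constructed values).
        Require ip 203.0.113.10 198.51.100.0/24
    </RequireAll>
</IfModule>

# Apache 2.2 (current when this thread was written): same policy with the
# older directives. "Satisfy all" means password AND IP, not either.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    # Replace with addresses/ranges you actually control (constructed values).
    Allow from 203.0.113.10 198.51.100.0/24
    Require valid-user
    Satisfy all
</IfModule>
```

After adding it, confirm from a non-whitelisted address that the login page returns 403 and from a whitelisted one that it prompts for the password, and check the Apache error log for a misplaced AuthUserFile path (a wrong path silently locks everyone out).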
 
Yep prosper's about as secure as a fat kid at the public pool. Also they don't give a fuck cause they already cashed out and are ballin on bloosky money.
 
What was your last generated subid #? I don't want to know exactly, just a range. I just wanna know at what volume of clickthroughs this should be a cause for concern.
 
How do you correlate questions about getting hacked with load balancing?

I think p202 is a great tool. I'd like to use it for a while. By balancing the load, I'd minimize the risk of losing everything. And I was just curious as to how much volume the OP was sending.
 
yay for exposing the fact that our undeniably most used tracking platform is full of security flaws for 1000s of coders that are going to see this thread!
 
yay for exposing the fact that our undeniably most used tracking platform is full of security flaws for 1000s of coders that are going to see this thread!


Diversify or die.

Anyhow, I've reverse-engineered back to p202 URLs many times. I never fucked with the domains or anything like that, as I'd like to be the one spouting off stuff to be stolen and not be the stealer. Someone else out there for sure already knows this. I remember seeing someone's URL of "trckr2133" or something of the like. I never linked up how many URLs this person owned like this, but I'm sure he had big cash flow to run that many.
 
I think p202 is a great tool. I'd like to use it for a while. By balancing the load, I'd minimize the risk of losing everything. And I was just curious as to how much volume the OP was sending.

Just be careful with load balancing, I don't use 202 myself but unless you manage your data sync/replication properly you could end up with foreign key reference problems, effectively nuking the data integrity (in other words a subid is generated from one instance but uploaded to another instance.)
 
So if you don't use Prosper ... then what?

I like Prosper, but it's time-consuming to set up, is inaccurate because you can't have exact click costs, and now apparently insecure ... oh, and barely supported anymore.

Anybody want to make some recommendations other than just bashing Prosper?
 
Prosper202 is an insecure POS. There have been numerous discussions on the nickycakes IRC about how many security holes there are, and they've overwhelmingly been reported and left unfixed.

Definitely fall back on your own security: do what Compound said, use .htaccess passwords, whatever it takes if you want to use Prosper.

Edit: and that likely still won't solve all your problems, since IIRC the track click file has some big SQL injection problems which you need to be able to access to make Prosper work. Hire a programmer to go through and clean up all the SQL injection stuff, I can refer you to someone as necessary.


What are the holes you know about? Why not post them on the forum here and we'll fix them.
 
So if you don't use Prosper ... then what?

Roll your own

I like Prosper, but it's time-consuming to set up, is inaccurate because you can't have exact click costs, and now apparently insecure ... oh, and barely supported anymore.

Scratch my above suggestion: if you think setting up Prosper is time-consuming, you definitely don't want to roll your own tracker. But it's somewhat liberating if you do; any feature you want is available.
 
we need a gay affiliate stacker, open source it up. who's up for it? i'll buy you all a pitcher when you're done. if all of us pitch in, that'll be like a beer supply for all your affiliate life - which ends in 2012.