ATTENTION: Anyone Who Uses Prosper202 - Read this.

Status
Not open for further replies.


I also turned off Zend altogether. I didn't need it on my server taking up valuable Apache cycles/memory for each instance of Apache running. Zend was installed only for Prosper, and now it's not needed.

Code:
sudo nano /etc/php5/apache2/php.ini

Comment out the zend stuff near the bottom of php.ini

Code:
; php.ini comments start with ';' ('#' is deprecated since PHP 5.3)
;[ Zend ]
;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
;zend_optimizer.version=3.3.3
;zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
;zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so

Press control O then control X

Code:
sudo /etc/init.d/apache2 reload

Don't do this if you don't know your way around your server. These exact commands will work with Debian-esque based installs or Ubuntu. Red Hat stuff is slightly different (and crappier :p )
 
A better way to ban somebody (since not everybody will transmit their header information such as an IP, etc... rendering the above php script useless):

iptables -I INPUT -s 1.2.3.4 -j DROP

Of course you need access to your own box. I believe most people have a cpanel option with this though.

Why hit Ctrl-O, then Ctrl-X within NANO? Just hit Ctrl-X, and hit Y when prompted to save. ;)
 
Guys, double check your stats and admin panel. I checked the "Last 20 Logins" yesterday and found that two different IPs had managed to log in 8.5 hours AFTER I upgraded.

I just dumped the old database earlier today and have been going through the tedious process of rebuilding links, etc. and have seen an immediate increase in conversion rates. They are back up to where they were prior to the hacking. Looking back at our conversions, it appears that P202 was hacked on 10-26. This resulted in an immediate drop in conversion rates. They literally were cut in half. As I said before, since dumping the old database, conversion rates are back to normal.

I also have this morning's conversion rates to compare to now, and the difference is dramatic.

Again, take a hard look at your install, and consider starting fresh. The update didn't keep out a new intruder for me, and it didn't purge whatever problem there was with the old links, and it resulted in a loss of around $15 - 25k.

/edit/ In case anyone is thinking it: Yes, I did delete the old files per the instructions posted at Prosper202.com
 
Did you change your password?
They could have got your password prior to you upgrading.
Of course there are a lot of other ways to hack into servers.
Unfortunately it can be a constant battle.
Also, the update was a fresh install, your database stayed the same but all the files were updated.
The only thing I can think of is they got your pass before you upgraded.
 
I thought of that as well. So I changed the password and username for the login and changed the user and pass for the database.

It seemed like there was some sort of compromise with the links as I saw about a 50% drop in conversion rate until I did a completely new install - new database, new install of P202, different username / password.

The problem was not so much with someone getting in there and stealing the data - yeah that sucks - but it appears that they managed to muck with the links or do something that was shaving our conversions. How? No clue, but killing the old db and starting fresh fixed the problem.

So, if your conversions seem to be a bit off, think about dumping the old database.
 
If you have the old DB it might be worth digging through and figuring out where the traffic was going. Most likely another douche affiliate. If you can track his network you can prob pull some strings such as reverse his commissions or relocating them to you.
 
Yep, I plan on it. Just not looking forward to it. It's friggin' huge. :(
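
An added example, not part of the original thread: one way to triage a large old database dump for altered links, by streaming it line by line and flagging URLs whose host is unexpected or whose affiliate ID is not yours. The table names, sample rows, hosts and the `aff` parameter are constructed assumptions, not Prosper202's schema.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows in mysqldump style; table names are hypothetical.
SAMPLE_DUMP = """\
INSERT INTO `links` VALUES (1,'http://offers.example.com/lp?aff=1001&sub=a');
INSERT INTO `links` VALUES (2,'http://offers.example.com/lp?aff=1001&sub=b');
INSERT INTO `links` VALUES (3,'http://offers.example.com/lp?aff=7777&sub=c');
INSERT INTO `links` VALUES (4,'http://redir.example.net/go?u=http%3A%2F%2Foffers.example.com');
INSERT INTO `pages` VALUES (9,'https://www.example.org/landing');
"""

# A URL ends at whitespace, a quote, a backslash escape or a closing bracket.
URL_RE = re.compile(r"https?://[^\s'\"\\<>)]+", re.IGNORECASE)

def audit_links(lines, known_hosts, id_param=None, my_ids=()):
    """Scan an iterable of dump lines (an open file works, so a huge dump
    is never loaded whole). Returns (host_counts, findings); each finding
    is (line_no, reason, url)."""
    hosts = Counter()
    findings = []
    for line_no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            hosts[host] += 1
            if host not in known_hosts:
                # Destination you never configured: inspect first.
                findings.append((line_no, "unknown-host", url))
                continue
            if id_param:
                # Known host, but the tracking ID may have been swapped.
                ids = parse_qs(parts.query).get(id_param, [])
                if any(v not in my_ids for v in ids):
                    findings.append((line_no, "foreign-id", url))
    return hosts, findings

if __name__ == "__main__":
    hosts, findings = audit_links(
        SAMPLE_DUMP.splitlines(),
        known_hosts={"offers.example.com", "www.example.org"},
        id_param="aff", my_ids={"1001"},
    )
    for host, n in hosts.most_common():
        print(f"{n:6d}  {host}")
    for line_no, reason, url in findings:
        print(f"line {line_no}: {reason}: {url}")
```

For a real dump, pass `open(path, errors="replace")` as `lines` and build `known_hosts` from the offers and landing pages you actually set up.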
 
Guys, also check the overall security of your server.

I found a vulnerability in some script residing on my server, and was able to get root privileges.

So remove all unnecessary scripts from your server. Or check them for vulns.
 
That was informative. I haven't been around for a while and this "woke me up". Thanks for the link!

[quote=blackhorse;397825]I did a write up on my blog with some suggestions for securing your Prosper202 installation. It won't protect from exploits in the code, but will help safeguard your campaigns.

Check it out here:
Prosper202 Self-Hosted Apps: 10 Best Practices To Securing Your Prosper202 Installation | MasterlessSamurai.com

Comments / suggestions welcomed...[/quote]
 
Just found another intruder in the new installation. I'm dumping Prosper202 until it can be secured and penetration tested to the fullest. It's too expensive for me to continue using it.