    I run a website which is now getting enough traffic for me to worry about security. I know a pretty good bit about HTML and JavaScript but not enough to make my website "attractive" without a WYSIWYG editor, so I use FrontPage. With all of the new traffic I am getting I wondered if anyone would want to hack my site and, if so, how they would do it. Googled for FrontPage exploits and found some interesting holes. Most didn't work on my site, but there was one that did and it worries me a little.

    Exploit: www.victim.com/_private/service.pwd or /_vti_pvt/service.pwd

    Does anyone know of a way to plug this hole? I looked on Google but found nothing but the exploits themselves... not ways to fix them. I thought about deleting the file from the server (I am, by the way, on a shared server not owned by me, just so ya know) but I was afraid that I would not be able to publish, or even worse, wouldn't be able to access as admin to replace the file.

    Does anyone know what would happen if I moved the file to a less-known place? Wouldn't that be the same as deleting, since the path would be different? (I can't change the path for admin rights because it's not my server.)

    And what would happen if I just deleted it? Would I just not be able to publish, or would I not be able to access admin on the server?

    I sent an email to my WPP (web presence provider), but they said that they don't deal with security except on the server side, not for the web itself.

    Last but not least... When you type it in your browser you are prompted to download the file, and so I did. I opened the file in Notepad. It is encrypted, but I don't know how, and I would paste it here except I am afraid of it being in "user@victim.com /password" format. Not exactly info I want posted on this site. But if anyone knows what kind of encryption the FrontPage .pwd file is in and how much trouble it is to decrypt, I would like to know. If it is just too much trouble to decrypt I won't worry about it as much, but then it couldn't be that much trouble... this is Microsoft we're talking about.

    Note: I would use some other program such as Dreamweaver, but last time I checked it was like $900.00.

    Thanks in advance. (Especially you, roswell... so far you have answered every thread I have started, so thanks x5 to you.)
    dopey dwarf asked me how I make money on the web... here was my reply

    Lithium88 wrote on Today 08:05 AM:

    I'll tell you what... I won't tell you exactly what I do, but I'll give you some hints.

    All success in business is supply vs. demand.
    The hardest part is finding the supply. I don't any more, but I used to sell stuff on eBay. (I now have my own site to sell stuff.) I once found a surplus truck (yes, 18-wheeler) of water hoses that had been in the storage room of some lawn and garden place forever and they couldn't sell them. They were willing to take a loss on the product because they couldn't move it and they had to pay inventory tax on it every year.

    I ended up with 2500 water hoses for just under $4.00 apiece. A water hose at Wally World costs around $20.00. I had the supply now... just no demand.

    I had already sold a few personal items on eBay and bidz.com for way more than what they were worth... "but water hoses?" I asked myself. What the hell... I tried it. Average price I got for the water hoses... $12.00.

    You do the math.
    $12.00 money comin in (buyer pays shipping also)
    -$6.00 list item on ebay
    -$4.00 my cost for item
    =$2.00 profit/item

    Doesn't sound like much, huh? Oh wait, I forgot...

    $2.00 x 2500 items = $5,000. Looks good. Of course, with eBay it takes time to sell stuff. It didn't all happen in one day. But I promise, if you start here, eventually you will find someone willing to give you the same product over and over again for killer prices.

    Then you can start a website, and if you're lucky and smart you'll do good business with your customers (also known as building a customer base), and after a year or so you'll have enough repeat customers to keep the $'s coming.

    Note: When you find products for cheap, don't buy stuff that the market is already flooded with. Chances are someone can get a better deal than you can and you won't be able to move the product. Find something useful and needed but without too much competition on the web (if you're on the web). These are all just basic business practices, though. And don't forget, my website was a flop for the first year and a half. I worked my ass off doing iron work all over the country so that I could afford the cost of building the web. And only lately was I able to make enough money to quit my job and focus all of my energy on the site.

    It takes time, talent, and even a little luck.

    Good luck.

    And one more thing. On the web it's not just supply and demand. It's supply, demand, and convenience. You can have the best product in the world and everyone could want it... but if it is not easy for them to find your site, then you lose. No one wants to dig through 3,000,000,000 web sites to give away their hard-earned money. And in reality you can have the crappiest product and make tons of money if you know how to manipulate the search engines. But I feel it is always better to be honest than manipulative (with search engines in particular). I have seen many sites fly past me on AllTheWeb and Google only to get their sites banned for embedding words and keyword stuffing. Keep that in mind if you ever get that far.
    hi buddy

    service.pwd contains the list of users and encrypted passwords for the FrontPage-extended web.

    I think you should set up .htaccess permissions on the directory _vti_pvt

    just create a file .htaccess in the directory _vti_pvt


    put in this stuff

    # turn off every per-directory option (indexes, CGI, includes, ...)
    Options None

    # refuse every client; nothing under _vti_pvt should be served over HTTP
    order deny,allow
    deny from all


    It uses standard DES encryption, so any DES/Unix password cracker can do the job, so beware.

    try John the Ripper

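    The following is an added example for this thread, not code posted by any participant. It answers the "how much trouble is it to decrypt" question from the shape of the file: it parses a service.pwd, names the hash scheme of each entry, flags the traditional DES crypt ones (13 characters, 2-character salt, only the first 8 characters of the password count) that a DES/Unix cracker chews through quickly, and gives a probe for the two well-known paths. Assumptions not confirmed by the thread: the file is htpasswd-style, one "user:hash" per line, optionally headed by a "# -FrontPage-" comment line; the sample contents are constructed and the hash strings are not hashes of any real password.

```python
"""Inspect a leaked FrontPage service.pwd and judge how much trouble cracking it is.

Added example for this thread, not code posted by any participant. Assumed
(not confirmed by the thread): the file is htpasswd-style, one "user:hash"
per line, optionally headed by a "# -FrontPage-" comment line. The sample
below is constructed; its hash strings are shaped like real ones but are
not hashes of any actual password.
"""
import string
import urllib.error
import urllib.request

# The two well-known locations named in the thread.
KNOWN_PATHS = ("/_vti_pvt/service.pwd", "/_private/service.pwd")

# Output alphabet of traditional crypt(3): "." "/" digits and letters.
CRYPT_ALPHABET = set("./" + string.digits + string.ascii_letters)

# Constructed sample of what a downloaded service.pwd might contain.
SAMPLE_SERVICE_PWD = """\
# -FrontPage-
webmaster:abJnggxhB/yWI
editor:$apr1$zY4tq8Ls$4kq9u1Rv2wX5yZ7aB9cD1e
"""


def classify_hash(h):
    """Name the password-hash scheme from the shape of the string.

    Traditional DES crypt is exactly 13 characters from the crypt alphabet:
    a 2-character salt (only 4096 possibilities) plus 11 characters of hash.
    It also uses only the first 8 characters of the password, which is why
    a DES/Unix cracker such as John the Ripper gets through it quickly.
    """
    if len(h) == 13 and set(h) <= CRYPT_ALPHABET:
        return "descrypt"
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1-base64"
    return "unknown"


def parse_service_pwd(text):
    """Return (user, hash, scheme) for each credential line, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep:
            continue  # not a user:hash line
        entries.append((user, h, classify_hash(h)))
    return entries


def assess(text):
    """Summarise what an attacker who fetched the file has gained."""
    entries = parse_service_pwd(text)
    return {
        "is_frontpage": text.lstrip().startswith("# -FrontPage-"),
        "users": [u for u, _, _ in entries],
        # DES crypt is the cheap one to brute-force; the others are slower.
        "fast_to_crack": [u for u, _, s in entries if s == "descrypt"],
    }


def exposed_urls(base_url):
    """URLs an attacker (or you, checking your own site) would request."""
    return tuple(base_url.rstrip("/") + p for p in KNOWN_PATHS)


def probe(base_url, timeout=5):
    """HEAD each well-known path; a 200 means the file is downloadable.

    Needs network access: run it against your own site only.
    """
    results = {}
    for url in exposed_urls(base_url):
        req = urllib.request.Request(url, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[url] = resp.status
        except urllib.error.HTTPError as e:
            results[url] = e.code
        except urllib.error.URLError:
            results[url] = None  # could not connect
    return results


if __name__ == "__main__":
    report = assess(SAMPLE_SERVICE_PWD)
    print("FrontPage header present:", report["is_frontpage"])
    for user, h, scheme in parse_service_pwd(SAMPLE_SERVICE_PWD):
        print(f"{user}: {scheme} ({h})")
    print("fast to crack with a DES cracker:", report["fast_to_crack"])
```

    Run as-is it reports on the constructed sample. To check your own site, call probe("https://www.example.com") with your host in place of that hypothetical URL: a 200 for either path means the file can still be downloaded, a 403 means the deny rule is doing its job.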
    Thanks. I'll look into that.
    Are you running on IIS or Apache? If you are running this on IIS, then you can set an IP- or authentication-based restriction on that specific directory. If this is Apache, then the above advice for .htaccess is fairly good. I would suggest trying to run a tool like IIS Lockdown to harden your box a little bit, or just simply deleting the .pwd file as a test (back up your site and try deleting all the FrontPage extensions if you don't need them). But since this is a shared box, you may not be able to try this. I'm not a big IIS admin (I have a few little sites in my care, mostly Apache though), but that's what I would try.

