Porn site billing processor CCBill has somehow managed to leak the server passwords of well over a thousand of its clients, whose systems have since been infected by IRC bots listening on port 9872 for whatever commands their owner wishes to issue.

The immediate, superficial concern is that someone is planning a significant DDoS attack with the compromised machines. In this matter CCBill has been forthcoming, issuing a warning to its clients that they need to change their passwords and look for the bot and remove it.

The far more serious question is how some IRC denizen came to possess the admin logins and passwords for servers belonging to so many CCBill clients, and here CCBill has been quite reluctant to talk.

Obviously, this sort of access to Web sites would put the private details and credit card data of millions of porn lovers into the hands of a potentially malicious third party.

I wanted to discuss this particular aspect of the story with CCBill, but was kept on hold for about five minutes and eventually told that I'd have to talk to general manager Tom Fisher, who, conveniently, was in a meeting.

I said Fisher could ring me when his meeting was finished. But then, incredibly, I was told, "No, you have to fax us your questions, and we'll reply with a faxed statement. That's what we're doing with the press."

I was in no mood for this cowardly runaround. "I don't have a fax machine," I replied.

"Well you have access to one, don't you?" the flack replied coyly.

"I don't have time for this bulls**t," I said. Just tell him to ring me when his meeting's over."

"Look," the flack told me abruptly, "I'm telling you what you have to do."

And at that point I quite simply lost it and screamed, "and I'm telling you that if you pull this bulls**t with me, I'll print it!"

And then I hung up.

I never heard back; and unfortunately for CCBill, I believe in keeping my word.

The hack was first reported on the SecurityFocus Incidents mailing list by Dayne Jordan, co-owner of Ohio ISP CompleteWeb, on Wednesday. Jordan found six compromised machines on his own server farm alone.

He did a bit more investigating and found a vast number of the bots running in an IRC channel.

"The common tie between all these compromised accounts is that they are all CCBill customers," Jordan says.

"It appears whoever has obtained the CCBILL list of usernames /passwords systematically SSH's into the customers' servers, installs the IRC Eggdrop bot, and leaves."

It's this business of gliding effortlessly into the sites that has us concerned. There is no question that a major compromise of data has occurred -- so you porno fans out there had better keep a close eye on your credit card statements for the next few months. ®

Story Update

CCBill knew of credit database breach in March