Hey Guys,

I remember a post a few weeks ago asking what we thought about shell accounts. I said that usually shell accounts = fraud. I have had 3 signups for shell accounts in the last 2 days and all 3 = CC fraud. I caught them ALL before it happened but still it proves my point. We usually have 1:300 or so with or web hosting clients.


James R. Clark II
Nethosters Inc.
http://www.nethosters.com

1 out of 300 accounts is a shell account?

What is a shell account? Is any account with telnet access a shell account?

All you need to watch out for are people who want just a shell (telnet account) and nothing else.

James R. Clark II
Nethosters Inc.

jic,

Same here. Our hosting package has more legitimate orders than our shell package. Some of them really don't try hard enough to cover themselves up.

Although I'm not saying customers who are shell only are bad customers, or that there are only a few of them. There are thousands and thousands of legitimate users who want/need shells. :)

Hi

true most of them are "bad" customers...(not all of them :) )

ask them for a copy of their u.s.drivers license and passport and tell them to make sure it matches the name on the credit card and domain on the account, though not that effective but it makes it harder for ppl. and discourages some of them.



elijaH

Ok, I understand, shell account = telnet account.

What can one do with such an account?

One thing I guess is run an IRC Bot.

What else?

what else

Hack into your server

We stopped serving shell account as of last week, but we would typically get 80-90% of orders that were fraudulant (we found them of course).

A word of advice from someone who was in that industry for 4 years, dont bother, it's more bother than its worth.

Regards,

Tony Lucas

Tony,

I disagree. We have been in business for nine going on ten years now and we have been offering shell accounts all along. We now offer newer services like web hosting, but it is the shell accounts which keep the business running.

The problem with the shell industry is that someone with a cable modem can get into it. And those are the people that get tricked when they receive 15 orders one day.

Also, shell accounts are quite valuable. Many of the new control panels are tricking users into thinking that they don't need shell accounts, but they are quite valuable. Want to learn how to program C, yet don't want to buy a compiler? Get a unix shell account. Want to debug perl scripts but not install the Windows version of perl on your machine? Get a unix shell account. Want to run a bot? Unix shell account. The list goes on.

And personally, I find it MUCH easier to edit webpages with a tool like pico or vi than downloading the page, editing it in notepad, saving it, uploading it, and then testing it, seeing it doesn't work, and repeating.

Finally, shell's are great for e-mail. I don't download my e-mail to my computer, I just have a window open 24x7 running pine on the server. It's so much easier, because then when I am at a remote location, I don't have to worry about e-mail that I am downloading not being saved on my home computer, or messages that I am sending not appearing on my home computer.

Just to clear up confusion, I was only referring to shells for irc processes etc, DoS is too much of a problem these days, For all the other uses, I couldnt agree more.

Regards,

Tony Lucas

What's a usual fee for a shell account? 10 to 20$ /year ?

Oh Vince! I've just been over to your site to see how much you charge for such a shell thingy. Over 100$ :(

I thought for that much money one would get some standard hosting package including telnet access.

[Edited by astra4 on 02-19-2001 at 04:04 PM]

So for the folks who do continue to sell only shell accounts (by this I mean, shell accounts without web hosting), do you place all of your shell accounts on the same server?

I would think that this would be a safe way to ensure that some script kiddie doesn't get on one of your shared web servers and bring things down.

Of course, I suppose waiting for the Credit Card charges to clear would probably eliminate 75% of the script kiddies from even getting on your system.

Brian

Originally posted by astra4
Oh Vince! I've just been over to your site to see how much you charge for such a shell thingy. Over 100$ :(

I thought for that much money one would get some standard hosting package including telnet access.

Astra4, that package DOES come with more than a shell. You'll find that with most "shell-only" companies. It's more than just shell-only, it's also web and e-mail. It's just that our package, known as the ProShell account, isn't based on web hosting as much. Sure, someone could use it for web hosting, and people do, but we have other accounts which have more features aimed towards web hosting which web hosting customers would want.

bteeter,

We run several checks on those who order with us before setting them up. After checking if the AVS matches, we call the user on the phone to confirm the order. This is the same phone number which matches the credit card. Sometimes people wonder what the hell we are talking about. You know it's a fake order if you get that. Finally, as the last standard, we send the password via snail-mail, as long as the AVS matches. So we are almost positive that whoever's credit card ordered that account is getting the access to the account. And if someone ordered the account for someone else (without that person's conscent), they would have said so when we called them. It's not completely failsafe, but it certainly cuts down fake orders considerably.

Finally, we, and other shell providers, run pretty reliable hardware. It is not an easy task for a user, even if they are malicious, to bring down the server. If someone wanted to bring down a server, they could probably just as easily cause the same damage to it WITHOUT having access to it.

[Edited by Vincent Paglione on 02-19-2001 at 04:15 PM]

...Of course, I suppose waiting for the Credit Card charges to clear would probably eliminate 75% of the script kiddies from even getting on your system...

Yes that is correct, we tell them to wait at least 4 weeks for everything to clear the credit card payment, u.s drivers lic. check, passport check and a verifiable home address.

Of course most of them, complains about it , so we just tell them that if you dont like our policy, then go to http://www.tophosts.com :D

elijaH

Actually,

I dont really care if they want to try to hack into my server. I pay people who actually write the exploits to try to hack into my server + I find out the exploits before they actually hit BugTraq + Securityfocus which is really nice :). I just don't like people trying to get a shell account for free. Generally the people who card the accounts use it for a number of things.

1) IRCD (IRC dameon) - to check for just run "ps -aux | grep irc" w/o quotes
2) Bounce (hides IP on IRC)
3) port scanning while checking what O/S and checking for possible exploits. - This REALLY sucks if someone does this. This means they are trying to root other servers through your stuff.



Just a word of advice for everyone who is worried about being hacked. Run tripwire and do incremental backups of your logs on a system inside a firewall so the hacker cant get at it from the outside.

James R. Clark II
Nethosters Inc.
http://www.nethosters.com