What happened last night?

Zollner:
Glad to see site back up and running.
Last night the site started acting erratic, then went down for the night. Couldn't get back on.

Kept getting this message: This site can’t be reached www.eccie.net’s server IP address could not be found.

Anyone know what happened?
Souper:
Shady Admins won't tell anyone what happened. I warned people on my other account (dotwannagotojail) and they banned me -- even though I saved them from a massive breach.

Basically, Eccie Administration, for some unknown reason, enabled Apache Server-status via /etc/httpd/conf/httpd.conf; server-status is typically never public facing or accessible by external IP addresses, but Eccie enabled it. Server-status logs and parses every request sent to and from the server. With the myriad of SSL misconfigurations, it's not difficult to leverage server-status.

After I reported the misconfigurations, I was banned. Because whores are staff -- another puzzling decision. Webair/Eccie administration began logging and parsing Server-status just as an attacker would. I suspect they realized they're complete and utter morons so they shut down shop and modified Server-status, which is still active at http://eccie.net/server-status. This time, they created a whitelist -- which is still flawed. And the fun goes on.
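As an added example (not code from the thread or from the site's operators), here is a small Python linter for the misconfiguration described in the post above: it reads an Apache httpd.conf, finds every <Location> that hands requests to mod_status, and flags one that is reachable from any client address or that has ExtendedStatus on, which is the setting that puts each in-flight request's URL and query string on the status page. The two sample configs, the function names and the wording of the findings are my own constructions.

```python
"""Lint an Apache httpd.conf for an exposed mod_status handler.

Added example, not code from the thread. It flags a <Location> that sets
`SetHandler server-status` and is open to all client addresses, and
ExtendedStatus left on (per-request URLs and query strings on the page).
"""
import re

FLAGS = re.IGNORECASE | re.MULTILINE

# Constructed sample configs. WEAK_CONF reflects the situation the thread
# describes (status page open to everyone); HARDENED_CONF is a corrected form.
WEAK_CONF = """\
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
"""

HARDENED_CONF = """\
LoadModule status_module modules/mod_status.so
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/8
</Location>
"""

# Matches a <Location ...> ... </Location> section and captures path and body.
LOCATION_RE = re.compile(
    r'<Location\s+"?([^"\s>]+)"?\s*>(.*?)</Location>',
    re.IGNORECASE | re.DOTALL,
)


def extended_status_on(conf):
    """Return True if ExtendedStatus is (explicitly or by default) On.

    Since httpd 2.3.6 the directive defaults to On whenever mod_status is
    loaded, so an absent directive is treated as On here (conservative).
    """
    value = "on"
    for m in re.finditer(r"^\s*ExtendedStatus\s+(\w+)", conf, FLAGS):
        value = m.group(1).lower()  # last occurrence wins, as in httpd
    return value == "on"


def status_locations(conf):
    """Return [(path, body)] for each <Location> block that enables mod_status."""
    found = []
    for m in LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        if re.search(r"^\s*SetHandler\s+server-status\b", body, FLAGS):
            found.append((path, body))
    return found


def lint(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ext_on = extended_status_on(conf)
    for path, body in status_locations(conf):
        # 2.4 `Require all granted` or 2.2 `Allow from all` opens the page to everyone.
        open_to_all = (re.search(r"^\s*Require\s+all\s+granted\b", body, FLAGS)
                       or re.search(r"^\s*Allow\s+from\s+all\b", body, FLAGS))
        # An address allow-list: `Require local` / `Require ip` (2.4) or `Allow from` (2.2).
        restricted = (re.search(r"^\s*Require\s+(local|ip)\b", body, FLAGS)
                      or re.search(r"^\s*Allow\s+from\b", body, FLAGS))
        if open_to_all:
            findings.append(f"{path}: status handler reachable from any client address")
        elif not restricted:
            findings.append(f"{path}: no address restriction on status handler")
        if ext_on:
            findings.append(
                f"{path}: ExtendedStatus On exposes each in-flight request's URL and query string")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "ok")
```

One caveat that bears on the "whitelist" mentioned above: `Require ip` and `Require local` are evaluated against the address httpd sees on the connection. Behind a load balancer, reverse proxy or CDN every request arrives from the proxy's address, so an IP allow-list on the status handler only works if mod_remoteip is configured to recover the real client address (RemoteIPHeader plus a trusted proxy list) or the restriction is enforced at the proxy itself.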
The_Waco_Kid:
[QUOTE=Souper]
Shady Admins won't tell anyone what happened. I warned people on my other account (dotwannagotojail) and they banned me -- even though I saved them from a massive breach.

Basically, Eccie Administration, for some unknown reason, enabled Apache Server-status via /etc/httpd/conf/httpd.conf; server-status is typically never public facing or accessible by external IP addresses, but Eccie enabled it. Server-status logs and parses every request sent to and from the server. With the myriad of SSL misconfigurations, it's not difficult to leverage server-status.

After I reported the misconfigurations, I was banned. Because whores are staff -- another puzzling decision. Webair/Eccie administration began logging and parsing Server-status just as an attacker would. I suspect they realized they're complete and utter morons so they shut down shop and modified Server-status, which is still active at http://eccie.net/server-status. This time, they created a whitelist -- which is still flawed. And the fun goes on.
[/QUOTE]
you do know that multiple handles are not allowed yeah? the account you are posting with now shows 2010 as the creation date. you've been on the site for 8 years and don't know this?

you should be lucky they didn't ban all your handles.

now for secure socket layer (SSL) and httpd.conf file edits, who made them? eccie admins or the hosting site webair? the site was not responding for a while. was that the reason? did they eventually have to reboot? given the uptime displayed, yes. but it could have been a dozen things. the linux server could have become cpu bound or memory bound, meaning it had to page out to paging space. either usually requires a reboot, one of the few times a unix server must be rebooted.

either or both of those conditions also affects access. in the old days it was telnet, now it's ssh connections that won't respond. or http web pages. how do you know for certain that the server didn't have a runaway process that caused it to become unresponsive, paging out all the memory and even via a console admin ILO connection wasn't available? even if it was, if you could get root you'd likely get a "fork failure not enough memory" to do a kill -9 on a process or issue shutdown or reboot. then you just reset the server via the console.

now is there an exploit for apache server status? yeah, there is an exploit for everything. is this a high level issue? probably not.

"As a penetration tester, I believe that without an actual PoC, the attack would be theoretical, simple as that. PoC || GO is the rule of the game."


http://blog.mazinahmed.net/2017/01/e...instances.html


last, the ip address listed in apache server status is actually webair, yeah? you do know that, right? so .. where is the real exploit?


https://dig.whois.com.au/whois/173.239.50.101



# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois...ing/index.html
#

NetRange:       173.239.0.0 - 173.239.59.255
CIDR:           173.239.32.0/20, 173.239.0.0/19, 173.239.56.0/22, 173.239.48.0/21
NetName:        WEBAIRINTERNET8
NetHandle:      NET-173-239-0-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS27257
Organization:   Webair Internet Development Company Inc. (WAIR)
RegDate:        2010-03-30
Updated:        2017-02-14
Comment:        rwhois://rwhois.webair.com:4321
Ref:            https://whois.arin.net/rest/net/NET-173-239-0-0-1

OrgName:        Webair Internet Development Company Inc.
OrgId:          WAIR
Address:        501 Franklin Avenue
Address:        Suite 200
City:           Garden City
StateProv:      NY
PostalCode:     11530
Country:        US
RegDate:        2001-03-12
Updated:        2017-05-03
Comment:        Reassignment information for this block is available at rwhois.webair.com port 4321
Ref:            https://whois.arin.net/rest/org/WAIR

ReferralServer: rwhois://rwhois.webair.com:4321

OrgAbuseHandle: ABUSE2550-ARIN
OrgAbuseName:   Abusehandle
OrgAbusePhone:  +1-516-938-4100
OrgAbuseEmail:  abuse@webair.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE2550-ARIN

OrgTechHandle:  ZW64-ARIN
OrgTechName:    IPAdmin-Webair
OrgTechPhone:   +1-516-938-4100
OrgTechEmail:   sagi.brody@webair.com
OrgTechRef:     https://whois.arin.net/rest/poc/ZW64-ARIN

OrgNOCHandle:   ZW64-ARIN
OrgNOCName:     IPAdmin-Webair
OrgNOCPhone:    +1-516-938-4100
OrgNOCEmail:    sagi.brody@webair.com
OrgNOCRef:      https://whois.arin.net/rest/poc/ZW64-ARIN

RTechHandle:    ZW64-ARIN
RTechName:      IPAdmin-Webair
RTechPhone:     +1-516-938-4100
RTechEmail:     sagi.brody@webair.com
RTechRef:       https://whois.arin.net/rest/poc/ZW64-ARIN

RAbuseHandle:   WEBAI1-ARIN
RAbuseName:     Webair
RAbusePhone:    +1-516-938-4100
RAbuseEmail:    abuse@webair.com
RAbuseRef:      https://whois.arin.net/rest/poc/WEBAI1-ARIN

RNOCHandle:     ZW64-ARIN
RNOCName:       IPAdmin-Webair
RNOCPhone:      +1-516-938-4100
RNOCEmail:      sagi.brody@webair.com
RNOCRef:        https://whois.arin.net/rest/poc/ZW64-ARIN

so what does displaying the hosting site really get you?


so where is this super dangerous exploit you speak of?

and how do you know for certain that's why the site was unresponsive last night?

and about that other handle? it appears you've only had a "soft" ban, at least so far. a banned member does not show up in member search. that handle doesn't.

https://www.eccie.net/memberlist.php?do=getall

Sorry - no matches. Please try some different terms.

strike one.

in this thread you posted as dotwannagotojail

https://www.eccie.net/showpost.php?p...0&postcount=96

banned members can't receive pm's. this handle can't.

strike two.

the only thing missing is BANNED under your handle.

strike three.
Attached image: Capture.JPG (38.1 KB)
Souper:
[QUOTE=The_Waco_Kid]
now is there an exploit for apache server status? yeah, there is an exploit for everything. is this a high level issue? probably not.
[/QUOTE]


Are you kidding? Every request to and from the server can be logged. Add the fact that SSL is misconfigured -- that's a recipe for disaster. I'm having a hard time understanding anything you're saying. Think you're spewing buzzwords. Want POC? I can show you POC. Contact me on discord (Yes Indeed#3470).
The_Waco_Kid:
[QUOTE=Souper;1060736299]
Are you kidding? Every request to and from the server can be logged. Add the fact that SSL is misconfigured -- that's a recipe for disaster.
[/QUOTE]
no i'm not kidding, prove it. i've been waiting for your reply. i found one "theoretical" exploit and dozens of articles on how to turn on this very feature. so if it's such an exploit, why are there so many tech articles on how to turn it on?

do you deny that the apache logging you speak of only points back to the hosting site? which is easily known to begin with?

show me the exploit you are talking about.


and while you are at it, show me that this is why the site was unavailable for about 8 hours? it could have been a dozen other reasons.

oh and one more thing. let's discuss why you really got your other handle banned? could it be this post where you offered to provide real world info?

"I'm sure some girls have his emails and phone numbers; for a little bit of pocket change I'll hand over an accurate and CURRENT address, name, phone number, and anything else you can imagine"


https://www.eccie.net/showpost.php?p...0&postcount=96


you claim this is your "other handle", that in itself is a banning offense, outing rw info is a whole 'nother level.
Souper:
[QUOTE=The_Waco_Kid;1060736321]
no i'm not kidding, prove it. i've been waiting for your reply. i found one "theoretical" exploit and dozens of articles on how to turn on this very feature. so if it's such an exploit, why are there so many tech articles on how to turn it on?

do you deny that the apache logging you speak of only points back to the hosting site? which is easily known to begin with?

show me the exploit you are talking about.

and while you are at it, show me that this is why the site was unavailable for about 8 hours? it could have been a dozen other reasons.

oh and one more thing. let's discuss why you really got your other handle banned? could it be this post where you offered to provide real world info?

"I'm sure some girls have his emails and phone numbers; for a little bit of pocket change I'll hand over an accurate and CURRENT address, name, phone number, and anything else you can imagine"

https://www.eccie.net/showpost.php?p...0&postcount=96

you claim this is your "other handle", that in itself is a banning offense, outing rw info is a whole 'nother level.
[/QUOTE]
You're 100% wrong. Yes, the Apache log wasn't exclusive to internal IPs and SEO crawlers until the website went down. Coincidence? I left my contact info in the post. I'll gladly provide POC off the public forum.
The_Waco_Kid:
[QUOTE=Souper;1060736401]
You're 100% wrong. Yes, the Apache log wasn't exclusive to internal IPs and SEO crawlers until the website went down. Coincidence? I left my contact info in the post. I'll gladly provide POC off the public forum.
[/QUOTE]

no proof? you are wrong. i know what you are by how you replied. you are a web admin/web programmer. i'm a unix sys admin. i've met dozens of your type who think you know the operating system. if i knew any who really did and gave me a $100 i'd be rich.

well, i am sorta rich but i'm always interested in more money to invest.


but you can't prove one word of what you claim. your log example by your own admission proves i'm right. there is nothing in that which is exploitable other than back to the hosting site itself.

you could simply run a denial of service attack on eccie.net and have better results. nice try but you can't prove what you claim, certainly not from some apache service log. and you know it.
Souper:
[QUOTE=The_Waco_Kid;1060736444]
no proof? you are wrong. i know what you are by how you replied. you are a web admin/web programmer. i'm a unix sys admin. i've met dozens of your type who think you know the operating system. if i knew any who really did and gave me a $100 i'd be rich.

well, i am sorta rich but i'm always interested in more money to invest.

but you can't prove one word of what you claim. your log example by your own admission proves i'm right. there is nothing in that which is exploitable other than back to the hosting site itself.

you could simply run a denial of service attack on eccie.net and have better results. nice try but you can't prove what you claim, certainly not from some apache service log. and you know it.
[/QUOTE]

Ya. Now I know you're clueless. Until last night EVERY request was being logged in server-status. And like I said, SSL misconfiguration made it worse. Session hashes, plaintext passwords, password reset links, they were all visible.
The_Waco_Kid:
[QUOTE=Souper;1060736515]
Ya. Now I know you're clueless. Until last night EVERY request was being logged in server-status. And like I said, SSL misconfiguration made it worse. Session hashes, plaintext passwords, password reset links, they were all visible.
[/QUOTE]
prove it. some Apache log doesn't show it. where is the screen cap of it?

better still .. PM me my password. i tried several times to login during the outage, and right before the outage. i was logged in when the outage happened. it should be captured, right?

so PM me my own password.

you are what i said you are. a web programmer who thinks he knows the linux os. but doesn't.
Souper:
[QUOTE=The_Waco_Kid;1060736627]
prove it. some Apache log doesn't show it. where is the screen cap of it?

better still .. PM me my password. i tried several times to login during the outage, and right before the outage. i was logged in when the outage happened. it should be captured, right?

so PM me my own password.

you are what i said you are. a web programmer who thinks he knows the linux os. but doesn't.
[/QUOTE]
I have over a million requests logged; in fact, this isn't even my account

PM sent
The_Waco_Kid:
[QUOTE=Souper;1060736645]
I have over a million requests logged; in fact, this isn't even my account

PM sent
[/QUOTE]

i got your pm. i replied. red herring. good night.
Looks like I was right
Zollner:
Well much info posted about why this happened that is beyond me.
Does this mean attacks like this, shutting the site down, can continue, or can this vulnerability be patched?