Shady Admins wont tell anyone what happened. I warned people on my other account (dotwannagotojail) and they banned me -- even though I saved them from massive breach.
Basicly, Eccie Administration, for some unknown reason, enabled Apache Server-status via /etc/httpd/conf/httpd.conf; server-status is typically never public facing or accessible by external IP addresses, but Eccie enabled it. Server-status logs and parses every request sent to and from the server. With the myriad of SSL misconfiguration, it's not difficult to leverage server-status.
After I reported the misconfigurations, I was banned. Because whores are staff -- another puzzling decision. Webair/Eccie administation began logging and parsing Server-status just as an attacker would. I suspect they realized they're complete and utter morons so they shut down shop and modified Server-status, which is still active http://eccie.net/server-status. This time, they created a whitelist -- which is still flawed. And the fun goes on
Originally Posted by Souper
you do know that multiple handles are not allowed yeah? the account you are posting with now shows 2010 as the creation date. you've been on the site for 8 years and don't know this?
you should be lucky they didn't ban all your handles.
now for secure socket layer (SSL) and http.conf file edits, who made them? eccie admin's or the hosting site webair? the site was not responding for awhile. was that the reason? did they eventually have to reboot? given the uptime displayed, yes. but it could have been a dozen things. the linux server could have become cpu bound or memory bound, meaning it had to page out to paging space. either usually requires a reboot, one of the few times a unix server must be rebooted.
either or both of those conditions also affects access. in the old days it was telnet, now it's ssh connections that won't respond. or http web pages. how do you know for certain that the server didn't have a runaway process that caused it to become unresponsive, paging out all the memory and even via a console admin ILO connection wasn't available? even if it was, if you could get root you'd likely get a "fork failure not enough memory" to do a kill -9 on a process or issue shutdown or reboot. then you just reset the server via the console.
now is there an exploit for apache server status? yeah, there is an exploit for everything. is this a high level issue? probably not.
"As a penetration tester, I believe that without an actual PoC, the attack would be theoretical, simple as that. PoC || GO is the rule of the game."
http://blog.mazinahmed.net/2017/01/e...instances.html
last, the ip address listed in apache server status is actually webair, yeah? you do know that, right? so .. where is the real exploit?
https://dig.whois.com.au/whois/173.239.50.101
Tools:
Raw WHOIS Data
# # ARIN WHOIS data and services are subject to the Terms of Use # available at:
https://www.arin.net/whois_tou.html # # If you see inaccuracies in the results, please report at #
https://www.arin.net/resources/whois...ing/index.html # NetRange: 173.239.0.0 - 173.239.59.255 CIDR: 173.239.32.0/20, 173.239.0.0/19, 173.239.56.0/22, 173.239.48.0/21 NetName: WEBAIRINTERNET8 NetHandle: NET-173-239-0-0-1 Parent: NET173 (NET-173-0-0-0-0) NetType: Direct Allocation OriginAS: AS27257 Organization: Webair Internet Development Company Inc. (WAIR) RegDate: 2010-03-30 Updated: 2017-02-14 Comment: rwhois://rwhois.webair.com:4321 Ref:
https://whois.arin.net/rest/net/NET-173-239-0-0-1 OrgName: Webair Internet Development Company Inc. OrgId: WAIR Address: 501 Franklin Avenue Address: Suite 200 City: Garden City StateProv: NY PostalCode: 11530 Country: US RegDate: 2001-03-12 Updated: 2017-05-03 Comment: Reassignment information for this block is available at rwhois.webair.com port 4321 Ref:
https://whois.arin.net/rest/org/WAIR ReferralServer: rwhois://rwhois.webair.com:4321 OrgAbuseHandle: ABUSE2550-ARIN OrgAbuseName: Abusehandle OrgAbusePhone: +1-516-938-4100 OrgAbuseEmail:
abuse@webair.com OrgAbuseRef:
https://whois.arin.net/rest/poc/ABUSE2550-ARIN OrgTechHandle: ZW64-ARIN OrgTechName: IPAdmin-Webair OrgTechPhone: +1-516-938-4100 OrgTechEmail:
sagi.brody@webair.com OrgTechRef:
https://whois.arin.net/rest/poc/ZW64-ARIN OrgNOCHandle: ZW64-ARIN OrgNOCName: IPAdmin-Webair OrgNOCPhone: +1-516-938-4100 OrgNOCEmail:
sagi.brody@webair.com OrgNOCRef:
https://whois.arin.net/rest/poc/ZW64-ARIN RTechHandle: ZW64-ARIN RTechName: IPAdmin-Webair RTechPhone: +1-516-938-4100 RTechEmail:
sagi.brody@webair.com RTechRef:
https://whois.arin.net/rest/poc/ZW64-ARIN RAbuseHandle: WEBAI1-ARIN RAbuseName: Webair RAbusePhone: +1-516-938-4100 RAbuseEmail:
abuse@webair.com RAbuseRef:
https://whois.arin.net/rest/poc/WEBAI1-ARIN RNOCHandle: ZW64-ARIN RNOCName: IPAdmin-Webair RNOCPhone: +1-516-938-4100 RNOCEmail:
sagi.brody@webair.com RNOCRef:
https://whois.arin.net/rest/poc/ZW64-ARIN # # ARIN WHOIS data and services are subject to the Terms of Use # available at:
https://www.arin.net/whois_tou.html # # If you see inaccuracies in the results, please report at #
https://www.arin.net/resources/whois...ing/index.html # so what does displaying the hosting site really get you?
# available at
https://www.arin.net/whois_tou.html NetRange 173.239.0.0 - 173.239.59.255 CIDR 173.239.32.0/20, 173.239.0.0/19, 173.239.56.0/22, 173.239.48.0/21 NetName WEBAIRINTERNET8 NetHandle NET-173-239-0-0-1 Parent NET173 (NET-173-0-0-0-0) NetType Direct Allocation OriginAS AS27257 Organization Webair Internet Development Company Inc. (WAIR) RegDate 2001-03-12 Updated 2017-05-03 Comment Reassignment information for this block is available at rwhois.webair.com port 4321 Ref
https://whois.arin.net/rest/org/WAIR OrgName Webair Internet Development Company Inc. OrgId WAIR Address Suite 200 City Garden City StateProv NY PostalCode 11530 Country US ReferralServer rwhois://rwhois.webair.com:4321 OrgAbuseHandle ABUSE2550-ARIN OrgAbuseName Abusehandle OrgAbusePhone +1-516-938-4100 OrgAbuseEmail
abuse@webair.com OrgAbuseRef
https://whois.arin.net/rest/poc/ABUSE2550-ARIN OrgTechHandle ZW64-ARIN OrgTechName IPAdmin-Webair OrgTechPhone +1-516-938-4100 OrgTechEmail
sagi.brody@webair.com OrgTechRef
https://whois.arin.net/rest/poc/ZW64-ARIN OrgNOCHandle ZW64-ARIN OrgNOCName IPAdmin-Webair OrgNOCPhone +1-516-938-4100 OrgNOCEmail
sagi.brody@webair.com OrgNOCRef
https://whois.arin.net/rest/poc/ZW64-ARIN RTechHandle ZW64-ARIN RTechName IPAdmin-Webair RTechPhone +1-516-938-4100 RTechEmail
sagi.brody@webair.com RTechRef
https://whois.arin.net/rest/poc/ZW64-ARIN RAbuseHandle WEBAI1-ARIN RAbuseName Webair RAbusePhone +1-516-938-4100 RAbuseEmail
abuse@webair.com RAbuseRef
https://whois.arin.net/rest/poc/WEBAI1-ARIN RNOCHandle ZW64-ARIN RNOCName IPAdmin-Webair RNOCPhone +1-516-938-4100 RNOCEmail
sagi.brody@webair.com RNOCRef
https://whois.arin.net/rest/poc/ZW64-ARIN
so where is this super dangerous exploit you speak of?
and how do you know for certain that's why the site was unresponsive last night?
and about that other handle? it appears you've only had a "soft" ban, at least so far. a banned member does not show up in member search. that handle doesn't.
https://www.eccie.net/memberlist.php?do=getall
Sorry - no matches. Please try some different terms.
strike one.
in this thread you posted as
dotwannagotojail
https://www.eccie.net/showpost.php?p...0&postcount=96
banned members can't receive pm's. this handle can't.
strike two.
the only thing missing is BANNED under your handle.strike three.