Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 12-26-2007, 07:59 PM   #1
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
TMM and TMM / NATS clients Please explain this and SHOW me I'm wrong!!!!

Ok below is a snippet from a raw apache access log of a program who is using
NATS.

I've stripped out the ip of the server and other bits that contain other info
which would reveal anything nobody would like to be revealed and things that
aren't relevant to the issue.

I won't disclose which program this is, the ip or anything else of that matter
as it's irrelevant to the question I ask.....and like to get answered.

I won't get into challenges to prove what is listed below as frankly I don't
need to........If you don't believe anything you see awesome.....I won't
try to change your mind or convince you of anything you don't want to believe.

I also have no interest to damage anyone with any of this neither is there
anything to gain from by me just like there's nothing I could lose from by this
or whatever you might want to make believe to.

So why do I post this you wonder? Simply coz I wonder if what I think of it
is true and if others who ARE affected by anything like this can ask
themselves what that means to them. I don't have any grudge to anyone
including TMM or anyone who works with them.

The only other reason apart from wondering myself is that I occasionally
assist others who use NATS and ask me questions I couldn't honestly answer
too if I would leave things I'm aware of out of my answer......obviously that
would mean it could bite myself in the ass for something I had no part in.

Ok short explanation of what you see below

Raw apache webserver access log from NATS server
The script which is used for the exploit that was discovered
The date which isn't as claimed 2 months ago but over 5 months ago
IP from a range within sagonet their IP block. Sagonet is a different hosting
provider who sells dedicated hosting only......so this IP isn't from an access
provider.....it's from a server.....that server doesn't belong to the company
and/or people who own the server the log is from.....so the ip listed should
NOT be allowed to access the script listed in the loglines
Status code for the request is 200 which means authorized and OK
This should NEVER be 200 for the IP in the loglines.

My question......please explain and show me this isn't the same output
pattern as the current problem at hand of which TMM claims didn't occur
before 2 months ago....

I only show the lines from 1 server because I don't want to post anymore
info needed to make my point.......but I do have the same from more than
one hand full of other NATS installed servers who all belong to different
programs and people.

Think I'm bluffing.....cool, not my problem just like I don't feel the need
to prove to anyone I am......make up your own mind.....don't try wasting
your time by challenging me anything as I can tell you I won't bite and
all it would do is wasting your time.

Quote:
php?action=add&add%5Busername%3A1%3A6%3A16%5D=fran k1&add%5Bpassword%3A1%3

(obviously cutoff the password field)

66.118.176.86 - - [30/Jul/2007:08:15:10 -0500] "GET /admin_reports.php?report=surfer_stats&member=34501 39 HTTP/1.1" 200 23742 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:13 -0500] "GET /admin_reports.php?report=surfer_stats&member=34501 26 HTTP/1.1" 200 31529 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:17 -0500] "GET /admin_reports.php?report=surfer_stats&member=34500 98 HTTP/1.1" 200 29778 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:21 -0500] "GET /admin_reports.php?report=surfer_stats&member=34500 68 HTTP/1.1" 200 30835 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:24 -0500] "GET /admin_reports.php?report=surfer_stats&member=34500 28 HTTP/1.1" 200 30210 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:27 -0500] "GET /admin_reports.php?report=surfer_stats&member=34500 22 HTTP/1.1" 200 30098 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:32 -0500] "GET /admin_reports.php?report=surfer_stats&member=34499 50 HTTP/1.1" 200 30038 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:35 -0500] "GET /admin_reports.php?report=surfer_stats&member=34499 08 HTTP/1.1" 200 29818 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:38 -0500] "GET /admin_reports.php?report=surfer_stats&member=34498 83 HTTP/1.1" 200 30483 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
I'm looking forward to your reply and honestly hope I'm mistaken and when I do I'll gladly admit.....as I have said I'm not out to do any kind of damage to
anyone who is involved in all this.......just curious if what I see is what I think it is and if it is.....why nobody knew about it or keep it silent if they did.

Try to ridicule me or make me look like an idiot and I will show you make a big mistake doing so.......I don't want to start drama but if you beg me for it
I won't be too impolite to don't give it to you ;-)

That's not a threat and if you feel like it is.......well then I can only guess
why you would.......and confirm it was a good idea to ask this question

For all the people who don't care about any of this......let me ask you
how many pages you think this thread will go to?

__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 12-26-2007, 08:02 PM   #2
Daruma
Confirmed User
 
Join Date: Nov 2002
Location: PandaLand™
Posts: 3,494
this might be a 7+ pager..
__________________

RIP TD
Old 12-26-2007, 08:04 PM   #3
~Ray
visit hardlinks.org
 
Join Date: Jun 2003
Location: Las Vegas , Nv >>> [email protected] or icq 94994627 anytime
Posts: 18,362
I was here... let's trade niche links while we wait a professional reply.. shall we? ... http://www.gofuckyourself.com/showthread.php?t=791123
Old 12-26-2007, 08:04 PM   #4
F U S I O N
Confirmed User
 
Join Date: Jan 2006
Posts: 1,898
Where does it end??
Old 12-26-2007, 08:05 PM   #5
xclusive
Too lazy to set a custom title
 
Join Date: Apr 2004
Location: Buffalo, NY
Posts: 35,218
Can't wait to hear the reply
__________________

I support MediumPimpin.com / Shemp's Outlawtgp.com /


Old 12-26-2007, 08:05 PM   #6
L-Pink
working on my tan
 
Join Date: Mar 2005
Location: Florida/Kentucky
Posts: 39,151
This is technically over my head but interesting as hell.
Old 12-26-2007, 08:06 PM   #7
sicone
Retired
 
Join Date: Jan 2004
Location: Sac
Posts: 18,453
Ouch....
Old 12-26-2007, 08:07 PM   #8
CyberHustler
So Fucking Banned
 
Join Date: Feb 2006
Posts: 26,062
My sig belongs in this thread
Old 12-26-2007, 08:10 PM   #9
BoyAlley
So Fucking Gay
 
Join Date: Nov 2004
Posts: 19,714
Quote:
Originally Posted by sicone View Post
Ouch....
x2
Old 12-26-2007, 08:13 PM   #10
ARS Bryan
Confirmed User
 
Join Date: Dec 2005
Location: Chicago
Posts: 875
This looks like trouble.

In other news, ARS has weekly payouts and $75 pps! Check us out
__________________
///ARS - Adult Revenue Service


ICQ me 25120534
Old 12-26-2007, 08:14 PM   #11
Juicy D. Links
So Fucking Banned
 
Join Date: Apr 2001
Location: N.Y. -Long Island --
Posts: 122,992
Oy Vey Kanka


PS:


I can't wait to party new years yo !!! and go skiing the slopes!!
Old 12-26-2007, 08:14 PM   #12
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
You are saying the IP blocking should be stopping them?

The IP blocking is done in NATS, not at the apache level. The apache request will still be 200, but the contents of the page will be blocked by the IP restriction.

If you mean something else then I misunderstood you and please explain further.
Old 12-26-2007, 08:15 PM   #13
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
ehh till now I'm not claiming anything I wrote is shady or proves anything bad at this point.......I won't do so until someone shows me I'm mistaken and wrong.
which is possible.......when they can't show me reasonably that I'm wrong I
might change my opinion about this

So until now.....don't assume what I wrote really is true or that I'm claiming it's true.......not just yet
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |

Last edited by ServerGenius; 12-26-2007 at 08:16 PM..
Old 12-26-2007, 08:16 PM   #14
Daruma
Confirmed User
 
Join Date: Nov 2002
Location: PandaLand™
Posts: 3,494
Quote:
Originally Posted by ServerGenius View Post
ehh till now I'm not claiming anything I wrote is shady or proves anything bad at this point.......I won't do so until someone shows me I'm mistaken and wrong.
which is possible.......when they can't show me reasonably that I'm wrong I
might change my opinion about this

So until now.....don't assume what I wrote really is true or that I'm claiming it's true.......not just yet
but that didn't really address the question by PBucksJohn ??
__________________

RIP TD
Old 12-26-2007, 08:18 PM   #15
BoyAlley
So Fucking Gay
 
Join Date: Nov 2004
Posts: 19,714
Quote:
Originally Posted by PBucksJohn View Post
You are saying the IP blocking should be stopping them?

The IP blocking is done in NATS, not at the apache level. The apache request will still be 200, but the contents of the page will be blocked by the IP restriction.

If you mean something else then I misunderstood you and please explain further.
What I'm noticing is that the request is coming in 200, but as you said if NATS is blocking them they'd be denied at the script level and still return a 200 code from apache. HOWEVER the size of the page being requested isn't the same each time, which makes me think actual data's being sent back instead of just a denial?

If it was just a denial by the script wouldn't each page size being displayed be consistent? Or no?

If I'm not mistaken the size returned doesn't include the header size, so any variance caused by those wouldn't account for that?

Last edited by BoyAlley; 12-26-2007 at 08:21 PM..
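The size comparison raised in the post above can be run over a whole access log. This is an added example, not part of the thread and not NATS code: it groups 200 responses for /admin_reports.php by client IP outside an assumed admin allow-list and reports whether the logged body sizes are constant or vary. The allow-list range, the sample log lines, their addresses, member IDs and sizes are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

ADMIN_SCRIPT = "/admin_reports.php"                # script named in the posted log
ALLOWED_ADMIN_NETS = [ip_network("192.0.2.0/28")]  # assumption: operator's own admin range

# Constructed sample lines (documentation IP ranges, made-up member IDs and sizes).
SAMPLE_LOG = """\
192.0.2.5 - - [30/Jul/2007:08:01:02 -0500] "GET /admin_reports.php?report=surfer_stats&member=1001 HTTP/1.1" 200 30411 "-" "ExampleBrowser/1.0"
198.51.100.23 - - [30/Jul/2007:08:15:10 -0500] "GET /admin_reports.php?report=surfer_stats&member=1005 HTTP/1.1" 200 23742 "-" "ExampleClient/1.0"
198.51.100.23 - - [30/Jul/2007:08:15:13 -0500] "GET /admin_reports.php?report=surfer_stats&member=1004 HTTP/1.1" 200 31529 "-" "ExampleClient/1.0"
198.51.100.23 - - [30/Jul/2007:08:15:17 -0500] "GET /admin_reports.php?report=surfer_stats&member=1003 HTTP/1.1" 200 29778 "-" "ExampleClient/1.0"
198.51.100.23 - - [30/Jul/2007:08:15:21 -0500] "GET /admin_reports.php?report=surfer_stats&member=1002 HTTP/1.1" 200 30835 "-" "ExampleClient/1.0"
198.51.100.23 - - [30/Jul/2007:08:15:24 -0500] "GET /index.php HTTP/1.1" 200 1200 "-" "ExampleClient/1.0"
203.0.113.9 - - [30/Jul/2007:09:00:00 -0500] "GET /admin_reports.php?report=surfer_stats&member=1005 HTTP/1.1" 200 512 "-" "ExampleClient/2.0"
203.0.113.9 - - [30/Jul/2007:09:00:05 -0500] "GET /admin_reports.php?report=surfer_stats&member=1004 HTTP/1.1" 200 512 "-" "ExampleClient/2.0"
203.0.113.9 - - [30/Jul/2007:09:00:09 -0500] "GET /admin_reports.php?report=surfer_stats&member=1003 HTTP/1.1" 200 512 "-" "ExampleClient/2.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ip_address(m["ip"])
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:  # hostname instead of an IP, or a malformed timestamp
        return None
    url = urlsplit(m["target"])
    return {
        "ip": ip,
        "time": when,
        "path": url.path,
        "member": parse_qs(url.query).get("member", [None])[0],
        "status": int(m["status"]),
        # The size field is the response body without headers; "-" means no body.
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def audit_admin_access(lines, allowed_nets=ALLOWED_ADMIN_NETS, min_hits=3):
    """Summarise 200 responses for ADMIN_SCRIPT per client IP outside allowed_nets."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ADMIN_SCRIPT or rec["status"] != 200:
            continue
        if any(rec["ip"] in net for net in allowed_nets):
            continue
        per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        if len(recs) < min_hits:
            continue
        sizes = {r["size"] for r in recs}
        times = [r["time"] for r in recs]
        findings.append({
            "ip": str(ip),
            "hits": len(recs),
            "distinct_members": len({r["member"] for r in recs}),
            "distinct_sizes": len(sizes),
            "size_range": (min(sizes), max(sizes)),
            "seconds": (max(times) - min(times)).total_seconds(),
            # One size for every request fits a fixed denial page; sizes that
            # change per request mean the body content changed per request.
            "body": "fixed" if len(sizes) == 1 else "varying",
        })
    return sorted(findings, key=lambda f: f["hits"], reverse=True)


if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_LOG.splitlines()):
        print(finding)
```

A "varying" result does not show what the body contained; it only rules out a single static denial page, so the next check is what the application itself returns to a blocked address.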
Old 12-26-2007, 08:20 PM   #16
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by BoyAlley View Post
What I'm noticing is that the request is coming in 200, but as you said if NATS is blocking them they'd be denied at the script level and still return a 200 code from apache. HOWEVER the size of the page being requested isn't the same each time, which makes me think actual data's being sent back instead of just a denial?

If it was just a denial by the script wouldn't each page size being displayed be consistent? Or no?
That is a good question. I will have to ask the techs.

Also, as I said, I was a bit confused by his question. It was worded a bit strangely. He mentioned 5 months ago. I have no way of knowing who this is or what they had or did not have setup. So it is hard to comment.

If he has a question or accusation he should ask or make it.
Old 12-26-2007, 08:22 PM   #17
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
SG can you tell me where I'd pull those reports?
Old 12-26-2007, 08:23 PM   #18
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Also, we never said this issue did not occur prior to 2 months ago. We said we learned of it a few months ago. We are not 100% sure how long it has gone on for.

Hasn't this all been covered already? Many times?
Old 12-26-2007, 08:24 PM   #19
JD
Too lazy to set a custom title
 
Join Date: Sep 2003
Posts: 22,651
that sure is interesting...
Old 12-26-2007, 08:25 PM   #20
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by JD View Post
that sure is interesting...
What about it is interesting?
Old 12-26-2007, 08:28 PM   #21
BoyAlley
So Fucking Gay
 
Join Date: Nov 2004
Posts: 19,714
Quote:
Originally Posted by PBucksJohn View Post
What about it is interesting?
At the very least this might be an indication that his problem started happening months before anyone here originally thought.

I would think nailing down the time of the initial problems would be "interesting", as from an investigative standpoint, it could aid in finding the person(s) responsible no?
Old 12-26-2007, 08:29 PM   #22
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by BoyAlley View Post
At the very least this might be an indication that his problem started happening months before anyone here originally thought.

I would think nailing down the time of the initial problems would be "interesting", as from an investigative standpoint, it could aid in finding the person(s) responsible no?
I don't doubt it was going on 5 months prior. And I didn't think that is what he meant by interesting. You have to admit the original post had a strange tone to it. Whether that was intentional or not I don't know. I don't know SG to be the attacking type so it is probably just the way he speaks, but you know how GFY can interpret whatever they want and run with it.
Old 12-26-2007, 08:29 PM   #23
WiredGuy
Pounding Googlebot
 
Join Date: Aug 2002
Location: Canada
Posts: 34,475
What does a denied page look like? Does it have the same file size each time it's requested or does it contain some dynamic information? If it's static, the file size should be the same each time, not quite what the log is showing.
WG
__________________
I play with Google.
Old 12-26-2007, 08:31 PM   #24
tony286
lurker
 
Join Date: Aug 2002
Location: atlanta
Posts: 57,021
Too techie for me. lol
Old 12-26-2007, 08:31 PM   #25
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by WiredGuy View Post
What does a denied page look like? Does it have the same file size each time it's requested or does it contain some dynamic information? If it's static, the file size should be the same each time, not quite what the log is showing.
WG
I agree. As I said to BA I will have to ask the techs. I would assume that he did not have the IP restriction on 5 months ago. I have no way of knowing that as I don't know who it is and I have not spoken with them. SG did not say they had the restriction on, just that since it is at a different host it shouldn't be able to access it. That would require the restriction be on and setup properly. I can't speak to that.
Old 12-26-2007, 08:40 PM   #26
CarlosTheGaucho
Confirmed User
 
Join Date: Oct 2005
Posts: 9,512
Gonna read this once again as I wake up tomorrow = interesting read as always Hans !
Old 12-26-2007, 08:42 PM   #27
Doctor Dre
Too lazy to set a custom title
 
Join Date: Jan 2001
Posts: 51,692
Quote:
Originally Posted by PBucksJohn View Post
I don't doubt it was going on 5 months prior. And I didn't think that is what he meant by interesting. You have to admit the original post had a strange tone to it. Whether that was intentional or not I don't know. I don't know SG to be the attacking type so it is probably just the way he speaks, but you know how GFY can interpret whatever they want and run with it.
Sounds like he's suspecting something but he doesn't want to attack anybody without definite proof.
__________________
Quote:
Originally Posted by rayadp05 View Post
I rebooted, deleted temp files, history, cookies and everything...still cannot view the news clip. All I see is that fucking gay ass music video from "Rick Roll". Anyone else have a different link to the news clip?
Old 12-26-2007, 08:48 PM   #28
tical
Confirmed User
 
Join Date: Feb 2002
Location: Las Vegas
Posts: 6,504
our old program amateurwealth had test signup emails getting spammed about 2-3 weeks after they were entered

BEFORE WE EVER ANNOUNCED OR WENT LIVE

anyone who's been here for a while knows amateurwealth was a long time ago with epic jim, trey (pimpdogg) & myself

maybe the brand new server was hacked
maybe someone at paycom was selling lists
maybe this nats bug is WAY older than a few months (think at least a year)

that's all
__________________
112.020.756
Old 12-26-2007, 08:52 PM   #29
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally Posted by PBucksJohn View Post
That is a good question. I will have to ask the techs.

Also, as I said, I was a bit confused by his question. It was worded a bit strangely. He mentioned 5 months ago. I have no way of knowing who this is or what they had or did not have setup. So it is hard to comment.

If he has a question or accusation he should ask or make it.
Hi,

I don't try to accuse anyone nor do I intend to. Also I haven't read all posts
and threads about all this so forgive me if I ask something that has been
answered once or many times before.

I also mentioned this isn't from my own servers/business as I don't use
NATS myself, this is from someone I assist with tech stuff and who asked
me about it......which only asked recently so that's why it wasn't brought
up before by me......perhaps the person has brought it up before as he did
mention asking some things earlier but the times he did he got replies that
both didn't answer his question as well as made clear it's better to don't
ask about it more or again........but that could have been something else
and I don't know or care to know exactly what was said.......

The question you asked regarding the status code that always would be
200 but not return the contents it normally returns already has been answered. Data that is returned isn't default or don't contain anything
as which the size of it shows......

I mentioned 2 months as I believed and understood that that was
said in a statement by you......if that's wrong....then I misunderstand
and stand corrected.

__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 12-26-2007, 08:52 PM   #30
Doctor Dre
Too lazy to set a custom title
 
Join Date: Jan 2001
Posts: 51,692
AmateurWealth has only existed for a year ?
__________________
Quote:
Originally Posted by rayadp05 View Post
I rebooted, deleted temp files, history, cookies and everything...still cannot view the news clip. All I see is that fucking gay ass music video from "Rick Roll". Anyone else have a different link to the news clip?
Old 12-26-2007, 08:56 PM   #31
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by ServerGenius View Post
Hi,

I don't try to accuse anyone nor do I intend to. Also I haven't read all posts
and threads about all this so forgive me if I ask something that has been
answered once or many times before.

I also mentioned this isn't from my own servers/business as I don't use
NATS myself, this is from someone I assist with tech stuff and who asked
me about it......which only asked recently so that's why it wasn't brought
up before by me......perhaps the person has brought it up before as he did
mention asking some things earlier but the times he did he got replies that
both didn't answer his question as well as made clear it's better to don't
ask about it more or again........but that could have been something else
and I don't know or care to know exactly what was said.......

The question you asked regarding the status code that always would be
200 but not return the contents it normally returns already has been answered. Data that is returned isn't default or don't contain anything
as which the size of it shows......

I mentioned 2 months as I believed and understood that that was
said in a statement by you......if that's wrong....then I misunderstand
and stand corrected.

I wasn't accusing you of accusing I was confused and if there is something I'm simply saying if we're more direct it will make it easier.

The response sizes varying is strange, but you can also see the same member ID requested 3 times with different sizes so that may be irrelevant. Again, I'm not exactly sure what the response with a restriction looks like so I can't comment on that at this point and I have no way of even knowing if the IP restriction was on for whoever this is back then.

You are correct, we became aware of an issue a few months ago, but thought we were sure the scope was much smaller. I would imagine it was going on prior to us first getting an indication of it.

You can also always ICQ me with questions and I'll be glad to help you.
Old 12-26-2007, 09:01 PM   #32
AlienQ - BANNED FOR LIFE
best designer on GFY
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
Just cuz you can see the file does not mean you can access the file.

Thus nothing, I mean if ya ran this test and took it to the next level to view the file and saw the contents then you would have something.

So I do not know why ya made this thread, knowing that you were not able to access the contents.

These NATS threads are getting pretty boring.
Old 12-26-2007, 09:05 PM   #33
notoldschool
Confirmed User
 
Join Date: Aug 2007
Posts: 5,687
I would just ignore these posts to tell you the truth. Everyone wants to start shit. If they were important they would have asked in a better manner and it would have been through nats support. All these threads are lame.
__________________
No doubt one may quote history to support any cause, as the devil quotes scripture.
-- Learned Hand

http://www.bjpenn.com
Old 12-26-2007, 09:07 PM   #34
12clicks
Too lazy to set a custom title
 
Join Date: Jan 2001
Location: God's right hand
Posts: 19,788
It's not rocket science. I don't understand why people try to make it so.
what happened is simple and clear as day
__________________
I'm not a dinosaur, I'm a crocodile. I've seen dinosaurs come and go and I'm left unimpressed.
Old 12-26-2007, 09:08 PM   #35
Catalyst
Confirmed User
 
Join Date: Jun 2003
Location: Vegas
Posts: 3,243
I am going to have to re-read this..what am I not understanding..
Old 12-26-2007, 09:08 PM   #36
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
I read everything posted here and still don't know WTF this is about.

This thread better start delivering or I'm outta here!
Old 12-26-2007, 09:16 PM   #37
XSecurityAudit
Registered User
 
Join Date: Apr 2007
Posts: 79
Quote:
php?action=add&add%5Busername%3A1%3A6%3A16%5D= fran k1&add%5Bpassword%3A1%3
Interesting. So was the user added via the automated bot? or was this user added by NATS itself?

From the looks of the above it looks like an automated request as you can actually see the variables and content (i.e., the request was made using a GET and not a POST).

Servergenius, what script was the add account request sent to?
Old 12-26-2007, 09:23 PM   #38
notoldschool
Confirmed User
 
Join Date: Aug 2007
Posts: 5,687
Quote:
Originally Posted by sortie View Post
I read everything posted here and still don't know WTF this is about.

This thread better start delivering or I'm outta here!
all I get is something about gogo bots attacking a megatron string of magical code written by two fat men in a rubber room wearing tin foil hats that swear they were cheated out of 10 clicks from a softcore gallery on the hun.
__________________
No doubt one may quote history to support any cause, as the devil quotes scripture.
-- Learned Hand

http://www.bjpenn.com
Old 12-26-2007, 09:24 PM   #39
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally Posted by PBucksJohn View Post
I don't doubt it was going on 5 months prior. And I didn't think that is what he meant by interesting. You have to admit the original post had a strange tone to it. Whether that was intentional or not I don't know. I don't know SG to be the attacking type so it is probably just the way he speaks, but you know how GFY can interpret whatever they want and run with it.
Yup you're right I'm not the attacking type and I don't mean or imply anything
else than I tried to write......I'm Dutch so English isn't my first language...
add a few drinks to that which doesn't improve my English skills. That's why
I posted after seeing the first replies that I don't accuse or claim anything
or even what I posted is true and couldn't be a mistake I made......which
I also stated wouldn't be possible to be a mistake or misinterpretation I made
from what I noticed and thought it could be.......I hope you can understand
this a bit better than my first post.....if not please let me know....and I'll try
again to explain what I really mean
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 12-26-2007, 09:26 PM   #40
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by ServerGenius View Post
Yup you're right I'm not the attacking type and I don't mean or imply anything
else than I tried to write......I'm Dutch so English isn't my first language...
add a few drinks to that which doesn't improve my English skills. That's why
I posted after seeing the first replies that I don't accuse or claim anything
or even what I posted is true and couldn't be a mistake I made......which
I also stated wouldn't be possible to be a mistake or misinterpretation I made
from what I noticed and thought it could be.......I hope you can understand
this a bit better than my first post.....if not please let me know....and I'll try
again to explain what I really mean
I think I get what you mean now. I figured your English may be an issue but it usually seems to be pretty good. The drinks explain it a bit more tho
Old 12-26-2007, 09:26 PM   #41
DatingGold
$6 PER EMAIL JOiN
 
Join Date: Feb 2003
Location: California
Posts: 13,185
lots of beating around the bush
__________________
9 Years of SOLID payouts and conversions!



ADULT DATING - $100 PPS

LIVE CAMS - $214 PPS

WWW.DATINGGOLD.COM

ICQ: 27442303
Old 12-26-2007, 09:29 PM   #42
JFK
FUBAR the ORIGINATOR
 
Join Date: Jan 2002
Location: FUBARLAND
Posts: 67,374
Quote:
Originally Posted by L-Pink View Post
This is technically over my head but interesting as hell.
yeah
__________________

FUBAR Webmasters - The FUBAR Times - FUBAR Webmasters Mobile - FUBARTV.XXX
For promo opps contact jfk at fubarwebmasters dot com
Old 12-26-2007, 09:30 PM   #43
Iron Fist
Too lazy to set a custom title
 
Join Date: Dec 2006
Posts: 23,400
Yawn...

__________________
i like waffles
Old 12-26-2007, 09:34 PM   #44
BoyAlley
So Fucking Gay
 
Join Date: Nov 2004
Posts: 19,714
TMM John have you contacted the FBI yet about the breach of your system and the stolen password file that led to all of this?

With the spamming that took place as a result, it looks like HUGE money could potentially have been made by the criminals involved here.

I'm confident that the FBI would get involved, trace the money through the sponsors being promoted in those spams, and help catch the criminals and bring them to justice.

I haven't heard this being talked about yet?
Old 12-26-2007, 09:36 PM   #45
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,660
Quote:
Originally Posted by BoyAlley View Post
TMM John have you contacted the FBI yet about the breach of your system and the stolen password file that led to all of this?

With the spamming that took place as a result, it looks like HUGE money could potentially have been made by the criminals involved here.

I'm confident that the FBI would get involved, trace the money through the sponsors being promoted in those spams, and help catch the criminals and bring them to justice.

I haven't heard this being talked about yet?
That is all being done under the advisement of counsel. Fortunately I do not get my legal advice from GFY. Lots of people here think they know everything about the law and you'd be amazed how little they do know. I have also been advised not to discuss it at this point. You can be assured tho that we want whoever this is found and punished more than anyone else.
Old 12-26-2007, 09:49 PM   #46
ninavain
So Fucking Banned
 
Join Date: Jan 2004
Location: Las Vegas
Posts: 6,268
Quote:
Originally Posted by Daruma View Post
this might be a 7+ pager..
No this shit is gonna be a 10-pager, I bet $50 on it
Old 12-26-2007, 09:50 PM   #47
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
ServerGenius - I think the pattern would be the same. This is the simplest and easiest way to get member data and insert member records.

And from the Apache exploit to John's server getting hacked, all of it. Yeah.. they prob are related, somewhat. These people's job is to get into affiliate programs for user/pass details, as mind-blowingly stupid as that sounds to some people, it is true. Yes, they sell the emails too, and that's what leads to the money train.
__________________
~TheDoc - ICQ7765825
It's all disambiguation
Old 12-26-2007, 09:57 PM   #48
CyberHustler
So Fucking Banned
 
Join Date: Feb 2006
Posts: 26,062
wow.............
Old 12-26-2007, 09:58 PM   #49
CyberHustler
So Fucking Banned
 
Join Date: Feb 2006
Posts: 26,062
Crazy shit.........
Old 12-26-2007, 09:58 PM   #50
CyberHustler
So Fucking Banned
 
Join Date: Feb 2006
Posts: 26,062
over 50 NATS threads