Old 12-26-2007, 07:59 PM  
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
TMM and TMM / NATS clients Please explain this and SHOW me I'm wrong!!!!

Ok below is a snippet from a raw apache access log of a program who is using
NATS.

I've stripped out the ip of the server and other bits that contain other info
which would reveal anything nobody would like to be revealed and things that
aren't relevant to the issue.

I won't disclose which program this is, the ip or anything else of that matter
as it's irrelevant to the question I ask.....and like to get answered.

I won't get into challenges to prove what is listed below as frankly I don't
need to........If you don't believe anything you see awesome.....I won't
try to change your mind or convince you of anything you don't want to believe.

I also have no interest to damage anyone with any of this neither is there
anything to gain from by me just like there's nothing I could lose from by this
or whatever you might want to make believe to.

So why do I post this you wonder? Simply coz I wonder if what I think of it
is true and if others who ARE affected by anything like this can ask
themselves what that means to them. I don't have any grudge to anyone
including TMM or anyone who works with them.

The only other reason apart from wondering myself is that I occasionally
assist others who use NATS and ask me questions I couldn't honestly answer
too if I would leave things I'm aware of out of my answer......obviously that
would mean it could bite myself in the ass for something I had no part in.

Ok short explanation of what you see below

Raw apache webserver access log from NATS server
The script which is used for the exploit that was discovered
The date which isn't as claimed 2 months ago but over 5 months ago
IP from a range within Sagonet's IP block. Sagonet is a different hosting
provider who sells dedicated hosting only......so this IP isn't from an access
provider.....it's from a server.....that server doesn't belong to the company
and/or people who own the server the log is from.....so the ip listed should
NOT be allowed to access the script listed in the loglines
Status code for the request is 200 which means authorized and OK
This should NEVER be 200 for the IP in the loglines.

My question......please explain and show me this isn't the same output
pattern as the current problem at hand of which TMM claims didn't occur
before 2 months ago....

I only show the lines from 1 server because I don't want to post anymore
info needed to make my point.......but I do have the same from more than
one hand full of other NATS installed servers who all belong to different
programs and people.

Think I'm bluffing.....cool, not my problem just like I don't feel the need
to prove to anyone I am......make up your own mind.....don't try wasting
your time by challenging me anything as I can tell you I won't bite and
all it would do is wasting your time.

Quote:
php?action=add&add%5Busername%3A1%3A6%3A16%5D=frank1&add%5Bpassword%3A1%3

(obviously cutoff the password field)

66.118.176.86 - - [30/Jul/2007:08:15:10 -0500] "GET /admin_reports.php?report=surfer_stats&member=3450139 HTTP/1.1" 200 23742 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:13 -0500] "GET /admin_reports.php?report=surfer_stats&member=3450126 HTTP/1.1" 200 31529 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:17 -0500] "GET /admin_reports.php?report=surfer_stats&member=3450098 HTTP/1.1" 200 29778 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:21 -0500] "GET /admin_reports.php?report=surfer_stats&member=3450068 HTTP/1.1" 200 30835 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:24 -0500] "GET /admin_reports.php?report=surfer_stats&member=3450028 HTTP/1.1" 200 30210 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:27 -0500] "GET /admin_reports.php?report=surfer_stats&member=3450022 HTTP/1.1" 200 30098 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:32 -0500] "GET /admin_reports.php?report=surfer_stats&member=3449950 HTTP/1.1" 200 30038 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:35 -0500] "GET /admin_reports.php?report=surfer_stats&member=3449908 HTTP/1.1" 200 29818 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
66.118.176.86 - - [30/Jul/2007:08:15:38 -0500] "GET /admin_reports.php?report=surfer_stats&member=3449883 HTTP/1.1" 200 30483 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

I'm looking forward to your reply and honestly hope I'm mistaken and when I do I'll gladly admit.....as I have said I'm not out to do any kind of damage to
anyone who is involved in all this.......just curious if what I see is what I think it is and if it is.....why nobody knew about it or keep it silent if they did.

Try to ridicule me or make me look like an idiot and I will show you make a big mistake doing so.......I don't want to start drama but if you beg me for it
I won't be too impolite to don't give it to you ;-)

That's not a threat and if you feel like it is.......well then I can only guess
why you would.......and confirm it was a good idea to ask this question

For all the people who don't care about any of this......let me ask you
how many pages you think this thread will go to?

__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
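The check the post describes (a 200 response on an admin script for a client that should not be able to reach it), as an added example that is not part of the original post or of NATS: it summarises successful admin-script requests per source address outside an allowlist. The allowlist, the `admin_` script prefix rule and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache common/combined prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Assumption: networks the operator expects to reach the admin scripts.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed sample (documentation IP ranges, made-up member ids).
SAMPLE = """\
192.0.2.10 - - [30/Jul/2007:08:14:02 -0500] "GET /admin_reports.php?report=surfer_stats&member=1001 HTTP/1.1" 200 30110 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2007:08:15:10 -0500] "GET /admin_reports.php?report=surfer_stats&member=1003 HTTP/1.1" 200 23742 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Jul/2007:08:15:13 -0500] "GET /admin_reports.php?report=surfer_stats&member=1002 HTTP/1.1" 200 31529 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Jul/2007:08:16:00 -0500] "GET /admin_reports.php?report=surfer_stats&member=1001 HTTP/1.1" 403 199 "-" "Mozilla/4.0"
""".splitlines()

def is_allowed(host, nets=ALLOWED_NETS):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname was logged instead of an address
        return False
    return any(addr in net for net in nets)

def unexpected_admin_hits(lines, nets=ALLOWED_NETS):
    """Summarise 2xx requests to admin_* scripts from hosts outside nets."""
    hits = defaultdict(lambda: {"count": 0, "members": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Tolerate pasted log lines where a forum wrapped the URL with a space.
        url = urlsplit(m["target"].replace(" ", ""))
        script = url.path.rsplit("/", 1)[-1]
        if not script.startswith("admin_") or m["status"][0] != "2":
            continue
        if is_allowed(m["ip"], nets):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["members"].update(parse_qs(url.query).get("member", []))
        rec["first"] = min(rec["first"] or ts, ts)
        rec["last"] = max(rec["last"] or ts, ts)
    return dict(hits)
```

A source with many distinct `member` values over a short first-to-last span is the pattern worth escalating; a 403 or a request from an allowlisted network is not counted.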