Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 07-22-2006, 10:56 PM   #1
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
yep comus is handing out too much information including IPs

been poking around in comus thumbs and found that on a default install the following is world viewable

http://some tgp.com/ct/dat/raws
/ct/dat/alog
/ct/dat/cstats.dat
/ct/dat/dailytotals
/ct/dat/history
/ct/dat/ip/log
/ct/dat/raws
/ct/dat/uniques

it even gives out the administrator's IP to fix ssh into your host

drill down to ct folder

chmod 622 dat
Old 07-23-2006, 06:50 AM   #2
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
bump for day crew
Old 07-23-2006, 06:51 AM   #3
Kimo
...
 
Join Date: Jan 2006
Location: Maryland ICQ:87038677
Posts: 11,542
oh shit......
Old 07-23-2006, 07:01 AM   #4
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
yep I can't believe this thread went unnoticed

wayyyy too much info

I just did a test hack and with the information provided above it is possible to take over the comus site using nothing but the information in

/ct/dat/alog

which includes the authorized IP as well as the user name and other info
Old 07-23-2006, 07:19 AM   #5
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
Quote:
Originally Posted by pussyserver
yep I can't believe this thread went unnoticed

wayyyy too much info

I just did a test hack and with the information provided above it is possible to take over the comus site using nothing but the information in

/ct/dat/alog

which includes the authorized IP as well as the user name and other info
Did you hit up SixZeros? I don't think he's around here much. VendZilla used to take care of the boards for him but now he's with Playboy so I'm not sure if someone took over his duties.
Old 07-23-2006, 07:51 AM   #6
Ace_luffy
www.creationcrew.com
 
Join Date: Feb 2005
Location: CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM CREATIONCREW.COM
Posts: 12,111
part of the program.. maybe had significant on it
Old 07-23-2006, 08:02 AM   #7
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,372
don't use comus, smart thumbs guy here, better report it on their forum.
Old 07-23-2006, 08:06 AM   #8
Chris
Too lazy to set a custom title
 
Join Date: May 2003
Location: icq: 71462500 Skype: Jupzchris
Posts: 27,880
hmmmm

sure is kinda strange
but only info i could find was the ip addys

no login user names?

tested it on my comus site
Old 07-23-2006, 08:16 AM   #9
jayeff
Confirmed User
 
Join Date: May 2001
Posts: 2,944
Quote:
Originally Posted by Chris
hmmmm

sure is kinda strange
but only info i could find was the ip addys

no login user names?

tested it on my comus site

Me either. Different setups or is that the smell of BS?
Old 07-23-2006, 08:22 AM   #10
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,372
why is showing the ip address for the domain that important? just nslookup the domain and you will get the ip, nothing special there
Old 07-23-2006, 08:22 AM   #11
PussyTeenies
Confirmed User
 
Join Date: Feb 2005
Location: Haarlem and Amsterdam, capital of the porn world ;-)
Posts: 6,496
i have the same shit
but then again.. i only run it on one site atm.. and that one i hardly use
Old 07-23-2006, 08:24 AM   #12
PussyTeenies
Confirmed User
 
Join Date: Feb 2005
Location: Haarlem and Amsterdam, capital of the porn world ;-)
Posts: 6,496
Quote:
Originally Posted by Fris
why is showing the ip address for the domain that important? just nslookup the domain and you will get the ip, nothing special there

it also shows what you DON'T want ppl to know
ct/dat/alog shows IP addy of the admin
you can then easily try to sniff or hack that box
if you suckseed :P then you can sniff the passwords or steal info from him/her/them for epassporte/programs/sponsors/sites you name it
Old 07-23-2006, 08:37 AM   #13
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
Quote:
Originally Posted by jayeff
Me either. Different setups or is that the smell of BS?
you know replies like this and a few other clueless wannabe webmasters are the reason I keep most of the stuff I find to myself

if you used comus you would know that the username is built in (it doesn't ask for one)

it authenticates against the IP

there is other information there but I'm not going to tell you how to read the data (I make script kiddies look stuff up)
Old 07-23-2006, 08:40 AM   #14
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,372
the admin ip for comus thumb installs is the same as the domain
Old 07-23-2006, 08:41 AM   #15
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
Quote:
Originally Posted by PussyTeenies
it also shows what you DON'T want ppl to know
ct/dat/alog shows IP addy of the admin
you can then easily try to sniff or hack that box
if you suckseed :P then you can sniff the passwords or steal info from him/her/them for epassporte/programs/sponsors/sites you name it
you don't even need to sniff the IP; this can be exploited with ready-made downloadable tools that can pass *spoofed IP's* to the script and brute the built-in username

plus more

what's funny is why is the folder hidden if viewing the site via FTP?? was this on purpose??
Old 07-23-2006, 08:47 AM   #16
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
Quote:
Originally Posted by Chris
hmmmm

sure is kinda strange
but only info i could find was the ip addys

no login user names?

tested it on my comus site
pretend you are a hax0r do you think you would be able to do anything with this info


http://www.thumbangels.com/ct/dat/alog
Old 07-23-2006, 08:59 AM   #17
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
Quote:
Originally Posted by pussyserver
you know replies like this and a few other clueless wannabe webmasters are the reason I keep most of the stuff I find to myself
jayeff is neither an instigator nor 'a clueless wannabe webmaster'; he was simply trying to distinguish if he had a different setup, has a different version or if it's the regular GFY sunday morning drama for your momma. Legitimate question I'd think.

It's a good thing people keep finding flaws, but describing and giving clues how the flaw can be detrimental to the server and site owner, on a board where loads of people have the time, know-how and desire to screw over their mother, isn't a good thing to do. *Hey, but that's just me*

If you've already attempted to advise Comus about it a few times and nothing was done, then I understand why you're putting it out there and making the users aware of how the rest of their stuff can be compromised.
Old 07-23-2006, 09:06 AM   #18
Freakster
Confirmed User
 
Join Date: Jul 2002
Location: Montreal
Posts: 833
Quote:
Originally Posted by Fris
the admin ip for comus thumb installs is the same as the domain
he means the admin connecting to it...
Old 07-23-2006, 09:14 AM   #19
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
Quote:
Originally Posted by TopBucksTrixxxia
jayeff is neither an instigator nor 'a clueless wannabe webmaster'; he was simply trying to distinguish if he had a different setup, has a different version or if it's the regular GFY sunday morning drama for your momma. Legitimate question I'd think.

It's a good thing people keep finding flaws, but describing and giving clues how the flaw can be detrimental to the server and site owner, on a board where loads of people have the time, know-how and desire to screw over their mother, isn't a good thing to do. *Hey, but that's just me*

If you've already attempted to advise Comus about it a few times and nothing was done, then I understand why you're putting it out there and making the users aware of how the rest of their stuff can be compromised.
ok sorry didn't mean to call him a clueless webmaster

just pisses me off when the first thing a person says is "oh it's BS" etc etc

I didn't give away anything as far as how to exploit the information, and the majority of the people on GFY do not have the know-how; I doubt half know HTML or PHP or any other web language, just my

ok back to work

if someone has contact info for the script writer please contact him/her
Old 07-23-2006, 09:24 AM   #20
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
Quote:
Originally Posted by pussyserver
ok sorry didn't mean to call him a clueless webmaster

just pisses me off when the first thing a person says is "oh it's BS" etc etc

I didn't give away anything as far as how to exploit the information, and the majority of the people on GFY do not have the know-how; I doubt half know HTML or PHP or any other web language, just my

ok back to work

if someone has contact info for the script writer please contact him/her
That's ok. For the record, I hit up anybody and everybody that could possibly reach them. My only problem is I can't find VendZilla on my damn Trillian this morning - maybe he got kicked off - he'd probably have their telephone number. I hope his ears are ringing and he'll take a look here
Old 07-23-2006, 12:35 PM   #21
Joesho
want to get in shape
 
Join Date: Jan 2003
Location: on the lake
Posts: 12,329
I am sure tony will look into this he is a sharp fella and a good businessman.
Old 07-23-2006, 12:47 PM   #22
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
disclosure bump
Old 07-23-2006, 01:50 PM   #23
sixzeros
Registered User
 
Join Date: Aug 2002
Location: Las Vegas
Posts: 53
This post is bullshit.

If you have a problem with Comus.. use our forums or if you have an emergency contact me personally.

My phone number is on the front of my website and my forum has personal messaging, my support email is checked every few hours...

If you think you can do anything with this information.. OTHER than actually trace a REAL hacker who is trying to get access to your system, then go for it, but expect to be busted. Yes this information is very handy when you need to catch someone.

Comus makes extraordinary efforts to stop, trace and track hackers, yes everything is recorded, if you think you can hack Comus and we won't find you then you're an idiot.

Just ask some of the guys out there that we've helped to protect.

Special thanks to all my friends in Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa for watching our backs.

And special thanks to Joe for contacting me personally about this.
Old 07-23-2006, 02:24 PM   #24
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
Quote:
Originally Posted by sixzeros
This post is bullshit.

If you have a problem with Comus.. use our forums or if you have an emergency contact me personally.

My phone number is on the front of my website and my forum has personal messaging, my support email is checked every few hours...

If you think you can do anything with this information.. OTHER than actually trace a REAL hacker who is trying to get access to your system, then go for it, but expect to be busted. Yes this information is very handy when you need to catch someone.

Comus makes extraordinary efforts to stop, trace and track hackers, yes everything is recorded, if you think you can hack Comus and we won't find you then you're an idiot.

Just ask some of the guys out there that we've helped to protect.

Special thanks to all my friends in Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa for watching our backs.

And special thanks to Joe for contacting me personally about this.
wasn't trying to stir up anything, thanks for looking into this
Old 07-23-2006, 02:26 PM   #25
jimthefiend
So Fucking Banned
 
Join Date: Oct 2003
Location: icq: 121189
Posts: 18,889
Quote:
Originally Posted by sixzeros
This post is bullshit.

If you have a problem with Comus.. use our forums or if you have an emergency contact me personally.

My phone number is on the front of my website and my forum has personal messaging, my support email is checked every few hours...

If you think you can do anything with this information.. OTHER than actually trace a REAL hacker who is trying to get access to your system, then go for it, but expect to be busted. Yes this information is very handy when you need to catch someone.

Comus makes extraordinary efforts to stop, trace and track hackers, yes everything is recorded, if you think you can hack Comus and we won't find you then you're an idiot.

Just ask some of the guys out there that we've helped to protect.

Special thanks to all my friends in Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa for watching our backs.

And special thanks to Joe for contacting me personally about this.

PussyNegro just got owned.

Thanks for that SixZeros. Great script too.
Old 07-23-2006, 02:28 PM   #26
pussyserver - BANNED FOR LIFE
So Fucking Banned
 
Join Date: Oct 2005
Location: I convert perverts like catholic church!
Posts: 5,133
and for the record I love Comus Thumbs

Jimi eat shit swamp rat
Old 07-23-2006, 02:29 PM   #27
jimthefiend
So Fucking Banned
 
Join Date: Oct 2003
Location: icq: 121189
Posts: 18,889
Quote:
Originally Posted by pussyserver
and for the record I love Comus Thumbs

Jimi eat shit swamp rat

You first, silverback.
Old 07-23-2006, 04:01 PM   #28
Vendzilla
Biker Gnome
 
Join Date: Mar 2004
Location: cell#324
Posts: 23,200
I just found this thread; I was offline for the weekend. My role with Comusthumbs hasn't changed, I just need a weekend off every once in a while!
Old 07-23-2006, 05:00 PM   #29
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
Quote:
Originally Posted by sixzeros
This post is bullshit.

If you have a problem with Comus.. use our forums or if you have an emergency contact me personally.

My phone number is on the front of my website and my forum has personal messaging, my support email is checked every few hours...

If you think you can do anything with this information.. OTHER than actually trace a REAL hacker who is trying to get access to your system, then go for it, but expect to be busted. Yes this information is very handy when you need to catch someone.

Comus makes extraordinary efforts to stop, trace and track hackers, yes everything is recorded, if you think you can hack Comus and we won't find you then you're an idiot.

Just ask some of the guys out there that we've helped to protect.

Special thanks to all my friends in Russia, China, Australia, New Zealand, Italy, USA, Germany, Amsterdam, Turkey, Korea, Europe, Asia, North America, South America, the Pacific and Africa for watching our backs.

And special thanks to Joe for contacting me personally about this.
i think you mean this thread is bullshit; if the post is bullshit that means you're full of shit

I don't think the lad meant any harm. I don't agree that allowing this directory to be publicly accessible is better for customers than having it private; might as well hide that directory unless there's some burning need for it to be open, right.. regardless of the small chance it would help a hacker gain access to your site or you, no chance is better than a slim chance in my books..
Old 07-23-2006, 06:00 PM   #30
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
Quote:
Originally Posted by Vendzilla
I just found this thread, I was offline for the weekend, My role with Comusthumbs hasn't changed, I just need a weekend off every once in a while!
K didn't know - tried to find you on my list and poof, you're not there - Trillian must be screwing with us today
Old 07-23-2006, 08:39 PM   #31
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
This post is bullshit.
I'm translating that to mean the following, let me know if this is correct:
Quote:
Thank you for bringing this up. While we don't feel that it poses a significant security risk
and we would have preferred to be contacted directly before you made a public post,
this is something we are diligently looking into. At first blush, it appears that although
the information isn't particularly sensitive, it probably would make sense to drop a
.htaccess in that directory with "deny from all" so that those files can't be accessed
via a web browser. If you see anything else that you think should be addressed, please
give me a call at the number on the site so that we can evaluate and if needed address
the issue before it is publicized in order to keep our clients secure. Thanks again.
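One way to apply the .htaccess fix proposed in raymor's post and then verify it from the outside, as an added example that is not Comus Thumbs' code nor anyone's from the thread; it assumes Apache with AllowOverride enabled for the site and curl available, and the file list it probes is the one from the first post.

```shell
#!/bin/sh
# Added example, not Comus Thumbs' own code: block HTTP access to /ct/dat
# (the fix raymor suggests) and verify it. Assumes Apache with AllowOverride
# enabled for the site, and curl installed for the check.
set -eu

# Files the thread reports as world-viewable on a default install.
CT_DAT_FILES="raws alog cstats.dat dailytotals history ip/log uniques"

# Write an .htaccess that refuses every request for files in the data dir.
# Both the Apache 2.2 form (Deny from all) and the 2.4 form (Require all
# denied) are emitted, so the same file works on either version.
harden_ct_dat() {
    dat_dir="$1"
    cat > "$dat_dir/.htaccess" <<'EOF'
# Comus Thumbs data files (stats, logs, admin IP log) are never served over HTTP
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Return 0 if the .htaccess in the given dir carries a deny rule, 1 otherwise.
htaccess_denies_all() {
    grep -Eq 'Require all denied|Deny from all' "$1/.htaccess"
}

# Probe each listed file over HTTP; anything answering 200 is still exposed.
# Expect 403 once the .htaccess is in place (404 if the file does not exist).
# Usage: check_ct_dat https://your-tgp.example   (needs network access)
check_ct_dat() {
    base="$1"
    exposed=0
    for f in $CT_DAT_FILES; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/ct/dat/$f")
        if [ "$code" = "200" ]; then
            echo "EXPOSED ($code): $base/ct/dat/$f"
            exposed=$((exposed + 1))
        else
            echo "blocked ($code): $base/ct/dat/$f"
        fi
    done
    [ "$exposed" -eq 0 ]
}
```

Filesystem modes are a second layer, but note that the thread's chmod 622 strips the owner's execute bit from the directory and adds world write; if you tighten modes, use something like chmod o-rwx and make sure the user Apache runs Comus as can still read the files.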