TMM and TMM / NATS clients Please explain this and SHOW me I'm wrong!!!!
 

Ok below is a snipplet from a raw apache access log of a program who is using
NATS.

I've stripped out the ip of the server and other bits that contain other info
which would reveal anything nobody would like to be revealed and things that
aren't relevant to the issue.

I won't disclose which program this is, the ip or anything else of that matter
as it's irrelevant to the question I ask.....and like to get answered.

I won't get into challenges to proof what is listed below as frankly I don't
need to........If you don't believe anything you see awesome.....I won't
try to change your mind or convince you of anything don't want to believe.

I also have no interest to damage anyone with any of this neither is there
anything to gain from by me just like there's nothng I could lose from by this
or whatever you might want to make believe to.

So why do I post this you wonder? Simply coz I wonder if what I think of it
is true and if others who ARE affected by anything like this can ask
themselves what that means to them. I don't have any grudge to anyone
including TMM or anyone who works with them.

The only other reason apart from wondering myself is that I occasionally
assist others who use NATS and ask me questions I couldn't honestly answer
too if I would leave things I'm aware off out of my answer......obviously that
would mean it could bite myself in the ass for something I had no part in.

Ok short explanation of what you see below

Raw apache webserver access log from NATS server
The script which is used for the exploit that was discovered
The date which isn't as claimed 2 months ago but over 5 months ago
IP from a range within sagonet their IP block. Sagonet is a different hosting
provider who sells dedicated hosting only......so this IP isn't from an access
provider.....it's from a server.....that server doesn't belong to the company
and/or people who own the server the log is from.....so the ip listed should
NOT be allowed to access the script listed in the loglines
Status code for the request is 200 which means authorized and OK
This should NEVER be 200 for the IP in the loglines.

My question......please explain and show me this isn't the same output
pattern as the current problem at hand of which TMM claims didn't occur
before 2 months ago....

I only show the lines from 1 server because I don't want to post anymore
info needed to make my point.......but I do have the same from more than
one hand full of other NATS installed servers who all belong to different
programs and people.

Think I'm bluffing.....cool, not my problem just like I don't feel the need
to proof to anyone I am......make up your own mind.....don't try wasting
your time by challenging me anything as I can tell you I won't bite and
all it would do is wasting your time.

I'm looking forward to your reply and honestly hope I'm mistaken and when I do I'll gladly admit.....as I have said I'm not out to do any kind of damage to
anyone who is envolved in all this.......just curious if what I see is what I think it is and if it is.....why nobody knew about it or keep it silent if they did.

Try to ridicule me or make me look like an idiot and I will show you make a big mistake doing so.......I don't want to start drama but if you beg me for it
I won't be too unpolite to don't give it to you ;-)

That's not a threat and if you feel like it is.......well then I can only guess
why you would.......and confirm it was a good idea to ask this question :winkwink:

For all the people who don't care about any of this......let me ask you
how many pages you think this thread will goto?

:thumbsup

this might be a 7+ pager..

I was here... let's trade niche links while we wait a professional reply.. shall we? ... http://www.gofuckyourself.com/showthread.php?t=791123

Where does it end??

Can't wait to hear the reply

This is technically over my head but interesting as hell.

Ouch....

x2 :helpme

This looks like trouble.

In other news, ARS has weekly payouts and $75 pps! Check us out

Oy Vey Kanka


PS:


I cant wait to party new years yo !!! and go skiing the slopess!!

You are saying the IP blocking should be stopping them?

The IP blocking is done in NATS, not at the apache level. The apache request will still be 200, but the contents of the page will be blocked by the IP restriction.

If you mean something else then I misunderstood you and please explain further.

ehh till now I'm not claiming anything I wrote is shady or proofs anything bad at this point.......I won't do so until someone shows me I'm mistaking and wrong.
which is possible.......when they can't show me reasonably that I'm wrong I
might change my opinion about this :thumbsup

So until now.....don't assume what I wrote really is true or that I'm claiming it's true.......not just yet :winkwink:

but that didn't really address the question by PBucksJohn ??

That is a good question. I will have to ask the techs.

Also, as I said, I was a bit confused by his question. It was a worded a bit strangely. He mentioned 5 months ago. I have no way of knowing who this is or what they had or did not have setup. So it is hard to comment.

If he has a question or accusation he should ask or make it.

SG can you tell me where I'd pull those reports?

Also, we never said this issue did not occur prior to 2 months ago. We said we learned of it a few months ago. We are not 100% sure how long it as gone on for.

Hasn't this all been covered already? Many times?

that sure is interesting...

What about it is interesting?

I don't doubt it was going on 5 months prior. And I didn't think that is what he meant by interesting. You have to admit the original post had a strange tone to it. Whether that was intentional or not I don't know. I don't know SG to be the attacking type so it is probably just the way he speaks, but you know how GFY can interpret whatever they want and run with it.

What does a denied page look like? Does it have the same file size each time its requested or does it contain some dynamic information? If its static, the file size should be the same each time, not quite what the log is showing.
WG

Too techie for me. lol

I agree. As I said to BA I will have to ask the techs. I would assume that he did not have the IP restriction on 5 months ago. I have no way of knowing that as I don't know who it is and I have not spoken with them. SG did not say they had the restriction on, just that since it is at a different host it shouldn't be able to access it. That would require the restriction be on and setup properly. I can't speak to that.

Gonna read this once again as I wake up tomorrow = interesting read as always Hans !

Sounds like he's suspecting something but he dosen't want to attack anybody without definite proof.

our old program amateurwealth had test signup emails getting spammed about 2-3 weeks after they were entered

BEFORE WE EVER ANNNOUNCED OR WENT LIVE

anyone who's been here for a while knows amateurwealth was a long time ago with epic jim, trey (pimpdogg) & myself

maybe the brand new server was hacked
maybe someone at paycom was selling lists
maybe this nats bug is WAY older than a few months (think at least a year)

thats all

Hi,

I don't try to accuse anyone nor do I intend to. Also I haven't read all posts
and threads about all this so forgive me if I ask something that has been
answered once or many times before.

I also mentioned this isn't from my own servers/business as I don't use
NATS myself, this is from someone I assist with tech stuff and who asked
me about it......which only asked recently so that's why it wasn't brought
up before by me......perhaps the person has brought it up before as he did
mention asking some things earlier but the times he did he got replies that
both didn't answer his question as well as made clear it's better to don't
ask about it more or again........but that could have been something else
and I don't know or care to know exactly what was said.......

The question you asked regarding the status code that always would be
200 but not return the contents it normally returns already has been answered. Data that is returned isn't default or don't contain anything
as which the size of it shows......

I mentioned 2 months as I believed and understood that that was
said in a statement by you......if that's wrong....then I misunderstand
and stand corrected.

:2 cents:

AmateurWealth has only existed for a year ?

I wasn't accusing you of accusing :) I was confused and if there is something I'm simply saying if we're more direct it will make it easier.

The response sizes varying is strange, but you can also see the same member ID requested 3 times with different sizes so that may be irrelevant. Again, I'm not exactly sure what the response with a restriction looks like so I can't comment on that at this point and I have no way of even knowing if the IP restriction was on for whoever this is back then.

You are correct, we became aware of an issue a few months ago, but thought we were sure the scope was much smaller. I would imagine it was going on prior to us first getting an indication of it.

You can also always ICQ me with questions and I'll be glad to help you.

Just cuz you can see the file does not mean you can access the file.

Thus nothing, I mean if ya ran this test and took it to the next level to view the file and saw the contents then you would have something.

So I do not know why ya made this thread, knowing that you were not able to access the contents.

These NATS threads are getting pretty boring.

I would just ignore these posts to tell you the truth. Everyone wants to start shit. If they were important they would have asked in a better manner and it would have been through nats support. All these threads are lame.

Its not rocket science. I don't umderstand why people try to make it so.
what happened Is simple and clear as day

I am going to have to re-read this..what am I not understanding..

I read everything posted here and still don't know WTF this is about.

This thread better start delivering or I'm outta here! :mad:

Interesting. So was the user added via the automated bot? or was this user added by NATS itself?

From the looks of the above it looks like an automated request as you can actually see the variables and content (i.e., the request was made using a GET and not a POST).

Servergenius, what script was the add account request sent to?

all I get is something about gogo bots attacking a megatron string of magical code written by two fat men in a rubber room wearing tin foil hats that swear they were cheated out of 10 clicks from a softcore gallery on the hun.

Yup you're right I'm not the attacking type and I don't mean or imply anything
else than I tried to write......I'm Dutch so English isn't my first language...
add a few drinks to that which doesn't improve my english skills. That's why
I posted after seeing the first replies that I don't accuse or claim anything
or even what I posted is true and couldn't be a mistake I made......which
I also stated wouldn't be possible to be a mistake or misinterpretation I made
from what I noticed and thought it could be.......I hope you can understand
this a bit better than my first post.....if not please let me know....and I'll try
again to explain what I really mean :winkwink:

I think I get what you mean now. I figured your English may be an issue but it usually seems to be pretty good. The drinks explain it a bit more tho :)