Another couple Twitters got popped by your fellow neighborhood apes.
https://twitter.com/mastodonmusic <- 131,000 followers
https://twitter.com/TheOfficialA7X <- 1,230,000 followers
Love, Welfare & KFC
Just jacked this Instagram
http://instagram.com/thereadysetm8# <- 80,000 followers.
Greetz to YuNG SaM.
We’ll be bringing more content soon.
The story of Maniac, a liar who blatantly talked shit behind the back of somebody in an effort to help his lying.
Maniac is somebody who likes to get owned and continue to use the Internet even after they’ve been owned countless times. The first example of this was done by Dictate a long time ago back when he used the Internets.
Maniac’s First Dox
This dox was flawed, as I was later to find out after researching Maniac extensively for the past month or so now. Most of it was correct, but there were details missed that I have now corrected, courtesy of the fact that Maniac was simply incapable of listening to my offers.
As the story first unfolds I had decided to prove a point and just dox some basic people who were close to Maniac to ensure I was a serious opponent and I was ready to take him down just as quickly.
These two were easy pickings and didn’t take long to figure out. I have quite a bit more information too as my obvious fallback in case something happens in this release.
So now it’s come time for me to release all the work that I’ve been working on throughout the on and off times that I’ve decided to continue the ownage.
First of all, allow me to introduce the dox on Maniac v2, now improved many times over.
Maniac v2 Dox
Next, allow me to explain how I rooted his box multiple times.
I found the backend IP from CloudFlare by requesting an email and reviewing the headers from the server. I then used an old password of his that I had from a compromised email and SSH’d into the server. I then stole every single file that I needed to and did what I needed to. I had defaced the website, which was active for a very short period of time (5 minutes). He then freaked out and shut down the server, which made him miss the fact that I had set up a backdoor on his server. I then dug through the files after he got the server back up and found a file that allowed me to LFI (getcont.php), which let me see what sort of changes he made for security. Not many.
To finalize everything, I have left him without three resources: power, gas, and water.
Good game mate.
Figured I’d talk about something that recently happened or what happened tonight anyway.
So I was doing my thing being a dumb ape when all of a sudden I get two new friends requests on Jabber.
Knowing me I instantly add them because I’m a faggot with no friends, and then what follows is a guy by the name of Respire starts messaging me hostile as could be for no apparent reason.
He then goes on to explain that he’s doxing me, and he’s going to fuck me up if I don’t let him take over Vv3.
Anyway, this is all irrelevant, as he later went on to explain about how he was going to root my server, from which case I laughed hard because I’ve heard this at least 20 times.
From which case I ask, how?
He responds: an LFI.
(Side note: I do think he was just joking around, and I didn’t take him seriously.)
Which actually got me thinking: is there the possibility an LFI even exists on my server?
I thought it was unlikely that an LFI did exist, but as I thought about it I realized that WelfareIM, my original site, had previously been text documents. To convert it I integrated SQL but didn’t want to import all of the files, so I decided to keep it text-based, where it just reads text documents.
So obviously that opens up the capability that somebody could actually LFI my server.
So I quickly open up FTP, access my WelfareIM files, go straight into the /dox folder and continue to edit my index.php file.
Obviously what comes next? I find that I have very few security checks in place to prevent an LFI.
Then, I quickly remove the $_GET in PHP and save.
Next, I notice how stupid I made it: it would have literally read any .txt document as long as they would be able to get the correct path in the name field.
They also would not have been able to leave the directory of that specific account; I make every single website I host an individual account that is stuck inside of its own allocated space.
So I quickly implemented a solution to just verify the input of the name field, to check the validity of it in the database, obviously preventing SQL injection through a basic real_escape_string as well as no error logs, just in case.
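The check described above, sketched as an added example (not the author's code, which was PHP and is not shown on the page): the requested name is looked up with a bound parameter, and the resolved path must still sit inside the document folder. Python with an in-memory sqlite3 table stands in for the site's PHP and SQL database; the table name `docs`, the folder layout and the function names are assumptions.

```python
import sqlite3
import tempfile
from pathlib import Path

def open_db(names):
    """Constructed stand-in for the site's SQL table of published documents."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (name TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO docs (name) VALUES (?)", [(n,) for n in names])
    return db

def read_doc(db, base_dir, name):
    """Return the text of a published document, or None if the request is refused."""
    # 1. Allowlist: the name must match a row exactly. The bound parameter keeps
    #    the value out of the SQL text, so no escaping step is involved.
    row = db.execute("SELECT name FROM docs WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    # 2. Build the path from the stored value, not from the request string.
    base = Path(base_dir).resolve()
    target = (base / (row[0] + ".txt")).resolve()
    # 3. Containment: after symlinks and ".." are resolved, still inside base.
    if base not in target.parents or not target.is_file():
        return None
    return target.read_text(encoding="utf-8")

def demo():
    """Run the check against a constructed folder layout and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dox = root / "dox"
        dox.mkdir()
        (dox / "alpha.txt").write_text("public entry\n", encoding="utf-8")
        (root / "notes.txt").write_text("not for publication\n", encoding="utf-8")
        # The second row simulates a bad entry in the table itself.
        db = open_db(["alpha", "../notes"])
        return {
            "listed": read_doc(db, dox, "alpha"),
            "unlisted": read_doc(db, dox, "beta"),
            "bad_row": read_doc(db, dox, "../notes"),
            "quote_in_name": read_doc(db, dox, "alpha' OR '1'='1"),
        }

if __name__ == "__main__":
    print(demo())
```

The `bad_row` case shows why the containment step is kept even with an allowlist: a name that reached the table by mistake still cannot resolve outside the document folder.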
My next thought was to dig through the raw access_logs of my welfare.im server and see just how much had been accessed, if any data was compromised from the attack.
Surely enough there were many attempts over the past month to exploit this certain file, not quite sure what made them think this file is vulnerable since it gives no signs that it is, but they were.
I double checked and made sure that no data was accessed whatsoever, and fortunately there were no successful attempts made.
Also, for some odd reason some ape was trying to RFI it; not quite sure how they think that’ll work, but more luck to them.
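An added example of the access-log review described above (not the author's tooling): it pulls requests for the document page out of Combined Log Format lines, labels `name` values that look like local or remote include attempts, and separates the ones answered with a 200 and a body. The URL paths, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')
REMOTE = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample lines: documentation IP ranges and an example hostname.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2014:10:00:01 +0000] "GET /dox/index.php?name=alpha HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2014:10:02:13 +0000] "GET /dox/index.php?name=../../secret HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [01/Jan/2014:10:02:20 +0000] "GET /dox/index.php?name=%2e%2e%2fsecret HTTP/1.1" 404 312 "-" "-"',
    '192.0.2.44 - - [02/Jan/2014:03:14:15 +0000] "GET /dox/index.php?name=http://files.example.test/x HTTP/1.1" 200 0 "-" "-"',
]

def classify(value):
    """Label one decoded name value; None means it looks like a normal request."""
    if REMOTE.match(value):
        return "rfi"  # a URL where a document name belongs
    if ".." in value or value.startswith("/"):
        return "lfi"  # parent-directory or absolute path
    return None

def triage(lines, paths=("/dox/", "/dox/index.php"), param="name"):
    """Return (client, kind, value, status, size) for each suspicious request."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target, status, size = m.groups()
        url = urlsplit(target)
        if url.path not in paths:
            continue
        for raw in parse_qs(url.query).get(param, []):
            value = unquote(raw)  # parse_qs decodes once; catch double encoding
            kind = classify(value)
            if kind:
                hits.append((client, kind, value, int(status), 0 if size == "-" else int(size)))
    return hits

def served(hits):
    """Attempts answered with 200 and a non-empty body: review these by hand."""
    return [h for h in hits if h[3] == 200 and h[4] > 0]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A 200 with a body is only a lead, since a page can return its normal template on a failed read; compare the size against a known-good response before drawing a conclusion.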
So to finish up what I was saying fellow primates, all apes are vulnerable because we eat bananas.
Obviously I changed all my passwords on the server, even ones with disabled logins, aka root.
Moral of the story is really cut down the amount of bananas you eat, it could leave you hacked.
tl;dr: I’m a dumb primate and I probably could have been expozed like an access log or some shit; I don’t know what they’d get their paws on as .txt with very limited access.