Encrypted Pastebin PoC

=== Tuhimunatanga ===

Contributors: @te_taipo

Requires PHP: 7.2

Stable tag: 1.0.0

License: GPLv2

License URI: http://www.gnu.org/licenses/gpl-2.0.html

A proof-of-concept demonstration of a secure pastebin application.

Thanks to Karaitiana Taiuru for his dictionary of Maori-language computing and social-media terms: https://www.taiuru.maori.nz/dictionary-computer-social-media/

== Description ==

Features of Tuhimunatanga
+ No identifying information is held in the data
+ If you have forgotten the web address or the password: if these are lost, the paste cannot be decrypted
+ Uses the AES-256-GCM mode
+ 102.4-bit strength of the encrypted password keys
+ 89.31-bit strength of the web address generated for each paste created
+ You can delete your paste
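To make the feature list concrete, here is an added Go sketch (not the plugin's own code, which is PHP) of the core of such a design: a paste sealed with AES-256-GCM under a key derived from a generated password, with the server storing only salt, nonce and ciphertext, plus the entropy arithmetic behind the quoted 89.31-bit figure. It assumes a 15-character base62 URL token, and derives the key with a single HMAC extract, which is adequate only because the password is itself a generated random secret.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math"
)

// KeyStrengthBits is log2(alphabetSize^length), the entropy of a uniformly
// random token; 15 base62 URL characters give 89.31 bits (assumed alphabet).
func KeyStrengthBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// StoredPaste is all the server keeps: no author, IP address or plaintext.
type StoredPaste struct{ Salt, Nonce, Ciphertext []byte }

// gcmFor derives the AES-256 key with a single HMAC extract (HKDF-style), which
// is enough because the password is a generated random secret, not a human one.
func gcmFor(password string, salt []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(password))
	block, _ := aes.NewCipher(mac.Sum(nil)) // fixed 32-byte key: AES-256, cannot fail
	return cipher.NewGCM(block)
}

// SealPaste encrypts with a fresh random salt and 96-bit nonce for every paste.
func SealPaste(plaintext []byte, password string) (StoredPaste, error) {
	buf := make([]byte, 28) // 16-byte salt followed by the 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return StoredPaste{}, err
	}
	gcm, err := gcmFor(password, buf[:16])
	if err != nil {
		return StoredPaste{}, err
	}
	return StoredPaste{buf[:16], buf[16:], gcm.Seal(nil, buf[16:], plaintext, nil)}, nil
}

// OpenPaste fails closed: a wrong password or altered bytes fail the GCM tag check.
func OpenPaste(p StoredPaste, password string) ([]byte, error) {
	gcm, err := gcmFor(password, p.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}
```

Losing either the URL token (the server's lookup handle) or the password leaves nothing on the server that can recover the paste, which is the property the feature list describes.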

A Quick Look into 8 Chan – IP Map

8 Chan is hosted in Reno, USA at N.T Technology In. They employ a range of servers to host 8chan, including a mail server, a mirroring server, and various mirror servers. 8 Chan is a service that masquerades as a free-speech platform but in reality is purpose-built to recruit, train and mobilise ethno-nationalist and alt-right extremism.

8 Chan employs the services of CloudFlare, who protect their terrorism-spawning platform from DDoS attacks.

For a look into their other websites, see: EXCLUSIVE: How money flows from Amazon to 8chan

What is more interesting than staring at CloudFlare servers are the actual 8 Chan web-servers themselves. Below is a little map of their current setup which will likely change in the coming days.

Warning: This may bore you to death

  • https://whois.arin.net/rest/org/NTTECH-1.html
    Jim Watkins and his son run this little private server farm.
  • https://whois.arin.net/rest/poc/TW488-ARIN.html
  • Netblock NET-206-223-144-0-1 (Hosts 8ch.net) Info
  • https://whois.arin.net/rest/net/NET-206-223-144-0-1.html
  • IP Block: –

Production Servers

Server IP:

  • Server: nginx/1.11.3
  • Mail server
  • X-Powered-By: PHP/5.4.16
  • mail.8ch.net
  • SSH-2.0-OpenSSH_6.6.1
  • Ports 22, 25, 80, 110, 143, 993, 995 open; port 5353 open – Multicast DNS

Observation: This is obviously a mail server application, and a very out-of-date one.

Server IP:

  • Not properly bound to 8chan
  • Server: nginx/1.8.0
  • SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420

Observation: It is likely that this is the principal server.

Server IP:

  • Bound to 8chan.net
  • Server: nginx/1.14.0
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Server IP:

  • redirects to 8chan.net
  • Server: nginx/1.8.1
  • OpenSSH NULL

Server IP:

  • redirects to 8chan.net
  • Server: nginx/1.10.1
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Live Static Archives:

  • They appear to be static live html outputs of the site
  • PHP script is disabled

  • Server: nginx/1.8.1
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

  • Server: nginx/1.14.0
  • SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

  • CVE-2018-15919
  • CVE-2018-15473
  • CVE-2017-15906
  • Server: nginx/1.14.0
  • SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

  • Server: nginx/1.11.2
  • SSH-2.0-OpenSSH_7.5 FreeBSD-20170903


Other servers of interest in this IP range (but not necessarily 8CH):

  • ESMTP Postfix (Ubuntu)
  • Server: nginx/1.4.6 (Ubuntu)

  • Server: nginx
  • Port 123 is open: NTP Multicast DNS…Mac?
  • Port 443
  • Port 5353 is open: Mac workstation?
  • Port 8080 is open: see below
  • Port 9306 is open: database port, probably bound locally

Observation: This looks like a remote workstation

  • Server: nginx
  • This server likely does the archiving / static page generation
  • https://gitgud.io/Sapphire/FutaBilly

  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

  • Port 22 open
  • CVE-2016-8858
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Observation: SSH servers?

  • CVE-2016-8858
  • SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Observation: SSH servers?

  • Meow
  • Server: Apache/2.4.7 (Ubuntu)
  • SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8

Why you should ditch Cloudflare

Cloudflare is a network provider offering a reverse-proxy, pass-through service. Apart from some terrible security practices (for example, even if you use SSL certificates [https://], Cloudflare can see your passwords), Cloudflare also does the following:

  • Shields criminal webmasters by hiding their IP address from the public.

The example most on our minds at the moment is the massacre of worshippers at several mosques in Christchurch, Aotearoa New Zealand by a white supremacist terrorist who had used 8chan as a launch pad for his terror. Cloudflare, while fully aware of the activities that occur on 8chan, and even after this took place on their client's web platform, continue to offer them IP shielding, protecting the very existence of 8chan and allowing users free rein to plan, strategise and refine the tactics of their next mass shooting.

What can you do?

Check if your company or webserver uses Cloudflare and ditch them. They are not an essential service for 99% of their customers, who use the service more because of scareware tactics by the company.

How can I find out if my website is using Cloudflare?

Check to see if your domain name is in the following list of 10,078 websites that use Cloudflare:

If it is, and you are familiar with domain name DNS, you can either log into your web service control panel and follow its instructions for disconnecting the service (essentially resetting your domain name servers back to their original settings), or contact the help and support centre of your web service to request instructions or assistance in removing this service.

Twitter Abuse Blocklist

Archived here: https://pastebin.com/mBhWkbrf

This began as an experiment to see how blocking the follow list of a known racist troll would affect their ability to amplify their attacks out to their wider network.

The user in question (account now suspended) was @MaorisN.

After scraping the Twitter IDs of the followers list, these accounts were first vetted manually to make sure that there were no unintended blocks. Accounts were selected that were most certainly troll or sock accounts. This was achieved by some analytics using the Twitter API.

Other accounts were also analysed and common follower accounts were extracted; however, not all common followers were included in the final list. For example, hundreds of accounts were NZ farmers, many indicating they were members of Federated Farmers, and some accounts were Federated Farmers Comms Team people themselves. Whilst this appears to be an indicator that the Fed Farmers communications team, at the very least, were embarking on attack campaigns on Twitter, these farmers' accounts were at least legitimate Twitter accounts and not *sock* accounts.

The final list came to about 190 accounts in total.

The list was offered in two forms for users to block these accounts: a CSV file to import into the Twitter blocklist, or a BlockTogether subscription.

The reason for the two methods was to offer a way of double checking user ids with the user accounts, as well as a quicker way for users to import blocks using BlockTogether – for those that do not mind using a 3rd party service to manage their block lists.

The end result was quite hard to gauge but feedback was very positive with many saying that attacks ended shortly after importing the block list.

Another interesting, though not necessarily related, development is that about half of the blocklist accounts are now suspended. That may or may not be a result of this experiment, but it shows that, at the very least, 50% or so of those on the blocklist were using their sock accounts in a way that broke Twitter's TOS.

The list is now removed, but the BlockTogether link is still being maintained. It contains the remaining accounts that are still active.

Footnote: If you feel you are being hard done by being on this block list, use the comments function below to state your case.

Pareto Security :: Description of features

Below is a description of the advanced features of Pareto Security listed in the Advanced settings of the dashboard.

As stated, it is best not to use these features unless you know a thing or two about web security. 99% of what Pareto Security does, it does in its default settings, so you do not need to enable these extra features. Doing so increases the possibility that legitimate users' IP addresses may get accidentally banned.

The first two features are enabled by default; you do not need to enable advanced filtering to enable them.

  • Hard ban attempts to attack the webserver: Some requests made to your webserver can only be attempts to attack the server. These are prevented from executing, and the IP address the request originated from is banned from accessing your website again.
  • Hard ban attempts to inject malicious code into the database: The same as above, except this separates out attempts to attack the database.

The rest are enabled by enabling advanced filtering.

  • Hard ban injection attempts via browser user-agents: Every web browser sends a piece of information stating what type of browser it is. This can be spoofed by an attacker and can contain attack scripts aimed at exploiting your website. Many malicious requests spoofed in this manner are benign blind attempts; others are very serious attack attempts, and these serious ones are banned. There is, however, a tiny risk of banning the IP address of a legitimate user, so for this reason, and for all of the following features, it is best not to use them unless you know the risks.
  • Advanced HTTP_HOST filtering: Aims to address this – https://expressionengine.com/blog/http-host-and-server-name-security-issues
  • Soft Ban Bots: As stated above, not all bots are bad, but many are indicators of vulnerability scanners intent on mapping your website in preparation for an attack, so in advanced mode the plugin will block any request to browse your website where the browser's user-agent is not a usual web browser. Soft ban means: block the request but don't ban the IP address permanently.
  • Advanced POST Filtering: In some earlier versions of PHP (older than 5.4) it is quite easy to carry out a denial of service attack via blind posting of data. These methods are not well known, one of them I discovered myself, however if they were to become well known – since WordPress still recommends some versions of PHP older than 5.4 – it could get quite messy.
  • Domain Name Safe List: This is related to the Advanced HTTP_HOST filtering feature. When you first enable Advanced Filtering, the domain name of your website is registered as the official domain. This works in most instances, but it will cause problems in rare cases.
  • Filter login attempts: This feature compares the login username against the database list and blocks the request from continuing if the username is not registered. When the Hard Ban option is left disabled, this merely blocks the request; if Hard Ban is enabled, the IP address of the requester is added to a permanent ban list.

Again, there is no need to enable Advanced Filtering, and certainly do not enable the Hard Ban option if you do not know how to edit an .htaccess file.