
Is WHMCS next to be exploited?

johnnyd95

New Member
I really appreciate you guys shutting down my business for a week. Me and Ryan both out of town, myself on very bad Internet and no cell signal. Don can only be expected to stay awake so much. This was an unusual week as I work one job out of town every year and Ryan went to hostingcon. Regardless, you two are the cause of much stress, suffering, and financial loss this week. Our clients are as safe as we can make them (Internet, "safe" is a relative term), can't say the same for our physical and mental well being right now.


I hope you're both real proud. I just want you to know that I really appreciate the fact that this week I'm audio engineer, videographer, and I have to play sys admin at night now so I'm literally getting sick from lack of sleep. Much appreciated. Wish you'd picked another week.


There are people on the other side of that screen you know.
Thank you, Curtis G and I worked hard to make it happen. :popcorn:
 

johnnyd95

New Member
Why aren't these people banned from VPSB?  I didn't think we were a skid friendly community.   Both hostbill and WHMCS unencrypted sources are available from a variety of sites, if you have an exploit and you're going to cause "lolz" then go for it and shut the fuck up about it already.
You want Curtis G, and me banned? Put up a poll asking if Curtis G and me should be banned. If the majority of the forum thinks that, then ban us. :popcorn:
 
Last edited by a moderator:

shovenose

New Member
Verified Provider
You want Curtis G, and me banned? Put up a poll asking if Curtis G and me should be banned. If the majority of the forum thinks that, then ban us. :popcorn:
I think banning these people, no matter how annoying, will not help. It might be somewhat helpful to have them here.
 

jarland

The ocean is digital
I think banning these people, no matter how annoying, will not help. It might be somewhat helpful to have them here.
No it won't. They only want attention. They're feeding off the "lulz" here so deprive them of that by banning every new name they make and encouraging hosts to deal with these matters quietly so long as clients are not directly impacted. They are nothing more than children who demand to be heard. I hope one day they grow up and realize that the world doesn't revolve around them, but until then I'd settle for everyone affected filing civil lawsuits for lost income when they step over the line. Sure it's expensive, but kids need to learn. With that said, they'll no longer be acknowledged by me, Ryan, or Don as a part of Catalyst Host. We don't negotiate with skids. Anything further that we have to communicate to them can be done by certified/registered mail, should any reason present itself.
 
Last edited by a moderator:

netnub

New Member
Now to ban netnub too.
For what? Making your security better...


SolusVM, WHMCS, Hostbill are at fault here, not me. I simply abuse the software and find the exploits, I don't develop their shit software.


It's your fault for using the horrible software in the first place. In my "defense", I used my best-efforts to contact the developers, was ignored. Therefore they're stupid for ignoring me.


As for you Jarland, I really have nothing to say to you, besides without people like me you wouldn't understand the concept of security. If we're going to bash people who expose vulnerabilities, why don't we blame every security researcher/exploiter on the internet; too many to count.


As for suing people, that's just pure out bullshit. The fact you want to sue the person who disclosed them is pure stupidity, you should be suing the companies for not understanding the concept of security. I really hate when people like you want to say you can sue anyone for any reason, as that just doesn't work for me. You can't simply sue people for assisting in finding security issues.


As for all the companies like SolusVM, WHMCS, hostbill, spbas, etc. that think they're safe, well they're not. They will never be, as long as they still rely on encoders to make them 'un-exploitable' then people will decode + find vulnerabilities and then expose them.


No matter how much you want to deny what I've said here it'd be very hard for you to do that as it's all facts that I'm posting. I was asked multiple times to contact them first, so I did, I even showed proof! Then I disclosed some, hell even Humza (Infinity on LET) gave them proof of vulnerabilities, however in a blog post they denied that no one sent them anyone.


Unless companies take credit for their mistakes then they'll never learn. Now I'm not going to say you can never be 100% "unhackable", because anything written by people can be exploited, reverse engineered, etc. For example, SolusVM knows what it has to do because someone told it what to do in lines of code, however they f**ked up majorly by not sanitizing the variables.


Therefore, referring to the point above, the company who developed the commercial product is at fault, not the security researchers.


Now I feel I've ranted enough at 12:05 AM in the morning.
 

Marc M.

Phoenix VPS
Verified Provider
I second this motion.
@jarland netnub posted this thread a while back asking about needing a DDoS protected server: http://vpsboard.com/topic/495-251gbs-attack-incoming-flood-advice/?hl=ddos

... just to see how many providers would jump at offering him something; then he started sending private messages to providers, including myself, asking them if they would want to resell DDoS Protection Services from HostKVM.net. I mean why in God's name would I want to do that when we already provide DDoS mitigation for free, and we can also provide IP filtering for a price, all of which is built into our DCs infrastructure.

I'm for banning him as well. Such behaviour is unacceptable and below the standards of vpsBoard IMHO.
 

MartinD

Retired Staff
Verified Provider
Oh boy - here goes

..a lot of bullshit
For what? Making your security better...
SolusVM, WHMCS, Hostbill are at fault here, not me. I simply abuse the software and find the exploits, I don't develop their shit software.
Please share with the community where exactly you made anyone's security better and how fault lies solely at the feet of these software vendors. We'll touch back on this in a moment.

It's your fault for using the horrible software in the first place. In my "defense", I used my best-efforts to contact the developers, was ignored. Therefore they're stupid for ignoring me.
Wrong, once again. You didn't use any 'best-efforts' to contact the developers. You submitted a ticket and used their contact form with a ridiculous title relating to their clock ticking away.. and that if they didn't reply you would release some information (of which no-one has seen anything of any value)

As for suing people, that's just pure out bullshit. The fact you want to sue the person who disclosed them is pure stupidity, you should be suing the companies for not understanding the concept of security. I really hate when people like you want to say you can sue anyone for any reason, as that just doesn't work for me. You can't simply sue people for assisting in finding security issues.
Suing isn't ridiculous here. Different way to look at it, you put the business of many providers on hold for a day claiming you had 18 vulnerabilities to disclose. What you actually had.. was sweet naff all. Are you going to hold your hands up and apologise to the huge number of providers you caused issues for? Oh, and again, you disclosed nothing.

No matter how much you want to deny what I've said here it'd be very hard for you to do that as it's all facts that I'm posting. I was asked multiple times to contact them first, so I did, I even showed proof! Then I disclosed some, hell even Humza (Infinity on LET) gave them proof of vulnerabilities, however in a blog post they denied that no one sent them anyone.
I'm sure I'm not alone here in wondering where all these facts are. You were asked to contact them first (something anyone with 2 braincells would have done before taking their 2" hardon public) but you didn't. It wasn't until mid-afternoon you bothered to contact them. You didn't show them any proof at all, you submitted a lame-ass ticket with no information at all apart from, yet again, your raging hardon for attention. You disclosed some? No, again, wrong. You disclosed nothing of any value at all. With regards to Humza, you should probably speak to him again about that - your wires are quite crossed there. What you provided was a few snippets of code where you used 'grep' to find any instance of 'exec' and treated it as though it was some kind of vulnerability. l33t h4x0r. The blog post was made to confirm that no information relating to any exploits had been given and that was true. Really, what Solus should have done is write a blog post saying "Some kid with a hardon is going around trying to scare providers. Being responsible, we're looking in to all of the code to see if any of this is true. Unfortunately, said kid is too busy wanking in to an old sock over forum posts to get in touch. We'll continue to look for any possible issues in the meantime."

With regards to security over all, I think we should cast our minds back to the posts on LET where you claimed to be coding a billing system. No, wait, a ticket system. No, wait, a VPS panel. No wait... you get the picture. Each and every one of them was picked apart by the community within minutes because the code was so bad and.... wait for it... full of holes. Our self-proclaimed expert on security here is producing code with more air than Swiss cheese.

All you've done on this forum is cry wolf, make bold claims with no proof and prove yourself to be incredibly stupid. You've been rude and disruptive on IRC and you fail to see why people have a problem with you. I would suggest you put the sock away, go outside, play on your go-kart for a while then come back with fresh eyes. No-one here takes you seriously and your attempt to re-brand yourself from "CurtisG" to "netnub" has failed catastrophically. Do us all a favour; grow up.
 

peterw

New Member
netnub:

Trying to blackmail people excludes any just causes. What's your business with SolusVM?
 
Last edited by a moderator:

Daniel

New Member
I would also be in favour of netnub being banned. He does nothing but contribute negativity towards this community.

@netnub Stop pretending you are some sort of hero. You are ruining people's lives.
 

MartinD

Retired Staff
Verified Provider
Trying to blackmail people excludes any just causes. What's your business with SolusVM?
My business? I'm a customer and a provider that was affected. I'm also a reasonable guy that can't tolerate idiots.
 

netnub

New Member
I could honestly care less if I "ruin lives", I can make them a living hell and I wouldn't give a fuck.
 