New on LowEndTalk? Please Register and read our Community Rules.
Who is behind Localhost.re?
Anonymous domain behind cloudflare:
nic-hdl: ANO00-FRNIC
type: PERSON
contact: Ano Nymous
remarks: -------------- WARNING --------------
remarks: While the registrar knows him/her,
remarks: this person chose to restrict access
remarks: to his/her personal data. So PLEASE,
remarks: don't send emails to Ano Nymous. This
remarks: address is bogus and there is no hope
remarks: of a reply.
remarks: -------------- WARNING --------------
registrar: INTERNET.BS CORP
changed: 08/02/2013 [email protected]
*anonymous: YES*
obsoleted: NO
eligstatus: ok
eligdate: 08/02/2013 01:34:34
source: FRNIC
Mail via Google Apps, so no help there. Netcraft tells us that it was an Amazon IP before: http://toolbar.netcraft.com/site_report?url=localhost.re
Organisation | Address | IP address | OS | Web server | Date
CloudFlare, Inc. | 665 Third Street 207, San Francisco CA US 94107 | 108.162.194.79 | AIX | cloudflare-nginx | 14-Oct-2013
CloudFlare, Inc. | 665 Third Street 207, San Francisco CA US 94107 | 108.162.199.70 | Linux | cloudflare-nginx | 13-Oct-2013
CloudFlare, Inc. | 665 Third Street 207, San Francisco CA US 94107 | 108.162.194.79 | unknown | cloudflare-nginx | 3-Oct-2013
Amazon.com, Inc. (Amazon Web Services, Elastic Compute Cloud, EC2) | 1200 12th Avenue South, Seattle WA US 98144 | 204.236.217.167 | unknown | Apache/2.2.15 Red Hat | 9-Mar-2012
Amazon.com, Inc. (Amazon Web Services, Elastic Compute Cloud, EC2) | 1200 12th Avenue South, Seattle WA US 98144 | 204.236.217.167 | Linux | Apache/2.2.15 Red Hat | 9-Mar-2012
The site itself doesn't tell a lot and the code is quite generic. Do we know who is behind the website?
Comments
I'm pretty sure there is no chance we will get to know who's behind it, because his approach is... questionable ;-)
I think it is good what he does; why should only the governments and crime rings know the vulnerabilities in code that runs with customer data?
+1 for him, boo to solus/whmcs.
I agree 100% with this.
It would be good if he told WHMCS/SolusVM and they acted appropriately. Maybe he started off that way and they ignored him. However, broadcasting ways to take down, compromise, destroy, etc. a majority of hosts is hard to call "good" unless you like seeing people in pain.
However he blogs about it rather than sell it on hacking boards. Which makes a hell of a difference.
I think he did, at least the last time, give them some chance, but it is frustrating to write to people about problems and have them send the cops after you or ignore you, plain and simple.
Solus at least did an audit; whmcs couldn't care less.
I do not want anyone to suffer, don't forget we are sailing in the same boat, but it is not his fault:
1. It is best that the exploit is known to everyone forcing the company to close the backdoor;
2. It is the fault of the company the backdoor existed in the first place;
3. He shows that code obfuscation and "closed source" is not working better than open source; it is actually worse in most cases. The difference is that exploits and backdoors are harder to find for the legit people, whose business and even life depend on it.
It certainly is partially his fault since he's not -technically- supposed to be decoding that software. I understand he's not hacking anyone (as far as we know), and I understand the code should be much more secure, but he is causing significant trouble regardless. I don't think we should be lionizing the guy. I doubt he has the best intentions given his propensity for including extra lines in his exploits to cause greater damage. Again, his service could be worthwhile if it were handled privately with the negligent companies, but the fact that they haven't listened to him (assuming he has actually contacted them, which sounds like an unfounded assumption unless someone has information to the contrary) doesn't make him the good guy for posting hacks on his blog. I appreciate him not spreading his exploits privately around nefarious circles, but that doesn't somehow make him a knight in shining armor. I'm sure he is taking a lot of pleasure in seeing us and WHMCS running around like chickens with our heads cut off every time he posts something. If he were truly some noble character, he would patch his own instances, notify those for whom he has concern, and hope that the developers eventually listen.
tl;dr no one in this mess should be receiving praise for how it's being handled.
He doesn't expose vulnerabilities alone. He provides the less intelligent with an easy to use script to exploit others. Motive is everything. His motive is anything but respectable. He is not playing a positive role because of this one detail. That detail overshadows any potential good he could be performing. He is a digital terrorist attempting to strike fear in his targets, which are clearly web hosts and not the whmcs developers. If those were his targets, his scripts would target them. He hates web hosts. He is an enemy to small business.
Want proof of who he really hates? Everyone switch to blesta and watch his interest in whmcs suddenly change to blesta. He wants to take out web hosts. He probably has competitive interest in bringing down other hosts. This is NOT someone I would rally behind. I like to know where holes exist, I don't like putting tools in the hands of script kiddies and saying "go destroy my competition."
I don't think it's fair to vilify him. He could easily keep quiet about the exploit, sell it for a few grand and the first you'll know about it is when it hits your installation.
He is effectively the messenger. Don't shoot the messenger. Given the news about spying/wikileaks/Snowden... it's important to remember that just because the truth is hidden, doesn't mean it's not true.
He's not a messenger, he's an activist putting weapons in the hands of script kiddies. Except more than an activist, it's probably driven by a desire to harm competition. His script provides all context necessary, no theories needed. He has malicious intent, period. That isn't an opinion and it isn't open to interpretation. If you don't have malicious intent, don't arm script kiddies and tell them to attack everyone who isn't responsible for this code.
@ricardo Obviously he is not doing the most damage possible, but that doesn't mean he's not still doing damage. He is guilty insofar as he causes such trouble.
Why do you even care? He does nothing illegal.
Devil's advocate! What's the best way for him/her (you sexists!) to handle public disclosure?
You sound like those crazy chicks who have a crush on convicted felons.
I think there's a hint of bias because people are running WHMCS and feel vulnerable. I'm pretty sure Apache/Linux is on a lot of servers for the same kind of reasoning... the avoidance of using proprietary insecure software.
I guess it's like that old saying that guns don't kill people... people do.
Anyways, it'd seem he has at least 3 vulnerabilities listed on localhost.re. So if they weren't published there... no one running WHMCS would be running the patched versions. If someone feels more comfortable (or blissfully unaware) running the vulnerability then I guess that's their choice... but probably not the best one for their customers.
Exposing the problem, not creating a script kiddie friendly way to execute it and a clear message of "fill in this blank with the host you want to target." That's not even riding the line between exposing problems and malicious intent, that's just way out there in malicious intent territory with no attempts to hide it.
@ricardo Difference in telling someone how to buy a gun and loading it, showing them how to aim it at a specific set of people, putting their finger on the trigger, and sending them out in the wild. Huge difference.
Execution is everything in this case. It exposes the intent.
That, my friend, is a matter of interpretation. Exposing people doing illegal things is illegal, therefore people doing so need to hide or face tens of years in prison.
If you are an undesirable and too known to be simply disappeared, you will suddenly find out you were not paying your taxes, or your medical point on board your ship had some dope in it, or you once ate in the same restaurant someone who is believed to be a terrorist ate too.
If the government wishes you to be silent, you will be, one way or the other and that will be well publicized in a show trial to teach everyone a lesson.
That being said, back to the case at hand: yeah, publishing PoC exploits is certainly not a good intention, but if that is the only way to make people get their heads out of their asses and look around, then fine. I have no proof he did inform them beforehand; however, the last exploit was handled differently.
Usually when someone finds out about an exploit and calls the company to fix it, they will first send cops after him because he decoded or decompiled or otherwise reverse engineered and circumvented their means of hiding the exploits, backdoors whatever. The first thing NSA will do when someone exposes their backdoors will be to shoot first ask questions later, national security above everything else, in this case, profit above anything else.
The law allows it. It is broken the same way as the law that punishes drug addicts, or whistle blowers because they expose secret stuff, or the one that allows everyone to carry guns. Truth has to hide today, it is dangerous, everyone should run away from it.
I don't see that in his/her writings. I see them clearly identifying the vulnerability, which is EVERYTHING that Full Disclosure is about.
You don't see the scripts? Look I'd be all for it without script kiddy friendly scripts with a spot in the header to insert your favorite host. Absolutely nothing about that part is defined by full disclosure and it overshadows everything else that he does. You can't really just ignore that like it's a small detail. It's the one that defines intent.
I do. One (wo)man's kiddy friendly script is another (wo)man's Fully Disclosed and documented example.
I've seen a LOT of vulnerabilities, across a wide range of products, and these don't look anymore disastrous than any others. You should check out the Full Disclosure mailing list if you think localhost.re is something to get your panties in a wad. ;-)
One thing that we don't yet know (and this always comes out, eventually) is what the person behind localhost.re might have done before going public. Time will tell.
It's still not part of the full disclosure doctrine to arm script kiddies. I support exposure. That one change in tactic would turn this individual from enemy to friend in my eyes. It's a small but insanely significant detail. As long as they continue that one part of their tactic, I hope to see them brought down. If the malicious intent isn't there, that seems like a small price to pay to become the friend of the little guys in the industry rather than the enemy. Is he that married to this one tactic so much that he desires to be a target even when unnecessary? Perhaps so, but then it's his own fault if the industry works together to expose him. Which we will, and that isn't a threat, it's a statement of the obvious...that people will defend themselves against a common threat.
Everyone makes mistakes. This person will make one. Everyone keep an eye out.
I agree with that because pointing out and publishing vulnerabilities is the norm in the security industry and is actually a public service (for examples of this visit Secunia or any other site that focuses on vulnerabilities).
What I do not agree with is his posting of scripts that will allow anyone who can copy and paste to hack vulnerable sites. I also do not agree with his not too subtle encouragement of hacking of sites ("Eeeeeeexploit time: Register a new user on a target WHMCS install (/register.php) Edit the whmcs.py exploit Have fun!" )
Letting people (both users and the software makers) know that there is a vulnerability is a public service but encouraging people to hack sites makes him an accomplice to the hacking.
If really posting exploits it's a good example of security holes and that's the only reason why everything was fixed quickly by WHMCS.
And misguided people will misunderstand the true threat. ;-)
If he disclosed some really low level vulns (like the one in solus) I would say: OK, he's causing a hell of problems to providers
But when he exposes the most immature SQL injections and extremely stupid eval stuff then he isn't the one causing you problems, it's WHMCS not following PHP security 101 and hiding it behind obfuscation. God even a PHP first-year student won't make such horrible holes...
Fully agree, the shock he caused to solus people woke them up; it seems that in the case of WHMCS it didn't, they still avoid the audit and try to keep a low profile, like "yeah, the shitstorm will pass, only a few providers will suffer, we will keep collecting our checks".
And the real accomplices here are us, who still use that code and put customer data at risk.
The difference between solus and whmcs is that solus has a lot of serious contenders out there, therefore it is adapt or die, while whmcs can sit on their hands and the money will still come.
I know it is a long shot, but in an e-mail they sent me... obviously to try and provide confidence, they state they are doing external audits. If this is true or not, I have no idea, and if anything the other thread shows them reaching out for help.
---E-mail---
We understand the frustration regarding security that you are having with WHMCS. At WHMCS, it's our desire to take a proactive approach to resolving bugs and preventing security problems in our product. To this point, we have and will continue to conduct both internal and external security audits to further harden and protect our software’s security. While we've been reactive to the recent security problems, it's not how we prefer to operate. The upcoming release of WHMCS, which is currently in beta, will provide over 170 documented bug fixes in our product (http://docs.whmcs.com/Changelog:WHMCS_V5.3).
So, they are doing an external audit? Did they put it on their site?
Like I said, this was an e-mail response to asking if they would be doing one. However, I have not seen a public announcement.