Got hacked through the forum.

[2600]

Let me know how you did it. My site is Removed
If it ends in 215, that ain't it. Send me a PM with the IP if you find it.

[Brf]

Code: Select all

ping systechforum.net -4

Pinging systechforum.net [104.28.23.23] with 32 bytes of data:

[Lumpy Burgertushie]

same IP I got just running it in a "find my IP" type website .


robert

[2600]

That's Cloudflare's IP! Not my real IP!

[Techie-Micheal]

Yeah, it was PHPlist. https://blog.sucuri.net/2013/09/securit ... b-com.html

Could have sworn there was an early hack involving some leaked passwords. Maybe that was just a website/server issue or something. It was like last year when the site was down for like three weeks.

Edit-

Yeah, 2014 https://theadminzone.com/threads/phpbb- ... 392/page-2

Here's the announcement. viewtopic.php?f=14&t=2283426

Was a server attack. It's why I mask my IP with CloudFlare and delete the MX record and use Gmail as the E-mail service. The MX record gives away the real IP. I have yet to find my real IP with a CloudFlare resolver. It does show the old IP though. That's because I wasn't using CF and those CF resolver websites grabbed it in the plain.

The real IP, sometimes referred to as a RIP, is not needed to compromise a server. There are only two things that must be true for a technical breach (i.e. not social engineering):

- Accessibility of a service (HTTP, SMTP, FTP, SSH, ...)
- A vulnerability in that given service

Hiding behind a proxy does not prevent an attack. What a proxy like CloudFlare does give you is the ability to implement additional controls. However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned. That does not require knowledge of the RIP.

Having compromised many a server, I usually don't find the RIP until I get in to the server behind the load balancers and proxies.

[2600]

CloudFlare doesn't have any of those ports open....

[Techie-Micheal]

CloudFlare doesn't have any of those ports open....

You don't have a website? I'm pretty sure you do, so you have at least a webserver running, which means you at least have HTTP exposed.

[2600]

HTTP port 80 goes through CloudFlare.

I did an Nmap on my domain and CloudFlare shows their open ports, but this IP address that CloudFlare (the reverse proxy) uses several websites that fall under 104.28.23.23 which is the IP I have. I'm not understanding how just a port would allow a hack when you also need the real IP address. A port is just a port and means nothing without an IP associated to it. In my case the IP for my website goes to 104.28.23.23 which is CloudFlare. Any open port there would be CloudFlare's and only CloudFlare's. Which means hacking say, SSH or FTP on 104.28.23.23 would be for CloudFlare and not my website's true IP address.

[Techie-Micheal]

HTTP port 80 goes through CloudFlare.

I did an Nmap on my domain and CloudFlare shows their open ports, but this IP address that CloudFlare (the reverse proxy) uses several websites that fall under 104.28.23.23 which is the IP I have. I'm not understanding how just a port would allow a hack when you also need the real IP address. A port is just a port and means nothing without an IP associated to it. In my case the IP for my website goes to 104.28.23.23 which is CloudFlare. Any open port there would be CloudFlare's and only CloudFlare's. Which means hacking say, SSH or FTP on 104.28.23.23 would be for CloudFlare and not my website's true IP address.

Okay, let's take a step back. Let's establish a few things:

- CloudFlare is a proxy to your website.
- Your real server IP is unknown to the internet at large.
- Your website runs phpBB, PHP, and a webserver at minimum.
- A website visitor (or attacker) does not need to know the real IP address to connect to your website.

Someone need only connect to your website through CloudFlare to initiate attacks. It is not required to know your real IP address.

[2600]

Okay, yes, they would have to deal with CloudFlare that has safeguards like a WAF. But it won't be through SSH, FTP, etc. Since the real IP is not known and any port open on my IP that CloudFlare issues would be theirs and only theirs.

So to summarize. An attack would have to be at the application layer and not through SSH, HTTP, FTP, etc.
SQL injection, traversal attacks, etc.

It was just that you said that all you needed was a port and I was saying my real IP is hiding behind CloudFlare. I mentioned above I have yet to find my real IP using everything and anything thought of and read about. I did mention that if my IP shows up ending in 215 that was not it as that as that was old.

[Techie-Micheal]

Okay, yes, they would have to deal with CloudFlare that has safeguards like a WAF. But it won't be through SSH, FTP, etc. Since the real IP is not known and any port open on my IP that CloudFlare issues would be theirs and only theirs.

So to summarize. An attack would have to be at the application layer and not through SSH, HTTP, FTP, etc.
SQL injection, traversal attacks, etc.

It was just that you said that all you needed was a port and I was saying my real IP is hiding behind CloudFlare. I mentioned above I have yet to find my real IP using everything and anything thought of and read about. I did mention that if my IP shows up ending in 215 that was not it as that as that was old.

HTTP, yes.

[2600]

Funny that offensive-security.com uses the reverse proxy Securi. Looks like they use OVH though.

Question: Are there real jobs for Pen testers? Do they pay well? I have a Pen tester program that I have used to test my own website.

[Techie-Micheal]

Funny that offensive-security.com uses the reverse proxy Securi. Looks like they use OVH though.

K?

Question: Are there real jobs for Pen testers? Do they pay well? I have a Pen tester program that I have used to test my own website.

You asked if there are real jobs for pen testers, but then state that you used a pen tester program to test your own website. I think you know the answer.

The real IP, sometimes referred to as a RIP, is not needed to compromise a server. There are only two things that must be true for a technical breach (i.e. not social engineering):

- Accessibility of a service (HTTP, SMTP, FTP, SSH, ...)
- A vulnerability in that given service

Hiding behind a proxy does not prevent an attack. What a proxy like CloudFlare does give you is the ability to implement additional controls. However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned. That does not require knowledge of the RIP.

Having compromised many a server, I usually don't find the RIP until I get in to the server behind the load balancers and proxies.

HTTP port 80 goes through CloudFlare.

Let's go through this one more again. CloudFlare is a proxy. It sends traffic to your server. That traffic is application traffic as well as HTTP, because your webserver, which understands HTTP to process the request, has to provide a response. So, back to what I said:

However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned.

If you have genuine questions, ask. Rude behavior, however, is not welcome.

[2600]

However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned.

https://www.cloudflare.com/waf/


Where did you get the idea I was being rude?

[Techie-Micheal]

However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned.

https://www.cloudflare.com/waf/

Yes, I know that CloudFlare has a WAF. But that doesn't mean everything will get caught by the WAF. And bypasses do exist.