Possibly how servers during Onymous got located? Apache server status page.

I run a few hidden services and realized that the URL /server-status exposes the IP of most hidden services, including mine. Checking the markets in the sidebar (that are online now), one of them has this page enabled, Majestic Garden/TMG (but unlike most others, it doesn't leak any IPs). Here is an example of a hidden service that leaks its IPs on that page: http://lkzrfpop7hhszdqp.onion/server-status

There is a simple fix: https://httpd.apache.org/docs/2.2/mod/mod_status.html. I think hidden service and darknetmarket operators need to be aware that this page is enabled by default and needs to be disabled to protect the IP address of your Apache server.

Another discussion about this, and how I realized my server was leaking its IP, is here: https://www.reddit.com/r/onions/comments/2s2i11/ok_to_post_real_ips_of_insecure_hidden_services/
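
A local configuration check for the exposure described in the post above, added here as an example and not part of the original post. It assumes the onion service forwards to Apache over 127.0.0.1, so requests arriving through Tor look like loopback clients and pass a "localhost only" rule; `audit_mod_status` and both sample configs are constructed for illustration, and only `<Location>` blocks are inspected.

```python
import re

# Constructed sample configs (not from the original post). WEAK follows the common
# Debian-style 2.2 layout: handler enabled, access limited to loopback only.
WEAK = """\
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>
"""
FIXED = """\
<Location /server-status>
    # SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
"""

def _is_local(tok):
    return tok in ("all", "local", "localhost", "::1") or tok.startswith("127.")

def audit_mod_status(conf):
    """Return <Location> paths whose server-status handler answers loopback clients."""
    findings, path, handler, grants, denied = [], None, False, [], False
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        low = line.lower().split()
        opened = re.match(r'<Location(?:Match)?\s+"?([^">\s]+)', line, re.I)
        if opened:
            path, handler, grants, denied = opened.group(1), False, [], False
        elif path is None:
            continue
        elif low[0].startswith("</location"):
            # Exposed if loopback is granted, or if nothing restricts access at all.
            if handler and (any(map(_is_local, grants)) or not (grants or denied)):
                findings.append(path)
            path = None
        elif low[:2] == ["sethandler", "server-status"]:
            handler = True
        elif low[:2] == ["allow", "from"]:            # 2.2 syntax
            grants += low[2:]
        elif low[:3] == ["deny", "from", "all"] or low[:3] == ["require", "all", "denied"]:
            denied = True
        elif low[0] == "require":                     # 2.4: local | ip .. | host .. | all granted
            grants += [w for w in low[1:] if w not in ("ip", "host", "granted")]
    return findings
```

Run it over the concatenated contents of the server's own config files; an empty list means no `<Location>` block serves the status handler to loopback clients.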


Comments


[6 Points] 0xb44d:

don't take this the wrong way - but if you run a hidden service and have mod_status enabled then you really shouldn't be running a hidden service.

hire somebody who understands the hidden service threat model and can set up and administer a stack for you.

the answer to your question is that it is highly unlikely that Onymous relied on status pages to uncover all of those hidden services, as that would have been something that would have been noticed a lot earlier.

every security scanner in the world checks server-status and similar URLs


[1 Points] eleitl:

Hidden services should be run in virtual guests with RFC 1918 space, with address translation done by a different guest.


[1 Points] impost_r:

Majestic Garden is a joke, still on WordPress 3.8.1 last time I checked; it can be taken down in about 5 seconds if you use the xmlrpc vulnerability. WordPress shows the order of user registration (userid); the 2nd user (part of the team, if I recall correctly) is highly doxable.


[1 Points] None:

Apache is a joke in itself. This being said, I got several "server-status" requests made on my market, and they simply get a nice 404 page.


[0 Points] None:

fuck I'd like to run a DNM but I don't know much about how to "hide" a server, I can set up a website and hosting clearnet no problem but this darknet stuff is tricky. There must be a path to total anon hosting.


[-3 Points] Axaq:

Solution: don't run a hidden service on an Apache server.