Archive for the ‘hacking websites’ Category


Spain Detains 3 in PlayStation Cyberattacks

The Spanish police said on Friday that they had apprehended three men suspected of computer hacking in connection with recent attacks on Sony’s PlayStation Network as well as corporate and government Web sites around the world.

The National Police identified the three as the local leadership of the shadowy international network of computer hackers known as Anonymous, which has claimed responsibility for a wide variety of attacks.

Anonymous is composed of people from various countries organized into cells that share common goals, the police said, with activists operating anonymously in a coordinated fashion.

One of the three suspects, a 31-year-old Spaniard, was detained in the southern Spanish city of Almería sometime after May 18, the police said. He had a computer server in his apartment in the northern Spanish port city of Gijón, where the group is believed to have attacked the Web sites of the Sony PlayStation online gaming store.

The same computer server was also believed to have been used in coordinated attacks against two Spanish banks, BBVA and Bankia; the Italian energy company Enel; and government sites in Algeria, Chile, Colombia, Egypt, Libya, Iran, Spain and New Zealand, the police said.

The two other men, both also Spaniards in their early 30s, were picked up in Barcelona and Valencia. The police statement did not make clear the timing of those detentions, but a police spokeswoman said all had occurred recently.

The spokeswoman, who did not want to be identified in accordance with department policy, said all three were subsequently released, without bail, pending formal charges.

They were expected to be charged with forming an illegal association to attack public and corporate Web sites, a charge that carries a potential sentence of up to three years in prison.

The police opened their investigation last October, after hackers overwhelmed the Spanish Ministry of Culture’s Web site to protest legislation increasing punishments for illegal downloads.

It was not immediately clear how much of a role the group may have played in the recent attacks on Sony. About a dozen Sony Web sites and services around the world have been hacked; the biggest breaches forced the company, which is based in Tokyo, to shut down its popular PlayStation Network for a month beginning in April.

The Japanese company has acknowledged that hackers compromised the personal data of tens of millions of user accounts. Earlier this month, a separate hacker collective called Lulz Security, or LulzSec, said it had breached a Sony Pictures site and released vital source code.

Sony has estimated that the hacker attacks will cost it at least 14 billion yen ($175 million), in damages, including spending on information technology, legal costs, lower sales and free offers to lure back customers.

Mami Imada, a Sony spokeswoman in Tokyo, said she had no information on the detentions and declined to comment.

The police said that they had analyzed more than two million lines of chat logs since October, as well as Web pages used by the group to identify the leadership in Spain “with the capacity to make decisions and direct attacks.” Members of Anonymous used a computer program called L.O.I.C. to crash Web sites with denial-of-service attacks, the police said.

Among recent attacks, the hackers also brought down the site of the Spanish National Electoral Commission last month before regional and municipal elections. It was that attack, on May 18, that led to the detention of the suspect in Almería.

The movement against the antipiracy law has been closely linked to the broader youth-led political movements that have occurred in Puerta del Sol, the central square in Madrid, and in other city squares since May 15.

These protests have called for a complete overhaul of Spain’s political system and laws aimed at stopping illegal downloading.

Hiroko Tabuchi contributed reporting.


Hackers Steal Data From Simon Cowell’s X-Factor

May. 6 2011 – 7:02 am

UPDATE: A spokesperson for Fox says the network is COPPA compliant and blocked people under 13 years of age from registering for X Factor audition information on Fox.com. “This is a matter that we take very seriously,” the spokesperson says.

——-

Cyber criminals have been on a stealing spree of late. Not long after the theft of more than 100 million user account details from Sony, Fox has confirmed that hackers also breached fox.com and obtained a file of details on 73,000 people who requested information about the X-Factor auditions.

The Fox TV show, which is an Americanized version of a British talent program, begins filming today. The winner of the show gets a $5 million recording contract with Cowell’s Syco music label and Sony Music.

A spokesperson for Fox tells me that media reports about the hacking incident incorrectly stated that data for 250,000 people had been compromised and that the correct number was “about 73,000.” They added that the data, which was stolen last week, did not include financial information, social security numbers or user names and passwords.

“We took immediate action to stop the illegal intrusion and began working with federal authorities,” said Gaude Paez of Fox. “We’ve [sent] emails to impacted registrants to notify them of the unauthorised access and providing [sic] them information to help them guard against spam and phishing.”

Carole Therelaut of Naked Security points out that the data breach comes after the X-Factor changed its rules in the U.S. to allow children as young as 12 to enter its competition, unnervingly putting personal data on pre-teens in the hands of faceless hackers.

Cowell’s troubles come amid a wave of cyber security issues making the news this week. In entertainment, the French DJ David Guetta has reportedly employed an ex-Pentagon investigator to look into the theft by hackers of his new single. According to BBC Newsbeat, Guetta says parts of the song “Where Them Girls At” featuring Nicki Minaj were stolen by a hacker who added their own production and posted it online, claiming it was Guetta’s.

Yesterday it emerged that Last Pass, a service that syncs with browsers to let you control a variety of passwords with one master password, had asked its users to change their master passwords after discovering a potential breach of its database. In its latest blog post Last Pass said the issue affects roughly 0.5% of users. Read PC World’s interview with the CEO of Last Pass here.

Sony is meanwhile offering American customers affected by a massive security breach $1 million insurance policies and a year of identity theft protection, according to Bloomberg. It comes after 101.6 million user accounts on Sony’s PlayStation Network and the Sony Online Entertainment network for gamers were compromised by hackers.


| Date | D (exploit code) | A (vulnerable app) | V (verification) | Description | Plat. | Author |
|---|---|---|---|---|---|---|
| 2011-01-14 | yes | | Waiting verification | Real Networks RealPlayer SP ‘RecordClip’ Method Remote Code Execution (106) | windows | Sean de Regge |
| 2011-01-12 | yes | | Verified | MS11-002: Microsoft Data Access Components Vulnerability (181) | windows | Peter Vreugdenhil |
| 2011-01-10 | yes | | Verified | MS10-081: Windows Common Control Library (Comctl32) Heap Overflow (243) | windows | Nephi Johnson |
| 2011-01-09 | yes | | Verified | KingView 6.5.3 SCADA HMI Heap Overflow PoC (389) | windows | Dillon Beresford |
| 2011-01-08 | yes | yes | Verified | NetSupport Manager Agent Remote Buffer Overflow (354) | multiple | ikki |
| 2011-01-01 | yes | yes | Verified | HP Photo Creative 2.x audio.Record.1 ActiveX Control Remote Stack Based Buffer Overflow (571) | windows | rgod |
| 2010-12-30 | yes | | Waiting verification | CA ARCserve D2D r15 Web Service Servlet Code Execution (384) | windows | rgod |
| 2010-12-30 | yes | yes | Verified | QuickPHP Web Server Arbitrary (src .php) File Download (420) | windows | Pr0T3cT10n |
| 2010-12-30 | yes | yes | Waiting verification | Chilkat Software FTP2 ActiveX Component Remote Code Execution (298) | windows | rgod |
| 2010-12-29 | yes | yes | Verified | QuickPHP Web Server 1.9.1 Directory Traversal (336) | windows | John Leitch |
| 2010-12-29 | yes | yes | Verified | httpdASM 0.92 Directory Traversal (234) | windows | John Leitch |
| 2010-12-29 | yes | | Verified | DD-WRT Information Disclosure Vulnerability (384) | hardware | Craig Heffner |
| 2010-12-26 | yes | yes | Verified | Kolibri v2.0 Buffer Overflow RET + SEH exploit (HEAD) (1591) | windows | TheLeader |
| 2010-12-22 | yes | yes | Verified | WMITools ActiveX Remote Command Execution Exploit 0day (1418) | windows | WooYun |
| 2010-12-22 | yes | | Verified | Citrix Access Gateway Command Injection Vulnerability (1120) | linux | George D. Gal |
| 2010-12-21 | yes | | Waiting verification | Ecava IntegraXor 3.6.4000.0 Directory Traversal (444) | windows | Luigi Auriemma |
| 2010-12-15 | yes | | Verified | Internet Explorer 8 CSS Parser Exploit (4036) | windows | Nephi Johnson |
| 2010-12-14 | yes | | Verified | Crystal Reports Viewer 12.0.0.549 Activex Exploit (PrintControl.dll) 0-day (888) | windows | Dr_IDE |
| 2010-12-11 | yes | | Verified | Exim 4.63 Remote Root Exploit (2997) | linux | Kingcope |
| 2010-12-10 | yes | | Verified | LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD (1278) | freebsd | Kingcope |
| 2010-12-09 | yes | | Waiting verification | VMware Tools update OS Command Injection (1587) | multiple | Nahuel Grisolia |
| 2010-12-05 | yes | yes | Verified | Freefloat FTP Server Buffer Overflow Vulnerability 0day (1722) | windows | 0v3r |
| 2010-12-03 | yes | | Verified | Image Viewer CP Gold 6 ActiveX TifMergeMultiFiles() Buffer Overflow (876) | windows | Dr_IDE |
| 2010-12-03 | yes | | Verified | iFTPStorage for iPhone / iPod touch <= 1.3 – Directory Traversal (892) | hardware | XEL |
| 2010-12-02 | yes | yes | Verified | ProFTPD 1.3.3c compromised source remote root Trojan (2727) | linux | anonymous |

How To Deface A Website?

This tutorial will be broken down into 3 main sections, as follows:
1. Finding Vuln Hosts.
2. Getting In.
3. Covering Your Tracks


It really is easy, and I will show you how easy it is.

1. Finding Vuln Hosts
This section needs to be further broken down into two categories of script kiddies: ones who scan the net for a host that is vuln to a certain exploit and ones who search a certain site for any exploit. The ones you see on alldas are the first kind; they scan thousands of sites for a specific exploit. They do not care who they hack, anyone will do. They have no set target and not much of a purpose. In my opinion these people should either have a cause behind what they are doing, i.e. “I make sure people keep up to date with security, I am a messenger” or “I am spreading a political message, I use defacements to get media attention”. People who deface to get famous or to show off their skills need to grow up and realize there is a better way of going about this (not that I support the ones with other reasons either). Anyway, the two kinds and what you need to know about them:

Scanning Script Kiddie: You need to know what the signs of the hole are. Is it a service? A certain OS? A CGI file? How can you tell if they are vuln? What version(s) are vuln? You need to know how to search the net to find targets which are running whatever is vuln. Use altavista.com or google.com for web based exploits, use a script to scan ip ranges for a certain port that runs the vuln service, or use netcraft.com to find out what kind of server they are running and what extras it runs (frontpage, php, etc..). nmap and other port scanners allow quick scans of thousands of ips for open ports. This is a favorite technique of those guys you see with mass hacks on alldas.

Targeted Site Script Kiddie: More respectable than the script kiddies who hack any old site. The main step here is gathering as much information about a site as possible. Find out what OS they run at netcraft or by using: telnet www.site.com 80 then GET / HTTP/1.1. Find out what services they run by doing a port scan. Find out the specifics on the services by telnetting to them. Find any cgi script, or other files which could allow access to the server if exploited, by checking /cgi /cgi-bin and browsing around the site (remember to index browse).

Wasn’t so hard to get the info, was it? It may take a while, but go through the site slowly and get all the information you can.

2. Getting In
Now that we have the info on the site we can find the exploit(s) we can use to get access. If you were a scanning script kiddie you would know the exploit ahead of time. A couple of great places to look for exploits are Security Focus and packetstorm. Once you get the exploit, check and make sure that the exploit is for the same version as the service, OS, script, etc.. Exploits mainly come in two languages; the most used are C and perl. Perl scripts will end in .pl or .cgi, while C will end in .c. To compile a C file (on *nix systems) do gcc -o exploit12 file.c then: ./exploit12. For perl just do: chmod 700 file.pl (not really needed) then: perl file.pl. If it is not a script it might be a very simple exploit, or just a theory of a possible exploit. Just do a little research into how to use it. Another thing you need to check is whether the exploit is remote or local. If it is local you must have an account or physical access to the computer. If it is remote you can do it over a network (internet).

Don’t go compiling exploits just yet; there is one more important thing you need to know.

3. Covering Your Tracks
So by now you have gotten the info on the host in order to find an exploit that will allow you to get access. So why not do it? The problem with covering your tracks isn’t that it is hard, rather that it is unpredictable. Just because you killed the sys logging doesn’t mean that they don’t have another logger or IDS running somewhere else (even on another box). Since most script kiddies don’t know the skill of the admin they are targeting they have no way of knowing if they have additional loggers or what. Instead the script kiddie makes it very hard (next to impossible) for the admin to track them down. Many use a stolen or second isp account to begin with, so even if they get tracked they won’t get caught. If you don’t have the luxury of this then you MUST use multiple wingates, shell accounts, or trojans to bounce off of. Linking them together will make it very hard for someone to track you down. Logs on the wingates and shells will most likely be erased after like 2-7 days. That is if logs are kept at all. It is hard enough to even get ahold of one admin in a week, let alone further tracking the script kiddie down to the next wingate or shell and then getting ahold of that admin all before the logs of any are erased. And it is rare for an admin to even notice an attack; an even smaller percentage will actively pursue the attacker at all and will just secure their box and forget it ever happened. For the sake of argument let’s just say if you use wingates and shells, don’t do anything to piss the admin off too much (which will get them to call authorities or try to track you down) and you delete logs, you will be safe. So how do you do it?

We will keep this very short and to the point, so we’ll need to get a few wingates. Wingates by nature tend to change IPs or shutdown all the time, so you need an updated list or program to scan the net for them. You can get a list of wingates that is well updated at and you can also get a program called winscan there. Now let’s say we have 3 wingates:

212.96.195.33 port 23
202.134.244.215 port 1080
203.87.131.9 port 23

To use them we go to telnet and connect to them on port 23. We should get a response like this:

CSM Proxy Server >

To connect to the next wingate we just type in its ip:port

CSM Proxy Server >202.134.244.215:1080
If you get an error it is most likely to be that the proxy you are trying to connect to isn’t up, or that you need to login to the proxy. If all goes well you will get the 3 chained together and have a shell account you are able to connect to. Once you are in your shell account you can link shells together by:

[j00@server j00]$ ssh 212.23.53.74

You can get free shells to work with until you get some hacked shells, here is a list of free shell accounts. And please remember to sign up with false information and from a wingate if possible.


Once you get on your last shell you can compile the exploit, and you should be safe from being tracked. But let’s be even more sure and delete the evidence that we were there.

Alright, there are a few things on the server side that all script kiddies need to be aware of. Mostly these are logs that you must delete or edit. The real script kiddies might even use a rootkit to automatically delete the logs. Although let’s assume you aren’t that lame. There are two main logging daemons which I will cover, klogd which is the kernel logs, and syslogd which is the system logs. First step is to kill the daemons so they don’t log any more of your actions.

[root@hacked root]# ps -def | grep syslogd
[root@hacked root]# kill -9 pid_of_syslogd

In the first line we are finding the pid of the syslogd, in the second we are killing the daemon. You can also use /etc/syslog.pid to find the pid of syslogd.

[root@hacked root]# ps -def | grep klogd
[root@hacked root]# kill -9 pid_of_klogd

Same thing happening here with klogd as we did with syslogd.

Now that we have killed the default loggers the script kiddie needs to delete themselves from the logs. To find where syslogd puts its logs check the /etc/syslog.conf file. Of course if you don’t care if the admin knows you were there you can delete the logs completely. Let’s say you are the lamest of the script kiddies, a defacer; the admin would know that the box has been compromised since the website was defaced. So there is no point in appending the logs, they would just delete them. The reason we are appending them is so that the admin will not even know a break in has occurred. I’ll go over the main reasons people break into a box:

To deface the website. – this is really lame, since it has no point and just damages the system.

To sniff for other network passwords. – there are programs which allow you to sniff other passwords sent from and to the box. If this box is on an ethernet network then you can even sniff packets (which contain passwords) that are destined to any box in that segment.

To mount a DDoS attack. – another lame reason, the admin has a high chance of noticing that you compromised him once you start sending hundreds of MBs through his connection.

To mount another attack on a box. – this and sniffing are the most commonly used, not lame, reasons for exploiting something. Since you now have a root shell you can mount your attack from this box instead of those crappy freeshells. And you now have control over the logging of the shell.

To get sensitive info. – some corporate boxes have a lot of valuable info on them. Credit card databases, source code for software, user/password lists, and other top secret info that a hacker may want to have.

To learn and have fun. – many people do it for the thrill of hacking, and the knowledge you gain. I don’t see this as as horrible a crime as defacing. As long as you don’t destroy anything I don’t think this is very bad. In fact some people will even help the admin patch the hole. Still illegal though, and best not to break into anyone’s box.

I’ll go over the basic log files: utmp, wtmp, lastlog, and .bash_history
These files are usually in /var/log/ but I have heard of them being in /etc/ /usr/bin/ and other places. Since it is different on a lot of boxes it is best to just do a find / -iname 'utmp' (and likewise for 'wtmp' and 'lastlog'), and also search through the /usr/ /var/ and /etc/ directories for other logs. Now for the explanation of these files.

utmp is the log file for who is on the system; I think you can see why this log should be appended, because you do not want to let anyone know you are in the system. wtmp logs the logins and logouts as well as other info you want to keep away from the admin. It should be appended to show that you never logged in or out. lastlog is a file which keeps records of all logins. Your shell’s history is another file that keeps a log of all the commands you issued; you should look for it in your $HOME directory and edit it. .sh_history, .history, and .bash_history are the common names. You should only append these log files, not delete them. If you delete them it will be like holding a big sign in front of the admin saying “You’ve been hacked”. Newbie script kiddies often deface and then rm -rf / to be safe. I would avoid this unless you are really freaking out. In this case I would suggest that you never try to exploit a box again. Another way to find log files is to run a script to check for open files (and then manually look at them to determine if they are logs) or do a find for files which have been edited; this command would be: find / -ctime 0 -print

A few popular scripts which can hide your presence from logs include: zap, clear and cloak. Zap will replace your presence in the logs with 0’s, clear will clear the logs of your presence, and cloak will replace your presence with different information. acct-cleaner is the only heavily used script in deleting account logging from my experience. Most rootkits have a log cleaning script, and once you installed it logs are not kept of you anyways. If you are on NT the logs are at C:\winNT\system32\LogFiles\, just delete them, nt admins most likely don’t check them or don’t know what it means if they are deleted.
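A defender-side check, added here as an example and not part of the original tutorial: it parses a wtmp/utmp file in the Linux 384-byte record layout and flags the editing signs this section describes, namely all-zero records of the kind zap leaves behind, login entries whose user field was blanked, and timestamps that run backwards in a file that should only ever be appended to. The bytes below are constructed inline as a sample; on a real host the same function reads /var/log/wtmp.

```python
import struct
from dataclasses import dataclass

# Linux (glibc) utmp/wtmp record: 384 bytes, little-endian on x86.
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit(h,h) ut_session(i) ut_tv(sec i, usec i) ut_addr_v6[16] unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


@dataclass
class UtmpRecord:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    sec: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_records(data: bytes) -> list[UtmpRecord]:
    """Split a wtmp/utmp byte string into records; rejects a truncated file."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file size is not a multiple of %d bytes" % UTMP_SIZE)
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append(UtmpRecord(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs


def audit_wtmp(data: bytes) -> list[str]:
    """Return one finding per record that looks edited rather than written by login/init."""
    findings = []
    newest = 0  # wtmp is append-only, so ut_tv.sec should never decrease
    for i, rec in enumerate(parse_records(data)):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if raw == b"\0" * UTMP_SIZE:
            # zap-style cleaners overwrite the matching record with zeros instead of removing it
            findings.append(f"record {i}: all-zero entry in the middle of the file")
            continue
        if rec.ut_type == USER_PROCESS and not rec.user:
            # a login record is always written with a user name; a blank one was scrubbed
            findings.append(f"record {i}: login record with blank user on {rec.line or '?'}")
        if rec.sec < newest:
            # a record dated earlier than its predecessor means the file was rewritten
            findings.append(f"record {i}: timestamp {rec.sec} precedes earlier record ({newest})")
        newest = max(newest, rec.sec)
    return findings


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, sec: int) -> bytes:
    """Build one record; used here only to construct the sample file."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, b"")


# Constructed sample wtmp (not a real capture): a normal login/logout pair for alice,
# a zeroed record where a second session used to be, a login whose time runs
# backwards, and a login record whose user field was blanked.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1300000000)
    + b"\0" * UTMP_SIZE
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1300003600)
    + make_record(USER_PROCESS, 5151, "pts/1", "bob", "10.0.0.7", 1299990000)
    + make_record(USER_PROCESS, 6161, "pts/2", "", "10.0.0.9", 1300010000)
)

if __name__ == "__main__":
    # On a live host: audit_wtmp(open("/var/log/wtmp", "rb").read())
    for finding in audit_wtmp(SAMPLE_WTMP):
        print(finding)
```

A clean file such as a single untouched login record produces no findings, so the function can run as a cron check against a copy of wtmp shipped to the external log box the closing paragraph recommends.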

One final thing about covering your tracks. I won’t go too much into detail about this because it would require a tutorial all to itself. I am talking about rootkits. What are rootkits? They are a very widely used tool used to cover your tracks once you get into a box. They will make staying hidden pain-free and very easy. What they do is replace the binaries like login, ps, and who to not show your presence, ever. They will allow you to login without a password, without being logged by wtmp or lastlog and without even being in the /etc/passwd file. They also make commands like ps not show your processes, so no one knows what programs you are running. They send out fake reports on netstat, ls, and w so that everything looks the way it normally would, except anything you do is missing. But there are some flaws in rootkits; for one, some commands produce strange effects because the binary was not made correctly. They also leave fingerprints (ways to tell that the file is from a rootkit). Only smart/good admins check for rootkits, so this isn’t the biggest threat, but it should be considered. Rootkits that come with a LKM (loadable kernel module) are usually the best as they can pretty much make you totally invisible to all others and most admins wouldn’t be able to tell they were compromised.

In writing this tutorial I have mixed feelings. I do not want more script kiddies out there scanning hundreds of sites for the next exploit. And I don’t want my name on any shouts. I would rather have people say “mmm, that defacing crap is pretty lame”, especially when people with no lives scan for exploits every day just to get their name on a site for a few minutes. I feel a lot of people are learning everything but what they need to know in order to break into boxes. Maybe this tutorial cuts to the chase a little and helps people with some knowledge see how simple it is, and hopefully makes them see that getting into a system is not all it’s hyped up to be. It is not by any means a full guide; I did not cover a lot of things. I hope admins found this tutorial helpful as well, learning that no matter what site you run you should always keep on top of the latest exploits and patch them. Protect yourself with IDS and try finding holes on your own system (both with vuln scanners and by hand). Also setting up an external box to log is not a bad idea. Admins should have also seen a little bit into the mind of a script kiddie and learned a few things he does; this should help you catch one if they break into your systems.

On one final note, defacing is lame. I know many people who have defaced in the past and regret it now. You will be labeled a script kiddie and a lamer for a long, long time.

Also see these:
Deface any website – home page (Visit this first, then the above ones if you like)
http://www.netdisaster.com

—–

Deface the Microsoft.com website, with a chainsaw!
http://www.netdisast…/microsoft.com/

Deface Google website here, with a shot gun!
http://www.netdisast…p://google.com/

—–

Lead and CONTRIBUTE to the cyber revolution to make it a better place !!
