Bestcasuals.com Vuln + Audit. _St0rm

1. Error links:
2.  
3. http://bestcasuals.com/image_resize.php?image=productData
4. ----------------------------------------------------------
5.  
6. GIF87a2¡›‚ÿÿÿÿ,2†”©Ë­£œ´Ú+Þ¼Gí…â7–h¦ª¶¤l@×ñFËT~ã4á
   rÂZ b;m–p‰4*£P(O8qî¦R¥´JüVrÏ¢÷x=§9ä-Õz®¾±’vÔV§Íôúñi²6È4ØÓBˆØ¡¸¸Ñèx
   Y1I9ayù¢ÉÈyâÙ ú(ºQ;
7. Warning: Division by zero in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 277
8.  
9. Warning: imagecreatetruecolor() [function.imagecreatetruecolor]: Invalid image dimensions in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 337
10.  
11. Warning: imagecopyresampled(): supplied argument is not a valid Image resource in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 338
12. GIF87a2¡›‚ÿÿÿÿ,2…”©Ë­£œ´Ú+Þ¼Gí…â7–h¦ª¶¤l@×1G³}w9ÅÛA¢M8‹ÀߤX;FxAª’ùèŒÓè5Êåz•§ú WX‹¹§±ëË{¬þ²¥`Œ6V7²•Ò'ØÓ2xx¢˜’ȸáøx)YAY9q‰ù²É¡Ùù¹ŠY;
13. Warning: imagedestroy(): supplied argument is not a valid Image resource in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 255
14. PHP Warning: Division by zero in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 277 PHP Warning: imagecreatetruecolor() [function.imagecreatetruecolor]: Invalid image dimensions in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 337 PHP Warning: imagecopyresampled(): supplied argument is not a valid Image resource in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 338 PHP Warning: imagedestroy(): supplied argument is not a valid Image resource in c:\domains\bestcasuals.com\wwwroot\image_resize.php on line 255
15.  
16.  
17.  
18.  
19. http://bestcasuals.com:80/staticpage.php?pageid=12
20. --------------------------------------------------
21.  
22. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 3
23.  
24.  
25. Those are the only scripting errors I could find.
26. --------------------------------------------------------------------------------------------------------------------
27.  
28. Database name: bestcasuals
29.  
30. Server info:
31.  
32. Web Server: Microsoft-IIS/6.0
33. Powered-by: PHP/5.1.2
34. Powered-by: ASP.NET
35. DB Server: MySQL >=4.1
36. Current DB: bestcasuals
37.  
38.  
39. Couldn't gather any tables from it.
40. --------------------------------------------------------------------------------------------------------------------
41. Virus information on the .zip link.
42.  
43. URL analysis tool Result
44.  
45. Avira Clean site
46. BitDefender Malware site
47. Dr.Web Clean site
48. G-Data Clean site
49. Malc0de Database Clean site
50. MalwareDomainList Clean site
51. Opera Clean site
52. ParetoLogic Malware site
53. Phishtank Clean site
54. TrendMicro Malware site
55. Websense ThreatSeeker Unrated site
56. Wepawet Unrated site
57.  
58. bestcasuals.com ns1.24livehost.com => 69.93.85.106
59. ns2.24livehost.com => 69.93.85.107
60.  
61. ISP: (AS21844) THEPLANET
62. IP: 70.86.21.146
63. Virus: Trojan
64.  
65. --------------------------------------------------------------------------------------------------------------------
66.  
67. C:\Users\St0rm>tracert bestcasuals.com
68.  
69. Tracing route to bestcasuals.com [70.86.21.146]
70. over a maximum of 30 hops:
71.  
72. 1 179 ms 179 ms 178 ms :)
73. 2 184 ms 181 ms 183 ms :)
74. 3 256 ms 193 ms 179 ms :)
75. 4 217 ms 216 ms 180 ms v995.core1.sjc1.he.net [64.71.150.21]
76. 5 187 ms 179 ms 178 ms 10gigabitethernet2-1.core1.sjc2.he.net [72.52.92.118]
77. 6 182 ms 182 ms 191 ms mpr1.sjc7.us [206.223.116.86]
78. 7 186 ms 180 ms 181 ms xe-4-1-0.er1.sjc2.us.above.net [64.125.27.90]
79. 8 182 ms 181 ms 193 ms xe-4-0-0.cr1.sjc2.us.above.net [64.125.28.54]
80. 9 193 ms 191 ms 198 ms 64.125.26.25.available.above.net [64.125.26.25]
81. 10 258 ms 249 ms 232 ms xe-3-2-0.cr1.iah1.us.above.net [64.125.26.121]
82. 11 228 ms 225 ms 229 ms xe-2-1-0.cr1.dfw2.us.above.net [64.125.30.58]
83. 12 230 ms 226 ms 229 ms xe-0-1-0.er1.dfw2.us.above.net [64.125.27.74]
84. 13 228 ms 236 ms 238 ms 64.125.199.94.t366.above.net [64.125.199.94]
85. 14 243 ms 236 ms 230 ms te7-1.dsr01.dllstx3.networklayer.com [70.87.253.2]
86. 15 * * * Request timed out.
87. 16 230 ms 233 ms 233 ms po1.car03.dllstx5.networklayer.com [70.87.254.18]
88. 17 232 ms 228 ms 230 ms 92.15.5646.static.theplanet.com [70.86.21.146]
89.  
90. Trace complete.
91.  
92. Open ports for: 70.86.21.146
93.  
94. Not shown: 996 filtered ports
95.  
96.  
97. PORT STATE SERVICE
98.  
99. 80/tcp open http
100.  
101. 110/tcp open pop3
102.  
103. 443/tcp open https
104.  
105. 587/tcp open submission
106.  
107. Total Domains: 2.
108.  
109. Http://mail.bestcasuals.com
110. Http://bestcasuals.com
111. -----------------------------------------------------------------------------------------------------------------------
112.  
113.  
114.  
115. Opinion:
116.  
117. I think that the website could be legit, yet rooted by someone and is hosting a virus in the admins corner.
118.  
119. To gain full control of the site. So my other option is to email the webmaster if he knows he has a virus.
120.  
121. and then try and warn people. The only bad thing I could find was one virus being hosted by him.
122. There wasn't really anything to go by after that.
123.  
124. I Ddos'd it and it was going up and down for a little while. I may try again later.
125.  
126. The MySQL injection worked, but only found the database, not the tables.
127.  
128. if you have backtrack, I suggest giving it a go. To see where the files are stored, and get the admin login.
129.  
130. For some reason mine is messing up at the moment. =/
131.  
132. I'm sorry I couldn't really do very much on this one.
133.  
134. _St0rm
135.  
136.  
137. -----------------------------------------------------------------------------------------------------------------------
138.