Sunday, July 10, 2011

Academy of Management Studies: Hacked !





July 10, 2011

Hacker Leaks has received the following anonymous submission:

"I managed to hack into the Academy of Management Studies administrator account and I'm now in the process of deleting accounts"

This disclosure was accompanied by the following screen shots in a zip file:




Since this disclosure was submitted by a hacker with an excellent reputation for this sort of exploit, Hacker Leaks has no choice but to accept that this institution has been violated in an especially thorough way. Funny that they claim to offer a top rate IT education, and yet they were so completely owned.

Widesoft GPP CMS Source Code Leaked





July 10, 2011

We recieved the following anonymous message and download link:

"Today I release a proprietary CMS written in old ASP code, this company need some serious love from hackers as they have been overpricing this shit code to corrupted government and political party.LOL the code has several vulnerability but I leave discovering them and playing with them to you!

Vendor: http://www.widesoft.ma/default1.html

Product: Widesoft-GPP CMS

Google dork to find all website that use this CMS: "Widesoft-GPP" inurl:/def.asp?codelangue=23

some important sites:
http://www.partistiqlal.org/
http://www.alittihad.press.ma
http://www.lopinion.ma/
http://www.alalam.ma
http://www.aviationcivile.gov.ma
http://www.aft.gov.ma
www.emploi.gov.ma
 http://www.crimarrakech.ma/
http://audakhla.ma
 http://www.attajdid.ma/ "

The download link for this proprietary source code is:   http://bit.ly/qBsDja

The Hacker Leaks analysis of this disclosure is it is legitimate. Enjoy.

Friday, July 8, 2011

GoDaddy Server Side Vulnerability Exposed



July 8, 2011

Hacker Leaks received the following anonymous submission:

"Not only did Go Daddy have a XSS security vulnerability on their their control panel (https://www.hushmail.com/hushmail/showHelpFile.php?PHPSESSID=D4B1B044D9C6BBC75792BC1640384926&file=popupHyperlinkHelp.html#http://www.offensive-security.com/offsec/godaddy-xss-exploit/),  Go Daddy has additional server side weaknesses (and easter eggs) that could result in a compromise of your Go Daddy website data and functionality.  At the time of this writing, I have a shared hosting account with Go Daddy, because their service was cheap and my website does not host any complex functionality or important data.  For the first couple months I used the control panel to build my site directly in HTML.  Then, I noticed that I had the option of enabling ssh on my account as an included feature!  Other hosting services such as Aplus.net require a copy of your drivers license to allow ssh access to their shared-hosted server.  Go Daddy requires a click of a button.  Once I enabled the service and logged into my account, the first command I issued was “ls -la -R / > directoryDump.txt”, which produced a file over 1
 7 MB in size! This command allowed me to see the entire directory structure for the server in the areas where I had read permissions.  Upon further inspection, I noticed that all shared hosting users are placed into a group (inetuser) and all are assigned to the same chrooted environment.  By being part of the same group, all the users have access to all shared hosting user ftp/ssh usernames on the server! My account was given a limited path by default, not including /sbin/, but I added that by using PATH=/sbin/:restOfYourPath..  Go Daddy does limit the default tools and programs you can run, such as no ssh use from their server going outbound. So I added a couple of my tools from Ubuntu: ifconfig, netcat, and some python and perl scripts.

Permissions:
The permissions for some user directories are interesting.  One thing I noticed, is that for each user’s directory that I had access to, they had an implementation of Joomla.  My guess is the default Joomla settings that the Go daddy's Control Panel applies upon install makes changes to their directory permissions.  That gives inetuser group members access to their Joomla configuration.php files.  If you know something about Joomla, you know that’s not good. Also, each user has access to the chrooted /etc/shadow file showing the password hash of the user whose permissions protect the mail/spool process for the chrooted part of the server. In addition, each user can access the /etc/group file that contains administrator usernames for the server.

Network:
Running ifconfig helped me discover that the server was dual homed with two public ip addresses on interfaces bond0 and dummy0. The dummy0 interface is the ip address that all shared hosting website names resolve to.  The bond0 interface is what the server uses for outbound communications, but it also supports inbound ssh/ftp connections.

Localhost has some interesting ports open:

$ netstat -antup |grep 127.0.0.1
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN      - SMUX
tcp        0      0 127.0.0.1:25                    0.0.0.0:*                   LISTEN      - SMTP

Brute force attack::
Having extracted over 7000 user names from the directory listing file, I decided to see if my user account could be brute forced.  So, I ran the following command with THC-hydra using a dictionary file with my password at about line 200.
hydra -l username -P wordlist.txt serverIPaddress ftp -V
After about 200 tries and 90 seconds my password was cracked-confirming that Go Daddy does not lockout users after a reasonable number of attempts.  I’m assuming the administrator accounts found in the shadow and group files can be attacked this way also, just over ssh.

Easter Eggs:

Go-Go Daddy Anonymous Email!
“Anonymous” email through an open smtp server.
Using netcat or telnet, connect to port 25:
./nc -v localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 XX.XX.XX.XX.server.net ESMTP Sendmail 8.13.8/8.12.11; Fri, 1 Apr 2011 20:10:30 -0700
HELO localhost
250 XX.XX.XX.XX.server.net Hello XX.XX.XX.server.net [XX.XX.XX.XX], pleased to meet you
MAIL FROM: meh@localhost
250  2.1.0 meh@localhost... Sender ok
RCPT TO: meow@gmail.com
250 2.1.5 meow@gmail.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
hello!
.
250 2.0.0 XXXXXXXX Message accepted for delivery

Anyone with ssh access can send anonymous email from the Go Daddy sever, as the case with open smtp services.  After more research, I discovered that you can assume any host name that is being hosted on that server and send email from it without Go Daddy requiring authentication as that user, such as the case is with gmail and other secure services. For example, if xyz.com is a domain hosted on the server, then I could send any email from either bob@xyz.com or alice@xyz.com whether or not their account exists with no issues whatsoever.  Not only does this have SPAM use written all over it, one could social-engineer your way to more access in people’s directories, web-sites, or wallets.

Read emails from other sites!
By running the following command: ps ax | grep sendmail, you will see the email files that are in queue.
66466 ?        S      0:00 sendmail: ./b777fsxt066666 from queue
Further more, you will see if you navigate to /var/spool/clientmqueue all of the queue messages from cron jobs.  Some of these messages are issued to users that sign up to new sites and may be used for password reset functionality. Discover for yourself. :)

In Conclusion:
Go Daddy provides cheap hosting with significant security vulnerabilities.  I leave it to you the consumer to make the choice of whether you want to host your data using their shared hosting services or look for more secure hosting.  Either way, Go Daddy could easily address these weaknesses to protect its customers data. But will they?"

The analysis of the Hacker Leaks team is that the above information is on the mark, and reveals a serious security hole in the GoDaddy hosting service.

Tuesday, July 5, 2011

Famous American Film Critic Roger Ebert Gets OWNED By Rapt0r !



10:45 PM PT - July 5, 2011

A hacker calling himself Rapt0r has hacked into the G-mail account of famous American film critic Roger Ebert. According to the hacker, he gained entry into this account, changed the password, downloaded a single docoment from Google Docs, took screen shots of various parts of the account - and finally downloaded over 5000 E-Mail messages from Roger Ebert's inbox.



Our analysis is straight forward, the hacker in question did exactly what he claims. Along with an account of the hack, Hacker Leaks received in our anonymous submission box a zip file containing over 5000 E-Mail messages and the screen shots which we publish here, and a single rather bizarre document which we are presently analyzing. We have decided after careful deliberation that we will not be releasing Mr. Ebert's E-Mail messages at this time.


And to add insult to injury the final screen shot shows what our investigators found to be true, that Rapt0r E-Mailed the worlds press with his exploit from WITHIN Roger Ebert's Gmail account. Hacker Leaks has confirmed through multiple sources that they did indeed receive the hackers message apparently addressed from Roger Ebert's personal E-Mail.

Bioware Hacked - 6kk Users Data Dumped

k

July 5, 2011

Hackers using the nick Monia & Br have claimed to have hacked into the servers of http://www.bioware.com/ and accessed 6,000,000+ users data. They provided the following screen shot which was redacted by the hackers and NOT by Hacker Leaks staff.

Saturday, July 2, 2011

Massacre In Xinjiang Kashgar Region Of China In Progress


9:30 PM PT  July 2, 2011

Hacker Leaks has received a very disturbing message from a hacker in China, the message is as follows:

"China Xinjiang Kashgar region scene of large-scale violence. Southwest China's authorities to dispatch military and five military emergency rescue units. The situation is urgent."

We urge the world's media to check on this report, as Local Leaks has reason to believe that a large scale massacre is currently taking place in southern China at this very moment. If our source sends any more material we will update this post asap. We urge EVERYONE to keep their ears to the ground for intelligence on this. Is China killing thousands of it's own citizens at this very moment ?