Sunday, July 10, 2011

Academy of Management Studies: Hacked !

July 10, 2011

Hacker Leaks has received the following anonymous submission:

"I managed to hack into the Academy of Management Studies administrator account and I'm now in the process of deleting accounts"

This disclosure was accompanied by the following screen shots in a zip file:

Since this disclosure was submitted by a hacker with an excellent reputation for this sort of exploit, Hacker Leaks has no choice but to accept that this institution has been violated in an especially thorough way. Funny that they claim to offer a top rate IT education, and yet they were so completely owned.

Widesoft GPP CMS Source Code Leaked

July 10, 2011

We received the following anonymous message and download link:

"Today I release a proprietary CMS written in old ASP code; this company needs some serious love from hackers as they have been overpricing this shit code to corrupted government and political parties. LOL the code has several vulnerabilities but I leave discovering them and playing with them to you!

Vendor: http://www.widesoft.ma/default1.html

Product: Widesoft-GPP CMS

Google dork to find all website that use this CMS: "Widesoft-GPP" inurl:/def.asp?codelangue=23

some important sites:
http://www.partistiqlal.org/
http://www.alittihad.press.ma
http://www.lopinion.ma/
http://www.alalam.ma
http://www.aviationcivile.gov.ma
http://www.aft.gov.ma
www.emploi.gov.ma
http://www.crimarrakech.ma/
http://audakhla.ma
http://www.attajdid.ma/ "

The download link for this proprietary source code is: http://bit.ly/qBsDja

The Hacker Leaks analysis of this disclosure is that it is legitimate. Enjoy.

Friday, July 8, 2011

GoDaddy Server Side Vulnerability Exposed

July 8, 2011

Hacker Leaks received the following anonymous submission:

"Not only did Go Daddy have an XSS security vulnerability on their control panel (https://www.hushmail.com/hushmail/showHelpFile.php?PHPSESSID=D4B1B044D9C6BBC75792BC1640384926&file=popupHyperlinkHelp.html#http://www.offensive-security.com/offsec/godaddy-xss-exploit/), Go Daddy has additional server side weaknesses (and easter eggs) that could result in a compromise of your Go Daddy website data and functionality. At the time of this writing, I have a shared hosting account with Go Daddy, because their service was cheap and my website does not host any complex functionality or important data. For the first couple months I used the control panel to build my site directly in HTML. Then, I noticed that I had the option of enabling ssh on my account as an included feature! Other hosting services such as Aplus.net require a copy of your driver's license to allow ssh access to their shared-hosted server. Go Daddy requires a click of a button. Once I enabled the service and logged into my account, the first command I issued was “ls -la -R / > directoryDump.txt”, which produced a file over 17 MB in size! This command allowed me to see the entire directory structure for the server in the areas where I had read permissions. Upon further inspection, I noticed that all shared hosting users are placed into a group (inetuser) and all are assigned to the same chrooted environment. By being part of the same group, all the users have access to all shared hosting user ftp/ssh usernames on the server! My account was given a limited path by default, not including /sbin/, but I added that by using PATH=/sbin/:restOfYourPath. Go Daddy does limit the default tools and programs you can run, such as no ssh use from their server going outbound. So I added a couple of my tools from Ubuntu: ifconfig, netcat, and some python and perl scripts.

Permissions:
The permissions for some user directories are interesting. One thing I noticed is that for each user's directory that I had access to, they had an implementation of Joomla. My guess is the default Joomla settings that Go Daddy's Control Panel applies upon install make changes to their directory permissions. That gives inetuser group members access to their Joomla configuration.php files. If you know something about Joomla, you know that's not good. Also, each user has access to the chrooted /etc/shadow file showing the password hash of the user whose permissions protect the mail/spool process for the chrooted part of the server. In addition, each user can access the /etc/group file that contains administrator usernames for the server.

Network:
Running ifconfig helped me discover that the server was dual homed with two public ip addresses on interfaces bond0 and dummy0. The dummy0 interface is the ip address that all shared hosting website names resolve to.  The bond0 interface is what the server uses for outbound communications, but it also supports inbound ssh/ftp connections.

Localhost has some interesting ports open:

$ netstat -antup |grep 127.0.0.1
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN      - SMUX
tcp        0      0 127.0.0.1:25                    0.0.0.0:*                   LISTEN      - SMTP

Brute force attack:
Having extracted over 7000 user names from the directory listing file, I decided to see if my user account could be brute forced.  So, I ran the following command with THC-hydra using a dictionary file with my password at about line 200.
hydra -l username -P wordlist.txt serverIPaddress ftp -V
After about 200 tries and 90 seconds my password was cracked, confirming that Go Daddy does not lock out users after a reasonable number of attempts. I'm assuming the administrator accounts found in the shadow and group files can be attacked this way also, just over ssh.

Easter Eggs:

Go-Go Daddy Anonymous Email!
“Anonymous” email through an open smtp server.
Using netcat or telnet, connect to port 25:
./nc -v localhost 25
localhost.localdomain [127.0.0.1] 25 (smtp) open
220 XX.XX.XX.XX.server.net ESMTP Sendmail 8.13.8/8.12.11; Fri, 1 Apr 2011 20:10:30 -0700
HELO localhost
250 XX.XX.XX.XX.server.net Hello XX.XX.XX.server.net [XX.XX.XX.XX], pleased to meet you
MAIL FROM: meh@localhost
250  2.1.0 meh@localhost... Sender ok
RCPT TO: meow@gmail.com
250 2.1.5 meow@gmail.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
hello!
.
250 2.0.0 XXXXXXXX Message accepted for delivery

Anyone with ssh access can send anonymous email from the Go Daddy server, as is the case with open smtp services. After more research, I discovered that you can assume any host name that is being hosted on that server and send email from it without Go Daddy requiring authentication as that user, as is the case with gmail and other secure services. For example, if xyz.com is a domain hosted on the server, then I could send any email from either bob@xyz.com or alice@xyz.com whether or not their account exists with no issues whatsoever. Not only does this have SPAM use written all over it, one could social-engineer their way to more access in people's directories, web-sites, or wallets.

Read emails from other sites!
By running the following command: ps ax | grep sendmail, you will see the email files that are in queue.
66466 ?        S      0:00 sendmail: ./b777fsxt066666 from queue
Furthermore, if you navigate to /var/spool/clientmqueue you will see all of the queued messages from cron jobs. Some of these messages are issued to users that sign up to new sites and may be used for password reset functionality. Discover for yourself. :)

In Conclusion:
Go Daddy provides cheap hosting with significant security vulnerabilities. I leave it to you, the consumer, to make the choice of whether you want to host your data using their shared hosting services or look for more secure hosting. Either way, Go Daddy could easily address these weaknesses to protect its customers' data. But will they?"

The analysis of the Hacker Leaks team is that the above information is on the mark, and reveals a serious security hole in the GoDaddy hosting service.
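The group-readable configuration.php and shadow files described in the submission are the kind of exposure a tenant or host administrator can audit mechanically. The Python script below is an added example, not part of the submission or of any Go Daddy tooling: it builds a constructed sample tenant tree (the paths and file names are assumptions for the demo) and reports sensitive files whose mode bits grant group or world read access.

```python
import os
import stat
import tempfile

# File names the submission calls out as exposed on the shared host. The set is
# an assumption for this example; extend it with other secret-bearing files.
SENSITIVE_NAMES = {"configuration.php", "shadow"}
GROUP_OR_WORLD_READ = stat.S_IRGRP | stat.S_IROTH


def audit_exposed(root):
    """Walk root and return sorted (relative path, mode string) pairs for
    sensitive files that any group member or any other user could read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & GROUP_OR_WORLD_READ:
                findings.append((os.path.relpath(path, root), stat.filemode(mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout (not real Go Daddy paths): one Joomla config
    left group-readable, one locked down, and a group-readable shadow file."""
    root = tempfile.mkdtemp()
    layout = {
        "home/alice/html/configuration.php": 0o644,  # group/world readable: finding
        "home/bob/html/configuration.php": 0o600,    # owner-only: fine
        "etc/shadow": 0o640,                          # group can read hashes: finding
        "home/alice/html/index.html": 0o644,          # public by design: ignored
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    return root


if __name__ == "__main__":
    for rel, mode in audit_exposed(build_sample_tree()):
        print(f"{mode} {rel}")
```

Run against a real tenant home instead of the sample tree, the same function lists every secret-bearing file that a shared group such as inetuser could read.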

Tuesday, July 5, 2011

Famous American Film Critic Roger Ebert Gets OWNED By Rapt0r !

10:45 PM PT - July 5, 2011

A hacker calling himself Rapt0r has hacked into the Gmail account of famous American film critic Roger Ebert. According to the hacker, he gained entry into this account, changed the password, downloaded a single document from Google Docs, took screen shots of various parts of the account, and finally downloaded over 5000 E-Mail messages from Roger Ebert's inbox.



Our analysis is straightforward: the hacker in question did exactly what he claims. Along with an account of the hack, Hacker Leaks received in our anonymous submission box a zip file containing over 5000 E-Mail messages and the screen shots which we publish here, and a single rather bizarre document which we are presently analyzing. We have decided after careful deliberation that we will not be releasing Mr. Ebert's E-Mail messages at this time.


And to add insult to injury, the final screen shot shows what our investigators found to be true: that Rapt0r E-Mailed the world's press with his exploit from WITHIN Roger Ebert's Gmail account. Hacker Leaks has confirmed through multiple sources that they did indeed receive the hacker's message, apparently addressed from Roger Ebert's personal E-Mail.

Bioware Hacked - 6kk Users Data Dumped


July 5, 2011

Hackers using the nick Monia & Br have claimed to have hacked into the servers of http://www.bioware.com/ and accessed 6,000,000+ users' data. They provided the following screen shot, which was redacted by the hackers and NOT by Hacker Leaks staff.

Saturday, July 2, 2011

Massacre In Xinjiang Kashgar Region Of China In Progress


9:30 PM PT  July 2, 2011

Hacker Leaks has received a very disturbing message from a hacker in China, the message is as follows:

"China Xinjiang Kashgar region scene of large-scale violence. Southwest China's authorities to dispatch military and five military emergency rescue units. The situation is urgent."

We urge the world's media to check on this report, as Local Leaks has reason to believe that a large scale massacre is currently taking place in southern China at this very moment. If our source sends any more material we will update this post asap. We urge EVERYONE to keep their ears to the ground for intelligence on this. Is China killing thousands of its own citizens at this very moment?

Thursday, June 30, 2011

Strange Leak Indeed !


9:45 PM PT June 30, 2011

We are still analyzing this image but I wanted to get it out there because if it is genuine it is VERY interesting.

The image purports to show the screen shot of an image attached to an E-Mail sent to the president of the Fraternal Order of Police, as it sits IN HIS INBOX. If we can authenticate this image, it would at least prove a clever hacker has access to the Gmail account of a very important and powerful cop. What a shame, I am weeping big tears, let me get a kleenex.

We will let you know when we learn more about this very intriguing disclosure.

Tuesday, June 28, 2011

Fiji Intelligence Officers Ask For Hacker Assistance In Hacking Government Servers

June 28, 2011

HackerLeaks received a message purporting to be from intelligence officers in Fiji requesting the aid of hackers worldwide in hacking their own government's servers. Here's the full text of the message received and the reply address.


"Hello brothers
 
We are intel officers fighting to free Fiji from a dictator and its military rule by bringing peace and a democratic government. The people are being beaten every day while our government fills its pockets with huge monies from public funds.
 
Reference of what is happening in our small country Fiji can be found at our blog sites:
 
 
We in Fiji don't have resources to fight the government and retrieve information from their servers to let the world "know the truth" about our government's shady dealings. That is why we need you.
 
Please help us crack and steal government files and sites.
 
 
E-Mail address: intelsource919@gmail.com

AntiSec Claims Mantle Of Lulz Security, Attempts To Out Do The Lulz Boat


June 28, 2011


Two major leaks from #AntiSec at Anonymous Operations.

http://pastebin.com/SN9Zb2xJ

http://pastebin.com/j3VraKD3


AntiSec bragged today on their twitter that they would eclipse the formidable but now disbanded Lulz Security. Then they got off to a roaring start by disclosing these two leaks.

Friday, June 24, 2011

Mikano Steel Web Site Hacked !

By Commander X

5:45 PM PT June 24, 2011

HackerLeaks has just been notified by an anonymous source that the Mikano Steel web site has been badly hacked. The site is located at -

http://www.mikanosteel.com/


The site was massively defaced, as the screen shots will show. HackerLeaks staff have verified that 30 minutes after the leak was received the site is still in the state shown in these photos. The defacement and attack are part of Operation Let There Be Light In Nigeria, a joint Op of Naija Cyber Hactivists, the Peoples Liberation Front - and Anonymous. According to our source, members of all three groups participated. Operation Let There Be Light In Nigeria according to the source of this disclosure is an Operation to bring badly needed affordable electrical energy to the Nigerian people. The site was also defaced with the following message:

" Hacked By The Naija Cyber Hactivists
This site was hacked using a tiger 1 kva generator with 5 litres of fuel ! no be so he suppose be :-(
#LetThereBeLightInNigeria
NaijaCyberHactivists have officially Decided to identify with the Nigerian Million March project facebook.com/event.php?eid=219476691418888 (Let there be light in Nigeria). The official #Hashtag would be #LetThereBeLightInNigeria
Our aim is to identify both from the Cyber Space and the Fields with collaboration with The PLF and Anonymous
We are standing against Darkness !
We are saying enough is enough !
We are saying Let there be light in Nigeria !
Young and Old ,
Liberal , Progressives and Conservatives
North, South, East and West
Christians and Muslims.
We can not sit at our systems, browsing facebook, tweeting while expecting a revolution.
Every time we decide not to exercise our rights, We contribute to the oppression of the human body
and the repression of the human mind.
You have a choice to make,... walk willingly into your own submission
Or
A choice to get up, walk the walk and say enough is enough -No more darkness in Nigeria!
There is going to be a peaceful action named Nigerian Million March.
The Nigerian Million March, is a PEACEFUL march with NO POLITICAL AGENDA and is NOT POLITICALLY AFFILIATED and not started by NaijaCyberHactivists.

What is the purpose of the peaceful “Nigerian Million March”?
To create a greater awareness that the lack of electricity denies Nigerians of their basic necessities of life such as: Employment, Security, Good Health, Education, Economic Growth and many more.

For more info : http://www.facebook.com/event.php?eid=219476691418888
http://www.nigerianmillionmarch.com/

This is a noble cause for our nation and we have decided to identify with this project.
You will hear more from us -STAY TUNED!

Naijacyberhactivists - In Source Code We Trust, Fighting for a cause.
Our Mission : Hand Over The Whip To The Horse!

http://twitter.com/#!/NaijaCyberHack
Naijacyberhactivists@yahoo.com

We would be using defacement and ddos as a media to make the #LightUpNigeria movement known to the public
The main targets would be http://www.phcnonline.com/ and http://www.mikano-intl.com/

The Op #LetThereBeLightInNigeria would be going live on 24th June 2011 and subsequent attacks will follow suit
as stated below :

#LetThereBeLightInNigeria Attack 1 - June 24th
#LetThereBeLightInNigeria Attack 2 - July 24th
#LetThereBeLightInNigeria Attack 3 - August 24th
#LetThereBeLightInNigeria Attack 4 - September 24th"


According to one of the sources of this leak, the hackers used the following technique to gain entry into the site: "okay i just used a sqli simple injection
used havij to dump it
then asked flip0ut to help me with the admin page
he got it and i entered it
when i got in there was a cms editor i was familiar with
so i just started working on it
first i used havij to dump this url http://www.mikanosteel.com/product-image. php?picid=6'"

The source for this disclosure also indicated that the database from this site was stolen and is being forwarded to HackerLeaks. This is a breaking release and we will update this post as more info is sent to us.