Find Exploits for specific ports

Volatile Minds blogger Brandon Perry found a nice and easy way to find exploits in metasploit for a specific port:

msf > irb


>> framework.exploits.each_module { |n,e| x=e.new;
print_good("#{e.fullname}:
#{x.datastore['RPORT']}")
if x.datastore['RPORT'].to_i == 445   }; nil

(All in one line... )

You just need to replace the "445" with your target port.

Volatile-Minds Blog

GEMA hacked by anonymous

The GEMA (A german music copyright watchdog) has been hacked a few hours ago by @THE_SENQU / @AnonyPwnies




Several hours the website has been defaced with a Youtube apology screen, like we have seen many times before. (Sorry, this song... etc.)

It says:
"Sorry, this page isn't (not only) available in germany, because it could link to a company for which ANONYMOUS didn't release the necessary "freedom rights". We are sorry. NOT!"

The hackers released a ~17 MB (~350 MB unzipped) SQL-Dump file @ multiple OCHs.
Pic related.
( dump_p-www-direkt.gema.de_interP1_16-07-2011-05-53-34.rar )



Funny about this:
Over one month ago, a unkown person attacked the gema.de website successfully. (SQL Injection).
He released some user names and passwords. Pastebin


Last night all GEMA printers had been attacked, too. The attackers changed / set a random password. "Have fun, setting up the printers. But please use a password this time!"


Right now ( ~16:30) it's still defaced. Or to be more precise it's routed to a HTML-Pastebin ( http://pastehtml.com/view/b4pzxvn2x.html )

"The hackers claim to have stolen a massive amount of GEMA data"
computer.t-online.de

Background music: "Portal - Credits song 'Still alive' http://www.youtube.com/v/Y6ljFaKRTrI

"The GEMA is an association, which represents the copyright musicians and songwriters."
So a translation states. In fact, the GEMA is more like a surveillance agency with shady (nearly gestapo-like) methods to find and bring down potential copyright violaters.


Inside GEMA

---

Update:

17:22 - The battle still continues..
Sometimes the visitors are redirected to the pasteHTML page, sometimes they just get a "503 - service temporary unavailable" message.
The gema IT "experts" managed to put the website back on 5 times, but without solving the security issue.

Link GEMA Statement


17:40 - Video message released / fifth defacement.

Translation:

We are anonymous. Since you didn't follow our last call we are forced to attack your website. Have a nice day. P.S.: IF the admins would spent more time with security then with WoW (World of Warcraft) this attack possibly wouldn't be that effective. thanks for your support!
http://www.youtube.com/watch?v=Kq4R0Bv6xws

Video:




23:17 - Hack "documentation"

It all started with a SQL Injection vulnerability and went to #root on XX virtual machines.
Sometimes the password was the username, sometimes it was just "bla" (Webserver)
UserDump

Big "documentation" picture:

http://img7.imagebanana.com/img/w4ro8rt2/gemahack2.png

Links:

Internal NMap Scans
http://pastebin.com/KNYP6J0f
http://pastebin.com/vD2Rc4CB

German federal police got pwnd...

A server used by the german federal police & border patrol, Bundespolizei & Zoll, got hacked at least 2 days ago. (06.07.2011)

Responsible for the hack is the european (mostly german) "NoName Crew" (Server drops conn, probably hammered)
Dump:
dl.nn-crew.cc


In their statement about that hack they say:

" Data preservation, Bundestrojaner [A trojan, like the US CIPAV], biometric passports.. Even law enforcement agencies say, the current laws are more than enough to catch criminals.

We are [Rem.: german people] no terrorists, but everyone of us has something to hide. We want to secure our privacy and our rights, given by the constitution.
Because of the massive misuse of surveillance, we will fight against such behavior. This has to stop.

The bad guys know how to hide their tracks, your methods will not stop them.
[Note: The police illegally catched/recorded cellphone data and conversations of a whole city district at an Anti-Nazi Demonstration]

The release contains most of the GPS tracking software, including firmware for the used devices.
Also:

• Different Programs used to visualize the data (Incl. a google Maps key)
  
• The PATRAS GPS analysis Software / Interface (GPS2Cell Systems)
  
• A complete SQL Backup of the recent car-surveillances, including movement data, phone numbers for data transfer and for audio etc.
  
• Internal documents how to get some software working, how to patch some things and misc. information
• etc. . .
  

The server used was an Windows OS (x64) with XAMPP installed.

---

A first look showed some serious security flaws.

• All passwords to access the web interface are saved in clear-text. Also, they appeared in several logs in cleartext.
  Sorry, but that's just stupid.
  

In one htdocs/include file ( named: config.php1 ) the credentials for an surveillance interface were saved.

• Username: "root"
• Password: ""

The uploaded Filezilla Configurations also showed and user account with a 4 digit password.
Not, it was not 1234 ;)

One PDF shows information how to fix a serious flaw in the PATRAS Srv / XAMPP.
Apparently, they forgot to shut down the PHPMyAdmin Interface for external access. 02/11

According to the screenshots, provided by NN-Crew, I think they used an SQL Injection vulnerability to compromise the system.
Or, a targeted attack at one of the admins. D.L. has a facebook profile, so, with a little bit SE and a lot of guts, they might have infected his machine.


A Bundespolizei spokeswoman confirmed the breach in an interview.
It's one of the first, big cases for the new founded national cyber defense center.



This and other screenshots of the used php-shells show, they had access to more data than they released in their dump. So, the release should be seen as a "warning shot", i guess.

MTGox DB got leaked. . .

The MTGox Database just got leaked.

There was a huge sell-out of bitcoins this afternoon. (6/19/11)
At first it looked like MTGox, one of the biggest "Bitcoin trading markets" found the hacker and closed the specific, compromised account.

At least, that's what they posted at their official blog:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

But, right after that, a post at the Bitcoin.org Board showed some other story:

A .CSV File, containing Usernames, Email addresses and also hashed user passwords.
The DB is over 3MB big and contains over 61.000 names.
I found my testuser, that I created a week ago .

It seems like the hack happened at least 3 days ago.
I found a hash from the accounts file in the Hashkiller DB OpenCrack list from 17.06.2011
http://opencrack.hashkiller.com/20110617-04.html

16. June 2011, he asked to crack hashes from this hack at the Insidepro board
http://forum.insidepro.com/viewtopic.php?p=65015#65015
http://forum.insidepro.com/viewtopic.php?p=65092#65092


Post to DB Dump:
http://forum.bitcoin.org/index.php?topic=19405.0 (Topic got deleted...)




Sad to see, that a page that makes thousands of dollars a week got hacked that fast.






New Statement:

UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.


Update:

....as a way of saying we sincerely sorry for the breach of security that lead to the sell-off, we will be reducing trade fees to 0.3% (from 0.65%) for two weeks following Mt.Gox's reopening.

Users whose trades were effectively cancelled during the the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.

They implemented "multi-iteration, triple salted" SHA512 password storing and SMS authentication.

Oh Twitter, you're the devil...

After changing to "New Twitter", I thought the torture was over.

My tweets came in as usual and everything went just fine.

But it seems the phrase "Never change a running system" never reached twitter.

I logged in as usual. Then I saw this message, telling me "This is your homepage, HackingHoradrim" and that I should follow someone. (I follow 200+)

Alright. I supposed it's a side-effect from the new Tweetdeck acquisition and I just had to reload.
Nope, nothing. Friends I asked didn't had a problem.

~ One hour later, tada, works fine. Don't know what it was, but sucked hard.
My 2 cents.

What a beautiful morning....

From time to time it's a good idea to update && upgrade your system.
In my case, it's Debian Lenny.

So, what did i do ?
Updated && upgraded && dist-upgraded via APT, changed the lenny parts to squeeze in /etc/apt/sources.list
Then updated && upgraded, aptitude install apt dpkg aptitude
cat /etc/debian_version gave me a clear 6.0.1

Everything fine?
No sir.

Rebooted and... my system started beeping every other second + flashed the screen like above.

Solution? I put away that machine and i'm using another right now. No time to fix and to be honest:

Maybe i should reinstall it, after years of just upgrading.

Maybe.


Now i took some time to get that problem fixed.
Reboot, Single user, aptitude update & upgrade.
Took another ~40 minutes but was worth it. System up and fine =)

Secure / harden your MySQL Server...

Some of you might run a own MySQL Server or are in charge managing some..
This tutorial helped me a lot, keeping em' clean & a little bit more secure ;)
But always keep in mind, there are different attack vectors than "just" SQLi & the MySQLd.

Topics:

Disable or restrict remote access
Disable the use of LOCAL INFILE
Change root username and password
Remove the "test" database
Remove Anonymous and obsolete accounts
Lower system privileges
Lower database privileges
Enable Logging
Remove History
Patch your systems

Tutorials@SSTeam
With another 'paper', regarding industry-style solutions(esp. credit card, bank details storage)

Tutorial@GreenSQL

WeakNet Linux IV development has started

After the fire @WeakNetLabs, the developers are back on track.

According to the authors, the new linux version will include more tools and support more hardware, esp. WLAN hw.

So far the details I can give are: FluxBox is still the default WM, boot time is around 15 seconds on an 800MHz AMD laptop.

Source:
WeakNet Labs

Genesis

Hey there.

This isn't a always - up-to-date Blog.
It's not about politics, about specific topics or something.
It's a little place, where i can dump things that may interest some other guys...

So, add it or not..

Watch the LinkDump list, too...
--> LinkDump