Astalavista.net and Astalavista.com Hacked

The infamous sources for exploits, hacks, etc. Astalavista.net, and Astalavista.com have been hacked. The hacker kept a log of the entire shell session and posted it for everyone’s viewing pleasure.

Astalavista claimed to be run by security experts. From http://astalavista.com/faq:

>> 03. Who’s behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and
military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

It was very clear that this was untrue.

So why were they hacked? I’ll let the hacker tell you:

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per months to access a dead forum with a directory filled with public releases and outdated / broken services.

We wanted to see how good that "team of security and IT professionals" really is.

To sum up what you’re about to see…

Astalavista:

[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

Apparently, gaining access to the self-proclaimed security expert’s site was as simple as:

anti-sec:~# ./g0tshell astalavista.com -p 80
	[+] Connecting to astalavista.com:80
	[+] Grabbing banner...
		LiteSpeed
	[+] Injecting shellcode...
	[-] Wait for it	
	[~] We g0tshell	
sh-3.2$

The person doing the work was kind enough to post a log of everything that he did with the shell at Pastebin.

The results are absolutely hilarious. Storing passwords in plaintext with MySQL databases. That’s secure, right?

SELECT USER,nickname,password,email FROM users WHERE userlevel = 1;

| user | nickname | password | email
| pascal | prozac | ******** | info@astalavista.net |
| Ivan Schmid | rOOtless1 | ******** | ivan.schmid@comvation.com|
| qreymer | Palermo | ******** | eche@home.se |
| Christian Wehrli | g0atherd | ******** | g0atherd@gmx.net |
... etc.

Passwords removed to protect the possibly innocent.

Checking the .bash_history for some users reveals mysql connect strings with passwords in the strings themselves instead of letting it prompt for a password. All in all, if you’re familiar with Linux and security in any fashion, you can get a good chuckle out of how terribly managed this site for security experts is.

The log is quite entertaining. Our hacker was kind enough to show us some messages that were being passed around from the administrators of the site to talk about how they can make more money. Here’s a particularly hilarious one:

select iss_summary,iss_description from eventum_issue where iss_id = 16;


| iss_summary | iss_description |
| Website guidance | Virtual Girl which guides you trought the website.
We need a girl with who you can ( talk )!!!
Also for the News!
So my suggestion is a girl who read you the news loud if you like!
you can choose between read yourselfe or she read it for you or both!
Go to www.heise.de! There is an example for Voice News! It's a good thing!!!
Have a look on the example girls!!
http://www.yaoti.com/de/free_yaoti.html
or that
http://www.yellostrom.de/

After gaining root access, the hacker leaves us with an ending that is not unlike the fantastic explosion of the Death Star:

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root    root     4096 Mar 11 17:56 .
drwxr-xr-x 25 root    root     4096 Jun  3 02:43 ..
drwx--x--x  9 admin   admin    4096 Nov 28  2007 admin
-rw-------  1 root    root     8192 Jun  4 03:03 aquota.group
-rw-------  1 root    root     8192 Jun  3 02:45 aquota.user
drwx--x--x  6 astanet astanet  4096 Jun  4 09:51 astanet
drwxr-xr-x  2 root    root     4096 Jul 29  2008 backup
drwxr-xr-x  2 root    root     4096 Sep 17  2008 backup.14161
drwx--x--x 10 com     com      4096 Apr 28 12:40 com
drwxr-xr-x  2 root    root     4096 May 17  2007 ftp
drwx------  3 jon     jon      4096 Sep 21  2007 jon
drwx------  2 root    root    16384 Sep 11  2007 lost+found
drwxr-xr-x  2 root    root     4096 Sep 14  2007 my
drwxr-xr-x  5 mysql   mysql    4096 Sep 24  2007 mysqldata
drwx------  2 jon     jon      4096 Sep 15  2007 test
drwxrwxrwt  2 root    root     4096 Jul 29  2008 tmp
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 407156
Server version: 5.0.45-community-log MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+-----------------------+
| Database              |
+-----------------------+
| information_schema    |
| astanet_ads           |
| astanet_mailing_lists |
| astanet_mediawiki     |
| astanet_membersystem  |
| com_contrexx          |
| com_contrexx2         |
| com_contrexx2_live    |
| da_roundcube          |
| dolphin               |
| ideapool              |
| mysql                 |
| test                  |
| yourmaster            |
+-----------------------+
14 rows in set (0.03 sec)
mysql> drop database astanet_membersystem;
droQuery OK, 46 rows affected (0.81 sec)
mysql> drop database com_contrexx;
Query OK, 211 rows affected (2.72 sec)
mysql> drop database com_contrexx2;
Query OK, 237 rows affected (2.23 sec)
mysql> drop database com_contrexx2_live;
Query OK, 227 rows affected (7.63 sec)
mysql> drop database ideapool;
Query OK, 69 rows affected (0.19 sec)
mysql> drop database yourmaster;
Query OK, 158 rows affected (0.55 sec)
mysql> drop database astanet_ads;
Query OK, 9 rows affected (0.11 sec)
mysql> drop database astanet_mailing_lists;
Query OK, 24 rows affected (1.47 sec)
mysql> drop database astanet_mediawiki;
Query OK, 31 rows affected (0.51 sec)
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| da_roundcube       |
| dolphin            |
| mysql              |
| test               |
+--------------------+
5 rows in set (0.00 sec)

Let’s hope the “Security Experts” have off-site backups. In the meantime, you can check out the original here or download it in .txt format here.

The hacker left the ending with a wonderful quote suited for Astalavista.com/net:

What a journey! We’re not sure exactly why the "Terminator" had any influence on their naming (conventions) but we’re sure Arnold himself wouldn’t be in the wrong to say this pack of morons *wont be back*.

Well done anti-sec, well done.

If you liked this post, then please consider subscribing to my feed.