Astalavista claimed to be run by security experts. From http://astalavista.com/faq:
>> 03. Who’s behind the site?
>> A team of security and IT professionals, and a countless number of contributors from all over the world.
>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.
It was very clear that this was untrue.
So why were they hacked? I’ll let the hacker tell you:
Why has Astalavista been targeted?
Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per months to access a dead forum with a directory filled with public releases and outdated / broken services.
We wanted to see how good that "team of security and IT professionals" really is.
To sum up what you’re about to see…
[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group
Apparently, gaining access to the self-proclaimed security expert’s site was as simple as:
anti-sec:~# ./g0tshell astalavista.com -p 80 [+] Connecting to astalavista.com:80 [+] Grabbing banner... LiteSpeed [+] Injecting shellcode... [-] Wait for it [~] We g0tshell sh-3.2$
The person doing the work was kind enough to post a log of everything that he did with the shell at Pastebin.
The results are absolutely hilarious. Storing passwords in plaintext with MySQL databases. That’s secure, right?
SELECT USER,nickname,password,email FROM users WHERE userlevel = 1;
| user | nickname | password | email
| pascal | prozac | ******** | email@example.com |
| Ivan Schmid | rOOtless1 | ******** | firstname.lastname@example.org|
| qreymer | Palermo | ******** | email@example.com |
| Christian Wehrli | g0atherd | ******** | firstname.lastname@example.org |
Passwords removed to protect the possibly innocent.
Checking the .bash_history for some users reveals mysql connect strings with passwords in the strings themselves instead of letting it prompt for a password. All in all, if you’re familiar with Linux and security in any fashion, you can get a good chuckle out of how terribly managed this site for security experts is.
The log is quite entertaining. Our hacker was kind enough to show us some messages that were being passed around from the administrators of the site to talk about how they can make more money. Here’s a particularly hilarious one:
select iss_summary,iss_description from eventum_issue where iss_id = 16;
| iss_summary | iss_description |
| Website guidance | Virtual Girl which guides you trought the website.
We need a girl with who you can ( talk )!!!
Also for the News!
So my suggestion is a girl who read you the news loud if you like!
you can choose between read yourselfe or she read it for you or both!
Go to www.heise.de! There is an example for Voice News! It's a good thing!!!
Have a look on the example girls!!
After gaining root access, the hacker leaves us with an ending that is not unlike the fantastic explosion of the Death Star:
sh-3.2# cd /home sh-3.2# ls -la total 120 drwxr-xr-x 14 root root 4096 Mar 11 17:56 . drwxr-xr-x 25 root root 4096 Jun 3 02:43 .. drwx--x--x 9 admin admin 4096 Nov 28 2007 admin -rw------- 1 root root 8192 Jun 4 03:03 aquota.group -rw------- 1 root root 8192 Jun 3 02:45 aquota.user drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 astanet drwxr-xr-x 2 root root 4096 Jul 29 2008 backup drwxr-xr-x 2 root root 4096 Sep 17 2008 backup.14161 drwx--x--x 10 com com 4096 Apr 28 12:40 com drwxr-xr-x 2 root root 4096 May 17 2007 ftp drwx------ 3 jon jon 4096 Sep 21 2007 jon drwx------ 2 root root 16384 Sep 11 2007 lost+found drwxr-xr-x 2 root root 4096 Sep 14 2007 my drwxr-xr-x 5 mysql mysql 4096 Sep 24 2007 mysqldata drwx------ 2 jon jon 4096 Sep 15 2007 test drwxrwxrwt 2 root root 4096 Jul 29 2008 tmp sh-3.2# rm -rf backup/ sh-3.2# rm -rf backup.14161/ sh-3.2# rm -rf ftp/ sh-3.2# rm -rf jon/ sh-3.2# rm -rf my/ sh-3.2# rm -rf mysqldata/ sh-3.2# rm -rf test/ sh-3.2# rm -rf tmp/ sh-3.2# cd ~ sh-3.2# rm -rf * sh-3.2# rm -rf /var/log/ rm: cannot remove directory `/var/log//proftpd': Directory not empty sh-3.2# rm -rf /home/* sh-3.2# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 407156 Server version: 5.0.45-community-log MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show databases; +-----------------------+ | Database | +-----------------------+ | information_schema | | astanet_ads | | astanet_mailing_lists | | astanet_mediawiki | | astanet_membersystem | | com_contrexx | | com_contrexx2 | | com_contrexx2_live | | da_roundcube | | dolphin | | ideapool | | mysql | | test | | yourmaster | +-----------------------+ 14 rows in set (0.03 sec) mysql> drop database astanet_membersystem; droQuery OK, 46 rows affected (0.81 sec) mysql> drop database com_contrexx; Query OK, 211 rows affected (2.72 sec) mysql> drop database com_contrexx2; Query OK, 237 rows affected (2.23 sec) mysql> drop database com_contrexx2_live; Query OK, 227 rows affected (7.63 sec) mysql> drop database ideapool; Query OK, 69 rows affected (0.19 sec) mysql> drop database yourmaster; Query OK, 158 rows affected (0.55 sec) mysql> drop database astanet_ads; Query OK, 9 rows affected (0.11 sec) mysql> drop database astanet_mailing_lists; Query OK, 24 rows affected (1.47 sec) mysql> drop database astanet_mediawiki; Query OK, 31 rows affected (0.51 sec) mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | da_roundcube | | dolphin | | mysql | | test | +--------------------+ 5 rows in set (0.00 sec)
The hacker left the ending with a wonderful quote suited for Astalavista.com/net:
What a journey! We’re not sure exactly why the "Terminator" had any influence on their naming (conventions) but we’re sure Arnold himself wouldn’t be in the wrong to say this pack of morons *wont be back*.
Well done anti-sec, well done.
If you liked this post, then please consider subscribing to my feed.