| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Sep 2010 22:10:12 +0000
From: Ben <iluv2cane@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: auto595158@...hmail.com, tuscl.founder@...il.com
Subject: Re: Tuscl.net SQL injection with 30k Plain Text
Passwords & 80k Email list
*From:* "www.tuscl.net" <tuscl.founder@...il.com>
*To:* auto595158@...hmail.com, iluv2cane@...il.com, benhuoh@...il.com,
benhu@...sics.uakron.edu
*Date:* Wed, 08 Sep 2010 19:01:24 +0000
Just received this email from the owner of the site:
Ben
How 'bout I send a couple of strippers over to your condo there in Akron so
you can cane them. You're still at 1381 Waters Edge, right?
Then maybe I will blast out an email to all your colleagues there at the
physics department of the University of Akron with this little jewel...
*I have a suggestion for a Mood Pictures movie whic would be called
something like "Crime Deterrent Video for Girls." ...
*
Ah, hell, Ben, you know the plot... but what I really like is the last line
of the email:
*"I think it is a nice psychological touch to imagine a class of 14 or 15
year-old girls being made to see the canings shown in this video. "
*
I'm sure the FBI will be all over that.
Tell you what Mr. Ben Yu-Kuang Hu, let's make a deal. You clean up the mess
you made, stay the hell off my site, and I will forget this little escapade
ever happened.
Deal?
-----------------------------------------------
So first off, I should report your ass to the FBI for prostitution.
Second, this email account I signed up with, happened to contain the same
password for your site as it did it's email.
So to hide myself further and cause you to run around chasing my proxies and
pin the blame on some retard who is obsessed over BDSM.
Third, Ill fix your website, give me the root password :D
On Fri, Sep 3, 2010 at 8:37 PM, Ben <iluv2cane@...il.com> wrote:
> worked in firefox....
> if you see the title bar stating 3,8
> thats the union select ;)
> also per this page: http://www.tuscl.net/contact-login.php
>
> Recently we lost a week's worth of user data. We believe it was the work of
> hackers, and have tightened our security measures.
>
>
> On Fri, Sep 3, 2010 at 8:32 PM, Jhfjjf Hfdsjj <taser3000@...oo.com> wrote:
>
>>
>> Well, one thing I will point out is that the link you submitted for the
>> actual SQL injection doesnt seem to work. Either they fixed it or you messed
>> up the link.
>> ------------------------------
>> *From:* Ben <iluv2cane@...il.com>
>> *To:* full-disclosure@...ts.grok.org.uk
>> *Sent:* Fri, September 3, 2010 11:09:04 AM
>> *Subject:* [Full-disclosure] Tuscl.net SQL injection with 30k Plain Text
>> Passwords & 80k Email list
>>
>> I found many sql injections on Tuscl.net (The ultimate strip club list)
>>
>> I tried notifying the site, no response. The server is ran on a vmware. So
>> anything that is done to it is restored, apon reboot.
>>
>> This is a dump of usernames passwords and emails for the site. They are in
>> plain text. I have removed records that had the system generated password
>> that the user never changed.
>>
>> http://tinyurl.com/397rzqs
>> http://bit.ly/bkVnPY
>> http://is.gd/eTqna
>> http://jump.fm/FOJRO
>> http://www.mediafire.com/?l6i1vd25il61a6b
>> http://www.megafileupload.com/en/file/265174/users-sql-zip.html
>> http://www.4shared.com/file/w0qqRyDf/userssql.html
>> http://rapidshare.com/files/416858410/users.sql.zip
>> http://rapidshare.com/files/416860069/users.sql.zip
>> http://www.speedyshare.com/files/24097837/users.sql.zip
>> http://uploading.com/files/e1741mm9/users.sql.zip/
>> http://bit.ly/cFvd8B
>> http://is.gd/eTsn5
>>
>>
>>
>> http://www.tuscl.net/c.php?CID=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
>>
>> Common Passwords and the number of accounts that shared them
>>
>> password - 269
>> 123456 - 173
>> tuscl - 84
>> stripper - 67
>> qwerty - 62
>> 12345 - 49
>> 12345678 - 47
>> 1234 - 42
>> baseball - 36
>> monkey - 36
>> princess - 34
>> stripclub - 33
>> strip - 32
>> jennifer - 32
>> abc123 - 32
>> mustang - 31
>> pussy - 29
>> lapdance - 27
>> andrew - 27
>> jmh1978 - 27
>> letmein - 27
>> fuckyou - 27
>> 696969 - 27
>> michelle - 26
>> harley - 25
>> dallas - 25
>> 111111 - 25
>> shadow - 24
>> corvette - 24
>> trustno1 - 24
>> sunshine - 22
>> dragon - 21
>> jordan - 21
>> love - 21
>> butthead - 20
>> batman - 20
>> danielle - 20
>> buster - 20
>> password1 - 20
>> hello - 20
>> biteme - 20
>> gaydar - 20
>> Michael - 19
>> george - 19
>> hockey - 19
>> ginger - 19
>> 6969 - 19
>> Bandit - 19
>> lasvegas - 18
>> taylor - 18
>> tigger - 18
>> yankees - 18
>> chicago - 18
>> fucker - 18
>> blahblah - 17
>> football - 17
>> 1escobar2 - 17
>> 1111 - 17
>> Jessica - 17
>> 123456789 - 16
>> testing - 16
>> phoenix - 16
>> badboy - 16
>> gemini - 16
>> ranger - 16
>> heather - 15
>> gateway - 15
>> secret - 15
>> welcome - 15
>> 654321 - 15
>> aaaaaa - 15
>> tennis - 15
>> asshole - 15
>> maggie - 14
>> pepper - 14
>> charlie - 14
>> golfer - 14
>> strippers - 14
>> redskins - 14
>> summer - 14
>> peanut - 14
>> chicken - 13
>> jeremy - 13
>> hunter - 13
>> m0ntlure - 13
>> fuckoff - 13
>> dancer - 13
>> bitch - 13
>> lucky - 13
>> whatever - 13
>> killer - 13
>> prince - 13
>> robert - 13
>> orange - 13
>> thomas - 13
>> hawaii - 12
>> redsox - 12
>> tiger - 12
>> titties - 12
>> gators - 12
>> Password - cnt
>> florida - 12
>> kitten - 12
>> austin - 12
>> merlin - 12
>> canada - 12
>> diamond - 12
>> boston - 12
>> master - 12
>> yellow - 12
>> falcon - 12
>> jasmine - 12
>> 1234567 - 12
>> cookie - 12
>> superman - 12
>> midnight - 12
>> blowme - 12
>> jackass - 12
>> sparky - 12
>> peekaboo - 11
>> doctor - 11
>> brandy - 11
>> 8675309 - 11
>> madison - 11
>> braves - 11
>> brooklyn - 11
>> money - 11
>> anthony - 11
>> samantha - 11
>> ashley - 11
>> lucky1 - 11
>> amanda - 11
>> booboo - 11
>> SOCCER - 11
>> tarheels - 11
>> bigdog - 11
>> pookie - 11
>> private - 11
>> tiffany - 11
>> martin - 11
>> silver - 11
>> lakers - 10
>> eatme - 10
>> junior - 10
>> platinum - 10
>> sex - 10
>> iloveyou - 10
>> nicole - 10
>> vegas - 10
>> wolfpack - 10
>> 55555555 - 10
>> barney - 10
>> melissa - 10
>> molly - 10
>> passw0rd - 10
>> sexy - 10
>> nascar - 10
>> dietcoke - 10
>> chris - 10
>> boomer - 10
>> test123 - 10
>> johnny - 10
>> red123 - 10
>> asdfgh - 10
>> ncc1701 - 10
>> 314159 - 10
>> internet - 10
>> jackson - 10
>> computer - 10
>> peaches - 10
>> horny - 10
>> sierra - 10
>> rush2112 - 10
>>
>> Here is the complete list of email addresses registered. The site had no
>> validated so, I am sure, some are fake.
>> http://www.tuscl.net/emails.zip
>> http://rapidshare.com/files/416871314/emails.zip
>> http://www.mediafire.com/?67rzfbvmyr1c492
>> http://www.speedyshare.com/files/24098846/emails.zip
>> http://www.megafileupload.com/en/file/265210/emails-zip.html
>>
>> The path to the working directory is: /home/httpd/vhosts/
>> tuscl.net/httpdocs/
>>
>> The SQL information is
>> "localhost" - "tuscl" - "szg4wpl9"
>>
>> Also if you want to look at all the nudey photos uploaded here is where
>> they are
>> http://www.tuscl.net/pictures/
>>
>> There are other sites that could have been comprimised as well:
>> vanjonesthinksimanasshole.com
>> tuscl.com
>> onerun.com
>> ecampguide.com (contains another 1200 plain text passwords)
>> troopedge.com
>>
>> Well have fun!
>> Owner or media if you want get ahold of me:
>> auto595158@...hmail.com
>>
>>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists