Message-ID: <20040207093400.25228.qmail@web41314.mail.yahoo.com>
From: suprelitehacker at yahoo.com (Liz beth)
Subject: Whitehat Tribute
...._ ..,,-======-.
`''<<:: o. `\
`-." .cdbc`. THE BIG BAD PENGUIN
; ?$$$$$b. PROUDLY PRESENTS
;... .d$$$$$$!> STFU Volume 1
.$$$$$$P"??$$??!!!!>.
,$$$$$$P .?!!!!!!!!!>
$$$$$$$k !!!!!!!!!!!!!!> Feb. 04, 2004
d$$$$$$$$ !!!!!!!!!!!!!!:
d$$$$$$$$$F '!!!!!!!!!!!!!!!:
d$$$$$$$$$$ '!!!!!!!!!!!!!!!!>
$$$$$$$$$$$L !!!!!!!!!!!!!!!!!!
d$$$$$$$$$$$$ '!!!!!!!!!!!!!!!!!!
d$$$$$$$$$$$$ !!!!!XX!!!!!!!!!!!!!
d$$$$$$$$$$$$x!!!!!!#X!!!!!!!!!!!!>
3$$$$$$$$$$$$!!!!!!!!$!!!!!!!!!!!!!
?$$$$$$$$$$$!!!!!!!!!$!!!!!!!!!!!!!>
?$$$$$$$$$$?!!!!!!!Xd!!!!!!!!!!!!!!>
$$$$$$$$$?!!!!!!!WT!!!!!!!!!!!!!!!!
?$$$$$$$F!!!!!!!td!!!!!!!!!!!!!!!!!
$$$$$$$!!!!!!!Ud!!!!!!!!!!!!!!!!!! gr33tz: el8, PHC, immortal, eps,
?$$$$$$!!!!!!W?!!!!!!!!!!!!!!!!!!!> Tom Jones, plan9, efnet, jerkface,
$$$$$C!!!!!!E!!!!!!!!!!!!!!!!!!!!> zemos, mikecc, ace, rocky_, #!IC,
?$$$$$!!!!!!E!!!!!!!!!!!!!!!!!!!!> denver, setenv, adam, |404|, ph33r,
$$$$$X!!!!!!!!!!!!!!!!!!!!!!!!!!> shazam, pr0digy, will, simprix,
$$$$b!!!!9!!!!!!!!!!!!!!!!!!!!!> macd, s0kket, phrackman, SirV,
`$$$$$C!!9!!!!!!!!!!!!!!!!!!!!! nu|l, tri0, bob, mercy, sloth,
?$$$$$$bUi!!!!!!!!!!!!!!!!!!!! fred, waldo, dawgyg, ziphie, digital,
`$$$$$$$$$$$$$b!!!!!!!!!!!!!!! pj, north, jason, justin, razka,
?$$$$$$$$$$$$$f!!!!!!!!!!!!!! dijit, thn, Damien, xar, dis, gr3p,
$$$$$$$$$$$$$)!!!!!!!!!!!!!> kokanin, jerome, pete, matrix,
?$$$$$$$$$$F!!!!!!!!!!!!!!! Syr0kill, slix0r, triumph the insult
"$$$$$$$$$!!!!!!!!!!!!!!!! comic dog, and most importantly:
"$$$$$$$!!!!!!!!!!!!!!!!!; Janet Jacksons right tit. BUT MORE importantly
?$$$$$%!!!!!!!!!!!!!!!!!!; Drew b3rry m0re cuz shez fine and jennifer connelly
$$$$$!!!!!!!!!!!!!!!!!!!!! cuz she's even more fine, i'd like to see them fuck
`$$$$P?(`-, `'(-(-`<>.\'-
,;<(?$$$$-";); `\\ \.<\.'
=<;<<;(<;'?$P"```` `` ` '`
-----------------------------------------------------------------------------------
th3 c0mm1tt33:
B0bB45k3R............th3 m0st 3l33t g4m3 sh0w h0st
p3p3.................m3x1 h4x0r
g1n4.................th3 r34l b1tch
mMm..................mr m4rlb0r0 m4n h1ms3lf
d-r0d................h1gh jump1ng n1gg4 fr0m d4 34sts1d3
0ls3n-tw1nz..........s0m30n3 s4y tw1nz!?!?
sgt-sl4ught3r........th3 b0dygu4rd
urm0m................m1ss 1nf0rm4nt
c4p741n_c0rrup710n........0h sh17 d00d 17z 71m3 t0 c0rrup7
-----------------------------------------------------------------------------------
th3 3l3v3n c0mm4ndm3nts 0f th3 1nt3rn3t:
th0u sh4lt n3v3r s3nd un3ncrypt3d p4ssw0rds 0v3r 3m41L
th0u sh4lt n0t subst1tut3 w3bc4m s3x f0r r34l p13c3 0f 4ss
th0u sh4lt n3v3r th1nk th0u 4r3 t0t4lly s3cur3d
th0u sh4lt n3v3r us3 match.com 4s 4 pl4c3 t0 g3t 4 d4t3
th0u sh4lt n3v3r us3 i-are-see p4ssw0rd f0r 3v3ryth1ng 3ls3
th0u sh4lt n3v3r und3r3st1m4t3 th3 'l4m3r'
th0u sh4lt n0t th1nk s0c14l 3ng1n33r1ng 1s d34d
th0u sh4lt n0t ch4rg3 f0r s0m3th1ng th0u c4nn0t pr0v1d3
th0u sh4lt 4lw4ys ph33r th3 0d4y
th0u sh4lt k33p th3 bl4ckh4t sc3n3 4l1v3
th0u sh4l7 n07 b3 a kiddie p0rn peddler or a fag l1k3 teck7 and hackah j4k
-----------------------------------------------------------------------------------
Link of Importance:
http://teck7.girlscoutcookie.com/ Ryans own match.com site
-----------------------------------------------------------------------------------
TARGET 1:
Ryan MacDonald aka teck7
www.rfxnetworks.com
cl41m t0 f4me:
APF (Advanced Policy Firewall) - 0.9.3 [apf@...x.org]
Copyright (C) 1999-2003, R-fx Networks <proj@...x.org>
Copyright (C) 2003, Ryan MacDonald <ryan@...x.org>
He almost makes people think he knows what he is doing, and that he deserves
money for his time. We have determined that Mr. Ryan MacDonald of RFXNetworks has
not only defrauded his customers, but also exploited their lack of intelligence
through over-charging for his services, while also leaving the integrity of his
client's servers open to the whole world. To demonstrate this lack of care,
integrity, and intelligence by Mr. Ryan MacDonald we will display the information
for a number of his clientele. All below server information is valid as of 3pm
Eastern Time Zone February 3, 2004. Got Root?
[teck7]$./l4m3-scr1pt-k1dd13-c0d3
Dumping all this tards email....
No encryption picked up....
Passwords detected....
Begin dump!
name
William
company
DenyIgnorance
email
william@...yignorance.com
url
http://www.abovetopsecret.com
Request ID
390
Priority
3
Logged
30-1-2004-11:25
Status
CLOSED
Ownership
ryan
Department
Hosting - General/Other
Purchased APF installation
Your e-mail response said---
We thank you for purchasing rfxnetworks.com services. To complete the
service as ordered we require the following information from you:
1) Server hostname/IP
66.98.176.42
2) Server login information
admin: di9ijn0okm
su: @f8uhb7ygv
3) Any special requirements or requests
Currently experiencing SYN floods and am particularly interested in the
better anti-dos of the current APF.
I have an older version of APF running.
please confirm via e-mail to william@...yignorance.com when the install is
complete.
Thank you.
name
Robbie Wallis
company
email
robbie@...b-space.com
url
http://www.4web-space.com
Request ID
391
Priority
1
Logged
30-1-2004-1:19
Status
CLOSED
Ownership
ryan
Department
Managed Services - General/Other
Security Package Needing Adding ASAP
Hello Ryan,
Would appreciate if you could fit this in ASAP as have just restored from
backup before hack occurred
Robbie (icq 161554)
Server: plesk.servdns.net
User: root
pass: *Jue7Koa1Lz9
Could I request you set the firewall up even if i have APF installed in the
meantime
Only special requirement is 8443 as its a plesk server
Robbie
The 5 other servers are now ready for you:
If you can't get it all done before you leave on Thursday then that's fine,
just keep me updated on your progress. So far I am very pleased with your
work, I can rest a little easier now :)
Ryan
Security Bundle:
We applied our standard security bundle. The bundle is a compilation of
minor tweaks, and permissions changes along with various scripts to remove
un-needed server functions (software, users, paths).
Below is a summary of all that is done by this security bundle:
- remove un-needed setuid/gid binaries/revoked sticky bit
- restrict common path permissions to prevent directory traversal
- restrict apache file permissions to prevent global reads
- hardened apache via RLIMIT for CPU time and MEM
- hardened apache via ServerToken and ServerSignature tweaks
- remove un-needed rpms
- removed un-needed default users from system install
- setup increased logging for syslog (/var/log/login_log & /var/log/kernel)
- harden tcpstack via sysctl (/etc/sysctl.conf)
- syncookies/misc env sysctl hardening (/etc/sysctl.conf)
- pamd.login restrictions
- setup smartd
smartd is a daemon that monitors the Self-Monitoring, Analysis and Reporting
Technology (S.M.A.R.T.) system built into many IDE and SCSI hard drives. The
purpose of S.M.A.R.T. is to monitor the reliability of the hard drive and
predict drive failures, and to carry out different types of drive
self-tests.
/etc/smartd.conf
Details about smartd status are logged to /var/log/messages; critical issues
are emailed to address noted in smartd.conf
- setup iftop [& libpcap - required]
/usr/sbin/iftop --help
Iftop is a top like network monitor
- setup libsafe LD_PRELOAD filter
Libsafe is a middle-ware solution to format string attacks and buffer
overflows. It provides a dynamically loadable LD_PRELOAD replacement. The
LD_PRELOAD replacement is used to replace common functions known to have
format string or BOF issues. LibSafe is an ideal solution to stop many
issues in simple and basic software - for example the Linux x86 'traceroute'
utility has had a history of format string issues, libsafe essentially puts
a lid around most of those past/present/future issues.
- Time synchronization; to ensure logging is accurate in regard to time
stamps
- APF firewall 0.9.1 check/setup
- Snort install [logs located in /var/log/snort/]
- Setup BFD (brute force detection - /var/log/bfd_log - issues bans via
/etc/apf/deny_hosts.rules)
- Setup JTR password auditing utility; runs monthly and emails admin with
insecure user passwords summary
- Other various changes that are deemed un-needed to document as they are
simply sanity checks of generic system policies (e.g: standard user homedir
perms etc...)
----
If you experience any problems whatsoever, that you feel are related to or
caused from our service - do not hesitate to open a trouble ticket or e-mail
us.
In such a case of an emergency issue caused by our service, you may page us
24/7 at:
pager@...networks.com
This will send an alert directly to our staff and they will promptly reply
to your issue. We can not stress that this is to be used only in emergency
situations.
On behalf of the R-fx Networks staff, thank you for choosing us as your
managed services provider. We hope to work with you again in the near
future.
name
Joseph Buaron
company
Future Point Inc.
email
joseph@...urepoint.com
url
http://www.futurepoint.com/
Request ID
287
Priority
2
Logged
2-12-2003-11:33
Status
OPEN
Ownership
ryan
Department
Managed Services - General/Other
Investigation of Attack & Security Bundle
Hello Ryan, I still need to install the Ensim security patches on the rest
of the servers, but let's start with the server that was recently hacked
since that is most important. While you are working on this server I will
work to complete the upgrade on the other 5 servers. As we agreed on ICQ I
will pay you $360 via PayPal for hardening all 6 of the Ensim Pro servers,
and investigating to determine how one of the servers was hacked.
I know I don't need to tell you this, but it is necessary that I do. These
servers contain confidential information belonging to Future Point Inc., and
its customers. You may not make any backups or copies of any data or files
on the servers, or share any of the information that I give you with anyone
else.
Below is the information for the first server; the old hard drive with the
compromised file system is connected to the server as a slave, and will be
removed tomorrow by EV1Servers. The drive needs to be mounted every time
after the server boots, so just type "mount /dev/hdb3 /home2" if it is not
already mounted.
207.218.206.74: (root/admin) / n0d9c7
name
Brandon Yoders
company
Deafening-urge.net Hosting
email
admin@...fening-urge.net
url
http://www.deafening-urge.net
Request ID
386
Priority
3
Logged
27-1-2004-12:28
Status
OPEN
Ownership
Unowned
Department
Managed Services - General/Other
login information
66.98.146.22
root / qgFnKeUlmv2dcEDPBtl0NK5B
name
Rodney Urbaniak
company
Revolution Solutions
email
rurbaniak14@...oo.com
url
http://
Request ID
395
Priority
1
Logged
31-1-2004-12:15
Status
OPEN
Ownership
Unowned
Department
Managed Services - General/Other
Linux Security Bundle
1) Server hostname/IP
srv01.digitdvs.com/207.44.156.88 (still set at EV1 Default on the hostname.)
2) Server login information
Admin - ruf1c8dd
SU and Appliance - js0419lu
3) Any special requirements or requests
If I have difficulty restoring from my info from my Secondary drives, can
you assist?
Appliance Backups and Site Backups are stored under /home3/vhbackup
If by chance you need anything, I'll be away from the computer a while.
734-218-1486
-----------------------------------------------------------------------------------
m0r3 r00tsh3lls!!!! th4nkz ry4n
-----------------------------------------------------------------------------------
s3xy ph0n3 l1st: ,==.-------.
( ) ==== \
|| | [][][] |
,8|| | [][][] |
8 || | [][][] |
8 ( ) O O O /
'88`=='-------'
Kyle Browning aka ocYrus.........(281) 379-4515 home
Alex Hopple aka drag0n...........(513) 797-0055 home
(513) 623-1122 cell
Blake Self aka RaT...............(765) 286-0080 home
Kenny Vollendorf aka cryptix.....(715) 823-5821 home
------------------------------------------------------------------------------------------------
Target #2:
h4k4h j4k
d00d l37z t4k3 a l00k at th1z h0mo. K. Background inf0z. "elite nt hacker". H3 claimz tu b3 th3
m0s7 3l337 NT hackah ever. Jessee Tuttle, the fuckin kiddie porn king, said h3 c0uld hack ANY nt
system in 30 s3conds. t3h n3x7 7h1ng 1 kn0w h3z ask1n us 2 c0de shit for h1z l4m3 nt d3f4c3s wtf?!
i th0ught he was mastah 0f teh nt, owner of DOS (probably a closet packet kiddie). Anywayz th47
br1ngz u up 2 d4t3 on tah faggot till may 2003. h3 was ra1d3d may 6th 2003, on hax0rin charges.
up0|\| going through hiz f1l3z (which included logz) they f0und kiddie p0rn! l1k3 1'm n07 74lk1ng
b0u7 1 fil3 downloaded by m1stak3 bu7 NINE, fuckin filez. (THAT WERE CONFIRMED). th1z was confirmed
by clerks site in cinnicinati, teh fi13z h3 h4s w3r3 hug3! 1 of th3m was 106 mega bitches! you
dont fuckin m1574nkl3y downl0ad a 106 mb f1l3 of 2 11 year old boyz butt fuck1ng each oth3r (als0
said some7h1ng b0u7 bestiality in it, which is ev3n s1ck3r.)
h3 fuck1n w4z running an ANTI-fUCKING KIDDIE PORN THING FOR ZONE-H, but then you fuckin see him
getting all thiz kiddie porn from the thing, wha7 1f he g0t l1k3 shitloads m0re that we d0n7 kn0w
ab0ut. he s41d 1n an int3rvi3w h3 waz w0rk1ng for tah FBI (no, not a female body inspector, cuz
he's a fat ignorant fuck) t0 c4tch 0nl1n3 fagz deal1ng tah kiddi3 p0rn. BULLSHIT FUCKWAD. th3ir
iz n0 way they w0uld fuckin be putt1ng up with your rapin of little girls you fuckin l0sah.
anyw4yz t0 wr4p thiz sh1t up. It w0uld of b33n 0k if the fuckbag h4d jus7 b33n ra1d3d f0r hackin,
but kiddie porn? 50 m4ny peopl3 l00k3d up t0 7hiz piece of shit, and he pulls th1z, plus keeping
l0gz on his box?! fuck th4t. h3 w0nd3rz why n0 0n3 trutz his llama kiddie p0rn lovin ass? CUZ
YOUR A FUCKIN NARC JAK. P31c3 0u7 fr0m tah c4p741n_c0rrup710n. c0rrup7ing 3v1l m1ndz to ins3r7
teh 7ru7h from tah n1ne713z.
---------------------------------------------------------------------------------------------------
THE final3 -Outro:
Th1z iz 17 fr0m us losahz f0r n0w. pl34z k33p 17 r34l and d0n't give sh17 0u7 70 7h3 l4m3rz.
r3p0r7 l0s3rs wh0 d34l kiddie porn! they desserver to die or b3 r4p3d by d00dz nam3d bubbah
th47 w3igh 500 poundz (Oh sh17! Jakz g0tt4 weigh bout that!)
th1z h4z b33n an 3z1n3 br0ugh7 70 y0u by B1g B4d penguin
L0ve alwayz sgt-sl4ught3r 4nd c4p741n_c0rrup710n.