Pages:
Author

Topic: Hack my site, receive bitcoins (Read 2734 times)

newbie
Activity: 56
Merit: 0
June 20, 2013, 10:56:37 PM
#40
Gee if you see the problem why are you still allowing hackers full access to your buddies server?  nm, you clearly know what you are doing.   Roll Eyes
sr. member
Activity: 350
Merit: 250
June 20, 2013, 10:48:10 PM
#39
newbie
Activity: 56
Merit: 0
June 20, 2013, 10:37:51 PM
#38
lol, oh ok... so the 49 vulnerabilities including 25 serious ones mean nothing.
why are you asking for help if you obviously know it all and can't learn a thing?
my assessment of your high school coding is worth thousands.

jackass


here's the report I sent the idiot op, don't waste your time tryng to earn his pittance offer


http://s3.postimg.org/rnegf0m6n/Untitled.jpg

I hit your server 25,000 times.  You have serious vulnerabilities as listed in this image:
http://postimg.org/image/rnegf0m6n/


06.20 20:04.24, Started scanning http://http:80//198.12.67.18/test:80/ ...
06.20 20:04.24, Start URL : http://http:80//198.12.67.18/test:80/
06.20 20:04.24, Scanning Mode : Heuristic
06.20 20:04.24, Server banner: Unknown
06.20 20:04.25, Crawling started, URL: http://http//198.12.67.18/test:80/
06.20 20:04.26, Unable to detect custom 404 pattern automatically.
06.20 20:04.26, Some crawling options will be automatically disabled.
06.20 20:04.26, Processing file /198.12.67.18/test:80
06.20 20:04.27, Analyzing client side JavaScripts
06.20 20:04.27, Analyzing file: http://http/198.12.67.18/test:80/
06.20 20:04.27, Script analysis done
06.20 20:04.27, Processing file /198.12.67.18/test:80 (variation 1)
06.20 20:04.27, Processing file /198.12.67.18/test:80 (variation 2)
06.20 20:04.27, Searching for possible site errors.
06.20 20:04.27, Searching for aspect alerts.
06.20 20:04.27, Crawling done.
06.20 20:04.27, Scanning started.
06.20 20:05.20, Finished scanning.
06.20 20:05.20, Flush file buffers.
06.20 20:05.41, Started scanning http://198.12.67.18:80/test:80/ ...
06.20 20:05.41, Start URL : http://198.12.67.18:80/test:80/
06.20 20:05.41, Scanning Mode : Heuristic
06.20 20:05.41, Server banner: Apache 2.x
06.20 20:05.41, Crawling started, URL: http://198.12.67.18/test:80/
06.20 20:05.42, Apache mod_negotiation filename bruteforcing
06.20 20:05.42, Error page Web Server version disclosure
06.20 20:05.43, Searching for possible site errors.
06.20 20:05.43, Searching for aspect alerts.
06.20 20:05.43, Crawling done.
06.20 20:05.43, Scanning started.
06.20 20:05.45, Apache httpd Remote Denial of Service
06.20 20:06.00, CSRF testing finished.
06.20 20:06.00, Finished scanning.
06.20 20:06.00, Flush file buffers.
06.20 20:06.47, Started scanning http://198.12.67.18:80/ ...
06.20 20:06.47, Start URL : http://198.12.67.18:80/
06.20 20:06.47, Scanning Mode : Heuristic
06.20 20:06.47, Server banner: Apache 2.x
06.20 20:06.47, Crawling started, URL: http://198.12.67.18/
06.20 20:06.49, Processing file /
06.20 20:06.49, Apache mod_negotiation filename bruteforcing
06.20 20:06.49, Error page Web Server version disclosure
06.20 20:06.51, Analyzing client side JavaScripts
06.20 20:06.51, Analyzing file: http://198.12.67.18/
06.20 20:06.51, Script analysis done
06.20 20:06.51, Processing file / (variation 1)
06.20 20:06.51, Processing file / (variation 2)
06.20 20:06.51, Searching for possible site errors.
06.20 20:06.51, Searching for aspect alerts.
06.20 20:06.51, Crawling done.
06.20 20:06.51, Scanning started.
06.20 20:06.51, Apache httpd Remote Denial of Service
06.20 20:07.08, Possible sensitive files
06.20 20:07.12, Possible sensitive directories
06.20 20:07.15, Possible sensitive directories
06.20 20:07.53, Restart crawling
06.20 20:07.53, Processing file /test.php
06.20 20:07.53, Processing file /phpmyadmin
06.20 20:07.53, Processing file /test
06.20 20:07.53, Processing file /index.php
06.20 20:07.54, Processing file /test
06.20 20:07.54, Processing file /phpmyadmin
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /test/basic.css
06.20 20:07.54, Processing file /test/login.php
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 1)
06.20 20:07.54, Processing file /phpmyadmin/themes
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 2)
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 4)
06.20 20:07.54, Processing file /phpmyadmin/themes/original
06.20 20:07.54, Processing file /phpmyadmin/themes/original/img
06.20 20:07.54, Processing file /phpmyadmin/phpmyadmin.css.php
06.20 20:07.54, Processing file /phpmyadmin/Documentation.html
06.20 20:07.55, Processing file /phpmyadmin/Documentation.html (variation 1)
06.20 20:07.56, Processing file /phpmyadmin/print.css
06.20 20:07.56, Processing file /phpmyadmin/phpmyadmin.css.php (variation 1)
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 3)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, User credentials are sent in clear text
06.20 20:07.56, Processing file /test/style/fg_membersite.css
06.20 20:07.56, Broken links
06.20 20:07.56, Processing file /test/scripts/gen_validatorv31.js
06.20 20:07.56, Processing file /test/style
06.20 20:07.56, Processing file /test/login.php (variation 1)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Processing file /test/UPC.ttf
06.20 20:07.56, Processing file /phpmyadmin/themes
06.20 20:07.56, Processing file /phpmyadmin/themes/original
06.20 20:07.56, Processing file /phpmyadmin/phpmyadmin.css.php (variation 2)
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/themes/original/img
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 7)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, User credentials are sent in clear text
06.20 20:07.56, Broken links
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 5)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 9)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/changelog.php
06.20 20:07.57, Processing file /phpmyadmin/docs.css
06.20 20:07.57, Processing file /phpmyadmin/index.php (variation 6)
06.20 20:07.57, Processing file /phpmyadmin/index.php (variation Cool
06.20 20:07.57, Processing file /phpmyadmin/translators.html
06.20 20:07.57, Broken links
06.20 20:07.57, Processing file /phpmyadmin/license.php
06.20 20:07.57, Processing file /test/scripts
06.20 20:08.06, Processing file /test/style
06.20 20:08.06, Processing file /test/scripts
06.20 20:08.08, Processing file /phpmyadmin/setup
06.20 20:08.08, Analyzing client side JavaScripts
06.20 20:08.08, Analyzing file: http://198.12.67.18/phpmyadmin/
06.20 20:08.08, Analyzing file: http://198.12.67.18/test/login.php
06.20 20:08.08, Script analysis done
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 11)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 10)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 12)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Searching for possible site errors.
06.20 20:08.08, Searching for aspect alerts.
06.20 20:08.08, Session Cookie without HttpOnly flag set
06.20 20:08.08, Session Cookie without Secure flag set
06.20 20:08.08, Crawling done.
06.20 20:08.08, Scanning started.
06.20 20:08.18, Cross Site Scripting (verified)
06.20 20:35.33, Cross Site Scripting (verified)
06.20 20:35.33, Possible username or password disclosure
06.20 20:35.37, Possible server path disclosure (Unix)
06.20 20:35.37, Possible username or password disclosure
06.20 20:35.38, Error message on page
06.20 20:35.39, Email address found
06.20 20:35.40, Email address found
06.20 20:35.40, Possible server path disclosure (Unix)
06.20 20:36.09, Possible sensitive directories



sr. member
Activity: 350
Merit: 250
June 20, 2013, 10:07:51 PM
#37
dear OP.  turn off your website.  it's bad.

back in a couple.

short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately.  I've only completed 5% of my scan.

I think I found your problem.


sending report via PM


Actually, you didn't find anything but the already existing XSS that I knew about... using Web Vulnerability Scanner.
legendary
Activity: 2058
Merit: 1452
June 20, 2013, 09:44:36 PM
#36
short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately.  I've only completed 5% of my scan.
This sounds like those "your computer has 9001 viruses! click here for free security scan" ads.
newbie
Activity: 56
Merit: 0
June 20, 2013, 09:06:55 PM
#35
dear OP.  turn off your website.  it's bad.

back in a couple.

short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately.  I've only completed 5% of my scan.

I think I found your problem.


sending report via PM

newbie
Activity: 56
Merit: 0
June 20, 2013, 08:52:45 PM
#34
I'll check both your sites, but your bounty is low...  checking now....
legendary
Activity: 1316
Merit: 1003
June 20, 2013, 07:35:19 AM
#33
Can somebody check my site for a bounty?
PM me.
hero member
Activity: 700
Merit: 500
What doesn't kill you only makes you sicker!
June 20, 2013, 04:34:58 AM
#32
He blind hacked it in minutes without source access, so I am offering the bounty for the same thing. td204 is right in that I am using that 3rd party form for logins, so you can look for it and see the source.

I can understand why you're doing this as it recreates the environment that the hacker had but if you give everyone a copy of your source it'll

a) prevent duplication of effort
b) make it easier for people to debug
c) other bugs might be identified for you
d) will get you a much better response as you're only providing $5 for what amounts to penetration testing
sr. member
Activity: 313
Merit: 250
i ♥ coinichiwa
June 20, 2013, 04:09:43 AM
#31
He blind hacked it in minutes without source access, so I am offering the bounty for the same thing. td204 is right in that I am using that 3rd party form for logins, so you can look for it and see the source.

Did you get my PM? It's not the 3rd party part, it's (at least) your custom save script.
vip
Activity: 1316
Merit: 1043
👻
June 20, 2013, 04:00:14 AM
#30
Quote
He blind hacked it in minutes without source access, so I am offering the bounty for the same thing.

What? You know that you pay 0.05 BTC regardless, so why not make it faster by (privately) releasing the source?

Also, check access logs.
sr. member
Activity: 350
Merit: 250
June 20, 2013, 12:11:27 AM
#29
I think the point everyone is missing is that the PHP file was altered.

Not something that's easy to do from the database.
This.

Do you use eval() anywhere?
No.

Just as a sanity check; the screenshot you provided, is this what you actually saw yourself?
Or is this what the 'hacker' provided you with?

I did some checks on your website, but there is nothing really compromised as far as I can see.
I did manage to register on your website and inject some code into scan.php
e.g.: http://198.12.67.18/test/scan.php?code=%22%22%3ETroolol%3Ca

By some source-code reviewing I saw you had used a login-script you downloaded somewhere ("Registration/Login Form by html-form-guide.com"). By downloading the package I found out which php-files exist in your directory (or existed) and managed to register myself as user "test".

Didn't spend a lot of time, but maybe the code is vulnerable somewhere. The package I downloaded seems okay.. did you get an older version?
That is what I saw and everyone else visiting my site.

Well... the form is vulnerable to XSS (and screenshot looks like, too) as single quotes in inputs are not escaped... but that alone would not gain him database credentials. did he really modify some files or only made it look like they were modified?

Can you provide the php source code? A code rewiew would be easier than blind guessing.


Proof for XSS:
enter
Code:
' onfocus='alert(1337)
as user (or pass) and click on the input field afterwards. Could also be used in a similar way to inject images/html code into the website or steal cookies.


He blind hacked it in minutes without source access, so I am offering the bounty for the same thing. td204 is right in that I am using that 3rd party form for logins, so you can look for it and see the source.
sr. member
Activity: 313
Merit: 250
i ♥ coinichiwa
June 19, 2013, 06:10:44 PM
#28
Well... the form is vulnerable to XSS (and screenshot looks like, too) as single quotes in inputs are not escaped... but that alone would not gain him database credentials. did he really modify some files or only made it look like they were modified?

Can you provide the php source code? A code rewiew would be easier than blind guessing.


Proof for XSS:
enter
Code:
' onfocus='alert(1337)
as user (or pass) and click on the input field afterwards. Could also be used in a similar way to inject images/html code into the website or steal cookies.

newbie
Activity: 31
Merit: 0
June 19, 2013, 06:08:42 PM
#27
Just as a sanity check; the screenshot you provided, is this what you actually saw yourself?
Or is this what the 'hacker' provided you with?

I did some checks on your website, but there is nothing really compromised as far as I can see.
I did manage to register on your website and inject some code into scan.php
e.g.: http://198.12.67.18/test/scan.php?code=%22%22%3ETroolol%3Ca

By some source-code reviewing I saw you had used a login-script you downloaded somewhere ("Registration/Login Form by html-form-guide.com"). By downloading the package I found out which php-files exist in your directory (or existed) and managed to register myself as user "test".

Didn't spend a lot of time, but maybe the code is vulnerable somewhere. The package I downloaded seems okay.. did you get an older version?
vip
Activity: 1316
Merit: 1043
👻
June 19, 2013, 06:02:11 PM
#26
Do you use eval() anywhere?
hero member
Activity: 700
Merit: 500
What doesn't kill you only makes you sicker!
June 19, 2013, 06:00:49 PM
#25
I think the point everyone is missing is that the PHP file was altered.

Not something that's easy to do from the database.
sr. member
Activity: 252
Merit: 250
June 19, 2013, 05:55:39 PM
#24
I'll take a look into this, but it wouldn't explain why the hacker didn't cleanly deface the main page and left some odd escaped tags - this is what leads me to believe it was done ONLY using the form.


if he was using the form then he used sql injection which i  provided the fix above for.
no new data in the database asking with permanently modifying the page says otherwise.

 Is apache the only other potential beach?


apache doesn't look like it is a potential issue unless you are using stock apache. lol if you are using cpanel or plesk for the webhost then it should be fine. the only i found was the sql. running a sniffer on your site brought up no holes in security for me at least. : P the only way he could of gotten access to the database is 1 if you have remote login. and 2 if you didnt have slq protected inputs. which you fixed i guess.
sr. member
Activity: 252
Merit: 250
June 19, 2013, 05:25:09 PM
#23
it probably your little 10yr old sister... who knows user/pass Tongue

j/k


lol could be :x
sr. member
Activity: 462
Merit: 250
Free World
June 19, 2013, 04:52:02 PM
#22
it probably your little 10yr old sister... who knows user/pass Tongue

j/k
sr. member
Activity: 252
Merit: 250
June 19, 2013, 04:49:29 PM
#21
I'll take a look into this, but it wouldn't explain why the hacker didn't cleanly deface the main page and left some odd escaped tags - this is what leads me to believe it was done ONLY using the form.


if he was using the form then he used sql injection which i  provided the fix above for.
no new data in the database asking with permanently modifying the page says otherwise.

 Is apache the only other potential beach?


Ive dealt with apache holes in the past. Most professional hosts have those blocked as its really easy to block the holes.  The problem i saw with your website and what you are describing is that he jsut sql injected. I cannot recreate what he did exactly but if you look up sql injections you will see a boatload of different ones that can be used to gain super/root access to database's etc. I believe he just used a simple sql injection. my script i provided you with just looks for sql injection like codes put it. it logs the string they used, the ip, and a few other things in a .txt named [WEB]SQL_Injection.txt. and example of logs are here:

Quote
IP: 142.68.145.165
Method: COOKIE
Value: {"distinct_id": "75dde009-e9fe-4dd3-a685-b758925f480f","$initial_referrer": "$direct","$initial_referring_domain": "$direct"}
Script:
Time: Sunday 20th 2012f May 2012 03:48:52 PM
==================================

this guy tried to send that value to inject something into my game servers website database. failed as you an see. logs it for you to do w/e with. whati do with the ips is i just ban them from my game, websites, etc which is really easy to do. If you like to have some fun you can use his ip to find out were he lives, sniff the ip for open ports, security holes so that then you can put a "suprise" on his computer. i don't condone doing this just and example Smiley



i put this on anything that has any contact with my database. also your config files on your website * i didnt sniff your site* but you should block access to stuff that a normal user should not have access to using .htaccess. cpanel also has a feature to do this for you. im old school so i write my .htaccess by hand.
Pages:
Jump to: