[Full-disclosure] RE: thctest (official response :-)

From: vh (vh_at_thc.org)
Date: 07/21/05

    To: "'netsniper'" <netsniper@mail.ru>, <full-disclosure@lists.grok.org.uk>
    Date: Thu, 21 Jul 2005 11:33:34 +0200

    Hi folks,

    Here is some official response to the hack, or rather "hack" ...

    kudos to netsniper (or better: PHC) who really fooled us with this trick of a
    partial real and partial fake hack - it took us a day to figure things out :-)

    To clear things up:

    (1) The file thc-pwn3d.rar in alt.binaries.warez.quebec-hackers really
        contains password protected data from our web site, from our
        http://www.thc.org/root/tmp CMS directory to be specific.
        The bug was in our .htaccess file, which contained the following entry:
           <limit GET>
              require valid-user
           </limit>
        As netsniper found by testing, POST requests were therefore not protected
        with a password ...
        We use this directory to share stuff with friends from teso, phenoelite etc.,
        hence it's no secret stuff. Lots of photographs from events can be found on
        our web page without password protection.
        Note: not all people wearing a THC shirt there are from THC. This year we
        gave our t-shirt also to all our friends, fans and groupies :-)

    (2) The passwd and hosts file - clever trick. The PHC guys had legitimate accounts
        on the old segfault box about 1 1/2 years ago. These old files are from that
        time, copied directly because they were allowed to. Proof: take the /etc/hosts
        entry for www.thc.org:
            62.67.59.35 www.thc.org
        this is old, old, old. try it yourself, thc.org is now:
            Name: www.thc.org
            Address: 82.165.25.125
        Also the passwd file is way old, however this is something someone without
        access to the box can not verify :-)

    (3) The phrack articles allegedly stolen from www.phrack.org (hosted on the same
        box as www.thc.org):
        Some months ago PHC disguised themselves on irc in the #phrack channel as editors
        and tricked two authors into sending them their articles. Clever.
        Both texts are NOT articles in the phrack magazine to be published. As the
        hardcopy edition (to be given out for free on What-The-Hack) is already printed,
        no way to make something up here.

    In conclusion: one config mistake by us which was hard to find - congrats here -
    combined with information obtained otherwise (I like the social engineering trick
    for the phrack submissions) to fool everyone including us that www.thc.org was
    hacked. Neat.
    Last: Netsniper was hacking directly from his Ubuntu Linux 1.0.4 machine.
    And I thought real hackers only use Gentoo, Debian or SuSE, and prefer hacking with
    bouncers in between *g*

    Cheers,
         van Hauser / THC

    -----Original Message-----
    Date: Wed, 20 Jul 2005 02:37:25 -0400
    From: netsniper <netsniper@mail.ru>
    To: full-disclosure@lists.grok.org.uk
    Subject: [Full-disclosure] thctest

    I had some fun with The Hacker's Choice website and thought some of you
    may want to learn from their lack of proper security. THC.org hosts project
    files, source code, and many other things. It also includes pictures of
    members and CCC friends, some that seem to request anonymity from public.

    Anyways, here are segfault's passwd and hosts files. I'll leave it up to you
    to determine if they are legit. I have no idea...

    passwd:

    hosts:
    127.0.0.1 localhost
    213.131.229.154 segfault
    10.1.1.1 wu.sec wu
    62.67.59.35 www.thc.org

    I also ripped some nice stuff from the site, rarred it up, and posted it on
    alt.binaries.warez.quebec-hackers if you take a look. Nothing special, but
    just for fun :-) This hack was pretty lame, seriously...read the nfo

    netsniper
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

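An added audit check, not part of either message above: given an .htaccess fragment, it reports which HTTP methods a 'require' directive leaves uncovered, which is exactly the gap the <limit GET> block in van Hauser's reply opened for POST. Only the <limit GET> block comes from the thread; the Auth* lines, the .htpasswd path and the method list are constructed assumptions.

```python
import re
from typing import List

# Constructed samples: the <limit GET> block is the one quoted in the thread; the
# Auth* lines and the .htpasswd path are assumptions added to make it complete.
VULNERABLE_HTACCESS = """AuthType Basic
AuthName "tmp"
AuthUserFile /var/www/.htpasswd
<limit GET>
   require valid-user
</limit>
"""
# Corrected form: the same 'require' with no <Limit> wrapper applies to every method.
FIXED_HTACCESS = VULNERABLE_HTACCESS.replace("<limit GET>\n", "").replace("</limit>\n", "")

# Methods to report on. Apache applies <Limit> only to the methods it lists, so any
# other method reaches the directory with no 'require' at all (POST, in the thread).
COMMON_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"]

_OPEN = re.compile(r"^\s*<(limit|limitexcept)\s+([^>]+)>\s*$", re.IGNORECASE)
_CLOSE = re.compile(r"^\s*</(limit|limitexcept)>\s*$", re.IGNORECASE)
_REQUIRE = re.compile(r"^\s*require\b", re.IGNORECASE)


def unprotected_methods(htaccess: str) -> List[str]:
    """Return the methods in COMMON_METHODS that no 'require' directive covers.
    A 'require' outside any <Limit>/<LimitExcept> covers all methods (returns []);
    inside <Limit A B> it covers only A and B; inside <LimitExcept A B> everything
    but A and B. Listing GET also covers HEAD, as Apache does."""
    covered = set()
    scope = None  # (kind, methods) while inside a <Limit...> block
    for line in htaccess.splitlines():
        m = _OPEN.match(line)
        if m:
            methods = {t.upper() for t in m.group(2).split()}
            if "GET" in methods:
                methods.add("HEAD")
            scope = (m.group(1).lower(), methods)
        elif _CLOSE.match(line):
            scope = None
        elif _REQUIRE.match(line):
            if scope is None:
                return []  # unconditional require: every method is protected
            if scope[0] == "limit":
                covered |= scope[1]
            else:
                covered |= set(COMMON_METHODS) - scope[1]
    return [m for m in COMMON_METHODS if m not in covered]
```

Running unprotected_methods(VULNERABLE_HTACCESS) lists POST, PUT, DELETE, OPTIONS and PATCH as reachable without credentials, while the corrected fragment yields an empty list.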

