[Full-disclosure] RE: thctest (official response :-)

From: vh (vhthc.org)
Date: Thu Jul 21 2005 - 04:33:34 CDT


Hi folks,

Here is some official response to the hack, or rather "hack" ...

Kudos to netsniper (or better: PHC) who really fooled us with this trick of a
partially real and partially fake hack - it took us a day to figure things out :-)

To clear things up:

(1) The file thc-pwn3d.rar in alt.binaries.warez.quebec-hackers really
    contains password protected data from our web site, from our
    http://www.thc.org/root/tmp CMS directory to be specific.
    The bug was in our .htaccess file, which contained the following entry:
       <limit GET>
          require valid-user
       </limit>
    As netsniper found by testing, POST requests were therefore not protected
    with a password ...
    We use this directory to share stuff with friends from teso, phenoelite etc.,
    hence it's no secret stuff. Lots of photographs from events can be found on
    our web page without password protection.
    Note: not all people wearing a THC shirt there are from THC. This year we
    also gave our t-shirt to all our friends, fans and groupies :-)

(2) The passwd and hosts file - clever trick. The PHC guys had legitimate accounts
    on the old segfault box about 1 1/2 years ago. These old files are from that
    time, copied directly because they were allowed to. Proof: take the /etc/hosts
    entry for www.thc.org:
        62.67.59.35 www.thc.org
    This is old, old, old. Try it yourself; thc.org is now:
        Name: www.thc.org
        Address: 82.165.25.125
    Also the passwd file is way old, however this is something someone without
    access to the box cannot verify :-)

(3) The phrack articles allegedly stolen from www.phrack.org (hosted on the same
    box as www.thc.org):
    Some months ago PHC disguised themselves on irc in the #phrack channel as editors
    and tricked two authors into sending them their articles. Clever.
    Both texts are NOT articles in the phrack magazine to be published. As the
    hardcopy edition (to be given out for free on What-The-Hack) is already printed,
    there is no way to make something up here.

In conclusion: one config mistake by us which was hard to find - congrats here -
combined with information obtained otherwise (I like the social engineering trick
for the phrack submissions) to fool everyone including us that www.thc.org was
hacked. Neat.
Last: Netsniper was hacking directly from his Ubuntu Linux 1.0.4 machine.
And I thought real hackers only use Gentoo, Debian or SuSE, and prefer hacking with
bouncers in between *g*

Cheers,
     van Hauser / THC
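Added here as an editor's example, not part of van Hauser's mail or of any THC code: a small audit that reads an Apache .htaccess fragment and reports which HTTP methods a `<Limit>`-wrapped `require` leaves unauthenticated, with the weak entry quoted above beside a fixed one. The AuthType/AuthName/AuthUserFile lines, the .htpasswd path and the method list are constructed for the example.

```python
"""Audit an Apache .htaccess fragment for the <Limit> mistake described
in the mail: a 'require' wrapped in <Limit GET> protects only GET (and
HEAD), so POST and every other method bypass the password prompt."""
import re

# Methods the audit checks; constructed list, extend as needed.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")

# Constructed sample reproducing the weak entry quoted in the mail.
WEAK_HTACCESS = """
AuthType Basic
AuthName "tmp"
AuthUserFile /path/to/.htpasswd
<limit GET>
   require valid-user
</limit>
"""

# Constructed fixed version: 'require' outside any <Limit> covers all methods.
FIXED_HTACCESS = """
AuthType Basic
AuthName "tmp"
AuthUserFile /path/to/.htpasswd
require valid-user
"""

_LIMIT_RE = re.compile(
    r"<(limit|limitexcept)\s+([^>]+)>(.*?)</(?:limit|limitexcept)>", re.I | re.S)
_REQUIRE_RE = re.compile(r"^\s*require\b", re.I | re.M)


def unprotected_methods(config, methods=COMMON_METHODS):
    """Return the methods that reach the resource without satisfying any
    'require' directive in `config` (empty list means fully protected)."""
    if _REQUIRE_RE.search(_LIMIT_RE.sub("", config)):
        return []  # a top-level 'require' applies to every method
    covered = set()
    for m in _LIMIT_RE.finditer(config):
        if not _REQUIRE_RE.search(m.group(3)):
            continue  # a <Limit> block without 'require' grants nothing
        listed = {x.upper() for x in m.group(2).split()}
        if "GET" in listed:
            listed.add("HEAD")  # Apache: GET inside <Limit> also matches HEAD
        if m.group(1).lower() == "limit":
            covered |= listed
        else:  # <LimitExcept>: everything *not* listed is covered
            covered |= set(methods) - listed
    return [meth for meth in methods if meth not in covered]
```

Running `unprotected_methods(WEAK_HTACCESS)` lists POST, PUT, DELETE and OPTIONS as reachable without a password, which is exactly the gap netsniper found by testing; the fixed fragment returns an empty list.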

-----Original Message-----
Date: Wed, 20 Jul 2005 02:37:25 -0400
From: netsniper <netsnipermail.ru>
To: full-disclosurelists.grok.org.uk
Subject: [Full-disclosure] thctest

I had some fun with The Hacker's Choice website and thought some of you
may want to learn from their lack of proper security. THC.org hosts project
files, source code, and many other things. It also includes pictures of
members and CCC friends, some of whom seem to request anonymity from the public.

Anyways, here are segfault's passwd and hosts files. I'll leave it up to you
to determine if they are legit. I have no idea...

passwd:

hosts:
127.0.0.1 localhost
213.131.229.154 segfault
10.1.1.1 wu.sec wu
62.67.59.35 www.thc.org

I also ripped some nice stuff from the site, rarred it up, and posted it on
alt.binaries.warez.quebec-hackers if you want to take a look. Nothing special, but
just for fun :-) This hack was pretty lame, seriously... read the nfo

netsniper
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/