It looks like Anonymous has taken antipiratbyran.se offline. But before the site went completely offline, a lot of people saw a "500 Internal Server Error", which also listed the server name plus version: w3bb-h4xxor/1.3.3.7.
So does this mean that the same Anons have also hacked the server? ... Actually not!
Showing posts with label hacking. Show all posts
Oct 8, 2012
Sep 19, 2012
RevolutionTT hacked?
It looks like the online bittorrent tracker RevolutionTT ("RevTT") has been hacked, or has it?
All I know for now is that a user with the username Afghanis has posted this torrent on ThePirateBay: "RevTT accounts and passwords ( www.revolutiontt.me ) - Enjoy".
I downloaded the torrent, and this is what I found:
A "Read Me.nfo" file with the following text:
A "RevTT (www.revolutiontt.me) Database (Username and passwords).rtf" file, with usernames and passwords:
Looking at the metadata of the Rich Text Format (.rtf) file, I found this:
\ansicpg1252 <-- U.S. Windows Code Page
\deflang1033 <-- default language (http://latex2rtf.sourceforge.net/RTF-Spec-1.0.txt)
\*\generator Msftedit 5.41.21.2510 <-- I got the same on my Win7 Pro using MS Wordpad
\sl276 <-- paragraph style (which one is 1276?)
\lang9 <-- language (not english?)
And for the torrent file:
Single Announce: http://fr33dom.h33t.com:3310/announce
Comment: Enjoy
Created by: uTorrent/2210
Creation date: Tue Sep 18 2012 20:39:16 GMT+0200 (Romance Daylight Time)
(Uploaded to TPB: 2012-09-18 22:21:09 GMT)
First I removed all lines not containing a username and password:
Total lines: 18158 (from 19048)
Then I made a list of unique usernames: 7698
And one with unique passwords: 7703
Weird stats? Not really: users are more likely to type their password wrong than their username (based on my own experience).
And just for fun, I made a list of users trying to log in with their mail (the list contains duplicates):
Trying to login with mail:
Gmails: 69 times
Hotmails: 64 times
Yahoo: 30 times
But do the usernames and passwords come from RevTT?
Well, look at these passwords:
r3v0lut!0n
PS.0MG_RTT_t0rr3ntz_PLZ_080601;
RTTludixrous
laRTTpw440
dig8talrevtt
Let's just say "probably" ;-)
Based on the strength of multiple of the passwords (e.g. 'PS.0MG_RTT_t0rr3ntz_PLZ_080601;' <-- I fucking like that guy!), on the many duplicates, on the many different passwords for the same user, and on the fact that RevTT has many more users than ~7k, I conclude that these passwords weren't bruteforced (from a database full of hashes), but instead probably 'sniffed'. Either someone got access to the server (and added a "save passwords remote/cleartext" to login.php), or maybe RevTT was a victim of MitM? (I've seen this before against torrent trackers.) Right now RevTT is forcing https (credit to them!), but from what I could read from some of the victims, this dump is old, so it might be from before RevTT started using https only?
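The filtering and counting described in this post, as an added example (not the author's own script) for triaging a leaked credential list. It assumes one username:password pair per line, which the page does not show, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the dump); "username:password"
# per line is an assumed layout, the page does not show the file's format.
SAMPLE = """\
RevTT database
alice:Summer2012
alice:Summer2021
alice:Summer2012
bob@gmail.com:hunter2
bob:hunter2
carol@hotmail.com:letmein
dave:RTTdave99
erin:correcthorse
"""

EMAIL = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

def parse(text):
    """Keep only lines that hold both a username and a password."""
    pairs = []
    for line in text.splitlines():
        user, sep, pw = line.strip().partition(":")
        if sep and user and pw:
            pairs.append((user, pw))
    return pairs

def profile(pairs):
    """Summarise the signals the post uses to tell capture from cracking."""
    by_user = defaultdict(set)
    mail_domains = defaultdict(int)
    for user, pw in pairs:
        by_user[user.lower()].add(pw)
        m = EMAIL.match(user)
        if m:  # an e-mail address typed into the username field
            mail_domains[m.group(1).lower()] += 1
    return {
        "lines": len(pairs),
        "unique_users": len(by_user),
        "unique_passwords": len({pw for _, pw in pairs}),
        "repeated_lines": len(pairs) - len(set(pairs)),
        "users_with_several_passwords": sorted(u for u, p in by_user.items() if len(p) > 1),
        "mail_logins": dict(mail_domains),
    }

if __name__ == "__main__":
    for key, value in profile(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

Repeated lines and users with several near-identical passwords are what a log of login attempts looks like; a list recovered from a hash database would normally hold one entry per account.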
Sep 10, 2012
NotD: Elan0r
Jun 6, 2012
LinkedIn hacked?
The professional social networking website LinkedIn has been hacked, according to various sites.
I managed to get a copy of the dump:
And as can be seen, the dump consists of lots of SHA1 hashes. However, something is very wrong with many of these hashes! Apparently the hackers have been adding some kind of padding to some of the hashes.
So far, I can't figure out what's up with this file. Who would dump this? And if you're going to dump this, then why not add mail / names to the list?
May 18, 2012
amnesty.org.uk hacked
As can be seen from a post from Websense, amnesty.org.uk was hacked again, again...
(screenshot from Websense)
The exploit used is CVE-2012-0507 ("Java AtomicReferenceArray Type Violation Vulnerability"), which is exploited using the Metasploit Framework (MSF).