Wow ! Backtrack Official Website's Server Hacked By Team Injector !
Attack on backtrack-linux.org From 1337 Team Injector
. .--. .--. .---. .
.'| ) ) / |
| --: --: / .-.| .-. . .
| ) ) / ( |( ) | |
'---' `--' `--' ' `-'`-`-'`-`--|
;
`-'
Since we already tapped into exploit-db and their server lies in the
same subnet with backtrack, we decided to check out their mad
security. Backtrack is run by muts, the same guy who also administers
exploit-db, so no wonder why it was super easy to get a shell...
$ uname -a
Linux backtrack-linux.org 2.6.32.26-175.fc12.x86_64 #1 SMP Wed Dec 1 21:39:34 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=48(apache) gid=494(apache) groups=494(apache) context=unconfined_u:system_r:httpd_t:s0
$ alias ls="ls -la"
$ ls
total 110
dr-xr-xr-x. 25 root root 4096 Dec 7 08:42 .
dr-xr-xr-x. 25 root root 4096 Dec 7 08:42 ..
-rw-r--r--. 1 root root 0 Dec 7 08:42 .autofsck
drwx------. 2 root root 4096 Dec 10 03:40 backup
dr-xr-xr-x. 2 root root 4096 Nov 29 19:59 bin
dr-xr-xr-x. 5 root root 1024 Dec 7 08:41 boot
drwxr-xr-x. 17 root root 3580 Dec 7 08:43 dev
drwxr-xr-x. 66 root root 4096 Dec 7 08:42 etc
drwxr-xr-x. 3 root root 4096 Aug 14 20:50 home
dr-xr-xr-x. 9 root root 4096 Aug 11 04:01 lib
dr-xr-xr-x. 9 root root 12288 Nov 29 20:00 lib64
drwx------. 2 root root 16384 Aug 11 02:01 lost+found
drwxr-xr-x. 2 root root 4096 Aug 11 04:42 maint
drwxr-xr-x. 2 root root 4096 Aug 25 2009 media
drwxr-xr-x. 2 root root 4096 Aug 25 2009 mnt
drwxr-xr-x. 2 root root 4096 Aug 25 2009 opt
dr-xr-xr-x. 160 root root 0 Dec 7 08:42 proc
drwxr-xr-x. 5 root root 4096 Dec 3 17:16 recovery
dr-xr-x---. 4 root root 4096 Dec 10 08:50 root
dr-xr-xr-x. 2 root root 12288 Nov 29 19:59 sbin
drwxr-xr-x. 7 root root 0 Dec 7 08:42 selinux
drwxr-xr-x. 2 root root 4096 Aug 25 2009 srv
drwxr-xr-x. 13 root root 0 Dec 7 08:42 sys
drwxrwxrwt. 4 root root 4096 Dec 10 14:08 tmp
drwxr-xr-x. 14 root root 4096 Aug 11 02:03 usr
drwxr-xr-x. 20 root root 4096 Aug 14 20:45 var
$ cat /etc/issue
Fedora release 12 (Constantine)
Kernel \r on an \m (\l)
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:497::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:496::/var/spool/mqueue:/sbin/nologin
sshd:x:74:495:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:494:Apache:/var/www:/sbin/nologin
mysql:x:27:493:MySQL Server:/var/lib/mysql:/bin/bash
ossec:x:500:500::/var/ossec:/sbin/nologin
ossecm:x:501:500::/var/ossec:/sbin/nologin
ossecr:x:502:500::/var/ossec:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
$ cd
/var/www/html/
$ ls
total 90224
drwxr-xr-x. 13 apache apache 4096 Dec 9 12:21 .
drwxr-xr-x. 6 root root 4096 Aug 18 10:30 ..
-rw-r--r--. 1 apache apache 4183 Dec 5 16:50 .htaccess
-rw-r--r--. 1 apache apache 1156 Aug 11 03:17 HT
-rw-r--r--. 1 apache apache 2233 Aug 11 03:17 HT-ORIG
-rw-r--r--. 1 apache apache 1526525 Nov 11 14:01 IMG_0585.JPG
drwxr-xr-x. 2 apache apache 4096 Aug 11 03:16 ads
-rw-r--r--. 1 apache apache 125832 Nov 19 12:18 bootsplash.jpg
-rw-r--r--. 1 apache apache 754444 Aug 11 03:16 bt-nsa.png
-rw-r--r--. 1 apache apache 757498 Aug 11 03:16 bt-nsa2.png
-rw-r--r--. 1 apache apache 81597 Aug 11 03:16 bt4-final-vm.zip.torrent
-rw-r--r--. 1 apache apache 60094 Aug 11 03:16 bt4-final.iso.torrent
-rw-r--r--. 1 apache apache 44 Aug 11 03:16 bt4r1.txt
-rw-r--r--. 1 root root 686248 Nov 23 10:47 bt4r2.png
-rw-r--r--. 1 apache apache 160728 Aug 11 03:16 btfail.png
-rw-r--r--. 1 apache apache 476 Aug 11 03:16 collapsible_ad.html
-rwxr-xr-x. 1 apache apache 13397784 Aug 11 03:16 d.bin
-rw-r--r--. 1 apache apache 121 Aug 11 03:16 d.lic
-rw-r--r--. 1 apache apache 12844822 Aug 11 03:16 d32.bin
drwxr-xr-x. 2 apache apache 4096 Aug 11 03:16 documents
-rw-r--r--. 1 apache apache 3342 Aug 11 03:16 down.php
-rw-r--r--. 1 apache apache 4158 Aug 11 03:16 download-orig.php
-rw-r--r--. 1 apache apache 4945 Nov 22 11:38 download.php
-rw-r--r--. 1 apache apache 15125 Aug 11 03:16 error.php
-rw-r--r--. 1 apache apache 137383 Aug 11 03:16 example-2.jpg
-rw-r--r--. 1 apache apache 1150 Aug 11 03:16 favicon.ico
drwxr-xr-x. 21 apache apache 4096 Nov 22 18:56 forums
-rw-r--r--. 1 apache apache 87176 Aug 11 03:17 google.png
-rw-r--r--. 1 apache apache 53 Aug 11 03:17 googled6c4817aa45e0032.html
-rw-r--r--. 1 apache apache 23 Aug 11 03:17 googlehostedservice.html
-rw-r--r--. 1 apache apache 1978856 Sep 17 08:06 hola.jpg
-rw-r--r--. 1 apache apache 2264271 Sep 17 08:12 hola1.jpg
-rw-r--r--. 1 apache apache 2197361 Sep 17 08:15 hola2.jpg
-rw-r--r--. 1 apache apache 315306 Aug 11 03:17 hola22.png
-rw-r--r--. 1 apache apache 169202 Aug 11 03:17 hola23.png
drwxr-xr-x. 8 apache apache 4096 Nov 21 16:38 images
-rw-r--r--. 1 apache apache 3 Aug 11 03:17 index.html
-rw-r--r--. 1 apache apache 397 Dec 9 12:20 index.php
-rw-r--r--. 1 apache apache 321196 Nov 19 15:06 kanji.png
-rw-r--r--. 1 apache apache 147841 Sep 4 12:37 knock-0.5.tar.gz
-rw-r--r--. 1 apache apache 15410 Dec 9 12:20 license.txt
-rw-r--r--. 1 apache apache 48404480 Nov 14 15:53 mediawiki-1.16.0.tar
-rw-r--r--. 1 apache apache 13946 Aug 11 03:17 nv-xorg.conf
-rw-r--r--. 1 apache apache 1382400 Oct 26 10:38 oiopub-direct.tar
-rw-r--r--. 1 apache apache 1508471 Aug 11 03:17 p2270016.jpg
-rw-r--r--. 1 apache apache 1636957 Aug 11 03:17 p2280018.jpg
drwxr-xr-x. 2 apache apache 4096 Nov 22 11:46 patches
-rw-r--r--. 1 apache apache 582 Nov 22 11:21 r2.php
-rw-r--r--. 1 apache apache 9120 Dec 9 12:20 readme.html
-rw-r--r--. 1 apache apache 712 Nov 10 22:27 s.php
-rw-r--r--. 1 apache apache 63 Aug 11 03:17 show.dud.php
-rw-r--r--. 1 apache apache 801 Aug 11 03:17 show.original.php
-rw-r--r--. 1 apache apache 31 Aug 11 03:17 show.php
-rw-r--r--. 1 apache apache 601 Nov 10 22:28 show.stats.working.php
-rw-r--r--. 1 apache apache 38971 Dec 7 23:23 sitemap.xml
-rw-r--r--. 1 apache apache 2485 Dec 7 23:23 sitemap.xml.gz
drwxr-xr-x. 3 apache apache 4096 Aug 11 03:17 slider
-rw-r--r--. 1 apache apache 714372 Aug 11 03:17 spot-the-release.png
-rw-r--r--. 1 apache apache 1536 Aug 11 03:17 stats.php
-rw-r--r--. 1 apache apache 33 Dec 10 03:34 stats.txt
-rw-r--r--. 1 apache apache 23660 Aug 11 03:17 style.css
-rw-r--r--. 1 apache apache 5 Aug 11 03:17 test.php
drwxr-xr-x. 2 apache apache 4096 Nov 22 09:22 torrents
drwxr-xr-x. 15 apache apache 4096 Nov 27 16:52 wiki
-rw-r--r--. 1 apache apache 4391 Dec 9 12:20 wp-activate.php
drwxr-xr-x. 8 apache apache 4096 Dec 5 08:12 wp-admin
-rw-r--r--. 1 apache apache 40284 Dec 9 12:20 wp-app.php
-rw-r--r--. 1 apache apache 220 Dec 9 12:20 wp-atom.php
-rw-r--r--. 1 apache apache 274 Dec 9 12:20 wp-blog-header.php
-rw-r--r--. 1 apache apache 3926 Dec 9 12:20 wp-comments-post.php
-rw-r--r--. 1 apache apache 238 Dec 9 12:20 wp-commentsrss2.php
-rw-r--r--. 1 apache apache 3173 Dec 9 12:20 wp-config-sample.php
-rw-r--r--. 1 apache apache 2696 Nov 22 19:32 wp-config.php
drwxr-xr-x. 9 apache apache 4096 Dec 9 12:21 wp-content
-rw-r--r--. 1 apache apache 1255 Dec 9 12:20 wp-cron.php
-rw-r--r--. 1 apache apache 240 Dec 9 12:20 wp-feed.php
drwxr-xr-x. 8 apache apache 4096 Aug 13 20:06 wp-includes
-rw-r--r--. 1 apache apache 2002 Dec 9 12:20 wp-links-opml.php
-rw-r--r--. 1 apache apache 2441 Dec 9 12:20 wp-load.php
-rw-r--r--. 1 apache apache 26059 Dec 9 12:20 wp-login.php
-rw-r--r--. 1 apache apache 7774 Dec 9 12:20 wp-mail.php
-rw-r--r--. 1 apache apache 487 Dec 9 12:20 wp-pass.php
-rw-r--r--. 1 apache apache 218 Dec 9 12:20 wp-rdf.php
-rw-r--r--. 1 apache apache 316 Dec 9 12:20 wp-register.php
-rw-r--r--. 1 apache apache 218 Dec 9 12:20 wp-rss.php
-rw-r--r--. 1 apache apache 220 Dec 9 12:20 wp-rss2.php
-rw-r--r--. 1 apache apache 9177 Dec 9 12:20 wp-settings.php
-rw-r--r--. 1 apache apache 18695 Dec 9 12:20 wp-signup.php
-rw-r--r--. 1 apache apache 3702 Dec 9 12:20 wp-trackback.php
-rw-r--r--. 1 root root 99665 Nov 24 00:52 wtfff.png
-rw-r--r--. 1 apache apache 85 Nov 20 13:43 x.gif
-rw-r--r--. 1 apache apache 95481 Dec 9 12:20 xmlrpc.php
$ cat wp-config.php
<?php
/** Enable W3 Total Cache **/
define('WP_CACHE', true); // Added by W3 Total Cache
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information by
* visiting {@link https://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', '234hi2u3d98as7d23kuh');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* WordPress Localized Language, defaults to English.
*
* Change this to localize WordPress. A corresponding MO file for the chosen
* language must be installed to wp-content/languages. For example, install
* de.mo to wp-content/languages and set WPLANG to 'de' to enable German
* language support.
*/
define ('WPLANG', '');
/* That's all, stop editing! Happy blogging. */
/** WordPress absolute path to the Wordpress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
$ cat show.php
<?php
include 'stats.txt';
?>
$ cat stats.txt
BackTrack 4 - 4916323 downloads
cat download.php
<?php
// DO NOT CHANGE THIS FILE WITHOUT TALKING TO MUTS FIRST> EVEN IF YOU THINK YOU KNOW WHAT YOU ARE DOING!!!
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
$ip=getRealIpAddr();
$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";
function choose($iso)
{
$num = Rand (1,5);
switch ($num)
{
case 1:
$link="ftp://ftp.uio.no/pub/security/backtrack/$iso";
break;
case 2:
$link="https://ftp.uio.no/pub/security/backtrack/$iso";
break;
case 3:
$link="https://ftp.halifax.rwth-aachen.de/backtrack/$iso";
break;
case 4:
$link="https://ftp.halifax.rwth-aachen.de/backtrack/$iso";
break;
case 5:
$link="https://ftp.halifax.rwth-aachen.de/backtrack/$iso";
break;
// case 6:
// $link="https://moon.backtrack-linux.org/downloads/$iso";
// break;
}
return $link;
}
$version=$_GET["fname"];
if (! (($version=="bt4f") or ($version=="bt4fvm") or ($version=="bt4r1") or ($version=="bt4r1vm") or ($version=="bt3") or ($version=="bt4pf") or ($version=="bt4b") or ($version=="bt4bvm") or ($version=="bt4r2") or ($version=="bt4r2vm")))
{
echo "This page cannot be accessed directly.";
exit;
}
if ($version=="bt4r2")
{
$iso="bt4-r2.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
if ($version=="bt4r2vm")
{
$iso="bt4-r2-vm.tar.bz2";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
if ($version=="bt4f")
{
$iso="bt4-final.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4fvm")
{
$iso="bt4-final-vm.zip";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4r1")
{
$iso="bt4-r1.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4r1vm")
{
$iso="bt4-r1-vm.tar.bz2";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4pf")
{
$iso="bt4-pre-final.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4b")
{
$iso="bt4-beta.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4bvm")
{
$iso="bt4-beta-vm-6.5.1.rar";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt3")
{
$iso="bt3-final.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
else
{
exit;
}
?>
$ cat s.php
<?php
$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "select count(DISTINCT ip) as numrows from downloadz where version=\"bt4f\"";
$query2 = "select count(DISTINCT ip) as numrows from downloadz where version=\"bt4fvm\"";
$result=mysql_query($query);
$result2=mysql_query($query2);
$row2 = mysql_fetch_array($result2, MYSQL_ASSOC);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$numrows1 = $row['numrows'];
$numrows2 = $row2['numrows'];
mysql_close();
$total= round(($numrows1 + $numrows2) * 1.4);
echo "BackTrack 4 Final - $total unique downloads";
?>
$ cd wiki
$ ls
total 700
drwxr-xr-x. 15 apache apache 4096 Nov 27 16:52 .
drwxr-xr-x. 13 apache apache 4096 Dec 9 12:21 ..
-rw-r--r--. 1 apache apache 23 Nov 14 16:01 .htpasswd
-rw-r--r--. 1 apache apache 17997 Apr 5 2006 COPYING
-rw-r--r--. 1 apache apache 2073 Jul 27 07:29 CREDITS
-rw-r--r--. 1 apache apache 76 Jul 27 2009 FAQ
-rw-r--r--. 1 apache apache 392287 Mar 12 2010 HISTORY
-rw-r--r--. 1 apache apache 96 Nov 14 16:01 HT
-rw-r--r--. 1 apache apache 4138 Apr 18 2008 INSTALL
-rw-r--r--. 1 apache apache 5469 Nov 28 16:45 LocalSettings.php
-rw-r--r--. 1 apache apache 3649 Nov 11 2008 README
-rw-r--r--. 1 apache apache 58431 Jul 28 03:11 RELEASE-NOTES
-rw-r--r--. 1 apache apache 648 May 7 2009 StartProfiler.sample
-rw-r--r--. 1 apache apache 13307 Mar 25 2010 UPGRADE
drwxr-xr-x. 2 root root 4096 Nov 27 16:53 adsense
-rw-r--r--. 1 apache apache 4707 Feb 15 2010 api.php
-rw-r--r--. 1 apache apache 25 Feb 3 2008 api.php5
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 bin
-rw-r--r--. 1 apache apache 8436 Nov 21 14:24 bt-wiki.png
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 cache
drwxr-xr-x. 2 apache apache 4096 Nov 14 15:58 config
drwxr-xr-x. 4 apache apache 4096 Jul 28 03:16 docs
drwxr-xr-x. 4 apache apache 4096 Nov 28 16:44 extensions
drwxr-xr-x. 12 apache apache 4096 Nov 23 12:36 images
-rw-r--r--. 1 apache apache 4031 Oct 14 2009 img_auth.php
-rw-r--r--. 1 apache apache 31 Feb 3 2008 img_auth.php5
drwxr-xr-x. 16 apache apache 4096 Jul 28 03:16 includes
-rw-r--r--. 1 apache apache 4329 Jan 1 2010 index.php
-rw-r--r--. 1 apache apache 28 Feb 3 2008 index.php5
drwxr-xr-x. 4 apache apache 4096 Jul 28 03:16 languages
drwxr-xr-x. 13 apache apache 12288 Nov 22 12:55 maintenance
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 math
-rw-r--r--. 1 apache apache 3054 Mar 21 2009 opensearch_desc.php
-rw-r--r--. 1 apache apache 39 Mar 3 2008 opensearch_desc.php5
-rw-r--r--. 1 apache apache 174 Feb 3 2010 php5.php5
-rw-r--r--. 1 apache apache 8821 Jul 27 03:40 profileinfo.php
-rw-r--r--. 1 apache apache 383 Mar 21 2009 redirect.php
-rw-r--r--. 1 apache apache 31 Feb 3 2008 redirect.php5
-rw-r--r--. 1 apache apache 89 Feb 3 2010 redirect.phtml
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 serialized
-rwxrwxrwx. 1 root root 6816 Nov 23 18:29 sitemap.xml
drwxr-xr-x. 9 apache apache 4096 Nov 28 14:12 skins
-rw-r--r--. 1 apache apache 4905 Mar 8 2010 thumb.php
-rw-r--r--. 1 apache apache 29 Feb 3 2008 thumb.php5
-rw-r--r--. 1 apache apache 1347 Nov 5 2008 trackback.php
-rw-r--r--. 1 apache apache 32 Mar 16 2009 trackback.php5
-rw-r--r--. 1 apache apache 86 Feb 3 2010 wiki.phtml
$ cat .htpasswd
edbadmin:YE8mle4nG1Z.c
cd ..
cat forums/includes/config.php
<?php
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 4.0.0 Patch Level 1
|| # ---------------------------------------------------------------- # ||
|| # All PHP code in this file is ©2000-2010 vBulletin Solutions Inc. # ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # https://www.vbulletin.com | https://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/
/*-------------------------------------------------------*\
| ****** NOTE REGARDING THE VARIABLES IN THIS FILE ****** |
+---------------------------------------------------------+
| If you get any errors while attempting to connect to |
| MySQL, you will need to email your webhost because we |
| cannot tell you the correct values for the variables |
| in this file. |
\*-------------------------------------------------------*/
// ****** DATABASE TYPE ******
// This is the type of the database server on which your vBulletin database will be located.
// Valid options are mysql and mysqli, for slave support add _slave. Try to use mysqli if you are using PHP 5 and MySQL 4.1+
// for slave options just append _slave to your preferred database type.
$config['Database']['dbtype'] = 'mysql';
// ****** DATABASE NAME ******
// This is the name of the database where your vBulletin will be located.
// This must be created by your webhost.
$config['Database']['dbname'] = 'forums';
// ****** TABLE PREFIX ******
// Prefix that your vBulletin tables have in the database.
$config['Database']['tableprefix'] = '';
// ****** TECHNICAL EMAIL ADDRESS ******
// If any database errors occur, they will be emailed to the address specified here.
// Leave this blank to not send any emails when there is a database error.
$config['Database']['technicalemail'] = 'muts@offsec.com';
// ****** FORCE EMPTY SQL MODE ******
// New versions of MySQL (4.1+) have introduced some behaviors that are
// incompatible with vBulletin. Setting this value to "true" disables those
// behaviors. You only need to modify this value if vBulletin recommends it.
$config['Database']['force_sql_mode'] = false;
// ****** MASTER DATABASE SERVER NAME AND PORT ******
// This is the hostname or IP address and port of the database server.
// If you are unsure of what to put here, leave the default values.
$config['MasterServer']['servername'] = 'localhost';
$config['MasterServer']['port'] = 3306;
// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'root';
$config['MasterServer']['password'] = '234hi2u3d98as7d23kuh';
// ****** MASTER DATABASE PERSISTENT CONNECTIONS ******
// This option allows you to turn persistent connections to MySQL on or off.
// The difference in performance is negligible for all but the largest boards.
// If you are unsure what this should be, leave it off. (0 = off; 1 = on)
$config['MasterServer']['usepconnect'] = 0;
// ****** SLAVE DATABASE CONFIGURATION ******
// If you have multiple database backends, this is the information for your slave
// server. If you are not 100% sure you need to fill in this information,
// do not change any of the values here.
$config['SlaveServer']['servername'] = '';
$config['SlaveServer']['port'] = 3306;
$config['SlaveServer']['username'] = '';
$config['SlaveServer']['password'] = '';
$config['SlaveServer']['usepconnect'] = 0;
// ****** PATH TO ADMIN & MODERATOR CONTROL PANELS ******
// This setting allows you to change the name of the folders that the admin and
// moderator control panels reside in. You may wish to do this for security purposes.
// Please note that if you change the name of the directory here, you will still need
// to manually change the name of the directory on the server.
$config['Misc']['admincpdir'] = 'admincphaha';
$config['Misc']['modcpdir'] = 'modcphaha';
// Prefix that all vBulletin cookies will have
// Keep this short and only use numbers and letters, i.e. 1-9 and a-Z
$config['Misc']['cookieprefix'] = 'bb';
// ******** FULL PATH TO FORUMS DIRECTORY ******
// On a few systems it may be necessary to input the full path to your forums directory
// for vBulletin to function normally. You can ignore this setting unless vBulletin
// tells you to fill this in. Do not include a trailing slash!
// Example Unix:
// $config['Misc']['forumpath'] = '/home/users/public_html/forums';
// Example Win32:
// $config['Misc']['forumpath'] = 'c:\program files\apache group\apache\htdocs\vb3';
$config['Misc']['forumpath'] = '';
// ****** USERS WITH ADMIN LOG VIEWING PERMISSIONS ******
// The users specified here will be allowed to view the admin log in the control panel.
// Users must be specified by *ID number* here. To obtain a user's ID number,
// view their profile via the control panel. If this is a new installation, leave
// the first user created will have a user ID of 1. Seperate each userid with a comma.
$config['SpecialUsers']['canviewadminlog'] = '1';
// ****** USERS WITH ADMIN LOG PRUNING PERMISSIONS ******
// The users specified here will be allowed to remove ("prune") entries from the admin
// log. See the above entry for more information on the format.
$config['SpecialUsers']['canpruneadminlog'] = '1';
// ****** USERS WITH QUERY RUNNING PERMISSIONS ******
// The users specified here will be allowed to run queries from the control panel.
// See the above entries for more information on the format.
// Please note that the ability to run queries is quite powerful. You may wish
// to remove all user IDs from this list for security reasons.
$config['SpecialUsers']['canrunqueries'] = '';
// ****** UNDELETABLE / UNALTERABLE USERS ******
// The users specified here will not be deletable or alterable from the control panel by any users.
// To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '';
// ****** SUPER ADMINISTRATORS ******
// The users specified below will have permission to access the administrator permissions
// page, which controls the permissions of other administrators
$config['SpecialUsers']['superadministrators'] = '1,2';
// ****** DATASTORE CACHE CONFIGURATION *****
// Here you can configure different methods for caching datastore items.
// vB_Datastore_Filecache - to use includes/datastore/datastore_cache.php
// vB_Datastore_APC - to use APC
// vB_Datastore_XCache - to use XCache
// vB_Datastore_Memcached - to use a Memcache server, more configuration below
// $config['Datastore']['class'] = 'vB_Datastore_Filecache';
// ******** DATASTORE PREFIX ******
// If you are using a PHP Caching system (APC, XCache, eAccelerator) with more
// than one set of forums installed on your host, you *may* need to use a prefix
// so that they do not try to use the same variable within the cache.
// This works in a similar manner to the database table prefix.
// $config['Datastore']['prefix'] = '';
// It is also necessary to specify the hostname or IP address and the port the server is listening on
/*
$config['Datastore']['class'] = 'vB_Datastore_Memcached';
$i = 0;
// First Server
$i++;
$config['Misc']['memcacheserver'][$i] = '127.0.0.1';
$config['Misc']['memcacheport'][$i] = 11211;
$config['Misc']['memcachepersistent'][$i] = true;
$config['Misc']['memcacheweight'][$i] = 1;
$config['Misc']['memcachetimeout'][$i] = 1;
$config['Misc']['memcacheretry_interval'][$i] = 15;
*/
// ****** The following options are only needed in special cases ******
// ****** MySQLI OPTIONS *****
// When using MySQL 4.1+, MySQLi should be used to connect to the database.
// If you need to set the default connection charset because your database
// is using a charset other than latin1, you can set the charset here.
// If you don't set the charset to be the same as your database, you
// may receive collation errors. Ignore this setting unless you
// are sure you need to use it.
// $config['Mysqli']['charset'] = 'utf8';
// Optionally, PHP can be instructed to set connection parameters by reading from the
// file named in 'ini_file'. Please use a full path to the file.
// Example:
// $config['Mysqli']['ini_file'] = 'c:\program files\MySQL\MySQL Server 4.1\my.ini';
$config['Mysqli']['ini_file'] = '';
// Image Processing Options
// Images that exceed either dimension below will not be resized by vBulletin. If you need to resize larger images, alter these settings.
$config['Misc']['maxwidth'] = 2592;
$config['Misc']['maxheight'] = 1944;
/*======================================================================*\
|| ####################################################################
|| # Downloaded: 22:25, Sat Jan 9th 2010
|| # CVS: $RCSfile$ - $Revision: 32878 $
|| ####################################################################
\*======================================================================*/
happY 1337day ;)
Attack on backtrack-linux.org From 1337 Team Injector
. .--. .--. .---. .
.'| ) ) / |
| --: --: / .-.| .-. . .
| ) ) / ( |( ) | |
'---' `--' `--' ' `-'`-`-'`-`--|
;
`-'
Since we already tapped into exploit-db and their server lies in the
same subnet with backtrack, we decided to check out their mad
security. Backtrack is run by muts, the same guy who also administers
exploit-db, so no wonder why it was super easy to get a shell...
$ uname -a
Linux backtrack-linux.org 2.6.32.26-175.fc12.x86_64 #1 SMP Wed Dec 1 21:39:34 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=48(apache) gid=494(apache) groups=494(apache) context=unconfined_u:system_r:httpd_t:s0
$ alias ls="ls -la"
$ ls
total 110
dr-xr-xr-x. 25 root root 4096 Dec 7 08:42 .
dr-xr-xr-x. 25 root root 4096 Dec 7 08:42 ..
-rw-r--r--. 1 root root 0 Dec 7 08:42 .autofsck
drwx------. 2 root root 4096 Dec 10 03:40 backup
dr-xr-xr-x. 2 root root 4096 Nov 29 19:59 bin
dr-xr-xr-x. 5 root root 1024 Dec 7 08:41 boot
drwxr-xr-x. 17 root root 3580 Dec 7 08:43 dev
drwxr-xr-x. 66 root root 4096 Dec 7 08:42 etc
drwxr-xr-x. 3 root root 4096 Aug 14 20:50 home
dr-xr-xr-x. 9 root root 4096 Aug 11 04:01 lib
dr-xr-xr-x. 9 root root 12288 Nov 29 20:00 lib64
drwx------. 2 root root 16384 Aug 11 02:01 lost+found
drwxr-xr-x. 2 root root 4096 Aug 11 04:42 maint
drwxr-xr-x. 2 root root 4096 Aug 25 2009 media
drwxr-xr-x. 2 root root 4096 Aug 25 2009 mnt
drwxr-xr-x. 2 root root 4096 Aug 25 2009 opt
dr-xr-xr-x. 160 root root 0 Dec 7 08:42 proc
drwxr-xr-x. 5 root root 4096 Dec 3 17:16 recovery
dr-xr-x---. 4 root root 4096 Dec 10 08:50 root
dr-xr-xr-x. 2 root root 12288 Nov 29 19:59 sbin
drwxr-xr-x. 7 root root 0 Dec 7 08:42 selinux
drwxr-xr-x. 2 root root 4096 Aug 25 2009 srv
drwxr-xr-x. 13 root root 0 Dec 7 08:42 sys
drwxrwxrwt. 4 root root 4096 Dec 10 14:08 tmp
drwxr-xr-x. 14 root root 4096 Aug 11 02:03 usr
drwxr-xr-x. 20 root root 4096 Aug 14 20:45 var
$ cat /etc/issue
Fedora release 12 (Constantine)
Kernel \r on an \m (\l)
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:497::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:496::/var/spool/mqueue:/sbin/nologin
sshd:x:74:495:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:494:Apache:/var/www:/sbin/nologin
mysql:x:27:493:MySQL Server:/var/lib/mysql:/bin/bash
ossec:x:500:500::/var/ossec:/sbin/nologin
ossecm:x:501:500::/var/ossec:/sbin/nologin
ossecr:x:502:500::/var/ossec:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
$ cd
/var/www/html/
$ ls
total 90224
drwxr-xr-x. 13 apache apache 4096 Dec 9 12:21 .
drwxr-xr-x. 6 root root 4096 Aug 18 10:30 ..
-rw-r--r--. 1 apache apache 4183 Dec 5 16:50 .htaccess
-rw-r--r--. 1 apache apache 1156 Aug 11 03:17 HT
-rw-r--r--. 1 apache apache 2233 Aug 11 03:17 HT-ORIG
-rw-r--r--. 1 apache apache 1526525 Nov 11 14:01 IMG_0585.JPG
drwxr-xr-x. 2 apache apache 4096 Aug 11 03:16 ads
-rw-r--r--. 1 apache apache 125832 Nov 19 12:18 bootsplash.jpg
-rw-r--r--. 1 apache apache 754444 Aug 11 03:16 bt-nsa.png
-rw-r--r--. 1 apache apache 757498 Aug 11 03:16 bt-nsa2.png
-rw-r--r--. 1 apache apache 81597 Aug 11 03:16 bt4-final-vm.zip.torrent
-rw-r--r--. 1 apache apache 60094 Aug 11 03:16 bt4-final.iso.torrent
-rw-r--r--. 1 apache apache 44 Aug 11 03:16 bt4r1.txt
-rw-r--r--. 1 root root 686248 Nov 23 10:47 bt4r2.png
-rw-r--r--. 1 apache apache 160728 Aug 11 03:16 btfail.png
-rw-r--r--. 1 apache apache 476 Aug 11 03:16 collapsible_ad.html
-rwxr-xr-x. 1 apache apache 13397784 Aug 11 03:16 d.bin
-rw-r--r--. 1 apache apache 121 Aug 11 03:16 d.lic
-rw-r--r--. 1 apache apache 12844822 Aug 11 03:16 d32.bin
drwxr-xr-x. 2 apache apache 4096 Aug 11 03:16 documents
-rw-r--r--. 1 apache apache 3342 Aug 11 03:16 down.php
-rw-r--r--. 1 apache apache 4158 Aug 11 03:16 download-orig.php
-rw-r--r--. 1 apache apache 4945 Nov 22 11:38 download.php
-rw-r--r--. 1 apache apache 15125 Aug 11 03:16 error.php
-rw-r--r--. 1 apache apache 137383 Aug 11 03:16 example-2.jpg
-rw-r--r--. 1 apache apache 1150 Aug 11 03:16 favicon.ico
drwxr-xr-x. 21 apache apache 4096 Nov 22 18:56 forums
-rw-r--r--. 1 apache apache 87176 Aug 11 03:17 google.png
-rw-r--r--. 1 apache apache 53 Aug 11 03:17 googled6c4817aa45e0032.html
-rw-r--r--. 1 apache apache 23 Aug 11 03:17 googlehostedservice.html
-rw-r--r--. 1 apache apache 1978856 Sep 17 08:06 hola.jpg
-rw-r--r--. 1 apache apache 2264271 Sep 17 08:12 hola1.jpg
-rw-r--r--. 1 apache apache 2197361 Sep 17 08:15 hola2.jpg
-rw-r--r--. 1 apache apache 315306 Aug 11 03:17 hola22.png
-rw-r--r--. 1 apache apache 169202 Aug 11 03:17 hola23.png
drwxr-xr-x. 8 apache apache 4096 Nov 21 16:38 images
-rw-r--r--. 1 apache apache 3 Aug 11 03:17 index.html
-rw-r--r--. 1 apache apache 397 Dec 9 12:20 index.php
-rw-r--r--. 1 apache apache 321196 Nov 19 15:06 kanji.png
-rw-r--r--. 1 apache apache 147841 Sep 4 12:37 knock-0.5.tar.gz
-rw-r--r--. 1 apache apache 15410 Dec 9 12:20 license.txt
-rw-r--r--. 1 apache apache 48404480 Nov 14 15:53 mediawiki-1.16.0.tar
-rw-r--r--. 1 apache apache 13946 Aug 11 03:17 nv-xorg.conf
-rw-r--r--. 1 apache apache 1382400 Oct 26 10:38 oiopub-direct.tar
-rw-r--r--. 1 apache apache 1508471 Aug 11 03:17 p2270016.jpg
-rw-r--r--. 1 apache apache 1636957 Aug 11 03:17 p2280018.jpg
drwxr-xr-x. 2 apache apache 4096 Nov 22 11:46 patches
-rw-r--r--. 1 apache apache 582 Nov 22 11:21 r2.php
-rw-r--r--. 1 apache apache 9120 Dec 9 12:20 readme.html
-rw-r--r--. 1 apache apache 712 Nov 10 22:27 s.php
-rw-r--r--. 1 apache apache 63 Aug 11 03:17 show.dud.php
-rw-r--r--. 1 apache apache 801 Aug 11 03:17 show.original.php
-rw-r--r--. 1 apache apache 31 Aug 11 03:17 show.php
-rw-r--r--. 1 apache apache 601 Nov 10 22:28 show.stats.working.php
-rw-r--r--. 1 apache apache 38971 Dec 7 23:23 sitemap.xml
-rw-r--r--. 1 apache apache 2485 Dec 7 23:23 sitemap.xml.gz
drwxr-xr-x. 3 apache apache 4096 Aug 11 03:17 slider
-rw-r--r--. 1 apache apache 714372 Aug 11 03:17 spot-the-release.png
-rw-r--r--. 1 apache apache 1536 Aug 11 03:17 stats.php
-rw-r--r--. 1 apache apache 33 Dec 10 03:34 stats.txt
-rw-r--r--. 1 apache apache 23660 Aug 11 03:17 style.css
-rw-r--r--. 1 apache apache 5 Aug 11 03:17 test.php
drwxr-xr-x. 2 apache apache 4096 Nov 22 09:22 torrents
drwxr-xr-x. 15 apache apache 4096 Nov 27 16:52 wiki
-rw-r--r--. 1 apache apache 4391 Dec 9 12:20 wp-activate.php
drwxr-xr-x. 8 apache apache 4096 Dec 5 08:12 wp-admin
-rw-r--r--. 1 apache apache 40284 Dec 9 12:20 wp-app.php
-rw-r--r--. 1 apache apache 220 Dec 9 12:20 wp-atom.php
-rw-r--r--. 1 apache apache 274 Dec 9 12:20 wp-blog-header.php
-rw-r--r--. 1 apache apache 3926 Dec 9 12:20 wp-comments-post.php
-rw-r--r--. 1 apache apache 238 Dec 9 12:20 wp-commentsrss2.php
-rw-r--r--. 1 apache apache 3173 Dec 9 12:20 wp-config-sample.php
-rw-r--r--. 1 apache apache 2696 Nov 22 19:32 wp-config.php
drwxr-xr-x. 9 apache apache 4096 Dec 9 12:21 wp-content
-rw-r--r--. 1 apache apache 1255 Dec 9 12:20 wp-cron.php
-rw-r--r--. 1 apache apache 240 Dec 9 12:20 wp-feed.php
drwxr-xr-x. 8 apache apache 4096 Aug 13 20:06 wp-includes
-rw-r--r--. 1 apache apache 2002 Dec 9 12:20 wp-links-opml.php
-rw-r--r--. 1 apache apache 2441 Dec 9 12:20 wp-load.php
-rw-r--r--. 1 apache apache 26059 Dec 9 12:20 wp-login.php
-rw-r--r--. 1 apache apache 7774 Dec 9 12:20 wp-mail.php
-rw-r--r--. 1 apache apache 487 Dec 9 12:20 wp-pass.php
-rw-r--r--. 1 apache apache 218 Dec 9 12:20 wp-rdf.php
-rw-r--r--. 1 apache apache 316 Dec 9 12:20 wp-register.php
-rw-r--r--. 1 apache apache 218 Dec 9 12:20 wp-rss.php
-rw-r--r--. 1 apache apache 220 Dec 9 12:20 wp-rss2.php
-rw-r--r--. 1 apache apache 9177 Dec 9 12:20 wp-settings.php
-rw-r--r--. 1 apache apache 18695 Dec 9 12:20 wp-signup.php
-rw-r--r--. 1 apache apache 3702 Dec 9 12:20 wp-trackback.php
-rw-r--r--. 1 root root 99665 Nov 24 00:52 wtfff.png
-rw-r--r--. 1 apache apache 85 Nov 20 13:43 x.gif
-rw-r--r--. 1 apache apache 95481 Dec 9 12:20 xmlrpc.php
$ cat wp-config.php
<?php
/** Enable W3 Total Cache **/
define('WP_CACHE', true); // Added by W3 Total Cache
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information by
* visiting {@link https://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', '234hi2u3d98as7d23kuh');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* WordPress Localized Language, defaults to English.
*
* Change this to localize WordPress. A corresponding MO file for the chosen
* language must be installed to wp-content/languages. For example, install
* de.mo to wp-content/languages and set WPLANG to 'de' to enable German
* language support.
*/
define ('WPLANG', '');
/* That's all, stop editing! Happy blogging. */
/** WordPress absolute path to the Wordpress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
$ cat show.php
<?php
include 'stats.txt';
?>
$ cat stats.txt
BackTrack 4 - 4916323 downloads
cat download.php
<?php
// DO NOT CHANGE THIS FILE WITHOUT TALKING TO MUTS FIRST> EVEN IF YOU THINK YOU KNOW WHAT YOU ARE DOING!!!
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
$ip=getRealIpAddr();
$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";
function choose($iso)
{
$num = Rand (1,5);
switch ($num)
{
case 1:
$link="ftp://ftp.uio.no/pub/security/backtrack/$iso";
break;
case 2:
$link="https://ftp.uio.no/pub/security/backtrack/$iso";
break;
case 3:
$link="https://ftp.halifax.rwth-aachen.de/backtrack/$iso";
break;
case 4:
$link="https://ftp.halifax.rwth-aachen.de/backtrack/$iso";
break;
case 5:
$link="https://ftp.halifax.rwth-aachen.de/backtrack/$iso";
break;
// case 6:
// $link="https://moon.backtrack-linux.org/downloads/$iso";
// break;
}
return $link;
}
$version=$_GET["fname"];
if (! (($version=="bt4f") or ($version=="bt4fvm") or ($version=="bt4r1") or ($version=="bt4r1vm") or ($version=="bt3") or ($version=="bt4pf") or ($version=="bt4b") or ($version=="bt4bvm") or ($version=="bt4r2") or ($version=="bt4r2vm")))
{
echo "This page cannot be accessed directly.";
exit;
}
if ($version=="bt4r2")
{
$iso="bt4-r2.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
if ($version=="bt4r2vm")
{
$iso="bt4-r2-vm.tar.bz2";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
if ($version=="bt4f")
{
$iso="bt4-final.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4fvm")
{
$iso="bt4-final-vm.zip";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4r1")
{
$iso="bt4-r1.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4r1vm")
{
$iso="bt4-r1-vm.tar.bz2";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4pf")
{
$iso="bt4-pre-final.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4b")
{
$iso="bt4-beta.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt4bvm")
{
$iso="bt4-beta-vm-6.5.1.rar";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
elseif ($version=="bt3")
{
$iso="bt3-final.iso";
$link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
header( "Location: $link ");
exit;
}
else
{
exit;
}
?>
$ cat s.php
<?php
$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "select count(DISTINCT ip) as numrows from downloadz where version=\"bt4f\"";
$query2 = "select count(DISTINCT ip) as numrows from downloadz where version=\"bt4fvm\"";
$result=mysql_query($query);
$result2=mysql_query($query2);
$row2 = mysql_fetch_array($result2, MYSQL_ASSOC);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$numrows1 = $row['numrows'];
$numrows2 = $row2['numrows'];
mysql_close();
$total= round(($numrows1 + $numrows2) * 1.4);
echo "BackTrack 4 Final - $total unique downloads";
?>
$ cd wiki
$ ls
total 700
drwxr-xr-x. 15 apache apache 4096 Nov 27 16:52 .
drwxr-xr-x. 13 apache apache 4096 Dec 9 12:21 ..
-rw-r--r--. 1 apache apache 23 Nov 14 16:01 .htpasswd
-rw-r--r--. 1 apache apache 17997 Apr 5 2006 COPYING
-rw-r--r--. 1 apache apache 2073 Jul 27 07:29 CREDITS
-rw-r--r--. 1 apache apache 76 Jul 27 2009 FAQ
-rw-r--r--. 1 apache apache 392287 Mar 12 2010 HISTORY
-rw-r--r--. 1 apache apache 96 Nov 14 16:01 HT
-rw-r--r--. 1 apache apache 4138 Apr 18 2008 INSTALL
-rw-r--r--. 1 apache apache 5469 Nov 28 16:45 LocalSettings.php
-rw-r--r--. 1 apache apache 3649 Nov 11 2008 README
-rw-r--r--. 1 apache apache 58431 Jul 28 03:11 RELEASE-NOTES
-rw-r--r--. 1 apache apache 648 May 7 2009 StartProfiler.sample
-rw-r--r--. 1 apache apache 13307 Mar 25 2010 UPGRADE
drwxr-xr-x. 2 root root 4096 Nov 27 16:53 adsense
-rw-r--r--. 1 apache apache 4707 Feb 15 2010 api.php
-rw-r--r--. 1 apache apache 25 Feb 3 2008 api.php5
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 bin
-rw-r--r--. 1 apache apache 8436 Nov 21 14:24 bt-wiki.png
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 cache
drwxr-xr-x. 2 apache apache 4096 Nov 14 15:58 config
drwxr-xr-x. 4 apache apache 4096 Jul 28 03:16 docs
drwxr-xr-x. 4 apache apache 4096 Nov 28 16:44 extensions
drwxr-xr-x. 12 apache apache 4096 Nov 23 12:36 images
-rw-r--r--. 1 apache apache 4031 Oct 14 2009 img_auth.php
-rw-r--r--. 1 apache apache 31 Feb 3 2008 img_auth.php5
drwxr-xr-x. 16 apache apache 4096 Jul 28 03:16 includes
-rw-r--r--. 1 apache apache 4329 Jan 1 2010 index.php
-rw-r--r--. 1 apache apache 28 Feb 3 2008 index.php5
drwxr-xr-x. 4 apache apache 4096 Jul 28 03:16 languages
drwxr-xr-x. 13 apache apache 12288 Nov 22 12:55 maintenance
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 math
-rw-r--r--. 1 apache apache 3054 Mar 21 2009 opensearch_desc.php
-rw-r--r--. 1 apache apache 39 Mar 3 2008 opensearch_desc.php5
-rw-r--r--. 1 apache apache 174 Feb 3 2010 php5.php5
-rw-r--r--. 1 apache apache 8821 Jul 27 03:40 profileinfo.php
-rw-r--r--. 1 apache apache 383 Mar 21 2009 redirect.php
-rw-r--r--. 1 apache apache 31 Feb 3 2008 redirect.php5
-rw-r--r--. 1 apache apache 89 Feb 3 2010 redirect.phtml
drwxr-xr-x. 2 apache apache 4096 Jul 28 03:16 serialized
-rwxrwxrwx. 1 root root 6816 Nov 23 18:29 sitemap.xml
drwxr-xr-x. 9 apache apache 4096 Nov 28 14:12 skins
-rw-r--r--. 1 apache apache 4905 Mar 8 2010 thumb.php
-rw-r--r--. 1 apache apache 29 Feb 3 2008 thumb.php5
-rw-r--r--. 1 apache apache 1347 Nov 5 2008 trackback.php
-rw-r--r--. 1 apache apache 32 Mar 16 2009 trackback.php5
-rw-r--r--. 1 apache apache 86 Feb 3 2010 wiki.phtml
$ cat .htpasswd
edbadmin:YE8mle4nG1Z.c
cd ..
cat forums/includes/config.php
<?php
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 4.0.0 Patch Level 1
|| # ---------------------------------------------------------------- # ||
|| # All PHP code in this file is ©2000-2010 vBulletin Solutions Inc. # ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # https://www.vbulletin.com | https://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/
/*-------------------------------------------------------*\
| ****** NOTE REGARDING THE VARIABLES IN THIS FILE ****** |
+---------------------------------------------------------+
| If you get any errors while attempting to connect to |
| MySQL, you will need to email your webhost because we |
| cannot tell you the correct values for the variables |
| in this file. |
\*-------------------------------------------------------*/
// ****** DATABASE TYPE ******
// This is the type of the database server on which your vBulletin database will be located.
// Valid options are mysql and mysqli, for slave support add _slave. Try to use mysqli if you are using PHP 5 and MySQL 4.1+
// for slave options just append _slave to your preferred database type.
$config['Database']['dbtype'] = 'mysql';
// ****** DATABASE NAME ******
// This is the name of the database where your vBulletin will be located.
// This must be created by your webhost.
$config['Database']['dbname'] = 'forums';
// ****** TABLE PREFIX ******
// Prefix that your vBulletin tables have in the database.
$config['Database']['tableprefix'] = '';
// ****** TECHNICAL EMAIL ADDRESS ******
// If any database errors occur, they will be emailed to the address specified here.
// Leave this blank to not send any emails when there is a database error.
$config['Database']['technicalemail'] = 'muts@offsec.com';
// ****** FORCE EMPTY SQL MODE ******
// New versions of MySQL (4.1+) have introduced some behaviors that are
// incompatible with vBulletin. Setting this value to "true" disables those
// behaviors. You only need to modify this value if vBulletin recommends it.
$config['Database']['force_sql_mode'] = false;
// ****** MASTER DATABASE SERVER NAME AND PORT ******
// This is the hostname or IP address and port of the database server.
// If you are unsure of what to put here, leave the default values.
$config['MasterServer']['servername'] = 'localhost';
$config['MasterServer']['port'] = 3306;
// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'root';
$config['MasterServer']['password'] = '234hi2u3d98as7d23kuh';
// ****** MASTER DATABASE PERSISTENT CONNECTIONS ******
// This option allows you to turn persistent connections to MySQL on or off.
// The difference in performance is negligible for all but the largest boards.
// If you are unsure what this should be, leave it off. (0 = off; 1 = on)
$config['MasterServer']['usepconnect'] = 0;
// ****** SLAVE DATABASE CONFIGURATION ******
// If you have multiple database backends, this is the information for your slave
// server. If you are not 100% sure you need to fill in this information,
// do not change any of the values here.
$config['SlaveServer']['servername'] = '';
$config['SlaveServer']['port'] = 3306;
$config['SlaveServer']['username'] = '';
$config['SlaveServer']['password'] = '';
$config['SlaveServer']['usepconnect'] = 0;
// ****** PATH TO ADMIN & MODERATOR CONTROL PANELS ******
// This setting allows you to change the name of the folders that the admin and
// moderator control panels reside in. You may wish to do this for security purposes.
// Please note that if you change the name of the directory here, you will still need
// to manually change the name of the directory on the server.
$config['Misc']['admincpdir'] = 'admincphaha';
$config['Misc']['modcpdir'] = 'modcphaha';
// Prefix that all vBulletin cookies will have
// Keep this short and only use numbers and letters, i.e. 1-9 and a-Z
$config['Misc']['cookieprefix'] = 'bb';
// ******** FULL PATH TO FORUMS DIRECTORY ******
// On a few systems it may be necessary to input the full path to your forums directory
// for vBulletin to function normally. You can ignore this setting unless vBulletin
// tells you to fill this in. Do not include a trailing slash!
// Example Unix:
// $config['Misc']['forumpath'] = '/home/users/public_html/forums';
// Example Win32:
// $config['Misc']['forumpath'] = 'c:\program files\apache group\apache\htdocs\vb3';
$config['Misc']['forumpath'] = '';
// ****** USERS WITH ADMIN LOG VIEWING PERMISSIONS ******
// The users specified here will be allowed to view the admin log in the control panel.
// Users must be specified by *ID number* here. To obtain a user's ID number,
// view their profile via the control panel. If this is a new installation, leave
// the first user created will have a user ID of 1. Seperate each userid with a comma.
$config['SpecialUsers']['canviewadminlog'] = '1';
// ****** USERS WITH ADMIN LOG PRUNING PERMISSIONS ******
// The users specified here will be allowed to remove ("prune") entries from the admin
// log. See the above entry for more information on the format.
$config['SpecialUsers']['canpruneadminlog'] = '1';
// ****** USERS WITH QUERY RUNNING PERMISSIONS ******
// The users specified here will be allowed to run queries from the control panel.
// See the above entries for more information on the format.
// Please note that the ability to run queries is quite powerful. You may wish
// to remove all user IDs from this list for security reasons.
$config['SpecialUsers']['canrunqueries'] = '';
// ****** UNDELETABLE / UNALTERABLE USERS ******
// The users specified here will not be deletable or alterable from the control panel by any users.
// To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '';
// ****** SUPER ADMINISTRATORS ******
// The users specified below will have permission to access the administrator permissions
// page, which controls the permissions of other administrators
$config['SpecialUsers']['superadministrators'] = '1,2';
// ****** DATASTORE CACHE CONFIGURATION *****
// Here you can configure different methods for caching datastore items.
// vB_Datastore_Filecache - to use includes/datastore/datastore_cache.php
// vB_Datastore_APC - to use APC
// vB_Datastore_XCache - to use XCache
// vB_Datastore_Memcached - to use a Memcache server, more configuration below
// $config['Datastore']['class'] = 'vB_Datastore_Filecache';
// ******** DATASTORE PREFIX ******
// If you are using a PHP Caching system (APC, XCache, eAccelerator) with more
// than one set of forums installed on your host, you *may* need to use a prefix
// so that they do not try to use the same variable within the cache.
// This works in a similar manner to the database table prefix.
// $config['Datastore']['prefix'] = '';
// It is also necessary to specify the hostname or IP address and the port the server is listening on
/*
$config['Datastore']['class'] = 'vB_Datastore_Memcached';
$i = 0;
// First Server
$i++;
$config['Misc']['memcacheserver'][$i] = '127.0.0.1';
$config['Misc']['memcacheport'][$i] = 11211;
$config['Misc']['memcachepersistent'][$i] = true;
$config['Misc']['memcacheweight'][$i] = 1;
$config['Misc']['memcachetimeout'][$i] = 1;
$config['Misc']['memcacheretry_interval'][$i] = 15;
*/
// ****** The following options are only needed in special cases ******
// ****** MySQLI OPTIONS *****
// When using MySQL 4.1+, MySQLi should be used to connect to the database.
// If you need to set the default connection charset because your database
// is using a charset other than latin1, you can set the charset here.
// If you don't set the charset to be the same as your database, you
// may receive collation errors. Ignore this setting unless you
// are sure you need to use it.
// $config['Mysqli']['charset'] = 'utf8';
// Optionally, PHP can be instructed to set connection parameters by reading from the
// file named in 'ini_file'. Please use a full path to the file.
// Example:
// $config['Mysqli']['ini_file'] = 'c:\program files\MySQL\MySQL Server 4.1\my.ini';
$config['Mysqli']['ini_file'] = '';
// Image Processing Options
// Images that exceed either dimension below will not be resized by vBulletin. If you need to resize larger images, alter these settings.
$config['Misc']['maxwidth'] = 2592;
$config['Misc']['maxheight'] = 1944;
/*======================================================================*\
|| ####################################################################
|| # Downloaded: 22:25, Sat Jan 9th 2010
|| # CVS: $RCSfile$ - $Revision: 32878 $
|| ####################################################################
\*======================================================================*/
happY 1337day ;)
