With a little side of applesauce...

Thursday, February 1, 2007

Anatomy of a fckeditor hack

Introduction

As more crackers begin to exploit security holes in web applications, I find it helpful to be able to do some of your own forensic analysis when trying to fix the exploited holes. The following article details my process for finding information about a successful compromise of a web application hosted on one of my own servers. You will notice that many successful web application attacks share similar characteristics, so you will get faster and faster at finding the exploited application.

Process of Elimination:

When I cat out my log files, I always grep for a few different items:

1. Start with the information that I know:
- i.e. for this defacement, I knew the location of the defaced file:
- http://myweb/default.htm

Here are the entries matching default.htm in the access_log:


access_log:200.118.2.219 - - [07/May/2006:10:45:55 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
access_log:213.219.122.11 - - [07/May/2006:10:46:55 -0500] "GET /default.htm HTTP/1.0" 200 529 "-" "Wget/1.9.1"
access_log:202.122.243.167 - - [07/May/2006:10:47:41 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "libwww-perl/5.805"
access_log:164.71.2.5 - - [07/May/2006:10:49:18 -0500] "GET /default.htm HTTP/1.0" 200 529 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)"
access_log:218.227.202.243 - - [07/May/2006:10:53:02 -0500] "GET /default.htm HTTP/1.0" 200 529 "-" "mozilla4.0"
access_log:72.177.110.25 - - [10/May/2006:20:05:59 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:161.11.120.62 - - [10/May/2006:20:55:11 -0500] "GET /default.htm HTTP/1.1" 200 529 "http://www.zone-h.org/en/defacements/view/id=3777766/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
access_log:68.185.200.70 - - [10/May/2006:21:00:41 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:68.185.200.70 - - [10/May/2006:21:04:41 -0500] "GET /default.htm HTTP/1.1" 304 - "http://www.zone-h.org/en/defacements/view/id=3777766/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:68.191.220.68 - - [10/May/2006:22:00:05 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:149.168.132.137 - - [11/May/2006:06:28:23 -0500] "GET /default.htm HTTP/1.1" 200 529 "http://www.zone-h.org/en/defacements/filter/filter_domain=.edu/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:204.65.220.10 - - [11/May/2006:07:28:00 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:71.11.242.247 - - [11/May/2006:08:12:13 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/20060502 Ubuntu/dapper Firefox/1.5.0.2"
access_log:68.191.219.175 - - [11/May/2006:08:13:05 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
access_log:68.191.219.175 - - [11/May/2006:08:17:58 -0500] "GET /default.htm HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"
error_log:[Thu May 11 08:17:58 2006] [error] [client 68.191.219.175] File does not exist: /webroot/myweb/default.htm

If I compare the timestamp of the default.htm file:

-rw-r--r-- 1 root root 529 May 7 10:45 default.htm

against my log entries, I find:

access_log:200.118.2.219 - - [07/May/2006:10:45:55 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I also notice a request for this file whose referrer is a popular defacement archive site:

access_log:161.11.120.62 - - [10/May/2006:20:55:11 -0500] "GET /default.htm HTTP/1.1" 200 529 "http://www.zone-h.org/en/defacements/view/id=3777766/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

This supports my theory of a web defacement, as most attackers doing defacements like to post their sites on zone-h or other defacement archive sites.

2. I run host on the IP address from the matching log entry to see if I can find more information about the host:

me@mylap:~$ host 200.118.2.219
Host 219.2.118.200.in-addr.arpa not found: 3(NXDOMAIN)

The host has no reverse DNS entry, but this is not unusual. The attack could have come from a compromised host, a spoofed IP address, or an anonymous proxy.

3. I grep out all entries that match the IP address 200.118.2.219:

victim:/var/log/oldapache# cat access_log | grep 200.118.2.219
200.118.2.219 - - [07/May/2006:10:43:53 -0500] "GET /feeds/In_the_News_rssp.cfm HTTP/1.1" 200 12216 "http://www.google.com/search?hl=tr&q=index.cfm%3FcommentID%3D&btnG=Ara&lr=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:43:58 -0500] "GET /admin/fckeditor HTTP/1.1" 301 247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:43:58 -0500] "GET /admin/fckeditor/ HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:11 -0500] "POST /admin/fckeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=FileUpload&Type=zeh&CurrentFolder=/&ServerPath=/Images/ HTTP/1.1" 200 111 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:23 -0500] "GET /zeh/zeh3.jpg.asp HTTP/1.1" 200 34542 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:31 -0500] "POST /admin/fckeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=FileUpload&Type=zeh&CurrentFolder=/&ServerPath=/Images/ HTTP/1.1" 200 111 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:47 -0500] "GET /zeh/irc.jpg.php HTTP/1.1" 200 8581 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:48 -0500] "GET /zeh/irc.jpg.php?image=smiley HTTP/1.1" 200 92 "http://myweb/zeh/irc.jpg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:49 -0500] "GET /zeh/irc.jpg.php?image=folder HTTP/1.1" 200 90 "http://myweb/zeh/irc.jpg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:49 -0500] "GET /zeh/irc.jpg.php?image=arrow HTTP/1.1" 200 70 "http://myweb/zeh/irc.jpg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:49 -0500] "GET /zeh/irc.jpg.php?image=file HTTP/1.1" 200 93 "http://myweb/zeh/irc.jpg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:52 -0500] "POST /zeh/irc.jpg.php HTTP/1.1" 200 3668 "http://myweb/zeh/irc.jpg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:44:58 -0500] "POST /zeh/irc.jpg.php HTTP/1.1" 200 3652 "http://myweb/zeh/irc.jpg.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:45:14 -0500] "POST /admin/fckeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=FileUpload&Type=/&CurrentFolder=/&ServerPath=/Images/ HTTP/1.1" 200 111 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:45:55 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.118.2.219 - - [07/May/2006:10:46:00 -0500] "GET /skins/BlogFusion/_stylesheet.css HTTP/1.1" 200 12835 "http://myweb/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Now, we are getting some interesting information:

a. We now have our point of entry:

200.118.2.219 - - [07/May/2006:10:43:53 -0500] "GET /feeds/In_the_News_rssp.cfm HTTP/1.1" 200 12216 "http://www.google.com/search?hl=tr&q=index.cfm%3FcommentID%3D&btnG=Ara&lr=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

The attacker arrived via a Google search for:
http://www.google.com/search?hl=tr&q=index.cfm%3FcommentID%3D&btnG=Ara&lr=

which returns a list of sites running BlogFusion, evidently the application that contains the vulnerability (our site was high on the list).

b. We have the first appearance of the vulnerable application:

200.118.2.219 - - [07/May/2006:10:43:58 -0500] "GET /admin/fckeditor HTTP/1.1" 301 247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

FCKeditor recently had a vulnerability disclosed which allows remote attackers to upload malicious PHP files to the server:
http://www.frsirt.com/english/advisories/2006/0502

c. Next, we see the vulnerability exploited to upload a folder with files to the server:

200.118.2.219 - - [07/May/2006:10:44:11 -0500] "POST /admin/fckeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=FileUpload&Type=zeh&CurrentFolder=/&ServerPath=/Images/ HTTP/1.1" 200 111 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I notice the "zeh" in the URL (the Type parameter), so I return to my directory listing of the webroot and find:

drwxr-xr-x 2 root root 4096 May 7 10:44 zeh

Notice that both default.htm and the zeh folder are owned by root:root. This troubles me, and I don't quite understand how or why this has happened yet.
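The process of elimination in steps 1 to 3, together with the indicators picked out in points a to c, as a script. This is an added example and not code from the original post: it parses Apache combined-format access log lines, finds the request closest to the defaced file's modification time (ls -l only shows minutes, so a one-minute window is used), pivots to every request from that address, and flags the search-engine referrer, the connector upload with a non-standard Type, and double-extension file names. The log lines and the modification time below are a constructed sample modelled on the entries above (user agents shortened); the set of "standard" FCKeditor resource types is an assumption about the product.

```python
"""Pivot from a defaced file to the attacker's session in an Apache access log."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample modelled on the entries in the post (user agents shortened).
SAMPLE_LOG = """\
200.118.2.219 - - [07/May/2006:10:43:53 -0500] "GET /feeds/In_the_News_rssp.cfm HTTP/1.1" 200 12216 "http://www.google.com/search?hl=tr&q=index.cfm%3FcommentID%3D&btnG=Ara&lr=" "Mozilla/4.0"
200.118.2.219 - - [07/May/2006:10:43:58 -0500] "GET /admin/fckeditor HTTP/1.1" 301 247 "-" "Mozilla/4.0"
200.118.2.219 - - [07/May/2006:10:44:11 -0500] "POST /admin/fckeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=FileUpload&Type=zeh&CurrentFolder=/&ServerPath=/Images/ HTTP/1.1" 200 111 "-" "Mozilla/4.0"
200.118.2.219 - - [07/May/2006:10:44:23 -0500] "GET /zeh/zeh3.jpg.asp HTTP/1.1" 200 34542 "-" "Mozilla/4.0"
200.118.2.219 - - [07/May/2006:10:44:47 -0500] "GET /zeh/irc.jpg.php HTTP/1.1" 200 8581 "-" "Mozilla/4.0"
200.118.2.219 - - [07/May/2006:10:45:55 -0500] "GET /default.htm HTTP/1.1" 200 529 "-" "Mozilla/4.0"
213.219.122.11 - - [07/May/2006:10:46:55 -0500] "GET /default.htm HTTP/1.0" 200 529 "-" "Wget/1.9.1"
68.185.200.70 - - [10/May/2006:21:04:41 -0500] "GET /default.htm HTTP/1.1" 304 - "http://www.zone-h.org/en/defacements/view/id=3777766/" "Mozilla/5.0"
"""
# Modification time as shown by `ls -l` (minute precision, server local time -0500); constructed.
DEFACED_MTIME = datetime(2006, 5, 7, 10, 45, tzinfo=timezone(timedelta(hours=-5)))
# FCKeditor's standard connector resource types (assumption about the product).
KNOWN_TYPES = {"File", "Image", "Flash", "Media"}


def parse_log(text):
    """Parse combined-format lines into dicts; lines in other formats are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], TIME_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_write_request(entries, path, mtime, window=timedelta(seconds=60)):
    """Earliest request for `path` whose timestamp lies within `window` of the file's mtime."""
    hits = [e for e in entries
            if urlsplit(e["path"]).path == path and abs(e["time"] - mtime) <= window]
    return min(hits, key=lambda e: e["time"]) if hits else None


def session_for(entries, ip):
    """Every request made by one source address (the grep in step 3)."""
    return [e for e in entries if e["ip"] == ip]


def flag_entry(e):
    """Reasons why one request looks like part of the intrusion."""
    reasons = []
    url = urlsplit(e["path"])
    if "google." in e["referer"] and "/search?" in e["referer"]:
        reasons.append("search-referer")          # point a: found through a search query
    qs = parse_qs(url.query)
    if e["method"] == "POST" and qs.get("Command") == ["FileUpload"]:
        reasons.append("upload")                  # point c: file upload through the connector
        if qs.get("Type", [""])[0] not in KNOWN_TYPES:
            reasons.append("nonstandard-type")    # Type=zeh is not a standard resource type
    if re.search(r"\.\w+\.(php\d?|phtml|asp|aspx|cfm|jsp|pl|cgi)$", url.path, re.I):
        reasons.append("double-extension")        # irc.jpg.php, zeh3.jpg.asp
    return reasons


def investigate(log_text, defaced_path, mtime):
    """Locate the write, pivot on the source IP, and flag indicators in that session."""
    entries = parse_log(log_text)
    write = find_write_request(entries, defaced_path, mtime)
    if write is None:
        return None
    session = session_for(entries, write["ip"])
    flags = [(e["time"].strftime("%H:%M:%S"), urlsplit(e["path"]).path, reason)
             for e in session for reason in flag_entry(e)]
    return {"source_ip": write["ip"], "first_write": write["time"],
            "session": session, "flags": flags}


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, "/default.htm", DEFACED_MTIME)
    print("source ip:", result["source_ip"], "wrote the file at", result["first_write"])
    for when, path, reason in result["flags"]:
        print(f"  {when} {reason:18} {path}")
```

The one-minute window matters: the Wget fetch a minute later and the zone-h visitors days later also hit default.htm, but only the 10:45:55 request sits inside the minute the file was written, which is exactly the correlation made above.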

d. I get a directory listing of the zeh folder:

victim:/var/log/oldapache# ls zeh/
irc.jpg.php zeh3.jpg.asp

- We don't support ASP, so I open the irc.jpg.php file instead, and find:

<?php
/*
* IRC v1
* Copyright (C) 2006 MyBasH-CRUEL-sYsTeM sHocK | VuRuCuTeaM | <mybash@vurucuteam.com>
*
* This code is entirely free software.
* It may be used however you like, provided it is not used for malicious purposes.
* The purpose of the program is to connect to your host without FTP
* and to be able to add and remove files.
* Our code is written in 6 languages.
* It selects one automatically according to the server's language.
* After uploading the code to the host, enter the code's path in the address bar and connect.
* And never give anyone the path to this code!!
*
* -------------------------------------------------------------------------
* Hackerlar Metrosu Turkiye Hack Bilisim Platformu
* -------------------------------------------------------------------------
/* ------------------------------------------------------------------------- */

PAYDIRT!!! This is definitely not the initial hack, but it is part of the payload. Visiting the irc.jpg.php file gives you a directory listing of the current directory, with an option to copy or download any of the files the web server can read (see LISTING E). The application also lets you specify a directory, so I found that it could read the /etc/ directory as well (though most of the files there are protected from copy/download).

Since we have found the payload but not the initial hack, I look back at the fckeditor POST log entry:

200.118.2.219 - - [07/May/2006:10:44:11 -0500] "POST /admin/fckeditor/editor/filemanager/browser/default/connectors/cfm/connector.cfm?Command=FileUpload&Type=zeh&CurrentFolder=/&ServerPath=/Images/ HTTP/1.1" 200 111 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I do a Google search and find the following exploit:
http://milw0rm.com/exploits/1484

<?php
# ---fckeditor_22_xpl.php 15.38 04/12/2005 #
# #
# FCKEditor 2.0 <= 2.2 shell upload #
# coded by rgod #
# site: http://retrogod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu: "Security against defeat implies defensive tactics; ability to #
# defeat the enemy means taking the offensive" #

/* -> a short explanation: if a user can call directly

http://[target]/[path]/editor/filemanager/browser/default/connectors/php/connector.php

he can upload malicious content to a target server, including arbitrary
php code, and launch commands on it

this works when the php connector is enabled in config.php and when, for example,
the Apache httpd.conf "AddType application/x-httpd-php" directive lists
an extension not specified in the FCKEditor Config[DeniedExtensions][File]
array.

However, FCKeditor is integrated in a lot of applications, and if you
succeed in uploading the shell (see details in the output of this script)
search for a local inclusion issue inside of them and include the uploaded
file */

This exploit can be used against any remote instance by running fckeditor_22_xpl.php on any PHP4-enabled web server (I tested from my localhost; see LISTING D for a successful attack). It is easy to automate, and my guess is that the attacker used a Google query tool such as gooscan and fed the results into fckeditor_22_xpl.php.

That search query pulls up a list of BlogFusion sites. BlogFusion, to their credit, has posted a blog entry here:
http://www.blogfusion.com/blog/index.cfm?commentID=87

with a patched version of FCKeditor for BlogFusion users. It explains how to remove the offending content and install the fixed version of FCKeditor.
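The gap the exploit header describes (a deny list that misses an extension the server still executes) shown beside an allow-list check that closes it, plus a check on the connector's Type parameter, since Type=zeh above became a new directory in the webroot. This is an added example, not FCKeditor's or BlogFusion's code; the deny list, the set of extensions the hypothetical server maps to a script handler, the per-type allow lists and the resource-type names are assumptions chosen to illustrate the point.

```python
"""Deny-list versus allow-list validation of uploaded file names."""
import re

# Illustrative deny list in the style of FCKeditor's Config[DeniedExtensions] (assumed subset).
DENIED = {"php", "php3", "asp", "aspx", "cfm", "jsp", "pl", "cgi", "exe", "sh"}
# Extensions a hypothetical Apache AddType/AddHandler configuration hands to a script
# handler. "phtml" is executed but absent from DENIED above: that is the gap.
SERVER_EXECUTES = {"php", "php3", "phtml", "asp", "cfm"}
# Per-resource-type allow lists; the type names follow FCKeditor's standard ones (assumption).
ALLOWED_BY_TYPE = {
    "File": {"pdf", "txt", "zip"},
    "Image": {"jpg", "jpeg", "gif", "png"},
    "Flash": {"swf"},
    "Media": {"mp3", "mp4"},
}


def denylist_accepts(filename):
    """Weak check: compare only the final extension against a deny list."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext not in DENIED


def allowlist_accepts(filename, allowed):
    """Stronger check: a base name plus exactly one allowed extension, so names with
    several extensions (irc.jpg.php, irc.php.jpg) are rejected outright."""
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", filename)
    return m is not None and m.group(1).lower() in allowed


def server_would_execute(filename):
    """Whether the hypothetical server runs the stored file as code. Apache's mod_mime
    looks at every dot-separated segment, so depending on the AddType/AddHandler setup
    a name like x.php.jpg can be run as PHP; this model assumes a config that does."""
    return any(seg in SERVER_EXECUTES for seg in filename.lower().split(".")[1:])


def validate_upload(resource_type, filename):
    """Hardened connector check: a known Type first (an unknown Type must never name a
    new directory), then the allow list for that type."""
    if resource_type not in ALLOWED_BY_TYPE:
        return False, "unknown resource type"
    if not allowlist_accepts(filename, ALLOWED_BY_TYPE[resource_type]):
        return False, "extension not allowed"
    return True, "ok"


def compare(filename):
    """Side-by-side verdicts for one file name against the Image allow list."""
    return {
        "denylist_accepts": denylist_accepts(filename),
        "allowlist_accepts": allowlist_accepts(filename, ALLOWED_BY_TYPE["Image"]),
        "server_would_execute": server_would_execute(filename),
    }


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.phtml", "irc.jpg.php", "irc.php.jpg"):
        print(f"{name:12} {compare(name)}")
    print(validate_upload("zeh", "photo.jpg"))
```

The deny list accepts shell.phtml because the list never mentioned it, while the server still executes it; the allow list rejects it because it only ever says yes to the handful of extensions the endpoint exists to serve. Rejecting an unknown Type closes the second problem visible in the log above, an attacker-chosen directory name created under the webroot.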

NOTES:

LISTING A:

fckeditor.php hack info (required form fields):
host: victim (FQDN or ip address)
path: /me/myweb/admin/
cmd: ?Command=FileUpload&Type=zeh&CurrentFolder=/&ServerPath=/Images/

LISTING B:

search query string:
http://www.google.com/search?hl=tr&q=index.cfm%3FcommentID%3D&btnG=Ara&lr=

LISTING C:

####begin of directory listing notes
me@victim:/webroot/myweb$ ls -l
total 180
-rw-r--r-- 1 www-data www-data 8601 Sep 14 2005 Application.cfm
lrwxrwxrwx 1 www-data www-data 23 Sep 12 2005 CFIDE -> /webroot/CFIDE/
drwxr-xr-x 2 root root 4096 Sep 15 2005 File
drwxr-xr-x 8 www-data www-data 12288 May 5 16:45 Image
-rw-r--r-- 1 www-data www-data 5141 Sep 12 2005 StartHere.html
-rw-r--r-- 1 www-data www-data 2535 Sep 12 2005 _ping-photo.cfm
-rw-r--r-- 1 www-data www-data 2425 Sep 12 2005 _ping.cfm
drwxr-xr-x 2 www-data www-data 4096 Feb 13 11:42 _private
drwxr-xr-x 13 www-data www-data 4096 Nov 21 10:46 admin
drwxr-xr-x 4 www-data www-data 4096 Sep 12 2005 backup
-rw-r--r-- 1 www-data www-data 698 Sep 12 2005 comments.cfm
drwxr-xr-x 2 www-data www-data 4096 Sep 19 2005 database
-rw-r--r-- 1 root root 529 May 7 10:45 default.htm
-rw-r--r-- 1 www-data www-data 1406 Sep 12 2005 favicon.ico
drwxr-xr-x 2 www-data www-data 4096 Dec 7 11:59 feeds
drwxr-xr-x 3 www-data www-data 4096 Sep 12 2005 files
drwxr-xr-x 2 www-data www-data 4096 Sep 12 2005 help
-rw-r--r-- 1 www-data www-data 697 Sep 12 2005 index.cfm
drwxr-xr-x 2 www-data www-data 4096 Sep 12 2005 ini
drwxr-xr-x 2 www-data www-data 4096 Sep 12 2005 install
-rw-r--r-- 1 www-data www-data 2722 Sep 14 2005 ldap.cfm
-rw-r--r-- 1 www-data www-data 876 Sep 13 2005 login.cfm
-rw-r--r-- 1 www-data www-data 9507 Apr 26 10:06 mangle.rss
-rw-r--r-- 1 www-data www-data 716 Sep 12 2005 password.cfm
drwxr-xr-x 2 www-data www-data 4096 Mar 29 17:09 pdfcontent
-rw-r--r-- 1 www-data www-data 705 Sep 12 2005 photos.cfm
-rw-r--r-- 1 www-data www-data 5365 Sep 12 2005 randomWord.cfm
-rw-r--r-- 1 www-data www-data 828 Sep 12 2005 readmekenn.cfm
-rw-r--r-- 1 www-data www-data 1176 Sep 12 2005 readmekenn.htm
-rw-r--r-- 1 www-data www-data 763 Sep 12 2005 sendtofriend.cfm
drwxr-xr-x 7 www-data www-data 4096 Sep 12 2005 skins
-rw-r--r-- 1 www-data www-data 81 Apr 21 13:33 survey.cfm
drwxr-xr-x 3 www-data www-data 4096 Jan 19 14:20 tags
-rw-r--r-- 1 www-data www-data 365 Jan 19 11:18 tagtest.cfm
drwxr-xr-x 2 www-data www-data 4096 Apr 26 09:18 udf
-rw-r--r-- 1 www-data www-data 104 Sep 12 2005 versionInfo.txt
-rw-r--r-- 1 www-data www-data 1362 Apr 26 10:01 writexml_tester.cfm
drwxr-xr-x 2 root root 4096 May 7 10:44 zeh
me@victim:/webroot/myweb$
me@victim:/webroot/myweb$ cd zeh/
me@victim:/webroot/myweb/zeh$ ls
irc.jpg.php zeh3.jpg.asp
me@victim:/webroot/myweb/zeh$ cd ..
me@victim:/webroot/myweb$ ls
Application.cfm StartHere.html admin favicon.ico index.cfm login.cfm photos.cfm sendtofriend.cfm tagtest.cfm zeh
CFIDE _ping-photo.cfm backup feeds ini mangle.rss randomWord.cfm skins udf
File _ping.cfm comments.cfm files install password.cfm readmekenn.cfm survey.cfm versionInfo.txt
Image _private database help ldap.cfm pdfcontent readmekenn.htm tags writexml_tester.cfm
me@victim:/webroot/myweb$ cp -R zeh/ /var/log/oldapache/
cp: cannot create directory `/var/log/oldapache/zeh': Permission denied
me@victim:/webroot/myweb$ sudo cp -R zeh/ /var/log/oldapache/
me@victim:/webroot/myweb$
####end of directory listing notes

LISTING D:

#####begin fckeditor.php SUCCESS
<html><head><title> ******* FCKEditor 2.0 <= 2.2 shell upload**************
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body>
<p class="Stile6">
******* FCKEditor 2.0 <= 2.2 shell upload**************

<p class="Stile6">a
script by rgod at <a xhref="http://retrogod.altervista.org"target="_blank">
http://retrogod.altervista.org</a>
<table width="84%">
<tr>
<td width="43%"><form name="form1" method="post" action="/fckeditor.php"><input
type="text" name="host"> <span class="Stile5">* target (ex:www.sitename.com)
</span>

<input type="text" name="path"> <span class="Stile5">* path (ex:
/FCKEditor/ or just / ) </span>

<input type="text" name="cmd"> <span
class="Stile5"> * specify a command</span>

<input type="text" name="port">
...
truncated
...
# milw0rm.com [2006-02-09]
#####end of fckeditor.php.rendered SUCCESS


LISTING E:

#####begin irc.jpg.php rendered:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>VuRuCu TeaM-IRC v1</title>

<style type="text/css">
body { font: small sans-serif; text-align: center }
img { width: 17px; height: 13px }
a, a:visited { text-decoration: none; color: navy }
hr { border-style: none; height: 1px; background-color: silver; color: silver }
#main { margin-top: 6pt; margin-left: auto; margin-right: auto; border-spacing: 1px }
#main th { background: #eee; padding: 3pt 3pt 0pt 3pt }
.listing th, .listing td { padding: 1px 3pt 0 3pt }
.listing th { border: 1px solid silver }
.listing td { border: 1px solid #ddd; background: white }
.listing .checkbox { text-align: center }
.listing .filename { text-align: left }
.listing .size { text-align: right }
.listing .permission_header { text-align: left }
.listing .permission { font-family: monospace }
.listing .owner { text-align: left }
.listing .group { text-align: left }
.listing .functions { text-align: left }
.listing_footer td { background: #eee; border: 1px solid silver }
#directory, #upload, #create, .listing_footer td, #error td, #notice td { text-align: left; padding: 3pt }
#directory { background: #eee; border: 1px solid silver }
#upload { padding-top: 1em }
#create { padding-bottom: 1em }
.small, .small option { font-size: x-small }
textarea { border: none; background: white }
table.dialog { margin-left: auto; margin-right: auto }
td.dialog { background: #eee; padding: 1ex; border: 1px solid silver; text-align: center }
#permission { margin-left: auto; margin-right: auto }
#permission td { padding-left: 3pt; padding-right: 3pt; text-align: center }
td.permission_action { text-align: right }
#symlink { background: #eee; border: 1px solid silver }
#symlink td { text-align: left; padding: 3pt }
#red_button { width: 120px; color: #400 }
#green_button { width: 120px; color: #040 }
#error td { background: maroon; color: white; border: 1px solid silver }
#notice td { background: green; color: white; border: 1px solid silver }
#notice pre, #error pre { background: silver; color: black; padding: 1ex; margin-left: 1ex; margin-right: 1ex }
code { font-size: 12pt }
td { white-space: nowrap }
</style>

<script type="text/javascript">
<!--
function activate (name) {
if (document && document.forms[0] && document.forms[0].elements['focus']) {
document.forms[0].elements['focus'].value = name;
}
}
//-->
</script></head><body alink="black" bgcolor="#000000" link="white" text="red" vlink="blue">
<h1 style="margin-bottom: 0pt;">VuRuCu TeaM| IRC v1</h1>
<form enctype="multipart/form-data" action="irc.jpg.php" method="post">
<table id="main">
<tr>
<td colspan="7" id="directory"><a xhref="http://victim/me/myweb/zeh/irc.jpg.php?dir=%2Fwebroot%2Fme%2Fmyweb%2Fzeh%2F">Directory</a>:
<input name="dir" size="42" value="/webroot/me/myweb/zeh/" onfocus="activate('directory')" type="text">
<input name="changedir" value="change" onfocus="activate('directory')" type="submit"></td>
</tr>
<tr>
<td colspan="7" style="height: 1em;"></td>
</tr>
</table>
</form>
<!--webbot bot="HTMLMarkup" endspan -->&nbsp;<!--webbot bot="HTMLMarkup" startspan -->
<p align="center"><!--webbot bot="HTMLMarkup" startspan --><font face="Verdana"><center>
<h2><span id="lightf_light"></span></h2>
</center></font>
</body></html>
<html>
########end of irc.jpg.php rendered

LISTING F:

#####begin of defaced default.htm
<head>
<meta http-equiv="Content-Language" content="tr">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Hacked by LORD // Turkish Hacker</title>
</head>

<body bgcolor="#000000">
<p align="center">&nbsp;</p>
<p align="center"><font color="#00FF00" size="6" face="MS Serif">HACKED BY LORD</font></p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center"><font face="MS Serif" size="6" color="#00FF00">Turkish Hacker</font></p>
</body>
</html>
#####end of defaced default.htm

2 comments:

Anonymous said...

Great post! I never heard of Gooscan. I got zone-h'd a few years back; that slapped me into action regarding web security.

sysmox said...

Also DotNetNuke and other open-source software has been infected and hacked.