Got Owned!
This is why you should have an RSS reader pointed at this site! You may otherwise miss out on some very strange things. Thanks to a friend of mine giving me a call this morning and waking me up, I had this taken care of pretty quickly. If you missed it:
There goes all my cred :). Apparently the guy who runs this script kiddie haven finally found out about this post. I was wondering when that would happen. Apparently even the barely literate can knock over a WordPress blog.
Let’s go to the logs!
20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:24 -0400] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 799 "http://www.mcgrewsecurity.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:29 -0400] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 20 "http://www.mcgrewsecurity.com/wp-login.php?action=lostpassword" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:31 -0400] "GET /wp-login.php?checkemail=confirm HTTP/1.1" 200 645 "http://www.mcgrewsecurity.com/wp-login.php?action=lostpassword" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:48 -0400] "GET /wp-login.php?action=rp&key=QA3Ex6N HTTP/1.1" 302 20 "http://us.mc587.mail.yahoo.com/mc/showMessage?fid=Inbox&sort=date&order=down&startMid=0&.rand=1380447315&midIndex=0&mid=1_389233_AHtkxEIAAS9AR%2FN0MwJahkCdVho&eps=&f=1&nextMid=1_388825_ANZkxEIAAO0LR%2FMTrwYK4ja6ew8&m=1_389233_AHtkxEIAAS9AR%2FN0MwJahkCdVho,1_388825_ANZkxEIAAO0LR%2FMTrwYK4ja6ew8,1_388312_AL1kxEIAAJfYR%2FKw4QPnv3TS3vQ,1_387878_AHxkxEIAAOq8R%2FJqzAbDeFGS%2Bq4,1_387365_AL1kxEIAAN4ZR%2FFfbQMiqwTF%2Fp8,1_386934_ALxkxEIAAYHqR%2FFaSAIQbVuPve4," "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:51 -0400] "GET /wp-login.php?checkemail=newpass HTTP/1.1" 200 641 "http://us.mc587.mail.yahoo.com/mc/showMessage?fid=Inbox&sort=date&order=down&startMid=0&.rand=1380447315&midIndex=0&mid=1_389233_AHtkxEIAAS9AR%2FN0MwJahkCdVho&eps=&f=1&nextMid=1_388825_ANZkxEIAAO0LR%2FMTrwYK4ja6ew8&m=1_389233_AHtkxEIAAS9AR%2FN0MwJahkCdVho,1_388825_ANZkxEIAAO0LR%2FMTrwYK4ja6ew8,1_388312_AL1kxEIAAJfYR%2FKw4QPnv3TS3vQ,1_387878_AHxkxEIAAOq8R%2FJqzAbDeFGS%2Bq4,1_387365_AL1kxEIAAN4ZR%2FFfbQMiqwTF%2Fp8,1_386934_ALxkxEIAAYHqR%2FFaSAIQbVuPve4," "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:57:11 -0400] "GET /wp-login.php HTTP/1.1" 200 860 "http://us.mc587.mail.yahoo.com/mc/showMessage?fid=Inbox&sort=date&order=down&startMid=0&.rand=888861476&midIndex=0&mid=1_389665_AL1kxEIAALETR%2FN0gw5F92GsKBY&eps=&f=1&nextMid=1_389233_AHtkxEIAAS9AR%2FN0MwJahkCdVho&m=1_389665_AL1kxEIAALETR%2FN0gw5F92GsKBY,1_389233_AHtkxEIAAS9AR%2FN0MwJahkCdVho,1_388825_ANZkxEIAAO0LR%2FMTrwYK4ja6ew8,1_388312_AL1kxEIAAJfYR%2FKw4QPnv3TS3vQ,1_387878_AHxkxEIAAOq8R%2FJqzAbDeFGS%2Bq4,1_387365_AL1kxEIAAN4ZR%2FFfbQMiqwTF%2Fp8," "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:57:17 -0400] "POST /wp-login.php HTTP/1.1" 302 20 "http://www.mcgrewsecurity.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
20080402.log:205.234.212.246 - - [02/Apr/2008:07:57:19 -0400] "GET /wp-admin/ HTTP/1.1" 200 2669 "http://www.mcgrewsecurity.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
This is followed by him going to town in my WordPress admin panel. Check out how he gets in, though. He uses the “lost password” functionality, then comes back in as if the password email had been sent to a Yahoo account under his control: the Referer on the "action=rp&key=..." request is a Yahoo Mail inbox page, so the reset link was opened from a mailbox he could read, and the POST to wp-login.php that follows gets a 302 straight into /wp-admin/. Either he brute forced a password (changed to a much stronger one now!) and POP’d the email to his Yahoo account (nope, my host grepped the mail server logs), there’s some 0-day in WordPress’ password recovery, or there’s something else I’m just missing. I unfortunately don’t have whatever he POST’d to that form. I’ll be going through the logs more carefully over the next few days. In the meantime, if you’re a web app bug hunter, you might want to take a good look at this part of WordPress 2.5.
Edit: Scratch that, it was something I was missing. The attacker grabbed the username from a PHP error and brute forced an unfortunately bad database password. Nothing to see here :). I should have known better than to attribute an obvious skiddie attack to 0-day so quickly.
Check out what other miserable things this IP address has been up to on the Internet, as revealed by Google:
- http://www.bobbear.co.uk/happykids.html – Hosting a scam posing as a children’s charity
- http://www.oneworldincome.com/2007/10/23/four-shady-reverse-pension-plans-hits-the-streets/ – A “reverse pension” scam

Lol, it was my proxy IP. However, I’m not in the US.
hooohoo hey god, what should I do if they take my proxy server down? :(
I just warned you. Next time send an email about your fuckin script, not this childish act.
However, I can hack your site again and again and again.
So watch your language.
lol, try to find a WordPress exploit hahaaaa, you’ll find it homie
I knew defacing was a little too extreme for what you posted – in fact you were right about not giving credit. Sec handled it on his own and most definitely not in the name of RootShell, something which (almost) never happens.
Have a nice day :)
And the best part of it all is that it looked like an April Fool’s joke. If you had cleared it up yesterday, I might have never known.
Ladies and gentlemen, give a warm round of applause for sec himself!
> sec Says:
> April 3rd, 2008 at 1:40 am
> I just warned you , next time send email about your fuckin script .
> not this childish act
which was that… stealing someone else’s material or defacing their website?
Technically he can do whatever he wants with his own stuff, which you just linked to, really grabbed the source and copied it from there, but then again he did do it in the name of Rootshell, to be honest.
As you see, and the image you took shows, I wrote “McGrew Security Memdump” in the title of the post, and did not publish it in my name.
Look at the image on your site and the post on my site.
Review your act.
review his act?
What of yours?
You, without permission, stole content from his site, hot linked images (which is just a douchebag move… what in the five seconds it took you to copy the txt you couldn’t copy the pictures too?), and never once cite the source.
Wow, the title is “McGrew Security Memdump.” The name of the program doesn’t match the name of the program, there is no link for where the content comes from, it makes no mention of coming from some other site, and the post is authored by you…
Wow, yep, you’ve totally done your best effort to make sure people know that the work you posted on your site was original content from some other individual.
Review your act, the original act that caused McGrew to legitimately change an image hosted on HIS site. Oh yeah, and your follow up act as well. Own up, just say it. We know you did it. You stole the content with no thought of giving credit back. We know that until some script kiddie browsing your forum noticed the picture you had no idea that your sloppy theft had been noticed. So own up.
Either that or fsck off.
My forum is open to copying any kind of content.
When you submit an exploit to a security site, all security sites will put that on their pages WITHOUT any permission.
Can you make an image for the admins of all of the security sites? Or what about other security sites? haha, so they should employ a graphic artist to make a fuckin image for everyone who extracts their content.
If I wanted to change the source of the fuckin script I could post that in the rootshell tools section, not the tutorial section.
However, I know your IQ is not enough to understand what I said!
So I use my hack to guide your fuckin mind to understand that your act was lame.
My IQ must not be enough to understand what he said.
Sounds like he just admitted that his forum was cool with theft. And that his site is a “Security Site”, but it came across as a bunch of kids proud of trivial web defacements and the use of PHP shells on porley configured webservers. Truer hackers have never been known! It also sounds like he’s got some crazy wetware hack for our minds, and I for one am running scared.
s/porley/poorley
lol homie
Your fuckin site was hacked, Mr. Security. By who? By me.
So shut your fuckin mouth.
oOpsSs, you can say anything you want, be relaxed in your dreams.
Bye-bye kids
Anyone catch that?
What a skiddie. Call yourself security professionals? Ever heard of ethics? Obviously never worked a day in the IT industry.
All I can say is, why does SEC sound like the biggest retard when he attempts to speak English? Lots of haha’s and lol’s and cursing. Also, it’s typically the case to use capital letters after punctuation.
Now back to the big boy conversation…
McGrew, I am a little disappointed, not because you were hacked, but because it was due to weak passwords and brute forcing.
Are you using FreeBSD? You could so easily write a script that would, say, block an IP address after so many failed attempts, and it would take 10 minutes.
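An added example (my own, not code from the post or from any commenter) that covers both the log walk-through in the post and the block-after-N-failures script suggested in the comment above. It parses Apache combined-format lines, rebuilds the lost-password chain per source IP (lost-password POST, emailed action=rp link followed and from which Referer host, then a login), and counts failed logins for a threshold rule. Assumptions: the post’s own log entries are reused with the long Yahoo Mail referer shortened to its host and first parameter; the six failed logins from 198.51.100.7 (TEST-NET-2) are constructed; and “302 means the login succeeded, 200 means the form was re-rendered” is a heuristic for WordPress, not something the post states.

```python
"""Walk the Apache log for wp-login.php activity: reconstruct the lost-password
chain per source IP and count failed logins for a block-after-N rule.

Added example, not code from the original post. SAMPLE_LOG reuses the post's
own entries (the long Yahoo Mail referer shortened to host + first parameter)
plus a constructed burst of failed logins from 198.51.100.7 (TEST-NET-2)."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
MAIL = "http://us.mc587.mail.yahoo.com/mc/showMessage?fid=Inbox"  # webmail referer, shortened
SITE = "http://www.mcgrewsecurity.com/wp-login.php"

SAMPLE_LOG = [
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:24 -0400] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 799 "{SITE}" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:29 -0400] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 20 "{SITE}?action=lostpassword" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:31 -0400] "GET /wp-login.php?checkemail=confirm HTTP/1.1" 200 645 "{SITE}?action=lostpassword" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:48 -0400] "GET /wp-login.php?action=rp&key=QA3Ex6N HTTP/1.1" 302 20 "{MAIL}" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:55:51 -0400] "GET /wp-login.php?checkemail=newpass HTTP/1.1" 200 641 "{MAIL}" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:57:11 -0400] "GET /wp-login.php HTTP/1.1" 200 860 "{MAIL}" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:57:17 -0400] "POST /wp-login.php HTTP/1.1" 302 20 "{SITE}" "{UA}"',
    f'20080402.log:205.234.212.246 - - [02/Apr/2008:07:57:19 -0400] "GET /wp-admin/ HTTP/1.1" 200 2669 "{SITE}" "{UA}"',
] + [  # constructed: six failed logins from a second address
    f'20080402.log:198.51.100.7 - - [02/Apr/2008:08:10:{s:02d} -0400] "POST /wp-login.php HTTP/1.1" 200 860 "{SITE}" "{UA}"'
    for s in range(6)
]

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse(line):
    """Parse one combined-format line (tolerating the 'file.log:' prefix grep adds)."""
    m = LOG_RE.match(re.sub(r"^[^ ]*\.log:", "", line.strip()))
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def reset_chains(records):
    """Per IP: did a lost-password request go through, was the emailed reset link
    (action=rp&key=...) followed and from which Referer host, and did a login
    succeed afterwards. Assumption: WordPress answers a successful POST to
    wp-login.php with a 302 to wp-admin and a failed one by re-rendering the
    form with 200; the rules below rely on that."""
    by_ip = defaultdict(lambda: {"lostpassword": False, "rp_referer_host": None, "login_ok": False})
    for r in records:
        if r["path"] not in ("/wp-login.php", "/wp-admin/"):
            continue
        state = by_ip[r["ip"]]
        action = r["query"].get("action", [None])[0]
        if r["method"] == "POST" and action == "lostpassword" and r["status"] == 302:
            state["lostpassword"] = True
        elif r["method"] == "GET" and action == "rp" and "key" in r["query"]:
            # Where the reset link was clicked from: a webmail host here means the
            # mail reached a mailbox the requester could read.
            state["rp_referer_host"] = urlsplit(r["referer"]).hostname or "(none)"
        elif r["method"] == "POST" and action is None and r["status"] == 302:
            state["login_ok"] = True
    return dict(by_ip)


def failed_logins(records):
    """Login POSTs that came back 200 (form re-rendered) rather than 302."""
    return Counter(r["ip"] for r in records
                   if r["path"] == "/wp-login.php" and r["method"] == "POST"
                   and not r["query"] and r["status"] == 200)


def ips_to_block(records, threshold=5):
    """The block-after-N-failures rule suggested in the comments, as a pure
    function (feed the result to pf/ipfw/iptables or a fail2ban action)."""
    return {ip for ip, n in failed_logins(records).items() if n >= threshold}


def analyze(lines=SAMPLE_LOG):
    records = [r for r in map(parse, lines) if r]
    return reset_chains(records), failed_logins(records), ips_to_block(records)


if __name__ == "__main__":
    chains, fails, block = analyze()
    for ip, state in chains.items():
        print(ip, state)
    print("failed logins:", dict(fails), "block:", sorted(block))
```

Run it as a script, or pass your own access log to analyze() as a list of lines. The reset-chain walk is what makes the Referer on the action=rp request stand out in the post’s log; the blocklist is the fail2ban-style rule, kept as a pure function so you can wire it to pf, ipfw or iptables however your host allows.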
As a security professional working on defense, you are *always* going to get hacked. There is no such thing as perfect security. I think this is an excellent example to others of how it can happen. WhatWhat (Post 16) has some great ideas to prevent future attacks of this type, but that’s the way the game works. I congratulate McGrew Security for owning up to the weak password so that others can see that even the pros sometimes make mistakes!
Just for the troll, I also agree that SEC is a skiddie and must be about 12 years old in a cold basement nursing on his sister’s teat. hehe
bsd-roo: I’m not defending him, but there are plenty of people who are “security professionals” and have “never worked a day in the IT industry.”
Yeah, I agree, but surely an intellectual person does not need to be told what grammar, ethics and politeness are. They are what parents and schools teach from kindergarten.