ProtectedNET – Protecting your NET

Posted on Tuesday, 23rd February 2010 by ProtectedNET

Hey ;]

I found another c&c server with stolen passwords’ files there (more than 4K file).
Email addresses ,paypal accounts, twitter accounts, facebook accounts, etc etc.

So i have good news and bad news.
I will start with the bad news.

The bad news is the hacker may have downloaded it.

Good news is ,the logs are deleted, your data are no longer online.

Here is some twitter accounts compromised:
zEro_Goalla
vitinho_abranches@hotmail.com
hns.kenzie@yahoo.com
guido.scinto@gmail.com
mcnicnicz
awsomo3000@gmail.com
ThGomez
crazylizard42@yahoo.com
dinolords
cyclonemarine
Dude57823@gmail.com
Cross117@live.com
rennop
samdheeraj
kidshinex
spencyspazzic
mikeluies
locke.eramus@gmail.com
nicky10107@yahoo.com
nickfritsch@ymail.com
nmccouch@gmail.com
number1wwe
dylanstep@gmail.com
mrbrandnew12
davidwartenbe@gmail.com
trupacupa21
twitt4muslims
ThaEmoKid
crazycat542
R_eynolds
Infrantage2
marcisriekstins
travislowe@myway.com
Leusel7
luislisandro
desman197@yahoo.com
DJBAD
kennethwinder
Hii_iM_Bass
computerwhack
jeremy111
denisacoolgirlz@gmail.com
realhaxor
Happyweirdos@hotmail.com
krentz_unico@hotmail.com
ralph_lakers08@yahoo.com

skybox0404@aim.com
SecertAgentMan
ben.39@hotmail.co.uk
RsDeveloper
dsijancarlo
snowcatsh
noilldillon
preet2445@hotmail.com
darriusdavis@gmail.com
genspenst@gmail.com
f.sommerhoff@gmx.de
nevermindzx@gmail.com
hello2331995@hotmail.com
callumseven
brokenAngelx520
pcemptysoulz
scootboyle@gmail.com
NONSTOPMAFIA@HOTMAIL.COM
Destroy782
billdubwu
benjammin17
benjammin17
Midnightfoxkovu
PCCoolKid
shamahaja
mumbles08
halo8089
diablo9333
mimi_sheshe_bbs@hotmail.com
Adam.4994@live.com
cranK2k
cgkingrobert@gmail.com
robscast@gmail.com
youngavz@yahoo.com


I got thousands of email addresses.

Lets hope the cracker didn’t do much damage.

Stay safe.
-0xAli

Tags: email, facebook, hack, password, server, twitter
Posted in News | Comments (0)

Posted on Sunday, 14th February 2010 by ProtectedNET

Hello gang.

So here is what happened briefly

I made a new facebook honeypot account.

Left it with default privacy settings (only friends can see email address)
Joined a random group.

I get added by two accounts:
Lee Colin (No avatar, it has a few twin/duplicate accounts, all the same)

So it sounds usual, right?

Yeah except it added the email as msn :D
//did you notice i say it? :P

So zacharyshealy42[@]hotmail.com adds me.

“zacharyshealy42h[@]hotmail.com – Is chilling at home!! so tired..”

It never starts talking unless you do.
As every bot it recognizes a word and act upon it.
It never answers immediately.
It doesn’t write, It never shows the “xx is writing or so”.

Here is a convo.

hello
Who are you
hi ..who is this?
hi ..who is this?
You added me
ahhhhh i messaged you on the site right?
I am not quite sure
i'm sorry ..i get to be forgetful at times!!
Same
I'm feeling a little flirty ....lol..you?
Yeah, just saw a cool ted talk
Just got out of the shower...long day been kind of busy! but i'm feeling naughty!
heh
so what's up? ..... want to have some fun? ;)
That depends on your definition of fun :P
I like to show off...i also enjoy teasin' a bit too ....like that babe??
what the <:o)
i like it when a guy knows what he wants!! do u like a naughty girl? ;)
I'd love to have u kickback while i stroke ur c*ck and look right into your eyes ;) like that??
this can't be a halthy thing to do online -.-'
I need a man that can make me squirt......have u ever made a girl squirt? lolz
why do you say lolz
gonna change my clothes ... want to see ?
hmm
I want to show off on cam......maybe even show off a little for you .... but do u have a cam?
ok well u sound cute so i'm gonna show u.... 1 second..k?
http://bit.ly/dgZaqH k, now fill out ur info ..don't worry it's FREE......when you get in go to the private chat called flurtygurls ;) ..k?
fill my info?! :P
i use this site to play on cuz i don't want to be recorded !...this site doesn't allow users to record my webcam! you know?
lol nice cover
credit card is just to verify your age, you'll get in for free thru my page but you need to verify babe that you're an adult ...can't show ass and p*ssy to minors .. u know?
sure!?
let me know when you're done or if you need help ...i'll be gettin' lubbed up and ready ;)
What's your name
Jenny
cool name xD
Jenny
cool name xD
AM Jenny
Lmao bot, gotcha good
haa if i were a bot, would i be wearing this hat? lolz
brb.. 1 second ... got to restart my cam ...u comming?
k ur good let me know when you're in the chat babe..
are you in yet?
k
bot
haa if i were a bot, would i be wearing this hat? lolz
k


Anyway the bit.ly link redirects to http://www.freelocalcams.com/?cid=19047
The character name there is jenny so yeah.
The site is SFW, no nudity (just some pics) and no javascript and other scripts or anything.
Just a frame
[http://securejoinsite.com/join.php?act=el3030.19047&siteid=elx_vadultd&iframe=y&ud_xSiteID=19047&ud_xSiteName=elx_msafer&ud_xSiteTemp=CU&ud_IP=41.23x.xxx.xx&ud_refUrl=&tnum=12&ci_j2_ccn=c1&ci_j2_ccn_key=ffa4a33d122f820afd68b2670dce96d3&ci_max_width=450]
Like i’d trust securejoinsite.com cuz it says so :P

So yeah another facebook smart bot but now talking on MSN too!

Peace
-0xAli

Posted in Social-Media | Comments (1)

Posted on Wednesday, 3rd February 2010 by ProtectedNET

Whenever i see something like this i think:
What?
Who?
Why?
How?
Bullseye?
_____________

So “What?”

Interesting Twitter hack. Within hours, with no action from their part, 50,000 people started following @THCx. THCx signed up a week ago.

Yeah, someone got somehow enough privilege to make 50K twitter accounts follow him.
Here is a snapshot of the google
_____________

Who?
Good question.
I believe the attacker is the account owner @THCx and the owner of http://thcx.org/.
He also have the adsense public id of 6526580082060981, google can get his [G]email from the id pub-6526580082060981 which is in his adsense [ads] in the blog.
(And Google analytics id “UA-7485327-24″ aswell)
It’s maybe bogrrrrrrrrrrrr56[@t]gmail.com
Ask google or ask the chinese :D

Contact info of some domains:
Mark Walhberg
6456845456555
Whatever Yo 13-37
Leet, 31337
FR

Obviously not the most accurate info.

IP: 91.121.221.37 Roubaix, France
ISP: Ovh Systems
Hosted sites on the same IP:
dehe.com (Creation date: 17 Dec 2004)
dupedb.com (Creation date: 15 Jul 2009)
forums.dupedb.com (Creation date: 15 Jul 2009)
ks305660.kimsufi.com (Creation date: 19 Sep 2006)
mininova-alternative.com (Creation date: 26 Nov 2009)
thcx.org (Creation date: 27 Jan 2010)
tracker.dupedb.com (Creation date: 15 Jul 2009)
twitterx.org (Creation Date: 26 Jan 2010)
vps504.dehe.com (Creation date: 17 Dec 2004)
www.dupedb.com (Creation date: 15 Jul 2009)
Domains purchased from eNom.
_____________

Why?
Money.
It’s the most simple equation of “making money online”.
Blog [domain+hosting]+content+traffic = Money.

He made a mistake which is using adsense, why? simply becuase google will close the account before he even knows it.
They got good ways of detected blackhat/spam/bad traffic.
Also he will have to wait to get the check from google so good luck waiting a month or more.
_____________

How?

Neither twitter nor the attacker have spoken so it’s all a theory.

He definitely didn’t hack twitter.
And it can’t be a phishing attack, not that number in couple of days.
So it’s the weakest link, a third party application which had access to those people’s accounts privilege via twitter API.

So he hacked one (people have mentioned TweetMeme and NutshellMail being the one, noone is sure tho).
Then made the other accounts follow him.
If you find yourself have followed @THCx please post what applications have access to your account.

_____________

Bullseye?

Yes sure, he got the traffic and advertising he wanted.
http://search.twitter.com/search?q=thcx.org&rpp=100
Thousands of retweets ,i think they are automated too.
So he only needed access to the 3rd party app and then the money would flow into his pocket (in a perfect world :D).
_____________

So he registers on twitter, bought a domain in January 26, 2010 hosted it (twitterx.org), with the help of magic he gets 20K followers and 0 tweets.

About the blog twitterx.org the default post-install is Posted @ 6:55 AM on January 26, 2010.
The blog was about twitter only (tools&tips etc..) he wanted to make it bigger for more profit.
So he bought thcx.org on the 27th of jan, fills it with collection of other articles (Business ,Celebrity ,Entertainment ,Gadgets ,Gaming ,Health ,Other ,Politics ,Science ,Security ,Software ,Sports ,Tech News ,World News).
And not manually of course ,He is taking the news/articles from RSS feeds of other sites.
Anyway he got more 30K followers.

Here is a snapshot of the page if google deleted the cache for some reason
http://protectednet.com/files/THC.htm

And twitter finally noticed so they suspended his account.

Some sites say it was a big phishing attempt but that is not true.

Twitter have forced password restore/change for the users that were following @THCx.
Thanks twitter?

http://thenextweb.com/socialmedia/2010/02/02/twitter-forcing-users-change-password-reported-threat-phishing-attacks/
http://www.switched.com/2010/02/02/twitter-resetting-passwords-following-phishing-attack/
http://www.pcworld.com/article/188382/twitter_phishing_forces_users_to_reset_passwords.html
http://www.digitaltrends.com/computing/twitter-phishing-attack-time-for-tweeters-to-reset-passwords/
http://www.readwriteweb.com/archives/new_twitter_phishing_scam_is_making_the_rounds.php
http://mashable.com/2010/02/02/twitter-under-phishing-attack/
http://blogs.zdnet.com/security/?p=2349

That’s all.

Stay safe.
-0xAli

Posted in News, Vulnerabilities | Comments (1)

Posted on Friday, 22nd January 2010 by ProtectedNET

Size: 2.1 MB – 4.8 MB

Security issues have been identified that could allow an attacker to compromise a system that is running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this item, you may have to restart your computer.

More information for this update can be found at http://go.microsoft.com/fwlink/?LinkId=179104

Posted in Vulnerabilities | Comments (0)

Posted on Wednesday, 20th January 2010 by ProtectedNET

“Computer programming is tremendous fun. Like music, it is a skill that derives from an unknown blend of innate talent and constant practice. Like drawing, it can be shaped to a variety of ends – commercial, artistic, and pure entertainment. Programmers have a well-deserved reputation for working long hours but are rarely credited with being driven by creative fevers. Programmers talk about software development on weekends, vacations, and over meals not because they lack imagination, but because their imagination reveals worlds that others cannot see.”
Larry O’Brien and Bruce Eckel

Posted in General | Comments (0)

Posted on Tuesday, 19th January 2010 by ProtectedNET

He has now 124,367 Followers on 9:24 AM 1/20/2010 GMT

He is gaining now 200 follower on every minute.
Freaking fast ratio.
Follow Bill gates on twitter

Edit[1]: he has now 253,340 Followers //6:12 AM 1/21/2010 GMT

Edit[2]: he has now 465,593 Followers //7:09 PM 2/14/2010

Posted in News | Comments (1)

Posted on Saturday, 9th January 2010 by ProtectedNET

My personal site, i will post my latest projects there maybe exploits aswell ;P
0xA.li

Posted in General | Comments (0)

Posted on Saturday, 9th January 2010 by ProtectedNET

click me

Was searching for something in google (srsly not music or crack/keygens :P)

US Digital Millennium Copyright Act

DMCA complaint

Never saw that before.

peace.

Posted in General | Comments (0)

Posted on Tuesday, 5th January 2010 by ProtectedNET

Don’t worry guys (and girls :P) i am not dead.

Just busy with a new project book

Peace

Posted in General | Comments (0)

Posted on Wednesday, 23rd September 2009 by ProtectedNET

When you install AppServ it installs this page (click me).

It’s a good example of not-how-to deal with user input or GET vars.

In the second line:
$appservlang = $_GET['appservlang'];

In line #69
<a href=\”appserv/README-$appservlang.php?appservlang=$appservlang\”><span class=\”app\”>”._README.”</span></a>

and the variable appservlang is not sanitized by any method.

Here is how can you test the vulnerability:
Read the rest of this entry…

Posted in Vulnerabilities | Comments (0)