Hacker Busted in Sri Lanka ( Real Story )

pjayampathi

Well-known member
  • Jan 20, 2008
    6,253
    39
    48
    what do u mean? :confused:

    google on the PHP Shell Script and u will find thread posted by a person named Zonta.. That was his script and that is why we misunderstood our gov page was hacked by a SL Zonta.. I think the real zonta dosen't even know abt this.. :baffled:
     

    viraj_slk

    Active member
  • Oct 1, 2007
    505
    35
    28
    google on the PHP Shell Script and u will find thread posted by a person named Zonta.. That was his script and that is why we misunderstood our gov page was hacked by a SL Zonta.. I think the real zonta dosen't even know abt this.. :baffled:

    oh i think he does. and if you search more carefully you'll find that both zontas are the same. i am pretty sure.... ;)
     

    chandima3010

    Well-known member
  • Jul 6, 2007
    5,923
    196
    63
    Kurunegala
    SL gov site serama 2.50 ewane.koheda wadak karanna puluwan eunata pain gahala wada berieun lauwa site hadawala gattama ohoma thamai. army.lk ekata una de dakkane.
    i have spotted lots of security holes in gov sites.Esp. citizen.lk
     

    MegaZonTa

    Member
    Sep 16, 2009
    87
    4
    0



    Ya some of us including me was surprised by this sudden attack on the WPC website. Since it was at the end of war, I thought it must be done by some canadian *%@#!! LTTE supporter. But no, then I got to know about Zonta, who pretty much like ZeroThunder is a kid who is just very curious about hacking stuff. Nothing wrong there. most of us are or were at some stage.

    I posted this incident on elakiri out of interest earlier
    http://www.elakiri.com/forum/showthread.php?t=188735

    Anyway what Zonta did may have been sort of an experiment, which it seems eventually had backfired on him. I think i can guess how he did the hack attack.

    Pls bear in mind hacking innocent websites that are useful to people, especially as Sri Lankans, defacing a government website is not at all approved :dull:

    So pls do not try your script kiddie activities on our national sites.

    Okay so here's what I think Zonta got up to
    :P

    Zonta used Shell Upload attack to gain access to the WPC site. You don't need to be so clever for this.
    The attacker uses a google dork to find potentially vulnerable websites:
    so he/she goes to Google and types:
    inurl:upload.php

    Or go to Advanced Search, select 'Date, usage rights, numeric range, and more' and set 'Region:' to Sri Lanka and then use the Google dork

    you will get a list of SL sites that will probably let you upload files. not all of them are vulnerable. some are. what's common about these sites is that they provide file upload services to users. some of them already got hacked by our curious SL hacking enthusiasts!

    so you go to such a site, check the way it lets you upload files and if you know what you are doing you can guess whether it's vulnerable. You simple find an r57, c99, c100 etc.. shell and upload it. and that's all!

    in Zonta's case, he seems to have uploaded a c100 shell. When uploaded to a site and then when accessed, the php script in those uploaded files gets executed and you get a shell prompt into the server where you can manipulate the website. for example you can replace the index file with your hack sigi.

    you don't always have to upload this malicious file (shell script) in php format. there are some other formats that servers still identify the php code in. not jpg, no that rarely works.

    you have to check the file type if you are offering file uploading services. and make the file go through proper validations to see through disguises (malicious scripts in the file etc..). i am still learning about building a proper file upload function and how to make it more secure. a colleague of mine told me that file mime type check alone is not enough as it's set by the client side, therefore can be forged. anyway this para was only for those interested web app developers. read on..

    although WPC have now taken off that mistake of its site, which was their website's file upload section (upload.php), i was still able to find it in google cache until recently. so my doubt was a bit more confirmed. you can't see that cache anymore...

    anyway here's what you can see now on a google search:
    e5idc5.jpg


    surprised why Zonta didnt use any proxies. but then again maybe he did...

    Proud of our skilled investigators!
    ;)

    relly???.. wow ! I didn't use a proxy , not even a vpn.And I don't use c100 . I use private shit.
     

    hasiwarna

    Member
    Oct 29, 2007
    2,017
    50
    0
    හංදියේ



    Ya some of us including me was surprised by this sudden attack on the WPC website. Since it was at the end of war, I thought it must be done by some canadian *%@#!! LTTE supporter. But no, then I got to know about Zonta, who pretty much like ZeroThunder is a kid who is just very curious about hacking stuff. Nothing wrong there. most of us are or were at some stage.

    I posted this incident on elakiri out of interest earlier
    http://www.elakiri.com/forum/showthread.php?t=188735

    Anyway what Zonta did may have been sort of an experiment, which it seems eventually had backfired on him. I think i can guess how he did the hack attack.

    Pls bear in mind hacking innocent websites that are useful to people, especially as Sri Lankans, defacing a government website is not at all approved :dull:

    So pls do not try your script kiddie activities on our national sites.

    Okay so here's what I think Zonta got up to
    :P

    Zonta used Shell Upload attack to gain access to the WPC site. You don't need to be so clever for this.
    The attacker uses a google dork to find potentially vulnerable websites:
    so he/she goes to Google and types:
    inurl:upload.php

    Or go to Advanced Search, select 'Date, usage rights, numeric range, and more' and set 'Region:' to Sri Lanka and then use the Google dork

    you will get a list of SL sites that will probably let you upload files. not all of them are vulnerable. some are. what's common about these sites is that they provide file upload services to users. some of them already got hacked by our curious SL hacking enthusiasts!

    so you go to such a site, check the way it lets you upload files and if you know what you are doing you can guess whether it's vulnerable. You simple find an r57, c99, c100 etc.. shell and upload it. and that's all!

    in Zonta's case, he seems to have uploaded a c100 shell. When uploaded to a site and then when accessed, the php script in those uploaded files gets executed and you get a shell prompt into the server where you can manipulate the website. for example you can replace the index file with your hack sigi.

    you don't always have to upload this malicious file (shell script) in php format. there are some other formats that servers still identify the php code in. not jpg, no that rarely works.

    you have to check the file type if you are offering file uploading services. and make the file go through proper validations to see through disguises (malicious scripts in the file etc..). i am still learning about building a proper file upload function and how to make it more secure. a colleague of mine told me that file mime type check alone is not enough as it's set by the client side, therefore can be forged. anyway this para was only for those interested web app developers. read on..

    although WPC have now taken off that mistake of its site, which was their website's file upload section (upload.php), i was still able to find it in google cache until recently. so my doubt was a bit more confirmed. you can't see that cache anymore...

    anyway here's what you can see now on a google search:
    e5idc5.jpg


    surprised why Zonta didnt use any proxies. but then again maybe he did...

    Proud of our skilled investigators!
    ;)

    ammiiiyyyyoooooooooo.. mama ahuwamai okakk.. dannam matath aasai test korala balanna :P
    eth bayai
    nikamata hari CID eken alluwoth monada kiyanne test kola kivwata ahaida man ahanne ? :P :P