Astalavista.net and Astalavista.com Hacked

June 6th, 2009

The infamous sources for exploits, hacks, etc., Astalavista.net and Astalavista.com, have been hacked. The hacker kept a log of the entire shell session and posted it for everyone’s viewing pleasure.

Astalavista claimed to be run by security experts. From http://astalavista.com/faq:

>> 03. Who’s behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

It was very clear that this was untrue.

So why were they hacked? I’ll let the hacker tell you:

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per month to access a dead forum with a directory filled with public releases and outdated / broken services.

We wanted to see how good that "team of security and IT professionals" really is.

To sum up what you’re about to see…

Astalavista:

[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

Apparently, gaining access to the self-proclaimed security expert’s site was as simple as:

anti-sec:~# ./g0tshell astalavista.com -p 80
[+] Connecting to astalavista.com:80
[+] Grabbing banner…
LiteSpeed
[+] Injecting shellcode…
[-] Wait for it
[~] We g0tshell
sh-3.2$

The person doing the work was kind enough to post a log of everything that he did with the shell at Pastebin.

The results are absolutely hilarious. Storing passwords in plaintext with MySQL databases. That’s secure, right?

select user,nickname,password,email from users where userlevel = 1;
| user | nickname | password | email
| pascal | prozac | ******** | info@astalavista.net |
| Ivan Schmid | rOOtless1 | ******** | ivan.schmid@comvation.com|
| qreymer | Palermo | ******** | eche@home.se |
| Christian Wehrli | g0atherd | ******** | g0atherd@gmx.net |
... etc.

Passwords removed to protect the possibly innocent.

Checking the .bash_history for some users reveals mysql command lines with the password passed inline instead of letting the client prompt for it. All in all, if you’re familiar with Linux and security in any fashion, you can get a good chuckle out of how terribly managed this site for security experts is.
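As an added example (not from the post or the leaked log), here is a small scanner a defender can run over shell history files to find the class of mistake described above: MySQL client passwords typed inline on the command line. The sample history lines, user names and passwords are constructed for illustration.

```python
import re

# Constructed sample .bash_history lines (not from the Astalavista log). Inline
# passwords end up in shell history and are visible in `ps` while the command runs;
# the safe forms are letting the client prompt, or a mode-0600 ~/.my.cnf.
SAMPLE_HISTORY = """\
cd /home/astanet
mysql -u astanet -pS3cretPass astanet_membersystem
mysqldump --user=root --password=hunter2 --all-databases > /home/backup/all.sql
mysql -u astanet -p astanet_membersystem
mysql --password=
ls -la
"""

# Inline MySQL-client passwords: "-pVALUE" (no space, as the client parses it) and
# "--password=VALUE". A bare "-p" or "--password=" with no value means the client
# prompted, which is the safe form and is not flagged.
INLINE_PASSWORD = re.compile(r"(?P<flag>(?<!\S)-p|--password=)(?P<secret>[^\s]+)")

# Only commands that are actually MySQL client tools are examined.
MYSQL_CLIENT = re.compile(r"\s*(sudo\s+)?mysql(dump|admin)?\b")


def find_inline_credentials(history_text):
    """Return (line_number, redacted_command) for each history line that carries a
    MySQL password inline. The secret itself is never returned, only a redacted copy."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        if not MYSQL_CLIENT.match(line):
            continue
        if INLINE_PASSWORD.search(line):
            redacted = INLINE_PASSWORD.sub(lambda m: m.group("flag") + "<redacted>", line)
            findings.append((lineno, redacted))
    return findings


if __name__ == "__main__":
    for lineno, cmd in find_inline_credentials(SAMPLE_HISTORY):
        print(f"history line {lineno}: {cmd}")
```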

The log is quite entertaining. Our hacker was kind enough to show us some messages that were being passed around from the administrators of the site to talk about how they can make more money. Here’s a particularly hilarious one:

mysql> select iss_summary,iss_description from eventum_issue where iss_id = 16;
| iss_summary | iss_description |
| Website guidance | Virtual Girl which guides you trought the website.
We need a girl with who you can ( talk )!!!
Also for the News!
So my suggestion is a girl who read you the news loud if you like!
you can choose between read yourselfe or she read it for you or both!
Go to www.heise.de! There is an example for Voice News! It's a good thing!!!
Have a look on the example girls!!
http://www.yaoti.com/de/free_yaoti.html
or that
http://www.yellostrom.de/

After gaining root access, the hacker leaves us with an ending that is not unlike the fantastic explosion of the Death Star:

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root root 4096 Mar 11 17:56 .
drwxr-xr-x 25 root root 4096 Jun 3 02:43 ..
drwx--x--x 9 admin admin 4096 Nov 28 2007 admin
-rw------- 1 root root 8192 Jun 4 03:03 aquota.group
-rw------- 1 root root 8192 Jun 3 02:45 aquota.user
drwx--x--x 6 astanet astanet 4096 Jun 4 09:51 astanet
drwxr-xr-x 2 root root 4096 Jul 29 2008 backup
drwxr-xr-x 2 root root 4096 Sep 17 2008 backup.14161
drwx--x--x 10 com com 4096 Apr 28 12:40 com
drwxr-xr-x 2 root root 4096 May 17 2007 ftp
drwx------ 3 jon jon 4096 Sep 21 2007 jon
drwx------ 2 root root 16384 Sep 11 2007 lost+found
drwxr-xr-x 2 root root 4096 Sep 14 2007 my
drwxr-xr-x 5 mysql mysql 4096 Sep 24 2007 mysqldata
drwx------ 2 jon jon 4096 Sep 15 2007 test
drwxrwxrwt 2 root root 4096 Jul 29 2008 tmp
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
sh-3.2# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 407156
Server version: 5.0.45-community-log MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+-----------------------+
| Database |
+-----------------------+
| information_schema |
| astanet_ads |
| astanet_mailing_lists |
| astanet_mediawiki |
| astanet_membersystem |
| com_contrexx |
| com_contrexx2 |
| com_contrexx2_live |
| da_roundcube |
| dolphin |
| ideapool |
| mysql |
| test |
| yourmaster |
+-----------------------+
14 rows in set (0.03 sec)
mysql> drop database astanet_membersystem;
droQuery OK, 46 rows affected (0.81 sec)
mysql> drop database com_contrexx;
Query OK, 211 rows affected (2.72 sec)
mysql> drop database com_contrexx2;
Query OK, 237 rows affected (2.23 sec)
mysql> drop database com_contrexx2_live;
Query OK, 227 rows affected (7.63 sec)
mysql> drop database ideapool;
Query OK, 69 rows affected (0.19 sec)
mysql> drop database yourmaster;
Query OK, 158 rows affected (0.55 sec)
mysql> drop database astanet_ads;
Query OK, 9 rows affected (0.11 sec)
mysql> drop database astanet_mailing_lists;
Query OK, 24 rows affected (1.47 sec)
mysql> drop database astanet_mediawiki;
Query OK, 31 rows affected (0.51 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| da_roundcube |
| dolphin |
| mysql |
| test |
+--------------------+
5 rows in set (0.00 sec)

Let’s hope the “Security Experts” have off-site backups. In the meantime, you can check out the original here or download it in .txt format here.

The hacker left the ending with a wonderful quote suited for Astalavista.com/net:

What a journey! We’re not sure exactly why the "Terminator" had any influence on their naming (conventions) but we’re sure Arnold himself wouldn’t be in the wrong to say this pack of morons *won't be back*.

Well done anti-sec, well done.


Reported Shooting at Radford University (Story Emerging)

April 2nd, 2009

A shooting has been reported at Radford University, at the building known as “the Bonnie.” The suspect was seen at the Bonnie. The initial shooting is reported to have occurred on Calhoun and Madison.

Students received calls and text messages letting them know that they should seek shelter and that the city was looking for a black male with a do-rag, no shirt, and a camo jacket. I spoke to a University student who is currently seeking shelter in her dorm room at the University. On her way back from the 7-11, there was apparently a long line of cop cars which seemed odd to her, for a Thursday evening. Police have not confirmed what they were investigating but it is almost certain, at this time, that it was a shooting.

She confirmed that a friend of hers was nearby when it occurred and that he was very shaken up by it.

“I can’t believe our school doesn’t send an email out.”

“Think of how many parents are freaking out right now.”

Students and parents are turning to their University web site and finding no information. At this time, both the alert section on the University website and the alert section in the University police website have no alerts of any kind listed.

The shooter is apparently still loose, as students have not received any indication from the University that it is safe to leave their shelter.

“There are still people walking around campus that have no idea. Some people didn’t even get notified.”

More as the story develops.

10:29pm EST: sources say that there was one victim shot nine times and that the suspect was last seen in or near the Bonnie. This has not yet been confirmed by any officials.

10:54pm EST: sources say two more people have been shot, though this has not been officially confirmed. The University still has no information posted to the alerts on its website. News sources say tactical teams were deployed in a couple of University buildings. Students report that a building check will be occurring. The initial shooting is reported to have occurred on Calhoun and Madison. Confusion and distress are evident as students turn to their University website and find no information.

11:04pm EST: text message received by students from the University:

“Command center established. no further sightings of supspect[sic]. stay in rooms and lock doors. Further updates to follow.” Still no updates on the University website.

11:16pm EST: University finally updates their website with alert:

Radford University Police are asking that all RU students stay indoors and lock their doors. The RU community is urged to refer back to this page, radford.edu, for instructions and updates. Radford University police are patrolling the campus seeking a suspect involved in a shooting earlier this evening. Two connected alerts have been issued and the campus is now considered “locked down.”

All media are encouraged to report to Lot ZZ, adjacent to the Dedmon Center where further information will be made available.

11:24pm EST: no further reports on any additional shootings beyond the first. Currently, one victim was confirmed to be shot in the chest. The victim was taken to the hospital and reports indicate that they did not survive the shooting, though there is no official word yet.

12:13am EST: CNN has confirmed the death of the victim in the shooting.

Another text message update from the University at 11:34pm EST:

“No further sigtings[sic] of the suspect at this time. Building searches are ongoing. Stay in your room and lock doors.”

Website updated:

RADFORD — The following message was distributed by the ConnectEd system to campus subscribers at 11:34 p.m.: “Attention. RUPD and the Radford City Police have established checkpoints and a command center. No further sightings of the suspect at this time. Buildng searches are ongoing. Stay in your room and keep all doors locked. Updates to come.”

11:30 p.m. — Attention — RUPD and Radford City Police have established checkpoints and a command center. SWAT teams will be entering academic buildings to continue the search for a suspect involved in an off-campus shooting incident who may now reportedly be on the RU campus. All Radford University students are asked to shelter in place by staying in their rooms and keeping their doors locked.

All media are encouraged to report to the Joint Information Center in the Dedmon Center, which can be accessed from the Administrative entrance off of University Drive.

1:30am EST: another update from the University that there are still no sightings of the shooter.

2:53am EST: another text message update from the University at 2:10am EST:

“Police are still checking and clearing buildings. Stay indoors with the door locked. updates to continue”

The school’s website was also updated earlier:

RADFORD — Attention. RU PD and Radford City Police are continuing their search and clearing operations of academic buildings. There are no further sightings of the suspect to report. Further updates will be issued on the RU cable television system. Students are reminded to stay in their rooms and keep doors locked.

Please be advised that there are students on campus who are sheltering in place in secure academic buildings at this time.