Archive for the 'Images' Category

Astalavista.net and Astalavista.com Hacked

Saturday, June 6th, 2009

The infamous sources for exploits, hacks, etc. Astalavista.net, and Astalavista.com have been hacked. The hacker kept a log of the entire shell session and posted it for everyone’s viewing pleasure.

Astalavista claimed to be run by security experts. From http://astalavista.com/faq:

>> 03. Who’s behind the site?
>>
>> A team of security and IT professionals, and a countless number of contributors from all over the world.

>> 05. Is it true that the site is visited by script-kiddies and warez fans only?
>>
>> Absolutely not! The audience behind the site consists of home users, worldwide companies and corporations, educational and non-profit organizations, government and military institutions.
>> All of these have been visiting the site on a daily basis for the past couple of years, contributing in various ways, or requesting services and information.

It was very clear that this was untrue.

So why were they hacked? I’ll let the hacker tell you:

Why has Astalavista been targeted?

Other than the fact that they are not doing any of this for the "community" but for the money, they spread exploits for kids, claim to be a security community (with no real sense of security on their own servers), and they charge you $6.66 per month to access a dead forum with a directory filled with public releases and outdated / broken services.

We wanted to see how good that "team of security and IT professionals" really is.

To sum up what you’re about to see…

Astalavista:

[+] Founded in 1997 by a hacker computer enthusiast
[-] Exposed in 2009 by anti-sec group

Apparently, gaining access to the self-proclaimed security expert’s site was as simple as:

anti-sec:~# ./g0tshell astalavista.com -p 80
	[+] Connecting to astalavista.com:80
	[+] Grabbing banner...
		LiteSpeed
	[+] Injecting shellcode...
	[-] Wait for it	
	[~] We g0tshell	
sh-3.2$

The person doing the work was kind enough to post a log of everything that he did with the shell at Pastebin.

The results are absolutely hilarious. Passwords stored in plaintext in a MySQL database. That’s secure, right?

SELECT user,nickname,password,email FROM users WHERE userlevel = 1;

| user | nickname | password | email |
| pascal | prozac | ******** | info@astalavista.net |
| Ivan Schmid | rOOtless1 | ******** | ivan.schmid@comvation.com |
| qreymer | Palermo | ******** | eche@home.se |
| Christian Wehrli | g0atherd | ******** | g0atherd@gmx.net |
... etc.

Passwords removed to protect the possibly innocent.

Checking the .bash_history of some users reveals mysql command lines with the password embedded in the command itself instead of letting mysql prompt for it. All in all, if you’re familiar with Linux and security in any fashion, you can get a good chuckle out of how badly managed this site run by "security experts" is.
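Both findings above (a users table holding plaintext passwords, and mysql passwords typed straight into shell commands that end up in .bash_history) are easy to audit for on your own systems. The Python below is an added example, not code from the post or from the pastebin log; the recognised hash formats, the sample rows and the sample history lines are constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Shapes a stored password column should have (assumed list: modular-crypt
# prefixes for bcrypt/sha-crypt/argon2 and bare hex digests for md5/sha1/sha256).
HASH_PATTERNS = [
    re.compile(r"^\$(2[aby]|1|5|6|argon2id?)\$"),
    re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I),
]

# Constructed sample rows, as 'SELECT user,nickname,password FROM users' would return.
SAMPLE_ROWS = [
    ("alice", "prozac", "hunter2"),                               # plaintext
    ("bob", "r00t", "$2y$10$" + "x" * 53),                        # bcrypt-shaped
    ("carol", "palermo", "5f4dcc3b5aa765d61d8327deb882cf99"),    # md5 hex
]

# Constructed sample .bash_history lines.
SAMPLE_HISTORY = [
    "ls -la",
    "mysql -u root -psecret astanet_membersystem",
    "mysql -u root -p",
    "mysqldump --user=root --password=hunter2 shopdb > dump.sql",
]

def looks_hashed(value: str) -> bool:
    """True if the value has the shape of a known password hash."""
    return any(p.match(value) for p in HASH_PATTERNS)

def audit_password_column(rows: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the users whose stored password does not look like a hash."""
    return [user for user, _nick, pw in rows if not looks_hashed(pw)]

# mysql/mysqladmin/mysqldump invocations with the password inline:
# '-pSECRET' (no space) or '--password=SECRET'. A bare '-p' prompts and is fine.
INLINE_PW = re.compile(r"\bmysql(?:admin|dump)?\b.*?(?:\s-p(?!\s)|--password=)(\S+)")

def find_history_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_no, command with the password redacted) for offending history lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = INLINE_PW.search(line)
        if m:
            hits.append((n, line.replace(m.group(1), "<redacted>")))
    return hits

if __name__ == "__main__":
    print("plaintext passwords for:", audit_password_column(SAMPLE_ROWS))
    for n, cmd in find_history_credentials(SAMPLE_HISTORY):
        print(f"history line {n}: {cmd}")
```

The hash check is a shape test only: a 32-character hex string could still be an unsalted MD5, so a clean audit here says nothing about hash strength.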

The log is quite entertaining. Our hacker was kind enough to show us some messages that were being passed around from the administrators of the site to talk about how they can make more money. Here’s a particularly hilarious one:

select iss_summary,iss_description from eventum_issue where iss_id = 16;


| iss_summary | iss_description |
| Website guidance | Virtual Girl which guides you trought the website.
We need a girl with who you can ( talk )!!!
Also for the News!
So my suggestion is a girl who read you the news loud if you like!
you can choose between read yourselfe or she read it for you or both!
Go to www.heise.de! There is an example for Voice News! It's a good thing!!!
Have a look on the example girls!!

http://www.yaoti.com/de/free_yaoti.html

or that

http://www.yellostrom.de/


After gaining root access, the hacker leaves us with an ending that is not unlike the fantastic explosion of the Death Star:

sh-3.2# cd /home
sh-3.2# ls -la
total 120
drwxr-xr-x 14 root    root     4096 Mar 11 17:56 .
drwxr-xr-x 25 root    root     4096 Jun  3 02:43 ..
drwx--x--x  9 admin   admin    4096 Nov 28  2007 admin
-rw-------  1 root    root     8192 Jun  4 03:03 aquota.group
-rw-------  1 root    root     8192 Jun  3 02:45 aquota.user
drwx--x--x  6 astanet astanet  4096 Jun  4 09:51 astanet
drwxr-xr-x  2 root    root     4096 Jul 29  2008 backup
drwxr-xr-x  2 root    root     4096 Sep 17  2008 backup.14161
drwx--x--x 10 com     com      4096 Apr 28 12:40 com
drwxr-xr-x  2 root    root     4096 May 17  2007 ftp
drwx------  3 jon     jon      4096 Sep 21  2007 jon
drwx------  2 root    root    16384 Sep 11  2007 lost+found
drwxr-xr-x  2 root    root     4096 Sep 14  2007 my
drwxr-xr-x  5 mysql   mysql    4096 Sep 24  2007 mysqldata
drwx------  2 jon     jon      4096 Sep 15  2007 test
drwxrwxrwt  2 root    root     4096 Jul 29  2008 tmp
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
sh-3.2# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 407156
Server version: 5.0.45-community-log MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+-----------------------+
| Database              |
+-----------------------+
| information_schema    |
| astanet_ads           |
| astanet_mailing_lists |
| astanet_mediawiki     |
| astanet_membersystem  |
| com_contrexx          |
| com_contrexx2         |
| com_contrexx2_live    |
| da_roundcube          |
| dolphin               |
| ideapool              |
| mysql                 |
| test                  |
| yourmaster            |
+-----------------------+
14 rows in set (0.03 sec)
mysql> drop database astanet_membersystem;
droQuery OK, 46 rows affected (0.81 sec)
mysql> drop database com_contrexx;
Query OK, 211 rows affected (2.72 sec)
mysql> drop database com_contrexx2;
Query OK, 237 rows affected (2.23 sec)
mysql> drop database com_contrexx2_live;
Query OK, 227 rows affected (7.63 sec)
mysql> drop database ideapool;
Query OK, 69 rows affected (0.19 sec)
mysql> drop database yourmaster;
Query OK, 158 rows affected (0.55 sec)
mysql> drop database astanet_ads;
Query OK, 9 rows affected (0.11 sec)
mysql> drop database astanet_mailing_lists;
Query OK, 24 rows affected (1.47 sec)
mysql> drop database astanet_mediawiki;
Query OK, 31 rows affected (0.51 sec)
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| da_roundcube       |
| dolphin            |
| mysql              |
| test               |
+--------------------+
5 rows in set (0.00 sec)

Let’s hope the “Security Experts” have off-site backups. In the meantime, you can check out the original here or download it in .txt format here.

The hacker left the ending with a wonderful quote suited for Astalavista.com/net:

What a journey! We’re not sure exactly why the "Terminator" had any influence on their naming (conventions) but we’re sure Arnold himself wouldn’t be in the wrong to say this pack of morons *won’t be back*.

Well done anti-sec, well done.

If you liked this post, then please consider subscribing to my feed.

Google Ads Knows What Racist Tory Bigots Need

Friday, January 9th, 2009

Time and time again the contextually delivered advertisements from Google are displayed with hilarious results.

Apparently Google ads are intelligent enough to know what racist Tory bigots will usually need in the future:


Though, I’m not sure tattoo removal would be an option for all of them:

If you liked this post, then please be sure to subscribe to my feed.

We’re All Up in Your Internets, Cutting All Yur Cablez

Saturday, February 9th, 2008

[UPDATE - 02/12/08 - The Complete Guide to the 2008 Internet Outage has been finished. It contains the most up to date information including detailed images and explanations to help unravel this cable mess. Please check it out here]

I find it humorous that the recent cable cuttings have caused yet another divide of the kind we are seeing more and more on the internet: those that “wear the foil hats” and those that don’t. While I understand where the stereotype comes from, I think, on the internet, it has taken on a whole new meaning. Case in point: here’s a Wikipedia article on the subject.

[UPDATE: now there is even a Wikipedia article discussing the 'conspiracy theories' surrounding the submarine cable damages as well.]

Even though we jest about it and throw about the term lightly, there are those in the world who believe to the bottom of their soul that they are keeping themselves safe by adorning such a hat. These people are usually a bit psychotic and often exhibit symptoms of dementia praecox.

As a person who has been unfairly grouped into this stereotypical association which exists between “conspiracy theorists” (man, that sounds spooky) and the mentally ill, let me step forward and say:

“I am not (that) crazy.”

In a world where the word ‘conspiracy’ is tossed at someone the moment they try to make an argument, it appears, at least to this author, that we are setting ourselves up for failure. Isn’t it healthy and constructive to question the world around you in search of a complete understanding of a particular subject?

As the internet grows exponentially in mass along with the human race, we are going to be faced with a world that keeps growing ever smaller. It may be sooner than we think that neighborhoods are filled to the breaking point, with humans reproducing in the closest of quarters.

We may find ourselves in a society where paranoia, even of those in close proximity to you, becomes a necessity for survival instead of the words of a “few crazy individuals,” a society where people are at war with one another for territory the size of a city block.

When I was in school, I learned how to ask questions and find answers. This fundamental skill grew within me from grade school through college. Yet, for some reason, those who are considered educated among us ridicule, or choose to otherwise ignore, our questions whenever we start to ask them. I am lucky that I work in a place which allows me to have open conversations with my peers about the world around us. I am lucky that the woman I am in a relationship with allows me a similar environment at home.

I encourage anyone reading this to try and make your life, your workplace, and your home, a similar place. Try to surround yourself with people who encourage critical thinking and who don’t take everything at face value.

I have tried to introduce evidence which may help to explain the recent events which have turned into a veritable “Cablecut-gate” that has gripped the web. Yet, there are still those who choose the simpler way out.

There will always be people who are willing to accept the simpler answer and go on with their lives. There are even those in the aforementioned group who will go to great lengths to prove their simple truth, whether it be through books, photos, sound bites, or even quotes from their favorite puppet on Fox and Friends (sorry, I had to). But there will also be those of us who have an undying desire to search for truth and understanding in the events which shape the world around us.

If you happen to agree with me, or you’re into what is apparently the “tin-foil hat crowd,” then please read my previous posts on the subject.

…and so:

I will batten down the hatches and pull the rubber-band of my tinfoil hat down to snap against the bottom of my chin. Because I, for one, refuse to believe that this is what could have possibly occurred: