Hithron’s state of mind

March 9th, 2010

I might be repeating myself, but a year or so ago my hacking reached a new level. When you start getting paid for your evil deeds, you get thrown into a Hollywood film scenario where a night’s work can get you enough money to get by for the month. Even though it’s not vast sums of money, it’s enough for a poor student like myself. But your whole view of things changes. I now started to see other hackers as competition and the databases and servers I collect as information that can be translated into money. This makes me unwilling to teach people my tricks and skills that might set me one above the average hacker out there. But what has changed me the most is the paranoia I feel. I have always been paranoid because I believe that deep inside everyone is looking out for themselves and their own advancement. But before, I had control over everything: only I knew what I was doing, I had control of the data and so on. But now I am handing them off to a second party. That can cause problems for me if they get caught. So every time someone knocks at the door the first thing going through my head is “oh my god, the cops are here!”. This might seem a bit extreme but I am not joking around here. If the doorbell rings at 6:00 in the morning I fly up from the bed like the fire alarm just went off. If I could afford it I would have rigged my computer with C4. Thank god for Truecrypt and small portable USB devices, otherwise I would never leave my computer!

Edit: All this doesn’t apply to any porn-related hacks, as all the paid hacks I have done are for commercial servers.

“The scene”, corruption, lies and leeches

February 24th, 2010

When I say the scene I mean the porn exploiting scene. This is an underground collection of forums, IRC channels and people. This is a community where the more shells and passfiles you have the bigger dick you have. This is the root of all the problems that exist in the community. We have forums where admins feel they need to get recognized as good exploiters and give out passfiles to any newbie that comes along to earn credits. We have people using fake nicknames trying to scam their way into multiple forums. People are cross-posting and posting others’ work as their own. There has always been trouble with a couple of individuals but it seems that it has gotten worse with the years. I don’t know if the new generation lacks morals and loyalty or I just remember the good things about old times. But I am sure the standards for being allowed to call oneself an exploiter have sunk a level or two. I have met people that only “know” SQL injections (sqli); they don’t know what they are doing or why the vulnerability is there. They don’t even understand the basics of SQL. They are just fumbling in the dark until they find the light switch. This is a real problem because some day the porn industry will wake up and put down more money on security. As it is now I can’t see how they are surviving when 90% of all paysites are getting hacked. But how can you fix this problem? I really don’t know; I think morals are something you learn, and you do what you see others do. Maybe that’s why goldenpirates has an awesome team. I love them all and whatever they do in life I wish them luck. Well, that’s all for now, I need to get back to filtering my javascript application for xss. =/

ZeroSleep.

December 24th, 2009

Well, as I am sitting here semi-high and haven’t slept for 27 hours, I am pondering what I should do with my newfound zeroday. It has gotten me a lot of new pass files and it has been a fun day. But what should I do now? I could publish it and write an exploit; it would be fun to try out my newfound C# skills. Then I’ll lose the whole after a week or so. I think I might hang on to it so I have an edge. I was thinking about maybe hacking the main website for the application and maybe putting a small surprise in the source code. But it will someday be discovered by someone and I lose my access. Although it could be fun. But this application is so poorly coded that a monkey could do better. Worst is that it costs 2000$.

Exploit: My new zeroday tool first uses a “true or false” SQL injection to get the admin login, which is in plain text. Then it logs in as admin, uploads an evil img (just a jpg with php-code), then it uses an LFI in the config file to execute my evil img.

Back from the dead!

December 1st, 2009

Well, my blog career was cut short by a server crash and I haven’t had the time or desire to resurrect the blog, but lately I have felt the need to have something to take care of. So respawning the blog came naturally. So I got my nickname registered as the domain and started putting it together again. Anyway I am going to try and post at least once a week and keep you all updated on what fun stuff I have been up to. I really have been busy during the time I have been gone. I still have some small stuff to fix and update but hopefully I’ll be up and running 100% at the end of this week. Stay tuned for more adventures of hithron.

Encrypt or die!

November 30th, 2009

Today I hacked a site where people upload pictures and other people rate them. The site has 100 000 users and for a Swedish site it’s big. The problem is it had stored the passwords in the database in plain text. Obviously this is good news for me but for the users it’s really bad. Sites that big should take better care of their users. The point here is webmasters should really think more about encryption and use the right one. Do not use MD5, SHA-1 or MYSQL(4), they are way too easy to crack with today’s GPU cards. If I were to encrypt I would use phpass or whirlpool, they are hard nuts to crack. But I’m happy there are ignorant webmasters out there to make my life easy. How would I otherwise get my kickass wordlists?

Warning, too little sleep may cause stupidity!

November 30th, 2009

Last night I was sitting at my computer preparing to go to sleep when “skalman” came into the IRC channel and told me he had a mission for me. A friend of his had some trouble with a former partner of his and now he wanted to get some evidence that he thought was on the server of another company the partner ran. I was really tired at that point, but I’ll have a go, I thought, because my girl is coming tomorrow and that means no time for the fun stuff. I started looking around and it didn’t take that long before I had everything I needed: htpasswd-files, MYSQL tables and root login for MYSQL. But they had blocked access from remote locations in the MYSQL configuration file. Turns out they made the epic mistake almost everyone does, they had a phpmyadmin. And sure enough I logged in, did my “into outfile” trick and puff, I had a shell. Everything went as planned when a thought entered my mind, “Didn’t I turn off the proxy before… did I turn it back on?” I felt the panic spreading through my body and the error was obvious. I turned on the proxy as fast as I could. I don’t think this would have happened if I wasn’t so tired. Although I don’t think anything will happen, I really hope not. Just in case I’m going to try and root the box to clean out every clue I left behind. I didn’t find the evidence this individual was looking for but it was fun to take a look around. Well I need to take a shower, my girl is en route to my secret hacker lair =)

h4x

November 30th, 2009

I often get requests to hack that user or that site. Often those people are inexperienced and don’t understand the time and will that go into some projects. To spend hours and hours mapping and getting an overview of the server you need will and motivation. And when you get a request you often don’t feel that motivated to attack the target in question. But there are different kinds of motivation. The biggest and the one I use is my own curiosity or urge to have a site. Second best is to gain a favor from a friend or colleague. Third is money, everyone needs that. So next time you ask a random hacker to do something think about those three reasons and ask yourself if your request meets any of the criteria. I don’t get angry if my friends send me a request, but people I hardly know shouldn’t even bother.
Even worse than that are people that think everything is easy to hack or that I have some kind of “super one click program” that I can use to get access to everything. They don’t understand that not everyone can do anything. You need a set of skills and knowledge, and it takes time and effort to acquire them. From now on when people ask me to teach them to hack I’ll answer: “If you know how to Google and some PHP/*SQL/Perl(CGI)/ASP etc., and Unix, know some things about Apache/IIS and basic TCP, then I’ll show you the way of the force”.

Locating the httpd.conf file.

November 30th, 2009

I rarely deal with local file inclusion, but when I do I always run into the same problem of finding the httpd.conf file. I need to read this file for several reasons. One is to know where I am (www-root). The second one is to find the path to the log files. Third is to find out if there are any other virtual hosts on the server I don’t know about. So the httpd.conf file is the first thing I look for, but it can be a pain in the ass to find. Although I have a lot of default paths written down I still have problems finding it sometimes. Even if you find it/them there can still be obstacles in the way. One of them is the damn asterisk (*) sign, e.g.: /etc/apache/conf.v/*conf
This tells apache to include every file in /conf.v/ that ends with “.conf”; the files can be named anything, so it’s just the long and almost impossible task of guessing what the webmaster named them. Anyway, what I am getting at is that reading the httpd.conf files is a big step in achieving your goal. I’ll post my list of default paths I have found over the years. Hopefully someone will post a comment with paths I don’t have. Hope this can be of help to someone.

Enjoy!

/www/apache/conf/httpd.conf
/etc/httpd/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/etc/apache/conf/httpd.conf
/www/httpd/conf/httpd.conf
/etc/www/conf/httpd.conf
/home/www/conf/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/vhost.conf
/home/www/httpd/conf/httpd.conf
/usr/local/etc/apache/httpd.conf
/var/www/conf/httpd.com
/var/apache2/conf/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache22/conf/httpd.conf
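
Seen from the defender's side, reads like the ones described in this post show up in the access log as request parameters that name Apache configuration files or climb out of the web root. An added example, not part of the original post, that flags such requests; the log lines, parameter names and pattern list are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Parameter values that reference Apache configuration or use directory traversal.
SUSPICIOUS = re.compile(r'\.\./|httpd\.conf|vhosts?\.d/|/(?:apache\d*|httpd)/conf', re.I)


def normalise(value: str) -> str:
    """Undo remaining layers of percent-encoding (values may be encoded more
    than once) and unify path separators before matching."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def config_read_attempts(lines):
    """Return (ip, status, parameter, value) for each parameter that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        # parse_qsl already removes one layer of percent-encoding.
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = normalise(raw)
            if SUSPICIOUS.search(value):
                hits.append((ip, int(status), name, value))
    return hits


# Constructed sample lines using documentation IP ranges, not taken from a real log.
SAMPLE = [
    '198.51.100.7 - - [30/Nov/2009:10:00:01 +0100] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Nov/2009:10:00:02 +0100] "GET /download.php?file=manual.pdf HTTP/1.1" 200 88112',
    '203.0.113.9 - - [30/Nov/2009:10:00:03 +0100] "GET /index.php?page=../../../../etc/httpd/conf/httpd.conf HTTP/1.1" 200 9841',
    '203.0.113.9 - - [30/Nov/2009:10:00:04 +0100] "GET /index.php?page=%2fusr%2flocal%2fapache%2fconf%2fhttpd.conf HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in config_read_attempts(SAMPLE):
        print(hit)
```

A hit answered with status 200 is the one to triage first, since a 404 usually means the guessed path did not exist.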

The SQL-injection hype, over?

November 30th, 2009

About two years ago I understood that most sites that use a database are vulnerable to an SQL-injection. This was when not that many people knew about the risks in my country and I took full advantage of that. But one year ago something changed, SQL-injection got to the script kiddies and BOOM! Everyone was now a hacker. The media called it “The return of the hobby hacker”, and they are right. You don’t need a lot of skills to do a simple SQL-injection, although there are more advanced types of injections like a “true or false”-injection. This trend we see in Sweden is not the general one, said a security expert at Symantec. The problem I see is that when knowledge like SQL-injection comes into the mainstream it by default comes to people that are stupid and ignorant. It comes to people that want a pat on the back and that is the problem. The number of hobby hackers is increasing and because cyberspace is a land of anarchy they feel safe doing what they are doing. But I feel this hype has reached its climax and is now on the way down, just because the programmers are becoming aware that this is a big problem. I’m sad to see that my job is getting harder every day but I’d rather work my ass off and be one in a hundred than be one in a million. Hopefully the era of SQL-injections is on its way to a sudden end. Although I shouldn’t underestimate the power of stupidity in the programmers either.

In other news I had my first “hacker” or bot crawl my site testing for vulnerabilities today. A R57 anyone? http://kkobold.extra.hu/export.txt just viewed it for five seconds and saw the username/password; other than that I can’t say if it is secure.
74.53.77.50 is the IP number the attack came from and it seems to be an exploited web server. I think the hacker came in through http://www.media-courses.com and it seems to have a big SQL-injection flaw. May hack it and download the exploit code for fun. But right now I need to talk to a guy about a header image for a blog.

Hacking the hackers

November 30th, 2009

You would think people like me know you should have good security and strong passwords, but you would be wrong. It seems like now and again I stumble upon some kind of hacker community where high members and admins sometimes have the same password on other sites. You should never use the same password twice for important stuff like an admin account. On some sites you will even find really bad holes like a simple SQL injection. I remember a year or so back when Sweden was a target for Turkish hackers because of some drawings of Muhammad. Anyway one of these groups got some attention in the Swedish media. And I thought to myself “hum, might take a look”. Didn’t take me that long to find an injection, on the only page they had coded by themselves (that said a lot about the group). As stupid as I was back then I wrote a script in perl and started to loop down the users. I started focusing on cracking the admin hashes, and sure enough I got a few hits. Logged in and posted a Muhammad picture on the front page and then posted the database on a forum from a fake account.
This would be the end of the story I thought and went to sleep feeling good about my retaliation. When I woke up the next day all hell had broken loose. People were hijacking Turkish accounts and the Turkish hacker forum was overflowing with spammers. As revenge the Turkish group made a ddos-attack on the forum I posted the database on. On top of this the Swedish media was talking about a cyber war between Sweden and Turkey. Radio and newspapers were all over this. Well, shit does happen. Not every day you get accused of starting a war. =(

Here are some articles for the Swedish readers:

http://www.idg.se/2.1085/1.125941
http://www.idg.se/2.1085/1.125361
http://www.svd.se/nyheter/inrikes/artikel_497671.svd
http://www.sr.se/ekot/artikel.asp?artikel=1658549
http://www.sr.se/webbradio/webbradio.asp?type=db&id=819400
http://www.bestsecuritytips.com/news+article.storyid+367.htm

First and last time I take responsibility for this attack. It would have been so much better living off them for a while. Taking everything from the inner circle, living off them like a parasite. I would have had my own script kiddie army and they would have been none the wiser.