Updated: first edit i made a mistake and stated that paypal was the victim of the 0 day when it was infact ZPanel. Sorry for any inconvenience or misleading information.
Earlier today a well known hacker group, Hack the planet had released a Zine which contains breached information on 2 well known website image service Imageshack and anti virus giant Symantec and a 0 day exploit has been released for
payment gateway giant Paypal ZPanel Hosting control panel systems.
Even though the leak is clearly marked as being done by HTP other media has been reporting these two attacks as part of Anonymous #Nov5 attacks which have started today.
The leaked data was uploaded to various places, and contains a heap of information from the Imageshack server as well as all the exploits or vulnerabilities they had found and a reason behind the attack “Well, we like a challenge, so we decided to find out what changes were made. “.
Insight to the image shack attack from HTP
Heres a list of criteria we found that evidenced the hardened security on all
of ImageShack’s equipment:
- Run all MySQL instances as root
- Ensure all kernels are 2008 or earlier
- Routers compromisable via /level/16/exec/-/show/run
- Hardcode database passwords into as many files as possible (though we do
give them credit, the root MySQL pass ‘mutaborius’ was never cracked by
- Implement a firewall that allows outgoing backconnects
- Add tasks to root’s crontab that regularly run files owned by the www user
- Run outdated Nginx
- Enable register_globals
- Use one $1 shadow hash for everything
Protip, if your security sucks this much, your incoming firewall rules and
your keyauth won’t save you.
That being said, ImageShack has been completely owned, from the ground up.
We have had root and physical control of every server and router they own.
This message is followed by a extremely large amount of server information such as shells, file permission listings, source codes and much more.
Towards the end of the Imageshack section is a bit of commentary from HTP that claim that @Le_Researcher ratted on them when the attack was going on and the admin attempted to stop this but failed to do so.
Recently, one specific brownhat (see Pwned Lineup/LeReS) alerted Jack, so of
course Jack opened up his logs, and reimaged his boxes, and saved the fucking
Unfortunately, our zines have a strict no-bullshit policy. Thanks for keeping
UDP open for us, Jack.
OH SHIT, HE SET UP A HACK DETECTOR. GAME OVER MAN. GAME OVER.
# cat /home/image/svn/setup/misc/detect.php
As stated above antivirus giant Symantec was also breached and as a result it has had its complete database dumped as well as 4000+ user accounts many of which appear to be Symantec employees or related companies.
paypal ZPanel part of the attack is a 0 day exploit.
We have a Zero Bug attacking all the login and overlay files.
Run anti-virus. Give me a systems display!
* The systems display comes up. Red flashes everywhere, signifying new attacks.
* PLAGUE presses a key.
The rabbit is in the administration system.
The zine also contains a heap of personal information that is claimed to belong to some people that are close to the infosec and anonymous scene.
Possibly more information to come on this once i get a chance to properly go over all the details line by line.