Robert Lemos

                                           |
                                       \       /            _\/_
    Robert Lemos - Again                 .-'-.              //o\  _\/_
                                    --  /     \  --           |   /o\\
  ^^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~`
     I'm homeless, jobless, times is hard                           |
       I'm not hopeless, but I gotta eat regardless
         No family to run to I'm 22
           Now tell me what the fuck am I supposed to do

Hack to the future!

Remember the intro where we talked about notable whitehats we owned? Lemos
isn't one of them. He's just a whitehat that we like to mess with who writes
for securityfocus.

We dropped Lemos in our last issue, but his typical lame whitehat retorts were
so funny we thought we'd try to squeeze another out of him. He also called us
hacker rats, which is totally NOT cool.

Here's his list of potential ways we got in last time.

    * An unpublished or unpatched flaw in Wordpress that they exploited.
        # no comment
    * An unpublished or unpatched flaw in PHP.
        # no comment
    * The site was compromised by a known flaw before I had installed the
      latest patch.
        # no comment
    * The attackers were able to brute force the password for the administrator
      account using a hash for my particular password culled from a previous
      compromise at a different site where I owned an account.
        # why bother brute forcing? and doesn't that mean you reuse passwords?
        # sucker.
    * A misconfiguration in the site allowed the attackers to escalate
      privileges.
        # no comment.

Bob will be helping us out by spreading the zine around to a few publicists; we
really are after a movie/book deal eventually and figure he's the right guy for
the job.

$ id; uname -a
uid=80(apache) gid=80(apache) groups=80(apache)
Linux rs2cruz.nexcess.net 2.6.9-78.0.22.ELsmp #1 SMP Thu Apr 30 19:14:39 EDT 2009 i686 i686 i386 GNU/Linux
$ cd /home/robertle/public_html/; ls -la
total 308
drwxr-sr-x  5 robertle robertle  4096 Mar 24 17:31 .
drwx--s--x  4 robertle robertle  4096 May 13  2008 ..
-r--r--r--  1 robertle robertle   169 May 12  2008 .htaccess
-rw-r--r--  1 robertle robertle   397 Jul 10 10:09 index.php
-rw-r--r--  1 robertle robertle 15410 Jul 10 10:09 license.txt
-rw-r--r--  1 robertle robertle  7642 Jul 10 10:09 readme.html
drwxr-sr-x  7 robertle robertle  4096 Jul  6 09:40 wp-admin
-rw-r--r--  1 robertle robertle 40543 Jul 10 10:10 wp-app.php
-rw-r--r--  1 robertle robertle   220 Jul 10 10:10 wp-atom.php
-rw-r--r--  1 robertle robertle   274 Jul 10 10:10 wp-blog-header.php
-rw-r--r--  1 robertle robertle  3649 Jul 10 10:10 wp-comments-post.php
-rw-r--r--  1 robertle robertle   238 Jul 10 10:10 wp-commentsrss2.php
-rw-r--r--  1 robertle robertle  2601 Jan  7  2009 wp-config.php
-rw-r--r--  1 robertle robertle  2626 Jul 10 10:10 wp-config-sample.php
drwxr-sr-x  5 robertle robertle  4096 Mar 24 17:30 wp-content
-rw-r--r--  1 robertle robertle  1254 Jul 10 10:10 wp-cron.php
-rw-r--r--  1 robertle robertle   220 Jul 10 10:10 wp-feed.php
drwxr-sr-x  6 robertle robertle  4096 Jul  6 09:41 wp-includes
-rw-r--r--  1 robertle robertle  1946 Jul 10 10:11 wp-links-opml.php
-rw-r--r--  1 robertle robertle  2341 Jul 10 10:11 wp-load.php
-rw-r--r--  1 robertle robertle 21019 Jul 10 10:11 wp-login.php
-rw-r--r--  1 robertle robertle  7113 Jul 10 10:11 wp-mail.php
-rw-r--r--  1 robertle robertle   487 Jul 10 10:11 wp-pass.php
-rw-r--r--  1 robertle robertle   218 Jul 10 10:11 wp-rdf.php
-rw-r--r--  1 robertle robertle   316 Jul 10 10:11 wp-register.php
-rw-r--r--  1 robertle robertle   220 Jul 10 10:11 wp-rss2.php
-rw-r--r--  1 robertle robertle   218 Jul 10 10:11 wp-rss.php
-rw-r--r--  1 robertle robertle 21520 Jul 10 10:11 wp-settings.php
-rw-r--r--  1 robertle robertle  3434 Jul 10 10:11 wp-trackback.php
-rw-r--r--  1 robertle robertle 92522 Jul 10 10:11 xmlrpc.php
$ cat /home/robertle/public_html/wp-config.php
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information by
 * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'robertle_wordpress');

/** MySQL database username */
define('DB_USER', 'robertle_wp2008');

/** MySQL database password */
define('DB_PASSWORD', 's9e#hy%isjUI7@4kdfh+_dijfb');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link http://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 *
 * @since 2.6.0
 */
define('AUTH_KEY', '~JX*S.)[@UJ8pTg,Qb\"_M7$0#-zd0-sux-A8$MEJ0;e)@Zr|1t{k@N@tA>:acZ2r@*(is<aRg');
define('SECURE_AUTH_KEY', 'i1D2k++|pZM;HsQ\'JUaHo3RyT7R-zd0-sux-D&D7uGV[s[ Sa1NI/4zeM92?C%W.#r/gb:vZ');
define('LOGGED_IN_KEY', ':d(e%LYH.>=lzuhz1<v67^-zd0-sux-T{RNWv:Wtf>Mfz8R4[\'G>W/%y%v_5l4Sh``9m7 &RJ');
define('NONCE_KEY', 'fhsdf87f9sFD&*(W#HV*(&F(D98f7f32hif98dsh2ncdsuiufoiseh');
/**#@-*/


// You guys see that? zd0-sux...who is this zd0 and what have they done to
// bother you, little Bobby?


/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * WordPress Localized Language, defaults to English.
 *
 * Change this to localize WordPress.  A corresponding MO file for the chosen
 * language must be installed to wp-content/languages. For example, install
 * de.mo to wp-content/languages and set WPLANG to 'de' to enable German
 * language support.
 */
define ('WPLANG', '');

/* That's all, stop editing! Happy blogging. */

/** WordPress absolute path to the Wordpress directory. */
if ( !defined('ABSPATH') )
 define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
?>
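An added defender-side check, not part of the zine and not Lemos's own code. The listing above shows wp-config.php at mode 644, owned by one customer account but readable by the web server's uid 80 and by every other local user on the shared host, and secret keys that are supposed to be unique per install. This script walks a WordPress docroot and flags a config file readable by group/other, secret keys that are empty, still the sample placeholder, or short, and a short DB_PASSWORD. The file layout and all sample values are constructed for the demo; the thresholds (32 chars for keys, 12 for the database password) are assumptions, not WordPress rules.

```python
"""Audit a WordPress wp-config.php for weak file permissions and weak secrets.

Constructed example for illustration; not code from the zine or from WordPress.
"""
import os
import re
import stat
import tempfile

SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
# Default value shipped in wp-config-sample.php; it must be replaced on install.
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LEN = 32      # assumed threshold for this demo
MIN_DB_PW_LEN = 12    # assumed threshold for this demo

# Matches define('NAME', 'value'); across line breaks; tolerates \' inside values.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""", re.S)


def audit_config(path):
    """Return a list of human-readable findings for one wp-config.php."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"wp-config.php mode {oct(mode)} is readable by other local accounts; "
            "chmod 600 unless the PHP process runs as the file owner")
    with open(path, encoding="utf-8", errors="replace") as fh:
        defines = dict(DEFINE_RE.findall(fh.read()))
    for key in SECRET_KEYS:
        value = defines.get(key)
        if value is None or value == "" or PLACEHOLDER in value.lower():
            findings.append(f"{key} is unset or still the sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(
                f"{key} is only {len(value)} chars; regenerate from the secret-key service")
    if "DB_PASSWORD" in defines and len(defines["DB_PASSWORD"]) < MIN_DB_PW_LEN:
        findings.append("DB_PASSWORD is short")
    return findings


def write_sample_config(directory, weak):
    """Write a constructed wp-config.php (weak or hardened) and return its path."""
    os.makedirs(directory, exist_ok=True)
    strong = "x" * 64  # stands in for a 64-char random key from the generator
    keys = {
        "AUTH_KEY": PLACEHOLDER if weak else strong,
        "SECURE_AUTH_KEY": "" if weak else strong,
        "LOGGED_IN_KEY": "short-key" if weak else strong,
        "NONCE_KEY": strong,
    }
    db_pw = "hunter2" if weak else "L0ng-constructed-db-passw0rd"
    body = "<?php\n"
    body += "define('DB_NAME', 'demo_wordpress');\n"
    body += f"define('DB_PASSWORD', '{db_pw}');\n"
    body += "".join(f"define('{k}', '{v}');\n" for k, v in keys.items())
    body += "$table_prefix = 'wp_';\n?>\n"
    path = os.path.join(directory, "wp-config.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    os.chmod(path, 0o644 if weak else 0o600)  # 644 mirrors the listing above
    return path


def run_demo():
    """Audit one weak and one hardened constructed config; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_config(write_sample_config(os.path.join(tmp, "weak"), weak=True))
        strong = audit_config(write_sample_config(os.path.join(tmp, "strong"), weak=False))
    return weak, strong


if __name__ == "__main__":
    weak_findings, strong_findings = run_demo()
    print("weak config:")
    for f in weak_findings:
        print("  -", f)
    print("hardened config findings:", strong_findings)
```

The weak sample produces five findings (permissions, three key problems, short DB password) and the hardened one none. On a shared host where PHP runs as the web-server user rather than the account owner, the file has to stay readable by that user, so the permission finding is a prompt to check how PHP is executed, not an unconditional chmod.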

Little Bobby rm'd all the users from his blog :( including n3td3v :(

(1,'admin','$P$BEXt/0MTFOcYugwh/IaZ.V2f5ntHe/.','administrator','feedback@robertlemos.com','http://www.robertlemos.com','2005-03-30 00:17:34','',0,'Rob');

No point dragging this out. Lemos knows nothing about security, not a single
jot. Real whitehat hackers laugh at this guy, much in the same way they laugh
at what ends up in these zines. Mock us at your peril, Bob. One other thing:
get the name right.
