Following the hacking of MedElaouni's account on Facebook, we advise all Moroccan users, especially those of the #Feb20 movement, to change their passwords on social networks using a secure connection.
All major sites support encryption of data transfer (GMail, Twitter, Facebook...), but unfortunately not automatically. Therefore, force the secure connection by typing the following addresses:
httpS://www.facebook.com/ instead of http://facebook.com
httpS://gmail.com instead of http://gmail.com
httpS://twitter.com instead of http://twitter.com
If you use Mozilla Firefox, there is a plugin, ForceTLS, that you can install that does this job automatically. We recommend against using a public unsecured connection, in a cafe for example, without using httpS. If you get errors and cannot use this connection method, please let us know and we will try to give you alternatives.
One of the most famous and widely used source code editors for Windows, Notepad++, now has version 6.
The tool is written in C++ and supports plugins, macros, and text
highlighting for many programming languages including C, C++, C#, Visual
Basic, Java, Lua, Python, Perl, SQL, HTML and XML.
PCRE (Perl Compatible Regular Expressions) is supported.
Add Document Map feature (via Menu View->Document Map)
Enhance the loading performance for the large file
Included plugins (Unicode):
Spell Checker v1.3.3
Plugin Manager 1.0.8
that Notepad++ Document Map is only available in Unicode release. The
source code for ANSI release is not maintained anymore, therefore ANSI
binary will be removed in the future releases. As usual, if you find any
critical problem, post a commentary under this article.
========================================================
Type : Tutorial
Level : Easy
Purpose : As a website owner, you can also be aware of this kind of attack on your web server
========================================================
I wrote this tutorial about Google Hacking because some people keep messaging me about how to perform it. A lot of people who learn about hacking think that it just means breaking into a web server or computer to deface it, steal data, or erase the victim's disk drive by running rm -rf, etc. But I tell you that this isn't the purpose, because this method can also be used to secure your website from bad hackers (see the countermeasure part below).
If you think it's really cool to deface some website, put your name on it such as "Hacked by v4L", and then use the screenshot as your Facebook profile picture for pride (I've seen this kind of guy… ROFL), I suggest you forget about doing this kind of stupid thing before Interpol catches you. Google hacking doesn't mean that you can hack into another system instantly (even if sometimes you can get through instantly), because Google Hacking is a trick to gain and reveal some sensitive information.
While you're in Google, it's impossible to find specifications of the programs running on someone's computer (unless he/she wrote it in a Facebook status or somewhere on the net), because Google is a web search engine (Wikipedia), so Google will only list a computer/server that acts as a web server. Do not think too much about complex hacking steps, because before you move to a higher level you need to know the basic things.
In this tutorial I will cover the simple basics of performing Google hacking, and also a very basic SQL injection like ' OR 1=1;-- . I believe that some of you reading this tutorial have great skill in SQL scripting, so you can adapt it to your needs.
Okay let's start….
intitle : The intitle operator is used to search only within the <title> tags of websites, that is, the actual page title as defined by the website's author.
inurl : The inurl operator is used to search within a site's URL itself. This is very useful if you are familiar with a URL string or with the standard URL strings used by different content management systems.
We will try to find the administrator login page address by using some of the Google parameters above. Usually the programmer will use words such as "Administrator Login", "Admin Login", "Super User", "Owner Login", etc. as the title of the administrator authentication page.
As you can see from the picture above, there are about 4,310 search results for that query, but you can narrow your search results by changing some parameters, such as changing .com into .nz, .com.au, .co.id, .com.my, .sg, and many more. While I was searching for Google Hacking material on the internet, I actually found more than 10 websites that were vulnerable to the basic SQL injection above… see example below
Countermeasure :
1. For webmasters, put this script in your web page between to prevent the search engine crawler from indexing your private page
2. Still for webmasters, you can also create or modify a robots.txt file to disallow a user agent from crawling some of your web server folders. example:
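An added example (not part of the original tutorial) that audits both countermeasures together for one private page: the noindex directive and the robots.txt rule. The function name, finding codes, path, page markup and robots.txt content are all constructed for illustration.

```python
# Added example: check how the two countermeasures above interact for one page.
# All inputs are constructed samples, not taken from any real site.
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in attr.get("content", "").split(",")}


def audit_private_page(path, html, headers, robots_txt, agent="*"):
    """Return (code, message) findings for a page that should stay out of search results."""
    meta = RobotsMeta()
    meta.feed(html)
    # The X-Robots-Tag response header carries the same directives as the meta tag.
    header = {d.strip().lower() for d in headers.get("X-Robots-Tag", "").split(",")}
    noindex = bool({"noindex", "none"} & (meta.directives | header))

    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    crawl_blocked = not robots.can_fetch(agent, path)

    findings = []
    if not noindex:
        findings.append(("NO_NOINDEX", "no noindex directive: the page title can be "
                         "indexed and found with an intitle: query"))
    elif crawl_blocked:
        findings.append(("NOINDEX_UNREACHABLE", "robots.txt stops the crawler from fetching "
                         "the page, so it never reads the noindex directive"))
    if crawl_blocked:
        findings.append(("PATH_DISCLOSED", "robots.txt is world-readable and its Disallow "
                         "line publishes this path"))
    return findings


# Constructed sample inputs
ROBOTS_BLOCKING = "User-agent: *\nDisallow: /admin/\n"
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"
LOGIN_PLAIN = "<html><head><title>Admin Login</title></head><body></body></html>"
LOGIN_NOINDEX = ('<html><head><meta name="robots" content="noindex, nofollow">'
                 "<title>Admin Login</title></head><body></body></html>")

if __name__ == "__main__":
    for label, html, robots in [("plain + Disallow", LOGIN_PLAIN, ROBOTS_BLOCKING),
                                ("noindex + Disallow", LOGIN_NOINDEX, ROBOTS_BLOCKING),
                                ("noindex only", LOGIN_NOINDEX, ROBOTS_OPEN)]:
        print(label, audit_private_page("/admin/login.php", html, {}, robots))
```

Neither setting is an access control: both only ask well-behaved crawlers to stay away, so the login page still depends on its own authentication and input handling.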
Nowadays maybe a lot of people know about cracking (network cracking): the modification or disabling of features which are considered undesirable by the person cracking the network. Maybe for some people, cracking a network sounds very hard to do because it involves high-level skill in a programming language or an understanding of networking.
What is Session Hijacking
Every time you connect to a web application (usually a dynamic web application) you will have a unique ID called a "session". This session identifies you as a valid user and stays valid until you kill the session (the log out process) or the session expires. Some bad people try to identify or guess the session ID value to gain privileges as a valid user in a web application.
Firesheep HTTP Session Hijacking
Firesheep is a Firefox extension for session hijacking. I was very surprised that this tool can hijack Facebook, Twitter, WordPress, Amazon, etc. sessions from valid users. Most importantly, this tool is very easy to configure and to launch an attack with. Just a few steps:
1. Download Firesheep
2. Sit on an unencrypted wireless network
3. Turn on your wireless card (one that supports promiscuous mode, such as Atheros, Orinoco, etc.) and join the network
4. Start capturing with Firesheep
5. Just wait until some user authenticates at Facebook, Twitter, etc.
Step by Step Firesheep Configuration
1. The picture below is the interface of Firesheep (click View –> Sidebar –> Firesheep) and you can click the red circle for
2. In this picture you should choose which interface you want to capture the data on. For example, when you're on a wireless network, you should activate the wireless adapter.
3. The picture below tells you which websites' sessions can be hijacked by this add-on.
4. Usually when capturing data, it will use TCP port 80, because if it's 443 I think it will be encrypted, but I still haven't tried another port :-) .
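A defender-side check for the condition described above, where a session ID travels over unencrypted port 80, as an added example that is not part of the original post. It audits a site's response headers for session cookies that a browser would send over plain HTTP and for a missing HSTS header; the function names, finding codes and sample responses are constructed for illustration.

```python
# Added example: flag session cookies that can leak on an open wireless network.
# The three HTTP responses below are constructed samples.
from http.cookies import SimpleCookie


def parse_headers(raw):
    """Split a raw HTTP response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(scheme, raw):
    """Return (cookie_name, code) findings for one response fetched over `scheme`."""
    headers = parse_headers(raw)
    findings = []
    # Without HSTS the browser may still make its first request over http://,
    # which is why users are told to type https:// by hand.
    if scheme == "https" and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(("-", "NO_HSTS"))
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if scheme == "http":
                findings.append((cookie_name, "SET_OVER_HTTP"))   # already visible on the wire
            if not morsel["secure"]:
                findings.append((cookie_name, "NO_SECURE"))       # will be sent over port 80 too
            if not morsel["httponly"]:
                findings.append((cookie_name, "NO_HTTPONLY"))     # readable by page scripts
    return findings


WEAK = """
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=8f3a1c; Path=/
"""

# Login handled over HTTPS, but the cookie lacks Secure and the site redirects to HTTP.
MIXED = """
HTTP/1.1 302 Found
Location: http://www.example.test/home
Set-Cookie: sid=8f3a1c; Path=/; HttpOnly
"""

HARDENED = """
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=8f3a1c; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, scheme, raw in [("weak", "http", WEAK), ("mixed", "https", MIXED),
                               ("hardened", "https", HARDENED)]:
        print(label, audit_response(scheme, raw))
```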
GRIM WEPA was written in Java and is intended for use with the Linux Operating System (specifically the Backtrack 4,5 distribution).
GrimWepa 1.1 has been translated for Português-Brasil users. It is available in the downloads section.
GRIM WEPA is no longer being supported
GRIM WEPA is on an indefinite hiatus while I work on other projects.
use Wifite instead of GRIM WEPA. Wifite is a newer wifi cracker with
more functionality and stability than GRIM WEPA. Wifite is available
Please update your bookmarks and links accordingly.
This project will remain open so that I may eventually update GrimWepa.
GRIM WEPA is a password cracker for both WEP and WPA-encrypted access points
(routers). This program uses the following applications and suites:
aircrack-ng, to crack WPA and WEP;
airodump-ng, to capture packets and find access points;
airmon-ng, to enumerate devices in monitor mode;
aireplay-ng, to forge and replay packets;
and packetforge-ng, to create replay packets.
iwconfig, to see if devices are in monitor mode;
xterm, to show output to user;
ifconfig, to get the MAC address of devices;
macchanger, to change MAC address of wifi cards.
These applications are required for GRIM WEPA to run properly. All of these applications come standard with Backtrack4.
note: the settings & configuration file for Grim Wepa is saved to /etc/grimwepa.conf
GRIM WEPA's cracking methods are archaic and have been around for years. It
simply uses the existing cracking methods in aireplay-ng (for WEP) and
aircrack-ng (for WPA). Grim Wepa is similar in style and functionality
to shamanvirtuel's Spoon series (SpoonWEP, SpoonWPA, and SpoonDRV). The
Spoon suite is still available, though it is not kept updated.
Backtrack 4 Linux distribution has a default WEP/WPA cracker, but it
does not work properly for me; also, the Spoon series does not run
properly for me on BT4, so I created GRIM WEPA for myself and as an
homage to shamanvirtuel.
GRIM WEPA has only two options: crack WEP-encrypted access points (routers)
and crack WPA-encrypted access points. The program can search for new
targets, and auto-selects your cracking method. The options for each
method are as follows:
Attacks for WEP-encrypted Access Points
is able to crack just about any WEP password after about 20,000 IV
(Initialization Vector) data packets have been captured. The capture
usually takes about 2 minutes, and the crack another 2-3 minutes.
Attacks for WPA-encrypted Access Points
Basic deauthorization attack to get handshake.
GRIM WEPA includes a 2MB default password list containing approximately 250,000 commonly-used passwords.
/ Dictionary / Brute-force attack: Currently, there is only one
consistent method of cracking WPA, and that is by brute force.
aircrack-ng can crack hundreds of passwords per second, so this method
is not nearly as arbitrary as has been proposed.
To run GRIM WEPA, navigate to the file's location in Terminal and type:
java -jar grimwepa_X.X.jar
at the command line prompt, where X.X is your version of grimwepa.
Installation is not required for GRIM WEPA to run properly, but it is recommended if you are going to use GRIM WEPA frequently.
GrimWepa can be downloaded and installed by running the "grimstall.sh" script.
For Backtrack Users:
To download the install script via wget, change permissions on it, and
run the install script (which will download the latest version of
grimwepa and install it), copy-and-paste the below code into console (as
Change the directory from /pentest/wireless/grimwepa/ to whichever
directory you want to install to ; /pentest/wireless is commonly found
in Backtrack distributions ; all files in the selected directory will be
deleted (a prompt will confirm this); don't forget the / at the end!
In early March, we received a report from an independent researcher
on mass infections of computers on a corporate network after users had
visited a number of well-known Russian online information resources. The
symptoms were the same in each case: the computer sent several network
requests to third-party resources, after which, in some cases, several
encrypted files appeared on the hard drive.
The infection mechanism used by this malware proved to be very
difficult to identify. The websites used to spread the infection are
hosted on different platforms and have different architectures. None of
our attempts to reproduce the infections were successful. A quick
analysis of KSN statistics that might help to identify the connection
between compromised resources and the malicious code being distributed
did not yield any results, either. However, we did manage to find
something that the news sites had in common.
For purposes of analysis, we selected two information resources which
we knew had been used to distribute the malware— http://www.ria.ru/ (a
major Russian news agency) and http://www.gazeta.ru/ (a popular online
newspaper). Regularly saving the contents of these resources did not
identify any third-party JS scripts occasionally showing up, iframe
tags, 302 errors or any other formal attributes indicating that the
resources have been compromised. The only thing they had in common was
that they both used AdFox advertisement management system codes, through
which teaser exchange was arranged.
The code on the main page of RIA.ru that is used to download additional content from AdFox.ru
We discovered that the malware is loaded via the teasers on AdFox.ru.
Here is how the infection was carried out. A JS script for one of the
teasers loaded on the site included an iframe that redirected the user
to a malicious site in the .EU domain containing a Java exploit.
The contents of an infected and a clean JS script
Analysis of the exploit’s JAR file demonstrated that it exploits a
Java vulnerability (CVE-2011-3544). Cybercriminals have been exploiting
this vulnerability since November in attacks targeting both MacOS and
Windows users. Exploits for this vulnerability are currently among the
most effective and are included in popular exploit packs.
However, the exploit used in this case was unique and had not been
included in any exploit packs: the cybercriminals used their own payload
in the attack.
Part of the JAR file’s payload
As a rule, the operation of such an exploit involves saving a
malicious file, usually a dropper or downloader, on the hard drive.
However, in this case we were in for a surprise: no new files appeared
on the hard drive.
After seizing all necessary privileges on the victim computer, the
exploit does not install malware on the hard drive using Java. Instead,
it uses its payload to inject an encrypted dll from the web directly
into the memory of the javaw.exe process. The address from which the
library is to be downloaded is encrypted in the iframe that was included
in the JS script downloaded from AdFox.ru:
A new malicious RWE section in the JAVAW.exe process
After successfully injecting and launching the malicious code (dll),
Java begins to send requests to third-party resources, which look like
Google search requests:
These requests include data on the browsing history taken from the
user’s browser, as well as a range of additional technical information
about the infected system.
In other words, what we are dealing with here is a very rare kind of
malware – the so-called ‘fileless’ malicious programs that do not exist
as files on the hard drive but operate only in the infected computer’s
RAM. The best known examples of such threats are the CodeRed and Slammer
worms, which caused mass outbreaks at the beginning of the last decade.
This kind of malware only remains operational until the operating
system is restarted, but in this case this is not a critical issue for
the Trojan’s authors.
One reason for this is that the ‘fileless’ malware operates as a bot:
after sending a series of requests to the command server and receiving
replies, the exploit uses several different methods to disable UAC (User
Account Control). After this the bot can install the Lurk Trojan on the
infected machine. It is worth noting that the decision as to whether to
install Lurk on the system is made on the cybercriminals’ server.
The second reason is that the chances of the user returning to the
infected website after rebooting the system are high. This would result
in re-infection, with the bot returning to the victim computer’s RAM.
Because no file is written to the hard drive, it becomes much harder
to detect the problem using antivirus software. If the exploit is not
detected, the bot can be successfully loaded into RAM, becoming
The Trojan-Spy.Win32.Lurk malware can be installed either using the
commands "regsvr32" and "netsh add helper dll" or via the
ShellIconOverlayIdentifiers branch of the system registry. Lurk installs
its additional modules as encrypted dll files.
Part of the Lurk code responsible for downloading additional modules
The analysis of the additional modules used by Lurk has provided an
insight into the malicious program’s functionality: it steals users’
sensitive data to gain access to online banking services at several
large Russian banks. Kaspersky Lab first detected this malware in July
2011. Based on our analysis of the protocol used by Lurk to communicate
to the command servers, we determined that over a period of several
months, these servers processed requests from up to 300,000 infected
Reasons behind the incident
After sorting out the technical side of the problem, we notified the
Adfox administration of the incident. They promptly took action,
resulting in the detection and removal of the malware from the infected
In the course of the investigation it was determined that the
cybercriminals had used the account of an Adfox customer to change the
code of news headline banners by adding an iframe redirecting users to
the malicious site.
After modifying code in one of the banners, they were able to attack
not only users on one news site, but also visitors to other resources
carrying this banner. As a result, there could be tens of thousands of
users who were attacked. At the same time, banners of other AdFox
clients did not contain the malicious code.
This is a unique attack, because the cybercriminals used their own PE
file downloader (payload) that can work without creating malicious
files in the infected system, operating entirely inside a trusted Java
Using a teaser network is one of the most effective methods that
attackers can use to install malicious code, since it results in a
large number of popular resources linking to the code.
This attack targeted Russian users. However, we cannot rule out that
the same exploit and the same fileless bot will be used against people
in other parts of the world: they can be distributed via similar banner
or teaser networks in other countries. It is likely that other malware,
not just Trojan-Spy.Win32.Lurk will be used in the process.
As regards protection against this threat, we strongly suggest that all users install a patch that closes the CVE-2011-3544 vulnerability in Java.
This is currently the only reliable way to prevent an infection. As we
mentioned above, exploits for CVE-2011-3544 are the most effective there
are and can be used to install a variety of malicious programs.
In addition, a security solution that includes web antivirus features
should be used at all times. We also recommend that Kaspersky Lab users
enable the Geo Filter feature, which provides manual control of the
browser’s access to resources in different geographical domains, and
block connections to sites in the .eu zone unless accessing them is
essential. We have been detecting numerous malicious resources in this
domain, including those described above, as well as servers used to
distribute the Hlux Trojan, which we discussed in a recent post.
PS. Our heartfelt thanks go to the independent researcher, who wishes
to remain anonymous, for invaluable help in preparing this publication.
A terrible rumor has spread recently in technical circles about an Anonymous operating system based on the Linux kernel, but a note sent out through the group's account on Twitter denies this and asserts that it is fake and full of security holes and that Anonymous has no intention of releasing anything such as this.
On the other hand, those responsible for the operating system added a post to their official blog stating that the comments of Anonymous on the operating system are misleading and incorrect, and that in the world of open source and Linux there are no such holes; long-time Linux users will know this, but it is difficult to convince naive users!
At the time of writing this post, work on the Anonymous operating system had stopped.
" First, we want to say thanks to all users who downloaded and tested Anonymous-OS, and to all of you for your thousands of positive feedback messages. We tried to answer all your questions and we hope we did. For your protection, we deleted all emails and they are not available anywhere. Also, we apologize to the creators of the themes and wallpapers that were included in Anonymous-OS, because we didn't thank them earlier and, of course, they did not know that we chose their creations. So, we thank them.
We are disappointed by everything we continue to read on various websites saying that Anonymous-OS is fake and full of viruses, trojans, etc.
Until now, we think that nothing has been reported yet. That says something. All these sites misinform the world, and continue to do this without having checked Anonymous-OS. Anyway, from the time of publication, this project was attacked by several well-known sites in the technology field, and we believe the reason is to fight Linux and open-source software one more time. Before we started Anonymous-OS, we said that if we felt that our efforts caused a bad thing for Linux and open-source software, then we would stop this effort. For now, no link to download Anonymous-OS is available. Please don't try to download it from any host site or torrent without trusting the user who uploaded Anonymous-OS. If you are not sure, it is better to use another Linux distro. There are many distros where you can use all of these tools including Anonymous-OS.
Maybe we will come back in the future and continue Anonymous-OS or something like that.
P.S. Sorry, we forgot to say one more time that of course there are no trojans, malware, etc. in Anonymous-OS.
We are Anonymous. We are Legion. We do not Forgive. We do not Forget.
Anonymous Deface page - "POPE is not welcome, out out !!!”
Anonymous blocked access
to two websites linked to the upcoming visit to Mexico by Pope Benedict
XVI. Anonymous Hispano, the hackers succeeded in temporarily knocking
the websites offline and defacing them with their own message: "Hacked system. The POPE is not welcome, out out!!!!!”
In its profile on the social network Facebook, Anonymous Hispano said the Comfil site was "hacked for supporting Benedict XVI." Benedict is scheduled to visit Mexico Friday through Monday, prior to a three-day trip to Cuba.
In a video that was posted on
YouTube, the hackers said that the pope's visit comes at the start of
the campaign ahead of Mexico's July 1 presidential election, and that it
seeks to benefit the ruling-party candidate. The Roman Catholic church,
the video said, seeks "to keep the population shrouded in lies." According to Anonymous, the pope will not see either the poverty or the violence that are ravaging Mexico. He will instead encounter "a country of lies and facades where everything will apparently be wonderful," the cyberactivists said.
Anonymous has conducted
operations in Mexico before, targeting the notorious drug cartels in the
past when members of the hacktivist collective were held captive by the