Wednesday, 27 January 2010

Stories about Defacers

First of all: I have never defaced a site, and I never will. So how do I know how defacing is done? I have only watched how other people deface, and I am not an expert in this; if I make a mistake, I apologize. This is the simple picture: when you think about it, defacers just replace files on someone else's computer. These days the hunt for exploits comes first, and the exploits themselves are the real fruit of the skill and knowledge of true hackers. I do not recommend that you deface any website, least of all to get credit cards, passwords, source code, billing information, email databases and so on (if you do, then you really do not know what a destroyer you are).

This tutorial consists of 3 main parts, namely:
1. Host Security Gaps
2. Infiltration
3. Deleting Tracks

It is very easy, and I will show you.

1. Host Security Gaps
There are two categories of script kiddie. The first scans the internet for any host that has a security hole matching one particular exploit; the second picks a specific website and tries a variety of exploits against it. The first group scans thousands of sites with a single exploit. They do not care whom they hack, or why. They set no target and have no definite purpose. In my opinion these people have contrived reasons, such as:

- "I just make sure that they update their web security"
- "I only have a political message!"
- "I deface to get media attention"

The people who deface in order to become famous, or to show that they are very skilled and powerful, need some maturity: there are better ways than defacing on such illusory grounds.


The scanning script kiddie: you need to know where the security holes are, whether in a running service, in the operating system or in its CGI files. How do you find out about a security hole? What version is running? You need to know how to find a web exploit on the internet (with google.com). Use a script to scan an IP range for one particular port whose service has a known hole. Or use http://www.netcraft.com/ to learn what kind of server, operating system and applications run there (FrontPage, PHP, ASP, etc.). nmap and other port scanners can quickly scan thousands of IPs for a single open port. This is the favorite technique of those who want to do mass hacking.


The targeted-website script kiddie: this kind of script kiddie hacks old, neglected websites. The main step is to gather as much information about the site as possible. Find the operating system through netcraft.com, or telnet to www.site.com on port 80 and type GET / HTTP/1.1 (note that HTTP/1.1 also requires a Host: header, and the request is only complete after an empty line; HEAD / HTTP/1.0 followed by an empty line also works). Find which services are running with a port scan, and get their versions by telnetting to each service and reading its banner. Look for CGI scripts or other files under /cgi/ and /cgi-bin/ that could let an exploit reach the server, and browse the website itself.
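As an added example (not code from the original post), here is how the "telnet to port 80" step above looks when done programmatically: build_request() produces the complete request the post only hints at (with the Host: header and the terminating empty line), and fingerprint() pulls the server-identifying headers out of the reply. The sample response and the host name www.site.com are constructed for the example; grab_banner() is the live version and is not exercised offline.

```python
"""
Added example, not from the original post: build the raw HTTP request the
post describes and fingerprint a server from its response headers.
The response bytes below are constructed for the example, not captured
from any real host.
"""
import socket
from typing import Dict, Optional


def build_request(host: str, path: str = "/", method: str = "HEAD") -> bytes:
    """Return a complete HTTP/1.1 request.

    A bare 'GET / HTTP/1.1' line is not a valid request: HTTP/1.1 requires a
    Host: header, and the request is only finished by an empty line (CRLF CRLF).
    """
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: banner-check\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_headers(response: bytes) -> Dict[str, str]:
    """Parse the status line and headers of an HTTP response into a dict.

    Header names are lower-cased; the status line is stored under 'status'.
    Anything after the first blank line (the body) is ignored.
    """
    head, _, _body = response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(response: bytes) -> Dict[str, Optional[str]]:
    """Pull out the headers that reveal the server software and add-ons."""
    h = parse_headers(response)
    return {
        "status": h.get("status"),
        "server": h.get("server"),
        "powered_by": h.get("x-powered-by"),
        "aspnet": h.get("x-aspnet-version"),
    }


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Live version: connect, send the request, fingerprint the reply.

    Not exercised offline; only run it against hosts you are authorized to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break
    return fingerprint(b"".join(chunks))


# Constructed sample response: the kind of thing telnet to port 80 shows.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 27 Jan 2010 10:00:00 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix) PHP/4.3.1\r\n"
    b"X-Powered-By: PHP/4.3.1\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    print(build_request("www.site.com").decode())
    print(fingerprint(SAMPLE_RESPONSE))
```

The Server and X-Powered-By values are exactly what the post means by "finding specifications": they tell you which version to look up on the exploit sites, which is also why a careful admin strips or minimizes them.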

After gathering all this information, you can move on to:


2. Infiltration
To do this, find the exploits that can give you access to the website. If you have done the scanning, you will know which exploit is the right one. The two main places to find exploits are http://www.securityfocus.com/ and http://www.packetstormsecurity.org/. If an exploit fails, check that it really matches the service version, the operating system, the scripts in use, and so on. Exploits are generally written in two languages, C and Perl. Perl scripts have the extension .pl or .cgi, while C has the extension .c. To compile a C file (on *nix systems) use gcc -o exploit12 file.c and then run it with ./exploit12. For Perl, run chmod 700 file.pl (not strictly needed) and then perl file.pl. This is only the simplest compiling technique; exploits vary, so do a little research on how each one is used. Another thing you need to check is whether the exploit is remote or local. A local exploit requires an account on, or physical access to, the target computer; a remote one can be run over the network (the internet).

Compiling the exploit is not the only thing; there is one more important thing you need to know:

3. Deleting Tracks
Once you have the information about the host and have found a suitable exploit that lets you in, why not do it right away? The problem is that removing the traces of your hack is hard, and hard to predict. Just because you "kill" syslog does not mean you are not being tracked by another logger, or by an IDS (Intrusion Detection System) that is running. Many script kiddies underestimate the admin of the host they target. The script kiddie who instead starts the hack from a second ISP account can be tracked, but will not get caught. If you do not have that, you MUST have plenty of Wingates, shell accounts or trojaned hosts to bounce through. Chaining the connections makes it hard to track you. Wingate and shell logs are often deleted after 2 to 7 days, and even where the logs are kept in full, it is still hard for an admin to trace the script kiddie back through Wingate after Wingate, or shell after shell, before the logs are deleted. Rarely does an admin watch an attack carefully as it happens, and even more rarely does one want to chase the attacker; what matters to them is securing their box and forgetting what happened.

For safety, if you use Wingates and shells, do not do anything that gets their admin too "pissed off" (which is what makes them authorize, or attempt, tracking you down), and delete your logs to be safe. How do you do that?

In short, we need some Wingates. Wingates by nature change IP or shut down all the time, so get the latest list, or a program that scans the internet for them. You can get an up-to-date list of Wingates at

http://www.cyberarmy.com/lists/wingate/ or you can use a program called winscan. Now suppose you have 3 Wingates:

212.96.195.33 port 23
202.134.244.215 port 1080
203.87.131.9 port 23

To use them, telnet to the first one on port 23; the response will look like this:

CSM Proxy Server>

To connect to the next Wingate, type ip:port like this:

CSM Proxy Server> 202.134.244.215:1080

If you get an error, the proxy you tried to reach no longer exists or requires a login. If all goes well you will have a chain of 3 proxies, and from there you connect to a shell account. From a shell account you can chain shells together with:

[j00@server j00]$ ssh 212.23.53.74

Get free shells to work from on the way to the next hacked shell; below is a list of free shell account providers. Remember: register with false information and, if possible, through a Wingate.

SDF (freeshell.org) - http://sdf.lonestar.org/
GREX (cyberspace.org) - http://www.grex.org/
NYX - http://www.nxy.net/
ShellYeah - http://www.shellyeah.org/
HOBBITON.org - http://www.hobbiton.org/
FreeShells - http://www.freeshells.net/
DucTape - http://www.ductape.net/
Free.Net.Pl (Polish server) - http://www.free.net.pl/
XOX.pl (Polish server) - http://www.xox.pl/
IProtection - http://www.iprotection.com/
CORONUS - http://www.coronus.com/
ODD.org - http://www.odd.org/
Marmont - http://www.marmoset.net/
flame.org - http://www.flame.org/
freeshells - http://freeshells.net.pk/
LinuxShell - http://www.linuxshell.org/
takiweb - http://www.takiweb.com/
Freeport - http://freeport.xenos.net/
BSDSHELL - http://free.bsdshell.net/
ROOTshell.be - http://www.rootshell.be/
shellasylum.com - http://www.shellasylum.com/
Daforest - http://www.daforest.org/
FreedomShell.com - http://www.freedomshell.com/
LuxAdmin - http://www.luxadmin.org/
shellweb - http://shellweb.net/
blekko - http://blekko.net/

Once you have a shell, you can compile the exploit there, and you become hard to track. To be sure, delete everything that shows evidence of your presence.

Now, there are some things on the server side that a script kiddie needs to know. You have to edit or delete the logs. The true script kiddies probably use a rootkit that deletes the logs automatically. There are 2 main logging daemons I will explain: klogd, which logs kernel messages, and syslogd, which handles the system log. The first step is to "kill" these daemons so that none of your actions are logged (keep in mind that if syslog forwards to another host, everything logged before this point is already off the box).

[root@hacked root]# ps -ef | grep syslogd
[root@hacked root]# kill -9 pid_of_syslogd

The first line finds the syslogd PID, and the second "kills" the daemon; you can also read the PID from its pid file (/var/run/syslogd.pid on most Linux systems).

[root@hacked root]# ps -ef | grep klogd
[root@hacked root]# kill -9 pid_of_klogd

The same steps apply to klogd.

Now the default loggers are killed; next the script kiddie needs to remove his entries from the logs. To find where syslogd puts its logs, check /etc/syslog.conf. Of course, this only matters if you care whether the admin knows you deleted the entire log. If you do not care, you really are a "destroyer", a damn defacer: the admin will know the box was broken into the moment they see the defaced website, so there is no point editing the logs, they will simply be wiped. The reason for editing rather than deleting is so that the admin does not know there was a break-in at all. I will now list the main reasons these people break into a box (system).

Defacing the website - lamer; no goal, just wanting to destroy the system.

Sniffing network passwords - there are several programs that let you sniff passwords sent to and from a system. If the system sits on an ethernet network, you can sniff the packets (containing passwords) addressed to the other systems on that segment.


Launching DDoS attacks - lamer; the admin has plenty of opportunity to notice you pushing hundreds of MB through the connection.


Attacking other systems - this, and the sniffing above, are commonly used and are not a lamer's job. With a root shell you can launch attacks from this system without the limitations of a free shell, and you have absolute control over the shell's logs.

Obtaining sensitive information - some companies have systems holding valuable information such as credit card databases, software source code, username/password lists and other confidential data that a hacker wants.

Learning and having fun - many people do it for the thrill of hacking and for the experience. I do not see this as a crime as long as no damage whatsoever is done. In fact some hackers even help the admin patch the 'holes' they found. It is still classed as illegal, even when it does not destroy someone else's system.

I will explain the basic log files: utmp, wtmp, lastlog and .bash_history. These files are usually under /var/log/ (on Linux, utmp normally lives in /var/run/ while wtmp and lastlog are in /var/log/), but I have heard they can also be in /etc/, /usr/bin and other places. Since systems differ, it is best to run find / -iname 'utmp', then find / -iname 'wtmp', then find / -iname 'lastlog', and also to look through /usr/, /var/ and /etc/ for other logs. Now I will explain these three files:

utmp is the log that records who is currently on the system; you can see why this log has to be edited, because you do not want anyone to know you are on the system.

wtmp is the log that records logins and logouts, which you certainly do not want the admin to know about; it must be edited to show that you never logged in or out. lastlog records each user's most recent login. The history of the shell you use also records every command you type; look for it in the $HOME directory and edit it.

.sh_history, .history and .bash_history are the common names, and they must be edited rather than deleted. Deleting them is the same as telling the admin "yuhuuu, your system has been penetrated!". Newbie script kiddies often deface and then rm -rf / to be safe. Avoid this unless you are somewhat crazy; in that case I suggest you do not try to exploit the system again. Another way to find log files is to run a script that checks which files are open (and look through them manually to determine what is being logged), or to search for recently changed files with a command like: find / -ctime 0 -print

There are a few popular scripts that can hide your presence from the logs, such as zap, clear and cloak. Zap overwrites your entries in the log with zeros, Clear deletes the entries recording your presence, and Cloak replaces them with other information. In my experience, acct-cleaner is a heavy enough script for cleaning the process accounting log. Many rootkits come with a log-eraser script, and once installed the system will not log anything that reveals your presence. On NT systems the log files are in C:\WINNT\system32\LogFiles\; delete these files, the NT admin often does not check them or notice that they are missing.
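The utmp/wtmp description above and the zap paragraph are two sides of the same thing, so here is one added example (not code from the original post) serving both: a Python parser for Linux utmp/wtmp records, plus a check for the traces a zap-style cleaner leaves behind. It assumes glibc's 384-byte struct utmp layout on Linux with 32-bit time fields; the records themselves are constructed inline and do not come from any real host.

```python
"""
Added example, not from the original post: parse Linux wtmp/utmp records and
flag entries that look like they were wiped by a zap-style log cleaner.
The records below are constructed for the example, not taken from a real host.
"""
import struct
from dataclasses import dataclass
from typing import List

# Layout of glibc's struct utmp on Linux (384 bytes, little-endian, 32-bit
# time fields). Field order follows <utmp.h>; ut_exit is two shorts,
# ut_addr_v6 is four ints, and the trailing 20 bytes are reserved.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

# ut_type values from <utmp.h>
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


@dataclass
class Record:
    ut_type: int
    pid: int
    line: str    # tty, e.g. "tty1" or "pts/0"
    user: str
    host: str
    time: int    # ut_tv.tv_sec


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one raw utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data: bytes) -> List[Record]:
    """Split a wtmp/utmp file body into records; a trailing partial record is ignored."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _e_term, _e_exit,
         _session, tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        out.append(Record(ut_type, pid, _cstr(line), _cstr(user), _cstr(host), tv_sec))
    return out


def suspicious(records: List[Record], live_utmp: bool = False) -> List[int]:
    """Return indexes of records that look tampered with.

    - An all-zero (EMPTY) slot inside wtmp: wtmp is append-only history, so a
      zeroed record means something was wiped.  In the live utmp, EMPTY slots
      are normal (freed ttys), so they are only flagged when live_utmp is False.
    - A login (USER_PROCESS) with no user or no tty, or a logout
      (DEAD_PROCESS) with no tty: a cleaner zeroed the identifying fields but
      left the type intact.
    - A timestamp earlier than the latest one seen so far: the file was
      rewritten rather than appended to.
    """
    flagged = []
    latest = 0
    for i, r in enumerate(records):
        if r.ut_type == EMPTY:
            if not live_utmp:
                flagged.append(i)
            continue
        if r.ut_type == USER_PROCESS and (not r.user or not r.line):
            flagged.append(i)
        elif r.ut_type == DEAD_PROCESS and not r.line:
            flagged.append(i)
        elif r.time < latest:
            flagged.append(i)
        latest = max(latest, r.time)
    return flagged


# Constructed sample wtmp: a boot, a normal login/logout, one zapped login,
# one fully zeroed slot, and a later remote login.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1264579200),
    make_record(USER_PROCESS, 1201, "tty1", "alice", "", 1264582800),
    make_record(USER_PROCESS, 1342, "pts/0", "", "", 1264586400),   # user field zapped
    make_record(DEAD_PROCESS, 1201, "tty1", "", "", 1264590000),    # normal logout
    b"\0" * UTMP_SIZE,                                              # whole record zeroed
    make_record(USER_PROCESS, 1500, "pts/1", "bob", "10.0.0.5", 1264593600),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for i, r in enumerate(recs):
        mark = "  <-- suspicious" if i in suspicious(recs) else ""
        print(f"{i}: type={r.ut_type} pid={r.pid} line={r.line!r} user={r.user!r} host={r.host!r} t={r.time}{mark}")
```

To run it over a real file, read /var/log/wtmp and pass the bytes to parse_wtmp(); compare the result with what `last` prints and with a copy of the log shipped off the box, since a cleaner with root can rewrite the local file at will but cannot reach entries that already left the machine.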

The last thing about removing traces I will not explain in detail, because it needs its own discussion; I will only mention rootkits. What are rootkits? They are widely used to remove your tracks when you enter a system, and to keep you "hidden" in it: login without a password, no entry in wtmp or lastlog, and no need for an entry in /etc/passwd. A rootkit replaces commands such as ps to hide your processes, so nobody knows what programs you run. It sends back fake reports from netstat, ls and the rest, as if everything were normal. But do not get too attached: rootkits have weaknesses. Some commands behave strangely because the replaced binaries do not work correctly, and they leave fingerprints (ways to tell that rootkit files are present). Only a great admin checks for rootkits, so this is not a serious threat, but it is worth considering. Rootkits built as an LKM (loadable kernel module) are ideal for hiding your presence, and most admins are not aware of any suspicious activity.

I wrote this tutorial with feeling. I do not want any more script kiddies scanning hundreds of websites to exploit. I do not want my name and nickname used without permission. I am tired of hearing things like "No computer system is 100% secure, update your web server, hacked by ... etc." They leave their nick or group name and run away. I think a lot of people want to learn everything just to break into systems, which is often disguised in the name of science.

This tutorial tries to show how simple it is to get into a system. It is not a complete guide; I left out many things. I hope admins find this tutorial and find it helpful, and learn that their websites have to be maintained and patched often. Protect yourself with an IDS and look for the security holes in your own systems (using a vulnerability scanner). Configuring syslog to forward to an external log host is not a bad idea either: an intruder who kills syslogd and edits the local files cannot reach the copies already sent elsewhere. Admins should see a bit of how script kiddies think and learn what they do ... and catch those who break into their systems. Fair, right?

Remember, defacing is the same as destroying (lamer). I know many people who defaced and now regret it. You will only ever be a script kiddie, and a lamer forever.

That's all.
