Sunday, February 07, 2010

Directory traversal as a reconnaissance tool

Like most of you, I find malicious or fraudulent online advertisers annoying to say the least.
My typical response, upon receipt of rogue AV pop-ups, or redirects to clearly fraudulent sites, is to "closely scrutinize" the perpetrating site.
This effort often bears fruit as is evident in the following analysis.

My interest was recently piqued when I was made aware of a number of related sites committing abuse against a variety of brands, all quite clearly in violation of copyrights and trademarks.
An example, for your consideration: messenger-download.info
After a little exploration, I quickly determined that these cretins seek only to con victims out of credit card data with the promise of illegal downloads for a fee.
Apparently these dbags have been at it for a while.
They make it look like you're going to receive access to a legitimate offering, then they suck you into freedownloadzone.com.
This, of course, pissed me off, so...off to the races.
A poke here, a tickle there, and voila.../etc/passwd.



This Centos server, running Apache 2.2.3 (very dated), complete with craptastic PHP code, is a textbook lesson in how to not run a web server.
Includes, anyone?
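The include pattern hinted at above, as an added illustration that is neither the site's code nor the author's: a page parameter concatenated onto a directory with no checks, beside a resolver that allowlists the name, canonicalizes the joined path and refuses anything that lands outside the web root. It is written in Python rather than PHP so it can be run as-is; the `WEB_ROOT` path and the parameter name `page` are assumptions, since the post names neither.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Assumed web root for this constructed example; the post names no path.
WEB_ROOT = Path("/var/www/html/pages")

# Only plain file names such as "about.php" are acceptable include targets.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.php$")


def naive_resolve(page: str, root: Path = WEB_ROOT) -> str:
    """The defective pattern: user input appended to a base directory with
    no validation. Each '../' walks one level out of root, so the result
    can land anywhere on the filesystem. This is the Python equivalent of
    an unchecked PHP include($dir . $_GET['page'])."""
    return os.path.normpath(os.path.join(str(root), page))


def is_within(root: Path, candidate) -> bool:
    """True when candidate, after canonicalization, sits at or below root.
    resolve() collapses '..' and follows symlinks in existing components,
    so the comparison is made on real paths on both sides."""
    try:
        Path(candidate).resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def safe_resolve(page: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Hardened resolver: allowlist the name first, then join and check
    containment as defense in depth. Returns None when any check fails.
    Note that Path(root) / "/etc/passwd" discards root entirely, which is
    one reason the containment check stays even with the allowlist."""
    if not PAGE_NAME_RE.fullmatch(page):
        return None
    candidate = root / page
    if not is_within(root, candidate):
        return None
    return candidate.resolve()


if __name__ == "__main__":
    for attempt in ("about.php", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{attempt!r:28} naive -> {naive_resolve(attempt)}"
              f"  safe -> {safe_resolve(attempt)}")
```

The allowlist alone would have stopped the traversal in the post; the containment check is kept because allowlists get loosened over time and the two checks fail independently.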



What's lovely about grabbing /etc/passwd with directory traversal (file path traversal, if you prefer) is the discovery of all the additional abusive URLs in play on this same server. Additionally, you'll note more than a few culprits, who I learned were based in the Philippines after running their user names through Maltego.
Here's a text dump of the raw /etc/passwd grab.

A little regex parsing produced roughly 256 URLs, all pointing back to freedownloadzone.com, and all GoDaddy domains (shocking!).
Rather than post all the URLs here, for brevity, please refer to the text file.
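The parsing step described above, reconstructed as an added example that is not the author's script: it runs on constructed /etc/passwd lines rather than the dump from the post (messenger-download.info is taken from the post; the `.example` names are invented), splits the seven-field records, separates interactive accounts from system accounts, and pulls domain-shaped strings out of the user name, GECOS and home fields so the co-hosted sites can be listed. The `uid_min` of 500 is an assumption based on the CentOS releases of that era.

```python
import re
from typing import Dict, List

# Constructed sample in /etc/passwd format; not the dump referenced in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
messenger-download.info:x:500:500::/home/messenger-download.info:/bin/bash
brand-one.example:x:501:501::/home/brand-one.example:/bin/bash
brand-two.example:x:502:502::/home/brand-two.example:/bin/bash
admin:x:503:503:Site admin:/home/admin:/bin/bash
"""

# Two or more dot-separated labels of hostname characters.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)

# Shells that mark an account as non-interactive.
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) records: name:passwd:uid:gid:gecos:home:shell.
    Blank lines and comments are skipped; a malformed record raises."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def interactive_accounts(entries, uid_min: int = 500):
    """Accounts at or above uid_min (assumed CentOS UID_MIN of the time)
    whose shell permits a login; these are the hosting customers/operators."""
    return [e for e in entries
            if e["uid"] >= uid_min and e["shell"] not in NOLOGIN_SHELLS]


def hosted_domains(entries) -> List[str]:
    """Domain-shaped strings found in the name, GECOS or home fields,
    lower-cased and de-duplicated, as a first cut at the sites on the box."""
    found = set()
    for e in entries:
        for field in (e["name"], e["gecos"], e["home"]):
            found.update(m.lower() for m in DOMAIN_RE.findall(field))
    return sorted(found)


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", [a["name"] for a in interactive_accounts(accounts)])
    print("domains:    ", hosted_domains(accounts))
```

A real dump will also contain names that are not domains at all (the `admin` record above); the account list and the domain list are therefore kept separate rather than assuming every user name is a site.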

Lesson to be learned for the bad guys: secure development practices apply to you as well, or the whitehats may come knocking.

A parting thought for freedownloadzone.com, and its shadow org, helpmedownload.com.
By the way, you have XSS issues too: http://bit.ly/cT2P8F


6 comments:

Kurt said...

Frigging brilliant! Nicely done.

Anonymous said...

I like this. I like this a lot.

Beto_atx said...

very nice

Anonymous said...

hahaha

hacking the badguys...cool!!!!!

Bill Wildprett said...

Very sweet work Russ! Your thoroughness in going after the low-lifes online is commendable.

An exemplary approach we can all learn from.

Rafal Los said...

Payback's a bitch, ain't she?

Brilliant work sir... we should be able to use this type of method to shut these bastards down. Damn us being the "good guys".