XSS Worm : Cross Site Scripting & Web 2.0 Security

Application Vulnerability Information Portal

Archive for the 'Blackhat Hackers' Category


Hacking Google with 0day PHP Photo Exploit - Video Tutorial

Posted by xssworm on 11th December 2007

Blackhat hacker penguinman2100 demonstrates how to "hack Google" in order to upload arbitrary hacker files or pictures to any website using PHP photo exploits.

The blackhat hacker penguinman2100 hacks into websites using this tutorial, as you can see in the video.

He has illegally hacked into sites such as http://textideas.com and http://www.sq-bleiburg.at, as he demonstrates with the access shown in this video.

Penguinman2100 writes on his cracker blog:

NEWS: I have recently become interested in “Google Hacking”. Now I know that sounds pretty bad but it isn't really. “Google Hacking” is basically accessing things on Google which the average person can't do and in which some illegal activity can occur.

The blackhat hacker Penguinman2100 is also known as Zachary D., he is male and 19 years old, and he currently lives in Calgary, Alberta (Canada), where laws against blackhat hacking in google do not exist.

His hacking partner SteveTheMaster (Steve Nahilian) is also a blackhat and a much more dangerous hacker with advanced skills.

Zach~
Hello! We are hacking partners. My name is Zach. I'm not as good a hacker as Steve, but I'll do my part.

Steve~
sup, I am Stevethemaster (click here to chat on AIM) from Steve Company, I am the king of goldfinger & Qcode64 hacking. I do every type of hacking known to hackers on da web, l00k 0ut 4 my vids. Zach is my hacking partner, he has a great mind on image hacks. We are from spiralmountain.co.uk

Thank you to Zachary D. and Steve the Master Hacker for producing these excellent hacking video tutorials to teach blackhats how to hack illegally into websites such as textideas.com. We are waiting for episode 2 of How to Hack Google! Keep up the good work and submit more great hacking tutorials for our readers!

Posted in 0day exploits, Blackhat Hackers, Google hacking, Hacker Videos, How to Hack, Tutorials | 3 Comments »

0day Vulnerabilities For Sale - the new market for weaponized exploits

Posted by xssworm on 4th December 2007

The following article was posted by Paul Goebbels to the Full-Disclosure security mailing list.
Source : http://seclists.org/fulldisclosure/2007/Dec/0028.html
From: Goebbels Amadeus
Date: Sun, 2 Dec 2007 06:12:54 +0100 (CET)

Despite the misleading subject of my e-mail, I want to
bring to attention an important topic which hasn’t been
discussed enough among the security industry: the exploit
and vulnerability research market.
Since this might be a vastly secretive community, I will
introduce some of the members of this dramatically disturbing tale:
A few years ago, a few companies emerged which offer
rewards for exploit information and vulnerability research.
In the beginning, only iDefense (US-based) openly disclosed
its activities.
In the last 3-7 years we have seen ZDI (TippingPoint, now
3Com and soon its Chinese major shareholder..), WSLabi (the
failed attempt on creating an auction market model for these
sales) and Netragard (the old DMCA publicity stunt SNOsoft).
Now I’ll start telling a tale of distrust, lies, middle men
and other creatures of the infraworld…
Once upon a time, there was an increasingly powerful work
force capable of crafting weapons which existed only in a
digital world. This force didn’t have a name. They didn’t
pursue certifications. They were anonymous. But some realized
they also had the power of influencing people, controlling the
flow of information from anywhere at any time. Humanity has
seen for ages how the power of controlling information can
take down whole nations. Nowadays, in an open and free market,
the corporate world is nothing but a battlefield.
There’s no crimson tie. No blood escaping the bodies of its
soldiers. The soldiers are John Does, fighting for a decent
paycheck at any cost, selling out their spirits and time for
the corporate machine. Selling out their comrades and dignity.
Losing the values, principles and matter that make them human.
Unknowingly, they are becoming mere tools of few individuals
who have a neverending desire for fame and wealth.
Have you ever considered your future in their hands? You’ve
been working for 50 years, your liver and kidneys start failing,
creating visible symptoms, stains in your skin. You can’t handle
life in the same way anymore. For what? What have you done in
those 50 years but serving another man to become more wealthy
and over powered. The approaching day of your death and its
mere vision strikes you like a burning iron blade.
In this New Age battlefield, you can make a difference. A
talented youth started emerging and dedicated passionately to
fulfill its curiosity. Day after day, spending countless hours
in front of a machine. Understanding it’s inner design and
details, breaking it apart and reassembling it the way it wasn’t
meant to be assembled.
Some others dedicated painful discipline to physical work and
trained themselves for achieving perfection in both intellectual
and physical matters. Others fell in the way and never made it
to the final round.
After realizing they could not let the corporate world exhaust
them, they tried another way. The emerging market of digital
ammunition seemed to be a potential solution for their problems.
But, unbeknownst to them, they were wrong. They didn’t think at
first glance of the impossibly huge amounts of lies and fallacies
they were about to experience. Because in a world where you can
claim something while denying your obligation to prove it, the
only power that is left is that of common sense and intuition.
The ability to sense the deceitful and know the truthful.
One day, our John Doe decided to approach an independent digital
weapons dealer, looking for better offers than those coming from
more established business men. He knew that more than business men,
they were only middle men. After numerous experiences with these
little twerps, he realized they were also abusing their condition.
John was also especially disappointed with the fact that in the
world of digital ammunitions, there’s no real way of providing the
goods without turning them instantly useless and vulnerable to abuse.
John knew that these middle men were taking cuts far higher than
their alleged 10 to 15 percent of the sale. How could John prove it
otherwise? There was no way of ensuring that their contacts were
getting the very exact figure John demanded.
Despite this fact, John also realized that in this market of smoke,
the seller is not supposed to set the price of the goods. These
middle men, in their great mistake of thinking that wisdom and
knowledge are the very same thing, wanted John to believe that
they were the ones who set the price of the goods.
John’s disappointment was growing to incredibly high stakes: “As a
child, whenever I tried to tell the candy shop clerk that the
chocolate bars cost as much as the peanut butter ones, he simply
tried to smack my head down. I wasn’t supposed to even swap the
labels in a failed attempt to fool this man, who had been making
candy bars for more time than I was actually able to barely say
my name.”
John had been crafting digital weapons for so long, with
such a high talent and effectiveness, that he was much less
dispensable than these middle men. His personal background, of an
extremely tough childhood full of misery and hostility, also
gave him the necessary wisdom and experience in this world for
quickly spotting the weaknesses of these ego-crazed men. Their
weakness lies in the fact that without John and his comrades,
they have no business. They lack far more than just knowledge.
They lack wisdom, passion and truly devoted dedication to whatever
they do. Sooner or later they will make the same mistake of other
weapon dealers: getting killed with their own goods.
Hypocrisy among these poorly educated middle-men was so high,
that they resorted to low tricks and ridiculous attempts to gain
the trust of people like John. They went as far as insulting the
intelligence of those who provided them with the goods they are
unable to produce themselves. No matter how hard they tried, it
never brought anything back but silence. The silence that can be
clearly understood as a fully precise signal of genuine disdain.
The fundamental error behind their approach is that trust can’t
be gained for cheering, boosting the ego, claiming great benefits
and wealth. Trust is something sculpted in hard rock, taking years
to become an admirable master piece. It doesn’t come attached to
an email.
At the end, John and his comrades found out that wasting their
time with these miserable beings was far less than fruitful. It
was exhausting them as much as the corporate world did. They
realized that any day above ground is a good day. Let the snakes
change their skin and show their true colors. In the desert,
being unable to match with environment has deadly consequences.
It might take years, or decades, but time will set them all where
they belong. Life does not forgive and everything has come to an
end… because they lack patience, the end will approach their
nefarious activities sooner than they ever thought and John and
his comrades will be free again.
And this tale has to come to an end itself… the end of a
story about middle-men and their madness.
Time’s striking force.
- Paul Amadeus Goebbels

Very interesting, Mr Goebbels.

Posted in Blackhat Hackers, Ethics, Experts Opinions, Exploit trading, Exploits for Sale, Tutorials, Whitehat hackers | 9 Comments »

Mac sites are being hacked by blackhat XSS hackers

Posted by xssworm on 23rd November 2007

A lot of Mac blogs have been defaced recently by hackers using 0day XSS exploits in WordPress.

One victim of the 0day XSS, Miles Evans of MacApper.com, writes:

“I took the liberty of analyzing the hack a bit in the hopes it helps others prevent this from happening to them. Although we had updated our blog to the latest version of Wordpress, near as I can tell the hack was accomplished via an XSS (cross site scripting) exploit. By executing some malicious code in the query string the hacker was able to write to our .htaccess file the following:

#this is for rotten mac fanbois - suck it down.
#RewriteRule ^divider.png$ /rotten/divider.png [L]
#RewriteRule ^rotten.jpg$ /rotten/rotten.jpg [L]
#RewriteCond %{REQUEST_URI} !^/rotten.*
#RewriteRule !rotten/index.html$ /rotten/index.html [L]

The problem is that the exploit appears to be unknown to Wordpress as far as I can see (I will be reporting it to them), so other Wordpress blogs may be susceptible. I wish I could offer more help.”

“[…] By default WP wants to handle the .htaccess file dynamically so it needs to be set world writable. We tweaked this before putting the blog back online and we should be safe now. If anyone needs a hand feel free to email me (milesevans _AT_ macapper.com).”
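As an added example (not Miles Evans's or WordPress's own code), here is a small Python audit for the two things his write-up points at: rewrite rules in .htaccess that WordPress itself would never write, and the world-writable permissions that let them get there. The defaced rules are reconstructed from the ones quoted above with the comment markers removed so they are live; the stock WordPress block is assumed from the default install; the file is created in a temp directory so the script runs offline.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the rules MacApper reported, with the leading '#' removed
# so they are live (as an attacker would have written them). Every request
# that is not already under /rotten/ is served /rotten/index.html.
DEFACED_HTACCESS = """\
#this is for rotten mac fanbois - suck it down.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/rotten.*
RewriteRule !rotten/index.html$ /rotten/index.html [L]
"""

# What a stock WordPress install writes (assumed from the default install;
# the only rewrite targets it ever uses are '-' and /index.php).
STOCK_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
ALLOWED_TARGETS = frozenset({"-", "/index.php"})


def parse_rewrite_rules(text):
    """Return (lineno, pattern, target, flags, in_wp_block) for every live
    RewriteRule. Commented-out lines are skipped, so a rule that has been
    disabled with '#' (as in the quoted post-cleanup file) is not reported."""
    rules = []
    in_wp = False
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.upper() == "# BEGIN WORDPRESS":
            in_wp = True
            continue
        if s.upper() == "# END WORDPRESS":
            in_wp = False
            continue
        if s.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            flags = tuple(f.strip() for f in (m.group(3) or "").split(",") if f.strip())
            rules.append((lineno, m.group(1), m.group(2), flags, in_wp))
    return rules


def suspicious_rules(text, allowed_targets=ALLOWED_TARGETS):
    """Flag rules WordPress itself would never write: any rule outside the
    BEGIN/END WordPress block, any rule whose substitution is not a known
    front-controller target, and any negated catch-all pattern. A defacement
    that funnels every request to an attacker-chosen page trips all three."""
    flagged = []
    for lineno, pattern, target, flags, in_wp in parse_rewrite_rules(text):
        reasons = []
        if not in_wp:
            reasons.append("outside the WordPress-managed block")
        if target not in allowed_targets:
            reasons.append("unexpected target " + target)
        if pattern.startswith("!"):
            reasons.append("negated catch-all pattern")
        if reasons:
            flagged.append((lineno, pattern, target, reasons))
    return flagged


def is_world_writable_mode(mode):
    """True if the 'other' write bit is set, i.e. any local user (or any PHP
    process on a shared host) can rewrite the file."""
    return bool(mode & stat.S_IWOTH)


def audit_file(path):
    """Audit a real .htaccess: returns (world_writable, flagged_rules)."""
    mode = os.stat(path).st_mode
    with open(path) as fh:
        text = fh.read()
    return is_world_writable_mode(mode), suspicious_rules(text)


def harden(path):
    """Drop group/other write bits: owner rw, everyone else read-only (0644)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)


if __name__ == "__main__":
    fd, path = tempfile.mkstemp(suffix=".htaccess")
    with os.fdopen(fd, "w") as fh:
        fh.write(DEFACED_HTACCESS)
    os.chmod(path, 0o666)  # reproduce the world-writable state from the post
    world_writable, flagged = audit_file(path)
    print("world-writable before hardening:", world_writable)
    for lineno, pattern, target, reasons in flagged:
        print("line %d: RewriteRule %s %s (%s)" % (lineno, pattern, target, "; ".join(reasons)))
    harden(path)
    print("world-writable after hardening:", audit_file(path)[0])
    os.unlink(path)
```

Run it against a real install with `audit_file("/var/www/html/.htaccess")`. The permissions check is the one that matters: a rule-based scan only catches what it has been taught to expect, while a 0644 file cannot be rewritten by the web server process at all, which is exactly the change MacApper made before going back online.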

Loweded Wookie adds some helpful technical feedback for advanced Mac users:

“When I was using XOOPS I got hacked once but all the little retard did was create a file called index.html. All I did was alter the Apache file so that PHP files were executed before HTML files and any hack after that from little brained people would have been thwarted. Any further attempts to hack WordPress are thwarted by a simple permissions change. Of course .Mac accounts are different because the hacker would first have to find your machine, intercept the Kerberos encrypted password (yeah, good luck on that one), and then do some damage. Considering many .Mac pages are edited using iWeb then any hacked pages would be up for a grand total of… however long it takes to upload to .Mac. Hell, comment floods can be removed simply by clicking the comment box and hitting delete in iWeb.”

Another reader, Chris, asks the very question that came into our mind as we read this report:

“To even GET data to the server, it would have to be a type 2 attack. I doubt this was overlooked in the release of WordPress 2.3.1, since the primary release was for security. Secondly, the vulnerable page would have to be a publicly accessible page, making a type 2 XSS even more rare. Finally, why would you possibly leave your HTACCESS file world-writable, and how would this “hacker” write files back to your server using a type 2 exploit anyways? At most it could be redirected to another site. Please explain.”

Wookie offers more technical advice:

“It’s more common than you know. This was something that needed to be done on older versions of XOOPS. It had to have at least administrator rights to access the file but the passwords etc are all plain text so it’s reasonably easy to hack a PHP based content management system and WordPress is no exception.”

Another Macintosh blog, GlenWolsey.com, a Mac blog site on blogspot, has been taken down by a blackhat XSS hacker. The technique reported in this attack was again a WordPress XSS overwriting a world-writable .htaccess file. Note that, as reader Chris points out above, script running in a visitor's browser cannot by itself write files on the server; whatever put those rules in place needed a server-side path to a .htaccess that the web server process was allowed to write.

A quote from the hacked site: “This website has been flagged for excessive Apple fanboism, and has been taken down for 24 hours. This is a message to the rest of the Mac community, so listen up. Ever heard of hubris? Tone it down, and you will not be attacked. Everyone else is open game.”

The XSS blackhat hacker, known as Malcor, has posted many threats on his own pages:

“The target will be posted on this site once the attack begins. I will be sending said target a note with a heads up before. Hopefully, by the end of the attack, a sea change will begin to happen. Does anyone disagree with me that the Mac world be a much more pleasant place if smugness wasn’t tolerated?”

“The attacks will be untraceable, and unstoppable.”

Source: http://malcor.blogspot.com


Posted in 0day exploits, Blackhat Hackers, Cross Site Scripting, Type 2 Attacks, Type 2 Exploits, Type 2 XSS, Wordpress Exploits, Wordpress Hacking | 82 Comments »

Video: Hacking Myspace - Samy Worm author explains Web 2.0 worms

Posted by xssworm on 22nd November 2007

November 19, 2007 (IDG News Service) — If Samy Kamkar plays his cards right, he may be allowed to visit Myspace again in just a few months. For the time being, however, he’s not even allowed to touch a computer, following a January 2007 guilty plea for creating what many consider to be the first Web 2.0 worm: the Samy worm.

Samy’s worm wasn’t malicious, but it did force News Corp.’s MySpace social-networking site to shut down in late 2005 after forcing more than 1 million users to declare Samy a “hero” on their profile pages.

Last week, Samy, who is now 21, made his first public appearance since his conviction, attending the OWASP App Sec 2007 conference, hosted by eBay in San Jose, California. He was treated like a celebrity at the show, but there were some complications. Under the terms of his plea agreement, he can only use computers for work, so he was forced to show slides that he’d dictated to a friend on a computer that was operated by a conference staffer.

Kamkar: When I wrote the worm, it initially wasn’t a worm. Initially I was just trying to spruce up my MySpace profile. I also wanted to show off to a couple of friends, so I thought ‘wouldn’t it be cool if I did this? [..] As a programmer, it wasn’t too much to learn how to use AJAX, which really helped make the worm work and proliferate really quickly. It only took a few days to write the thing from start to finish and it was only in the last day that I thought that this could be a worm.

(days? *cough*)

Posted in AJAX hacking, Blackhat Hackers, Hacker Videos, Myspace worm, Social Network Worms, Web 2.0 Worms | 3 Comments »

NEW: How Hackers REALLY Work

Posted by xssworm on 20th November 2007

Hacker Hierarchy

Psychologist and Expert Hacker Marc Rogers says there are several subgroups of hackers —

newbies, cyberpunks, coders and cyber terrorists.

Newbies are hackers who have access to hacking tools but aren’t really aware of how computers and programs work. Cyberpunks are savvier and are less likely to get caught than a newbie while hacking a system, but they have a tendency to boast about their accomplishments. Coders write the programs other hackers use to infiltrate and navigate computer systems. A cyber terrorist is a professional hacker who infiltrates systems for profit — he might sabotage a company or raid a corporation’s databases for proprietary information.

Hackers and Crackers

Many computer programmers insist that the word “hacker” applies only to law-abiding enthusiasts who help create programs and applications or improve computer security. Anyone using his or her skills maliciously isn’t a hacker at all, but a cracker.

Even if the so-called hackers using malicious hacking skills have always, and continue to, label themselves and their peers as hackers first and foremost, the nomenclature does not legally apply according to the Arbitration of What Stuff is Called Act of 2002. In addition, loosely organized social groups and clubs have not traditionally been permitted to determine their own names or identities. All definitions related to hacking must be approved by at least one academic over the age of 55 years old in an authoritative tone whilst speaking to a relatively ignorant IT journalist about the latest sensationalized hacker story. - Ed.

Group of Hackers from KDE.ORG


Crackers infiltrate systems and cause mischief, or worse. Unfortunately, most people outside the hacker community use the word as a negative term because they don’t understand the distinction between hackers and crackers.

Spying on e-mail: Hackers have created code that lets them intercept and read e-mail messages — the Internet’s equivalent to wiretapping. Today, most e-mail programs use encryption formulas so complex that even if a hacker intercepts the message, he won’t be able to read it.

Hacker Culture

Individually, many hackers are antisocial. Their intense interest in computers and programming can become a communication barrier. Left to his or her own devices, a hacker can spend hours working on a computer program while neglecting everything else.

There are many websites dedicated to hacking. The hacker journal “2600: The Hacker Quarterly” has its own site, complete with a live broadcast section dedicated to hacker topics. The print version is still available on newsstands. Web sites like Hacker.org promote learning and include puzzles and competitions for hackers to test their skills.

Not all hackers try to explore forbidden computer systems. Some use their talents and knowledge to create better software and security measures. In fact, many hackers who once used their skills to break into systems now put that knowledge and ingenuity to use by creating more comprehensive security measures. In a way, the Internet is a battleground between different kinds of hackers — the bad guys, or black hats, who try to infiltrate systems or spread viruses, and the good guys, or white hats, who bolster security systems and develop powerful virus protection software.

Yahoo Hack Day

Glenn Chapman/AFP/Getty Images
Hackers work together to create “mashups” of Yahoo applications at Yahoo Hack Day 2006.

Hacking For a Living

Hackers who obey the law can make a good living. Several companies hire hackers to test their security systems for flaws. Hackers can also make their fortunes by creating useful programs and applications, like Stanford University students Larry Page and Sergey Brin. Page and Brin worked together to create a search engine they would eventually name Google. Today, they are tied for 26th place on Forbes’ list of the world’s most wealthy billionaires [source: Forbes].


Famous Hackers: Lamo

Adrian Lamo hacked into computer systems using computers at libraries and Internet cafes. He would explore high-profile systems for security flaws (such as open proxies), exploit the flaws (or make use of the proxy) to “hack” into the system, and then send a message to the corresponding company, letting them know about the security flaw. Unfortunately for Lamo, he was doing this on his own time rather than as a paid consultant — his activities were illegal. He also snooped around a lot, reading sensitive information and giving himself access to confidential material. He was caught after breaking into the computer system belonging to the New York Times.

It’s likely that there are thousands of hackers active online today, but an accurate count is impossible. Many (>99%) hackers don’t really know what they are doing — they’re just using dangerous tools they don’t completely understand.


Source: How Computer Hackers Really Work, by a Non Hacker

Posted in Black Hat Hacking, Blackhat Hackers, Hacker Dictionary, How to Hack, Tutorials, What is, White Hat Hacking, Whitehat hackers | 11 Comments »

Cross Fax Scripting - New attack techniques use XSS and Fax Machines to Hack Victims

Posted by xssworm on 19th November 2007

Dr Craig Wright has described a new attack vector known as Cross-Site Faxing (XSF) that abuses weaknesses in OCR 2.0 anti-phishing technology to bypass commercial anti-CSF appliances such as the i-XSS BloggerShield and UBsecure’s new XRCF Webfender 2.1.

On Nov 18, Dr Craig Wright (cwright@bdosyd.com.au) writes to the pen-test mailing list:

“I have thought of an alternate path to loading a virus based on a network OCR’d fax server. In the scenario, we have to assume that the system is sending the output to a web front end or HTTP enabled email (not that uncommon).”

Dr Wright then sets out the following hypothetical scenario:

  • The system has no input filters and prints all characters to the email, web app.
  • The OCR engine is highly accurate and does not add spaces etc.
  • The email or web app displays exactly what it received

Dr Craig Wright on Fax Site Scripting attacks and Web 3.0: “Now given that scenario, we have a possible XSS (cross-site-scripting) attack. If there are no filters for an outgoing connection (i.e. no firewall/proxy that strips scripts) and the client browser/email application allows access to the Internet, the attacker could create a script in the page that makes a call to an external system to download a file … a script could also embed a simple XOR obfuscation key to modify the downloaded code. On the web server it would be inert. When XOR’d with the key in the script (after being downloaded and installed), this will thus bypass the AV server (if there is one) and install the malware on the users system. […] Regards, Dr Craig Wright (GSE-Compliance)”
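The scenario in miniature, as an added example that is not Dr Wright's code: an OCR'd fax body dropped into an HTML page as-is next to the escaped version, a gateway check standing in for the "input filter" the scenario says is missing, and the XOR trick seen from the defender's side, recovering the key from the script so the fetched blob can be scanned in the form that actually runs. The fax text, the invoice number, the `k=0x..` key convention and the payload bytes are all constructed for this example.

```python
import html
import re

# Constructed OCR output: what the fax server would hand to the web front end
# if, as in the scenario, the OCR engine reproduced the attacker's printed page
# character for character. The invoice number is made up.
OCR_FAX_TEXT = (
    "Invoice 2007-1147 for services rendered.\n"
    "<script>var k=0x5a;/* fetch blob, XOR with k, run it */</script>\n"
    "Please remit payment within 30 days."
)

PAGE = "<html><body><h1>Incoming fax</h1><pre>%s</pre></body></html>"


def render_fax_unsafe(ocr_text):
    """First assumption in the scenario: the OCR text goes into the page as-is,
    so a <script> element on the fax becomes a <script> element in the DOM."""
    return PAGE % ocr_text


def render_fax_safe(ocr_text):
    """Same page with the OCR text HTML-escaped at the output boundary; the
    browser shows the literal characters and executes nothing."""
    return PAGE % html.escape(ocr_text, quote=True)


# Things a browser or HTML-rendering mail client would treat as active content.
ACTIVE_MARKERS = re.compile(
    r"<\s*script\b|<\s*iframe\b|<\s*object\b|javascript:|\bon[a-z]+\s*=", re.I)


def fax_looks_active(ocr_text):
    """Gateway-side check (the 'input filter' the scenario says is missing):
    hold a fax for review if its OCR text carries anything script-like.
    Crude and easy to evade, which is why escaping on output is the real fix."""
    return bool(ACTIVE_MARKERS.search(ocr_text))


# Assumed key convention for this toy dropper: 'k=0xNN' somewhere in the script.
KEY_RE = re.compile(r"\bk\s*=\s*0x([0-9a-f]{2})", re.I)


def extract_xor_key(script_text):
    """Pull the single-byte key out of a script written like the sample above.
    Real droppers vary; this only knows the convention used in OCR_FAX_TEXT."""
    m = KEY_RE.search(script_text)
    return int(m.group(1), 16) if m else None


def xor_bytes(data, key):
    """Single-byte XOR is its own inverse: the 'simple XOR obfuscation' in the
    scenario. The blob on the web server is inert until XORed with the key."""
    return bytes(b ^ key for b in data)


def deobfuscate_download(script_text, blob):
    """Defender's counterpart to the trick: recover the key from the script and
    un-XOR the fetched blob so an AV engine scans what actually runs."""
    key = extract_xor_key(script_text)
    return None if key is None else xor_bytes(blob, key)


if __name__ == "__main__":
    print("unsafe page contains live <script>:", "<script>" in render_fax_unsafe(OCR_FAX_TEXT))
    print("safe page contains live <script>:", "<script>" in render_fax_safe(OCR_FAX_TEXT))
    print("gateway flags the fax:", fax_looks_active(OCR_FAX_TEXT))
    payload = b"MZ-pretend-malware"       # constructed stand-in for a binary
    staged = xor_bytes(payload, 0x5a)     # what would sit on the attacker's server
    print("staged bytes contain the payload:", payload in staged)
    print("recovered:", deobfuscate_download(OCR_FAX_TEXT, staged))
```

The point of pairing the two renderers is that the fax machine is just another untrusted input channel: nothing about OCR changes the rule that data is escaped where it meets HTML. The XOR helper shows why "inert on the web server" is a weak claim; any scanner that can read the key out of the script can undo a single-byte XOR.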

It is interesting to see this challenge considered by the security community. Are there currently any products we can purchase to scan incoming faxes? What about physical mail? A malicious attacker could embed scripting in an application form that is then printed and sent through snail mail to a recipient's mail desk, which scans the mail and forwards it as a PDF or TIFF image to the unsuspecting victim.

This attack is very deadly, as it can also take advantage of embedded-object, macro or client-side exploits against PDF or TIFF viewers and their users. This is a very dangerous attack vector that must be explored, and all security consultants are encouraged to alert the wider community to the dangers of Cross Site Faxing and Cross-Site Postage exploits.

Posted in 0day exploits, Blackhat Hackers, Cross Site Faxing, Cross Site Request Forging, Cross Site Scripting, Hacking Mail, XSS Security Alerts | 8 Comments »