
Full Disclosure mailing list archives
Latvenergo RIGAS HES-2 HACKED!
From: Zhang Xinghu <zhangxinghu () rocketmail com>
Date: Tue, 3 May 2011 08:48:42 -0700 (PDT)
Latvenergo RIGAS TEC-2 software vulnerability analysis techniques
http://www.latvenergo.lv/pls/portal/docs/PAGE/LATVIAN/IMAGES/razosana_tec_r.jpg
RIGAS TEC-2 (Heat Power Plant)

Latvian Energy Grid
http://upload.wikimedia.org/wikipedia/en/6/68/Latvian_grid.png

SCADA:
http://img197.imageshack.us/i/11845309.png/
http://img853.imageshack.us/i/82004790.png/
http://img835.imageshack.us/i/11297056.png/
http://img811.imageshack.us/i/24628503.png/
http://img708.imageshack.us/i/46434198.png/
http://img42.imageshack.us/i/69536191.png/
http://img268.imageshack.us/i/91060646.png/
http://img573.imageshack.us/i/20665870.png/
http://img705.imageshack.us/i/91159778.png/
http://img850.imageshack.us/i/21524239.png/

http://83.136.143.114/ and http://85.15.193.254/
login: henriks
password: :henry50

--------------------------------------------------------------------------------------

Rigas TEC-2 Router configuration:

Current configuration : 8665 bytes
!
! Last configuration change at 18:36:17 EET-EDT Mon May 1 2011 by henriks
!
-------------------------------------------------------------------------------------
China Youth Hackers Alliance
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/