Security Incidents: Re: pimpshiz / put i.txt

Re: pimpshiz / put i.txt

From: Steve <steve_at_SECURESOLUTIONS.ORG>
Date: Sun, 8 Oct 2000 15:35:27 -0600

I've had the chance to go through some of the logs on some "hacked" sites by
Pimpshiz. From the look of the directory structure left behind he is
definitely using FrontPage. He is also grabbing his logo for the hacks from
http://www.liquid2k.com/pimpshiz/scary.gif. He is leaving two text files on
the boxes, one named i.txt that contains "Server breached by PimpShiz" and
another called erica.txt which appears to be a phone number minus the area
code.

I am definitely convinced that he is not exploiting anything new like he
claims and is simply finding boxes with poorly configured permissions.
Wouldn't exactly consider this clown a hacker.

------------------------------------------------------------------------

Steve Manzuik Calgary, Alberta, Canada
Moderator - Win2K Security Advice (403)660-2997

Security Analyst - Bindview RAZOR Team
smanzuik_at_razor.bindview.com
http://razor.bindview.com

* - The opinions expressed in this email are mine, and mine alone. They - *
* - do not reflect those of my employer or anyone else for that matter. - *

------------------------------------------------------------------------

> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS_at_SECURITYFOCUS.COM]On
> Behalf Of Jason Witty
> Sent: Friday, October 06, 2000 4:47 AM
> To: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: Re: pimpshiz / put i.txt
>
>
> I may be going out on a limb here, but the 'exploit' PimpShitz is using
> looks more like a simple HTTP PUT instead of an HTTP GET. A
> friend of mine
> just got hit last week (I haven't seen the logs, but he described
> them), and
> the i.txt file was placed into a directory, via a standard HTTP PUT (wrong
> permissions on the directory). So his little '0-Day 3xp01t' is probably
> nothing more than Netscape HTML Editor's publish function or
> Front Page for
> that matter. Just my two....
>
> Jason
>
>
> At 12:08 AM 10/6/00 GMT, Tony Turk wrote:
> >I have spoken to pimpshiz, and he DOES NOT use the RDS' sploit.
> He does use
> >a 0day, but I am unsure of its nature. He has defaced all
> IIS/NT servers,
> >so that at least narrows it down. More logs would be nice though.
> >
> >
> >>From: Steve <Steve_at_SECURESOLUTIONS.ORG>
> >>Reply-To: Steve <Steve_at_SECURESOLUTIONS.ORG>
> >>To: INCIDENTS_at_SECURITYFOCUS.COM
> >>Subject: Re: pimpshiz / put i.txt
> >>Date: Thu, 5 Oct 2000 06:27:19 -0600
> >>
> >>I attempted to contact Pimpshiz and got the following;
> >>
> >>"I will do an interview but I will not discuss my techniques or
> exploit."
> >>
> >>He has told media outlets that he has some 0day sploit that no one knows
> >>about. I would love to see more logs as I am starting to think
> that he is
> >>simply using the RDS exploit.
> >>
> >>For those of you who have been defaced by this, in my opinion, script
> >>kiddie, check www.wiretrip.net/rfp for the original advisory on the RDS
> >>exploit, there is a spot that talks about log entries to watch for.
> >>
> >>-Steve
> >>
> >>-----Original Message-----
> >>From: Jonathan Rickman
> >>To: INCIDENTS_at_SECURITYFOCUS.COM
> >>Sent: 10/4/00 7:07 PM
> >>Subject: Re: pimpshiz / put i.txt
> >>
> >>I seem to remember seeing one of his recent defacements mention that one
> >>could look for the file i.txt as well as several others once the main
> >>page
> >>was restored as proof that he still owned them. Don't quote me on that,
> >>but I'm pretty sure that's what it said. Check the attrition archives.
> >>
> >>you could just email pimpshiz and ask...he'll probably tell you.
> >>
> >>--
> >>Jonathan Rickman
> >>X Corps Security
> >>http://www.xcorps.net
> >
Received on Oct 10 2000
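
A log check for the mechanism discussed in this thread, as an added example that is not part of any poster's message: a Python script that scans W3C extended-format web server logs for HTTP PUT requests the server accepted, and marks the `i.txt` and `erica.txt` file names reported above. The sample log lines, the choice of log fields and the function names are constructed for illustration.

```python
"""Flag successful HTTP PUT uploads in W3C extended-format web server logs."""

# File names the thread reports being left on affected servers.
REPORTED_FILES = {"i.txt", "erica.txt"}

# Constructed sample log using documentation IP ranges; not from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-04 23:11:02 192.0.2.10 GET /default.htm 200
2000-10-04 23:14:37 198.51.100.7 PUT /i.txt 201
2000-10-04 23:14:41 198.51.100.7 PUT /erica.txt 201
2000-10-04 23:14:52 198.51.100.7 PUT /default.htm 200
2000-10-04 23:15:09 203.0.113.5 PUT /private/x.htm 403
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_put_uploads(text):
    """Return PUT requests the server accepted, marking the reported file names."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "PUT":
            continue
        status = row.get("sc-status", "")
        if not status.startswith("2"):  # 4xx/5xx: the write was refused
            continue
        path = row.get("cs-uri-stem", "")
        hits.append({
            "when": row.get("date", "") + " " + row.get("time", ""),
            "client": row.get("c-ip", ""),
            "path": path,
            "status": status,
            "reported_file": path.rsplit("/", 1)[-1].lower() in REPORTED_FILES,
        })
    return hits

if __name__ == "__main__":
    for hit in find_put_uploads(SAMPLE_LOG):
        tag = "REPORTED FILE" if hit["reported_file"] else "other upload"
        print(f'{hit["when"]} {hit["client"]} PUT {hit["path"]} -> {hit["status"]} [{tag}]')
```

Any accepted PUT from an unexpected client is worth reviewing alongside the write permissions on the target directory, whether or not the file name matches.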
