While hacking another e-crime server today, I found this interesting panel, which reminds me of something.
Brian Krebs has already written a blog post about this; you can read it here: http://krebsonsecurity.com/2011/03/big-scores-and-hi-scores/#more-8778
So, let's review.
This panel doesn't need SQL support.
The connection info is saved in config.php.
The 'passkey' value is used as the password to log in to the panel.
It's hashed with MD5 and then SHA-512.
You just need to drop the kit onto your server and choose a password:
As for the stolen credit card information etc.,
it is stored in an encrypted text file at "data/droplist.txt"
using XXTEA; the decryption key is the same password you use to log in.
So even if you 'steal' a droplist.txt, you can't decrypt it without knowing the right key.
How does the gate work?
When you call the gate, it returns: 8|0|s|||||none|none|none||none|none|none|none|none|none|noneCould not connect!
The 'Could not connect!' here is due to a bad configuration of the Jabber/ICQ notifications, and the 'none' fields are the submitted info ('none' if the variable is empty).
The coder has never heard of XSS attacks:
And the same goes when the data is displayed inside the panel (when logged in).
Another stupid thing about the variables is "password".
You might think you could use the hashed version directly in the variable, but no.
When you 'call home', the query needs to be made with the plaintext password, which is then hashed with MD5/SHA-512 and compared with the passkey inside config.php.
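The check described above (plaintext password in, MD5 then SHA-512, compare with the passkey), written out as an added Python sketch for an analyst who holds a seized config.php; it is not the panel's code. The function names, the sample password and both chaining variants are assumptions, since the page does not say whether the MD5 output is re-hashed as hex text or as raw bytes.

```python
import hashlib
import hmac


def passkey_variants(password: str) -> dict:
    """Return the MD5-then-SHA-512 digest under both plausible chainings."""
    md5 = hashlib.md5(password.encode("utf-8"))
    return {
        # Assumption 1: the MD5 hex string is hashed again (how PHP's md5() output
        # would normally be passed on).
        "hex-chained": hashlib.sha512(md5.hexdigest().encode("ascii")).hexdigest(),
        # Assumption 2: the raw 16-byte MD5 digest is hashed again.
        "raw-chained": hashlib.sha512(md5.digest()).hexdigest(),
    }


def match_passkey(candidate: str, stored_passkey: str):
    """Return the chaining under which `candidate` produces the stored passkey,
    or None if it does not match under either assumption."""
    stored = stored_passkey.strip().lower().encode("utf-8")
    for name, digest in passkey_variants(candidate).items():
        if hmac.compare_digest(digest.encode("ascii"), stored):
            return name
    return None


# Constructed sample values, not taken from any real panel.
SAMPLE_PASSWORD = "constructed-sample-password"
SAMPLE_PASSKEY = passkey_variants(SAMPLE_PASSWORD)["hex-chained"]

if __name__ == "__main__":
    # The plaintext password matches the stored passkey.
    print(match_passkey(SAMPLE_PASSWORD, SAMPLE_PASSKEY))
    # Submitting the stored hash itself does not: it gets hashed a second time.
    print(match_passkey(SAMPLE_PASSKEY, SAMPLE_PASSKEY))
```

A candidate that matches is also, per the description above, the XXTEA key for data/droplist.txt.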
When you double-click on an item:
I wonder how many ZeuS/Carberp/SpyEye/phishing guys use this crap.