
Wednesday 18 June 2014

Guerrilla marketing on Twitpic targeting Android devices

In this blog post we describe a new method we observed that tries to trick Android users into buying subscriptions. The guerrilla marketing tactics caught our attention because this week several people complained about Twitpic serving malware. We decided to investigate a little further and were eventually able to reproduce the supposed 'malware' and capture its behaviour.

First things first: although several people reported downloading malware in the form of an APK file, we were not able to reproduce that. We were, however, able to reproduce a rather nifty full-page redirect from twitpic.com to a landing page where several tactics are used to trick the user into clicking specific links and eventually acknowledging the purchase of a subscription worth €5 a week.

The story starts with a visit to twitpic.com. Twitpic is a well-known and frequently used platform for sharing pictures on Twitter. Once a Twitpic link is opened, the screen below appears after 3 seconds, making the average Android user think that WhatsApp is interfering and that an update for it is available.


What is actually happening?
While visiting twitpic.com the site loads a lot of ads. One of them is served by AppNexus. In our case this ad made a connection to ams1.ib.adnxs.com, which in turn loaded a page from track2.buyfaq.com/300x250.html. This supposed banner contains the following HTML code:



The banner loads an iframe, which in turn is fetched from http://mt.moneyandroid.com/topic/mobi/mcenter.php?aid=98&ext=6
This mcenter.php?aid=98&ext=6 page checks the User-Agent of the visiting client and the screen width in use. If the User-Agent does not match that of an Android device, or the screen width does not match that of an Android device, it skips the JavaScript part shown below and only serves the HTML content. In our case, using an Android device, it serves the HTML plus the JavaScript code shown below:


The page http://mt.moneyandroid.com/topic/mobi/download.php?i=[string] answers with an HTTP/1.1 302 Moved Temporarily whose Location is:
http://app-update.whatsapp.com.earic.com/topic/whatsapp/white.php?lp=1&aff_sub3=NL_[TmobileNetherlandsbv]_3_a90_v22_2014-06-15
In the JavaScript code several functions are set up. A setTimeout call waits 3000 milliseconds and then runs a function that fires a click event on the HTML a-element, which makes the browser load the href URL. That request receives the HTTP/1.1 302 Moved Temporarily response with the new URL, and the browser of the Android device follows it, taking over the previous Twitpic page. After the redirect the image below appears.



As the pop-up above shows, WhatsApp supposedly needs an update. The domain used seems to be app-update.whatsapp.com..., very trustworthy. The "OK" button can be pressed, and a countdown starts, as shown below:
If you look closely at the domain you will see that it is not "app-update.whatsapp.com" but "app-update.whatsapp.com.earic.com". Earic.com is an educational website; it is not clear whether this domain is hijacked, hacked or willingly cooperating. Obviously the real whatsapp.com domain is not involved in any way: the crooks just want us to think it is, so that the page looks trustworthy. The browser only ever connects to the registrable domain at the end of the hostname, here earic.com; everything in front of it is a subdomain the owner of earic.com can name freely.
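The cloaking check and the lookalike domain described above, modelled in Python as an added example (not code from the original post): serves_payload stands in for the User-Agent/screen-width test in mcenter.php (the 800px cut-off is an assumption, the page only says "screen width of an Android device"), follow_chain walks the captured 302 chain (the download.php query string is elided on the page as [string] and stays elided here), and registrable_domain/spoofs_brand show why app-update.whatsapp.com.earic.com is earic.com's page and not WhatsApp's. The two-label registrable-domain rule is an assumption that holds for .com but not for suffixes such as .co.uk, where a public-suffix list is needed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the redirect chain the post describes, keyed by
# requested URL -> (status, Location). The download.php query string is
# elided on the page ('[string]') and is kept that way here.
CAPTURED_CHAIN = {
    "http://mt.moneyandroid.com/topic/mobi/download.php?i=[string]":
        (302, "http://app-update.whatsapp.com.earic.com/topic/whatsapp/white.php"
              "?lp=1&aff_sub3=NL_[TmobileNetherlandsbv]_3_a90_v22_2014-06-15"),
}

ANDROID_UA = re.compile(r"\bAndroid\b")


def serves_payload(user_agent, screen_width, max_width=800):
    """Model of the server-side cloaking in mcenter.php: only an Android
    User-Agent on a phone-sized screen gets the JavaScript that fires the
    delayed click; desktop browsers, crawlers and curl get plain HTML.
    The 800px cut-off is an assumption, not a value from the page."""
    return bool(ANDROID_UA.search(user_agent)) and 0 < screen_width <= max_width


def follow_chain(start, responses):
    """Walk a captured chain of 3xx responses and return every URL visited."""
    visited = [start]
    url = start
    while url in responses:
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        if location in visited:
            raise ValueError("redirect loop at %s" % location)
        visited.append(location)
        url = location
    return visited


def registrable_domain(url):
    """The domain the browser actually talks to: the last two labels of the
    hostname. Assumes a single-label public suffix such as .com."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def spoofs_brand(url, brand_domains):
    """True when a trusted brand domain appears inside the hostname but is
    not the registrable domain, e.g. whatsapp.com in ...whatsapp.com.earic.com."""
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(url)
    return any(brand in host and owner != brand for brand in brand_domains)


if __name__ == "__main__":
    phone_ua = "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36"
    print("android phone gets payload:", serves_payload(phone_ua, 360))
    print("curl gets payload:", serves_payload("curl/7.35.0", 0))
    chain = follow_chain(next(iter(CAPTURED_CHAIN)), CAPTURED_CHAIN)
    print("\n -> ".join(chain))
    print("lands on:", registrable_domain(chain[-1]),
          "| spoofs whatsapp.com:", spoofs_brand(chain[-1], {"whatsapp.com"}))
```

When reproducing such a chain with curl, send an Android User-Agent; with a desktop User-Agent mcenter.php serves only the harmless HTML, which is exactly why the original reports were hard to confirm.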

Once you click the "Download now" button the webpage below is shown.


Here the subscription is described in small letters; at the top the subscription cost of 5 euros is displayed, and below it says that you automatically become a member. Users who don't read carefully will just press the download button to install what they believe to be the WhatsApp update.
Once you press the "Download" button, the following page is displayed:


Your mobile number is filled in automatically (the aff_sub3 parameter in the redirect URL already identified the carrier as T-Mobile Netherlands, so the number presumably comes from the carrier's header enrichment of mobile traffic) and you just have to press the "Continue" button. Once "Continue" is pressed, an SMS text message containing a verification link is sent to the phone. Once that link is clicked the subscription is confirmed and you will be charged 5 euros per week.

Friday 16 May 2014

International (ongoing) BlackShades customer raid - summary

Rumours within the cybercrime underground started to appear in early May about people getting arrested and their equipment being seized. Nothing uncommon so far, except that this time more and more people came forward, all with the same story, from all over Europe. At one point people even started posting 'proof'. Convincing proof.
If it all turns out to be true, we are witnessing one of the biggest international raids ever related to cybercrime.

Below is a summary of what the uproar is about. It contains user posts on different, unrelated forums, the 'proof' users posted, some news articles that could be related and, probably most convincing, a domain seized by the FBI.

The domain bshades.eu went offline on Wednesday. According to its WHOIS information the domain has been seized by the FBI:


Most of the uproar is on hackforums.net, where a dozen topics have been started, some with more than 70 pages of comments and more and more people showing up saying they were hit by the raid.
The image below shows a Dutch hackforums user saying he was a victim of the raid.

On this Belgian forum a user tells his story in Dutch.

He even posts some proof; the most important sentence is: "Uw betrokkenheid inzake de aankoop, het bezit, de verspreiding en het gebruik van hackertools (Software om computers van derden te misbruiken)"
Translated: "Your involvement in buying, possessing, spreading and using hacker tools (software to abuse third parties' computers)."

The officer who signed the document is indeed, according to his LinkedIn profile, an ICT investigator.

This user from Finland posts another piece of 'proof'.
According to Mikko Hypponen this translates to: "It's a warrant for search and seizure, related to 'importing Blackshades XXXX' into Finland."

Below is a picture from someone claiming the police are in front of his house with a search warrant regarding BlackShades; as proof he posts this picture.

Here's a German user posting evidence of his arrest:

Another German person posting his comments:

And the last one: a Dutch user talking about his arrest on a Dutch forum.

Then the newspapers. Most remarkable is that only the French outlet RTL seems to have inside information. They reported on a raid going on in France, with 70 search warrants (!!) in France alone, related to the use of the BlackShades malware.

The Dutch police decline to comment.

But most fascinating is this article from Reuters: "REUTERS SUMMIT-FBI plans cyber crime crackdown, arrests coming in weeks".
It says: "expects to announce searches, indictments and multiple arrests over the next several weeks, the agency's official in charge of combating cyber crime said on Wednesday."

What connects all these arrests is the BlackShades RAT. Most users say they once bought the BlackShades RAT and that this is why they are being arrested now.

If all of the above is true we are only seeing the tip of the iceberg, and are probably witnessing one of the biggest international raids ever related to cybercrime.

UPDATE #1:

The Dutch person provided me with some evidence.
According to the paperwork the investigation in the Netherlands is called "Rouwmantel".

Monday 24 June 2013

DNS amplification DDoS attacks, booter services and who's behind them.

Lately DNS amplification DDoS attacks have drawn a lot of attention, especially since CloudFlare dedicated several blog posts to them (here and here) and the StopHaus movement almost broke the internet with it.

DNS amplification attacks
DNS amplification attacks work by sending a UDP packet with a spoofed source address to an open recursive DNS resolver. The resolver answers the request to the source address of the packet; since that address is spoofed, the answer goes to the target of the attack. What makes this attack so effective is that the UDP packet sent is small, while the packet returned by the DNS server is large. This way the attacker amplifies the traffic that eventually hits the target, hoping it cannot handle the volume and stops responding.
Another benefit of this attack, for the attacker, is that it is very hard to trace its origin. Botnets are often used in DDoS attacks, but in this attack even the bots it comes from are masked, because the target only ever sees the resolvers' addresses.
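To make the size difference concrete, here is an added Python example (not from the original post) that builds the DNS query packet an attacker would send with a spoofed source, byte for byte, and divides the response size by the query size. It also parses lines written in the notation of the statistics list further down, assuming that 'e' in the flag column stands for an EDNS0 OPT record and 'd' for the DO bit; the page does not define that notation. The response sizes in the sample are the ones quoted on this page (3433 bytes for isc.org ANY, 20714 for mydnsscan.us, 8235 for nukes.directedat.asia); which query type produced the 8235-byte answer is not stated, so ANY is assumed.

```python
import struct

QTYPE = {"a": 1, "txt": 16, "any": 255}
QCLASS = {"in": 1, "ch": 3}


def encode_name(name):
    """DNS wire encoding of a name: length-prefixed labels ending in a zero
    byte. The root '.' encodes as a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype="any", qclass="in", edns=False, do=False,
                udp_payload=4096, txid=0x1234):
    """Build the UDP payload sent (with a spoofed source) to an open resolver.
    qtype may also be a raw number such as 256 (shown as 'type256' on the page)."""
    type_code = qtype if isinstance(qtype, int) else QTYPE[qtype.lower()]
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT present
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", type_code, QCLASS[qclass.lower()])
    pkt = header + question
    if edns:
        # OPT pseudo-RR: root name, type 41, 'class' = advertised UDP payload
        # size, 'TTL' = ext-rcode/version/flags with DO (DNSSEC OK) as top bit,
        # RDLENGTH 0. The large payload size is what lets the resolver send a
        # multi-kilobyte answer over UDP instead of truncating it.
        pkt += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x8000 if do else 0, 0)
    return pkt


def parse_record(line):
    """Parse one line in the page's notation, e.g. 'isc.org in any +ed 1158923'.
    Assumption: 'e' in the flag column means an EDNS0 OPT record and 'd' the
    DO bit; the page does not define the notation."""
    qname, qclass, qtype, flags, count = line.split()
    if qtype.startswith("type"):
        qtype = int(qtype[4:])
    return dict(qname=qname, qclass=qclass, qtype=qtype,
                edns="e" in flags, do="d" in flags, count=int(count))


def amplification(line, response_bytes):
    """Bytes the target receives per byte the attacker sends, counting the DNS
    payload only (IP and UDP headers on both sides are ignored)."""
    r = parse_record(line)
    q = build_query(r["qname"], r["qtype"], r["qclass"], r["edns"], r["do"])
    return response_bytes / len(q)


if __name__ == "__main__":
    # Response sizes are the ones quoted on this page (constructed pairing).
    for line, size in [("isc.org in any +ed 1158923", 3433),
                       ("mydnsscan.us in any +e 3", 20714),
                       ("nukes.directedat.asia in any +e 2", 8235)]:
        r = parse_record(line)
        q = build_query(r["qname"], r["qtype"], r["qclass"], r["edns"], r["do"])
        print("%-36s %2d bytes sent, %5d back: x%.0f" % (line, len(q), size, size / len(q)))
```

Sizes here count the DNS payload only. The dig run further down this page received a truncated answer and fell back to TCP; an amplification attack only works when the resolver returns the full answer over UDP, which is what the 4096-byte payload size in the OPT record asks for.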


Statistics
To gain more insight into this kind of DDoS attack, I decided to collect as much data as possible to build a decent set of statistics. In one month I collected 1,244,584 attacks and extracted their details.
Below are the different records I've witnessed (query name, class, type, flags and the number of times seen):

isc.org in any +ed 1158923
. in any +e 39651
version.bind ch txt + 405
ripe.net in any +e 125
directedat.asia in any +e 55
. in type256 +e 50
169a41e5.openresolverproject.org in a + 11
www.google.com in a + 10
dnsscan.shadowserver.org in a + 6
nukes.directedat.asia in a +e 6
isc.org in any + 5
amazon.com in a + 5
directedat.asia in a +e 4
isc.org in any +e 4
google.com in a +ed 3
mydnsscan.us in any +e 3
ripe.net in any + 3
. in any + 2
nukes.directedat.asia in any +e 2
ddostheinter.net in a +e 2
ya.ru in a + 2
ddostheinter.net in any +e 2
directedat.asia in a + 2
nasa.gov in any + 2
77bytelee.co.uk in txt +e 1
a1607665836p49394i23167.d2013052812000114314.t6014 1
google.com in a +e 1
ripe.net in any +ed 1
google.com in a + 1
www.ru in a + 1
A list of targeted hosts can be found here.

Who's behind this?
Obviously "isc.org in any +ed" is by far the most used record; not much creativity there. By sending a very small "dig ANY isc.org @dns-host" you get a 3433-byte response that goes straight to the target. Note that in the capture below dig received a truncated UDP answer and retried over TCP; the attack relies on the resolver returning the full answer over UDP, which requires the query to advertise a large enough EDNS0 payload size:
root@ubuntu:~# dig ANY isc.org @8.8.8.8
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.1-P1 <<>> ANY isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:

;; QUESTION SECTION:
;isc.org.                       IN      ANY
;; ANSWER SECTION:
isc.org.                7200    IN      RRSIG   SPF 5 2 7200 20130719232951 20130619232951 50012 isc.org. Q8n5F9ZucnRaYw762EghVeq9NLLFN4tuAvJZTue/spQJUnRKcM5WuwR4 F8FuEh55EbIs5YxnrG2LbDmEJDOBh0aER+lE6Ts8TdCyZoTVylSf0kmr tmzf0r80Q5xBOdPMfsSARNxWrFDQr03r69IU0Lsp4EbneiM6wIiI7oyJ bz0=
isc.org.                7200    IN      SPF     "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org.                3600    IN      RRSIG   NSEC 5 2 3600 20130719232951 20130619232951 50012 isc.org.
...
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 23 23:56:27 2013
;; MSG SIZE  rcvd: 3433
pastebin: http://pastebin.com/mWQXYNQB

But looking closer, several domains are more interesting; the names of these five in particular draw attention:
directedat.asia: http://pastebin.com/wxF2EQq9
nukes.directedat.asia: http://pastebin.com/m6x6RMAU 8235 bytes
ddostheinter.net: -
mydnsscan.us: http://pastebin.com/mSTL4tZG 20714 bytes
dd0s.asia: http://pastebin.com/Jcxrq8wQ 2538 bytes

As can be spotted pretty quickly, the size and content of mydnsscan.us in particular make its malicious purpose obvious.

If we look at the name servers used, we see the following:
mydnsscan.us
ns1.mydnsscan.us -
ns2.mydnsscan.us 188.122.91.99
ns3.mydnsscan.us 188.122.91.99
ns4.mydnsscan.us -
ns1.directedat.asia 74.91.18.226
ns2.directedat.asia 74.91.18.226

directedat.asia
ns1.directedat.asia 74.91.18.226
ns2.directedat.asia 74.91.18.226

dd0s.asia
ns1.dd0s.asia 74.91.18.226
ns2.dd0s.asia 74.91.18.226

These three domains share one name-server IP address, 74.91.18.226, which links them together.
IP address 188.122.91.99 is of particular interest as it runs an fbi.gov IRC server, w00t w00t!

Turns out the guy behind this operation is 16-year-old ------ ----. Here's his Facebook[removed], Skype: [removed], another Skype: [removed], hackforums[removed], leakforums[removed] and, last but not least, his YouTube account[removed].
******, as he prefers to be called, is a talented guy who's very curious and interested in technology. Sadly, at this stage of his life he's focused on making money the wrong way. And that's probably why he runs many booter and stresser services, with, according to his own records, 10Gbps of capacity. Some examples are: Galaxy booter, Private booter, Versatile booter, apidown.com, var-dev.com, Dos Boss' DDoS service, Ethernal Booter and many more; according to some of his posts on hackforums he also owns a 4k botnet[removed].

Well ------, as I've done previously with a guy who owned a bitcoin-mining botnet: you can contact me and I will remove all of your contact details. You sure know how to reach me.

PS. I'm setting up a website that shows ongoing attacks in real time. Anyone willing to contribute can contact me. Shout-out to @DnsSmurf, who's doing similar things.

Tuesday 15 January 2013

Russian spies who communicated via YouTube unmasked.

For the first time since the end of the Cold War, Germany has publicly unmasked two Russian spies. The two, a married couple code-named Pit and Tina, real names Andreas and Heidrun Anschlag, received 100,000 euros a year from their secret employer, the SVR, the former KGB. Despite negotiations with the Russian government the trial against them will go ahead, because Russia failed to show up during the negotiations. Both were arrested in October 2011. The recruitment of Raymond Valentino Poeteray, an employee of the Dutch Ministry of Foreign Affairs, is considered their biggest success: he sold them top-secret NATO documents.

The suspects' home in Marburg-Michelbach.

Raymond Valentino Poeteray


Secret messages via YouTube
The couple used, among other things, YouTube accounts to communicate. Both accounts are still accessible. The accounts seem to have a soft spot for the footballer Cristiano Ronaldo and only comment under videos that are watched a lot and have a great many comments. At first sight the comments don't reveal much of interest, but the messages will undoubtedly have to be deciphered. The account cristianofootballer always posts a long message, whereas the account Alpenkuh1 posts only a single sentence each time. Although the couple passed themselves off as refugees from South America with Austrian passports, the account cristianofootballer lists "Russia" as its country and Alpenkuh1 "Germany". This is striking because the couple never revealed any connection to Russia to the people around them.
Who is able to uncover the secret messages?


Tuesday 4 September 2012

Stembreker.nl, the key to a coup!

Bang, there is G500, the new party with leader Sywert van Lienden and his loyal followers, fired up by Sywert's youthful fanaticism. And while digital voting computers have been debated for years, Sywert just throws an app online that will decide what you are going to vote!
And yes, all of that through your browser at home, via his app, into his database and through his algorithm that will decide what you should vote! Well, trust: we have that in Sywert, don't we.

Let me say this first: we need people like Sywert. That's how we make leaps forward. Where people have been debating digital voting for years, Sywert simply introduces it single-handedly. Just because he thinks it's time, and because it wins him votes. Because where are votes to be won? Exactly, behind the screen these letters appear on.

Anyway, you win some, you lose some. Below are the snags in this application.

The application uses HTTPS, which is good! However, the application hides behind CloudFlare (and is therefore of course impossible to find *cough* *cough* 31.*.103.144). Nice stuff, CloudFlare, but as an SSL solution it offers only one option, and that is a classic man-in-the-middle setup (shown below).



The traffic between CloudFlare and the client is encrypted, but CloudFlare decrypts it in order to inspect the content. And that is where a problem arises. CloudFlare thus has access to all data sent through the application; it can read and manipulate it. If CloudFlare can, the American government certainly can. Do we want that?

Fortunately, the traffic from CloudFlare to the server in the Netherlands does go over SSL again, the "Full SSL" option CloudFlare offers, as can be seen below:


Apart from that, one thing has been forgotten: the website is also simply reachable on port 80, without SSL. That naturally offers a few conveniences for breaking into the server, among others:

The webmail:


The phpMyAdmin:


And another webmail:


And yet another webmail:


The voting advice is also sent by SMS. And an SMS can of course simply be spoofed!

We must not forget that some thought has gone into security: a phone number and a password are used, a captcha appears, which makes automated registration impossible (let's conveniently forget the captcha-solving Chinese for a moment), and finally a code that appears on the phone has to be entered for verification. Security measures that seem to serve a purpose.

But what exactly are the developers doing with all these pages? https://stembreker.nl/test.php
https://stembreker.nl/login_form/
https://stembreker.nl/export/
https://stembreker.nl/temp/
https://stembreker.nl/phpMyAdmin/changelog.php
https://stembreker.nl/heartbeat/
https://stembreker.nl/config/
https://stembreker.nl/advies/
And let's forget this one entirely:
Anyway, hidden behind CloudFlare, so here is the port scan of the server 31.*.103.144, which is of course 'just' a random IP... ;)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp closed smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s

Now, that's a fair amount of bashing of this app. But that doesn't make the whole idea any less interesting! People like Sywert enrich society, and without such types we'd stand completely still. Sywert, thumbs up!

PS.
Props, of course, to Paul, Richard and Daniel for the nice app!

Tuesday 21 August 2012

Source code of Management System used for Dorifel/Citadel

I stopped publishing my findings on the Dorifel/Citadel servers because most of my goals have been achieved and because people started messing with my findings (logging in to people's bank accounts, violating their privacy, etc.).

But since other companies are still on the hunt I'd like to share some interesting information with them.

Here's the source code of the management system. It manages the donkeys/money mules, exploits, sellers, infections and browser versions. It gives you an insight into the database structure and file structure, which can be of great value in further investigation.



Source code can be downloaded here.

Friday 10 August 2012

Complete details of the Dorifel servers, including its 'master' server in Austria


Below are my findings on the two servers used in the (targeted) attack, which mainly took place in the Netherlands.

We have two near-identical server setups; their IP addresses are:
184.22.103.202 (Domain: reslove-dns.com)
184.82.162.163 (Domains: 10ba.com, windows-update-server.com, wsef32asd1.org, dns-local.org)
Both are hosted within AS21788

From now on I consider both IP addresses as one server, or both as proxies in front of it.

Both have the following ports open:
PORT      STATE    SERVICE              VERSION
22/tcp    open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp    open     http                 nginx 0.7.67
111/tcp   open     rpcbind (rpcbind V2) 2 (rpc #100000)
545/tcp   open     http                 Apache httpd 2.2.16
2407/tcp  open     http                 Apache httpd 2.2.3 ((CentOS))
2408/tcp  open     http                 Apache httpd 2.2.3
41666/tcp open     status (status V1)   1 (rpc #100024)

The SSH host keys are:
 | ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
 |_ 2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Googling both of them brings up this page, presenting another IP address and domain name to investigate: 184.22.62.88 with the domain passget.com (date: 2011-10-26 04:22). This time SSH runs on port 222 instead of 22.
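The host-key pivot used above, as an added Python example (not from the original post): it parses nmap ssh-hostkey output for several endpoints and groups them by fingerprint, so that an identical key on different IPs or ports surfaces automatically instead of via a search engine. The sample scan is constructed: the first two hosts and their fingerprints are the ones listed above, 184.22.62.88:222 is included with the same keys on the assumption that this is what the search matched on, and 203.0.113.10 is a made-up unrelated host. A shared host key means the same machine, the same proxy, or the same cloned image sits behind the endpoints; it is an indicator to follow up, not proof on its own.

```python
import re
from collections import defaultdict

# Constructed sample in nmap -sV --script ssh-hostkey style (see lead-in).
SCAN = """
Nmap scan report for 184.22.103.202
22/tcp    open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Nmap scan report for 184.82.162.163
22/tcp    open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Nmap scan report for 184.22.62.88
222/tcp   open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Nmap scan report for 203.0.113.10
22/tcp    open     ssh                  OpenSSH 6.6.1p1 Ubuntu (protocol 2.0)
| ssh-hostkey: 2048 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff (RSA)
|_256 ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 (ECDSA)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+ssh")
KEY_RE = re.compile(r"(\d+) ((?:[0-9a-f]{2}:){15}[0-9a-f]{2}) \((\w+)\)")


def parse_hostkeys(text):
    """Return {(host, port): {(bits, fingerprint, keytype), ...}} from nmap
    normal output. Keys are attributed to the most recent host/port seen."""
    keys, host, port = defaultdict(set), None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, port = m.group(1), None
            continue
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            continue
        m = KEY_RE.search(line)
        if m and host and port:
            keys[(host, port)].add((int(m.group(1)), m.group(2), m.group(3)))
    return dict(keys)


def shared_hostkeys(keys):
    """Group endpoints by fingerprint and keep only fingerprints seen on more
    than one endpoint: the pivot that links 184.22.62.88:222 to the pair."""
    by_fp = defaultdict(set)
    for endpoint, fps in keys.items():
        for _, fp, _ in fps:
            by_fp[fp].add(endpoint)
    return {fp: sorted(eps) for fp, eps in by_fp.items() if len(eps) > 1}


if __name__ == "__main__":
    for fp, endpoints in shared_hostkeys(parse_hostkeys(SCAN)).items():
        print(fp, "->", ", ".join("%s:%d" % ep for ep in endpoints))
```

Feed it the saved nmap output of every host in an investigation; fingerprints from other sources (SSH banner scans, Shodan-style datasets) can be added as extra "Nmap scan report" stanzas in the same format.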

Directory listing of 184.22.103.202 and 184.82.162.163 (nginx/0.7.67 PHP/5.3.3-7+squeeze13):
/index/
/icons/
 |_/small/
/www/
 |_/images/
 |_/secure/ (Fragus login)
       |_/files/ (virus binaries)
               |_23 (Virustotal)
               |_24 (Virustotal)
               |_25 (Virustotal)
               |_26 (Virustotal)
               |_27 (Virustotal)
               |_28 (Virustotal)
               |_29 (Virustotal)
               |_30 (Virustotal)
               |_31 (Virustotal)
               |_32 (Virustotal)
       |_/templates/
               |_/english/ (Fragus login)
/web/
 |_/mak/
/doc/
/cgi-bin/
/img/
/uk/
/jump/
/ssl/
 |_ /milk/ (phpMyAdmin)
 |_/billk/
/bl/
/gl/
/ppp/ (password login)
 |_/css/
      |_/css/
      |_/ajax/
 |_/img/
 |_/data/
 |_/install/
      |_/install/
 |_/temp/
      |_/stat/
      |_/options/
      |_/temp/
      |_/config/
 |_/script/
      |_/script/
 |_/ppp/
      |_/bd/
      |_/card/
      |_/bot/
      |_/priv/
      |_/del/
      |_/c2txt2c/
      |_/virustxt/
      |_/govtxt/
      |_/xls/
      |_/searchform/
      |_/convertxtodvd/
      |_/intellitxt/
      |_/1txt1/
      |_/search_txt/
      |_/pictlogotxt110x60/
      |_/1txt2/
      |_/1txt3/
      |_/login_txt/
      |_/customnews_txt/
      |_/password_txt/
      |_/robots-txt/
/ver/
/vox/
/mak/
/server-status/

Three interesting finds here. Apparently Fragus is used for administering the bots. Screenshot of the login:

phpMyAdmin is used with only three languages installed (en-US, en-UK, ru-RU), screenshot below:

And the last one is a login with only a password field, screenshot below:

A complete backup of the files can be found here: http://www.sendspace.com/file/ak8q2f
But please remember everything is full of viruses, so be careful.

I will keep updating this blog.

Update 0:18:
Pretty soon after posting this blog both IP addresses stopped displaying any HTML at all, even though the servers themselves are still up, which indicates that they are just proxies.

Update 2:12
Discovered that these three domains once pointed to this same server; Google has some good cached pages:
handicaptaskprint.info (registered 10/7/2012) 149.154.154.47
intermediatedefragger.info (registered 26/7/2012) Undefined
onesizefitsallnik.info (registered 10/7/2012) 149.154.154.47

Here we have just one IP address, 149.154.154.47, which once hosted the domain lertionk13.be.
This domain was registered by Elsakov Oleg using the email address thefirstweek@yandex.ru.
The name Elsakov Oleg points to yet another domain, bank-auth.org, which has an A record pointing to 158.255.211.28.
These two domains are connected to the "Police Trojan". More details here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf

If you look closely at the files and types of malware used by this gang you'll see everything matches. They make the same directory-listing mistakes over and over and use exactly the same files, so this can be considered their fingerprint.

The gang registered a certificate for https://bank-auth.org on 1-8-2012, so they are probably planning to do something valuable with the website, which is running a default installation for the time being.
Update:
Oh well, I think we're pretty close to the source now.
Let's investigate this bank-auth.org domain further. It resolves to 158.255.211.28.
The first thing that pops up when we look at this machine: Apache/2.2.16 (Debian) Server at 158.255.211.28 Port 80.
That same Apache version on Debian again. I don't know why they use this version all the time, but one thing is for sure: they know nothing about directory listing, so I'm mirroring their site again....
And because this time I have ALL the logs, I'll make sure the right people receive them as well!
I will upload a mirror of the site later, admin passwords included.


I've made an online backup of the admin panel here, with all the original data.
This could be the IP address of the Russian owner: 188.187.144.152. Not sure though. But this 'person' is also known as Ozgur Morkan and according to his IBAN number he's from Turkey. If we look at this page we'll see the Russian IP address 188.187.144.152 involved in another kind of scam, this time with the owner known as Olga: http://www.anti-scam-forum.net/showFullThread_1288628426.htm

Further investigation reveals that the https://bank-auth.org domain, with its valid certificate, is used for injecting malicious code into the victim's browser. Several warning messages show that the criminals are not native Dutch speakers:

"Om technische redenen, het internet bankieren dienst is tijdelijk niet beschikbaar, gelieve in te loggen in 24 uur" (in broken Dutch: "For technical reasons, the internet banking service is temporarily unavailable, please log in in 24 hours")
Since the files found on the server are all in Dutch, the Dorifel campaign can be considered a targeted campaign against the Netherlands. It's a good example of the capabilities of Citadel, which was used to spread Dorifel.

Directory listing of https://bank-auth.org:

/
/index/
/cgi-bin/
/7/
/icons/
/www/
/p/
 |_dns.php
 |_ing.php
 |_ing2.php
 |_jys.php
/ca/
 |_/admin/
/javascript/
/inc/
/abc/
 |_inc.php
 |_sig1nl
 |_sig2nl
 |_sig3
 |_waitnl
/phpmyadmin/
 |_/themes/
/ing/
 |_inc.php
 |_tan1.txt
 |_wait
 |_wait.txt
/sns/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait
/abn/
 |_inc.php
 |_sig1
 |_sig2
 |_sig3
 |_wait

/rabo/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait

index.php
7.php
www.php
inc.php
sns.php
abn.php


PS.
I've already been convicted of hacking, though I never tried to steal a penny. These guys have never been convicted. For me it's now very, very hard in the security industry (banks, for example, are out of the question). Yet I stay on the right side. But that's probably because I'm such a bad, bad boy!