August 2005

An Online MD5 Hash Database

MD5 Hashes protect a verity of content types such as in the case of pass phrases, session ids, etc the logic behind it is that to compute an equivalent of MD5 of all possible plain text would be a computational nightmare.

This computational nightmare has been brought one step closer to becoming an hackers’/crackers’ best friend with the introduction of the “Online MD5 Hash Database“. The Online MD5 Hash Database does exactly as it names says, stores in excess of 12 Million different MD5 values and their corresponding plain text equivalents.

How good the engine you say? will it was able to crack this MD5 Hash in near “real-time”: 1870a829d9bc69abf500eca6f00241fe (wordpress). How did it do it? well it some user has inputted the word wordpress into its Hash database.

I did the same for the words: security (e91e6348157868de9dd8b25c81aebfb9), securiteam (1d167077e74e969b9b7d34b2d901d697) and SecuriTeam (0a6b8933fcc5ea8234d49769de76cddc).

Smells FISH(y)

I’m an administrator of a VPS (Virtual Private Server). A few days ago I noticed something weird on the VPS : a weird process running a Perl script, that redirects its output to the O mighty black hole: /dev/null. The prompt variable of Bash (PS1) was set to be empty and the script itself was written like a VBA code (without indentation or line breaks). When I made a quick glance at the script, I saw that one Regex inside was looking for a command such as rmdir (for example), and it will unlink a directory.

Sounds like a back door that someone wrote, and all that it needs now is to open a shell for you and get over with it …

Well NO! This script was used by KDE (in this case) for simple SSH connection, that mimics the behavior of sftp, but over a simple ssh connection. The owner of the VPS used the KDE’s way (Konqueror ?) to login into the server… and KDE installed the script for the user.
Now when the user logged in, the commands “users” and “who” will not show you the user itself (“who -a” will show something, but not who is the user or the IP of the connected user). “last” also will not give you much information about the login, and if you try to hide the process, then even “ps” will not help (I first saw that issue using ps)…
Oh btw the script also read and wrote information to and from /var/log/messages.

BTW, this script implements the FISH protocol.

How do I know that you ask? Well thats what the Perl script says 😛 .
It seems that KDE (and other clients) try to help their users by implementing a sftp like actions without leaving the ssh client.

Sounds cool ? well I guess so… but then again, it IS a back door. That is if someone will be able to make the “server” talk with him without any need for authentication.

People should stop being lazy, and start using the right tool for the right job. Using FISH, can be exploited the same way that rlogin, telnet and NULL Session are .