Jul 27, 2013

The Wlinkster hacking | How it was hacked

After coming up with a post on the negative publicity of Wlinkster, I have generated a few haters (who happen to be the same as the founders and people associated with Wlinkster). At the same time, what I have also been blessed with are a few sincere readers. I have been contacted by the founder Sagar Rana, many times, the last message being the following (pardon his grammar) in many of my public posts (and they are getting marked as spam automatically by Facebook).
DELETE YOUR BLOG POST ABOUT "WLINKSTER" THIS IS THE LAST WARNING FOR YOU OR I WILL DO THE SAME AND THOUSANDS OF PEOPLE GONNA VIEW THAT INCLUDING YOUR PIC AND YOU FACEBOOK. I HAVE TOLD YOU MORE THAN 10 TIMES IF YOU WILL NOT DELETE THAT POST THEN BE READY FOR THE WORST THING OF YOUR LIFE THANKS. DON'T GET PERSONALLY WITH ME CEO / FOUNDER AT WLINKSTER SAGAR RANA
However, that is not the reason why I am writing this. I am writing this because I was contacted by the person who hacked Wlinkster. Naturally, he used a fake email and a good proxy before sending me the mail, and I don't think there is a way to get back to him. Let me just tell you what he has to say.


Hi Shaumik,

Thank you for taking my time. I need to explain my reasons behind the Wlinkster Hacking.

Hacking the website was very easy. Took me less than 2 minutes to find a hole within his site. In the section where you post a comment, you select the music upload. What I did, I uploaded a PHP script. Once I was able to execute the PHP script I made, I knew I will hack the website. I've written PHP code (which I have attached) and I was able to edit the website and delete the files. I copied the code and hid it within his website (I used ben10.php) and deleted the uploaded version. I also uploaded phpMyAdmin and also unzipped it to his postphotos directory. I was able to view his MySQL password on config.php.

My mission was to delete all the passwords because people were at risk. What I did first, I TRUNCATE members which deleted all the members and left a message on his website. Sagar had backup and the passwords were returned. But he lost 3,000 members from his last backup. Sagar, being a fake developer, had no idea what was happening and he changed the SQL password. I was able to read the new password and hacked again. This time, I updated all the passwords to something else.

Sagar never gives in. So, I started to hack his pages. I also placed warnings to warn others Sagar will not protect your passwords. I sent him warnings to protect the people but the man won't listen. He doesn't care about others' safety like I do. I ended up killing his site by entering 1777 to his website root directory (took him 24 hours to find out).

I only hacked it for the people. I was a victim once before and I want to stop people like Sagar Rana because he is a risk to bad hackers. Or access their email accounts with their passwords.

I have attached the database (with all the passwords deleted) and also the PHP script I have written for this project. Please don't abuse the database as I trust you.

Regards,

The Nice Hacker :o)

PS: Love your blog. Keep it up!
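The hole described in the email is an upload field meant for music that accepted a PHP file and stored it where the web server would execute it. The handler below is an added example of how such a field can be hardened; it is not the script attached to the email and not Wlinkster's code, and the field name `music`, the storage path and the size limit are assumptions.

```php
<?php
// Added example (not the site's code). Assumed names: form field "music",
// storage directory /var/app-data/uploads located outside the web root.
const UPLOAD_DIR = '/var/app-data/uploads';  // hypothetical; never served directly
const MAX_BYTES  = 10 * 1024 * 1024;         // 10 MiB, chosen for illustration

// Allowlist: MIME type detected from content => extension the server assigns.
const ALLOWED_AUDIO = [
    'audio/mpeg'  => 'mp3',
    'audio/ogg'   => 'ogg',
    'audio/wav'   => 'wav',
    'audio/x-wav' => 'wav',
];

function store_audio_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Accept only a temp file that PHP itself received over HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Detect the type from the bytes; ignore the client-supplied name and type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_AUDIO)) {
        throw new RuntimeException('Only audio files are accepted.');
    }
    // Server-generated name and extension, so "x.php" can never be stored as such.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_AUDIO[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640);  // owner read/write, group read, no execute bit
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['music'])) {
    try {
        echo 'Stored as ', store_audio_upload($_FILES['music']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Content sniffing alone can be fooled by a file that is valid audio and also contains code, so the parts that actually stop execution are the server-chosen extension and a storage directory the web server does not run scripts from.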

To prove that I have the database and the php script, I am attaching a picture here (removing the emails) which shows my details.


The script contains this comment at the start and contains some well-written PHP.
/*
So you have found this script. Took you a while.
PROTECT THE PASSWORDS!
Please stop spamming, Sagar! You're not good at this.
I have warned you.
*/
I would not be posting the script online.

Meanwhile, a friend of mine found another little vulnerability. Have a look at his blog.

Sagar Rana, if you are reading this, try and improve the security of your site rather than fooling around in Zuckerberg's posts and threatening others.

Update (29/7/13):
I received a reply to my email thanking me for this post. However, he had a concern. Let me just post his reply.

Hello Shaumik,

I hope you are well. Thank you for posting up the blog the other day. A good read.

I am letting you know Sagar has hacked someone else's website. http://fabinn.com

He left his signature "cybermaster217" on the website. I believe he used my hack code.

Please note, the hack was not done by me.

Regards,

The Nice Hacker


As for you Sagar, if it was indeed you, I think you should start working on improving your site's security first.
