Interesting Malware Uploaded to my File Hosting Website

I created my free file hosting website (awoo.cloud) a few months ago in order to learn more about setting up my own web server: configuring Apache, DNS records, editing HTML/CSS, etc. What I did not expect was how quickly self-proclaimed “hackers” moved into my site and started to upload malicious files. Within weeks I had over thirty HTML files and around ten PHP files that were either phishing pages or fake defacement pages.

An important note: I do not make it a practice to look at uploaded files, only those flagged by antivirus or that look suspicious. I analyze all of these in a secure lab environment. With that said, let’s look at some of the strange stuff I have encountered.

When I say fake defacement pages, this is what I mean:

http://puu.sh/AuIdG/8faa1975c5.jpg

I knew immediately why this hacker collective (if you could call them that) posted this HTML page to my site: it was so they could send it to their hacker friends, claiming they had somehow gained access to my website and uploaded their HTML page. In reality I allow anyone to upload files, so they did absolutely nothing to hack my website.

I even went a step further to confront them on Facebook:

http://puu.sh/AuIgs/9396f63dfb.png

I worded my message like this because I knew that if I was polite and did not sound too upset, they would be happy that I paid them any attention at all, and I was right:

http://puu.sh/AuIgU/bce909c860.png

A quick glance at this hacking group’s Facebook group showed all the usual signs of being run by egotistical hackers: Guy Fawkes masks, bragging about hacked websites, password dumps, and even promotion of their information security blog.

The InfoSec community likes to use the term “script kiddie” for these types of hackers, but I believe there should be a new classification for those who try to deceive others into thinking they are malicious hackers. It is a strange phenomenon for people to admit to crimes they did not actually commit, publicly on the internet, with their real name tied to their hacker name.

This happened with another hacking group that posted a very similar HTML page claiming they had hacked my site:

http://puu.sh/AuJxN/d6a076b03b.jpg

This “0N3R1D3R” actually took the time to put a hyperlink on the HTML page to his Facebook page, which was publicly viewable. It had pages upon pages of him bragging about his previous hacks with very little proof, and what appeared to be fake stolen credentials to make himself look more legitimate to his friends.

Again, I confronted him about it in a stern but polite way:

http://puu.sh/AuLYQ/998009fbd5.png

His response was an almost immediate block, followed by him restricting his timeline to friends only.

I found his Facebook quite amusing:

If you notice, his profile cover image is from the video game “Watch Dogs 2”, which is about futuristic hacking, probably very similar to what he tries to portray himself as being capable of. He also lists his hacking group as his workplace and gives his location, which matches the IP address that uploaded that HTML file.

It is easy to make fun of kids like this, but to be honest I feel bad for him; he and others like him obviously have a passion for information security, but they are completely misguided in how to pursue it. It is very likely some will end up in legal trouble, or their social media past will come back to haunt them when employers look them up.

This is why I feel it is so important to make a career in information security more attainable, especially for kids and young adults who feel the only way to further their passion is either by hacking people or by pretending to hack people in order to fit into the community. We live in a global society of hackers who seek recognition more than anything else, which is detrimental to the future of hacking, since nothing of value is produced from that mindset.

Not all of the files uploaded to my site have been unrelated to actual hacking; here are some examples of phishing pages that I have removed (these would never have worked regardless, because I blocked PHP execution for the uploaded files directory).

AOL phishing page (I found the “Hello” amusing):

http://puu.sh/AuIkY/1d9414572d.png

Dropbox phishing page for stealing email credentials (he needs to work on his graphic design):

Here is the associated PHP file for that phishing page:

I censored the email address because when I researched it, I found it belonged to a landlord in Milwaukee. It could be a compromised email account or it could be him, but I have no way to confirm.

More concerning uploads include what I have researched to be a webshell developed by Indonesian hackers and obfuscated in a simple but clever way to avoid antivirus detection:

The deobfuscated code can be found here: https://github.com/linuxsec/indoxploit-shell/blob/master/shell.php

One hacker even hid his code in a .jpg file in hopes of avoiding detection. What his code does, however, I have no clue, but I know it is obfuscated:

http://puu.sh/AzgQk/8a75265ab1.png
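Two defensive pieces tie the phishing and webshell uploads above together: the "blocked PHP execution for the uploaded files directory" mitigation, and a way to spot script content regardless of the extension it was uploaded under (including the code-in-a-.jpg trick). The script below is an added example written for this post, not the author's actual configuration or tooling. It assumes Apache 2.4 with AllowOverride enabled for the upload directory (so the dropped .htaccess is honoured), a POSIX userland with grep and od, and placeholder paths; the grep patterns are heuristics for the eval/base64/gzinflate wrappers that obfuscated webshells commonly use, so a hit is a reason to look, not proof.

```shell
#!/usr/bin/env bash
# Added example, not the post's own configuration or code. Assumes Apache 2.4
# with AllowOverride permitting .htaccess in the upload directory, and a POSIX
# userland with grep and od. All paths are placeholders.
set -eu

# Drop a .htaccess into the upload directory that refuses to execute or even
# serve script files: the PHP handler is removed for script extensions and the
# files are denied outright, so an uploaded webshell is dead on arrival.
harden_uploads_dir() {
  local dir="$1"
  cat > "$dir/.htaccess" <<'EOF'
# Uploaded files are data, never code (Apache 2.4 syntax).
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar
<FilesMatch "\.(php|phtml|php[3-7]|phar|cgi|pl|py|sh)$">
  Require all denied
</FilesMatch>
Options -ExecCGI -Indexes
EOF
}

# List uploads whose content looks like PHP or like the eval/base64/gzinflate
# wrappers obfuscated webshells use, regardless of extension. This is what
# catches a script hidden inside a ".jpg". -a treats binaries as text.
scan_uploads() {
  local dir="$1"
  grep -rlaE \
    -e '<\?php' -e '<\?=' \
    -e 'eval\(' -e 'base64_decode\(' -e 'gzinflate\(' \
    -e 'str_rot13\(' -e 'gzuncompress\(' \
    "$dir" 2>/dev/null || true
}

# Return 0 when a file's magic bytes match its image extension (or it is not
# an image at all), 1 when non-image bytes were uploaded under an image name.
check_image_magic() {
  local f="$1" ext magic
  ext=$(printf '%s' "${f##*.}" | tr 'A-Z' 'a-z')
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  case "$ext" in
    jpg|jpeg) case "$magic" in ffd8ff*)   return 0 ;; esac ;;
    png)      case "$magic" in 89504e47*) return 0 ;; esac ;;
    gif)      case "$magic" in 474946*)   return 0 ;; esac ;;
    *)        return 0 ;;
  esac
  return 1
}

# Usage: ./uploads-check.sh /var/www/awoo.cloud/uploads   (placeholder path)
if [ -n "${1:-}" ]; then
  harden_uploads_dir "$1"
  echo "## files with script-like content:"
  scan_uploads "$1"
  echo "## image names whose bytes are not an image:"
  find "$1" -type f | while IFS= read -r f; do
    check_image_magic "$f" || printf '%s\n' "$f"
  done
fi
```

The two checks are deliberately complementary: a JPEG with PHP appended after a valid header passes the magic-byte test but is caught by the content scan, while a plain text file renamed to .png is caught by the magic-byte test even if it contains nothing the scan recognises. Neither replaces the .htaccess; the server configuration is what makes an upload harmless, the scans only tell you who tried.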

I hope you enjoyed seeing some of the interesting files that I constantly have to remove from my file upload site; if anyone wants to help analyze any of these with me, please shoot me an email or a LinkedIn request.