NetPad eq MALWARE, was: LevCGI.coms NetPad 1.0.2 multiple vulnerabilities

[superpetz () hushmail com]

[SUPERPETZ MALWARE NETPAD & NETMASTER ALERT !]

           .++.
          |()()|
          | /\ |
          <<><>>
          //||\\
         ////\\\\
        /////\\\\\ 
        \\\\\/////
        /////\\\\\
        \\\\\/////
         \\\\////
          ''''''

(collect them all!!)

About Netpad:
-=---------=-

<selective juicy bits from from levcgi.com netpad.cgi readme>

" Yes, the rumors are true; you can use NetPad to hack other's web sites or plain out destroy them. As is the case with 
all of the NetMaster programs, so is this a hazardous tool and can be used for malicious fun at your own risk! Please, 
keep in mind that the following information should be considered for educational purposes only and using this program 
in any illegal manner is at your OWN discretion. I cannot and will not be held responsible for the foul use of this or 
any of my programs!

Now, let's get started with some basics on how web servers and hosting companies work. When you pay for hosting your 
site is on a server with often up to hundreds of other sites! Every user has their own main directory which is located 
at a specific system path. Sometimes it will look like "/home/sites/site24/web/" while other times maybe 
"/www/htdocs/www.domain.com/web/" or something along those lines. Nearly all CGI programs use those paths to 
dynamically create files on the fly as well as reference other needed bits of data. With that knowledge alone you are 
quite capable of dealing some pretty nasty damage!

Remember that when you are setting up NetPad you are required to enter the full path to your main directory. This is so 
you can open and edit the files successfully! But, now what if you were to enter in ANOTHER path instead of yours? Well 
quite simply, you could open up other files on the server, and yes you can even "edit" their files as well! Keep in 
mind this will vary greatly from server to server, but I have learned that many servers leave this in plain site to 
deal the damage with ease. Let's assume that your path is "/home/sites/site24/web/". Obviously by looking at that we 
can come to the conclusion most probably at least 23 other sites are being hosted on your server. So if you try 
entering "/home/sites/site23/web/" you will actually be opening up files for SOMEONE ELSE'S site! This is a great way 
to steal source code, when it normally would be forbidden.

But wait! It gets even worse! Many servers out there allow you to amend/edit files WITHOUT even giving them proper 
permissions! Normally a file must be set to CHMOD 777 if the server is to write to it on the fly, yet some servers out 
there do NOT do this and a file simply set at the standard 644 can be written to! This can potentially cause a big 
security loop-hole as anyone with a mischievous mind can take advantage of it! How you say? Simple! All you would need 
to do is change the path to that of another site on the server and open up their files. Once you have done so you can 
go crazy and edit their pages in anyway you desire!
But how do you know what their files are named you ask? By using your brain! Nearly every single web site is run off 
Apache software, and even more use an "index" file as your main file for each folder. So, when you are trying to hack 
into someone's site using NetPad and want the names of their files so you can play with their site, try starting with 
their index file. First try opening "index.html". If that doesn't work open "index.htm". Still no dice? Well try any of 
these until you get a match: index.cgi, index.pl, index.php, index.asp, index.jhtml, index.shtml, index.cfm... etc. The 
list can go on quite long but these tend to be the most popular choices!

If you are serious in your efforts to wreck havoc on the net, then you should do two things. First, NetPad is a package 
of a larger collection of webmaster tools called NetMaster. Get the full package first! You will be ready for nearly 
anything! You will be able to perform various tasks such as setting file permissions in the browser, uploading files, 
renaming, moving and deleting files and so on! The second thing you should do is think about respect and property. Many 
people spend a long time creating their websites and to many of them it is the milestone of their life; don't go around 
screwing with anyone's site whom you do not even know. Not only is it wrong, but it is illegal in most countries! Not 
only are you really pissing off people and crushing their creative outlet but you are risking jail time. The 
information I have provided was merely a means of education and to exploit many server insecurities 
in an effort to hopefully fix them and keep things more secure. If you are concerned with the security of your server 
confront them! you never know; maybe they will try and fix up their weak spots and keep your site in better hands!

In closing with using NetPad to hack I will state it is your own choice! Doing so can get you wound up in jail. I won't 
be crying for you! Your actions will bring on your own consequences so don't try and shift the blame on me! Think of it 
like this; would you want someone you don't know screwing your site up just because they found a new toy? I didn't 
think so... If you are going to risk getting kicked off your server and possibly go to jail ask yourself if it is worth 
it. "

ALERT DETAILS:
-=----------=-

Path Disclosure and Command Execution vulnerabilities discovered by fellow researchers b0iler(b0iler () hotmail com) 
and BrainRawt(brainrawt () hotmail com) are special features made by EVIL LEVCGI guy. Unfiltered input to open() 
function is special trapdoor for malicious guys to break webservers. Entire Netmaster suite is also for secret hacking 
of websites. BEWARE! DO NOT INSTALL THIS SOFTWARE! IT IS PURPOSELY INSECURE SO YOU CAN GET HAKKED!!

Vendor website: http://www.levcgi.com/

Chek out the following sites if you do not think LEV is a spooky guy:

http://www.taintedthoughts.com/
http://www.lordofdeception.com/
http://www.gothcities.com/

He spooks me all the way to heck!!

(that's all)


Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople