On 06-28-2017 I completed my research and alerted the hosting provider to the malicious site; they removed the site, so it no longer poses a threat.
In June of 2017, while researching ontools.net, I discovered the site was using vanity DNS name servers, ns**.salsa-cyber.net. The domain pulls up a site similar in style and layout to ontools, so my assumption became one of "I bet if I keep digging I'll find a connection". Sure enough, the page footer includes a mention of ontools.net, so there is definitely a connection here.
The next part here is a bit shady, and frankly was a bit accidental. A moment of "it's not really that simple, right?", but it absolutely was. The index page for salsa-cyber is a login page, protected by SSL, and appears very secure. But the person who set up the server failed to include a directive to disable directory indexing in the .htaccess file. Oops. So then began the process of directory browsing. It didn't take me long to find a GitHub file, README.md, which linked back to the repo the code had come from. This is where it gets really good.
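The missing piece the author describes is a one-line Apache directive. As an added example (not the configuration from the server in the post), here is an .htaccess fragment for an Apache 2.4 host that turns off directory listings and blocks direct requests for the repository metadata and database seed files that the crawl below shows sitting in the web root; it assumes the server allows `Options` and `FileInfo` overrides for that directory.

```apache
# Added example, not the site's own .htaccess. Assumes Apache 2.4 and
# AllowOverride Options FileInfo Limit for this directory.

# Without this, a request for a directory that has no index file returns
# an "Index of /..." listing of every file in it.
Options -Indexes

# Repository metadata, licence/requirements notes and the database seed
# file should not be reachable from the web root at all; deny them here
# as a second layer in case they are deployed anyway.
<FilesMatch "^(README\.md|_LISENSI\.txt|_REQUIREMENTS\.txt|.*\.mysql)$">
    Require all denied
</FilesMatch>

# A checked-out .git directory under the web root would otherwise serve
# the whole source history; answer 404 for anything beneath it.
RedirectMatch 404 /\.git
```

The listing in the Crawl Data section of this post is exactly what `Options -Indexes` prevents; the `FilesMatch` rule is belt-and-braces, since the seed file and README should be kept outside the document root in the first place.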
In the GitHub repo I found a .sql file containing everything one needs to import to use the app, and of course, since the app is username- and password-protected, there is a 'users' table. I found 3 users listed with hashed passwords:
First I tried to log in as admin, and the password had been changed from "admin" at some point. Not bad, Mr. k4l0nk, not bad. But the passwords for input and kasir1 were left at the default, so I was able to easily log in as them. Oops again. So by using simple discovery, I gained unauthorized access to the app on the server. Normally in security research you need, ABSOLUTELY NEED, permission before accessing an app. I did it accidentally and with little effort. The default password is never admin, just like X never marks the spot. So now I had access to the app, unauthorized of course. What to do next?
Since I was already in the cave, I decided to go spelunking. Unfortunately, in this case the app appears to be unused and not set up, so even with access there isn't much to report. The big use on this domain is related to the domain itself being vanity nameservers for a bunch of malicious domains, including some fake pharmacy sites and the aforementioned ontools.net. It also seems to be the nameservers for many less than reputable dating sites and adult content related sites.
Below I've included their code snippet, a few things I discovered on their site, and screenshots of the app.

Code Snippets
SALSACYBER.NET Copyright © 2016 by k4l0nk ::OnTools.Net::
DROP TABLE IF EXISTS `user`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `user` (
  `idUser` int(3) NOT NULL,
  `namaUser` varchar(30) DEFAULT NULL,
  `idLevelUser` int(2) DEFAULT NULL,
  `uname` varchar(30) DEFAULT NULL,
  `pass` varchar(35) DEFAULT NULL,
  `currentWorkstation` bigint(20) DEFAULT NULL,
  PRIMARY KEY (`idUser`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `user`
--

LOCK TABLES `user` WRITE;
/*!40000 ALTER TABLE `user` DISABLE KEYS */;
-- `pass` holds a bare 32-hex digest with no salt; 21232f297a57a5a743894a0e4a801fc3 is MD5("admin").
INSERT INTO `user` VALUES (7,'admin',2,'admin','21232f297a57a5a743894a0e4a801fc3',NULL),
(8,'input',3,'input','a43c1b0aa53a0c908810c06ab1ff3967',NULL),
(10,'kasir1',4,'kasir1','29c748d4d8f4bd5cbc0f3f60cb7ed3d0',NULL);
/*!40000 ALTER TABLE `user` ENABLE KEYS */;
UNLOCK TABLES;

Notable data
IP: 184.108.40.206
Host: thcservers.com
Cpanel: http://salsa-cyber.net:2082/

WHOIS data
Domain Name: SALSA-CYBER.NET
Registry Domain ID: 2059705752_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2016-09-18T18:43:12Z
Creation Date: 2016-09-15T20:52:10Z
Registrar Registration Expiration Date: 2019-09-15T20:52:10Z
Registrar: Name.com, Inc.
Registry Registrant ID: Not Available From Registry
Registrant Name: Whois Agent

Crawl Data
/config
/css
/font
/image
/img
/js
/less
/less
/sistem
/sistem/classes
/sistem/modul Cetak
/sistem/ajaxload.php
/sistem/aksi.php
/sistem/buka_kasir.php
/sistem/cek_login.php
/sistem/coba.php
/sistem/content.php
/sistem/index.php
/sistem/logout.php
/sistem/media.php
/sistem/menu.php
/sistem/menu2.php
/sistem/upgrade_check.php
/tools
/README.md
/_LISENSI.txt
/_REQUIREMENTS.txt
/index.php
/init-db-ahadpos2.mysql
/version.php

Screen Shots