salsa-cyber.net research

06-06-2017


In June of 2017, while researching ontools.net, I discovered the site was using vanity DNS name servers, ns**.salsa-cyber.net. The domain pulls up a site similar in style and layout to ontools, so my assumption became "I bet if I keep digging I'll find a connection." Sure enough, the page footer includes a mention of ontools.net, so there is definitely a connection here.

The next part here is a bit shady, and frankly was a bit accidental. A moment of "it's not really that simple, right?", but it absolutely was. The index page for salsa-cyber is a login page, protected by SSL, and appears very secure. But the person who set up the server failed to include the directive that disables directory indexing in the .htaccess file. Oops. So then began the process of directory browsing. It didn't take me long to find a GitHub file, README.md, which linked back to the repo the code had come from. This is where it gets really good.

In the GitHub repo I found a .sql file containing everything one needs to import to use the app, and of course, since the app is username and password protected, there is a 'users' table. I found 3 users listed with hashed passwords:

Using an online hash lookup (a so-called "hash decrypter"), I found that all 3 passwords had already been cracked. admin's password is "admin", input's is "input", and kasir1's password is... well, I think you can guess.

First I tried to log in as admin, and the password had been changed from "admin" at some point. Not bad, Mr. k4l0nk, not bad. But the passwords for input and kasir1 were left at the default, so I was able to easily log in as them. Oops again. So by using simple discovery, I gained unauthorized access to the app on the server. Normally in security research you need, ABSOLUTELY NEED, permission before accessing an app that isn't yours. I did it accidentally and with little effort. The default password is never admin, just like X never marks the spot. So now I had access to the app, unauthorized of course; what to do next?

Since I was already in the cave, I decided to go spelunking. Unfortunately, in this case the app appears to be unused and never fully set up, so even with access there isn't much to report. The big use of this domain is the domain itself serving as vanity nameservers for a bunch of malicious domains, including some fake pharmacy sites and the aforementioned ontools.net. It also seems to be the nameservers for many less than reputable dating sites and adult-content-related sites.

Below I've included their code snippet, a few things I discovered on their site, and screenshots of the app.

Code Snippets
SALSACYBER.NET Copyright © 2016 by k4l0nk ::OnTools.Net::
  DROP TABLE IF EXISTS `user`;
  /*!40101 SET @saved_cs_client     = @@character_set_client */;
  /*!40101 SET character_set_client = utf8 */;
  CREATE TABLE `user` (
    `idUser` int(3) NOT NULL,
    `namaUser` varchar(30) DEFAULT NULL,
    `idLevelUser` int(2) DEFAULT NULL,
    `uname` varchar(30) DEFAULT NULL,
    `pass` varchar(35) DEFAULT NULL,
    `currentWorkstation` bigint(20) DEFAULT NULL,
    PRIMARY KEY (`idUser`)
  ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
  /*!40101 SET character_set_client = @saved_cs_client */;

  --
  -- Dumping data for table `user`
  --

  LOCK TABLES `user` WRITE;
  /*!40000 ALTER TABLE `user` DISABLE KEYS */;
  INSERT INTO `user` VALUES
  (7,'admin',2,'admin','21232f297a57a5a743894a0e4a801fc3',NULL),
  (8,'input',3,'input','a43c1b0aa53a0c908810c06ab1ff3967',NULL),
  (10,'kasir1',4,'kasir1','29c748d4d8f4bd5cbc0f3f60cb7ed3d0',NULL);
  /*!40000 ALTER TABLE `user` ENABLE KEYS */;
  UNLOCK TABLES;
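The `user` table above exhibits the two weaknesses the write-up describes: passwords stored as bare, unsalted MD5 in a `varchar(35)` column (so a single online lookup per row suffices), and default passwords equal to the username. As an added example, not code from the author or from the app's repository, here is a small Python audit that flags both conditions in such a dump, beside the salted PBKDF2 storage that removes the lookup step; the sample rows are constructed here, not the leaked ones, and the password for the third row is made up.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed rows shaped like the dump's `user` table: (idUser, namaUser,
# idLevelUser, uname, pass). These are not the leaked rows; the hashes are
# generated right here so the example runs offline.
def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

SAMPLE_USERS: List[Tuple[int, str, int, str, str]] = [
    (7, "admin", 2, "admin", md5_hex("admin")),              # default: password == username
    (8, "input", 3, "input", md5_hex("input")),              # default: password == username
    (10, "kasir1", 4, "kasir1", md5_hex("Kopi-Susu-2016")),  # changed password, still bare MD5
]

UNSALTED_MD5 = re.compile(r"[0-9a-f]{32}")

def is_unsalted_md5(stored: str) -> bool:
    """A bare 32-hex-char value (what fits the dump's varchar(35) column) is
    unsalted MD5: one online lookup per row recovers any common password."""
    return UNSALTED_MD5.fullmatch(stored) is not None

def find_default_credentials(rows) -> List[str]:
    """Usernames whose stored MD5 equals MD5 of the username itself or of
    'admin', the default-password pattern the dump exhibited."""
    return [uname for _id, _name, _level, uname, stored in rows
            if stored in (md5_hex(uname), md5_hex("admin"))]

# Hardened storage: per-user random salt plus a slow KDF. The stored string is
# self-describing, so the iteration count can be raised without a schema change.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # legacy bare-MD5 rows are rejected and must be rehashed
    _scheme, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("default credentials:", find_default_credentials(SAMPLE_USERS))
    print("bare MD5 rows:", [row[3] for row in SAMPLE_USERS if is_unsalted_md5(row[4])])
```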
Notable data
IP: 188.241.58.16
Host: thcservers.com
Cpanel: http://salsa-cyber.net:2082/
WHOIS data
  Domain Name: SALSA-CYBER.NET
  Registry Domain ID: 2059705752_DOMAIN_NET-VRSN
  Registrar WHOIS Server: whois.name.com
  Registrar URL: http://www.name.com
  Updated Date: 2016-09-18T18:43:12Z
  Creation Date: 2016-09-15T20:52:10Z
  Registrar Registration Expiration Date: 2019-09-15T20:52:10Z
  Registrar: Name.com, Inc.
  Registry Registrant ID: Not Available From Registry
  Registrant Name: Whois Agent
Crawl Data
  /config
  /css
  /font
  /image
  /img
  /js
  /less
  /sistem
  /sistem/classes
  /sistem/modul	Cetak
  /sistem/ajaxload.php
  /sistem/aksi.php
  /sistem/buka_kasir.php
  /sistem/cek_login.php
  /sistem/coba.php
  /sistem/content.php
  /sistem/index.php
  /sistem/logout.php
  /sistem/media.php
  /sistem/menu.php
  /sistem/menu2.php
  /sistem/upgrade_check.php
  /tools
  /README.md
  /_LISENSI.txt
  /_REQUIREMENTS.txt
  /index.php
  /init-db-ahadpos2.mysql
  /version.php
Screen Shots
[Screenshots of the app appeared here; the images are not preserved in this copy.]
© 2019 Dixon Ryder All Rights Reserved.