
Pony 1.9 (Win32/Fareit)

Came across a Pony panel recently, the original one, not the 'TF' version.
Alright, let's talk about Pony; the guys have some cool stats.
The panel is on 95.170.83.145 and the SQL server used by Pony is located elsewhere, on 178.63.77.68.

I've tried to add my own user inside the panel, but I ran into some difficulty, forcing me to dump the f*cker and review the source code.
I've read just a small part of the code, but that was fun; here is the authentication function:

They call mixed_sha1():
random_salt_value_start and random_salt_value_end are strings that don't change, but the coder named them 'random' for an unknown reason; I'm still not sure if it's a joke or human stupidity.
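The point the author is making (fixed "salt" constants wrapped around the password) is worth seeing in code. The following is an added illustration, not Pony's mixed_sha1() and not the panel's code: the constant values below are constructed stand-ins, since the real ones are not reproduced here. It contrasts a fixed-salt SHA-1 scheme with a per-user random salt plus PBKDF2, and shows the audit signal a defender gets from each: under a fixed salt, two users with the same password store the same digest, so duplicates (and a single precomputed table) span the whole user table; under per-user salts they do not.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed stand-ins for the panel's unchanging "random" constants.
# The real values are not shown on the page; what matters is that they are
# the same for every user, so they add no per-user entropy.
SALT_START = b"constructed-start-"
SALT_END = b"-constructed-end"

PBKDF2_ITERATIONS = 200_000


def fixed_salt_hash(password: str) -> str:
    """Illustrative fixed-salt scheme (assumed shape, not Pony's actual code):
    constant prefix and suffix around the password, then SHA-1.
    Same password => same digest for every user."""
    return hashlib.sha1(SALT_START + password.encode() + SALT_END).hexdigest()


def per_user_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, stretched alternative: a fresh 16-byte random salt per user,
    run through PBKDF2-HMAC-SHA256. Returns (salt, digest); both are stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_per_user(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = per_user_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def shared_digest_count(digests: Iterable) -> int:
    """Audit helper: number of distinct digests that more than one account
    shares. Non-zero under a fixed salt means reused passwords are visible
    (and crackable together); per-user salts always give zero here."""
    counts = Counter(digests)
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

    fixed = {u: fixed_salt_hash(p) for u, p in users.items()}
    print("fixed salt, shared digests:", shared_digest_count(fixed.values()))

    salted = {u: per_user_hash(p) for u, p in users.items()}
    print("per-user salt, shared digests:",
          shared_digest_count(d for _, d in salted.values()))

    salt, digest = salted["alice"]
    print("alice verifies:", verify_per_user("hunter2", salt, digest))
```

Run it and the fixed-salt store reports one shared digest (alice and bob), while the per-user store reports none even though the same two passwords were reused; that difference is exactly what a constant named "random" throws away.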

OK cool, I know how to hash my password; where do they record IPs now?
Panel in Russian but code comments in English... OK, I start to believe a retard edited the code.

get_login_log():

Alright, let's get the bad guys' IPs:
SELECT * FROM pony_system_log WHERE log_source LIKE 'login'
And that's all I need to know to remove traces from the panel afterwards and stay stealthy.

Now let's have a quick look at the Pony builder:
Loader:
Settings:
Themes:

Changelog (available here http://pastebin.com/ufiueRSH):

Files:
The builder is coded with Delphi and the payload in assembler.

Pony 1.9 got leaked in December 2012 and was translated to English by Unic0de.
Personally, at the end of 2012 I paid a courtesy visit to a PPI affiliate (Hacking Moneycloud).

Someone trying to sell Pony the same day it got leaked (lol?):

Now for the panel of our bad guys, login:

Dashboard:
Всего E-mail паролей в списке -> Total E-mail passwords: 10467
Всего сертификатов в списке -> Total certificates: 1
Всего RDP в списке -> Total RDP: 114
Всего уникальных отчетов -> Total unique reports: 10588
Получено дубликатов -> Duplicates received: 11211
Не обработано отчетов -> Not processed Reports: 1
Событий в системных логах -> Events in the system log files: 219865
Полный размер отчетов в БД -> Total size of reports in the database: 16.84 MB
Полный размер БД -> Full database size: 78.52 MB
Добавлено FTP (HTTP) за последние 24 часа -> Posted FTP (HTTP) in the last 24 hours: 54 (6771)
Добавлено FTP (HTTP) за последний час -> Posted FTP (HTTP) in the last hour: 3 (132)
Добавлено FTP (HTTP) за последние 10 минут -> Posted FTP (HTTP) for the last 10 minutes: 0 (17)
Добавлено отчетов за последние 24 часа -> Published reports for the last 24 hours: 821
Добавлено отчетов за последний час -> Published reports in the last hour: 22
Добавлено отчетов за последние 10 минут -> Published reports in the last 10 minutes: 2

FTP list:
Скачать список FTP -> Download the FTP list
Скачать список SSH -> Download the SSH list
Очистить список FTP -> Delete the FTP list
Очистить список SSH -> Delete the SSH list
Показать фильтр -> Show Filter

Filters:
Countries:
Date:

HTTP list:

Others:
Скачать список E-mail -> Download the E-mail list
Скачать сертификаты -> Download Certificates
Скачать список RDP -> Download the RDP list
Очистить список E-mail -> Remove E-mail list
Удалить сертификаты -> Remove certificates
Очистить список RDP -> Remove RDP list

Stats:

Stolen passwords in the last 24 hours:

Stolen passwords in the last month:

OS popularity:

FTP Clients popularity:

Browsers popularity:

E-mail client popularity:

Domains:

Error logs:
Скачать логи -> Download logs
Очистить логи -> Remove logs

Error report:
Скачать отчет -> Download the report
Повторно обработать отчет -> Reprocess the report
Удалить отчет -> Delete the report

Reports:
Скачать все отчеты -> Download all reports
Скачать необработанные отчеты -> Download the raw reports
Удалить все отчеты -> Delete all reports
Показать фильтр -> Show Filter

View report:
Скачать отчет -> Download the report
Повторно обработать отчет -> Reprocess the report
Удалить отчет -> Delete the report

Management:

Server Settings:
Пароль для дешифровки отчетов -> Password for decrypting reports

Add New User:
Оптимизировать (сжать) таблицы MySQL -> Optimize (compress) the MySQL tables
Пересоздать таблицы MySQL -> Recreate the MySQL tables

Change password:

Help:

Panel (Russian) can be downloaded here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1558&p=19374#p19374
