Second order leak analysis: when it leaks from those who steal data from a bank

Everyone has become accustomed to the fact that data on customers of Russian banks keeps turning up, either in the public domain or offered for sale on various shadow forums.



Now I want to talk about where this information comes from, using a specific case involving a well-known Russian bank as an example. In order not to offend anyone (banks are very touchy and, with the help of their PR departments, like to throw public tantrums denying everything in the style of "you are lying and carrying out an information attack"), I will conditionally call this bank "Epsilon".


I got hold of two very interesting PHP applications for analysis; they had accidentally ended up in the public domain on a server in the Netherlands. But first things first…


A letter from security researcher Alex Gor (0xyzq on Twitter) arrived at the mailbox of my Telegram channel "Information Leaks". It contained a screenshot (see above) and an archive with what is actually of interest.


«» (, «80.http.get.title:"index of /"») Censys.io 95.179.156.7, , , (.php, .html, .txt .zip). Shodan, 80- «» 23.12.2019, – BinaryEdge, «» 09.02.2020.



– «A» , «P» — «Parse», «v22» – 22. , ( ).




  • parse.php – 31.12.2019, 11 757
  • next.php – 24.12.2019, 6 678

, , PHP- REST API , «» , (. ), . REST API HTTP-, JSON. , « » , .


1. parse.php ( HTML-) : «prefix», «from», «to».




$reference REST API ( ), iOS- , , , json- «result_ .txt» (. ).


$reference id (type), ( ddmmyy), , 7 . :


H03 111119 0000001


H03 – id, 111119 – (11.11.2019). . 0000001 – . 0000000 9999999, , .


request() parse.php, $reference , ( ):





2. next.php , , REST API: ( HTML-) «AAAAAA».




$reference REST API, , , «result_next_ AAAAAA.txt» (. ).


(. ) , , $reference p, ( ddmmyy). :


p151119


p – , 151119 – (15.11.2019).





, «» PHP-, ( ), «parse» «next» «files».



(parse.php) , , .



30 , 133 728 ( ).


(next.php) , , , , ( ), (, , , ..).



21 , 113 442 ( ).




, 29.12.2019 04.01.2020, .






, REST API, , — 404- . : , , – “Authorization: Bearer“ HTTP- ( ). , , . - HTTP- , . PHP- .




News about information leaks and insiders can always be found on the Telegram channel "Information Leaks".

