btw... c$ is a Windows default read-only share, as this script gave them access to c, i assume he was on c$...
http://en.wikipedia.org/wiki/Administrative_share
--------------------------
lolz.. he closed the forum and youtube link... rofl.....
(guess he didn't want to get into trouble...)
well, it was python code that used rpc
----------------------------
anyways if it helps:
(hfsrpc.py) - was in the cmd windows...
---------picture in the post had:
setting the local host and rhost to the same port, something like "444444"
(both were the same for coming in)
and remote port, setting up windows traffic to a random connecting port....
something like "124445"
(creating a fake random port connection)
(both were the same for going out...)
Ports are from memory (don't remember them... weren't assigned to specific services/protocols, as such they must have been random...)
then script sending it through the broadcast to gain access to the root folder of hfs... (random victim)
as if you remotely opened a cmd prompt on that machine... (unknown if it gave write permissions, definitely read/traverse)
didn't have/give much, but it was python code (he replied back and said so, not so much who/how/what)... but deliberate to gain access into hfs2.3a and the c: drive of an hfs machine...
i haven't been hacked, and i'm surprised to see comments of those who have.
-----------------------
this is as much as i can be of help, unknown what protocol/data/how they are getting in, just trying to share from what i saw when i replied to this post... (the fact that a previous Chinese post shows that this user has used this script maliciously, and it's possible that he isn't the creator, shows that he might never "sign in"...)
http://www.rejetto.com/forum/italiano/template-craccato-***importante***-11437/
Italian poster saying xpolit user did this:
-------
https://translate.google.com/#auto/en/Ciao%20a%20tutti%2C%0Ami%20rifaccio%20vivo%2C%20perch%C3%A8%20oggi%20ho%20notato%20che%20il%20mio%20webserver%20era%20stato%20craccato!%0AIn%20pratica%2C%20digitando%20l'indirizzo%20associato%2C%20al%20posto%20della%20pagina%20template%20che%20avevo%20impostato%2C%20compariva%20il%20messaggio%3A%0A%0Ahacked%20by%20xpl01t%20HFS%200day%20exploiter%0A%0ACollegandomi%20al%20server%2C%20mi%20sono%20accorto%20che%20era%20presente%20un%20file%20*tpl%20modificato%20dall'hacker.%20Ho%20subito%20ripristinato%20il%20mio%20ma%20la%20cosa%20mi%20allarma.%20Mi%20sa%20che%20urge%20una%20patch%20correttiva!%20La%20versione%20che%20uso%20%C3%A8%20la%202.3%0A%0AVedi%20anche%20http%3A%2F%2Fwww.rejetto.com%2Fforum%2Fhfs-~-http-file-server%2F%2528hfs-2-3a%2529-0day-vulnerability-discovered-by-me!%2F%20%0A%0ASaluti%0AAL
----------