What.CD database compromised?

[mrnobody]

i have already started using different pw n probably will use different nick for these new sites...u can't really trust 'em.

[masterbat]

no big deal . every major torrent sites have been hacked before and they still survive

[fOrUmAs]

The guy behind the attacks ∼ posted on Nov-13-07 by What
So, there's been a lot of speculation about who was behind the attacks on us. Waffles? RIAA? We've already come out and told you that it isn't the first. The waffles guys are cool, really. And the RIAA? Well, they don't redirect people to shock sites, as far as I know. So, who else would want to hack us? We've done our detective work, and located the two people. If you want to know who they are, skip to the end of the post. If you want to know who they are and why they hate us so much, read on in the ordinary up-down fashion.

When we first opened our public beta, we were temporarily hosted on the bitient.org server, which was owned by one of our admins (Noah). Noah also lent out hosting space to a few other people, and gave them shell access. When Noah granted us access to his server and IRC network, one of the owners to a site hosted on the server saw us as intruders, and felt a great deal of animosity towards us. This user's nick was 'P3T3R'. We left him alone, because it's never good to make enemies when you're running a site like this, but he seemed very intent on intimidating us. The following is from my IRC logs:

[Sat Nov 3 2007] [23:23:38] (P3T3R) btw, be prepared
[Sat Nov 3 2007] [23:23:42] (P3T3R) i'd watch it if I were you
[Sat Nov 3 2007] [23:24:02] (P3T3R) make the most of what you have while you have it
[Sat Nov 3 2007] [23:24:14] (P3T3R) cos you just might have it taken away from you...
[Sat Nov 3 2007] [23:24:37] (WhatMan) What the hell are you on about, P3T3R?
[Sat Nov 3 2007] [23:24:43] (P3T3R) i'm not quite sure
[Sat Nov 3 2007] [23:24:48] (P3T3R) or am I?

We suspect he was working with his brother 'biscuit', who has a reputation of being quite knowledgeable about linux, and 'hacking' in general.

Things were pretty normal for the next few days, but then we started seeing disturbing things appear in our database. Most of you guys know what these disturbing things were - redirects to shock sites, fake RIAA notices, etc. We initially thought that this was because of SQS injections - after all, TBSource comes with a load of exploits by default. So we went through the site, and patched up all the injection points (there were a lot of them). When we put the site back up, we immediately got hit by another attack. So we took it down again, and found and patched a couple more exploits. Then we put the site back up, and got hit by another attack.

After checking our database logs, it became painfully clear what had happened. The site and the database are hosted on separate servers. The attacker was connecting to the database server from the web server, but it didn't look at all like an SQL injection - none of our ordinary database calls accompanied the malicious queries. So, we decided that the attackers must have access to the web server, and since it was time to move from that temporary server anyways, we packed our bags and left.

This is when the SQL attacks stopped.

As we've already stated, the attackers then turned to brute force. The DDoS attack was well done, which made us think that the attackers were more than bored kids - but then, they sent out a shitload of fake RIAA emails, which looked like the work of a 14 year old. It was these emails that allowed us to track down the attackers.

The emails were well spoofed - the "originating IP" belonged to Dutch offices owned by the RIAA. However, they made a serious fuckup - a load of them were sent from [email protected]. This is not the case of a hacked mail script, as we never had a mail script - this was the case of someone trying poorly to hide their identity. A couple hours after these emails were sent out, every user in #what.cd received a CTCP-Version request from a user called 'biscuit'.

This is where it gets cool.

Sending version requests to everyone in a channel is the sort of thing script kiddies looking for someone to hack would do. As a good sysadmin, I tracked down biscuit's IP address:

[22:17] [Whois] biscuit is [email protected] (Biscuit)
[22:17] [379] biscuit is using modes +wrxt
[22:17] [378] biscuit is connecting from *@5acf5b58.bb.sky.com 90.207.91.88

And searched for it on the site - I came up with this account: http://what.cd/userdetails.php?id=1106

So, p3t3r and biscuit are on the same IP address. They both hate us, and p3t3r has openly threatened to take our site down. P3T3R has an account on the site, that logs into frequently, but never uses to upload or download. They both have shell access to our original server, so they could get into the database. Biscuit, the "1227 hax0r", sends a version request to everyone on IRC, a couple hours after scam emails have been sent out from a server they have access to. A little more research shows that P3T3R is 14 years old, and biscuit is his brother. It all sounds pretty conclusive to me. I go on to the bitient.org IRC channel to see what I can find. What do I find?

[22:37] (Noah) BISCUIT!
[22:37] (Noah) You'd better not have been the one sending those fake RIAA emails!
[22:37] (P3T3R)
[22:37] (Noah) And you most certainly have better not have been the one behind the hack
[22:37] (Noah) the emails CAME FOMR MY IP!
[22:37] (P3T3R) hack?
[22:37] (Noah) FROM THIS FUCKING SERVER

This pretty much convinced me that these two (especially P3T3R) were the ones behind the attacks. So, I'm sure you're all curious as to who these people are.

We only went so far as to find out info on P3T3R. His name is Peter Cole, and he lives in Yorkshire, in the UK. His email addreses are [email protected] and [email protected] (the second one is also his MSN). His AIM is P3TP3T3R, and his Yahoo messenger username is pe3te3r. He has a personal web site (hosted on the bitient.org server) at p3t3r.co.uk - sadly, his home address and phone number are hidden from the whois. There's a shitload of information on him, easily accessible via google.

Neither I nor the rest of the staff is going to do anything to him - we just thought you'd like to know who the dickhead with your email address is. You can do with this information what you please.

[Polarbear]

exactly as i thought - a stupid little kid.

time for a little education

lives in halifax btw.

[raj3186]

i have already started using different pw n probably will use different nick for these new sites...u can't really trust 'em.

same here tooo!

[Daniel]

Well, with shell access to the old server everything was possible, so this explanation makes sense.

[WhoopDeDoo]

Heh, maybe they'll actually stay online now.

[Defy]

Glad to know the emails are fake... but I still don't care for my email floating around out there even though I go out of my way (constantly) to secure it. What.cd won't even pull up for me now... been this way all damn weekend.

[psxcite]

Like I said in my orginal post, I figured it was some stupid script kiddie with no life and nothing better to do. I don't believe in whipping my kids, but I'd beat the hell outta that little brat.

I shouldn't judge, though. When I was young and on the Cult of the Dead Cow BBS and on the 2600 VMB system, I did alot of stupid stuff in the name of "anarchy". They will grow up and hopefully get a good job as a linux admin or a SQL DB manager. LOL.

A little more info:

I had a nice chat with Noah earlier - apparently, P3T3R isn't the asshole, his brother is. His brother's name is Richard Cole, uses the email address [email protected] and owns the domain iheist.com - and the whois information for that isn't kept a secret. This is their address and phone number:

Administrative Contact:
Cole, Richard @googlemail.com
### ****
Halifax, Other HX3 7AN
UK
+.######### Fax: +.########

We also got a load more proof from Noah - he read their history file. It is available online here: http://pastebin.ca/770838 The cool shit starts at command 491 (a DOS attack). You can also see biscuit hacking our database, etc.

I've removed his email from the news post for the day, at Noah's request - he wants to flame him without his email getting lost in piles of spam. I'll re-post it when Noah's done.

[WhoopDeDoo]

Like I said in my orginal post, I figured it was some stupid script kiddie with no life and nothing better to do. I don't believe in whipping my kids, but I'd beat the hell outta that little brat.

I shouldn't judge, though. When I was young and on the Cult of the Dead Cow BBS and on the 2600 VMB system, I did alot of stupid stuff in the name of "anarchy". They will grow up and hopefully get a good job as a linux admin or a SQL DB manager. LOL.

Maybe, if they weren't complete idiots.