Show/Hide ∼ The guys behind the attacks ∼ posted on Nov-13-07 by What
We highly suggest you change the password associated with the account. They are salted and encrypted, but we have no way of knowing what Richard has done with them.
So, there's been a lot of speculation about who was behind the attacks on us. Waffles? RIAA? We've already come out and told you that it isn't the first. The waffles guys are cool, really. And the RIAA? Well, they don't redirect people to shock sites, as far as I know. So, who else would want to hack us? We've done our detective work, and located the two people. If you want to know who they are, skip to the end of the post. If you want to know who they are and why they hate us so much, read on in the ordinary up-down fashion.
When we first opened our public beta, we were temporarily hosted on the bitient.org server, which was owned by one of our admins (Noah). Noah also lent out hosting space to a few other people, and gave them shell access. When Noah granted us access to his server and IRC network, one of the owners to a site hosted on the server saw us as intruders, and felt a great deal of animosity towards us. This user's nick was 'P3T3R'. We left him alone, because it's never good to make enemies when you're running a site like this, but he seemed very intent on intimidating us. The following is from my IRC logs:
[Sat Nov 3 2007] [23:23:38] (P3T3R) btw, be prepared
[Sat Nov 3 2007] [23:23:42] (P3T3R) i'd watch it if I were you
[Sat Nov 3 2007] [23:24:02] (P3T3R) make the most of what you have while you have it
[Sat Nov 3 2007] [23:24:14] (P3T3R) cos you just might have it taken away from you...
[Sat Nov 3 2007] [23:24:37] (WhatMan) What the hell are you on about, P3T3R?
[Sat Nov 3 2007] [23:24:43] (P3T3R) i'm not quite sure
[Sat Nov 3 2007] [23:24:48] (P3T3R) or am I?
We suspect he was working with his brother 'biscuit', who has a reputation of being quite knowledgeable about linux, and 'hacking' in general.
Things were pretty normal for the next few days, but then we started seeing disturbing things appear in our database. Most of you guys know what these disturbing things were - redirects to shock sites, fake RIAA notices, etc. We initially thought that this was because of SQL injections - after all, TBSource comes with a load of exploits by default. So we went through the site, and patched up all the injection points (there were a lot of them). When we put the site back up, we immediately got hit by another attack. So we took it down again, and found and patched a couple more exploits. Then we put the site back up, and got hit by another attack.
After checking our database logs, it became painfully clear what had happened. The site and the database are hosted on separate servers. The attacker was connecting to the database server from the web server, but it didn't look at all like an SQL injection - none of our ordinary database calls accompanied the malicious queries. So, we decided that the attackers must have access to the web server, and since it was time to move from that temporary server anyways, we packed our bags and left.
This is when the SQL attacks stopped.
As we've already stated, the attackers then turned to brute force. The DDoS attack was well done, which made us think that the attackers were more than bored kids - but then, they sent out a shitload of fake RIAA emails, which looked like the work of a 14 year old. It was these emails that allowed us to track down the attackers.
The emails were well spoofed - the "originating IP" belonged to Dutch offices owned by the RIAA. However, they made a serious fuckup - a load of them were sent from
[email protected]. This is not the case of a hacked mail script, as we never had a mail script - this was the case of someone trying poorly to hide their identity. A couple hours after these emails were sent out, every user in #what.cd received a CTCP-Version request from a user called 'biscuit'.
This is where it gets cool.
Sending version requests to everyone in a channel is the sort of thing script kiddies looking for someone to hack would do. As a good sysadmin, I tracked down biscuit's IP address:
[22:17] [Whois] biscuit is
[email protected] (Biscuit)
[22:17] [379] biscuit is using modes +wrxt
[22:17] [378] biscuit is connecting from *@*********.bb.sky.com **.***.**.**
And searched for it on the site - I came up with this account: /userdetails.php?id=1106
So, p3t3r and biscuit are on the same IP address. They both hate us, and p3t3r has openly threatened to take our site down. P3T3R has an account on the site, that logs into frequently, but never uses to upload or download. They both have shell access to our original server, so they could get into the database. Biscuit, the "1337 hax0r", sends a version request to everyone on IRC, a couple hours after scam emails have been sent out from a server they have access to. A little more research shows that P3T3R is 14 years old, and biscuit is his brother. It all sounds pretty conclusive to me. I go on to the bitient.org IRC channel to see what I can find. What do I find?
[22:37] (Noah) BISCUIT!
[22:37] (Noah) You'd better not have been the one sending those fake RIAA emails!
[22:37] (P3T3R)
[22:37] (Noah) And you most certainly have better not have been the one behind the hack
[22:37] (Noah) the emails CAME FOMR MY IP!
[22:37] (P3T3R) hack?
[22:37] (Noah) FROM THIS FUCKING SERVER
This pretty much convinced me that these two (especially P3T3R) were the ones behind the attacks. So, I'm sure you're all curious as to who these people are.
We only went so far as to find out info on P3T3R. His name is Peter Cole, and he lives in Yorkshire, in the UK. His email addreses are *****@p3t3r.co.uk and *****@gmail.com (the second one is also his MSN). His AIM is *****, and his Yahoo messenger username is *****. He has a personal web site (hosted on the bitient.org server) at p3t3r.co.uk - sadly, his home address and phone number are hidden from the whois. There's a shitload of information on him, easily accessible via google.
Neither I nor the rest of the staff is going to do anything to him - we just thought you'd like to know who the dickhead with your email address is. You can do with this information what you please.
EDIT: I had a nice chat with Noah earlier - apparently, P3T3R isn't the asshole, his brother is. His brother's name is Richard Cole, uses the email address
[email protected] and owns the domain iheist.com - and the whois information for that isn't kept a secret. This is their address and phone number:
Administrative Contact:
Cole, Richard @googlemail.com
### ****
Halifax, Other ### ###
UK
+.######### Fax: +.########
We also got a load more proof from Noah - he read their history file. It is available online here:
http://pastebin.ca/770838 The cool shit starts at command 491 (a DOS attack). You can also see biscuit hacking our database, etc.
I've removed his email from the news post for the day, at Noah's request - he wants to flame him without his email getting lost in piles of spam. I'll re-post it when Noah's done.
EDIT again: We've decided to take the emails off for good. You can easily find them with a google search, anyways.
Bookmarks