What.CD database compromised?



psxcite
11-12-2007, 10:59 AM
Seems hackers got the What.CD user database and they are sending fake RIAA emails to all the users. Must have happened during the SQL injection hack.



Delivered-To: my@address
Received: by 10.115.106.10 with SMTP id i10cs44735wam;
Mon, 12 Nov 2007 02:35:00 -0800 (PST)
Received: by 10.114.190.6 with SMTP id n6mr271088waf.1194863700180;
Mon, 12 Nov 2007 02:35:00 -0800 (PST)
Return-Path:
Received: from spunkymail-mx6.g.dreamhost.com (mx1.spunky.mail.dreamhost.com [208.97.132.47])
by mx.google.com with ESMTP id m27si5736940wag.2007.11.12.02.34.59;
Mon, 12 Nov 2007 02:35:00 -0800 (PST)
Received-SPF: neutral (google.com: 208.97.132.47 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=208.97.132.47;
Authentication-Results: mx.google.com; spf=neutral (google.com: 208.97.132.47 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from bitient.org (unknown [85.17.201.73])
by spunkymail-mx6.g.dreamhost.com (Postfix) with ESMTP id 6EABC2D320
for ; Mon, 12 Nov 2007 02:34:35 -0800 (PST)
Received: (qmail 21760 invoked by uid 10012); 12 Nov 2007 11:34:22 +0100
Date: 12 Nov 2007 11:34:22 +0100
Message-ID: <[email protected]>
To: my@address
Subject: Music Piracy
From: [email protected]
Reply-To: [email protected]
X-Originating-IP: [76.74.24.143]
X-Originating-Email: [[email protected]]
X-Mailer: Internet Mail Service


Subj: Music Piracy
Date: Mon, Nov 12, 2007 at 4:35 AM
From: [email protected]
----------------------------------------------------------------
Dear registered user of the site What.cd,

We have recently been investigating the activities of the users of the
site http://www.what.cd/ and we have found that this site exists for the
sole purpose of music piracy.

Pirating music is a criminal offence and we believe it should be obvious
to you that the results outweigh the benefits - hard working artists
won't be rewarded for their work and will stop producing music,
ultimately leading to a severely reduced selection of music both in the
shops and for download.

The RIAA had hoped that the disabling by the police of the large illegal
music site, Oink.cd, would stop a lot of people from engaging in piracy,
as they don't want to be seen as criminals. However, this appears to
not be the case, as two large new sites have sprung up in its place.

This email is the final warning to all of you who were members of
Oink.cd and are current members of What.cd. If we find you to be
committing any more criminal acts of piracy then we will have to press
charges against you, as representatives of the major record companies of
America.

Yours Faithfully,

The RIAA

Oh you silly script kiddies. Get a life.

FYI

Consider your passwords disclosed
The attacker probably has a copy of the password hashes and with a bit of effort could crack your password.

Change your passwords elsewhere!

Luckily for me, I use a different password on every site.
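
The header block quoted above can be checked mechanically rather than by eye. The following is an added example, not code from the original post or from what.cd: it walks the Received chain in transit order, trusts only the hops written by the recipient's own mail provider and its known forwarder, and compares the resulting sender-facing address with the sender-controlled X-Originating-IP header. The sample is the header block above with the recipient address and the obfuscated sender and From addresses replaced by placeholder addresses (constructed); the choice of google.com and dreamhost.com as trusted header writers is an assumption made for this example, and the qmail "invoked by uid" line is taken as the point where the message entered the first MTA.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the thread's header block with placeholder addresses
# substituted for the recipient and the obfuscated sender addresses.
SAMPLE_HEADERS = """\
Delivered-To: victim@example.net
Received: by 10.115.106.10 with SMTP id i10cs44735wam;
 Mon, 12 Nov 2007 02:35:00 -0800 (PST)
Received: by 10.114.190.6 with SMTP id n6mr271088waf.1194863700180;
 Mon, 12 Nov 2007 02:35:00 -0800 (PST)
Return-Path: <sender@placeholder.invalid>
Received: from spunkymail-mx6.g.dreamhost.com (mx1.spunky.mail.dreamhost.com [208.97.132.47])
 by mx.google.com with ESMTP id m27si5736940wag.2007.11.12.02.34.59;
 Mon, 12 Nov 2007 02:35:00 -0800 (PST)
Received-SPF: neutral (google.com: 208.97.132.47 is neither permitted nor denied by best guess record for domain of sender@placeholder.invalid) client-ip=208.97.132.47;
Received: from bitient.org (unknown [85.17.201.73])
 by spunkymail-mx6.g.dreamhost.com (Postfix) with ESMTP id 6EABC2D320
 for <victim@example.net>; Mon, 12 Nov 2007 02:34:35 -0800 (PST)
Received: (qmail 21760 invoked by uid 10012); 12 Nov 2007 11:34:22 +0100
Date: 12 Nov 2007 11:34:22 +0100
Subject: Music Piracy
From: riaa@placeholder.invalid
X-Originating-IP: [76.74.24.143]
X-Mailer: Internet Mail Service

Dear registered user of the site What.cd,
"""

RECV_FROM = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)")
RECV_BY = re.compile(r"\bby\s+(\S+)")
QMAIL_LOCAL = re.compile(r"\(qmail\s+\d+\s+invoked\s+by\s+uid\s+(\d+)\)")


def parse_received(value):
    """Extract the handoff details from one (unfolded) Received: header."""
    value = " ".join(value.split())
    hop = {"from_name": None, "from_rdns": None, "from_ip": None, "by": None, "local_uid": None}
    m = QMAIL_LOCAL.search(value)
    if m:  # qmail's wording for a message injected locally, i.e. no network hop at all
        hop["local_uid"] = int(m.group(1))
        return hop
    m = RECV_FROM.search(value)
    if m:
        hop["from_name"], hop["from_rdns"], hop["from_ip"] = m.groups()
    m = RECV_BY.search(value)
    if m:
        hop["by"] = m.group(1)
    return hop


def transit_chain(raw):
    """Received: headers oldest first, the order in which the mail travelled."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # every relay prepends its header, so header order is newest first
    return msg, hops


def is_trusted_writer(by, trusted_suffixes):
    """A hop is trusted if it was stamped by our provider, its forwarder, or an internal relay."""
    by = (by or "").lower()
    if any(by == s or by.endswith("." + s) for s in trusted_suffixes):
        return True
    try:
        return ipaddress.ip_address(by).is_private  # provider-internal hop such as 'by 10.x.x.x'
    except ValueError:
        return False


def origin_from_trusted_hops(hops, trusted_suffixes):
    """Walk newest-first while the headers were written by trusted hosts; the
    from-address of the last trusted header is the real sender-facing relay.
    Anything older was written by the sender's side and can be forged freely."""
    origin = None
    for h in reversed(hops):
        if not is_trusted_writer(h["by"], trusted_suffixes):
            break
        if h["from_ip"]:
            origin = h
    return origin


def analyze(raw, trusted_suffixes=("google.com", "dreamhost.com")):
    msg, hops = transit_chain(raw)
    origin = origin_from_trusted_hops(hops, trusted_suffixes)
    m = re.search(r"[\d.]+", msg.get("X-Originating-IP", ""))
    claimed = m.group(0) if m else None  # free-form header, set by whoever composed the mail
    chain_ips = {h["from_ip"] for h in hops if h["from_ip"]}
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0] or None
    return {
        "injection": hops[0] if hops else None,  # oldest header: how the mail entered the first MTA
        "origin_host": origin["from_name"] if origin else None,
        "origin_ip": origin["from_ip"] if origin else None,
        "claimed_origin": claimed,
        "claimed_origin_in_chain": claimed in chain_ips,
        "spf": spf,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

With dreamhost.com trusted as the forwarder, the origin resolves to bitient.org at 85.17.201.73 and the X-Originating-IP value appears nowhere in the chain; with only google.com trusted, the origin is the forwarder itself (208.97.132.47), which is also the address the SPF check was run against. That "neutral" result comes from a best-guess record, so it neither confirms nor rejects the sender.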

Hanz™
11-12-2007, 11:12 AM
Ugh. Yet another reason to use waffles over what.

fOrUmAs
11-12-2007, 11:13 AM
Someone really doesn't like us! ~ posted on Nov-12-07 by What
This week has been terrible. After we did two code audits and fixed our security issues, our wonderful attackers couldn't get in (yay!), so they turned to brute force. After having been hit by several port scans and a rather fearsome DDoS attack (traffic reaching almost 80 megabits per second (note: that's 10 megabytes per second)) our server pretty much went to hell. After an extended downtime (ending a couple hours ago) during which we tweaked firewall settings, etc., we decided that it was safe enough to bring the site back up.

Pretty much immediately after the site came back up we had someone trying to brute force our (well passworded) ssh accounts (they've now met the hot burny side of the firewall).

What have we learned from all this? That there is a person or a group of people somewhere that wants us to disappear. We originally thought that the attacks were by bored kids, but whoever was behind the DDoS appears to be much more serious than that. We aren't going to publicly speculate on who is behind the attacks - we'll leave that to you guys.

Despite these attacks, we are still up and running, and we hope to stay this way for a very long time. We have plans for this site, and we aren't going to flush them down the drain just because some people don't like what we're doing. The first of our plans involves a very cool freeleech plan, but we're going to wait until we're sure the tracker's relatively stable for that. For the time being, we're keeping freeleech on until further notice.

Edit by DAQ: These fake RIAA Emails are just that. Fake. http://pastebin.ca/770503 Read that.

Daniel
11-12-2007, 11:13 AM
Yes, well. It would take large amounts of time to work through 15k user passwords and to use them on top of that. To me it looks like the only target is what.cd and they're really trying to make the staff's life miserable ;)

This mail was originally sent from the what.cd server itself, anything else is smokescreen.

Polarbear
11-12-2007, 11:14 AM
:D i got this nonsense as well. probably a frustrated ex-staff kid.

AugustoP
11-12-2007, 11:17 AM
It's sent from the what.cd server to the what.cd userbase. Staff really have to explain that shit to everyone concerned about security.

Artemis
11-12-2007, 11:21 AM
Here we go again?
Yet another site database hacked. I think this will be a big nail in the coffin of what.cd, on top of the SQL injection of the porn image and all the downtime experienced through DDoS attacks and 'updates'.

Polarbear
11-12-2007, 11:21 AM
Even though the passwords are encrypted on the server, I'd recommend changing your what passwords.

psxcite
11-12-2007, 11:23 AM
After the Bit-HDTV fiasco, I would change your password on the site. If you use the same password on other sites (shame on you), I would change them NOW.
Also, be prepared to really monitor any unknown emails you may receive. I hope I don't have to tell you not to open any unknown emails people. I would expect now that they have the email list, we are in for some "spam from hell".

John1988
11-12-2007, 11:36 AM
OMG!!!
i got the same email :(
wth is going on??

fOrUmAs
11-12-2007, 11:37 AM
yea just to be sure i changed my pass..

btw I haven't received any email yet, but I'm not worried at all.

start
11-12-2007, 11:37 AM
I'll never use waffles.fm or what.cd - they can't even secure their shit. I got the email too.

physter
11-12-2007, 11:41 AM
It's all good really, what.cd will end up being the most secure site on the planet.

Stick with it, it has great potential and the staff are really nice.

Sylar666
11-12-2007, 12:14 PM
They can give me a blowjob. I cannot be scared. Fuck RIAA and all subsidiaries, allies.

JA
11-12-2007, 12:19 PM
lol

Sylar666
11-12-2007, 12:24 PM
Here we go, BTW:

Delivered-To: *@gmail.com
Received: by 10.65.124.15 with SMTP id b15cs115316qbn;
Mon, 12 Nov 2007 03:16:57 -0800 (PST)
Received: by 10.82.187.16 with SMTP id k16mr11435119buf.1194866213721;
Mon, 12 Nov 2007 03:16:53 -0800 (PST)
Return-Path: <[email protected]>
Received: from bitient.org ([85.17.201.73])
by mx.google.com with ESMTP id g8si10218673muf.2007.11.12.03.16.53;
Mon, 12 Nov 2007 03:16:53 -0800 (PST)
Received-SPF: neutral (google.com: 85.17.201.73 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=85.17.201.73;
Authentication-Results: mx.google.com; spf=neutral (google.com: 85.17.201.73 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: (qmail 13014 invoked by uid 10012); 12 Nov 2007 11:36:42 +0100
Date: 12 Nov 2007 11:36:42 +0100
Message-ID: <[email protected]>
To: [email protected]
Subject: Music Piracy
From: [email protected]
Reply-To: [email protected]
X-Originating-IP: [76.74.24.143]
X-Originating-Email: [[email protected]]
X-Mailer: Internet Mail Service

I don't think we need to worry about the RIAA.

kaoblanco
11-12-2007, 12:30 PM
No, but worry about the atrocious manner in which What.cd is being handled, run and eaten alive.

I'd not bash it so, but I tend to prefer trackers I can use, rather than a looong string of downtime, server errors and "Permission Denied" errors.

Classy guys, really classy.

fOrUmAs
11-12-2007, 12:36 PM
This only proves how big and strong a competitor they are, so I'm not surprised, because what.cd and waffles will lead in the music world of torrents.

thejosher
11-12-2007, 12:41 PM
Yeah.. I've yet to be impressed at all by the uptime, performance, security or staff of either what.cd or waffles.

There needs to be a third big tracker IMO.

Detale
11-12-2007, 12:41 PM
Well I would say ex-staffer prob, possibly disgruntled, eh, no biggie. Also they have this on the home page now

Edit by DAQ: These fake RIAA Emails are just that. Fake. http://pastebin.ca/770503 Read that.

sexydingo
11-12-2007, 12:42 PM
I want to like what.cd so badly :(

cRaZyzMaN
11-12-2007, 12:42 PM
They sent me that email too. lol
nice try

Ghost+Rider
11-12-2007, 12:44 PM
Wtf i got this :lol:



Dear registered user of the site What.cd,

We have recently been investigating the activities of the users of the
site http://www.what.cd/ and we have found that this site exists for the
sole purpose of music piracy.

Pirating music is a criminal offence and we believe it should be obvious
to you that the results outweigh the benefits - hard working artists
won't be rewarded for their work and will stop producing music,
ultimately leading to a severely reduced selection of music both in the
shops and for download.

The RIAA had hoped that the disabling by the police of the large illegal
music site, Oink.cd, would stop a lot of people from engaging in piracy,
as they don't want to be seen as criminals. However, this appears to
not be the case, as two large new sites have sprung up in its place.

This email is the final warning to all of you who were members of
Oink.cd and are current members of What.cd. If we find you to be
committing any more criminal acts of piracy then we will have to press
charges against you, as representatives of the major record companies of
America.

Yours Faithfully,

The RIAA

sleepyy
11-12-2007, 12:53 PM
Same here haha, strange stuff. Good thing I don't use the email address for all torrent sites, only this one. Password changed as well. At least they should recommend a password change on the site. I think I'm going to look around for a waffles invite instead; this site is kind of strange from day one, but still good.

snap3r
11-12-2007, 01:01 PM
Ugh. Yet another reason to use waffles over what.
No offence to anyone, but waffles is crap :)
They were hacked too, so I advise changing passwords there as well :D

dave12
11-12-2007, 01:01 PM
I am not scared, they can send as many letters as they want. I am not using the same email and password on trackers, so that's good news for me. And for others: change your password for email and trackers as soon as possible.

cRaZyzMaN
11-12-2007, 02:29 PM
for me this is spam

Kyl3KK
11-12-2007, 02:57 PM
Ugh. Yet another reason to use waffles over what.
No offence to anyone, but waffles is crap :)
They were hacked too, so I advise changing passwords there as well :D

Why is waffles crap?

smiggy
11-12-2007, 02:57 PM
Re. changing your password, I'm not so sure it's the best option. If you had a good quality password before, leave it be, if it's complex enough it might take a 25000-node botnet tens of years to crack.

They obviously had full access to the source code and may have altered the password changing script to either store the new password in a "safe place" or send it off-site somewhere.

Have the admins done an audit to look for altered code?

I just wish they would invest an hour or two in setting up mod_security2.

And they obviously stored email addresses in plain text, when it would be sufficient to just have a hash of it. The user inputs their md5($email) address and you can tell if it is correct or not.
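
The audit question in the post above ("has anyone looked for altered code?") is usually answered with a file-integrity manifest: hash every tracked file on a known-good copy, store the manifest somewhere the attacker cannot reach, and diff it against the live tree. The following is an added example, not what.cd's or TBSource's own code; the directory layout, file names and the simulated tampering in demo() are constructed for illustration, and the tracked-suffix list is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads directories do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".php", ".inc", ".js", ".htaccess")) -> dict:
    """Map every tracked file under root (relative POSIX path) to its SHA-256.
    The suffix list is an assumption for this example; track whatever the
    web server will execute or that changes request handling."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in suffixes or path.name in suffixes):
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an attacker with shell
    access backdooring the password-change code, dropping a web shell and deleting a page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "include").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "include" / "user_functions.php").write_text("<?php /* password change */ ?>\n")
        (root / "account.php").write_text("<?php /* profile */ ?>\n")
        baseline = build_manifest(root)

        # simulated tampering (hypothetical content, not a real backdoor)
        (root / "include" / "user_functions.php").write_text(
            "<?php /* password change */ /* ...plus a copy of the new password sent elsewhere */ ?>\n")
        (root / "include" / "c99.php").write_text("<?php /* web shell */ ?>\n")
        (root / "account.php").unlink()

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The check is only as good as the baseline's provenance: generate it from the release you deployed (or from version control), keep it off the web server, and run the comparison from a clean host, because an attacker with a shell can regenerate the manifest as easily as you can.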

kaffeine
11-12-2007, 03:33 PM
I'm obviously not concerned about the mail, but about the staff, how serious and responsible they are, and how are they handling things over there... all the bugs, the sql exploits, downtimes, and now this.... *sigh*

I don't want to think that these problems are caused by poor code with major security holes, and/or inexperienced and irresponsible staff who rushed into things, but...

ps: i'm keeping the mail for later amusement

mrnobody
11-12-2007, 03:45 PM
I have already started using a different password and probably will use a different nick for these new sites... you can't really trust 'em.

masterbat
11-12-2007, 04:00 PM
No big deal. Every major torrent site has been hacked before and they still survive.

fOrUmAs
11-12-2007, 04:14 PM
The guy behind the attacks ~ posted on Nov-13-07 by What
So, there's been a lot of speculation about who was behind the attacks on us. Waffles? RIAA? We've already come out and told you that it isn't the first. The waffles guys are cool, really. And the RIAA? Well, they don't redirect people to shock sites, as far as I know. So, who else would want to hack us? We've done our detective work, and located the two people. If you want to know who they are, skip to the end of the post. If you want to know who they are and why they hate us so much, read on in the ordinary up-down fashion.

When we first opened our public beta, we were temporarily hosted on the bitient.org server, which was owned by one of our admins (Noah). Noah also lent out hosting space to a few other people, and gave them shell access. When Noah granted us access to his server and IRC network, one of the owners of a site hosted on the server saw us as intruders, and felt a great deal of animosity towards us. This user's nick was 'P3T3R'. We left him alone, because it's never good to make enemies when you're running a site like this, but he seemed very intent on intimidating us. The following is from my IRC logs:

[Sat Nov 3 2007] [23:23:38] (P3T3R) btw, be prepared
[Sat Nov 3 2007] [23:23:42] (P3T3R) i'd watch it if I were you
[Sat Nov 3 2007] [23:24:02] (P3T3R) make the most of what you have while you have it
[Sat Nov 3 2007] [23:24:14] (P3T3R) cos you just might have it taken away from you...
[Sat Nov 3 2007] [23:24:37] (WhatMan) What the hell are you on about, P3T3R?
[Sat Nov 3 2007] [23:24:43] (P3T3R) i'm not quite sure
[Sat Nov 3 2007] [23:24:48] (P3T3R) or am I?

We suspect he was working with his brother 'biscuit', who has a reputation of being quite knowledgeable about linux, and 'hacking' in general.

Things were pretty normal for the next few days, but then we started seeing disturbing things appear in our database. Most of you guys know what these disturbing things were - redirects to shock sites, fake RIAA notices, etc. We initially thought that this was because of SQL injections - after all, TBSource comes with a load of exploits by default. So we went through the site, and patched up all the injection points (there were a lot of them). When we put the site back up, we immediately got hit by another attack. So we took it down again, and found and patched a couple more exploits. Then we put the site back up, and got hit by another attack.

After checking our database logs, it became painfully clear what had happened. The site and the database are hosted on separate servers. The attacker was connecting to the database server from the web server, but it didn't look at all like an SQL injection - none of our ordinary database calls accompanied the malicious queries. So, we decided that the attackers must have access to the web server, and since it was time to move from that temporary server anyways, we packed our bags and left.

This is when the SQL attacks stopped.

As we've already stated, the attackers then turned to brute force. The DDoS attack was well done, which made us think that the attackers were more than bored kids - but then, they sent out a shitload of fake RIAA emails, which looked like the work of a 14 year old. It was these emails that allowed us to track down the attackers.

The emails were well spoofed - the "originating IP" belonged to Dutch offices owned by the RIAA. However, they made a serious fuckup - a load of them were sent from [email protected]. This is not the case of a hacked mail script, as we never had a mail script - this was the case of someone trying poorly to hide their identity. A couple hours after these emails were sent out, every user in #what.cd received a CTCP-Version request from a user called 'biscuit'.

This is where it gets cool.

Sending version requests to everyone in a channel is the sort of thing script kiddies looking for someone to hack would do. As a good sysadmin, I tracked down biscuit's IP address:

[22:17] [Whois] biscuit is [email protected] (Biscuit)
[22:17] [379] biscuit is using modes +wrxt
[22:17] [378] biscuit is connecting from *@5acf5b58.bb.sky.com 90.207.91.88

And searched for it on the site - I came up with this account: http://what.cd/userdetails.php?id=1106

So, p3t3r and biscuit are on the same IP address. They both hate us, and p3t3r has openly threatened to take our site down. P3T3R has an account on the site, that he logs into frequently, but never uses to upload or download. They both have shell access to our original server, so they could get into the database. Biscuit, the "1227 hax0r", sends a version request to everyone on IRC, a couple hours after scam emails have been sent out from a server they have access to. A little more research shows that P3T3R is 14 years old, and biscuit is his brother. It all sounds pretty conclusive to me. I go on to the bitient.org IRC channel to see what I can find. What do I find?

[22:37] (Noah) BISCUIT!
[22:37] (Noah) You'd better not have been the one sending those fake RIAA emails!
[22:37] (P3T3R) :O
[22:37] (Noah) And you most certainly have better not have been the one behind the hack
[22:37] (Noah) the emails CAME FOMR MY IP!
[22:37] (P3T3R) hack?
[22:37] (Noah) FROM THIS FUCKING SERVER

This pretty much convinced me that these two (especially P3T3R) were the ones behind the attacks. So, I'm sure you're all curious as to who these people are.

We only went so far as to find out info on P3T3R. His name is Peter Cole, and he lives in Yorkshire, in the UK. His email addresses are [email protected] and [email protected] (the second one is also his MSN). His AIM is P3TP3T3R, and his Yahoo messenger username is pe3te3r. He has a personal web site (hosted on the bitient.org server) at p3t3r.co.uk - sadly, his home address and phone number are hidden from the whois. There's a shitload of information on him, easily accessible via google.

Neither I nor the rest of the staff is going to do anything to him - we just thought you'd like to know who the dickhead with your email address is. You can do with this information what you please.
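
The distinction the news post draws from the database logs (malicious queries arriving in sessions that carried none of the application's ordinary calls, which points at a direct database client rather than injection through the web app) can be turned into a simple triage script. The following is an added example, not what.cd's own tooling: the log lines are constructed in the style of MySQL's general query log (timestamp, connection id, command, argument), the application's "known" query shapes are assumed for the example, and the table and column names are invented.

```python
import re

# Constructed sample in general-query-log style: three connections from the
# web server's database account. Connection 7 is an ordinary login; 9 carries
# only foreign queries; 11 is an app session with one query the app never makes.
LOG = (
    "071112 11:20:01\t      7 Connect\ttbdev@web1 on tbsource\n"
    "\t\t      7 Query\tSELECT id, username, passhash FROM users WHERE username='alice'\n"
    "\t\t      7 Query\tUPDATE users SET last_access=NOW() WHERE id=1106\n"
    "\t\t      7 Quit\t\n"
    "071112 11:21:45\t      9 Connect\ttbdev@web1 on tbsource\n"
    "\t\t      9 Query\tUPDATE news SET body='<iframe src=http://shock.invalid/></iframe>' WHERE id=3\n"
    "\t\t      9 Query\tSELECT username, email FROM users\n"
    "\t\t      9 Quit\t\n"
    "071112 11:22:10\t     11 Connect\ttbdev@web1 on tbsource\n"
    "\t\t     11 Query\tSELECT id, username, passhash FROM users WHERE username='bob'\n"
    "\t\t     11 Query\tSELECT username, email, passhash FROM users\n"
    "\t\t     11 Quit\t\n"
)

# Assumed whitelist: the normalised shapes of every query the application issues.
# In practice this is harvested from a clean instance exercised by a test run.
APP_QUERY_SHAPES = {
    "SELECT id, username, passhash FROM users WHERE username=?",
    "UPDATE users SET last_access=NOW() WHERE id=?",
    "SELECT id, name, size FROM torrents WHERE id=?",
}

LINE = re.compile(
    r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$"
)


def shape(sql: str) -> str:
    """Replace string and numeric literals with ? and collapse whitespace so
    queries that differ only in their parameters compare equal."""
    s = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip()


def parse_general_log(text: str) -> dict:
    """Group queries by connection id; unparseable lines (headers, continuations) are skipped."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        cid, cmd, arg = int(m.group(1)), m.group(2), m.group(3).strip()
        s = sessions.setdefault(cid, {"user": None, "queries": []})
        if cmd == "Connect":
            s["user"] = arg
        elif cmd == "Query":
            s["queries"].append(arg)
    return sessions


def triage(text: str, app_shapes=APP_QUERY_SHAPES) -> dict:
    """Per connection: which queries match the app's shapes, which do not, and
    whether the session looks like a direct client (foreign queries, none of the app's)."""
    report = {}
    for cid, s in parse_general_log(text).items():
        known = [q for q in s["queries"] if shape(q) in app_shapes]
        unknown = [q for q in s["queries"] if shape(q) not in app_shapes]
        report[cid] = {
            "user": s["user"],
            "known": known,
            "unknown": unknown,
            # Injection rides inside an app session and sits next to the app's own
            # queries; a session with only foreign queries is somebody's own client.
            "direct_client": bool(unknown) and not known,
        }
    return report


if __name__ == "__main__":
    for cid, r in triage(LOG).items():
        print(cid, r["user"], "direct_client" if r["direct_client"] else "", r["unknown"])
```

Connection 9 is flagged as a direct client, which is the pattern the post describes; connection 11 is not flagged but still lists a foreign query, the pattern you would expect from injection through a page that already issued the login SELECT. Both lists are worth reading, but only the first one says the attacker has credentials or a shell on a host allowed to reach the database.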

Polarbear
11-12-2007, 04:16 PM
exactly as i thought - a stupid little kid. :D

time for a little education :whistling

lives in halifax btw.

raj3186
11-12-2007, 04:35 PM
I have already started using a different password and probably will use a different nick for these new sites... you can't really trust 'em.

same here tooo! :P

Daniel
11-12-2007, 04:37 PM
Well, with shell access to the old server everything was possible, so this explanation makes sense.

WhoopDeDoo
11-12-2007, 04:55 PM
Heh, maybe they'll actually stay online now.

Defy
11-12-2007, 05:20 PM
Glad to know the emails are fake... but I still don't care for my email floating around out there even though I go out of my way (constantly) to secure it. What.cd won't even pull up for me now... been this way all damn weekend. :(

psxcite
11-12-2007, 05:59 PM
Like I said in my original post, I figured it was some stupid script kiddie with no life and nothing better to do. I don't believe in whipping my kids, but I'd beat the hell outta that little brat. :D

I shouldn't judge, though. When I was young and on the Cult of the Dead Cow BBS and on the 2600 VMB system, I did a lot of stupid stuff in the name of "anarchy". They will grow up and hopefully get a good job as a linux admin or a SQL DB manager. LOL.

A little more info:


I had a nice chat with Noah earlier - apparently, P3T3R isn't the asshole, his brother is. His brother's name is Richard Cole, uses the email address [email protected] and owns the domain iheist.com - and the whois information for that isn't kept a secret. This is their address and phone number:

Administrative Contact:
Cole, Richard @googlemail.com
### ****
Halifax, Other HX3 7AN
UK
+.######### Fax: +.########

We also got a load more proof from Noah - he read their history file. It is available online here: http://pastebin.ca/770838 The cool shit starts at command 491 (a DOS attack). You can also see biscuit hacking our database, etc.

I've removed his email from the news post for the day, at Noah's request - he wants to flame him without his email getting lost in piles of spam. I'll re-post it when Noah's done.

WhoopDeDoo
11-12-2007, 06:05 PM
Like I said in my original post, I figured it was some stupid script kiddie with no life and nothing better to do. I don't believe in whipping my kids, but I'd beat the hell outta that little brat. :D

I shouldn't judge, though. When I was young and on the Cult of the Dead Cow BBS and on the 2600 VMB system, I did a lot of stupid stuff in the name of "anarchy". They will grow up and hopefully get a good job as a linux admin or a SQL DB manager. LOL.
Maybe, if they weren't complete idiots.

crashmycivic
11-12-2007, 06:20 PM
this is unfortunate, glad to know it was a fake email though :)

Vercors
11-12-2007, 06:44 PM
After reading that mail, I thought everyone was gonna think this is for real, especially since a bunch of people believed the site was taken down by the RIAA when the homepage was defaced. Good to see I was wrong.

And now that the culprits are found, what.cd should be able to settle down. That can only be good news right? :)

kostnkost
11-12-2007, 07:33 PM
If only I lived in the UK.:boxing:

IceTee
11-12-2007, 08:46 PM
If only I lived in the UK.:boxing:

:lol:;)

fOrUmAs
11-12-2007, 08:59 PM
Here is another news item, and this one I don't understand

We highly suggest you change the email address associated with the account. We have no way of knowing what Richard has done with your email addresses. We apologize for this inconvenience.

Do I need to just change my email in my profile and use Gmail, or do I need to leave the Yahoo account I signed up with and create another Yahoo account after what happened??

thx

MrLazy
11-12-2007, 09:08 PM
Fuck This Shit ...i Got This Same Shit Too ..

Polarbear
11-12-2007, 09:09 PM
Here is another news item, and this one I don't understand

We highly suggest you change the email address associated with the account. We have no way of knowing what Richard has done with your email addresses. We apologize for this inconvenience.

Do I need to just change my email in my profile and use Gmail, or do I need to leave the Yahoo account I signed up with and create another Yahoo account after what happened??

thx


you can't change your email atm on what. staff is working to fix the issue.

ilya
11-12-2007, 09:26 PM
I just deleted my account there... fake or not, I was not very pleased with the site and I have found a better source to download music from... no need to have a user on a site you won't use... right?

ByteBitten
11-12-2007, 10:08 PM
Sucks what happened.. I was able to change my email so it seems that the issue was fixed.

mrnobody
11-12-2007, 10:09 PM
I just deleted my account there... fake or not, I was not very pleased with the site and I have found a better source to download music from... no need to have a user on a site you won't use... right?

I think I will do the same. what.cd is not worth my private stuff floating around the internet. Besides, there are better + more secure music trackers... a little hard to get into though, but better than this crap.

usersec
11-12-2007, 10:57 PM
I dont understand this..

Change my email?
and what then - I still have to replace it with working email to get confirmation..

And if somebody got my email from which I registered what is going to help if I remove it now?

fOrUmAs
11-13-2007, 12:09 AM
I will change... shit, will not for sure now.. that is their problem, not mine.. and he can do whatever he likes with my email as long as he can't steal my email.. f***** stupid kid.. will burn in hell for that :D

Tenth
11-13-2007, 03:00 AM
Well after changing my email address on every file sharing site I visit and deleting the account that was registered with What.cd my paranoia seems to be passing. :unsure:

MrLazy
11-13-2007, 03:33 AM
Well after changing my email address on every file sharing site I visit and deleting the account that was registered with What.cd my paranoia seems to be passing. :unsure:

Be careful when changing email addresses.. some trackers are silly and think you are trading the account.. but I guess it's ok... since it's the same IP address... :huh:

arkiebrian
11-13-2007, 06:29 AM
At least the guys there are very up front with what is going on with their tracker.

pone44
11-13-2007, 07:29 AM
Knew it, seemed too fake (even though I was never a member). That and waffles... I do not care to ever be a member at either!

fstokebanget
11-13-2007, 08:24 AM
I think the important thing is: don't change email & password & log in from a different IP at the same time.

wheeloftime
11-13-2007, 08:25 AM
If only I lived in the UK.:boxing:

I do live in the UK and if any of my details end up on the net I'm sure I won't be the only person making the trip to Halifax.