14 Year Old BitTorrent Hacker Threatens to Sue What.cd Users



Hairbautt
11-12-2007, 08:45 PM
"Users of OiNK-replacement What.cd are receiving emails from what appears to be the RIAA. In it are threats that users must either stop their ‘criminal acts of piracy’ or have charges pressed against them. But is it the RIAA? Rival Waffles.fm? No, it’s a 14 yr old script kiddie out for revenge, says What.cd"

"Users of What.cd were in for more than a little shock today. Members of one of the OiNK replacement sites started receiving worrying emails from the music file-sharers’ arch nemesis - the mighty RIAA.


The email reads:
Date: 12 Nov 2007 11:35:46 +0100
Message-ID: 2007111XXXXXXX.XXXXX.qmail*bitient.org
To: XXXXXXX
Subject: Music Piracy
From: piracy*riaa.org
Reply-To: piracy*riaa.org
X-Originating-IP: [76.74.24.143]
X-Originating-Email: [piracy*riaa.org]
X-Mailer: Internet Mail Service
Dear registered user of the site What*cd,
We have recently been investigating the activities of the users of the site http*//www*what*cd/ and we have found that this site exists for the sole purpose of music piracy.
Pirating music is a criminal offence and we believe it should be obvious to you that the results outweigh the benefits - hard working artists won’t be rewarded for their work and will stop producing music, ultimately leading to a severely reduced selection of music both in the shops and for download.
The RIAA had hoped that the disabling by the police of the large illegal music site, Oink.cd, would stop a lot of people from engaging in piracy, as they don’t want to be seen as criminals. However, this appears to not be the case, as two large new sites have sprung up in its place.
This email is the final warning to all of you who were members of Oink.cd and are current members of What.cd. If we find you to be committing any more criminal acts of piracy then we will have to press charges against you, as representatives of the major record companies of America.
Yours Faithfully,
The RIAA

Worrying, especially as the IP address in the email seems to indicate it really is from the RIAA. Visitors to the What.cd site were then greeted with this message:
This week has been terrible. After we did two code audits and fixed our security issues, our wonderful attackers couldn’t get in (yay!), so they turned to brute force. After having been hit by several port scans and a rather fearsome DDoS attack (traffic reaching almost 80 megabits per second (note: that’s 10 megabytes per second)) our server pretty much went to hell. After an extended downtime (ending a couple hours ago) during which we tweaked firewall settings, etc., we decided that it was safe enough to bring the site back up.
Pretty much immediately after the site came back up we had someone trying to brute force our (well passworded) ssh accounts (they’ve now met the hot burny side of the firewall).
What have we learned from all this? That there is a person or a group of people somewhere that wants us to disappear. We originally thought that the attacks were by bored kids, but whoever was behind the DDoS appears to be much more serious than that. We aren’t going to publicly speculate on who is behind the attacks - we’ll leave that to you guys.
Despite these attacks, we are still up and running, and we hope to stay this way for a very long time. We have plans for this site, and we aren’t going to flush them down the drain just because some people don’t like what we’re doing. The first of our plans involves a very cool freeleech plan, but we’re going to wait until we’re sure the tracker’s relatively stable for that. For the time being, we’re keeping freeleech on until further notice.

But what about the emails? Is the RIAA really sending them out? If not, then who is and how did they get the What.cd user database? What.cd think they have the answer in a post on their site, replicated on this Pastebin page.

Other sites are already publishing the information above and a quick Google search does indeed reveal some interesting details. Apparently, the person held responsible for the hacking and the RIAA email is only 14 years old and not as much of a threat as some believed him to be. The alleged hacker’s date of birth, his hometown, hobbies and much more are detailed on Google.

Before today, he probably enjoyed telling the world about himself on social networking sites too.

He’s also mentioned on this Pastebin page full of haxor code - along with what.cd.

The youth of today….what’s the world coming to?
Update: It appears someone claiming to be ‘biscuit’ offered the database for sale and even threatened to send it to the RIAA. After deciding that he should keep it - for later ‘blackmail’ purposes he hopefully considered this link and realized it’s not worth it, deleted the database and forgot all about it."

Source: TorrentFreak (http://torrentfreak.com/14-year-old-hacker-threatens-whatcd-071112/)

$SnoopDo2G$
11-12-2007, 09:15 PM
:lol: This shit is funny :D

JA
11-12-2007, 09:46 PM
It made me giggle, but kudos to the 14 year old, now grow the fuck up and go outside.

ByteBitten
11-12-2007, 10:16 PM
Pretty impressive if it is a 14yr old. But then again, they may have issues..

S!X
11-12-2007, 10:49 PM
The kid's gotta get out of the house more ;)

Bucktoof
11-12-2007, 11:40 PM
He doesn't have a gf to keep him occupied.

MaaxHimself
11-12-2007, 11:46 PM
Script kiddies get nowhere.:noes:

mbucari1
11-13-2007, 01:07 AM
Script kiddies get nowhere.:noes:
true dat. If it was a 14 year old kid, I suspect his only "skills" are searching google for "hacking tools". I would bet my bottom dollar that he didn't code them himself.

fstrulz
11-13-2007, 01:15 AM
I bet that kid is J.A...

Oh wait... J.A's 16... :lol:

Ronnie Coleman
11-13-2007, 03:32 AM
He doesn't have a gf to keep him occupied.
Or a boyfriend!? :blink:

BawA
11-13-2007, 06:02 AM
The guys behind the attacks ∼ posted on Nov-13-07 by What

We highly suggest you change the password associated with the account. They are salted and encrypted, but we have no way of knowing what Richard has done with them.

So, there's been a lot of speculation about who was behind the attacks on us. Waffles? RIAA? We've already come out and told you that it isn't the first. The waffles guys are cool, really. And the RIAA? Well, they don't redirect people to shock sites, as far as I know. So, who else would want to hack us? We've done our detective work, and located the two people. If you want to know who they are, skip to the end of the post. If you want to know who they are and why they hate us so much, read on in the ordinary up-down fashion.

When we first opened our public beta, we were temporarily hosted on the bitient.org server, which was owned by one of our admins (Noah). Noah also lent out hosting space to a few other people, and gave them shell access. When Noah granted us access to his server and IRC network, one of the owners to a site hosted on the server saw us as intruders, and felt a great deal of animosity towards us. This user's nick was 'P3T3R'. We left him alone, because it's never good to make enemies when you're running a site like this, but he seemed very intent on intimidating us. The following is from my IRC logs:

[Sat Nov 3 2007] [23:23:38] (P3T3R) btw, be prepared
[Sat Nov 3 2007] [23:23:42] (P3T3R) i'd watch it if I were you
[Sat Nov 3 2007] [23:24:02] (P3T3R) make the most of what you have while you have it
[Sat Nov 3 2007] [23:24:14] (P3T3R) cos you just might have it taken away from you...
[Sat Nov 3 2007] [23:24:37] (WhatMan) What the hell are you on about, P3T3R?
[Sat Nov 3 2007] [23:24:43] (P3T3R) i'm not quite sure
[Sat Nov 3 2007] [23:24:48] (P3T3R) or am I?

We suspect he was working with his brother 'biscuit', who has a reputation of being quite knowledgeable about linux, and 'hacking' in general.

Things were pretty normal for the next few days, but then we started seeing disturbing things appear in our database. Most of you guys know what these disturbing things were - redirects to shock sites, fake RIAA notices, etc. We initially thought that this was because of SQL injections - after all, TBSource comes with a load of exploits by default. So we went through the site, and patched up all the injection points (there were a lot of them). When we put the site back up, we immediately got hit by another attack. So we took it down again, and found and patched a couple more exploits. Then we put the site back up, and got hit by another attack.

After checking our database logs, it became painfully clear what had happened. The site and the database are hosted on separate servers. The attacker was connecting to the database server from the web server, but it didn't look at all like an SQL injection - none of our ordinary database calls accompanied the malicious queries. So, we decided that the attackers must have access to the web server, and since it was time to move from that temporary server anyways, we packed our bags and left.

This is when the SQL attacks stopped.

As we've already stated, the attackers then turned to brute force. The DDoS attack was well done, which made us think that the attackers were more than bored kids - but then, they sent out a shitload of fake RIAA emails, which looked like the work of a 14 year old. It was these emails that allowed us to track down the attackers.

The emails were well spoofed - the "originating IP" belonged to Dutch offices owned by the RIAA. However, they made a serious fuckup - a load of them were sent from [email protected]. This is not the case of a hacked mail script, as we never had a mail script - this was the case of someone trying poorly to hide their identity. A couple hours after these emails were sent out, every user in #what.cd received a CTCP-Version request from a user called 'biscuit'.

This is where it gets cool.

Sending version requests to everyone in a channel is the sort of thing script kiddies looking for someone to hack would do. As a good sysadmin, I tracked down biscuit's IP address:

[22:17] [Whois] biscuit is [email protected] (Biscuit)
[22:17] [379] biscuit is using modes +wrxt
[22:17] [378] biscuit is connecting from *@*********.bb.sky.com **.***.**.**

And searched for it on the site - I came up with this account: /userdetails.php?id=1106

So, p3t3r and biscuit are on the same IP address. They both hate us, and p3t3r has openly threatened to take our site down. P3T3R has an account on the site, that he logs into frequently, but never uses to upload or download. They both have shell access to our original server, so they could get into the database. Biscuit, the "1337 hax0r", sends a version request to everyone on IRC, a couple hours after scam emails have been sent out from a server they have access to. A little more research shows that P3T3R is 14 years old, and biscuit is his brother. It all sounds pretty conclusive to me. I go on to the bitient.org IRC channel to see what I can find. What do I find?

[22:37] (Noah) BISCUIT!
[22:37] (Noah) You'd better not have been the one sending those fake RIAA emails!
[22:37] (P3T3R) :O
[22:37] (Noah) And you most certainly have better not have been the one behind the hack
[22:37] (Noah) the emails CAME FOMR MY IP!
[22:37] (P3T3R) hack?
[22:37] (Noah) FROM THIS FUCKING SERVER

This pretty much convinced me that these two (especially P3T3R) were the ones behind the attacks. So, I'm sure you're all curious as to who these people are.

We only went so far as to find out info on P3T3R. His name is Peter Cole, and he lives in Yorkshire, in the UK. His email addreses are *****@p3t3r.co.uk and *****@gmail.com (the second one is also his MSN). His AIM is *****, and his Yahoo messenger username is *****. He has a personal web site (hosted on the bitient.org server) at p3t3r.co.uk - sadly, his home address and phone number are hidden from the whois. There's a shitload of information on him, easily accessible via google.

Neither I nor the rest of the staff is going to do anything to him - we just thought you'd like to know who the dickhead with your email address is. You can do with this information what you please.

EDIT: I had a nice chat with Noah earlier - apparently, P3T3R isn't the asshole, his brother is. His brother's name is Richard Cole, uses the email address [email protected] and owns the domain iheist.com - and the whois information for that isn't kept a secret. This is their address and phone number:

Administrative Contact:
Cole, Richard @googlemail.com
### ****
Halifax, Other ### ###
UK
+.######### Fax: +.########

We also got a load more proof from Noah - he read their history file. It is available online here: http://pastebin.ca/770838 The cool shit starts at command 491 (a DOS attack). You can also see biscuit hacking our database, etc.

I've removed his email from the news post for the day, at Noah's request - he wants to flame him without his email getting lost in piles of spam. I'll re-post it when Noah's done.

EDIT again: We've decided to take the emails off for good. You can easily find them with a google search, anyways.

i so like conspiracies :lol:

if those IPs get to the tracker members biscuit is a goner, he's simply fucked.
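
The header mismatch that gave the sender away, as an added example (not part of the thread or of What.cd's own tooling): a Python check that compares the From domain with the Message-ID domain and flags headers the sender can set freely. The sample message is constructed from the headers quoted earlier in the thread, with "@" restored where the forum shows "*" and a placeholder recipient; the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread. The forum
# software shows "*" where "@" was; it is restored here, and the X'd-out
# parts of the Message-ID are kept. The recipient is a placeholder.
SAMPLE = """\
Date: 12 Nov 2007 11:35:46 +0100
Message-ID: <2007111XXXXXXX.XXXXX.qmail@bitient.org>
To: user@example.invalid
Subject: Music Piracy
From: piracy@riaa.org
Reply-To: piracy@riaa.org
X-Originating-IP: [76.74.24.143]
X-Originating-Email: [piracy@riaa.org]
X-Mailer: Internet Mail Service

Dear registered user of the site ...
"""

# Headers any sender can type in freely; they prove nothing about origin.
SENDER_SUPPLIED = ("X-Originating-IP", "X-Originating-Email", "X-Mailer")


def domain_of(addr):
    """Return the lower-cased domain part of an address or Message-ID."""
    addr = addr.strip().strip("<>[]")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def same_site(a, b):
    """Naive match: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def header_findings(raw):
    """Heuristic only: Message-ID is usually stamped by the submitting host."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    mid_dom = domain_of(msg.get("Message-ID", ""))
    findings = []
    if mid_dom and not same_site(from_dom, mid_dom):
        findings.append(f"Message-ID domain {mid_dom} does not match From domain {from_dom}")
    for name in SENDER_SUPPLIED:
        if name in msg:
            findings.append(f"{name} is sender-supplied and unverified")
    if not msg.get_all("Received"):
        findings.append("no Received headers to trace the delivery path")
    return findings


if __name__ == "__main__":
    for line in header_findings(SAMPLE):
        print("-", line)
```
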

JA
11-13-2007, 06:07 AM
I bet that kid is J.A...

Oh wait... J.A's 16... :lol:


:P I got better stuff to do than DDoS a site...

Shouldn't you be googling for Brazilian girls now? :whistling

snnufkin
11-13-2007, 07:52 AM
ye i had that mail too & i won't lie i really thought that that tracker was conspiracy tracker to catch the people who use those sites but after i found out it was a joke it's kinda funny :D

Ace30
11-13-2007, 09:29 AM
I had an oink account before it got taken down for the 2nd time that is but I still have the email about my account can I join what.cd or waffles somehow? Thanks in advance because I don't have any private trackers for music now it sucks

sleepyy
11-13-2007, 09:40 AM
Don't they have nothing better to do is his life so crap he has to annoy other people. this has to do with waffles? or did i read it wrong if it is why don't these people work together and grow and share their ideas together and build one super site and not just try to take each other down? this is just plain stupidity.

These silly little kids never learn it's always the people using the site that get hurt not the site owners all that happens to them is they have no member or no site for 50000 users having nowhere to go i would say is a far worse..

I find it funny he is smart enough to take down and find all the person details from a torrent site but he's not smart enough to hide his name face and age and home town how ironic

dave12
11-13-2007, 12:44 PM
that kid has got some quality though may be he is a script kiddie but he is good at it though

iNSOMNiA
11-13-2007, 02:45 PM
i lol'd

zallofa
11-13-2007, 05:50 PM
14 years...oh i received that mail

dvd4alll
11-13-2007, 07:46 PM
good to know!

$SnoopDo2G$
11-13-2007, 10:52 PM
I'm pretty sure the kid has his own tracker already,
and he's makin' money and he's bored as hell maybe that's why he did that...
Some people are really lame, I'm sure some people are scared now of torrents... LOL :D

Hanz™
11-14-2007, 01:16 AM
Script kiddies get nowhere.:noes:
true dat. If it was a 14 year old kid, I suspect his only "skills" are searching google for "hacking tools". I would bet my bottom dollar that he didn't code them himself.

jokzor
11-14-2007, 01:45 AM
i hired a team of detectives to inspect the origins of that kid...


i proudly present, in filesharingtalk first hand and only, his face

http://img208.imageshack.us/img208/6976/69906021in0.jpg

jayboy
11-14-2007, 01:58 AM
Pretty impressive smart kid

Hairbautt
11-14-2007, 02:55 AM
i hired a team of detectives to inspect the origins of that kid...


i proudly present, in filesharingtalk first hand an only, his face

http://img208.imageshack.us/img208/6976/69906021in0.jpg
Fo' real :O

Degenx
11-14-2007, 05:04 AM
Lol, thats not the real kid, that one is from the youtube video of a german kid going nuts over a computer game, roflmao.

pone44
11-14-2007, 05:45 AM
yeah , seems weird? 14 yr old? How good is the security there then?

psxcite
11-14-2007, 09:01 AM
Well, he had root access on the server they set the tracker up on. So he had access to everything. They were sharing the server at first. That was what initially set the kid off. He didnt want them sharing the site with them.

jokzor
11-14-2007, 01:52 PM
Lol, thats not the real kid, that one is from the youtube video of a german kid going nuts over a computer game, roflmao.
i guess it fits :)

WiseDoco
11-14-2007, 04:25 PM
Lol I agree. Nooo life :)

user2000
11-16-2007, 01:47 AM
im scared :)))))))))))

haitham334
11-25-2007, 12:57 PM
nice post

helsing
11-29-2007, 09:41 PM
hahahahaha, this boy is an own3r ;) Although he has some serious issues :)

Aaxel21
11-30-2007, 02:54 AM
Wow this kid is a douche. They need to make a South Park episode about him. Lol

sonofisis
12-04-2007, 08:25 PM
LOL, that's funny. The little guy has too much time on his hands.

plap
12-04-2007, 09:45 PM
That RIAA letter sounds fake.
Definitely nothing like a true letter from a lawyer with an order to cease and decease.
:mellow:

Ænima
12-06-2007, 12:09 AM
That RIAA letter sounds fake.
Definitely nothing like a true letter from a lawyer with an order to cease and decease.
:mellow:
Yes, I thought the exact same thing. The letter is soo informal. See in the beginning of one of the middle paragraphs, where the RIAA refers to itself in the third person.

eva707
12-06-2007, 12:24 AM
Lol :d

singing_sol
12-06-2007, 01:23 AM
yeah i received one too