


Broken
12-29-2007, 04:08 PM
Hackers Run Wild Spending BitTorrent Tracker’s Donations

The SuperTorrents BitTorrent tracker has been the subject of a major security breach, with hackers donating all the site’s money to a religious group. The hackers even went as far as contacting the site’s host and canceling all of their seedboxes.

According to a so-called ’scene notice’ circulating at the moment, the 35,000 member site was compromised when the hackers discovered that the admin of ST used the same password on a lot of other sites, as he does on other accounts - email etc.

The hackers discovered that the same password secured the site’s PayPal donations account. They claimed that due to the admin of ST making derogatory comments about a religious group, they decided to donate all the site’s available donations - over $2000 - to an Internet portal dedicated to that same religion.

read entire story... (http://torrentfreak.com/hackers-spend-bittorrent-tracker-donations-071229/)

tesco
12-29-2007, 04:11 PM
"Hackers" :lol:

peat moss
12-29-2007, 05:39 PM
That is pretty funny, watch out who you flame would be good words of advice. :yup:



" the hackers discovered that the admin of ST used the same password on a lot of other sites, as he does on other accounts - email etc. "



Don't we all? :whistling

lee551
12-30-2007, 04:42 AM
glad they decided to do something funny with the money instead of just plain steal it. :lol:

Detale
12-30-2007, 05:49 AM
From Ersan on ST:





Now this is the story all about how Ersan's life got flipped turned upside down and I'd like to take a minute and just sit right there and tell you how Ersan became the prince of a town called bel air


This weeks source of lulz is provided free of charge via a site called supertorrents.org and the nicest Administrator you've ever met, Ersan.


Supertorrents: A semi-decent private torrent site with around 35,000 members and a couple min to a couple hour pres, has always complained that they have never gotten any attention in scene notices, well it’s your (un)lucky day! Supertorrents makes approximately $2,000-$10,000/m (sup fbi?) Screenshot1.png. From here our lulz rampage began when we found out this super secret password that was 10 characters with no upper case letters numbers or symbols was also Ersan's password for every single other account that he had, including: paypal, softlayer, gmail, youtube and some other accounts we disabled/deleted for fun.


This all began a few days ago. Me and some friends were scoping around supertorrents irc network, when we discovered that they had a public prechan. Upon discovering this moderate scene security problem some friends and I decided to check the security of said prebot, turns out it was not so secure. Upon rooting the box and grabbing the unsecure predb and some scripts to play with we then rainbow table'd his password hash.


First on our list to do was to donate all of SuperTorrents donation money ($2054.28) to waheguroo.com, because sikh's are awesome, if you disagree you are a faggot and can die in a fire. To prove it was Ersan that we pwned and not some other n00b here check out screenshot2.png for the irc log (BTW it really was medicalmj, that guy is 1337 and you guys should've recognized). He eventually realized and filed a chargeback, apparently Ersan doesn't like Sikh's (fucking racist) see screenshot3.png


Second we logged into his gmail with of course the same username and password! From here we found some goodies like, his actual name which is only like 4 characters off from his nickname (idiot), his actual street address and even what car he drives (a 19 year old driving a Lexus IS300, I guess donations must be doing really well). We then moved over all of his spam into his inbox, for shits and giggles (he sure gets a lot of penis enlargement spam, I'm pretty sure it's intentional). I proceeded doing this until I realized this genius didn't even have anything in place to make sure his account wasn't pwned. At this point we just deleted his account, because maximum lulz were achieved. See screenshots3.png 4 5 6 for further proof


Lastly we logged into his SoftLayer account panel where he hosts the supertorrents seedboxes and cancelled them. At absolute worst we have cleaned up some of this insecure torrent filth for at least a few days, between no servers and no more email to respond to SoftLayer's questions. How's that for digitalguilt, Ersan? (screenshot7.png)


In closing, supertorrents members, how secure do you feel knowing the admin of your site uses ONE 10 char password with no upper case, symbols or numbers to protect nearly all of his accounts? Doesn't it make you wonder how secure your ip is being associated with a person like that? A person who has no job and spends your donation money on a Lexus?


Anyway, to the scene: We have done our part, wiping another insecure torrent site off the map. Now you must do yours! supertorrents only topsite access is to a known pay-per-leech site called c0re. Siteops there are serilkila and evilmike. There have been other scene notices regarding serilkila and our information only solidifies it. Nearly all of these torrent sites are on c0re and if we can cut it off we can begin to have security again in our scene.

peace in the middle east

p.s. CellKill had nothing to do with the making of this scene notice. We did however, want the world to know how big of a faggot he is (you're famous now)

greetz to renfield

So yeah, most of that is true except:

They don't have my real street address.
I don't drive a Lexus, that was a VIN that I looked up for my dad because I had a carfax account and he's computer illiterate.
SoftLayer did not cancel my servers.
Google recovered my account and reset my password.
From what I can tell, the server that they're talking about was not rooted, but I'm going to reload the OS on it anyway...
This has no effect on SuperTorrents in any way, it just screws with my personal email and finances for a few days.

The worst part is not knowing the extent of the damages that have been done, if all that was done was what was stated above then I'll be fine. If they downloaded all of my emails and chat logs or something then I have a real problem on my hands.

The security and general well-being of ST is intact, there's nothing they have access to that can incriminate or deal damage to anyone or anything related to ST.

Update:

They don't have my real street address.
I don't drive a Lexus, that was a VIN that I looked up for my dad because I had a carfax account and he's computer illiterate.
SoftLayer did not cancel my servers.
Google recovered my account and reset my password.
From what I can tell, the server that they're talking about was not rooted, but I'm going to reload the OS on it anyway...
This has no effect on SuperTorrents in any way, it just screws with my personal email and finances for a few days.
The worst part is not knowing the extent of the damages that have been done, if all that was done was what was stated above then I'll be fine. If they downloaded all of my emails and chat logs or something then I have a real problem on my hands.
---------------------------------
Nice attempt at damage control.... :\
We do have your real street address, along with a few others you were using. If we were just going to blank it out anyway, what's it matter? Shouldn't you be happy we did that, I guess we could go with the unedited copies of your name and addresses for the third notice. You just made an order at trollandtoad.com (lol, nerd) would you like us to post the usps tracking number & address? (1) Your address is talked about many times in google chats, once again you're lucky we don't post them here.
You did buy a Lexus, for $12,000. Here's some screenshots (2&3). We could always post more information about it, as we have your entire email box from a few weeks ago until now. Would you like us to? Was it your father or brother that you got the carfax for, lol?
Correct, SoftLayer did not cancel your servers, they did however cancel your account. Oh well, I guess we can't win them all
You did not recover your google account, here's a nice timestamp to prove it (4). BTW quit sending I forgot my password emails to it, it's not helping. (5)
Be thankful Eric, that we didn't give you the raging that was easily possible with all of the email and google chat logs we have. We PROBABLY won't release those, but hey you never know! :)
Face it, this kid drives a Lexus financed and paid for by piracy and p2p users hard earned dollars. This tool contributes nothing to the scene yet profits off of it and must be purged. I ask again st users, how secure do you feel with an admin that has your ip that is clearly lying to you and not smart enough to use a remotely secure password or stop using I forgot my password when his account is already pwned? Your choice....
cellkill is next
greets to rofles

Once again, I do not have a Lexus, I thought about buying one but there's no way I can afford it, the VIN numbers I looked up were for my father, he works for the Florida government in law enforcement and wanted to run title searches on the two cars I looked up - run your own history reports and you'll see that there was no title transfer in the last several months. I drive a 1993 Honda Accord that I bought from my dad's friend for $2500 and recently replaced the engine in, which is something I talked about on IRC quite a bit... (if any of that is important to you)
SoftLayer did not cancel my account, and I currently have full access to it, the subaccount they had access to has been disabled.
The only thing I don't have access to anymore is my e-mail.
Apparently Google didn't reset my password, it will 'take up to 15 business days to investigate the issue' and they probably do have my real address, but the one on SoftLayer is somewhere I haven't lived in months... There's nothing I can do about that, the only thing I can do is wait for Google. I have no control over what these people do with my information - I do hope there's no public release of my home address or I will be forced to move, my name is not so important. If anyone knows how to contact Google directly please let me know, otherwise I have no more options but to wait for them to 'investigate'...

Let me stress again that none of this affects supertorrents in any way, it only affects me personally, the passwords and e-mail addresses associated with ST are different than my personal ones - whether that was their intention or not is something I don't know.

KRink
12-31-2007, 05:04 PM
pwnt

psxcite
01-01-2008, 03:07 AM
That's despicable. They should be ashamed of themselves. Poor guy.

*Muhahaha*

I'm sorry. That's totally uncalled for.

*snicker*

Seriously, I hope he gets it all straightened out.

LMAO.