When Scriptkiddies Attack

Usually I don’t blog about the hundreds of ridiculous or down right crazy emails I receive each year, but this exchange makes all the others seem completely reasonable in comparison. Normally my unwanted emails range from people asking obviously blackhat questions presented as whitehat questions to offers of under the table payments in return for coding malware, but this email was something special. If you don’t follow me on twitter (Why don’t you follow me on twitter? ), I’ve been spending a while working on intel.malwaretech.com (a botnet tracker for various peer-to-peer botnet) and tweeting my progress. Yesterday I tweeted the following GIF showing my real-time tracking interface I’d just finished).

Within a couple of minutes of tweeting, I received the following email from someone with a name matching that of one of my followers.

Basically, he’s mistaken my botnet tracker for me posting screenshots of my botnet on twitter (I guess there are probably people who do that???), and wants me to give him the code.

I was still in the process of updating the tracker, so I didn’t notice the email until a follow-up was send 20 minutes later.

I particularly like this one for a couple reasons: If I wasn’t such an upstanding citizen, I think my idea of being “blackhat for one second” would involve something a little more profitable and ambitious than giving out free malware to scriptkiddies (but I guess that’s what blackhats do???) and the fact that he claims to have a remote RDP exploit and flash zeroday, but the best monetary amount he can offer is $50.

You can probably guess what the next email is if you’re familiar with the popular phrase: “If at first you don’t succeed, then result to blackmail”.

I wasn’t really sure if this was a troll or not, so I just replied with my standard canned response to such threats.

I also looked up his facebook page and went through the pictures, but due to some CIA grade redaction I doubt we’ll ever know his real name.

Over the next hour I didn’t notice anything in my access logs to suggest any attempt at hacking or DDoS, but I wasn’t really looking hard as the site is behind cloudflare and I designed the backend in such a way that all user-input is canned to reduce the surface for web based attacks. Ofcourse if he somehow did managed to get into my server, there is no bot source or botnet for him to steal, so he’s going to be very disappointed. Although there was no clear evidence of any attacks, I did however notice I’d been very busy sending myself emails.

Quite interestingly gmail doesn’t mark spoofed emails from myself as spam, despite the fact that my email address uses DKIM and the spoofed emails were obviously not authenticated. Usually I’m very overzealous with writing regex rules for emails (sending me an email containing phrase such as “I await your reply”, “first page of google” and “Mobile App Development” will result in instant deletion of said mail and all subsequent emails from that address), but in this case all the emails were grouped into a single thread so I could delete with one click, making it not really worth it to log in to the server and add a new rule.

The hosting service he was using to “bumb” me kept killing the flood due to failures, so my inbox was hardly being overwhelmed by the volume. After about an hour of the world’s lamest email flood, it ceased and i received another few mails from our friendly neighborhood hacker.

I checked out the link out on a VM through Tor hoping it would be some kind of exploit or IP logger, but it was just a login page for what we can assume is the shell he was offering me.

It’s quite common for colleges and universities to allocate official sub-domains for different faculties and delegate management to faculty staff and even students, resulting in them often getting hacked. This specific sub-domain seems to have been accessed by various different hackers and the directories are full of strange files (I’m not really sure who to contact about the shell, so if you’re associated with Harvard feel free to email from an official mail for the full link or contact the site administrator.).

Based on the shell link, I had already figured what his next threat would be and had saved some screenshots of the emails and link just in case; sure enough after another hour I received these two emails around 5 minutes apart. | | |—| | Damn it Paul, stop chmodding your directory to 777 |

Creating a sub-page in a sub-directory of a sub-domain of a sub-domain, wow this MalwareTech guy really knows his stuff…

As of writing this the deface page is still up, but that’s not really a surprised seeming as it’s not even an index page or in an actively used directory.

I was also able to find publicly accessible logs from a cookie stealer running on the same sub-domain and according to a discussion in one of my tweet threads, this could potentially be high risks as sub-domains have the ability to read certain cookies set using the parent domain, i.e .harvard.eu.

But wait! The fun didn’t even stop there: before I went to bed I received a few more threats.

What is option 2? I must known! Also notice indexx.php as I assume index wasn’t writable.

This is the point where he realized I’d been live tweeting the whole thing and decided to instead blackmail me into deleting my tweets (because obviously blackmailing me had gone well for him so far?).

I then received one final email before he gave up with the threats (or at least I assume he did).

Now as a not entirely incompetent webmaster, I instantly noticed that IP is not in any of my provider’s IP ranges, so I decided to look it up.

lol, gg.