I just caught a hacker!

spazntwich1

Banned
Apr 22, 2001
839
0
0
I noticed I had a virus on my computer, iexpiore.exe. This just slightly annoyed me at first. Then, I noticed that this virus had made me part of a large Denial of Service attack! This personally pissed me off!

I then used Zonealarm to find out that this specific virus connects me to a DALnet server, to await instructions. Using windump (TCPdump for windows), I found out which nick the trojan tries to send messages to. Now, I'm just waiting for this guy to log on so I can get his IP. Once I've got that, this guy's ISP, as well as his local police are getting reported.

It's worth noting that when I used this guy's nickname for several seconds, I got literally hundreds of messages from infected computers, so everyone, be on the lookout for "iexpiore.exe" showing in your task manager.

This script kiddie is going down! And before you ask, I DO want a cookie.
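
Added example, not part of the original post: a Python sketch of the capture analysis described above, pulling out who an infected client reports to from the IRC lines in traffic to port 6667. The payload, nick, channel and server name are constructed sample data.

```python
from collections import Counter

# Constructed sample: client-to-server IRC lines as they would appear in the
# payload of a capture filtered on TCP port 6667. All names are made up.
SAMPLE_PAYLOAD = (
    b"NICK zx81421\r\n"
    b"USER zx81421 0 * :AIM Password Grabber\r\n"
    b"JOIN #example-chan\r\n"
    b"PRIVMSG ExampleNick :online\r\n"
    b"PING :irc.example.net\r\n"
    b"NOTICE ExampleNick :Server Name: AIM Password Grabber\r\n"
    b"PRIVMSG ExampleNick :ready\r\n"
)

def parse_irc_line(raw: bytes):
    """Split one IRC line into (prefix, command, params); None if empty."""
    line = raw.decode("latin-1").rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        # Optional ":prefix " names the sender on server-to-client lines.
        prefix, _, line = line[1:].partition(" ")
    # Everything after the first " :" is a single trailing parameter.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:] + ([trailing] if sep else [])
    return prefix, parts[0].upper(), params

def summarize_targets(payload: bytes):
    """Count PRIVMSG/NOTICE targets and collect JOINed channels."""
    targets, channels = Counter(), set()
    for raw in payload.split(b"\n"):
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        _, command, params = parsed
        if command in ("PRIVMSG", "NOTICE") and params:
            for target in params[0].split(","):
                targets[target] += 1
        elif command == "JOIN" and params:
            channels.update(params[0].split(","))
    return targets, channels

if __name__ == "__main__":
    targets, channels = summarize_targets(SAMPLE_PAYLOAD)
    print("message targets:", dict(targets))
    print("channels joined:", sorted(channels))
```

A nick that receives every PRIVMSG and NOTICE from a process you never started is the reporting target; as later replies point out, it identifies an IRC identity, not a person or a machine.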
 

pulse8

Lifer
May 3, 2000
20,860
1
81


<< And before you ask, I DO want a cookie. >>



Well, you deserve one! Good work!
 

Czar

Lifer
Oct 9, 1999
28,510
0
0
notify Ashcroft, this guy will be tried at a military court on the grounds of being a terrorist


care to share his nick? .. and what dalnet server?
 

pulse8

Lifer
May 3, 2000
20,860
1
81
Yeah, nothing like almost 80,000 people there to give the guy a little crap.
 

MajesticMoose

Diamond Member
Nov 14, 2000
3,030
0
0
good job

*applauds


considering that i run opera, it would be very odd for me to see anything that looks like iexplore in my task manager.

m00se
 

spazntwich1

Banned
Apr 22, 2001
839
0
0


<< care to share his nick? .. and what dalnet server? >>



I'll hand out his nick if notifying his ISP doesn't do any good. Believe me, I relish the thought of letting loose the hordes of Anandtech on him.

As for which dalnet server, it seems to be different every time it connects, so I'm guessing it just connects to dal.net and is assigned a server.
 

Mrburns2007

Platinum Member
Jun 14, 2001
2,595
0
0


<< I'll hand out his nick if notifying his ISP doesn't do any good. >>



ISPs don't give a crap so long as he pays his bills.
 

spazntwich1

Banned
Apr 22, 2001
839
0
0


<<

<< I'll hand out his nick if notifying his ISP doesn't do any good. >>



ISPs don't give a crap so long as he pays his bills.
>>



Then believe me, everyone and their brother will get all the information I can dig up on this dude. Email address, ip address. It might even be worth a shot to turn all of his zombies against him.
 

Pepsi90919

Lifer
Oct 9, 1999
25,162
1
81
The only thing the IP address is good for at this point is finding out who the ISP is...which you already know.
 

spazntwich1

Banned
Apr 22, 2001
839
0
0


<< The only thing the IP address is good for at this point is finding out who the ISP is...which you already know. >>



No, I don't know HIS IP address. That's why I need to wait for him to sign on to IRC.
 

nd

Golden Member
Oct 9, 1999
1,690
0
0


<< I noticed I had a virus on my computer, iexpiore.exe. This just slightly annoyed me at first. Then, I noticed that this virus had made me part of a large Denial of Service attack! This personally pissed me off!

I then used Zonealarm to find out that this specific virus connects me to a DALnet server, to await instructions. Using windump (TCPdump for windows), I found out which nick the trojan tries to send messages to. Now, I'm just waiting for this guy to log on so I can get his IP. Once I've got that, this guy's ISP, as well as his local police are getting reported.

It's worth noting that when I used this guy's nickname for several seconds, I got literally hundreds of messages from infected computers, so everyone, be on the lookout for "iexpiore.exe" showing in your task manager.
>>

Sorry to burst your bubble, but there's no way to know that whoever uses that nick is responsible for compromising your computer. For all you know it's yet another bot, or if by chance it *IS* the person, there's no way to know if that person is actually using IRC from his PC or by proxy through someone else's compromised machine.

Pretty much forget revenge -- chalk it up to experience and try to be more defensively intelligent in the future.
 

spazntwich1

Banned
Apr 22, 2001
839
0
0


<< So what did you do to infect yourself? >>



I have a feeling I got it from an AIM password "grabber". I had forgotten the password I used on one of my AIM screen names because I logged in with it so long ago, but I thought the password might still be stored somewhere on my computer.

Needless to say, I grabbed the first program I found off of Morpheus, which was a major mistake. I noticed that, in the notices I was getting from the infected computers, most of them seemed to have a "Server Name" exactly like the program they had used to infect themselves. Some of the names I noticed besides "AIM Password Grabber" were "Office XP - Keygen", "Quicktime Keygen", "Macromedia Keygen", and "Adult Check".

Doesn't look like it pays to pirate things, kids.
 

yakko

Lifer
Apr 18, 2000
25,455
2
0


<<

<< So what did you do to infect yourself? >>



I have a feeling I got it from an AIM password "grabber". I had forgotten the password I used on one of my AIM screen names because I logged in with it so long ago, but I thought the password might still be stored somewhere on my computer.

Needless to say, I grabbed the first program I found off of Morpheus, which was a major mistake. I noticed that, in the notices I was getting from the infected computers, most of them seemed to have a "Server Name" exactly like the program they had used to infect themselves. Some of the names I noticed besides "AIM Password Grabber" were "Office XP - Keygen", "Quicktime Keygen", "Macromedia Keygen", and "Adult Check".

Doesn't look like it pays to pirate things, kids.
>>

hahahahahahahahahaha!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I have never been infected by software I downloaded legal or otherwise.
 

puffpio

Golden Member
Dec 21, 1999
1,664
0
0
Exactly. If I was a hacker I would never connect to IRC directly, but go through several hops of compromised machines.



<< Sorry to burst your bubble, but there's no way to know that whoever uses that nick is responsible for compromising your computer. For all you know it's yet another bot, or if by chance it *IS* the person, there's no way to know if that person is actually using IRC from his PC or by proxy through someone else's compromised machine.
>>

 

spazntwich1

Banned
Apr 22, 2001
839
0
0


<< Sorry to burst your bubble, but there's no way to know that whoever uses that nick is responsible for compromising your computer. For all you know it's yet another bot, or if by chance it *IS* the person, there's no way to know if that person is actually using IRC from his PC or by proxy through someone else's compromised machine.

Pretty much forget revenge -- chalk it up to experience and try to be more defensively intelligent in the future.
>>



I know what you're saying, but this looks like a very sloppy job. I'm banking on the likelihood that this kid is just as sloppy about logging onto IRC. Upon more research, he's used "mini oblivian" to create this, so he hasn't even written his own program. I also noticed an AOL account trying to access my computer on port 6667. It might be a stolen AOL account, but he might just be another 13 year old AOLer.

Oh, and I'm almost POSITIVE the nick he uses isn't a bot. I've talked to several people on servers other than DALnet who remember talking to this guy, with this exact same nick, on DALnet.
 

KBrinks

Senior member
May 13, 2001
970
0
76
Task Manager says I'm running IEXPLORER.EXE

but when I end it.. it just closes Internet Explorer... <confused>
 

tallest1

Diamond Member
Jul 11, 2001
3,474
0
0
I say you wait for the guy to come online, get his IP address and then have all the computers in the channel do a Denial of Service attack on HIM.

You better make sure to hide afterwards.
 

yakko

Lifer
Apr 18, 2000
25,455
2
0


<< Task Manager says I'm running IEXPLORER.EXE

but when I end it.. it just closes Internet Explorer... <confused>
>>

I would be too since Internet Explorer is IEXPLORE.EXE.
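
Added example, not part of any post in the thread: the names discussed here (iexpiore.exe, IEXPLORER.EXE, IEXPLORE.EXE) differ by one character, which is easy to miss by eye in Task Manager. This Python sketch flags process names that are close to, but not equal to, a known system binary; the allow-list and the sample process list are assumptions made for illustration.

```python
# Short illustrative allow-list of legitimate Windows image names (an assumption;
# a real list would come from a trusted baseline of the machine).
KNOWN_GOOD = ["iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def find_lookalikes(process_names, max_distance=2):
    """Map each suspicious name to the legitimate name it resembles."""
    hits = {}
    for name in process_names:
        low = name.lower()  # Windows image names are case-insensitive
        if low in KNOWN_GOOD:
            continue        # exact match: the real name, nothing to flag
        best = min(KNOWN_GOOD, key=lambda good: edit_distance(low, good))
        if edit_distance(low, best) <= max_distance:
            hits[name] = best
    return hits

if __name__ == "__main__":
    # Constructed process list using the names that appear in this thread.
    running = ["IEXPLORE.EXE", "iexpiore.exe", "IEXPLORER.EXE",
               "opera.exe", "explorer.exe"]
    for name, legit in find_lookalikes(running).items():
        print(f"{name!r} resembles {legit!r}: check its path and origin")
```

A hit is a prompt to check where the file lives and what launched it, not a verdict; an exact name match proves nothing either, since malware can reuse the real name from a different directory.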
 