#1 MD1032, 08-14-2003, 12:15 PM
e-mail spammer pwned!!

This story was posted on an IGN community forum by the user canadianrabbit and is the best story I've read in a long time.

Quote:
I have a rather complex network set up in my house, consisting of various OS'es, computer configurations, multiple subnets, etc. All of this is connected to a single Linksys switching router, itself connected to the cable modem.

My PCs are set up for individual tasks. Two function as all-purpose PCs for internet, E-mail, and gaming. One is my Linux development box, one is my Art PC, and yet another, DEFcon, connects itself to the network at 5am every morning to make backups of every connected hard drive, before disconnecting and going into stand-by.

I know my LAN inside and out, and I know when something isn't right.

The other night I was coming back from the bathroom, and noticed the activity light on the cable modem going crazy, as if someone was playing an online game or downloading a large file. I checked the PC in my room, Entity2, and ensured that it was in standby with no programs running.

Since Meesha was asleep, or was supposed to be, I checked the router to see which PC the activity was coming from.

DEFcon. Strange. It shouldn't be connected to the network at this hour.

In just my boxers, I went down into the chilly basement, carrying a small 13-inch monitor that I usually use to test other people's problem PCs, and hooked it up. The Windows 2000 Server screen came up, but there appeared to be no active programs.

I tried to bring up the network usage screen, but I just got the hour-glass, with the screen never coming up.

I carefully went through the list of kernel processes, and found one I didn't recognize. REDIX.EXE.

A search for REDIX.EXE found the culprit buried deep within the System32 folder. I copied this file to a CDRW, physically unplugged the computer from the network, and set the disk aside.

The next day, I loaded it into my Linux box, and with a C++ compiler, started looking at the code. I couldn't figure out what it was at first, until I saw the Outlook hook.

Someone was using my computer to send SPAM.

DEFcon is only connected to the network for about an hour each day, as it copies the /Windows, /System, and /System32 files of all windows machines on the network, and the relevant folders of my Linux machine. Although it never actively connects to the external network (internet), it has access to such by proxy of the other machines.

I checked each machine, and finally found one with the REDIX.EXE file...Meesha's. There it sat, buried again within the /System32 folder. DEFcon had become infected by means of copying this folder. The file was inactive on Meesha's WinXP Pro machine, as she did not have Outlook installed (only Outlook Express), but somehow, once on the backup disk of DEFcon, it had jumped to the master HDD and become active.

Ingenious.

I cleared the file from her machine, and then went downstairs to clear it from DEFcon. But then I got a better idea.

With a big grin on my face, I decompiled the code and searched for all strings that may point to a file that contained E-mail addresses. After a few hours of no luck, I found what I was looking for. It wasn't the expected .txt file, but rather an internet address.

I went to the address, and for the next hour my computer, on a high-speed, 3mbps line, downloaded a text-only .htm file of nothing but addresses. Millions of them. Checking WHOIS, I found the server hosting the addresses to be in Croatia, outside of U.S. jurisdiction.

Doesn't matter, I had a better idea.

I moved DEFcon to a position behind my Linux box, and monitored by eye all incoming connections. Finally, one popped up that triggered the spamming. I grabbed the IP address and went to work.

It was from an ISP in Arizona. I tracked down the support number for the ISP and gave them a call. After half an hour of explaining, the support tech simply sighed and said "Not much I can do, since the SPAM is coming from your end."

No matter, I still had a better idea.

The next night, last night, I sat up again waiting for the incoming connection. I had the IP address and was all ready to go. As soon as I saw the incoming active, I hit ENTER on my Linux box, and found myself in the attacker's root. OMG, HE'S USING LINUX!

No matter.

After just a few minutes, I found his E-mail address.

I re-wrote the target of his beloved REDIX.EXE to include one address...his. Then I added a loop variable. Then I reburnt the file to the CDRW, and went downstairs to replace the original REDIX.EXE with my altered copy.

And all through the night, a total of 721,416 E-mail messages were sent to a single address. His.

Then his ISP called me about twelve hours ago, complaining of SPAM sent from my IP address. I explained the whole situation, clarifying that I had not sent the spam, and was only a proxy of his actions. I recalled my earlier conversation, complete with ticket number, with one of their support reps. I even E-mailed them both the original REDIX.EXE and my altered one.

His ISP called my ISP, who then called me. My ISP asked me not for the original REDIX.EXE, but for my altered copy. Asked what their intentions with the file were, the Level3 tech support rep laughed and said "We're gonna use it. You've shut his ISP down and they want to blame you. They refuse to take action against the perpetrator, and there's little we can do. Basically what I'm trying to say is, if they will not take action against this user, we're going to see that, by this user's actions, they remain in a state of non-functionality. Since he is the one triggering the mailings, there are no legal ramifications on our part."

Thirty minutes ago, my ISP again called me. The user's ISP is joining my ISP in a lawsuit against the spammer for theft of bandwidth, illegal use of proprietary networks, electronic trespassing, and distribution of an electronic virus with intent to profit. Maximum fine allowed by law: $1,500 per message.

Ahhhh...a job well done.
Completely pwned!!!

#2 Droppyale, 08-14-2003, 12:38 PM
bhahahahhahahaha this is great...
#3 ShawnD1, 08-14-2003, 12:51 PM
That is truly inspirational. This guy who pwned the spammer should get some sort of award.
#4 ben-the-slacker, 08-14-2003, 01:41 PM
#5 CraigK, 08-14-2003, 01:49 PM
He is kind of getting an award. He has the personal pleasure of knowing he beat a "get-rich-quick guy."

Well... that and knowing the @$$ will potentially have to pay
Quote:
"$1,500 per message sent"
#6 Siliconjunkie, 08-14-2003, 02:34 PM
If you actually read the story, it's pure BS:

Quote:
DEFcon, connectes itself to the network at 5am every morning to make backups of every connected hard drive, before disconnecting and going into stand-by
2000 Server doesn't have standby.

Quote:
carrying a small 13-inch monitor
He's such a wiz, but doesn't know about terminal services?

Quote:
I tried to bring up the network usage screen
Another non-existent item in 2000 Server

Quote:
I loaded it into my Linux box, and with a C++ compiler, started looking at the code.
A C++ compiler won't let you view source of a compiled binary.

Quote:
DEFcon is only connected to the network for about an hour each day
So, he unplugs it the rest of the time?

Quote:
as she did not have Outlook installed (only Outlook Express)
But he had Outlook/Office on his "server", yeah, he's a real wiz!

Quote:
As soon as I saw the incoming active, I hit ENTER on my Linux box
This guy has been watching WAY too many movies. First, earlier he said he had a Linksys, so unless he had ports forwarded they could not communicate directly with any of the boxes. Second, we all know that all it takes to root a box is the ENTER key.

Quote:
"Not much I can do, since the SPAM is coming from your end."
True, he was the one spamming, but someone on their network had hacked his box (which doesn't sound like a big feat)

Quote:
Then his ISP called me about an twelve hours ago, complaining of SPAM sent from my IP address
Um, how did they arrive at him? I seriously doubt he shows up as the netblock owner and ISPs aren't in the habit of giving out user info.

Quote:
"We're gonna use it. You've shut his ISP down and they want to blame you. They refuse to take action against the purpetrator, and there's little we can do. Basically what I'm trying to say is, if they will not take action against this user, we're going to see that, by this users actions, they remain in a state of non-functionality. Since he is the one triggering the mailings, there are no legal ramifications on our part."
There are 2 things in this. 1st) ISPs don't deal with things like this by shooting spam back at them. They use ACLs to control it. Doing some stunt like this costs bandwidth and that means money. 2nd) He shut them down? With his big ole 3mbps (at most) line? What is the other ISP using, ISDN? Get real. About the only thing you can DOS with cable is a dialup user.


Nice bit of fiction, but that's all it is.
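On the "C++ compiler" point in the post above: what you actually do with a compiled binary you have no source for is pull its embedded strings and grep them for URLs and e-mail addresses, which is also the only realistic way the story's "address in the code" would ever be found. The following is an added example, not code from this thread or from anything in the story; the sample bytes are constructed inline (the `.invalid` names are placeholders) and have no relation to any real REDIX.EXE. It scans for both plain ASCII runs and UTF-16LE runs, since Windows binaries routinely keep configuration strings in the latter and a naive ASCII scan misses them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "binary" standing in for a dropped executable: junk bytes
# with a few embedded strings, both ASCII and UTF-16LE. Placeholder names only;
# nothing here comes from any real malware.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x7f\x01\x02\x03"
    + b"http://example.invalid/list.htm\x00"      # ASCII URL (an address-list location)
    + b"\x00\x05\x99\xaa"
    + "smtp.example.invalid".encode("utf-16-le")  # UTF-16LE hostname
    + b"\x00\x00"
    + b"AB\x00"                                   # too short to be reported
    + b"operator@example.invalid\x00"             # ASCII e-mail address
    + b"\x11\x22\x33"
)


@dataclass
class FoundString:
    offset: int
    encoding: str  # "ascii" or "utf-16-le"
    text: str


def extract_strings(data: bytes, min_len: int = 4) -> List[FoundString]:
    """Pull printable runs out of a blob, the way the `strings` tool does.

    ASCII runs are consecutive printable bytes (0x20..0x7e). UTF-16LE runs are
    printable bytes alternating with NUL, which an ASCII-only scan breaks into
    single characters and therefore never reports.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    found = [
        FoundString(m.start(), "ascii", m.group().decode("ascii"))
        for m in ascii_re.finditer(data)
    ]
    found += [
        FoundString(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
        for m in utf16_re.finditer(data)
    ]
    return sorted(found, key=lambda s: s.offset)


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_indicators(strings: List[FoundString]) -> Dict[str, List[str]]:
    """Reduce the recovered strings to the ones worth chasing: URLs (where a
    spam engine would fetch its address list from) and e-mail addresses."""
    urls: List[str] = []
    emails: List[str] = []
    for s in strings:
        urls += URL_RE.findall(s.text)
        emails += EMAIL_RE.findall(s.text)
    return {"urls": urls, "emails": emails}


if __name__ == "__main__":
    recovered = extract_strings(SAMPLE_BINARY)
    for s in recovered:
        print(f"0x{s.offset:04x} {s.encoding:9} {s.text}")
    print(find_indicators(recovered))
```

The same two regexes run unchanged over a real file read with `open(path, "rb").read()`; the point of the UTF-16 pass is that the hostname above is invisible to a plain ASCII scan. Strings are only a starting point: a packed or string-obfuscated sample yields nothing useful this way, and the URL a binary carries is not evidence of who operates it.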
#7 Guest, 08-14-2003, 02:50 PM
lol Siliconjunkie


Quote:
I hit ENTER on my Linux box, and found myself in the attackers root.
So much for linux being more secure than windows eh?
#8 SiliconJon, 08-14-2003, 03:02 PM
[sounds of BIG gun fire]

[sound of plane coming down]

[crash]

And the story posted by a guy who uses a p instead of an o is revoked.
#9 Mntsnow, 08-14-2003, 07:44 PM
Whew...Glad I kept reading and saw your post Sjunkie...I was prepared to blow the story out of the water as well but you caught one I missed which was the C++ part. Since I'm not a programmer I would have accepted that statement.

Anyways, the story does bring a smile to an anti-spammer's face
#10 Mickwish, 08-14-2003, 07:51 PM
Wonder if this one will achieve Urban Myth status?

Can't believe all you read in community forums, folks!

Cheers
Mick