Message-ID: <4b6ee9310606301001q49b4ebd1k21e614f7a378aa9a@mail.gmail.com>
Date: Fri Jun 30 19:30:59 2006
From: xploitable at gmail.com (n3td3v)
Subject: Advisory from AMIT concern BANTOWNE

On 6/30/06, AMIT SECURITY <amitsecurity@...il.com> wrote:
> HELLO, MY NAME AMIT. I SECURITY RESEARCH FROM ALL OVER WORLD AND
> CURRENTLY THIS MY FIRST ADVISORY TO ANYONE RESEARCHING. I POST TO
> MAILING LIST IN INTEREST OF EXPULSION OF KNOWLEDGE.
>
> RECENTLY I HEAR OF FREENODE ATTACK AND SOME OPERATORS OWNED FROM
> SNIFFING OR SOMETHING LIKE THAT. THIS VERY BAD BUT IT HAPPEN IN MY
> COUNTRY ALL TIME. I SAY TO MYSELF, AMIT, YOU MUST HELP CATCH CRIMINAL
> WHO DO THIS TO NON-PROFIT ORGANISATION SO I SET OUT TO LEARN ALL THAT
> I CAN ABOUT THAT CRIMINAL. I FIND OUT TWO GROUP ARE MAY BE TO BLAME,
> GNNA AND BANTOWNE. GNNA STAND FOR "GAY NATIONAL NARCOTICS ALLEGIANCE"
> MY FRIEND FROM WORK SAY, BUT HE NOT KNOW WHAT BANTOWNE STAND FOR. I
> FIND NO INFO ON "GAY NATIONAL NARCOTICS ALLIANCE", AND MY INTUITION
> TELL ME BANTOWNE TO BLAME. SO THROUGH DEVIOUS MEANS I INFILTRATE
> BANTOWNE IRC CHANNEL WHICH IS LOCATED AT IRC.BANTOWN.ORG (NOTE: IT
> MINUS THE "E") AND THE CHANNEL IS HIDDEN BUT STILL I FIND IT. IT
> CALLED #BANTOWN (MINUS THE "E" TOO).
>
> THIS IRC CHANNEL IS FULL OF THE BADDEST SCRIPT KIDDIE I HAVE SEEN IN A
> LONG WHILE, AND I WORK ON SECURITY FOR OVER 20 YEAR, EVEN BEFORE
> MODERN PC ARE COMMONPLACE AS USER. EVEN SOME PEOPLE IN CHANNEL KNOW
> PERL OR OTHER USEFUL LANGUAGE. I VERY IMPRESSED. SOME FRIENDLY PEOPLE
> IN CHANNEL, LOT OF THEM SAY "LOL" MOST TIME THEY SPEAK. SOME NOT SO
> FRIENDLY, SAY BAD WORD BUT THAT OK, THEY CRIMINAL SO WHO CARE. I
> PRESENT FRIENDLY APPEARANCE, THEY TALK FRIENDLY TO ME. THIS NIGHT OF
> FREENODE HACK NEWS AND THEY PISSED OFF AT "LILO", WHO SEEM TO BE SEMI
> TRUCK DRIVER AND LIVE IN BACK OF TRUCK IN TRUCK TRAILER, CAUSE THEY
> SAY HE LOTS OF BAD THINGS. SOME OF THEM BE VERY SKILLED PROFESSIONAL
> AT HACK. ONE GO BY "INCOG" AND HE MASTER OF CROSSED-SITE-SCRIPTING
> VULNERABILITY. HE SURF SITES LOOKING FOR VULNERABILITY ALL DAY LONG. I
> EXCERPT FROM CHANNEL:
>
> <incog> that reminds me... ill go find xss in fark.com
> <incog> k, i just found xss in imdb... but my memory is so bad that i
> dont know if this is new or i just rediscovered it
> <incog> just found xss in youtube
> <incog> i have xss on flickr
> <incog> xss on technocrati
> <incog> weev, i have xss on all turdpress blogs ever
> <lncog> i just found dailykos xss for rolloffle
> <whatcog> I have SA xss
> <whatcog> on secure.somethingawful.com
>
> THAT OVER FEW DAYS OF TALK. INCOG SEEM TO BE MOST BRUTAL SCRIPT-KIDDIE
> KNOWN TO MAN, BUT WE CHECK OUT ANOTHER PERSON HE CALLED "WEEV". HE
> BEEN AROUND THE BLOCK A LONG TIME AND HE HAVE MANY IDEA HOW TO CAUSE
> DAMAGE TO FREENODE AND A MAN NAME "LILO". AGAIN I EXCERPT FROM
> CHANNEL:
>
> <weev> okay guys
> <weev> i need you to find some mexican woman in houston
> <weev> and just relentlessly troll her
> <weev> call her up at all hours of the night
> <weev> screaming ROB LEVIN, ROB LEVIN
> <weev> and then we're going to say she's the nanny for his kids
>
> "WEEVE" ALSO ENCOURAGE "INGOC" TO HACKING ACTIVITIES, PROBABLY FOR HIS
> OWN USAGE LATER ON. I EXCERPT:
>
> <weev> incog: can you get flickr?
> <incog> ill try
> <cstone> oh god flickr would be hilarious
> <incog> flickr uses yahoo id's
> <weev> not necessarily
> <weev> there are internal flickr ids too
> <weev> and it doesnt use the yahoo cookie
> <weev> basically you auth with your yahoo id
> <weev> and then it gives you a flickr cookie
> <weev> and from there its all flickr
>
> LIKE SAID, "WEEV" KNOW A LOT AND PROBABLY RINGLEADER, OR AS THEY SAID
> IN AMERICA, "MASTER OF PUPPETS". AND I DO THINK MANY PEOPLE ON THE
> CHANNEL PUPPETS. SOME VERY SCRIPT-KIDDIE LIKE. WELL, IT OBVIOUS ALL
> ARE SCRIPT KIDDIE, BUT SOME ARE VERY. VERY. MOST ALSO IRC KIDDIE. I
> EXCERPT:
>
> <tem> they unbelievers must be purged
> <tem> they unbelievers must be purged
> <tem> they unbelievers must be purged
> <tem> they unbelievers must be purged
> <tem> they unbelievers must be purged
> <tem> they unbelievers must be purged
> <bizzy> WHY IS SALAD SO GOOD?!!?!
> <bizzy> WHY IS SALAD SO GOOD?!!?!
> <bizzy> WHY IS SALAD SO GOOD?!!?!
>
> AS YOU CAN SEE, SOME VERY DUMB AND NOT UNDERSTAND IRC CLIENT PROPERLY.
> THERE MANY MORE EXAMPLE OF ABOVE EXCERPT, BUT I LIMIT TO THAT CAUSE IS
> ANNOYING. BUT WORSE IS YET TO COME, B/C "WEEAVE" POST PERSONAL
> INFORMATION OF "ROBERT LIVIN", OTHERWISE KNOWN AS "LELO" ON FREENODE
> NETWORK, THE TRUCK DRIVER, FOR PLANE VIEW OF ALL TO ABUSE. BANTOWN
> ALSO RESPONSIBLE FOR POST OF INFORMATION TO CRAIGLIST AND OTHER
> PLACES. I EXCERPT BUT MUST CENSOR SO THIS INFO IS NOT USED FOR CRIME:
>
> <weev> philsanchez: lilo's federal employer identification number is xx-xxxxxxx
> <weev> his federal identification number is xx-xxxxxxx
> <weev> the address officially listed for pdpc is 10100 main street #31
> houson tx 77025
> <weev> phone number for pdpc officially listed is 713-589-5863
> <weev> his ssn is xxx xx xxxx
> <weev> his dob is xx-xx-1955
> <weev> 11-digit texas state taxpayer number xxxxxxxxxxx
> <weev> ROBERT LEVIN
> <weev> 9212 BURDINE ST. #1005
> <weev> HOUSTON, TX 77096
> <weev> the last address is his apartment
> <weev> no, he doesnt live in a trailer
>
> MANY ON #BANTOON SPEAK HIGHLY OF "RUIN", WHICH IS SKRIPT-KIDDIE FOR
> CAUSE HAVOK ON IRC OR NETWORK OR SOME MAIL PROGRAMS. SOME ALSO EAT
> SALAD OR DISPLAY ANNOYING QUIRK WHERE THEY NOT MAKE SENSE FOR EXTENDED
> PERIOD OF TIME AND ACT LIKE IDIOT. MANY ALSO RACIST PRICKS, OR THINK
> IS CLEVER TO MAKE ANNOYING RACIST COMMENTS. THEY HAVE WAY TO DISPLAY
> ASCII ART ON MAIL PROGRAM REALLY PHENOMENAL. I SAY CUTTING-EDGE CAUSE
> NO ONE EVER DO THIS BEFORE. IS MASSIVE ATTACK OF HAVOK. ANYONE
> FAMILIAR WITH FULL-DISCLOSURE KNOW WHAT I MEAN. MOSTLY THEY POST
> SWASTIKA OR OTHER RACIST IMAGE. I DO NOT KNOW WHO THE ASCII ARTIST,
> BUT SOMEONE WITH MAJOR ASCII SKILL WORK FOR THEM AND DO ART GOOD IN
> SPARE TIME.
>
> BANTOWN PEOPLE ARE ALSO LIKE TO CAUSE TROUBLE ON DIGG DOT COM AND THUS
> POST MESSAGES THERE. SO MANY TIMES PEOPLE ON #BANTON LIKE TO ASK FOR
> DIGG HELP BECAUSE ARTICLE NEED TO BE UPPED. I EXCERPT:
>
> <theta> DIGG CENSORS!
> <lucas> 15 diggs so far
> <sloth> http://digg.com/linux_unix/Freenode_Hacking_Fallout_Has_lilo_lied_to_us
> <sloth> digg digg digg
> <theta> drop a url, it gets like 75 diggs, nicely spaced out, at
> random intervals
> <theta> from a pool of 200-400 available diggbots
> <theta> for manipulating digg :)
> <tehdely> ok i am finally regging for digg
> <theta> man, I need a fake email that I can use to signup with digg
> <tehdely> commented lol
> http://digg.com/linux_unix/Freenode_Hacking_Fallout_Has_lilo_lied_to_us#c2088070
> <tehdely> n e more diggs
> <chroot> 21 diggs now
> <spo> like the phoenix the diggs will climb
> <theta> http://digg.com/linux_unix/Freenode_Hacking_Fallout_Has_lilo_lied_to_us#c2088199
> <-- my comment
> <weev> several hundred diggs
> <theta> the story needs more diggs
> <revmischa> i digged it
> <kash> someone make a php/perl/tcl script that uses tor to digg :|
>
> BANTOWN NOT CONTENT WHEN PEOPLE JOIN CHANNEL AND NEED TO BE KICKED.
> THEY GO FULL MEASURE AND USE "KILL". SOMETIME PEOPLE GET KILL BECAUSE
> THEY SUPPOSED HOMOSEXUAL, THIS FURTHER INTOLERANCE OF BANTOWN. THIS
> TOTAL CRIMINAL ACTIVITY AND FURTHER EVIDENCE FOR SCRIPT-KIDDY
> ACTIVITY.
>
> BANTOEN HAVE LEET SCRIPT REPOSITORY AND 0-DAY-CODE THAT THEY SHARE
> WITH NO ONE. THROUGH MANY ENTANGLES I GAIN ACCESS TO REPOSITORY. IT
> TURN OUT USER "REGULATE" HAVE OPEN FTP SERVER ON NEARBY SYSTEM THAT
> PROVIDE ME ALL ACCESS I NEED. I LIKE USING HACKER TRICK AGAINST
> CRIMINALS. SO ATTACHED TO THIS MESSAGE I BEAR YOU "FDJPEGART" WHICH IS
> WHAT BANTOWNE USE TO DO MOST OF THEIR MAILING LIST RUINING. THIS LEET
> SCRIPT YOU WILL NOT FIND ANYWHERE ELSE. SO THAT NO ONE ELSE WILL USE
> IT FOR EVIL I HAVE CHANGED MINI SMALL PARTS SO THAT IT CANNOT RUIN.
>
> THIS SUM UP MY ADVISORY. MY HEART EXTENDED TO "LIVO" AND THE
> OPEN-SOURCE COMMUNITY WHO BEEN HURT BECAUSE OF THE SCRIPT KIDDY
> ACTIVITIES OF BANTOWN. MORE ABOUT BANTOWN0 YOU CAN FIND HERE:
>
> PEOPLE WHO KNOW WHAT THEY ARE DOING AND LOOK OUT FOR THEM!:
>
> WEEVE
> INGOC
> REGULATE
> JMEX
> DAN
> MDL
> CURVE
>
> PEOPLE WHO DO NOT KNOW NOTHING AND ARE MOST "SHEEP" AS YOU SAY IN
> AMERICA:
>
> HEP
> T12
> RUBBERDIC
> REV MISCH
> FEEM
> BIZY
>
> THERE ARE ALSO OTHER POSERS IN THE BANTOWN BUT I DO NOT HAVE TIME TO
> NAME THEM ALL, AND THEY DON'T NOT MERIT IT TOO. THEY ARE SCRIPT
> KIDDIES AND I AM DONE HERE BUT I THOUGHT THAT I SHOULD WARN.
>
> THIS HAS BEEN AN ADVISORY FROM AMIT. FROM ALL OVER THE WORLD.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
Hiya AMIT SECURITY,

Thanks for your concern over Bantown.

They are currently known to the authorities and have been monitored on
the international wide area network for some time.

This follows high profile hacks reported that Bantown have been
claiming responsibility.

Bantown was originally formed as a #hackphreak splinter channel of
users who have been banned from #hackphreak and other high profile
channels.

What we generally are seeing here is a hybrid group of both rookie and
experienced users coordinating attacks on targets for Bantown
attention.

Essentially the body of the Bantown communications network at
irc.bantown is made up of a script kiddie architecture, however through
heavy monitoring of the channel, we've found individuals with vested
interests to hack, with the skill set capabilities to hack.

These people within the Bantown community don't do random attacks,
like your average 13 to 30 age group crowd, but are targeting specific
vendor names, for self recognition of bantown peers and that of the
wider security community.