Plausibility checks

April 28, 2008

Before I get to the actual topic of this post I want to write some sentences about some user reactions to my last post. I was asked why I called the hacker a professional one, as thats what he does is not complicated or cutting edge. That’s true, but he makes a living with it and that defines professional for me in this case.

So now to the plausibility checks I already talked about. Soon after I posted the link for the blog post to the hacker in the query I got an access to the page from the IP address 75.125.44.xxx, which I believe is the VPN gateway he talked about. This server seems to be a hacked dedicated at US ISP The Planet. This IP address accessed my blog the first time in the last weeks so thats a dead end. But I found something else, the browser agent variable “Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14”. OK thats the newest Firefox version but the other stuff doesn’t sound that common (e.g. the language). So I did a check in my logfiles and found following:

Users with the same User agent did access following files at the provided times:

  • 84.215.58.xxx [22. Apr. 2008 21:55:54 +0200] “/wp-content/uploads/2008/03/perl_bot.pl"
  • 84.215.58.xxx [26. Apr. 2008 18:56:07 +0200] “/44/a-tale-of-searching-for-a-hacker-and-his-supporter-the-idiot-programmer/”
  • 195.219.156.xxx [23. Apr. 2008 17:36:36 +0200] “/wp-content/uploads/2008/03/perl_bot.pl”

Both IP addresses did not access anything else in the last 2 weeks, thats really unusual. The first of the above addresses is an IP address from the Norwegian ISP Get AS. Hmm … could that be the real IP the hacker uses? The first access was before the DDOS and the second time it was under 30min after I talked with the hacker. Thats too much for coincidence.

But lets take a look at the other IP address. The reverse lookup of that IP points to a mail server, which looks like a hacked server as the 75.125.44.xxx address did. So the second server with Norwegian browser installed even if it is not located in that country. So even more coincidences, specially as the access happened minutes before the DDOS attack started.

But there is still more. This time the browser provided even attentional information. The reference entry: http://www.google.no/search?hl=no&q=%40SqlTable%2BxeQt&btnG=S%C3%B8k&meta=""
And what do we see? “@SqlTable+xeQt” is the search term … would that not be the name of the hacker?

Now I can say it – I don’t believe him. He lied about no knowing my blog and as he accesses it minutes before the attack happened. I believe he attacked my blog! But why? only for posting the source of his malware?

PS: If you ask yourself why I didn’t post the full IP addresses. Thats because it is only a guess (a good one, but still a guess) and it could be someone indecent behind a given address. And even if it’s the hacker and he said the truth about his internet connection, that IP would lead only to a neighbor of himself.

1 Comment »

RSS feed for comments on this post. TrackBack URI

  1. […] Robert Penz Blog » Plausibility checks […]

    Pingback by Interesting Bits - April 29th, 2008 « Infosec Ramblings — April 29, 2008 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 36 queries. 0.056 seconds.