Insurgency Mod Scum: cheaters, hackers, wallhackers, aimbotters, griefers, teamkillers, micspammers, spawncampers, exitcampers, and everything else Insurgency.
Blogger.com policy on personal information: Personal and confidential information: It's not ok to publish another person's personal and confidential information. For example, don't post someone else's credit card numbers, Social Security numbers, unlisted phone numbers, and driver's license numbers. Also, please keep in mind that in most cases, information that is already available elsewhere on the Internet or in public records is not considered to be private or confidential under our policies.
All information posted on Insurgency Mod Scum is publicly available.

th3j35t3r AKA The Jester Dox (Pastebin)

2011-08-25

http://pastebin.com/m74tyWuj
http://pastebin.com/raw.php?i=m74tyWuj

This is based on irc.2600.net chats in #jester, using a CTCP FINGER to obtain a user name. This user is very likely the actual Jester, for the following two reasons:

* At the time I set up the HoneyPot, #jester was +i (invite-only).
* Server logs of the attacks match his XerXes script.

The targeted user is:
wow, just read the whole localhost convo on here....it should be painfully obvious why th3j35t3r picks the targets he does...

The funny thing is that when he quits IRC, his part message shows the following host mask:
*** PashaPasta (~thejester@204.84.33.105) has left #jester

If you do a reverse lookup of 204.84.33.105, it belongs to the "North Carolina Research and Education Network". A previous CTCP finger of the PashaPasta user name pointed it out to be "thejesterrace87". The "~" in the ident on IRC means one of two things: he is either using SSH through work to tunnel into IRC.2600.NET, or he is using an HTTP proxy to connect to IRC.2600.NET.

A quick Google search of the finger reply revealed the following sites:

Google+: https://profiles.google.com/thejesterrace87/about
Name: Stephen Stone

Occupation
Computer Nerd
Employment

Wolfman Pizza
Computer Nerd, present

Education

Montreat College
present
Clemson University
Montreat College
Central Piedmont Community College

Places lived

Charlotte, NC
Charlotte, NC

What sparked some more interest: an internship with a government organization (North Carolina Research and Education Network) based in NC?? This is VERY interesting.... More Google searches revealed the following:

*Personal blogger account from 2008 complaining about his sophmore Computer Science courses: http://pasha2009.blogspot.com/
*AOL messanger account: http://lstreamfeweb-mtc02.evip.aol.com/stream/thejesterrace87
* Defcon 19 attendence requesting songs: https://forum.defcon.org/archive/index.php/t-12045.html
-> thejesterrace87 (05-09-2011 - 10:14 PM) tastes like kevin bacon ~iwrestledabearonce
* Education forum: http://forums.randi.org/showthread.php?t=179627
-> thejesterrace87 -> "The rich have gotten too much? Do not forget that the top 10% of wealth in the US pays out over 60% of the total income tax in the country."

Here is what I then did. I set up a HoneyPot (hardened Apache with DDoS protection turned on). The site was "http://www.rjfront.info". On 28 August 2011, I logged onto the IRC.2600.NET channel #jester and requested that the "ANTI-JIHAD" site be taken down. Within 45 minutes, the server was hit with HTTP HEAD partial-fragmentation attacks. The server was completely down within 3 minutes and stayed down for up to 5 hours.

The Apache access log recorded the following requests:
209.236.66.108 - - [28/Aug/2011:14:05:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
209.236.66.108 - - [28/Aug/2011:14:07:39 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
209.236.66.108 - - [28/Aug/2011:14:10:50 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"

At the same time, th3j35t3r posted the following message on Twitter: "th3j35t3r Robin Sage - www.rjfront.info - TANGO DOWN. Temporarily. For online incitement to cause young muslims to carry out acts of violent jihad. 28 Aug"

What was interesting was the sequence of IPs that were rotated: they were Tor exit relays. After a bit of research, the type of attack against the HoneyPot turned out to be the one called "Keep-Alive DoS Script": http://www.esrun.co.uk/blog/keep-alive-dos-script/. CPU utilization on the Apache server was 95% throughout the attack.
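As an added, defensive illustration (not code from the original post): a small Python script that parses Apache combined-format lines like the ones quoted above and flags a source that sends a burst of HEAD requests within a short window, or that carries the XerXes tool user-agent. The sample log lines, the RFC 5737 documentation addresses, and the window/threshold values are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: documentation addresses (RFC 5737), not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2011:14:05:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - TANGO DOWN"
203.0.113.7 - - [28/Aug/2011:14:05:35 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - TANGO DOWN"
203.0.113.7 - - [28/Aug/2011:14:05:36 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - TANGO DOWN"
198.51.100.12 - - [28/Aug/2011:14:05:40 +0330] "GET /index.html HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Aug/2011:14:09:01 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - TANGO DOWN"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)  # timezone-aware timestamp
    return rec


def detect(lines, window_seconds=60, head_threshold=3, ua_markers=("XerXes",)):
    """Return sorted (ip, reason) pairs. Reasons: "known-tool-ua" when the user-agent
    contains a marker string, "head-flood" when one IP sends head_threshold or more
    HEAD requests inside a sliding window. Thresholds here are illustrative assumptions."""
    alerts = set()
    head_times = defaultdict(deque)  # ip -> timestamps of its recent HEAD requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if any(marker in rec["ua"] for marker in ua_markers):
            alerts.add((ip, "known-tool-ua"))
        if rec["method"] == "HEAD":
            q = head_times[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop requests that fell out of the window
            if len(q) >= head_threshold:
                alerts.add((ip, "head-flood"))
    return sorted(alerts)
```

Running `detect(SAMPLE_LOG.splitlines())` flags 203.0.113.7 for both the tool user-agent and the HEAD burst, while the ordinary GET from 198.51.100.12 is left alone.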

Remember, it is illegal to perform denial of service attacks against websites. The individual known as th3j35t3r needs to be held responsible for his actions. If you cannot do the time, do not do the crime.
