(Finally: the return of the videos. Click here to go straight to them)
This guy broke into the vulnerable VNC server and created himself a user on Server 2003. Cannily, he called himself “admin” (password “lhandar”), as if I, as “Administrator”, would not be able to tell the difference?
The remote desktop protocol Microsoft uses gave me a bit of a headache as no amount of googling has resolved the problem of reconstructing sessions. I have therefore had to cheat a little, and have monitoring software running on the hacked computer itself. This is dodgy, of course, because it could be stopped, or, with modified TCP/IP stacks, traffic could fly under my radar, and whatnot. First off, I enhanced Server’s auditing so that all opening of files is logged. Secondly, I have installed a trial version of “KGB Employee Monitor”, which does key logging and screenshots. (To see what beautiful reports this program produces, click this link)
As luck would have it, Mr Hacker doesn’t really care much about other software running on the PC, as long as he gets his own going. He starts off looking to see if he can spend his stolen credit cards. No luck with this because https (port 443) is blocked. His next project involves spamming, to which end he installs Mass Sender on the computer. This is a brilliant move, because he keeps the Mass Sender on an ftp server to which he has now given me the user name and password. The plan with the sender is phishing. He has a list with 130.000 e-mail addresses which are going to get it in the neck. He has a domain called “paypalcontact.com” which he wants to be in the email headers, but alas, unbeknownst to him, port 25 is blocked as well. I had a go trying to set up a proxy mail server but in the timespan allotted I could not get it going, so I don’t know what he was going to spam exactly, but phishing is phishing really.
Hackerdude thinks maybe port 25 is blocked by my ISP, so he tries using their mail server, but there is no joy to be had. Quite clever, though. I think he’s dealt with this before.
Mr Hacker thinks the problem is with his version of the Mass Sender so he googles around for more of these programs, and downloads several. Two hours later none of them have worked and he gives up.
He has a new idea: he installs uTorrent and sets some (six!) movies for download. I have no idea how he managed to get the speeds he got, but he did, so before I could stop him he’s already got one movie in and three nearing completion. I tried to block the downloads with judicious port closing and such, but I seem to mainly be stopping his uploading, which I dare say he is not overly interested in anyway. As a last resort I wrote a batch script which exits uTorrent every time it starts, and this seems to do the trick. All his movies are in French, unfortunately, and the completed one is a cam version of “Fred Claus” which gives the impression of having been entirely taped on a mobile phone.
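For anyone wanting to reproduce the uTorrent-killing trick, here is an added example of such a watchdog loop (not the script from this post); it assumes the process is called utorrent.exe and that the log path is writable, and it also records each kill with a timestamp so the honeypot log shows when he tried again.

```batch
@echo off
rem Added example, not the author's own script: a watchdog loop that kills
rem uTorrent whenever it appears and records each kill with a timestamp.
rem Assumptions: the process is named utorrent.exe; the log path below is writable.
set LOGFILE=C:\honeypot\utorrent-kills.log
:loop
rem tasklist prints an "INFO: No tasks..." line when nothing matches, so grep for the name
tasklist /FI "IMAGENAME eq utorrent.exe" 2>nul | find /I "utorrent.exe" >nul
if %ERRORLEVEL%==0 (
    taskkill /F /IM utorrent.exe >nul 2>&1
    echo %DATE% %TIME% killed utorrent.exe>>"%LOGFILE%"
)
rem Wait roughly five seconds; ping is the usual delay on Server 2003, which has no timeout.exe
ping -n 6 127.0.0.1 >nul
goto loop
```

Run it from a scheduled task or a startup shortcut so it survives logoff of the monitored session.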
Time to have a look at his ftp server. This is a goldmine! He has some folders there called “inbox” and “inbox2” in which he keeps photo pictures and movie clips taken on a mobile phone. Mr Hacker is prancing around with his mates, in the car, on the lake in a pedal boat, jamming in the streets…
Just look at these cool dudes. I can only imagine that the guy on the left in the pictures, and the picture on the top, is my hacker dude. Look at him there, in the Cyber Caff, looking just ever so slightly guilty… (Should you wish to examine the entire portfolio, this link will take you to a folder with the whole caboodle in it. VLC media player is heartily recommended to play the movie clips). It is very exciting to have a hacker with a face (not to mention car number plates). Shame I don’t have his name, but there is something about the recurrence of the word “lhandar” as a password that makes me think this has something to do with it.
Failing his Mass Sender and his BitTorrent, he proceeds to download code from Milw0rm and starts the computer off scanning for further weak VNCs. Shame these ports are blocked as well…
Next on his wishlist is Skype. Again the problem there is the secure sign-in; he can’t do it.
He thinks the problem might lie within Server itself, and he has a look at the policies. Not that there’s any joy to be had there.
I find it quite odd that he doesn’t do any traceroutes, or indeed any attempt at finding out what sort of a network he’s in. The only thing he wanted to know was the external IP address.
Can’t resist, here’s another piccie: taken in the same Cyber cafe at the same desk but from another angle. Plus the guilty look has gone now.
Hacker observation on the coffee table in my living room
P.S. HACKERDUDE! If this is about you, and you have inadvertently stumbled upon this page, before you start raving & such, just think how kind I was not putting your ftp server addresses, user names and passwords on this page. I think you’ve come off well compared to my neighbours.