Red Faction : Lounge : RF Attacker Exposed (Sept 15 - Oct 6th)
Page 1
Multiple Page Topic : 2 3 4 5 6 7

Rol_k   Posted 19th Oct 2009 8:00am
L4Y Member
Post 12 / 39

First of all I'm going to apologize to everyone for taking so long to make this post.

Second I wanted to present you guys with the person who was behind the attacks on the Red Faction Servers from September 15th, 2009 to October 6th, 2009.

The IP behind all the attacks was 24.214.153.9 aka Guitar.. see Here

Since I have already explained all the information of how I deduced this player to Guitar's ISP in the form of an email, you can read the email Here.

In the above email I have stated I would provide the Packet Dump Files upon request. This was because Knology (Guitar's ISP) disallows attachments to their abuse email address. Here are the packet dump files (for those who want to take a look themselves).


First Trap Server Packet Dump (Both Incoming and Outgoing Packets)
First Trap Server Packet Dump (Incoming Only)


Second Trap Server Packet Dump (Both Incoming and Outgoing Packets)
Second Trap Server Packet Dump (Incoming Only)

(You can open the above files in Wireshark or your favourite protocol analyzer)

For those of you who have chosen not to read the email I will briefly explain how I obtained the attacker's IP.

1) I ran Wireshark to capture all packets.
2) I set up a RF server that displayed its password in the Server name.
3) Using Cheat-Engine I changed both the Server password and the displayed server name every 3 - 15 minutes. Every time I changed the server password I marked the packets in Wireshark. See the links below.
4) I waited till the server started getting flooded by the attacker.
5) I looked at all IPs that have grabbed the Server Name (and password) from the server, since the last password change until the server got flooded.
6) I repeated the above steps again to narrow down the list of IPs.

First Trap Pictures see Here and Here and Here and Here and Here.

Here is the First Packet Dump with just Incoming Packets, showing the last server password change and the first successful flood attack packet. IPs between the 2 markers are suspect.

Second Trap Pictures see Here and Here.

Here is the Second Packet Dump with just Incoming Packets, showing the last server password change and the first successful flood attack packet. IPs between the 2 markers are suspect.

The First List of Suspect IPs was:

82.177.140.171
80.254.21.178
77.98.6.216
125.239.107.150
86.207.23.244
24.214.153.9


The Second List of Suspect IPs was:

84.137.119.241
24.214.153.9


There is only 1 IP address, that queried the server, that remained the same both times the servers were attacked. As you can see above this IP is 24.214.153.9.

Just to make sure I had the attacker's IP and not some innocent person's IP, I set up a 3rd trap. I set up 2 servers, with different passwords, and blocked 24.214.153.9 from one of them using my firewall, and allowed 24.214.153.9 to access the other one.
You can see the results of that test Here.

As you can see from the picture, the one server that Guitar was firewalled off of was not attacked. The other server, which Guitar WAS allowed to access, was attacked. I did this twice to make sure (running on different ports the second time) and the same thing occurred.

Since Guitar was unable to get the server name (and password) from the server he was unable to get the correct password to flood it.

After confirming it was indeed Guitar that was executing these attacks, I sent the above abuse email to his ISP and escalated it to the head of the Network Operations Center.

On Friday, Oct 9th, 2009 I received a voicemail message from Knology. You can listen to it Here.


I hope I haven't left out anything important, and if you have any questions feel free to post them or PM me.


GamerOnLinux / Rolph Klos
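The six-step method in the post above is a time-window correlation: for each trap, only the clients that fetched the server name (and therefore the current password) between the last password change and the first flood packet could have known that password, and an attacker who keeps coming back shows up in every trap's window. The following is an added example, not code from the original post, that carries out that correlation on decoded capture events. The event records are constructed here (in practice they would come from the Wireshark captures plus the operator's password-change markers); the IP addresses are the ones listed in the thread, while the timestamps are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One item of interest from a trap-server capture.

    kind is one of:
      "query"     - a client fetched the server name (and so the password); src is its IP
      "pw_change" - operator marker: password and displayed name were changed
      "flood"     - first successful flood packet seen
    The flood packets themselves are not used for attribution, because their
    source addresses may be forged; only the earlier info queries are trusted.
    """
    ts: datetime
    kind: str
    src: str = ""


def suspects_for_trap(events: Iterable[Event]) -> Set[str]:
    """IPs that queried the server between the last password change
    preceding the flood and the first flood packet (the post's step 5)."""
    ordered = sorted(events, key=lambda e: e.ts)
    flood_ts = next((e.ts for e in ordered if e.kind == "flood"), None)
    if flood_ts is None:
        return set()  # no attack observed in this trap
    changes = [e.ts for e in ordered if e.kind == "pw_change" and e.ts < flood_ts]
    if not changes:
        return set()  # no password rotation before the flood: window undefined
    window_start = max(changes)
    return {
        e.src
        for e in ordered
        if e.kind == "query" and window_start <= e.ts < flood_ts
    }


def correlate(traps: List[Iterable[Event]]) -> Set[str]:
    """Intersect the suspect sets of independent traps (the post's step 6)."""
    sets = [suspects_for_trap(t) for t in traps]
    if not sets:
        return set()
    common = set(sets[0])
    for s in sets[1:]:
        common &= s
    return common


def _constructed_traps() -> List[List[Event]]:
    """Constructed sample data modelled on the two traps described in the thread."""
    t0 = datetime(2009, 9, 20, 20, 0)
    m = lambda n: t0 + timedelta(minutes=n)  # noqa: E731
    trap1 = [
        Event(m(0), "pw_change"),
        Event(m(2), "query", "198.51.100.23"),   # saw an older password only
        Event(m(12), "pw_change"),               # last change before the flood
        Event(m(13), "query", "82.177.140.171"),
        Event(m(14), "query", "80.254.21.178"),
        Event(m(15), "query", "77.98.6.216"),
        Event(m(16), "query", "125.239.107.150"),
        Event(m(17), "query", "86.207.23.244"),
        Event(m(18), "query", "24.214.153.9"),
        Event(m(22), "flood"),
        Event(m(25), "query", "203.0.113.9"),    # after the flood: irrelevant
    ]
    trap2 = [
        Event(m(300), "pw_change"),
        Event(m(303), "query", "84.137.119.241"),
        Event(m(305), "query", "24.214.153.9"),
        Event(m(311), "flood"),
    ]
    return [trap1, trap2]


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Run both constructed traps and return (trap1 suspects, trap2 suspects, common)."""
    traps = _constructed_traps()
    return suspects_for_trap(traps[0]), suspects_for_trap(traps[1]), correlate(traps)


if __name__ == "__main__":
    first, second, common = demo()
    print("Trap 1 suspects:", sorted(first))
    print("Trap 2 suspects:", sorted(second))
    print("Common to both traps:", sorted(common))
```

The design point is that the window is anchored on the *last* password change before the flood, so a client that only ever saw an earlier password drops out automatically, and a client that arrives after the flood has started is never counted. Each additional trap with a fresh password shrinks the intersection; the third trap in the post (firewalling the single remaining IP from one of two servers) is the confirmation step that this correlation alone cannot provide.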
   
Assaultman67    Posted 19th Oct 2009 8:38am
Post 4071 / 4376
Quote
Just to make sure I had the attacker's IP and not some innocent person's IP, I set up a 3rd trap. I set up 2 servers, with different passwords, and blocked 24.214.153.9 from one of them using my firewall, and allowed 24.214.153.9 to access the other one.
You can see the results of that test Here.


How long did you have the servers up? ... is it possible that one server PW was cracked faster than the other one?
   
Rol_k   Posted 19th Oct 2009 8:39am
L4Y Member
Post 14 / 39

Quoting Assaultman67
Quote
Just to make sure I had the attacker's IP and not some innocent person's IP, I set up a 3rd trap. I set up 2 servers, with different passwords, and blocked 24.214.153.9 from one of them using my firewall, and allowed 24.214.153.9 to access the other one.
You can see the results of that test Here.


How long did you have the servers up? ... is it possible that one server PW was cracked faster than the other one?



about 14 hours.
   
Rol_k   Posted 19th Oct 2009 8:54am
L4Y Member
Post 15 / 39

Quoting sweeper
Quote
This user has assisted another hacker (originating netblock 121.72.0.0/14) in performing an attack against Red Faction
during September 2008. The user's IP address during that time was 24.236.95.239 (also within Knology's Netblock). I
didn't bother sending Knology an abuse email back then because the attacks were small scale and I thought the user
had turned over a new leaf and had learned from his mistakes, but he continues to abuse his Internet Connection
causing major inconvenience and fiscal damages to server operators.


1: Guitar has NEVER assisted me with any of the attacks I performed on R.F.
2: I had no association with Guitar back when I was attacking R.F.

What the hell are you talking about?



L. Sweeper




hmm... I never mentioned HOW guitar helped you. He helped you by vouching for your "honest rebirth" back into RF and getting you unfirewalled / unbanned from servers.
   
Rol_k   Posted 19th Oct 2009 9:58am
L4Y Member
Post 16 / 39

Quoting sweeper

1: Guitar has NEVER assisted me at all.
2: What attack? I did NOT perform any attack.
3: Guitar did NOTHING else; he got me unfirewalled/unbanned from ZERO more servers.
4: I did not attack the Voltz CTF server after this; the only thing I did was use my auto-aim rarely.

If you think that me occasionally using my auto-aim is an attack, then you are a complete idiot (not surprising).

Feel free to correct me or to reply with something that is not complete tripe (you will not, however).



1) Read above post.
2) Who said anything about you attacking RF lately? (rhetorical question..)
3) Guitar didn't technically get you unblocked from any server. LuckyFrag was a vote..
4) Again.. Same as #2 ...Who said anything about you attacking RF lately? (rhetorical question..)


and on a side note..

Quoting sweeper

Yes, Guitar vouched for me (only) on the Lucky Frag forums, but even if he did not, I still would have been unfirewalled/unbanned from the Voltz CTF server.


I was the server host for both Dinner is Served and Voltz. You would only be firewalled or unfirewalled from either of those servers if it was MY doing. So you wouldn't have been unbanned from one and not the other and vice versa.

and on a further note;

This thread is not about you. You were not even mentioned in the email (the Netblock I provided covers 262,142 IP addresses.) If YOU want to discuss something or argue with me either keep it to the PMs or add me to MSN (GamerOnLinux@gmail.com).
   Modified Oct 19th, 09:59am by Rol_k
Assaultman67    Posted 19th Oct 2009 10:13am
Post 4072 / 4376
I just want to add a little factoid to this ...

Out of curiosity I just looked up Guitar's IPs on the site to see if they coincide with the ones listed and found this:

Other users with this IP

And I thought to myself "Ohh that's interesting ..." because if anybody remembers a while back, that user was the same person who posted this ... Original Post ... in this thread

So he admitted to it!

I am so close to calling his service provider myself ...

(sorry for the links ... the forum was distorting the long images ...)
   Modified Oct 19th, 10:16am by Assaultman67
Assaultman67    Posted 19th Oct 2009 10:54am
Post 4073 / 4376
Dude, I really was a skeptic ... and I'm really not the type to jump to conclusions ... but when I saw that crap ... you totally did it ...

LOL! this is freakin' hilarious ...

It's too bad I dunno what to do with you ... (I wonder if admin action is justified in this kinda scenario ...)
   



NotRED-FROG   Posted 19th Oct 2009 11:22am
L4Y Member
Post 94 / 119

Guitar you loser.
Beatonator    Posted 19th Oct 2009 12:55pm
Post 3239 / 3716
Hmmmm....


btw, anyone dis-believing Assaultman's image, I can vouch for it to be accurate as I just checked it.
Beatonator    Posted 19th Oct 2009 5:27pm
Post 3241 / 3716
Quoting .Guitar

Proof, please.

I didn't post that. One little tiny screenshot that could be edited in MSPaint in about 30 seconds isn't proof.



If I post a screenshot of the IP logs, it would easily be able to say "Thatz fotosh0pped!" No point.
Assaultman67    Posted 19th Oct 2009 6:25pm
Post 4074 / 4376
Quoting .Guitar
Quoting Assaultman67
Dude, I really was a skeptic ... and I'm really not the type to jump to conclusions ... but when I saw that crap ... you totally did it ...

LOL! this is freakin' hilarious ...

It's too bad I dunno what to do with you ... (I wonder if admin action is justified in this kinda scenario ...)


Do whatever the Censored you want man, I really couldn't care less.


I'm not going to do anything (well ... probably nothing ... you haven't really done anything on the site to warrant it other than being a CENSORED ... you should try to avoid the cussing though ... I'm not going to do anything about the previous cursing because you're understandably pissed ...)

Quoting .Guitar
Apparently, you think I'm smart enough to pull off something like this, but too dumb to have used a proxy to post something like that?

Your logic sucks.


Apparently you are ... IP logs just don't lie ... and the odds of the actual person responsible and you sharing the same IP address (as if it was reassigned) are astronomical ... which is kinda what blew me away

By itself, anyone here would have written it off as just a joke ... In fact, I pretty much did when I read it...
   Modified Oct 19th, 06:28pm by Assaultman67
crazyjack1994   Posted 19th Oct 2009 6:57pm
L4Y Member
Post 454 / 483

Just by looking at this conversation I'm starting to laugh. Red Faction is extremely easy to 'hack' or 'Crash' servers with; you believe someone else won't try this method of crashing servers just by reporting someone to their ISP? Lol douchebags,

if you want the problem completely fixed go to talk the guys who don't give a CENSORED THQ
   
NoClanFrank    Posted 20th Oct 2009 1:39am
Post 5287 / 5840
Quoting inf3rnus
An administrative decision to ban someone from the website based on accusations would be wrong.

This is why you are not admin.

Quoting .Guitar
I didn't post that. One little tiny screen shot that could be edited in MS Paint in about 30 seconds isn't proof.

Well somebody did and you both shared the same IP address. Still doesn't prove it was you but it might prove the person who did it lives near you or has HACKED YOUR COMPUTER! Do you know of anybody that could have implanted something in your computer to control it?
In your other thread, I did take the liberty to check the IPs you use to post in these threads. Assaultman67 is not lying. You also share an IP with another "member" that rarely posted anything here. The only way to prove it is to give you access to the site and that ain't going to happen any time soon.
Modified Oct 20th, 01:42am by NoClanFrank
Assaultman67    Posted 20th Oct 2009 3:04am
Post 4077 / 4376
Quoting noclanfrank
Quoting inf3rnus
An administrative decision to ban someone from the website based on accusations would be wrong.

This is why you are not admin.


I seriously considered taking action ... I sincerely believe he did it after seeing that for myself ... people who do stuff like this can't seem to keep their mouth shut, thus they make posts anonymously on some forum gloating about it ...

I honestly think someone needs to kick the guy in the balls for this ... actions like this need to be punished severely to make a good example to others that you can get caught, and can be punished ... otherwise people will just continue to do this kinda stuff more frequently ...

But it's simply out of my jurisdiction ... I don't even staff this section, let alone have the authority to take justice into my own hands for what happens in RF ...

Someone should show these packets captures and screen caps to Volition ... maybe they'll pursue the matter (hopefully they still care about RF )

Until then, let's just ban guitar from all the servers ...
   Modified Oct 20th, 03:12am by Assaultman67
Rol_k   Posted 20th Oct 2009 4:46am
L4Y Member
Post 17 / 39

I wouldn't be so hasty about banning him. There is a chance his computer was used as a drone for another hacker. Just because his computer is the source of the attacks doesn't mean he was aware of them (for example a botnet) .. but you have to go further than that and think who else:

1) knows enough about operating system design to exploit Guitar's PC
2) plays RF
3) has an interest in hurting RF
4) was aware Guitar's ISP didn't block forged packets

If his PC was a drone and he didn't knowingly commit the attacks, the real hacker may still be at large...
BUT is that situation realistic? Probably not, but it's still a possibility.
   
Assaultman67    Posted 20th Oct 2009 5:47am
Post 4078 / 4376
I think the odds of him being used as a bot are pretty darn slim ...

If his computer was being used as a bot, the person who was really behind the curtains would have had to have access to his computer and/or the person would have had to be someone he trusted (open files sent from them) ... which to be honest, makes it more motivation for him to find and crack down on that person

Also, if someone had set his computer up as a bot ... they probably didn't like him so why bother forging the packets? and why use such a low level attack when there are other more severe ones possible especially for people experienced enough to create a bot-net?

This is an attack on a couple of game servers, not an attack on a corporate company ... he's just some kid who thought he wouldn't get caught ...

And I'm not sure if I'm remembering correctly, but I think he has had a history of doing malevolent stuff in RF in the past ...
   Modified Oct 20th, 05:52am by Assaultman67
Copyright © 2000-2025 Levels-4-You