Hacker Case Study

1.800eMail Hacker case study

Since someone didn't believe us, here's a prime example of what we're talking about:

Received: from boza (bixmgr@bix.com [192.80.63.253]) by ra.backpack.com (8.6.12/8.6.9) with SMTP id UAA17101 for david; Sat, 12 Oct 1996 20:43:50 -0500
Date: Sat, 12 Oct 1996 20:43:50 -0500
From: me
Message-Id:
Apparently-To: david
Content-Type: text
Content-Length: 215
Status: RO
X-Status:

hey.. that hackers.html made me laugh :)
you just can't trace me, but i won't try to prove it to you
i mean... i better find someone with more money to bug with
have fun, and ... wish you big incomes etc.
Qwerty


Well, he is right about one thing: we don't have lots of money and probably aren't interesting enough to hack, but we do have lots of free time, since this is what we do for a living.

But let's work backwards, shall we, as we attempt to "do the impossible":

As logged by the HTTP daemon:

bix.com - - [12/Oct/1996:20:08:53 -0500] www.trolls.org "GET /tits.html HTTP/1.0" 200 2121
bix.com - - [12/Oct/1996:20:33:29 -0500] www.one800.net "GET / HTTP/1.0" 200 7841
bix.com - - [12/Oct/1996:20:34:00 -0500] www.one800.net "GET /1.800eMail.gif HTTP/1.0" 200 10910
bix.com - - [12/Oct/1996:20:34:06 -0500] www.one800.net "GET /multi-3.gif HTTP/1.0" 200 6377
bix.com - - [12/Oct/1996:20:37:23 -0500] www.one800.net "GET /hackers.html HTTP/1.0" 200 2634
(The first thing to note is that the eMail was received about 6 minutes after he accessed hackers.html;
also note that he spent at least 3 minutes reading our main web page - thank you!)

And checking our other logs we find this little gem in our 1.800eMail Bouncer Logfile:

1996.10.12 20:36:19 : bouncer@one800.net
1996.10.12 20:36:19 : Return-To: Qwerty filip@arbornet.org
And guess what? We found him: his "Last login" shows a Delphi address, the same group he sent the bogus message from ("bix.com" is owned by Delphi).

...oh yeah, he even calls himself 'Qwerty' in his finger information.

--1.800eMail SysAdmin
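The correlation done by hand above, written out as an added example (not code from the original page or from 1.800eMail): it parses the Received: header, the HTTP access log and the bouncer log exactly as quoted on this page and lays every event from the sending host on one timeline relative to the moment the mail was delivered. The only assumption is that the bouncer log, which carries no zone, is stamped in the same -0500 server-local time as the other logs.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Evidence quoted verbatim from the case above (the wrapped log lines rejoined).
RECEIVED = ("Received: from boza (bixmgr@bix.com [192.80.63.253]) by ra.backpack.com "
            "(8.6.12/8.6.9) with SMTP id UAA17101 for david; Sat, 12 Oct 1996 20:43:50 -0500")
HTTP_LOG = """\
bix.com - - [12/Oct/1996:20:08:53 -0500] www.trolls.org "GET /tits.html HTTP/1.0" 200 2121
bix.com - - [12/Oct/1996:20:33:29 -0500] www.one800.net "GET / HTTP/1.0" 200 7841
bix.com - - [12/Oct/1996:20:34:00 -0500] www.one800.net "GET /1.800eMail.gif HTTP/1.0" 200 10910
bix.com - - [12/Oct/1996:20:34:06 -0500] www.one800.net "GET /multi-3.gif HTTP/1.0" 200 6377
bix.com - - [12/Oct/1996:20:37:23 -0500] www.one800.net "GET /hackers.html HTTP/1.0" 200 2634
"""
BOUNCER_LOG = """\
1996.10.12 20:36:19 : bouncer@one800.net
1996.10.12 20:36:19 : Return-To: Qwerty filip@arbornet.org
"""

# NCSA common log format: host ident user [timestamp] vhost "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] \S+ "([^"]*)" (\d{3}) \S+$')


def mail_time(received: str) -> datetime:
    """Delivery time is the RFC 822 date after the last ';' of a Received: header."""
    return parsedate_to_datetime(received.rsplit(";", 1)[1].strip())


def timeline(received, http_log, bouncer_log, host="bix.com", window=timedelta(hours=1)):
    """Return (offset_seconds, source, detail) tuples, oldest first, for every
    HTTP hit from `host` and every bouncer entry in the `window` before delivery.
    Offsets are negative seconds relative to the mail's delivery timestamp."""
    t0 = mail_time(received)
    events = [(0, "smtp", f"mail delivered from {host}")]
    for line in http_log.splitlines():
        m = CLF.match(line)
        if not m or m.group(1) != host:
            continue  # malformed line, or a visitor unrelated to this incident
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if t0 - window <= ts <= t0:
            events.append((int((ts - t0).total_seconds()), "http", f"{m.group(3)} -> {m.group(4)}"))
    for line in bouncer_log.splitlines():
        stamp, _, detail = line.partition(" : ")
        # Assumption: the bouncer stamps server-local time, the same -0500 zone as the other logs.
        ts = datetime.strptime(stamp, "%Y.%m.%d %H:%M:%S").replace(tzinfo=t0.tzinfo)
        if t0 - window <= ts <= t0:
            events.append((int((ts - t0).total_seconds()), "bouncer", detail))
    return sorted(events)
```

Calling `timeline(RECEIVED, HTTP_LOG, BOUNCER_LOG)` places the hackers.html request 387 seconds (about 6.5 minutes) before delivery and the bouncer's Return-To line 451 seconds before it, matching the gaps the text describes.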


finger filip@arbornet.org
[arbornet.org] 
Login: filip                            Name: Filip Petrov Dimitrov
Directory: /g/filip                     Shell: /bin/tcsh
Last login Fri Oct 11 22:33 (EDT) on ttype from bos1e.delphi.com
Project:
 [Expletive Deleted]  [Expletive Deleted]  [Expletive Deleted] :-)
 
Plan:
full name: Filip Petrov Dimitrov
registered: Mon Mar 13 18:17:30 1995 on tty /dev/ttypa at speed 9600
address:
        p.o.box : 123
        Sofia - 1000
        BULGARIA
telephone: ++359-2-458175
occupation:
        Student...
computers:
        Apple // e (Pravetz 8C)
        2x140Kb FDD
        2400 BPS ext. modem
birthdate: 07-JAN-79
sex: male
interests:
        Music
        Games
        Parties
        Girls
Found out about us from:
        From a friend.

ok, something for me, i'm 16 years old hacker... yep you heard it wright
mister SysOp, i'm hacker... NO CARRIER :-) smile...

What is freedom ?!
it's like when you connect to some unix to see that :

login : root

last successfull login at FUCK on FUCK etc.  :-)

welll, i like to hack unixes... especially if they are connected to SprintNet
and accept reverse charge calls :-) hahaha...

ok, i'll have to hack this unix too, so i'm little busy wright now.. :-)

see ya... and, btw, you all the girls from 12 to 17... write me...

i like talking (****ing etc.ing with girls ) almost as i like hacking..

chat ya..

Qwerty

addition written on 7th jan 1996 at  5am EET :
 
heh phunny yeah... if you are a compuserve member and would like to talk to me
you can check the Compu$erve CB simulator at general band, channel 13.. 
look for Qwerty
 
you can find me on the IRC too.. check #bulgaria
 
and some other mail adresses : 

qwerty@UnGa.UnGaBuNgA.CoM
qwerty@.com dammit i'm paying for this one :PP

ok thanks for 'finger'ing me.. have fun.. and .. better be safe than sorry :P
 
oh.. and my pgp public key :

 
ok ok.. that's the end =)
 
bye bye dudes and dudettes.