Friday, October 28, 2016

Omniscient is the Biggest BooterDown Contributor EVER

Interesting day on HackForums.net. The site administrator, Omniscient, has stepped up and is doing the work we only wish we could accomplish ourselves. This will be a massive hit to booters everywhere.


Good work, sweet prince.

Tuesday, January 29, 2013

Booter.tw update

Earlier today, an old friend of mine approached me with quite a handful of interesting information. Before I get into the good stuff, I want to give you a bit of history about 'Askaa' and 'DaL33t', and why they're just plain bad people.

Askaa came into the scene in early 2012. He took over twBooter as owner, and actually was quite successful as far as booters go. After a while, he was unable to keep up with his "success". His user base used up more resources than Askaa was willing to provide, and soon the power dropped. This didn't stop his sales though; he continued to sell very expensive lifetime packages when in reality he was getting ready to bail. Soon enough, that's exactly what he did: took the money and ran. He didn't go far though. He contacted our friend Orgy about restarting twBooter in Orgy's name, having Orgy be the face while he continued to run things from behind the scenes. His plan was to drop all customers and start fresh. Orgy played along, then once he could piece together what Askaa was doing, he showed it to everyone publicly. Askaa then disappeared for 6 months.

DaL33t did something similar. He ran another "successful booter" for a while, but again couldn't keep up with it. The user base was too large, so he bailed and let his servers go offline, except for the one allowing sales to be made. He continued to accept money for a non-working, and yes, still illegal, product for well over a month. He promised to resurrect the project, but bailed.

Now while our goal is to get rid of these tools in general, I took special interest in this one specifically due to the scumbags running the tool. I feel that's why my friend decided to do what he did; what you'll see below:

[12:45:47 PM] Friendly Insider: Where do we start?
[12:50:44 PM] BV1: Well
[12:50:49 PM] BV1: What'd DL do to you?
[12:51:42 PM] BV1: My history with him is he's always just had to have some sort of status. He'd fuck over friends in order to make himself look cooler.
[12:53:36 PM] Friendly Insider: Basically
[12:55:03 PM] Friendly Insider: ***Removed for his Privacy***
[12:56:27 PM] BV1: ah, gotcha
[12:56:51 PM] Friendly Insider: yer
[12:57:00 PM] Friendly Insider: You know his skype got "hacked" yeah?
[12:57:22 PM] BV1: sounds like you had something to do with it hah
[12:57:34 PM] Friendly Insider: indeed i did
[12:57:47 PM] Friendly Insider: twbooter leaks, the rm -rf on the backend box
[12:57:59 PM] Friendly Insider: guilty as charged ;)
[1:00:17 PM] Friendly Insider: I'd rather if you kept it between us for now
[1:02:36 PM] Friendly Insider: getting the info from LS was not hard ether
[1:02:37 PM] Friendly Insider: https://pastee.org/****

===============================================================
============Contents of Pastee.org in case of removal===========
===============================================================
[22/01/2013 01:04:34] DaL33T:here?
[22/01/2013 01:04:45] LiteSpeed:yes
[22/01/2013 01:04:57] DaL33T:what was the backend ip for tw again?
[22/01/2013 01:05:08] LiteSpeed:72.9.154.18
[22/01/2013 01:11:37] DaL33T:did you change the pass?
[22/01/2013 01:11:54] DaL33T:i cant get on it
[22/01/2013 01:12:10] LiteSpeed:Jollibee13377
[22/01/2013 01:54:52] DaL33T:could you send me the attack scripts so i can setup a private server
[22/01/2013 01:54:52] DaL33T:?
[22/01/2013 02:19:01] LiteSpeed:yea
[22/01/2013 02:19:02] LiteSpeed:i guess
[22/01/2013 02:19:08] LiteSpeed:tell biasa to wake up
[22/01/2013 02:19:13] LiteSpeed:im tired of this shit
[22/01/2013 02:19:15] LiteSpeed:he is never here
[22/01/2013 02:19:19] LiteSpeed:and our site is down
[22/01/2013 02:19:30] DaL33T:i noticed
[22/01/2013 02:19:39] LiteSpeed:somehow
[22/01/2013 02:19:40] LiteSpeed:some way
[22/01/2013 02:19:46] LiteSpeed:someone got our backend
[22/01/2013 02:19:52] LiteSpeed:and is syn flooding it on port 80
[22/01/2013 02:20:09] LiteSpeed:i moved the site to 8080 for right now
[22/01/2013 02:20:15] LiteSpeed:but askaa needs to get another ip
[22/01/2013 02:21:24] LiteSpeed:its getting a 60k pps flood
[22/01/2013 02:21:28] DaL33T:fuck
[22/01/2013 02:21:39] LiteSpeed:and best of all
[22/01/2013 02:21:46] LiteSpeed:biasa has school work and does not care!
[22/01/2013 02:23:28] DaL33T:he is up
[22/01/2013 02:23:53] DaL33T:send me scripts
[22/01/2013 02:47:49] DaL33T:you there?
[22/01/2013 02:47:59] LiteSpeed:yea
[22/01/2013 02:48:07] LiteSpeed:working on biasa stuff
[22/01/2013 02:48:09] LiteSpeed:one min
[22/01/2013 02:48:15] DaL33T:ok
[22/01/2013 02:51:32] DaL33T:what is it you are doing biasa?
[22/01/2013 02:57:18] DaL33T:can you send them, got to go in 5 mins
[22/01/2013 02:57:24] LiteSpeed:ok
[22/01/2013 03:03:48] DaL33T:dude
[22/01/2013 03:04:17] DaL33T:really need them
[22/01/2013 03:04:44] LiteSpeed:Sent file "twBooter2.rar
[22/01/2013 03:08:56] DaL33T:wheres the ESSYN?
[22/01/2013 03:09:05] LiteSpeed:ssyn
[22/01/2013 03:09:09] LiteSpeed:i never renamed it
[22/01/2013 03:09:11] LiteSpeed:after i updated it
[22/01/2013 03:09:12] DaL33T:oh right
===============================================================
===============================================================
===============================================================

[1:24:34 PM] BV1: hahaha...
[1:24:42 PM] Friendly Insider: you want attack server ips?
[1:25:18 PM] BV1: I believe I was the cause of the attack they mentioned in that convo
[1:25:34 PM] BV1: they left ********** unprotected
[1:25:40 PM] Friendly Insider: who gave you that?
[1:25:41 PM] Friendly Insider: orgy
[1:25:43 PM] Friendly Insider: nvm
[1:25:48 PM] Friendly Insider: I gave it to orgy lol
[1:25:53 PM] BV1: ah only makes sense you're responsible for us getting it hah
[1:25:50 PM] Friendly Insider: orderid | ip

18:03:73:3f:b5:6c | 67.222.156.241
l7v2 | 72.9.144.80
b18s26 | 89.248.172.97
b18s24 | 89.248.172.96
a06s32 | 89.248.172.201
b11s08 | 93.174.93.30
b18s28 | 89.248.169.53
a06s36 | 89.248.172.205
b13s13 | 94.102.49.76


[1:26:17 PM] BV1: amazing
[1:26:33 PM] Friendly Insider: I have the full mysql database
[1:26:43 PM] BV1: you genuinely fucked them up
[1:26:50 PM] Friendly Insider: Yeah
[1:27:01 PM] Friendly Insider: I don't plan on being finished yet
[1:27:19 PM] BV1: and LiteSpeed...
[1:27:24 PM] BV1: He more or less gave you everything
[1:27:25 PM] BV1: That's hilarious
[1:27:29 PM] Friendly Insider: ikr
[1:27:40 PM] Friendly Insider: this is why they released the attack scripts
[1:27:43 PM] Friendly Insider: before I did it
[1:28:02 PM] BV1: Makes sense now. They knew it was inevitable hah.
[1:28:08 PM] Friendly Insider: you know the mega link floating around with the source?
[1:28:27 PM] Friendly Insider: that would be my mega account :3
[1:28:27 PM] BV1: yea
[1:28:30 PM] BV1: haha nice
[1:28:44 PM] BV1: yeah, once I downloaded it, mega started going slow for me
[1:28:50 PM] BV1: so I have it mirrored all over the place now
[1:29:00 PM] Friendly Insider: haha
[1:29:19 PM] Friendly Insider: Out of 242 users, I have the plaintext pass for 142 of them
[1:29:32 PM] BV1: how? were they not protected?
[1:29:46 PM] Friendly Insider: they are sha256
[1:29:53 PM] Friendly Insider: most are in rainbow tables
[1:29:58 PM] BV1: gotcha
[1:30:12 PM] Friendly Insider: i found a hole in the IPN as well
[1:30:20 PM] Friendly Insider: could generate giftcodes
[1:30:28 PM] Friendly Insider: until they renamed the ipn
[1:30:34 PM] Friendly Insider: ***Removed for his Privacy***
[1:30:40 PM] Friendly Insider: ***Removed for his Privacy***
[1:32:46 PM] Friendly Insider: Is there anything that I may have that would be useful to you? :3
[1:41:34 PM] BV1: sorry was afk for a sec
[1:42:11 PM] Friendly Insider: mk
[1:42:49 PM] BV1: Well, how private do you want this information to be, is there any way I can make you into a god on a booterdown article?
[1:43:26 PM] BV1: like, if you want to stay on the down low, I'll probably just reveal their servers
[1:43:43 PM] BV1: if you don't mind me talking you up on my site, I'll make a bunch of this info public, and attack their shit
[1:43:47 PM] BV1: credited to you
[1:43:49 PM] Friendly Insider: Do what ever you want, just do not mention my name
[1:43:53 PM] BV1: ok
[1:44:13 PM] Friendly Insider: What ever it takes to fuck them over
[1:47:50 PM] BV1: gonna write up an article tonight
[1:47:56 PM] Friendly Insider: sure
[1:48:02 PM] BV1: ***Removed for his Privacy***
[1:48:06 PM] Friendly Insider: nope
[1:48:08 PM] BV1: lol
[1:48:18 PM] Friendly Insider: ***Removed for his Privacy***
[1:48:35 PM] Friendly Insider: ***Removed for his Privacy***
[1:48:40 PM] Friendly Insider: Ya digg? :3
[1:49:02 PM] BV1: yep yep
[1:49:13 PM] BV1: will make sure I don't do anything to jeopardize that
[1:49:56 PM] Friendly Insider: ***Removed for his Privacy***
[1:50:12 PM] Friendly Insider: ***Removed for his Privacy***
[1:53:10 PM] Friendly Insider: ***Removed for his Privacy***
[1:54:20 PM] BV1: understood


Alright.... Sick! This mystery gentleman just completely revealed everything to me.
You can match up all the IPs above to the picture below:

The DFW Datacenter is Tailor Made Servers.



67.222.156.241 - Tailor Made Servers
72.9.144.80 - Tailor Made Servers
89.248.172.97 - Ecatel
89.248.172.96 - Ecatel
89.248.172.201 - Ecatel
93.174.93.30 - Ecatel
89.248.169.53 - Ecatel
89.248.172.205 - Ecatel
94.102.49.76 - Ecatel

abuse@tailoredservers.com
abuse@ecatel.net

Tuesday, January 8, 2013

Gonna clean up the site a bit, ensure any 'blackhat' affiliations stay dropped, and do this from the most legit perspective possible. In the past we allowed our supporters to get a bit too far out of line, leaking databases and putting individuals at risk. We do not want this to happen. Our goal is to remove the illegal tools off the internet, not put the miscreants using them at risk.

Wednesday, January 2, 2013

booter.tw - Goes by twBooter

Earlier today, the mark of the New Year, we were graced by the return of twBooter and Askaa. Why is he back though you may ask? Last we heard, he had taken off with everyone's money from twBooter, then created a very fake and very expensive Form Grabber, took pre-orders, then bailed with the money. Surely any scammer would know to stay away, just as any well knowing community would not accept such a scammer back. Good thing we're on HF, where normal is abnormal. Rather than banking on the cash he earned scamming HF, Askaa tried to return. First claiming he was arrested, which was proven false. He then tried to return through Orgy, using Orgy as his 'face' so he could work, and scam, behind the scenes. Once Orgy had enough dirty info on the kid, he turned on him, posted it, and drove Askaa away from HF. I guess over time people forgot about this, albeit only 6 months, and now we're here.

That being said, I suppose it is only fair that we take a look at things since Askaa's already claiming top dog.




Your average HF sales thread: flashy, and it only discusses what HF users understand, more than enough to bank off of us all. He however makes a lot of claims and makes up new words/methods to try to sound advanced. Can't wait until Enhanced Super Spoofed SYN Rampage Annihilator attacks come out. The more adjectives, the better the attack is, obviously. Also, does no one else get annoyed that he very clearly admits to his past scams, and to make you feel more secure he no longer offers lifetime accounts? "I know I scammed you guys for a lot, but look, now I can't scam for as much, I must be legit!" Moving on...


I guess I won't comment on the new and fully custom source, as I haven't seen the back end. But from the looks of things, they took Orgy's source, turned it green, and called it their own. Good work guys, that really shows your development. Claim custom source -> Use someone else's front end.

I'm really curious regarding these partnerships Askaa is claiming he has with his hosts. It's fair to point out that Askaa (the money) and DaL33t (the developer (how?)) are both underage, and both foreigners. Do I even need to explain why no one is going to take them seriously? I'm not sure where he hosts his attack servers yet, but I've been paying attention to what he's been doing with his front end.


July 17th, 2012
Domain was registered to the following contact:
Domain Name: booter.tw
Registrant: Magnus Madsen
Email: magnusden17@gmail.com
Phone: +45.27576800
Address: sønderstrede 36, københavn v, Denmark

December 6th, 2012
Domain: booter.tw
NS1: ns1cmt.name.com
NS2: ns2clp.name.com
IP: 184.172.60.183



December 23rd, 2012
Domain: booter.tw
NS1: dana.ns.cloudflare.com
NS2: noah.ns.cloudflare.com


January 2nd, 2013 (ping results per hostname)
mail.booter.tw - 199.195.251.148 - Awknet
booter.tw - 199.27.134.63 - CloudFlare
direct.booter.tw - 67.215.65.132 - OpenDNS
direct-connect.booter.tw - 67.215.65.132 - OpenDNS
ftp.booter.tw - 67.215.65.132 - OpenDNS
email.booter.tw - 67.215.65.132 - OpenDNS


January 10th, 2013
mail.booter.tw - 108.162.194.85 - CloudFlare


Once his sales get going a bit, I'll grab an account and figure out who's hosting his attack servers.

Alright, like I said, I'd grab an account and figure out who's hosting their attack servers.

I purchased an account; the setup failed. Idk, I just found his "That's a lie." statement humorous.

First thing I did was get a little PHP script written up that would not only log connecting IPs, but would also unmask them for me if they were using a proxy of some sort. I hopped on my newly created twBooter account, connected to my webserver, and launched a 300 second 'post flood' at a dummy webpage I created containing the IP logging script. The results are as follows: http://pastebin.com/ZJ7cHwyK
Basically what you see is a shit ton of proxies attempting to flood my site. Unmask these proxies, and they all lead back to the same IP: 67.222.156.241
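The post's PHP logger is not reproduced on the page; as an added example (my code, not the author's), here is the unmasking step in Python over constructed log entries. It assumes the logging page recorded the connecting address plus whatever proxy headers (X-Forwarded-For, Client-IP, X-Real-IP) each hit carried, and it counts how many hits trace back to each origin. Forwarding headers are set by the proxy, or by whoever is behind it, so the result is a lead for an abuse report, not something to block on.

```python
import ipaddress
from collections import Counter

# Ranges that can never be a public origin: a forwarding entry in one of
# these was added by an internal hop, not the sender. Listed explicitly
# rather than via ip.is_private because the constructed sample below uses
# RFC 5737 documentation addresses, which is_private also flags.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
)]

# Header names (as stored by the hypothetical logger) that open proxies
# commonly add; which ones appear varies from proxy to proxy.
FORWARD_HEADERS = ("x_forwarded_for", "client_ip", "x_real_ip")


def _routable(token):
    """Return the address as a string if it is a public IP, else None."""
    try:
        ip = ipaddress.ip_address(token.strip())
    except ValueError:  # "unknown", hostnames, garbage
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def unmask(hit):
    """Return (origin, was_unmasked) for one logged request.

    X-Forwarded-For is ordered client-first, so the leftmost routable
    entry is the best guess at the sender. With no usable header the
    connecting address itself is the origin."""
    for name in FORWARD_HEADERS:
        value = hit.get(name)
        if not value:
            continue
        for token in value.split(","):
            origin = _routable(token)
            if origin and origin != hit["remote"]:
                return origin, True
    return hit["remote"], False


def attribute(hits):
    """Count how many hits trace back to each origin after unmasking."""
    return Counter(unmask(h)[0] for h in hits)


def top_origin(hits):
    """The single origin behind most of the traffic, and its hit count."""
    return attribute(hits).most_common(1)[0]


# Constructed sample: six hits through different proxies. Not real traffic.
SAMPLE_HITS = [
    {"remote": "203.0.113.10", "x_forwarded_for": "198.51.100.7"},
    {"remote": "203.0.113.11", "x_forwarded_for": "10.0.0.5, 198.51.100.7"},
    {"remote": "203.0.113.12", "client_ip": "198.51.100.7"},
    {"remote": "203.0.113.13", "x_forwarded_for": "unknown, 198.51.100.7"},
    {"remote": "203.0.113.14"},                 # proxy added no header
    {"remote": "203.0.113.15", "x_forwarded_for": "192.0.2.44"},
]

if __name__ == "__main__":
    for origin, n in attribute(SAMPLE_HITS).most_common():
        print(f"{origin:16} {n} hit(s)")
```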

IP: 67.222.156.241
Loc: Dallas, Texas

They don't offer an easy way for me to contact them regarding abuse, so I'll look into them more a bit tomorrow.

--Important Update--

Got a tip from a friend to check out the IP: 72.9.154.18
They stated it would lead directly back to booter.tw, so we did some poking around:

IP: 72.9.154.18
Loc: Dallas, Texas

Seems like everything is tying back to Tailor Made Servers. To make sure, I contacted a friend of mine from an underground forum and had him run a 5 minute test DDOS attack on the IP. The results:


So looks like we knocked something offline on one of their back end servers. Shortly after, Incapsula DDOS protection kicked in, blocked any connecting IPs. Basically, we're going to need to write up reports to Tailor Made Servers, CloudFlare, and Incapsula at this point. If they refuse to handle it, we'll post the reports on WHT and other related forums.

Tuesday, April 24, 2012

Going to get back into the swing of things again, using proper legal channels. Old supporters using illegal means to support the project will be asked to discuss their actions elsewhere.

Stay tuned.

--BV1

Tuesday, November 22, 2011

A plague on the internet


Haha, you see what I did there? Plague on the internet? Oh right, I haven't told you what booter it is, yet.

Today, Plague Booter went down.

Haha, you see now? Funny, right? No? :( You have no sense of humor.

Anyway, an anonymous supporter contacted us today. You may have heard of him. He goes by Codevade. I was joking about the anonymous part.


Just so you can click it more easily, here's that link.

Most of that shit isn't even shells. Look at it. He's got pastes and just random sites in there to make it look like he's got more shells than he does. What the hell?

Anyway, enjoy, and don't forget to thank Codevade!

Wednesday, November 9, 2011

Hello there, Green Booter


Today, I received a communique from a very nice anonymous supporter of ours.

He has informed me of greenbooter's URL. Not very hidden. It's as if they WANT to be found, so someone can shut them down and the owner can blame Booter Down and just run off with his customers' money.

Look how simple it is: http://greenbooter.com

Anyway, here's their list of shells. Do enjoy.
*Link Removed*

If your server(s) is/are on this list, you may want to look into finding out how he got in and patch up that hole.

Most likely it will be from a WebDAV exploit where you haven't changed the default user/pass.

Just skimming through his list, I see he adds multiple shells from the same server to make it seem like he has more shells.

Ripping off his customers

Here is his database: *Link Removed*

Do enjoy.

Sunday, October 16, 2011

You asked for it, here it is!

Lately we've been pretty inactive. I know... I apologize... Personally... I blame BV1. You should too! Or at least blame anyone that isn't me... I hate the blame :(

But have no fear! We're going to start working on some shit this week. We'll get back to reporting booters, and we're going to start compiling a new list of booters and hosts supporting these booters.

Also, we now have an official IRC channel, since a few of you demanded it.

To access it, irc.hackt.org #booterdown

Hope to see you there!

Tuesday, September 6, 2011

A look into Legion Booter


The other day, a new booter hit the market. They called themselves Legion Booter.

Hell, you don't even need to get into their cPanel or anything to get their database, as long as they've created a backup. Some pro security right here.




I also decided that I'd do a little bit of defacing. You know, cause we're big heckers.

Hopefully he's learned his lesson. Have a nice day.

Saturday, September 3, 2011

Booter List Updated!

This morning I went ahead and removed all the dead links from the booter list on the side, and added the live ones. I'm sure I've missed some still, so if you got some links, post 'em. BV1 and I will add them today.

Any booter name with a (?) beside it means that I wasn't sure about the name of it.

BV1 said he'll also be making a list of approved booters.

I may make a list of dead links, just to make sure that they can't come back with old links thinking we've forgotten about that URL.

Happy reporting!

Monday, August 29, 2011

Need Links to Booters using Prodigy's Source

May know of a way to exploit them, just need booters to test on.
Post links in comments.

Take em down

Modders Heaven Booter.
They are on a new host, they used to be on modders-heaven.com, now I believe they are here: http://173.212.200.164/login.php

They claim it's old.. so try to find out if it is. The coder (copy-and-paster) gets mad on his thread here:

http://www.hackforums.net/showthread.php?tid=1664610