Tuesday, January 29, 2013

Booter.tw update

Earlier today, an old friend of mine approached me with quite a handful of interesting information. Before I get into the good stuff, I want to give you a bit of history about 'Askaa' and 'DaL33t', and why they're just plain bad people.

Askaa came into the scene in early 2012. He took over twBooter as owner, and actually was quite successful as far as booters go. After a while, he was unable to keep up with his "success". His user base used up more resources than Askaa was willing to provide, and soon the power dropped. This didn't stop his sales though; he continued to sell very expensive lifetime packages when in reality he was getting ready to bail. Soon enough, that's exactly what he did: took the money and ran. He didn't go far though. He contacted our friend Orgy about restarting twBooter in Orgy's name, having Orgy be the face while he continued to run things from behind the scenes. His plan was to drop all customers and start fresh. Orgy played along, then once he could piece together what Askaa was doing, he showed it to everyone publicly. Askaa then disappeared for 6 months.

DaL33t did something similar. He ran another "successful booter" for a while, but again couldn't keep up with it. His user base was too large, so he bailed and let his servers go offline, except for the one allowing sales to be made. He continued to accept money for a non-working, and yes, still illegal, product for well over a month. He promised to resurrect the project, but bailed.

Now while our goal is to get rid of these tools in general, I took special interest in this one specifically due to the scumbags running the tool. I feel that's why my friend decided to do what he did; what you'll see below:

[12:45:47 PM] Friendly Insider: Where do we start?
[12:50:44 PM] BV1: Well
[12:50:49 PM] BV1: What'd DL do to you?
[12:51:42 PM] BV1: My history with him is he's always just had to have some sort of status. He'd fuck over friends in order to make himself look cooler.
[12:53:36 PM] Friendly Insider: Basically
[12:55:03 PM] Friendly Insider: ***Removed for his Privacy***
[12:56:27 PM] BV1: ah, gotcha
[12:56:51 PM] Friendly Insider: yer
[12:57:00 PM] Friendly Insider: You know his skype got "hacked" yeah?
[12:57:22 PM] BV1: sounds like you had something to do with it hah
[12:57:34 PM] Friendly Insider: indeed i did
[12:57:47 PM] Friendly Insider: twbooter leaks, the rm -rf on the backend box
[12:57:59 PM] Friendly Insider: guilty as charged ;)
[1:00:17 PM] Friendly Insider: I'd rather if you kept it between us for now
[1:02:36 PM] Friendly Insider: getting the info from LS was not hard ether
[1:02:37 PM] Friendly Insider: https://pastee.org/****

===============================================================
============Contents of Pastee.org in case of removal===========
===============================================================
[22/01/2013 01:04:34] DaL33T:here?
[22/01/2013 01:04:45] LiteSpeed:yes
[22/01/2013 01:04:57] DaL33T:what was the backend ip for tw again?
[22/01/2013 01:05:08] LiteSpeed:72.9.154.18
[22/01/2013 01:11:37] DaL33T:did you change the pass?
[22/01/2013 01:11:54] DaL33T:i cant get on it
[22/01/2013 01:12:10] LiteSpeed:Jollibee13377
[22/01/2013 01:54:52] DaL33T:could you send me the attack scripts so i can setup a private server
[22/01/2013 01:54:52] DaL33T:?
[22/01/2013 02:19:01] LiteSpeed:yea
[22/01/2013 02:19:02] LiteSpeed:i guess
[22/01/2013 02:19:08] LiteSpeed:tell biasa to wake up
[22/01/2013 02:19:13] LiteSpeed:im tired of this shit
[22/01/2013 02:19:15] LiteSpeed:he is never here
[22/01/2013 02:19:19] LiteSpeed:and our site is down
[22/01/2013 02:19:30] DaL33T:i noticed
[22/01/2013 02:19:39] LiteSpeed:somehow
[22/01/2013 02:19:40] LiteSpeed:some way
[22/01/2013 02:19:46] LiteSpeed:someone got our backend
[22/01/2013 02:19:52] LiteSpeed:and is syn flooding it on port 80
[22/01/2013 02:20:09] LiteSpeed:i moved the site to 8080 for right now
[22/01/2013 02:20:15] LiteSpeed:but askaa needs to get another ip
[22/01/2013 02:21:24] LiteSpeed:its getting a 60k pps flood
[22/01/2013 02:21:28] DaL33T:fuck
[22/01/2013 02:21:39] LiteSpeed:and best of all
[22/01/2013 02:21:46] LiteSpeed:biasa has school work and does not care!
[22/01/2013 02:23:28] DaL33T:he is up
[22/01/2013 02:23:53] DaL33T:send me scripts
[22/01/2013 02:47:49] DaL33T:you there?
[22/01/2013 02:47:59] LiteSpeed:yea
[22/01/2013 02:48:07] LiteSpeed:working on biasa stuff
[22/01/2013 02:48:09] LiteSpeed:one min
[22/01/2013 02:48:15] DaL33T:ok
[22/01/2013 02:51:32] DaL33T:what is it you are doing biasa?
[22/01/2013 02:57:18] DaL33T:can you send them, got to go in 5 mins
[22/01/2013 02:57:24] LiteSpeed:ok
[22/01/2013 03:03:48] DaL33T:dude
[22/01/2013 03:04:17] DaL33T:really need them
[22/01/2013 03:04:44] LiteSpeed:Sent file "twBooter2.rar
[22/01/2013 03:08:56] DaL33T:wheres the ESSYN?
[22/01/2013 03:09:05] LiteSpeed:ssyn
[22/01/2013 03:09:09] LiteSpeed:i never renamed it
[22/01/2013 03:09:11] LiteSpeed:after i updated it
[22/01/2013 03:09:12] DaL33T:oh right
===============================================================
===============================================================
===============================================================

[1:24:34 PM] BV1: hahaha...
[1:24:42 PM] Friendly Insider: you want attack server ips?
[1:25:18 PM] BV1: I believe I was the cause of the attack they mentioned in that convo
[1:25:34 PM] BV1: they left ********** unprotected
[1:25:40 PM] Friendly Insider: who gave you that?
[1:25:41 PM] Friendly Insider: orgy
[1:25:43 PM] Friendly Insider: nvm
[1:25:48 PM] Friendly Insider: I gave it to orgy lol
[1:25:53 PM] BV1: ah only makes sense you're responsible for us getting it hah
[1:25:50 PM] Friendly Insider: orderid | ip

18:03:73:3f:b5:6c | 67.222.156.241
l7v2 | 72.9.144.80
b18s26 | 89.248.172.97
b18s24 | 89.248.172.96
a06s32 | 89.248.172.201
b11s08 | 93.174.93.30
b18s28 | 89.248.169.53
a06s36 | 89.248.172.205
b13s13 | 94.102.49.76


[1:26:17 PM] BV1: amazing
[1:26:33 PM] Friendly Insider: I have the full mysql database
[1:26:43 PM] BV1: you genuinely fucked them up
[1:26:50 PM] Friendly Insider: Yeah
[1:27:01 PM] Friendly Insider: I don't plan on being finished yet
[1:27:19 PM] BV1: and LiteSpeed...
[1:27:24 PM] BV1: He more or less gave you everything
[1:27:25 PM] BV1: That's hilarious
[1:27:29 PM] Friendly Insider: ikr
[1:27:40 PM] Friendly Insider: this is why they released the attack scripts
[1:27:43 PM] Friendly Insider: before I did it
[1:28:02 PM] BV1: Makes sense now. They knew it was inevitable hah.
[1:28:08 PM] Friendly Insider: you know the mega link floating around with the source?
[1:28:27 PM] Friendly Insider: that would be my mega account :3
[1:28:27 PM] BV1: yea
[1:28:30 PM] BV1: haha nice
[1:28:44 PM] BV1: yeah, once I downloaded it, mega started going slow for me
[1:28:50 PM] BV1: so I have it mirrored all over the place now
[1:29:00 PM] Friendly Insider: haha
[1:29:19 PM] Friendly Insider: Out of 242 users, I have the plaintext pass for 142 of them
[1:29:32 PM] BV1: how? were they not protected?
[1:29:46 PM] Friendly Insider: they are sha256
[1:29:53 PM] Friendly Insider: most are in rainbow tables
[1:29:58 PM] BV1: gotcha
[1:30:12 PM] Friendly Insider: i found a hole in the IPN as well
[1:30:20 PM] Friendly Insider: could generate giftcodes
[1:30:28 PM] Friendly Insider: until they renamed the ipn
[1:30:34 PM] Friendly Insider: ***Removed for his Privacy***
[1:30:40 PM] Friendly Insider: ***Removed for his Privacy***
[1:32:46 PM] Friendly Insider: Is there anything that I may have that would be useful to you? :3
[1:41:34 PM] BV1: sorry was afk for a sec
[1:42:11 PM] Friendly Insider: mk
[1:42:49 PM] BV1: Well, how private do you want this information to be, is there any way I can make you into a god on a booterdown article?
[1:43:26 PM] BV1: like, if you want to stay on the down low, I'll probably just reveal their servers
[1:43:43 PM] BV1: if you don't mind me talking you up on my site, I'll make a bunch of this info public, and attack their shit
[1:43:47 PM] BV1: credited to you
[1:43:49 PM] Friendly Insider: Do what ever you want, just do not mention my name
[1:43:53 PM] BV1: ok
[1:44:13 PM] Friendly Insider: What ever it takes to fuck them over
[1:47:50 PM] BV1: gonna write up an article tonight
[1:47:56 PM] Friendly Insider: sure
[1:48:02 PM] BV1: ***Removed for his Privacy***
[1:48:06 PM] Friendly Insider: nope
[1:48:08 PM] BV1: lol
[1:48:18 PM] Friendly Insider: ***Removed for his Privacy***
[1:48:35 PM] Friendly Insider: ***Removed for his Privacy***
[1:48:40 PM] Friendly Insider: Ya digg? :3
[1:49:02 PM] BV1: yep yep
[1:49:13 PM] BV1: will make sure I don't do anything to jepordize that
[1:49:56 PM] Friendly Insider: ***Removed for his Privacy***
[1:50:12 PM] Friendly Insider: ***Removed for his Privacy***
[1:53:10 PM] Friendly Insider: ***Removed for his Privacy***
[1:54:20 PM] BV1: understood


Alright.... Sick! This mystery gentleman just completely revealed everything to me.
You can match up all the IPs above to the picture below:

The DFW Datacenter is Tailor Made Servers.



67.222.156.241 - Tailor Made Servers
72.9.144.80 - Tailor Made Servers
89.248.172.97 - Ecatel
89.248.172.96 - Ecatel
89.248.172.201 - Ecatel
93.174.93.30 - Ecatel
89.248.169.53 - Ecatel
89.248.172.205 - Ecatel
94.102.49.76 - Ecatel

abuse@tailoredservers.com
abuse@ecatel.net

Tuesday, January 8, 2013

Gonna clean up the site a bit, ensure any 'blackhat' affiliations stay dropped, and do this from the most legit perspective possible. In the past we allowed our supporters to get a bit too far out of line, leaking databases and putting individuals at risk. We do not want this to happen. Our goal is to remove the illegal tools off the internet, not put the miscreants using them at risk.

Wednesday, January 2, 2013

booter.tw - Goes by twBooter

Earlier today, the mark of the New Year, we were graced by the return of twBooter and Askaa. Why is he back though, you may ask? Last we heard, he had taken off with everyone's money from twBooter, then created a very fake and very expensive Form Grabber, took pre-orders, then bailed with the money. Surely any scammer would know to stay away, just as any well-informed community would not accept such a scammer back. Good thing we're on HF, where normal is abnormal. Rather than banking on the cash he earned scamming HF, Askaa tried to return. First he claimed he was arrested, which was proven false. He then tried to return through Orgy, using Orgy as his 'face' so he could work, and scam, behind the scenes. Once Orgy had enough dirty info on the kid, he turned on him, posted it, and drove Askaa away from HF. I guess over time people forgot about this, albeit only 6 months, and now we're here.

That being said, I suppose it is only fair that we take a look at things since Askaa's already claiming top dog.




Your average HF sales thread: flashy, and it only discusses what HF users understand, which is more than enough to bank off of us all. He does, however, make a lot of claims and makes up new words/methods to try to sound advanced. Can't wait until Enhanced Super Spoofed SYN Rampage Annihilator attacks come out. The more adjectives, the better the attack is, obviously. Also, does no one else get annoyed that he very clearly admits to his past scams, and to make you feel more secure he no longer offers lifetime accounts? "I know I scammed you guys for a lot, but look, now I can't scam for as much, I must be legit!" Moving on...


I guess I won't comment on the new and fully custom source, as I haven't seen the back end. But from the looks of things, they took Orgy's source, turned it green, and called it their own. Good work guys, that really shows your development. Claim custom source -> Use someone else's front end.

I'm really curious regarding these partnerships Askaa is claiming he has with his hosts. It's fair to point out that Askaa (The money) and DaL33t (The developer (how?)) are both underage, and both foreigners. Do I even need to explain why no one is going to take them seriously? I'm not sure where he hosts his attack servers yet, but I've been paying attention to what he's been doing with his front end.


July 17th, 2012
Domain was Registered to the following contact
Domain Name: booter.tw
Registrant: Magnus Madsen 
Email: magnusden17@gmail.com
Phone: +45.27576800
Address:
      sønderstrede 36,
      københavn v, Denmark

December 6th, 2012
Domain: booter.tw
NS1: ns1cmt.name.com
NS2: ns2clp.name.com
IP: 184.172.60.183



December 23rd, 2012
Domain: booter.tw
NS1: dana.ns.cloudflare.com
NS2: noah.ns.cloudflare.com


January 2nd, 2013 (ping results)
mail.booter.tw - 199.195.251.148 - Awknet
booter.tw - 199.27.134.63 - CloudFlare
direct.booter.tw - 67.215.65.132 - OpenDNS
direct-connect.booter.tw - 67.215.65.132 - OpenDNS
ftp.booter.tw - 67.215.65.132 - OpenDNS
email.booter.tw - 67.215.65.132 - OpenDNS


January 10th, 2013
mail.booter.tw - 108.162.194.85 - CloudFlare


Once his sales get going a bit, I'll grab an account and figure out who's hosting his attack servers.

Alright, like I said, I'd grab an account and figure out who's hosting their attack servers.

I purchased an account; the setup failed. Idk, just found his "That's a lie." statement humorous.

First thing I did was get a little PHP script written up that would not only log connecting IPs, but would unmask them for me if they were using a proxy of some sort. I hopped on my newly created twBooter account, connected to my webserver, and launched a 300 second 'post flood' at a dummy webpage I created containing the IP logging script. The results are as follows: http://pastebin.com/ZJ7cHwyK
Basically what you see is a shit ton of proxies attempting to flood my site. Unmask these proxies, and they all lead back to the same IP: 67.222.156.241
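The logging-and-unmasking step described above, as an added example that is not the post's PHP script: it works over a constructed tab-separated request log (connecting address, then the X-Forwarded-For header the relaying proxy added) and tallies which address the proxies claim to be relaying for. The addresses in the sample are constructed documentation-range values, not those from the post.

```python
"""Tally the origin behind a proxied HTTP flood (added example, not the post's
PHP). Log format is constructed: remote_addr<TAB>X-Forwarded-For, with "-" for
an absent header. Forwarding headers are client-supplied, so the result is an
attribution hint to corroborate against the hoster, not proof on its own."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ranges that cannot be an origin on the public internet; hops in these ranges
# inside X-Forwarded-For are proxy-internal noise and are skipped.
NON_ROUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: three open proxies relaying for one client, plus one direct hit.
SAMPLE_LOG = """\
198.51.100.7\t203.0.113.44
198.51.100.9\t203.0.113.44, 198.51.100.9
198.51.100.12\t10.0.0.5, 203.0.113.44
198.51.100.7\t203.0.113.44
192.0.2.200\t-
"""

def routable(ip: str) -> bool:
    """True for a syntactically valid IPv4 address outside NON_ROUTABLE."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in NON_ROUTABLE)

def unmask(line: str):
    """(proxy, purported origin): leftmost routable XFF hop, else the direct peer."""
    remote, xff = (line.split("\t") + ["-"])[:2]
    forwarded = [ip for ip in IPV4.findall(xff) if routable(ip)]
    return remote, (forwarded[0] if forwarded else remote)

def tally_origins(log: str) -> Counter:
    """Count how many hits each purported origin is responsible for."""
    return Counter(unmask(l)[1] for l in log.splitlines() if l.strip())

def dominant_origin(log: str):
    """Origin with the most hits and its count."""
    return tally_origins(log).most_common(1)[0]

if __name__ == "__main__":
    for origin, hits in tally_origins(SAMPLE_LOG).most_common():
        print(f"{origin:16} {hits} hits")
```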

IP: 67.222.156.241
Loc: Dallas, Texas

They don't offer an easy way for me to contact them regarding abuse, so I'll look into them more a bit tomorrow.

--Important Update--

Got a tip from a friend to check out the IP: 72.9.154.18
They stated it would lead directly back to booter.tw, so we did some poking around:

IP: 72.9.154.18
Loc: Dallas, Texas

Seems like everything is tying back to Tailor Made Servers. To make sure, I contacted a friend of mine from an underground forum and had him run a 5 minute test DDoS attack on the IP. The results:


So it looks like we knocked something offline on one of their back end servers. Shortly after, Incapsula DDoS protection kicked in and blocked any connecting IPs. Basically, we're going to need to write up reports to Tailor Made Servers, CloudFlare, and Incapsula at this point. If they refuse to handle it, we'll post the reports on WHT and other related forums.