14yo Script Kiddie Sends What.CD Users Bogus RIAA Warning Letter

Disgruntled kid apparently thought a shared web server wasn’t big enough for the both of them.

I was unpleasantly surprised this morning to find that “the RIAA” had sent me a warning letter from [email protected] for being a registered user of the new What.CD BitTorrent tracker site. I immediately figured it had to be fake, but still, fake or not, I don’t like being threatened so early in the day. Apparently I wasn’t alone in receiving what’s’ turned out to be an obviously bogus warning, with every registered user of the site getting a similar e-mail, and it seems that a disgruntled 14yo UK hacker with a site hosted on the same web server is to blame.

The letter reads:

Dear registered user of the site What.cd,

We have recently been investigating the activities of the users of the site http://www.what.cd/ and we have found that this site exists for the sole purpose of music piracy.

Pirating music is a criminal offence and we believe it should be obvious to you that the results outweigh the benefits – hard working artists won’t be rewarded for their work and will stop producing music, ultimately leading to a severely reduced selection of music both in the shops and for download.

The RIAA had hoped that the disabling by the police of the large illegal music site, Oink.cd, would stop a lot of people from engaging in piracy, as they don’t want to be seen as criminals. However, this appears to not be the case, as two large new sites have sprung up in its place.

This email is the final warning to all of you who were members of Oink.cd and are current members of What.cd. If we find you to be committing any more criminal acts of piracy then we will have to press charges against you, as representatives of the major record companies of America.

Yours Faithfully,

The RIAA

According to a post up on What.CD’s homepage the kid, who uses the nickname “P3T3R,” is one of the owners of a site hosted on the same server who saw them as intruders and felt a “great deal of animosity towards” them. Right from the start they could tell that there was bad blood between them, but they decided to leave him alone “…because it’s never good to make enemies when you’re running a site like this, but he seemed very intent on intimidating us.”

From their IRC logs:

[Sat Nov 3 2007] [23:23:38] (P3T3R) btw, be prepared
[Sat Nov 3 2007] [23:23:42] (P3T3R) i’d watch it if I were you
[Sat Nov 3 2007] [23:24:02] (P3T3R) make the most of what you have while you have it
[Sat Nov 3 2007] [23:24:14] (P3T3R) cos you just might have it taken away from you…
[Sat Nov 3 2007] [23:24:37] (WhatMan) What the hell are you on about, P3T3R?
[Sat Nov 3 2007] [23:24:43] (P3T3R) i’m not quite sure
[Sat Nov 3 2007] [23:24:48] (P3T3R) or am I?

After a few days had passed on the new server, What.CD then started to see “disturbing things” appear in their database. It included “redirects to shock sites, fake RIAA notices, etc.” They initially thought that this was because of SQL injections since TBSource comes with a load of exploits by default. So they went through the site, and patched up all the injection points. When they put the site back up, they immediately got hit by another attack. So they took it down again, found and patched a couple more exploits, only to receive the same fate when they put the site back up – another attack.

After checking their database logs, they discovered what had happened. The site and the database are apparently hosted on separate servers. The attacker was connecting to the database server from the web server, but it didn’t look at all like a typical SQL injection. This meant that the hacker must have had access to the web server, and since it was time to leave their temporary server anyways, they simply decided to hasten the move.

The SQL attacks immediately stopped soon thereafter.

Angered with the loss of his playtoy, P3T3R then switched to good old fashioned DDoS attacks. They were initially at loss to discover the identity of the attacker or attackers that is, until fake RIAA e-mails started appearing in the inboxes of What.CD users. The emails were spoofed using the Dutch offices of the RIAA.as the originating IP address, but not all of the e-mails sent out were so cleverly masked. A number of them were sent from “[email protected],” the same server that used to host them until recently.

A few hours after the fake RIAA e-mails went out every user of the site then received a CTCP-Version request from a user called “biscuit.”

In the words of What.CD’s admin, “This is where it gets cool.”

Sending version requests to everyone in a channel is the sort of thing script kiddies looking for someone to hack would do. As a good sysadmin, I tracked down biscuit’s IP address:

[22:17] [Whois] biscuit is [email protected] (Biscuit)
[22:17] [379] biscuit is using modes +wrxt
[22:17] [378] biscuit is connecting from *@*********.bb.sky.com **.***.**.**
And searched for it on the site – I came up with this account:

He then discovered that “biscuit” has the same IP address as “P3T3R,” the same kid who warned them to “be prepared.” They both hate us, and p3t3r has openly threatened to take our site down.

So who are “biscuit” and “P3T3R” you ask?

P3T3R is 14 years old, and biscuit is apparently his brother. They both hail from Yorkshire in the UK. In a bit of humorous sibling discord, a fight between the two was observed on the bitient.org’s IRC channel.

[22:37] (Noah) BISCUIT!
[22:37] (Noah) You’d better not have been the one sending those fake RIAA emails!
[22:37] (P3T3R) :O
[22:37] (Noah) And you most certainly have better not have been the one behind the hack
[22:37] (Noah) the emails CAME FOMR MY IP!
[22:37] (P3T3R) hack?
[22:37] (Noah) FROM THIS F—–G SERVER

Now things are back to normal on What.CD for the time being it seems, but somewhere in Yorkshire two brothers are having what I’m sure will be a very long day.

NOTE:

For registered users of the site, it’s been recommended that you change the email address associated with your account since they have no way of knowing what the guy has has done with them.