th3j35t3r aka the Jester dox

By: a guest on Aug 30th, 2011  |  syntax: None  |  size: 3.80 KB  |  views: 9,718  |  expires: Never
This is based on irc.2600.net chats in #jester, using a CTCP FINGER to obtain a user name. The chance that this user is the actual Jester is very likely because of the following two things:

* At the time I set up the HoneyPot, #jester was +i (invite-only).
* Server logs of the attacks match his XerXes script.
  5.  
The user in question is:
<PashaPasta> wow, just read the whole localhost convo on here....it should be painfully obvious why th3j35t3r picks the targets he does...

The funny thing is that after he quits from IRC he leaves a sign-out message plus a host mask of:
*** PashaPasta (~thejester@204.84.33.105) has left #jester

A reverse DNS / WHOIS lookup of 204.84.33.105 shows it belongs to the "North Carolina Research and Education Network". An earlier CTCP FINGER of the PashaPasta user returned "thejesterrace87". The "~" prefix on the ident means the IRC server could not verify the username with an identd lookup, so "thejester" is whatever the client chose to send; it does not by itself show how he reached IRC.2600.NET (through an SSH tunnel from work, through an HTTP proxy, or directly).
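As an added example, not code from the original paste, the following Python shows what the IRC evidence above actually carries: it parses a raw hostmask, reads the "~" unverified-ident marker, builds a CTCP FINGER request and parses the CTCP reply that comes back as a NOTICE. The sample lines, the nick "guest123", the ident "alice" and the address 203.0.113.45 are constructed placeholders, not data from the post.

```python
import re

# IRC hostmask: nick!ident@host.  A server that could not confirm the username with
# an identd (RFC 1413) lookup prefixes the client-supplied ident with "~".
HOSTMASK_RE = re.compile(r"^(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+)$")
# Raw server-to-client line: ":prefix COMMAND params [:trailing]"
IRC_LINE_RE = re.compile(r"^:(?P<prefix>\S+) (?P<cmd>\S+) (?P<params>.*)$")
CTCP_DELIM = "\x01"


def parse_hostmask(mask):
    """Split nick!ident@host; report whether the ident was verified by identd."""
    m = HOSTMASK_RE.match(mask)
    if not m:
        raise ValueError("not a hostmask: %r" % mask)
    ident = m.group("ident")
    return {
        "nick": m.group("nick"),
        "ident": ident.lstrip("~"),
        "ident_verified": not ident.startswith("~"),
        "host": m.group("host"),  # assigned by the server (IP or rDNS) unless cloaked
    }


def ctcp_finger_request(target):
    """A CTCP request is a PRIVMSG whose text is wrapped in \\x01 delimiters."""
    return "PRIVMSG %s :%sFINGER%s" % (target, CTCP_DELIM, CTCP_DELIM)


def parse_ctcp_reply(line):
    """Parse a NOTICE carrying a CTCP reply of the form \\x01TAG :text\\x01."""
    m = IRC_LINE_RE.match(line)
    if not m or m.group("cmd") != "NOTICE":
        return None
    _target, sep, trailing = m.group("params").partition(" :")
    if not sep or len(trailing) < 2 or trailing[0] != CTCP_DELIM or trailing[-1] != CTCP_DELIM:
        return None
    tag, _, text = trailing[1:-1].partition(" ")
    if text.startswith(":"):
        text = text[1:]
    return {"sender": parse_hostmask(m.group("prefix")), "tag": tag, "text": text}


def assess(part_line, reply_line):
    """Summarise what a PART event and a FINGER reply establish about one client."""
    who = parse_hostmask(IRC_LINE_RE.match(part_line).group("prefix"))
    reply = parse_ctcp_reply(reply_line)
    return {
        "nick": who["nick"],
        "ident": who["ident"],
        "ident_verified": who["ident_verified"],          # False means the "~" marker was present
        "host": who["host"],
        "finger_text": reply["text"] if reply else None,   # whatever the client is configured to send
        "same_client": reply is not None and reply["sender"] == who,
    }


# Constructed sample traffic (placeholders, not from the post).
SAMPLE_PART = ":guest123!~alice@203.0.113.45 PART #example :leaving"
SAMPLE_FINGER_REPLY = (
    ":guest123!~alice@203.0.113.45 NOTICE me :"
    + CTCP_DELIM + "FINGER :alice (alice@example.invalid) Idle 12 seconds" + CTCP_DELIM
)

if __name__ == "__main__":
    print(ctcp_finger_request("guest123"))
    print(assess(SAMPLE_PART, SAMPLE_FINGER_REPLY))
```

Only the host field is set by the server, and even that may be a cloak on networks that offer one; the ident (when "~"-prefixed) and the FINGER text are both chosen by the client, so matching them to a web search links a self-declared string to a person, not a connection to a person.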
  13.  
A quick Google search of the FINGER user name revealed the following sites:

Google+: https://profiles.google.com/thejesterrace87/about
Name: Stephen Stone

Occupation
Computer Nerd

Employment
    Wolfman Pizza
    Computer Nerd, present

Education
    Montreat College
    present
    Clemson University
    Montreat College
    Central Piedmont Community College

Places lived
    Charlotte, NC

This sparked some more interest: an internship at a government organization (the North Carolina Research and Education Network) based in NC? This is VERY interesting. More Google searches revealed the following:
  40.  
* Personal blogger account from 2008 complaining about his sophomore Computer Science courses: http://pasha2009.blogspot.com/
* AOL Instant Messenger account: http://lstreamfeweb-mtc02.evip.aol.com/stream/thejesterrace87
* Defcon 19 attendance, requesting songs: https://forum.defcon.org/archive/index.php/t-12045.html
  -> thejesterrace87 (05-09-2011 - 10:14 PM) tastes like kevin bacon ~iwrestledabearonce
* Education forum: http://forums.randi.org/showthread.php?t=179627
  -> thejesterrace87 -> "The rich have gotten too much? Do not forget that the top 10% of wealth in the US pays out over 60% of the total income tax in the country."

Here is what I then did. I set up a HoneyPot (a hardened Apache server with DDoS protection turned on) at "http://www.rjfront.info". On 28 August 2011 I logged onto the IRC.2600.NET channel #jester and requested that the "ANTI-JIHAD" site be taken down. Within 45 minutes the server was hit with HTTP HEAD partial-fragmentation attacks. The server was completely down within 3 minutes and stayed down for up to 5 hours.
  49.  
The Apache access log recorded requests like the following (combined log format; note the User-Agent string):
209.236.66.108 - - [28/Aug/2011:14:05:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch.  TANGO DOWN"
209.236.66.108 - - [28/Aug/2011:14:07:39 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch.  TANGO DOWN"
209.236.66.108 - - [28/Aug/2011:14:10:50 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch.  TANGO DOWN"
  54.  
At the same time th3j35t3r posted the following message on Twitter: "th3j35t3r Robin Sage - www.rjfront.info - TANGO DOWN. Temporarily. For online incitement to cause young muslims to carry out acts of violent jihad. 28 Aug"
  56.  
What was interesting was the sequence of IPs that were rotated: they were Tor exit relays. After a bit of research on the type of attack used against the HoneyPot, it matched what is described as a "Keep-Alive DoS Script": http://www.esrun.co.uk/blog/keep-alive-dos-script/. The CPU utilization on the Apache server was 95% throughout the attack.
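As an added example, not code from the original paste, here is a Python detector for the pattern in the Apache log lines above: it parses combined-format lines, counts HEAD requests per source address over a sliding time window, treats the "XerXes" User-Agent as a corroborating signature only, and checks each source against a Tor exit list. The log lines, the addresses 203.0.113.7 and 198.51.100.20, the browser UA and the exit-list contents are constructed for the example; a real deployment would load the Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist) instead of the stand-in set.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the format of the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substring of the User-Agent the tool announced in the logs above.  A UA string is
# freely spoofable, so it only corroborates the rate-based check and never replaces it.
SIGNATURE_UAS = ("XerXes",)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, tor_exits=frozenset(), head_threshold=10, window_seconds=60):
    """Per-source summary: peak HEAD count in any sliding window, UA signature, Tor exit membership."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        window, max_heads = deque(), 0
        for r in recs:
            if r["method"] != "HEAD":
                continue
            window.append(r["ts"])
            # Drop timestamps that fell out of the window ending at this request.
            while (window[-1] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            max_heads = max(max_heads, len(window))
        uas = sorted({r["ua"] for r in recs})
        sig = any(s in ua for ua in uas for s in SIGNATURE_UAS)
        findings[ip] = {
            "requests": len(recs),
            "head_requests": sum(r["method"] == "HEAD" for r in recs),
            "max_heads_in_window": max_heads,
            "user_agents": uas,
            "signature_hit": sig,
            "tor_exit": ip in tor_exits,
            "flagged": sig or max_heads >= head_threshold,
        }
    return findings


# --- constructed sample data (not from the post) -----------------------------------
_TZ = timezone(timedelta(hours=3, minutes=30))          # same +0330 offset as the quoted logs
_T0 = datetime(2011, 8, 28, 14, 5, 34, tzinfo=_TZ)


def _line(ip, t, method, proto, ua):
    return '%s - - [%s] "%s / %s" 200 4011 "-" "%s"' % (
        ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), method, proto, ua)


ATTACK_UA = "XerXes - 0wn3d bitch.  TANGO DOWN"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/6.0"
SAMPLE_LOG = (
    [_line("203.0.113.7", _T0 + timedelta(seconds=i), "HEAD", "HTTP/1.0", ATTACK_UA) for i in range(30)]
    + [_line("198.51.100.20", _T0 + timedelta(seconds=20 * i), "GET", "HTTP/1.1", BROWSER_UA) for i in range(2)]
)
SAMPLE_TOR_EXITS = frozenset({"203.0.113.7"})         # stand-in for the real exit list

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG, SAMPLE_TOR_EXITS).items():
        print(ip, finding)
```

Because Apache logs every request on a keep-alive connection as its own line, the per-source HEAD rate shows the abuse even when the attacker opens few connections; on the defensive side the same behaviour is what `MaxKeepAliveRequests`, a short `KeepAliveTimeout` and mod_reqtimeout's `RequestReadTimeout` bound, which is the first thing to tighten before reaching for an IP block that a Tor-exit rotation will defeat anyway.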
  58.  
Remember that it is illegal to perform denial of service attacks against websites. The individual known as th3j35t3r needs to be held responsible for his actions. If you cannot do the time, do not do the crime.