th3j35t3r aka the Jester dox

1. This is based on irc.2600.net chats in #jester using an CTCP finger to obtain an user name. The chance that this user is the actual Jester is very likely because of the following two things:
2.  
3. * The time of when I set the HoneyPot #jester was +i only.
4. * Server logs of attacks matches with his XerXes script
5.  
6. The user in target is:
7. <PashaPasta> wow, just read the whole localhost convo on here....it should be painfully obvious why th3j35t3r picks the targets he does...
8.  
9. The funny thing is after he quits from IRC he gives an sign out message + host mask of:
10. *** PashaPasta (~thejester@204.84.33.105) has left #jester
11.  
12. If you do a reverse IP of 204.84.33.105 it belongs to the "North Carolina Research and Education Network". An previous CTCP finger for the PashaPasta user name pointed it out to be "thejesterrace87". The "~" in the ident on IRC means two things, he is using SSH through work to tunnel into IRC.2600.NET or he is using HTTP proxy to connect to IRC.2600.NET.
13.  
14. A quick Google of the user finger revealed the following sites:
15.  
16. Google+: https://profiles.google.com/thejesterrace87/about
17. Name: Stephen Stone
18.  
19. Occupation
20. Computer Nerd
21. Employment
22.  
23. Wolfman Pizza
24. Computer Nerd, present
25.  
26. Education
27.  
28. Montreat College
29. present
30. Clemson University
31. Montreat College
32. Central Piedmont Community College
33.  
34. Places lived
35.  
36. Charlotte, NC
37. Charlotte, NC
38.  
39. Of which sparked some more interest, an internship for a government organization (North Carolina Research and Education Network) based in NC?? This is VERY interesting.... More google ssearches revealed the following:
40.  
41. *Personal blogger account from 2008 complaining about his sophmore Computer Science courses: http://pasha2009.blogspot.com/
42. *AOL messanger account: http://lstreamfeweb-mtc02.evip.aol.com/stream/thejesterrace87
43. * Defcon 19 attendence requesting songs: https://forum.defcon.org/archive/index.php/t-12045.html
44. -> thejesterrace87 (05-09-2011 - 10:14 PM) tastes like kevin bacon ~iwrestledabearonce
45. * Education forum: http://forums.randi.org/showthread.php?t=179627
46. -> thejesterrace87 -> "The rich have gotten too much? Do not forget that the top 10% of wealth in the US pays out over 60% of the total income tax in the country."
47.  
48. Here is what I then did. I set up a HoneyPot (hardened Apache with DDOS protection turn on). The site was "http://www.rjfront.info". On 28 August, 2011. I logged onto IRC.2600.NET channel #jester and requested that the "ANTI-JIHAD" site would be taken down. With-in 45 minutes, the server was hit with HTTP HEAD partial fragmentation attacks. The server was completly down in 3 minutes for up to 5 hours.
49.  
50. The Apache logs revealed the following headers:
51. 209.236.66.108 - - [28/Aug/2011:14:05:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
52. 209.236.66.108 - - [28/Aug/2011:14:07:39 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
53. 209.236.66.108 - - [28/Aug/2011:14:10:50 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
54.  
55. Also at the same time th3j35t3r posts on Twitter the following message "th3j35t3r Robin Sage - www.rjfront.info - TANGO DOWN. Temporarily. For online incitement to cause young muslims to carry out acts of violent jihad. 28 Aug"
56.  
57. What was interesting was the the sequence of IP's that were rotated. They were TOR exit relays. After doing a bit of research on the type of attack agaist te HoneyPot was an attacked called "Keep-Alive DoS Script": http://www.esrun.co.uk/blog/keep-alive-dos-script/. The CPU utilization on the Apache server was 95% throughout the attack.
58.  
59. Remember it is illegal to perform denial of service attacks agaist websites. The individual known as th3j35t3r needs to be held responsible for his actions. If you cannot do the crime, do not do the crime.
60.  
61. -