Public Pastes
SHARE
TWEET

Sabu

KillerCube Jun 22nd, 2011 44,935 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Hate to break some hearts but the Jester did not create this pastebin as so many claim.
  2. More Updates as 07/21
  3.  
  4. Emails show that Hugo sold the domain prvt.org to Xavier in 2009. Old whois on prvt.org shows:
  5. Domain ID:D87859570-LROR
  6. Domain Name:PRVT.ORG
  7. Created On:25-Jun-2002 16:38:43 UTC
  8. Last Updated On:26-Jun-2011 01:23:02 UTC
  9. Expiration Date:25-Jun-2012 16:43:58 UTC
  10. Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
  11. Status:CLIENT DELETE PROHIBITED
  12. Status:CLIENT RENEW PROHIBITED
  13. Status:CLIENT TRANSFER PROHIBITED
  14. Status:CLIENT UPDATE PROHIBITED
  15. Status:AUTORENEWPERIOD
  16. Registrant ID:CR25623846
  17. Registrant Name:hector monsegur
  18. Registrant Street1:90 avenue d #f
  19. Registrant Street2:
  20. Registrant Street3:
  21. Registrant City:new york
  22. Registrant State/Province:NY
  23. Registrant Postal Code:10009
  24. Registrant Country:US
  25. Registrant Phone:+1.9173889070
  26. Registrant Phone Ext.:
  27. Registrant FAX:
  28. Registrant FAX Ext.:
  29. Registrant Email:xavier@openplans.org
  30. Admin ID:CR25623848
  31. Admin Name:hector monsegur
  32. Admin Street1:90 avenue d #f
  33. Admin Street2:
  34. Admin Street3:
  35. Admin City:new york
  36. Admin State/Province:NY
  37. Admin Postal Code:10009
  38. Admin Country:US
  39. Admin Phone:+1.9173889070
  40. Admin Phone Ext.:
  41. Admin FAX:
  42. Admin FAX Ext.:
  43. Admin Email:xavier@openplans.org
  44. Tech ID:CR25623847
  45. Tech Name:hector monsegur
  46. Tech Street1:90 avenue d #f
  47. Tech Street2:
  48. Tech Street3:
  49. Tech City:new york
  50. Tech State/Province:NY
  51. Tech Postal Code:10009
  52. Tech Country:US
  53. Tech Phone:+1.9173889070
  54. Tech Phone Ext.:
  55. Tech FAX:
  56. Tech FAX Ext.:
  57. Tech Email:xavier@openplans.org
  58. Name Server:NS77.DOMAINCONTROL.COM
  59. Name Server:NS78.DOMAINCONTROL.COM
  60. Name Server:
  61. Name Server:
  62. Name Server:
  63. Name Server:
  64. Name Server:
  65. Name Server:
  66. Name Server:
  67. Name Server:
  68. Name Server:
  69. Name Server:
  70. Name Server:
  71. DNSSEC:Unsigned
  72.  
  73. The DNS server are not afraid.org like Xavier requested in the emails though.
  74. Newer whois information shows that they domain server are afraid.org
  75.  
  76. From http://k0s.org/hg/config/file/ae0ffe7c9040/.mutt/aliases
  77. we get
  78. author  k0s <k0scist@gmail.com>
  79. date    Mon Feb 15 20:42:02 2010 -0500 (17 months ago)
  80. parents         1e6a394db7ec
  81. 1 alias design topp-design-discussion@lists.openplans.org
  82. 2 alias dev opencore-dev@lists.openplans.org
  83. 3 alias it xavier@openplans.org, ladorval@gmail.com, rmarianski@openplans.org
  84. 4 alias ops operations-discussion@lists.openplans.org
  85. 5 alias ra Rob Miller <robm@openplans.org>
  86. 6 alias rm Rob Marianski <rmarianski@openplans.org>
  87. 7 alias ui opencore-ui@lists.openplans.org
  88. 8 alias wfh wfh@lists.openplans.org
  89.  
  90.  
  91.  
  92. Some new info:
  93. from http://net-square.com/httprint/signatures.txt
  94. we find:
  95. ## 04/04/04
  96. ## contributed by Xavier Kaotico: sabu-at-mad-dot-scientist-dot-com
  97. #GoGoGadgetWebserver/0.3
  98. #9E431BC86ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB630A04DB
  99. #0D7645B5811C9DC5811C9DC5CD37187C811C9DC5811C9DC5811C9DC5811C9DC5
  100. #6ED3C295E2CE69236ED3C295811C9DC5E2CE69272576B7696ED3C2959E431BC8
  101. #6ED3C2956ED3C2952A200B4C68D17AAE68D17AAE6ED3C2956ED3C295E2CE6923
  102. #E2CE69236ED3C295811C9DC5E2CE6927E2CE6923
  103.  
  104. searching for sabu@mad.scientist.com we find
  105. http://www.sourcefiles.org/System/Administration/Networking/routekill-0.1b.tar.bz2.shtml
  106.  
  107. Xavier Monsegur (monsegur@mad.scientist.com) - NYC Python user - xavier@nycpug.org - hector?
  108. http://pastebin.com/JDJ45jGG -more great stuff here
  109.  
  110. domain  scientist.com.
  111. mad.scientist.com.      MX      15 mailin-01.mx.aol.com.
  112. mad.scientist.com.      MX      15 mailin-02.mx.aol.com.
  113. mad.scientist.com.      MX      15 mailin-03.mx.aol.com.
  114. mad.scientist.com.      MX      15 mailin-04.mx.aol.com.
  115.  
  116. from http://marc.info/?l=freshmeat-news&m=119041475103440&w=2
  117. we see that sabu has an acocunt at freshmeat http://freshmeat.net/users/Sabu02/
  118.  
  119. Also found http://developer.berlios.de/users/sabu/ when searching for Xavier Katico and Sabu.
  120.  
  121. Just found Rafael Xavier (Kaotico) from https://users.opensuse.org/users/browse?page=215
  122. Which helps us find http://www.myspace.com/rafael.xavier.lima
  123.  
  124. Google Group profile: http://groups.google.com/groups/profile?enc_user=_Flu6BMAAADLBp6cYldUPQJf0mUQ4OYWCrTwKYbraL2wE_wkV0bY1A
  125.  
  126. sabu «foo@adsl-68-126-128-176.dsl.scrm01.pacbell.net» is on [irc.blessed.net/0] - Other: Here - Name: foo
  127.  
  128. from 05/09/11 irc.botnet.biz #tr0ll Sabu makes an announcement about the start of LulzZec here
  129. [19:53]    kayla    also, word on the internet 306 fox.com employess passwords are getting leaked on http://twitter.com/#!/LulzSec soon after a destruction of many of their linkdins
  130. [20:19]    Sabu    http://twitter.com/#!/LulzSec
  131. [20:19]    Sabu    it begins
  132. [20:25]    Sabu    ecw sabu was a leet fuck
  133. [20:47]    -->|    Sabu (sabu@16170E25.B1424923.1A0A31BA.IP) has joined #tr0ll
  134. [23:33]    -->|    Sabu (sabu@bot-E5C834DD.recklesstheory.com) has joined #tr0ll
  135.  
  136. http://steamcommunity.com/id/sabu
  137.  
  138. From http://gfy.com/showthread.php?t=313680&page=2
  139. XSecurityAudit Posts:
  140. Went by 'Sabu'. Had lots of fun in pr's deadend, gd, mirageme (I miss MaXiMuM warez and all those guys). access, storm101 and so on. I met a lot of great people and they all disappeared with time. It's actually where I gained my interest in Security. sup to all those who have posted in here thus far from that era. (95-99)
  141.  
  142. The below info comes from http://pastebin.com/911rucP3
  143. This looks like more sabu info that was just dropped.  It looks
  144. credible. I am still going through it though.
  145.  
  146.  
  147. http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1042.html
  148.  
  149. Leads to email address: compromise@gmail.com
  150. Skype account alias is "defekt.tm","mujahadeen_bu"
  151. Skype account profile picture is same as that of anonymousabu on Twitter
  152.  
  153. Flickr: http://www.flickr.com/photos/38442511@N00
  154. Flickr alias is Xavsec - in line with Xavier's security blog.
  155.  
  156. See http://www.networksecurityarchive.org/html/FullDisclosure/2006-07/msg01304.html
  157. From: Xavier <compromise@gmail.com>
  158. Author: Xavier de Leon - xavier@tigerteam.se
  159.  
  160. Also, see x@confinement.org. Alias:"xsecurityaudit"
  161. Go Google this: [xsecurityaudit site:gfy.com] and spend some time with
  162. the cached results
  163. On here he mentions "expect mail from xavier@"
  164. Regularly ending sentences with "mate" as in Twitter feed. Mentions NYC.
  165. Porn related site.
  166.  
  167. From here down comes from an anonymous source with some modifications by me. Good work btw :)
  168.  
  169.  
  170.  
  171. Here's the research and the path followed so that everyone else can start digging too:
  172.  
  173. Nicknames: Sabu, leon, Xavier
  174.  
  175. We have to consider that Sabu may be borrowing any and all names he's using, including Xavier de Leon and Xavier Kaotico.
  176.  
  177. Knowns:
  178. - The nickname Sabu
  179. - The channel #pure-elite on LulzSec's private IRC network.
  180.  
  181. A search for sabu and pure-elite yields this:
  182. http://darkmoondesigns.livejournal.com/17146.html
  183. with a comment by Sabu's then-girlfriend as follows:
  184. "t-- email xavier (sabu@pure-elite.org) and tell him whats up, maybe he can figure it out for you. he builds his own computers and such, he's awesome with hardware."
  185.  
  186. The comment dates from 2003-02-13 06:06 am UTC, which is well before LulzSec, so the information is probably correct.
  187.  
  188. From:
  189. http://bytes.com/topic/python/answers/19521-gathering-variable-names-within-function
  190.  
  191. We can again see that Sabu is using the name Xavier with the account sabu@pure-elite.org. He also likes Python.
  192.  
  193. Looking for Xavier and Sabu, we now come across the site:
  194. http://sentinix.berlios.de/develteam.shtml
  195.  
  196. Which gives the name Xavier Kaotico, the website sabu.net, and the email address xavier@sentinix.org. Also, looking at the sentinix main page, we see a mention of TigerTeam.se (this comes later).
  197.  
  198. Briefly, searching on the email address tells us that the AOL Instant Messenger name "Encryption" is registered to xavier@sentinix.org.
  199.  
  200. Looking at sabu.net, we see that there's confirmation of involvement in Sentinix and something called #pure-elite, which Sabu refers to as "My child; My birth; My manifestation."
  201.  
  202. Now we look up Xavier de Leon of TigerTeam security and find all of the following:
  203.  
  204. http://osvdb.org/browse/by_creditee_name?letter=X
  205. - See Xavier de Leon of TigerTeam security
  206.  
  207. http://www.blogger.com/profile/00785855826635701771
  208. - Blogger profile of Xavier de Leon, includes a blog on the now-defunct confinement.org, if anyone wants to purchase a domain whois history report for confinement.org there is no telling what interesting information that may provide. Written with Tia Marie and B.
  209.  
  210. http://xavsec.blogspot.com/
  211. - Xavier's security blog
  212.  
  213. http://web.archive.org/web/20070208195048/http://tigerteam.se/profiles_en.shtml
  214. - A now defunct security team of which Xavier was a part.
  215.  
  216. An Introduction to Shellcoding by TigerTeam
  217. https://docs.google.com/viewer?a=v&q=cache:4NUqKnj6u3oJ:www.rootsecure.net/content/downloads/pdf/intro_to_shellcoding.pdf+xavier%40sentinix.org&hl=en&gl=uk&pid=bl&srcid=ADGEESgyv3_eDZoPeqLT7DzLKymRsLg2BNNvoMya4lFANwvb-eRSzqPYUjgMLJGgfEjigKN1AurFXoKV8OClnSetafgapyx0M8HCWu_ccFSp-R7mdcJMiDDIU8YGaVIY86N0Cq8Ogtb8&sig=AHIEtbSOQIk71B4M9nmyRNDLIPaVihVi6Q
  218.  
  219. Which includes the text "In mid 2004 tigerteam.se opened up – my own consultancy firm in
  220. cooperation with Xavier de Leon (a security expert in New York City)." This is dated information, but we can assume from it that at some point, Sabu did indeed live in NYC.
  221.  
  222. Looking for social networking profiles reveals only the following, registered to xavier@pure-elite.org:
  223. http://profiles.friendster.com/582074
  224.  
  225. Which says that Sabu is 30, in a relationship, and living in New York, NY. Again, with the exception of the age, all of the information is dated.  It also lists his occupation and interests:
  226.  
  227. Occupation:
  228. Independent Consultant
  229. What I enjoy doing:
  230. Python programming, Network and System security, Speed Chess, Intellectual Conversations, and techie geek stuff.
  231.  
  232. All of which is consistent with previously gathered information.
  233.  
  234. Summary at this point:
  235. Name(s): Xavier Kaotico, Xavier de Leon
  236. Email: sabu@pure-elite.org, xavier@pure-elite.org, xavier@sentinix.org, xavier@tigerteam.se
  237. Age: 30 as of 2011-06-21
  238. Location: Possibly New York City, NY (has lived there)
  239. Websites: sabu.net, pure-elite.org, confinement.org
  240. Profession: Independent IT consultant
  241. Interests: Python programming, Linux, network security, exploit development
  242.  
  243. Sabu is also purported to be ex-Hackweiser--an old website defacement group. If this is true, the defacement of chickenchoker.com includes a rant about Puerto Rico and describes Sabu as a Puerto Rican. See: http://web.archive.org/web/200102020250/http://chickenchoker.com/
  244.  
  245. "Hello, i am "Sabu", no one special for now...lately i've been seeing ALOT of Brazilian and asian defacers just come out a leash their skills, i didn't see any Puerto Rican hacker's, or well: "defacer's", show up, so i guess i'll be your Puerto Rican defacer for now huh? elite... "
  246.  
  247. Now for some bonus research, looking at pure-elite.org, we see that there is also a member called "aries". aries is referred to as the leader of pure-elite.
  248.  
  249. http://othersidemod.hyperboards.com/index.php?action=view_topic&topic_id=10&start=1
  250.  
  251. "Ok, i work at a place called pure-elite..pure-elite.org for the website. I am in their cs clan which consists of artists coders and dj's so you can email me at plagu3@pure-elite.org or bioslippery@hotmail.com and the boss of pure-elite is aries@exalted.org. Tell aries that i told you to email him an explain that you could use some help our mirc is irc.pure-elite.org and #pure-elite ok peace"
  252.  
  253. http://web.archive.org/web/20011026084425/http://www.pure-elite.org/projects.html
  254.  
  255. Additionally, on pure-elite.org, we see that aries is also a Python and PHP programmer, having written a CMS called Lotus. Everything indicates that aries and Sabu are not the same person, HOWEVER... Let's look up aries just to be sure.
  256.  
  257. aries has a DeviantArt at http://aries.deviantart.com and his AIM name is "kill aries". The first comment is by mindwerks:
  258.  
  259. "~mindwerks Jun 15, 2006
  260. well i didn't leave the name "aries" my email was out of date and i forgot the password so i have no way to access it ... don't play with the computer much anymore anyways ><"
  261.  
  262. Now we visit mindwerks' DeviantArt and discover that he lives in New York. So Sabu and mindwerks/aries both live(d) in New York, were in a Counter-Strike clan together, and coded together in pure-elite.
  263.  
  264. BIG REVEAL: I'm betting they knew one another in real life.
RAW Paste Data
Pastebin PRO Summer Special!
Get 60% OFF on Pastebin PRO accounts!
Top