SHARE
TWEET

Dear J. I miss you buddy. - Zero

a guest Jul 15th, 2013 1,780 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. [Insert Catchy Intro Here]
  2.  
  3. First:
  4.  
  5. This is no disrespect to J. I wish he would unblock me so we could have fine afternoon chats about security and our personal life. But, I understand if he doesn't like me cuz I can take down xbox live and he can't.
  6.  
  7. Background:
  8.  
  9. So @th3j35t3r is a hacker who performs mostly DoS attack from his tool he calls XerXes.
  10. He still claims the attack is NOT done via a layer 7 DoS attack and does NOT use amplification.
  11. So, I decided to make disproving this a little project.
  12.  
  13. First I noticed Jester was going to be targeting http://www.presidencia.gob.ve/
  14. He announced this via Twitter. https://twitter.com/th3j35t3r/status/353330504898064384 & http://gyazo.com/bd8c8538963d0b196e72799b7e5a19d2
  15.  
  16. So I decided to perform a "surprise adoption" on the website and server to check out some of the logs.
  17. I also posted the server details on the main page as proof. https://twitter.com/ChannelZeroYT/status/355373699525910528 & http://gyazo.com/4acaf2a090a8f468ef52a25eab135022
  18.  
  19. As I was viewing the logs I saw this:
  20.  
  21. 190.202.83.24 - - [06/Jul/2013:22:50:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - Jihad Down. TANGO DOWN
  22. 190.202.83.24 - - [06/Jul/2013:22:50:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - Jihad Down. TANGO DOWN
  23. 190.202.83.24 - - [06/Jul/2013:22:50:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - Jihad Down. TANGO DOWN
  24.  
  25. Well, the logs are from the same time Jester attack the site. Check his tweet http://gyazo.com/bd8c8538963d0b196e72799b7e5a19d2
  26.  
  27.  
  28. The HTTP request sends the info "XerXes" & "Jihad Down"
  29. Hmm... who do we know who would be that arrogant to put his tools name in the request and who hates Jihad?
  30. Oh yea.. Jester
  31.  
  32. And proof that 190.202.83.24 is the website:
  33. http://gyazo.com/b443c91fe1c4eb12af4735556fa272d7
  34.  
  35. Plus notice how 3 requests were sent at the very same second.
  36. A Layer 7 DoS attack is not a fast attack.
  37. So server logs should not have requests sent at that speed. Well unless...
  38. Jester is using multiple machines or other servers as amplification.
  39.  
  40. Conclusion:
  41.  
  42. So what have we learned?
  43.  
  44. Jester uses a Layer 7 DoS attack to send HTTP requests through an amplification technique.
  45. All of which he denies.
  46. Also IP logs reveled that he routes traffic through TOR and other servers such as host.146.ipoe3.subnets.khb.ttkdv.ru
  47.  
  48. PS: I'm not just Anon skid who should stay out of your way. If you would like to chat you can always unblock me.
  49. Or just keep chatting with my sock account. I enjoy that as well.
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top