The End of an Era

Posted in Uncategorized on May 15, 2012 by reapersec

What a weekend.

Let’s recap, shall we? With one post found here, a buzz was started that wouldn’t stop for the next 48 hours. It was a slow buzz, but a buzz nonetheless. The response to the blog came a while later and was in the form of threatening tweets and a short, yet to the point, blog written by the hacktivist known as th3j35t3r.

These tweets and blog post have since been removed but can still be found here thanks to SanguineRose.

Later on in the day, Mother’s Day, 2012, a series of tweets from a persona named @cubespherical on Twitter began to poke very hard at th3j35t3r

And this image of screen caps was tweeted out by cubespherical later that evening. These are allegedly DMs between th3j35t3r and cubespherical.

Then there was a great hush from th3j35t3r.

Blog posts started disappearing from http://th3j35t3r.wordpress.com as you can see. As of late evening, May 14th, 2012, the blog is empty.

The story first broke at the Illuminate Blog with updates through out the day.

Some time before noon Eastern Standard Time, http://twitter.com/th3j35t3r was deactivated, and just like that, th3j35t3r was off the air.

But no, things don’t stop there. Many speculations started to arise from this quick but harsh little war. A post by @pr0f_srs on Pastebin spun one of the most believable theories yet.

Other posts started coming out like this Pastebay Post of a PM with th3j35t3r. In this log it is clear that th3j35t3r prides himself on “2 and a half years in with a high profile.”

Then there was what could be considered the coup de grace. A post from Chongelong on Twitter.

Were these famous last words, or was this just another intricate detail in a secret operation conducted by those who are behind the th3j35t3r persona?

While we’re waiting on the Saladin Full Disclosure…

Posted in Uncategorized on May 13, 2012 by CryptKper

It seems th3j35t3r has taken some offense to our last post. So much so he feels the need to make ReaperSec his next target. ReaperSec is made up of some of the former channel operators from th3j35t3r’s IRC channel on 2600 (#jester). These former channel operators are myself (CryptKper), AnonymousDown, NyteAngel, Sonar_Guy, Sonar_Gal, tyrdr0p, Kalypto, chifmevious, kevin_flynn, and formerly bluesoul120.

So let me clarify a couple things as why th3j35t3r hates ReaperSec so much. But before I do that let me answer the question of why we left 2600. Simply put, we got tired of cleaning up his mess after him tweeting for the world that he’s on IRC and to come chat with him. Just as soon as the trolls or anyone with at least  a 5th grade education came around asking him questions he would bail. Second, he loves to take credit for things he didn’t do.

  • Modified LOIC to expose users IP – Never happened, unknowing users where exposed by default.
  • Infected DHN.zip distributed to AnonymousNever happend, AnonymousDown found the file, th3j35t3r asked Tyrkoil to write his blog post claiming that he (th3j35t3r) had modified the file.
  • Anonops Anope Services dumpDidn’t directly take credit, but did refuse to give credit to individual who performed the hack. Originally performed by HackThePlanet if I recall.
  • DoS’d LulzSec’s Server – Again, never happened, this was later confirmed by Matthew Prince, CEO of Cloudflare, during Defcon 19.
  • Tripoli Post hack – Used a known vulnerability as XSS (Cross-site scripting) to inject a photo that looked similar to an actual article. (Target Site | Image Source | XSS Effect) This will only work if you use the link he provided. No, he didn’t actually hack into the Tripoli Post web servers.

This wasn’t so much of a problem until th3j35t3r requested use of the information ReaperSec acquired in his upcoming blog post ‘If I am Wrong… I’ll say I’m Wrong. Here’s my apology.‘ The only thing ReaperSec requested was that he give us credit for the work. At that time he did give us credit, however this was later removed when the story broke about Sabu being arrested and turned informant. By the way, props to Backtrace Security for tagging Sabu.

So why does he hate us, simply put, because we’re calling him out on his own actions. Questioning hacks, theories, and explanations he’s providing. Dox? We could careless who he is, he is well aware that if ever caught he will have to answer for his actions.

Why does ReaperSec have a grudge against th3j35t3r? Simply put,we don’t, just him taking credit for things he didn’t do.

th3j35t3r: Want us stop? Stop taking credit for things you didn’t do, start giving credit where credit is due, and we’ll shut up. I still consider you a friend, though if you wish to label me as an enemy as you did on your blog, then so be it.

‘The worst enemy a person can aquire, is the enemy he once considered a friend.’ – th3j35t3r

Peace.

-CK

th3j35t3r’s Saladin Tool Exposed

Posted in Uncategorized on May 12, 2012 by sanguinariousrose

Greetings my children, it appears as I have stated many times before about th3j35t3r being a charlatan feeding off a fan base of those who do not know better gets more confirmations. I am sure if you are reading this you are aware of th3j35t3r’s new tool “Saladin” that appears to a layman inexperienced with the workings of the internet to have taken down various domains. As I have also stated anyone who knows something, in this case basic knowledge of hosting and domains, would notice a few things I shall outline. I shall start with the 4 obvious ones and how “Saladin” did nothing to take them down progressing to the few left I can only speculate on.


As you can see falojaa.net appears to not “exist” and one may ask why is that? Was there in fact some kind of super secret magickal tool in possession by this “patriotic hacker” or was it something else… Is it some secret line of code once pointed at a domain that makes it “non-existence” to every DNS server around the world? Is it transcendental manipulation of the internet using the pure Force Of American Patriotism to will the Islam away? Perhaps as rjacksix being an avid baptist is he praying the Islam away with the power of eJesus and his sidekick Saint XerXes?

It could be very much so that the Elder Gods exist that Lovecraft wrote so much of. I propose that in explanation th3j35t3r has made contact with the Elder Things from that Nameless City forged of stone with help from the Shoggoths. These workers under th3j35t3r’s control worked tirelessly through the aeons with knowledge of common computers in the present to fulfill such a request having been seen from the timeless void.

Or it could really have been this.

“9. EXPIRATION OF DOMAIN NAME REGISTRATIONS. You agree that we may, but are not obligated to, allow you to renew your domain name after its expiration date has passed. Should you choose not to renew your domain name during any applicable grace period (up to 40 days after domain expiration), you agree that we may at any time during such grace period, in our sole discretion, delete the domain registration, renew the registration or transfer the domain name to a third party on your behalf (the “Transfer”). In the event we are able to identify such a third party (“Third Party”) and effectuate such a Transfer, we will notify you via email after the transaction is completed (“Transfer Notification”). You acknowledge and agree that the Transfer may be facilitated through a single Third Party, or through an auction involving one or more parties interested in your domain name. You agree that we shall have no obligation to pay you, and you shall have no right to receive, any percentage of the proceeds of the Transfer. We cannot guarantee, and we make no representation or promise, that any Transfer will occur with respect to your domain name.”Internic – Main Terms And Conditions


As you can see those domains have expired as the owners have chosen not to renew them. Now I shall go on to the next two not so obvious ones.

It appears “islamicink.com” url redirection services have been discontinued for “ http://www.muslimdefenseforce.islamicink.com “. When you try to visit any of their previous redirection urls there is no DNS record however when you visit “islamiclink.com” it redirects to “islamicnature.com”. I would more conclude they have stopped offering url redirection services rather then anything else of a malicious nature.

The next one on the short list is “www.atahadi.0vr.net” which is hosted on 0vr.net url redirection service which redirects to this link “www.atahadi.com/vb/” which is the 5th domain now so far that has expired rather then being renewed by the owners. Now we shall explore the remaining few that are not a result of domain expiration.

Next up are the last ones that I have no real definite answer on which are “mtj.tw” which shows a default apache page (which currently is running an exploitable setup) and “modawanati.com” which is now up again as of this writing and redirects to “www.blogaraby.com/” (it was previously nulled routed or offline in some way). The domain “fatwa1.com” appears to be down due to the DNS servers for the domain are currently not accepting requests.

So in conclusion I would seriously doubt this is the work of some kind of unknown exploit due to I can account for 5 of the 9 with infallible explanations for them being down due to domain expiration unless Saladin has power over the fabric of time somehow. We have one which is a url redirection service that has stopped offering redirection services which I would seriously doubt is related to Saladin. There is “fatwa1.com” DNS servers being down which appears to be the result of technical difficulties for the hosting provider. I only see two of the targets “mtj.tw” and “modawanati.com” as even being remotely possible but given the explanations for the other targets I would say Saladin even existing is in question. I would say Saladin is nothing more then claiming credit where is not due to boost the ego and th3j35t3r impressing his fanbase.

So #whatdidyoudotodayscotty saying of th3j35t3r has reached epic irony due to the taking credit for actions he never committed. I can say I have never seen “scotty” lying or trying impress people bragging about how high profile he is. I would suggest taking a visit to these links written by krypt3ia concerning th3j35t3r Here and Here.

th3j35t3r and QR Exploits Exposed Part 2

Posted in Uncategorized on April 28, 2012 by sanguinariousrose

So I just seen this tweet and it further proves that jester has failed. To explain this better to people unfamiliar with exploits as th3j35t3r is showing, when you do a buffer overflow you are forcing a vulnerable program to execute a small piece of assembled bit-code for that specific processor architect and Operation System. This is refereed to as shell code because it often spawns a shell on the target, and then it either connects to a specific target refereed to as reverse connect, or listens for incoming connections on a specific port. This can be considered to be like a very very small program of around 100 bytes of processor instructions which are specific to Operating System as well as the architecture of the processor.  The only purpose this tool th3j35t3r mentioned could serve is to keep access to a device, and even then, he could not have used netcat on his server like he said to manage that many exploited devices efficiently without loosing potential intel as pointed out previously.

In th3j35t3r’s writeup he never mentioned using netcat on the phone itself, and if he did indeed use something other than a stock netcat he would write about it to boost his ego as he always does claiming such things. He has always done this in the past so it seems illogical for him to suddenly stop noting things he has done that makes him “l33t” so to speak. So, this further proves what I stated in my previous post that th3j35t3r has no clue what he is talking about and in fact the attack never happened as claimed. Even pointing out how it is wrong he keeps foot bullet himself and feeding on the ignorance of  his fanbase that doesn’t know any better. Grabbing a headline that says “Netcat-like Backdoor for IPhone” and running with it further proves my points and thoughts. Hacking and exploiting in real life situations is not like the movie Swordfish nor The Matrix and this is why everyone that knows something thinks th3j35t3r is a joke.

I will conclude with these words from an angry th3j35t3r fan when you question and prove his failings as an example of the ignorance.


Previous post “th3j35t3r and QR Exploits Exposed”

Posted in Uncategorized on April 19, 2012 by CryptKper

Ditto! Couldn’t have said it any better. Thanks Krypt3ia for allowing us to reblog this. Good read!

Krypt3ia

Ali didn’t go far enough so I will say it….

Yeah, I have seen the comments on the post Ali did on Island, and I have heard that there are some folks pestering him now online because of that post. Let me assure you that Ali is too nice of a guy and too caring in how he may be getting things across in a more, shall we say civil manner. Those are certainly not problems where I am concerned, so let me start off with a tirade, cool down a bit, then make a reasoned argument ok?

//RANT BEGINS

Listen up you morons, you are not doing ANY of us a favor with your antics. Taking down sites via DDoS or actually popping them and RM’ing them makes you NO BETTER THAN  LULZSEC OR ANTISEC (of the Sabu variety pre popping by the Feds) Your hamfisted attempts at self…

View original post 602 more words

th3j35t3r and QR exploits exposed

Posted in Uncategorized on March 13, 2012 by sanguinariousrose

Greetings my children, I have been watching this but it appears no one has commented on the grand th3j35t3r’s epic fails and mistakes in his blog post “claiming” he pwned terrorists. Now, I would like you to refer to this image while we embark on a magickal train ride of fail.

So, you start out with this “highly targeted and precise attack, against known bad guys, randoms were left totally unscathed.” which is rather laughable at best. It appears only terrorists use QR codes and no innocents at all would ever out of curiosity scan it and look? You go one to claim using the “CVE-2010-1807 “ exploit and this is where the epic fail just starts. CVE advisories are numbered first by the obvious CVE prefix, the year, and the exploit number for that given year. So without even checking the advisory, you are telling me you are using a 2 year old, well known by now, and patched exploit? Do you have that such a low opinion and under-estimation of “terrorists” that they are using such outdated software and/or firmware on their “devices”? Should I mention Android devices have the ability to do updates the same as iPhones (newer versions of both can do auto updates)?

Now you claim “iPhone or Android devices” as your “known and narrow vector to exploit”. You do realize that shellcode is OS dependent AND device specific? Right…? This is like trying to force an execution of a windows program on a Tandy TRS-80, it just isn’t going to work. From your post you mention no such device detection is in place, there is nothing in the POC for this, and it just seems frankly, to be made up combination of technical terms with minimalistic grasp.

“Now for the really clever bit…” I almost peed myself at what was next, this is just pure fail on levels I am personally unable to express in words, but we shall try, oh we shall try. Netcat is unable to handle multiple simultaneous connections and it is not in any way a automated tool. Honestly, it would be more believable if you coded your own automated tool to download the phone’s data than this story. Netcat is far from an optimal tool to pull this rather outlandish story that smells rather bad off.  So this is the magic command the shell code runs “nc -v -l -p 37337 -e “/bin/cat /etc/motd””. He implies he has a super secret script running in place of printing the motd command. This, as he gives as an example, but he obviously did not read his manual. This would require a “-L” for a persistent connection, assuming he didn’t do “while [1] do jester_elite_netcat_command done”, which he does seem to imply he used. This also assumes that he will not take too long downloading his data from the devices possibly missing some other probably innocent persons cell phone data. I am not knowledgeable as to how such data is stored on such devices, but I have doubts over coding such a script to do the performed functions. This would require extensive research into all the major twitter clients and associated software, not to mention the the email clients, etc.

There is also the issue of the information possibly being stored in binary data and the availability of text processing commands on a embedded device. Then there is how do you extract data from binary data on a restricted/embedded system… The only optimal solution is a native executable installed to the device to do the dirty work, and multiple versions for compatibility/architecture. Either way you look at it, this is a very non-optimized method, and is prone to intelligence being lost.

“EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world. “

I don’t really see the proof of concept taking a 2 year old CVE advisory, and exploiting people in mass with it. This rather reminds me of doing the same things the guys you claim fight would do, hypocritical much? How do you define the “bad guys”? How do you know they are “bad”? You seem to imply by listing “Anonymous Members” in the bunch that all anonymous people or related to “leak YOUR information , steal YOUR CC nums, and engage in terror plots around the world”. Are you that bigoted and single minded to classify all anons as credit card stealing terrorists? Granted I am not a fan or support anonymous but I not that full of blind bigoted hate.

The End of Lulz and Lies

Posted in Uncategorized on March 7, 2012 by xryujin

March 6, 2012 will be a day that will live in infosec history for quite some time. This is the day that it was made known to the world that the LulzSec/AntiSec/Anonymous hacker known as “Sabu” was indeed Hector Xavier Monsegur, something that many had believed for close to a year. This revelation came through a news story that was originally posted on FoxNews, and Sabu’s identity was just the tip of the iceberg. Not only had he been outed by a main stream news medium, the article also stated that he rolled on key players in the LulzSec group. A three part series with part one here, part two here, and part three here explained more about Sabu and his affiliation with Anonymous/LulzSec and his reasoning behind rolling on his friends online. (Not to mention you get to see the face of Sabu giving out the most love face of all internet glory, the duckface, as if to tell his friends to “kiss their asses goodbye.”)

One of the first mentions of Sabu being Hector was found in @backtracesec‘s file named namshub. This was posted in March of 2011. This was compliments of Hubris and Asherah, aka @fakegregghoush. This was broken FIRST by those in Backtrace Security, not from others, as many would have you believe.

This brings us to another point that we would like to make. Those who would have their garnered masses believe that they are something that they are really not. Today, which should have been a day of rejoicing for many, was tarnished a bit by one very egotistical hacktivist that we all know of by now named th3j35t3r.

th3j35t3r would tweet most of the morning, giving little snippets about how he “told everyone Sabu was the rotten apple” and that “he knew from the beginning that it was Hector,” etc. But that’s not the case. As seen in this blog post, th3j35t3r at one point thought that Sabu was a man by the name of Hugo. He stated that if he was wrong, he would apologize, which he did in this blog post. But oh wait. Something is wrong about this post. It’s not the original.

You see, th3j35t3r asked if he could use portions of a blog posted by x_ryujin_x for a post he was working on. It was agreed upon that he could use what he wished as long as he credited ReaperSec with the assist in information. But if you look at the above link as it is now, there is only one minor mention of don’t fear the Reaper(Sec). The original can be found right here. Notice there was more of a mention than what is currently up there. Pieces of his particular blog were taken from x_ryujin_x’s post written on November 17, 2011. th3j35t3r wrote his article on November 19, 2011. But th3j35t3r’s masses won’t know all of this, because it’s been long enough that things can get “fuzzy” in someone’s memory.

This isn’t the only thing that th3j35t3r has slipped upon. Stealing credit is minor compared to the all out lies that were written about LulzSec’s CloudFlare account. How would we know, you might be asking. Well, when it comes from the CEO of CloudFlare at a talk he gave at DefCon 19 stating that th3j35t3r was wrong, it’s kind of difficult to dodge the bullet on that one. Here’s the talk from Mathew Prince, part of Sam Bowne‘s presentation at DefCon 19.

Our advice to those following or keeping tabs on th3j35t3r: please take everything with a grain of salt and ask the anti-jihadist activist to show you undeniable proof of the things that he alleges.

Credit for calling it out first goes to Asherah and Hubris and Zud of BacktraceSec. They had the information before everyone else and gifted it to the world before everyone was ready to comprehend what was going on. Whether you agree with them, their methods, or their beliefs, it is without a shadow of a doubt that they said Sabu was Hector first.

For everyone else not trying to ride piggy back style on one of the biggest arrests in Anonymous’ history, remember that on June 7, 2011, Hector Xavier Monsegur was arrested and decided to begin cooperating with Federal Law Enforcement. At the peak of LulzSec’s hacks, understand that Sabu was already arrested quietly. Everything after that date was done as a lie. All the trash talking, all the hacks, all the direction given to Anonymous/AntiSec was seen by an FBI agent monitoring a government issued PC that was viewed remotely. Every thing that Sabu did from that point forward was seen by an agent. Every PM. Every DM. Every question, statement, or plan made was seen by an agent.

Sabu wasn’t the first to roll, and he won’t be the last. Get off of the boat, Anons, because it’s sinking fast and the good guys are winning. Are you wearing your floaties?

irc.reapersecurity.net port SSL 6697 #graveyard
@ReaperSecIRC

%d bloggers like this: