You should have read Hacked and Hacked II. If not, this will not make any sense.

On Monday I called both of the technical contacts from the two US sites that had also been hacked and used as a launching point to attack my box. One tech had already discovered the break-in and was patching things up. The other tech was on his way to work and did not know of the break-in. He was very upset. I got both of their emails and forwarded my logs to them. When I eventually did talk to bboyice, I told him that the other site admins knew who he was, but I told him a little bit different version than what actually happened.

I was occupied with other things and didn't bother to go looking for bboyice on irc for several weeks, but when I did, it didn't take long to track him down. After I joined one of his irc servers I /whois'ed him and found that he hung out on several channels.

BbOyIcE on #slackware #linux-ita #linux-free #zone-h #twotux #warezzomani

Well, he might be clever, but he isn't that clever; he hasn't set his nick to +i, and all of his non-+s channels show up. So he hangs out on three Linux-related channels, a warez channel, something called #twotux, and #zone-h.

Let me digress a bit here. I can't overstate how much I despise the hypocrisy of zone-h. They expound their virtues of tracking down pedophiles on the internet and catching those who trade child pornography (both admirable qualities), but then they maintain a web site so that hackers will have a place to put their "trophies" on display. Basically, once a hacker has defaced a site, he goes to zone-h and posts the URL with his name; another notch in the belt as it were. There is no doubt that one of the more compelling reasons that hackers break into computers is for bragging rights. And zone-h gives them a public forum. Isn't this the equivalent of a reward for the hackers' illegal activities? Anyway, I digress too much.

I decide to join #twotux and idle for a while and see what's being said. Well, someone with the nick e4m immediately jumps on me. (I'm ssaass) Here's the log:

Session Start: Sat Dec 21 17:02:37 2002
Session Ident: #twotux
[17:02] *** Now talking in #twotux
[17:02] *** Topic is 'www.twotux.org ~ TwoTux cambia organizzazione. Si ipropongono i progetti e i collaboratori , DOMANI sera alle 21 discussione aperta , si prega di non mancare è importante. Lo staff -- P.S. chi si assenta è fuori in rincipio'
[17:02] *** Set by e4m on Sat Dec 21 06:48:58
[17:02] <@e4m> salve ssaass
[17:03] <+ssaass> Hi

OK! I wonder, why does he immediately address me with "slave ssaass"? He seems to be uncertain as to why I'm in this channel. In fact, I think that he KNOWS that I shouldn't be here. I suspect that this might be a den for boxes that have been owned and have a rogue irc client installed for the purpose of ddos.

I decide to /whois e4m:

[17:04] e4m is twotux@gnu.is.not.unix.tb.ngnet.it * e4m@autistici.org
[17:04] e4m on @#linux-free @#xalug @#bsd @#twotux @#slackware +#ondaquadra @#rotfl @#zone-h +#asm
[17:04] e4m using ngnet.azzurra.org Telecom Italia LAB IPV6 Server
[17:04] e4m has identified for this nick
[17:04] e4m End of /WHOIS list.

[17:04] <@e4m> are you italian ?
[17:04] <+ssaass> No
[17:04] <+ssaass> But I think that you are. :)
[17:04] <@e4m> yes
[17:05] <+ssaass> What is this chanel for?
[17:05] <@e4m> how you are arrived here :) ?
[17:05] <+ssaass> I just irc'ed in.
[17:05] <@e4m> azzurra is an italian network
[17:05] <+ssaass> irc.azzurra.org
[17:05] <+ssaass> I know
[17:05] <+ssaass> I am looking for someone.
[17:05] <@e4m> why #twotux ?
[17:06] <+ssaass> I'm looking for bboyice.
[17:06] <@e4m> ok
[17:06] <@e4m> it's here i hope
[17:06] <+ssaass> Are you a hacker?
[17:06] <@e4m> i dont
[17:06] <+ssaass> But bboyice is?
[17:06] <@e4m> yes
[17:07] <@e4m> i belive
[17:07] <+ssaass> I know
[17:07] <@e4m> why?
[17:07] <+ssaass> He defaced my site.
[17:07] <@e4m> he deface ?
[17:07] <@e4m> BbOyIcE: ??!?!?!
[17:07] <+ssaass> defaced == hacked
[17:07] <@e4m> yes.. but i dont konow that you do
[17:07] <@e4m> ops he
[17:07] <@e4m> BbOyIcE: bastard
[17:08] <+ssaass> I don't know that he's a bastard, but he isn't very nice.
[17:08] <@e4m> ssaass: .. sorry :(
[17:08] <+ssaass> That's ok.
[17:08] <+ssaass> You didn't do it.
[17:08] <@e4m> how old are you?
[17:08] <+ssaass> You speak English very well.
[17:09] <@e4m> what's your site ?
[17:09] <@e4m> rotfl
[17:09] <@e4m> BbOyIcE: che diamine hai combinato lamer!!!!
[17:09] <@e4m> BbOyIcE: porca troia
[17:09] <@e4m> ...
[17:09] <@e4m> ssaass: i belive that you MUST query he
[17:10] * @e4m esco ciao
[17:10] <@e4m> ssaass: good night.. and sorry again
[17:11] <+ssaass> Bye
[17:11] *** e4m sets mode: +v ssaass
[17:11] *** e4m (twotux@gnu.is.not.unix.tb.ngnet.it) Quit (Quit: linux twotux security developer - e4m@autistici.org)
Session Close: Sat Dec 21 17:12:21 2002

Well that was interesting. It wasn't the plan I had in mind, but now bboyice will know that I'm looking for him and he will know why. It was interesting to note how quickly bboyice's friend e4m gave him up when he was caught off guard. I decide to make contact with bboyice the next day.

Session Start: Sun Dec 22 06:38:20 2002
Session Ident: BbOyIcE
[06:38] <+ssaass> Hi

bboyice is not responding and according to his /whois, he is idle. I run a script to monitor him and see when he returns to active irc. The script monitors his idle time and finally replies:

[06:51] BbOyIcE has been idle 19secs, signed on Sun Dec 22 03:45:07

[06:51] <+ssaass> Hey!
[06:52] <+ssaass> Why are you ignoring me?
[06:52] <+ssaass> Are you afraid?

I continue to monitor him. He isn't idle and is talking to someone else. My guess is that he's talking about me and what he's going to say.

[07:00] <+ssaass> Hey
[07:00] <+ssaass> I know you're here.
[07:01] <+ssaass> BbOyIcE has been idle 6secs,
[07:01] <+ssaass> Why do you ignore me?
[07:02] <+ssaass> I know who you are, Fedirico.
[07:02] <+ssaass> Why did you hack into my server?
[07:04] <+ssaass> Do you know how much damage you caused.
[07:05] <+ssaass> It wasn't very nice of you to do that.
[07:05] <+ssaass> Do you even care that you've harmed other people.
[07:05] <+ssaass> Are you just tied up in your own little world?
[07:06] <+ssaass> So much so that you can't even acknowledge how you've hurt someone else?
[07:07] <+BbOyIcE> hi
[07:07] <+ssaass> Ahhh
[07:07] <+ssaass> You speak.
[07:07] <+BbOyIcE> i don't speack english very well
[07:07] <+ssaass> OK
[07:07] <+ssaass> I don't speak Italian at all.
[07:08] <+BbOyIcE> ok
[07:08] <+ssaass> Why did you break into my computer?
[07:09] <+BbOyIcE> i've miss target
[07:10] <+ssaass> ?
[07:10] <+BbOyIcE> wrong target
[07:11] <+ssaass> Ahhh
[07:11] <+BbOyIcE> excuse me
[07:11] <+BbOyIcE> i can work for your security into system
[07:12] <+ssaass> Lei sa quanto danno che lei ha fatto?
[07:12] <+BbOyIcE> no
[07:12] <+BbOyIcE> how many?
[07:13] <+ssaass> Che lei ha sostituito scheda?
[07:13] <+BbOyIcE> what's card?
[07:13] <+ssaass> ???
[07:14] <+ssaass> Devo reinstallare il sistema di funzionamento e tutto iconfiguro.
[07:14] <+BbOyIcE> ok
[07:14] <+ssaass> But that's not good.
[07:14] <+ssaass> It will take me many hours to do this.
[07:14] <+BbOyIcE> i know
[07:16] <+BbOyIcE> where are you form?
[07:16] <+ssaass> USA
[07:16] <+BbOyIcE> city?
[07:16] <+ssaass> Ahh
[07:17] <+ssaass> Near Dallas
[07:17] <+BbOyIcE> i love america
[07:17] <+BbOyIcE> i will wont go in USA but i don't have money
[07:17] <+BbOyIcE> and im 17 years
[07:17] <+ssaass> Are you going to come here?
[07:18] <+BbOyIcE> where?
[07:18] <+ssaass> USA
[07:19] <+BbOyIcE> to work in your server?
[07:19] <+ssaass> hahaha
[07:19] <+ssaass> No
[07:19] <+ssaass> You've done enough damage there.
[07:20] <+ssaass> Some of the other computers you went through to get to my computer know you were there.
[07:20] <+ssaass> And they called me and ask what I knew about you.
[07:21] <+ssaass> I think they are trying to press charges.
[07:21] <+BbOyIcE> i'm a professionis in security administration
[07:21] <+ssaass> Theb why do you break into computers?
[07:21] <+ssaass> Then
[07:22] <+ssaass> Professionis does not do that.
[07:23] <+BbOyIcE> i'm a little researcher for security bug into OS
[07:23] <+ssaass> Ok
[07:23] <+BbOyIcE> i don't have the money to buy all system or big system and i experiment in other computer
[07:23] <+ssaass> But you replaced login, nologin, netstat
[07:24] <+ssaass> Researh is one thing , but putting in trojan files is bad.
[07:24] <+BbOyIcE> i don't remeamber your system
[07:24] <+ssaass> Oh
[07:24] <+BbOyIcE> ahhh
[07:25] <+BbOyIcE> have you got a FreeBSD?
[07:25] <+ssaass> You break into so many that you can't remember?
[07:25] <+BbOyIcE> how many large is your LAN?
[07:26] <+ssaass> It's just one server.
[07:27] <+BbOyIcE> i searched special library for BSD system
[07:27] <+ssaass> What were you searching for?
[07:28] <+BbOyIcE> i search for study BSD system and remote control of these
[07:28] <+BbOyIcE> the shell
[07:28] <+BbOyIcE> don't response
[07:28] <+BbOyIcE> for output very well
[07:29] <+BbOyIcE> i've modified my code
[07:29] <+ssaass> But don't you understand that you can't do that to other peoples computers without their permission?
[07:30] <+ssaass> Ma lei non capisce che lei non può fare che agli altri computer di persone senza il loro permesso?
[07:31] <+BbOyIcE> yes but if i find theyr permission...they don't put me it
[07:31] <+ssaass> But I didn't give you my permission.
[07:32] <+BbOyIcE> i know
[07:32] <+BbOyIcE> for this...i have breaked your computer
[07:32] <+ssaass> Yes, you did.
[07:32] <+ssaass> That is very bad.
Session Close: Sun Dec 22 07:36:29 2002

At this point my connection to the server died and I lost contact with bboyice. I had made my point and decided not to make further contact.
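The two bits of irc mechanics this story leans on are the /whois reply (the channel list that gave bboyice away) and the idle counter the monitoring script polled until he came back. As an added example, not the author's script and not code from the page, here is a Python parser for the numeric replies a server sends in answer to WHOIS (311, 312, 317, 318 and 319, as named in RFC 1459/2812), plus a small idle watcher that reports when the counter resets. It goes a little beyond the post in that it keeps the @/+ status prefixes and works for any queried nick. The raw server lines in SAMPLE_WHOIS are constructed for the demo: the nick, channel names and server name come from the post, while the user, host, realname and signon timestamp are made-up placeholders.

```python
"""Parse /WHOIS numeric replies and watch a nick's idle counter.

Added example, not the post author's script. SAMPLE_WHOIS below is
constructed: nick, channels and server name are from the post; user,
host, realname and the signon timestamp are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Numeric replies a server sends in answer to WHOIS (RFC 1459 / RFC 2812).
RPL_WHOISUSER = "311"      # <me> <nick> <user> <host> * :<realname>
RPL_WHOISSERVER = "312"    # <me> <nick> <server> :<server info>
RPL_WHOISIDLE = "317"      # <me> <nick> <idle secs> [<signon>] :seconds idle
RPL_ENDOFWHOIS = "318"     # <me> <nick> :End of /WHOIS list.
RPL_WHOISCHANNELS = "319"  # <me> <nick> :@#chan +#chan #chan ...


@dataclass
class WhoisInfo:
    nick: str
    user: str = ""
    host: str = ""
    realname: str = ""
    server: str = ""
    channels: Dict[str, str] = field(default_factory=dict)  # channel -> '@', '+' or ''
    idle_secs: Optional[int] = None
    signon: Optional[int] = None


def split_message(line: str) -> Tuple[Optional[str], str, List[str], Optional[str]]:
    """Split one raw IRC line into (prefix, command, middle params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0], parts[1:], trailing


def parse_whois(lines: List[str], nick: str) -> WhoisInfo:
    """Fold the numeric replies for one nick into a WhoisInfo record."""
    info = WhoisInfo(nick=nick)
    for raw in lines:
        _, cmd, params, trailing = split_message(raw)
        # Every WHOIS numeric carries the queried nick as its second param;
        # anything else (other nicks, PINGs, channel traffic) is skipped.
        if len(params) < 2 or params[1].lower() != nick.lower():
            continue
        if cmd == RPL_WHOISUSER:
            info.user, info.host = params[2], params[3]
            info.realname = trailing or ""
        elif cmd == RPL_WHOISSERVER:
            info.server = params[2]
        elif cmd == RPL_WHOISCHANNELS:
            # Secret (+s) channels are left out of this list by the server,
            # so it shows only what the server is willing to reveal.
            for entry in (trailing or "").split():
                status = entry[0] if entry[0] in "@%+" else ""
                info.channels[entry.lstrip("@%+")] = status
        elif cmd == RPL_WHOISIDLE:
            info.idle_secs = int(params[2])
            if len(params) > 3 and params[3].isdigit():
                info.signon = int(params[3])
        elif cmd == RPL_ENDOFWHOIS:
            break
    return info


def summarize(info: WhoisInfo) -> str:
    """One-line summary in the shape a client prints: '<nick> on <channels>'."""
    chans = " ".join(status + chan for chan, status in info.channels.items())
    return f"{info.nick} on {chans}"


class IdleWatcher:
    """Feed it each polled idle value. It returns True when the counter reset
    (the nick sent something since the last poll; idle only grows otherwise)
    or when the very first reading is already below the threshold."""

    def __init__(self, active_threshold: int = 60) -> None:
        self.threshold = active_threshold
        self.last_idle: Optional[int] = None

    def observe(self, idle_secs: int) -> bool:
        if self.last_idle is None:
            active = idle_secs < self.threshold
        else:
            active = idle_secs < self.last_idle
        self.last_idle = idle_secs
        return active


# Constructed server replies for the demo (not captured traffic).
SAMPLE_WHOIS = [
    ":ngnet.azzurra.org 311 ssaass BbOyIcE bboyice host.example.invalid * :placeholder realname",
    ":ngnet.azzurra.org 319 ssaass BbOyIcE :#slackware #linux-ita #linux-free #zone-h #twotux #warezzomani",
    ":ngnet.azzurra.org 312 ssaass BbOyIcE ngnet.azzurra.org :Telecom Italia LAB IPV6 Server",
    ":ngnet.azzurra.org 317 ssaass BbOyIcE 19 1040500000 :seconds idle, signon time",
    ":ngnet.azzurra.org 318 ssaass BbOyIcE :End of /WHOIS list.",
]

if __name__ == "__main__":
    info = parse_whois(SAMPLE_WHOIS, "BbOyIcE")
    print(summarize(info))
    print(f"{info.nick} has been idle {info.idle_secs}secs, signed on {info.signon}")
    watcher = IdleWatcher()
    print([watcher.observe(v) for v in (1800, 2400, 19, 400)])
```

A polling loop would send `WHOIS <nick>` every minute or so, hand the replies to parse_whois, and pass idle_secs to IdleWatcher.observe; the first True is the moment to log, which is exactly what the "has been idle 19secs" line above records.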