Kicked Around

"Shit," Erik thought to himself. "This isn't a good sign. A dumb script kiddie probably wouldn't try to use something more anonymous like the ROT network. Whoever this is, he's smart enough to remove the logs and use a method of communication to disguise where he's located."

ROT was a network that attempts to conceal the identities of those using it. There are several "nodes" setup on the Internet all over the world. A user would connect to an entrance node, and the user's communication will be relayed through various other nodes on the network before it reaches an "exit node" and arrives at its final destination. This anonymizes the traffic, disguising where the original user is located. It isn't entirely anonymous, but for a regular person like Erik, it's extremely difficult (to nearly impossible) to discover the identity of the user.

Erik was able to find the binary executables on the file system that were initiating the connections to entrance nodes on the ROT network. He opened a hex editor and found that they were compiled using a popular software framework. So, Erik installed a decompiler for that framework to reverse engineer the source code.

Analyzing the source code, he saw that the executable compressed everything in the user's documents folder and uploaded it to a popular, free, file sharing site, unauthenticated. This upload creates a new URL link that could be used to download the files from the website by anyone who knew the URL. Afterward, the executable posted the newly created URL that linked to the uploaded files on the sharing site to a different web service that was used to share text online. The post to the text-sharing service used an API account. Finally, the executable opened a connection to the ROT network and logged into an IRC server (Internet Relay Chat) and entered a password protected channel, which was a public chat room, but without the password, you wouldn't be able to access the chat room.

"This is interesting," Erik thought. "It looks like Lara's computer has been turned into a bot for this guy's botnet." A botnet is a set of connected devices, usually computers, that can be controlled by the botnet owner using a "Command and Control" server. In this case, it appeared that the botnet was connecting to an IRC channel to receive its commands. The botnet owner could use the bot to do whatever the botnet owner wanted the bot to do: attack other servers on the internet, delete the contents of its own computer, spread the botnet software to other machines on the computer's network, etc.

Erik turned his attention back to the Documents folder of Lara's laptop and found all of Lara's school work. In addition, she had research papers, study guides, her class schedule, and more. She even had files that were copies of her financial aid documents complete with her home address, school address, and her social security number.

"Fuck," Erik thought. "Well, if this isn't how he got her stuff, he definitely has all of her information now. She's probably going to need to monitor her credit reports too." Erik took an image of the laptop's hard drive and copied it to a USB drive to backup all of Lara's files. Afterward, he started the process of reformatting the laptop and reinstalling the operating system.

"Now, let's look at the website," he thought. Erik booted his own laptop into a Penetration Testing Live CD. Erik had all the passwords for the VM provider so he logged in and started taking backups of the database and website code. Erik looked at the database users and found a list of new users that had access to the Admin area of the website:

marvin, marvin01, marvin02, marvin03, marvin04, etc...

There were thousands of accounts.

"Nice," Erik thought. "Left himself tons of ways to get back in. I'll have to delete all those."

In the plugins area, there was a new plugin called "reversesh." Erik opened the code and saw that it allowed the user to run commands on the VM instance itself.

"That's not good," Erik thought. "If he has shell access, he can probably see what I'm doing right now. I need to hurry." Erik knew that he needed to get everything off of the VM immediately and figure it out later. If the attacker saw Erik poking around, he could kick Erik out or possibly delete everything on the site, so it wasn't recoverable. Erik didn't sign up for the extra backup service at the VM provider, so this was all on him.

Erik added the site files to a single archive and compressed it. Then, he copied the files to his computer. Now he just needed to copy the settings from the web server configuration files, and then he would be ready to take down the server. Just then, he received a terminal message from another user on the machine:

marvin8893: Who R U?

Erik froze. "Erik, we have a problem," Erik thought to himself. "He's here. And he's probably watching me right now." Erik opened up a new shell to download the rest of the files. Then he turned back to his console.

root: Nobody

marvin8893: Y RU stealin my shit nobody?

root: Your shit? I don't think this server belongs to you

marvin8893: I pwnd it. U R mine

root: I think we are done here

marvin8893: IM DOXXIN YOUR SHIT RIGHT NOW.

With that, Erik disconnected. He was breathing heavy from the encounter. "Does he know who I am?" Erik thought. "He couldn't. There's no way. He's got to be talking about Lara." Erik continued to stare at the screen, waiting for something to happen. His heart was pounding, anticipating something dreadful. As time went on, his breathing slowed, and his heart rate returned to normal. He snapped out of his anxious state and back to the task at hand.

Erik logged into the VM provider's customer panel and shutdown the VM. Next, he deleted the VM instance and added a brand new one. After the VM was created, Erik applied a fresh Operating System and reset the master password. Erik logged into the server and began the process of restoring the site. Erik applied the database backup and an older version of the code that he had saved. He loaded the site up in a browser. It was back up and running. Erik logged into the website and received a warning that the Content Management System he was using was out of date.

Erik navigated to the Admin update section and attempted to update. But it kept failing. The website provided a link to download the file and install it manually. Erik clicked the link to install it. The linked file was a Binary file type for a different operating system. "This is really strange," Erik thought. "Something is wrong."

Erik opened a new browser tab and navigated directly to the Content Management System's website. There, he downloaded the appropriate files and installed them on Lara's VM server as an upgrade to her website. But, when Erik went back to the Admin area of Lara's site, it still said that it needed to upgrade and it still downloaded the incorrect binary. Erik viewed the source of the website and found that the link to the binary was not from the Content Management System's website. Instead, the URL was a random URL shortened link using a popular free URL shortening service. Erik went to the URL shortening website and entered the link he found. This returned the full website of the link, which Erik found pointed back to an upload on Lara's website. Basically, Lara's website kept telling the administrator that it needed to update itself and tried to have the administrator install something on their own computer that was stored on the same website in order to update the website. This was not good and made no sense.

"What the fuck," Erik said under his breath. Erik's heart started racing. "I missed something. He's still here. What the fuck. How did he get back in? This doesn't make any sense." Erik's mind continues to race. "Did he hack my machine? Does he know who I am? Is he watching me?" Erik stared at his laptop. Then closed the lid with a sudden snap and paced in his room. Suddenly, there was knock at the door. Erik froze. Erik's heart was pounding. He stared at the door in suspense. There was another knock at the door. Erik didn't move. He didn't blink. He just stared.

"Yo, Erik," Bret said. "C'mon man it's Monday night, time for some 1-on-1." Erik closed his eyes and sighed in relief as his head bent down. He looked at the time and realized that he'd been working on this for several hours. He missed class and dinner. Erik took a deep breath, lifted his head and walked to the door. Erik turned the doorknob and opened the door to see Bret and Steve in the hallway. "C'mon man, it's time to ball.," said Bret. Steve stared at Erik, expressionless.

"I can't," Erik said. "I've got some stuff for work... I gotta do."

"Work???" Bret said. "Fuck that. Put your dumbass, nerd shit down and let's go do this. You and bigs are first tonight, and I'll take winner."

"I'm sorry," Erik said. "There was... I have to work on Lara's website."

"Ohhhh," Bret said as both he and Steve began to walk into Erik's room. "The porn chick is back? Then you have some very important things to attend to. That free account doesn't work anymore, so Ogre and I will sit here." Bret held his hands up open and made an hourglass shape in the air. "And we'll watch the new, features, you are working on. Just umm... Don't pull your dick out or anything like that. Save that shit for when you're alone."

Erik shook his head. "You don't understand," Erik started. "Her website got hacked by some guy. I wiped everything and started over, but he's back. I don't know how he did it. This is going to take awhile to figure out."

"So, you're not going to be watching her new shit?" Bret asked. "Fuck this..." Bret and Steve got up to walk out. "C'mon he-man, let's go start up the game. It's probably going to have to download updates again. Fucking bullshit takes forever.." Bret and Steve walk out of the room and Erik shuts the door behind them.

"Alright," Erik thought. "How could he have done this? It keeps asking to upgrade each time. He probably modified the code, but I pulled an older version prior to the hack. But the database is the same. And the database holds... The version number... Fuck... The database has gotta be it. But what the fuck else did he put in there? Could be anything. Maybe..."

Erik opened a command line terminal and searched the files for a version function. He found one in a file that was called by the main index controller file. Erik opened the file in a text editor and found the function. The function had a database query that checked the version in a table. The version was reported as 48.9770333,-102.155491. "That's a strange version number," Erik thought. He opened a new web browser tab and navigated to the Content Management System website. They were using version 6.4.2. "They don't even look close. Maybe it's some sort of an extra build number."

Erik downloaded the Content Management System from the website and installed it on his own system. The version number in the table was: 6.4.2. "What the fuck..."

Erik opened the file that ran the version check function. The function checked the version stored in the database against a version returned from a website that was stored in another table. Erik checked the table and saw that the website was another URL shortened link. Erik opened the link in a browser. The website returned the same binary executable file to upgrade the website. Erik checked the code again. Erik found that if the version in the database doesn't match the version returned in one of the header fields of the response from the request that is made to the URL stored in the version table, then the URL stored in the version table became the link to download the upgraded version.

However, the binary that it was downloading was not what the CMS code was expecting. Updates to the CMS are initiated by an Administrator of the website, so when this condition was hit, instead of returning an error, it would return the file directly to the user to download. "What fucking dumbass wrote this piece of shit!!!" Erik thought. "Why would someone do this? It was a bug, Erik." Sometimes, Erik would speak to himself in the third person, especially when he tried to quote something and wanted to interject himself into the quote.

Erik concluded that this "Marvin" found a software flaw in the application that was used to build Lara's site and he used this flaw to hack Lara's laptop. Marvin did this by updating the version link in the database so that the Content Management System would keep prompting the user to run the exploit code on their machine. Erik concluded that whatever was in the executable was probably some rootkit that allowed Marvin to take control of Lara's laptop. "Well, Marvin's not stupid," Erik thought. "If he put this in, he might have put in some backdoors, too. I can't trust the database now. I'll have to start from the last backup I took. That's weeks behind with all the new shit she uploaded... Plus the new users that signed up... And I have to be careful that one of them isn't this little fuckhead..."

This conclusion explained how Marvin probably hacked Lara's laptop. But, it doesn't explain how Marvin hacked the website to begin with. Erik then shifted back to his initial question. "How did he hack the website?" Erik thought. "He's really good at keeping himself in the system, but what did he exploit so that he could do this in the first place?" Erik racked his brain trying to think. He knew he was missing something, but couldn't figure out what it was.

"It's going to be a long week... If I ever find this asshole, I'm going to kick his balls up through his fucking throat."

Chapter 20

Erik jolted awake the next morning to his alarm. He was exhausted from the late night before. After his significant discovery, he kept thinking about how Marvin hacked Lara's website. Erik was extremely tired by the time he concluded how Lara's laptop was compromised, so he wasn't able to research much more. Erik checked some of the server logs that he copied down and noticed that they were blank too. After that dead end, Erik was too drained to keep looking. He was too tired to do anything except collapse in his bed and fall asleep.

When he woke up, he was still wearing the same clothes from the night before. He had a raging erection that was bulging from his shorts. Erik undressed, wrapped himself in a towel, and walked to the bathroom with his shower caddie. Erik masturbated in the shower, thinking of one of the BDSM porn videos that he watched recently.

Erik imagined slapping his cock up against the mouth of the girl in the video as he smacked it against his hand in the shower. He forcefully rammed his cock into her mouth, and she choked on it. Erik called her a bitch and told her that she looked like a dirty slut. "Beg me for my cum, whore," he said in his fantasy. "Beg me. You fucking slut." Erik smacked her across the mouth and then grabbed her head, thrusting himself into her mouth, so that his cock reached the back of her throat. She choked some more before she pushed him out. Erik came all over her face and mouth. He rubbed his cock all over her face, pushing the cum into her mouth. The girl then pushed it out of her mouth, letting it run down her lips and chin.

Erik opened his eyes and watched the cum roll down the back wall of the shower. He threw water on the back wall to wash it down. Then, he made sure that the cum washed down the drain. Erik finished showering and went to class. The swelling in his nose was very minor now, and he was starting to look normal again.

Erik entered the classroom and took a seat. Jessica entered and looked angry. She didn't say anything, just sat down in front of him and stared straight ahead. Erik stared at her, wondering what the problem was. Jessica didn't turn around, just watched the wall, straight ahead.

Eventually, class started, and Professor Hand gave Erik his midterm. Erik got a C+. "Fuck," Erik thought. "I thought I did better than that." Erik noticed that the class had thinned out. Only about ⅔ of the students were there. Erik also saw that Bob was gone.

After handing back the midterm to Erik, Professor Hand made reference that some of the students did so poorly on the exam that there was no chance that they would pass the class. Those students had taken it upon themselves to drop the class. "If Jessica dumped Dave and Bob failed the class, are these fuckers really gone?" Erik thought. "Is it over?"

After class, Erik and Jessica got on the bus. She looked very upset. Erik wanted to say something to her, but he just didn't know if it was safe... yet. In addition, he was still preoccupied with the work he had ahead of him. When the bus arrived back at the dorms, Erik rushed up to his room to continue his research. Everything was just as Erik had left it when he passed out the night prior. Erik started back at tracking down how "Marvin" hacked Lara's website.

Erik decided that he should investigate the Botnet. He connected to the ROT network and then connected to the IRC server that he found in the decompiled executable from Lara's computer. Erik joined the IRC channel where he saw hundreds of other users with names that began with "martian." Starting with "martian01" and continuing to "martian99". Then, the numbers restarted with the prefix "martia100" and continued on. The highest number was "martian593". There were two operators of the channel: "marvin01" and "marvin02". Upon joining the channel, he was kicked and banned. This prevented Erik from rejoining the channel.

Erik reconnected to the ROT network so that it would change his IP address. Then, he rejoined the IRC network. This time, he changed his IRC handle to "martia601" and joined the IRC channel. Upon joining the channel, he received a direct message from "marvin02" that stated: "initiate_auth." Erik stared at the message, trying to think what he should enter. He entered the password to the IRC channel and sent it. Immediately, he was kicked and banned again from the IRC channel.

Erik realized that if he wanted to continue investigating the IRC channel, he would need to thoroughly analyze the decompiled executable that was running on Lara's laptop to reverse engineer the communication protocols that the Botnet was utilizing. Erik decided that was going to take too long, so he decided to look at the API account information for the text sharing service that was used to post the URL of the file upload. Erik reviewed the API documentation of the text sharing service to see what he could do with the API account information.

Erik found that there were API functions to return all the submissions that were made to the text-sharing site using the API account. Erik made the request and found hundreds of links returned that spanned three years. Erik opened the first one in a browser. The link contained a URL to the same file sharing web service that had Lara's files posted. Erik clicked the link, and the file sharing web service responded with the message "Link expired." Erik navigated to the file-sharing website's FAQ (Frequently Asked Questions). He read that unauthenticated submissions were only available for 30 days. After that, they were removed.

Erik tried the most recent URL returned from the text-sharing site, and it contained another link to the file sharing service. Erik downloaded the file attached to the link and opened it. The file was comprised of the contents of Lara's hard drive. "Well, that sucks," Erik said. "At least it's only going to be available for 30 days, and you need to have the direct link to access it."

Erik continued to research the other API functions from the text-sharing site. There was another API function that could be used to retrieve the API account owner's information and settings. Erik made the request, and it returned back an email address. Erik took the email address and did a web search for it. Nothing came up. Then, Erik opened a "Deep Web" search site on the ROT network and searched for the email. There was a result for a site that was only available when using the ROT network.