"Operation Payback" Probe nets a rooted server!

Thu, 30th December 2010, 20:42

Federal investigators appear to be following the trail of those allegedly responsible for launching a denial of service attack against PayPal earlier this month. The attack was instigated by a loosely bound Anonymous collective in response to PayPal's decision to freeze an account used by WikiLeaks.

An affidavit obtained by the Smoking Gun contains testimony by federal agents convinced that systems at Texan hosting firm Tailor Made Servers are likely to contain clues in the hunt for the hacktivists.

The affidavit shows that on December 9, PayPal provided FBI agents with eight IP addresses that were hosting an “Anonymous” Internet Relay Chat (IRC) site that was being used to organize denial of service attacks. The unidentified administrators of this IRC “then acted as the command and control” of a botnet army of computers that was used to attack target web sites.

One IP address was initially traced to Host Europe, a Germany-based Internet service provider. A search warrant executed by the German Federal Criminal Police revealed that the “server at issue” belonged to a man from France. A closer analysis of the server showed that “root-level access” to the machine “appeared to come from an administrator logging in from” another IP address... the server appears to have been hacked!

Log files showed that the commands to execute the DDoS on PayPal actually came from a server at co-location facility provider Tailor Made Servers. It is being reported that agents copied two hard drives inside the targeted server on December 16, although there are no public court records detailing what was found on those drives, nor whether the information led to a suspect or a continuing electronic trail.

A second IP address used by “Anonymous” was traced to FranTech Solutions, a VPS hosting provider out of British Columbia, Canada. Investigators with the Royal Canadian Mounted Police determined that the Canadian firm’s “virtual” server was actually housed at Hurricane Electric, a California firm offering “co-location, web hosting, and dedicated servers.” The affidavit provides few details on any information that may have been gleaned from analyzing the server.

It is not uncommon for rooted servers to host IRC chat rooms. As seen with the recent activity, hacktivists can utilize Facebook, Twitter, as well as numerous other methods of social media to relay communications...