Tuesday, January 29, 2013

Booter.tw update

Earlier today, an old friend of mine approached me with quite a handful of interesting information. Before I get into the good stuff, I want to give you a bit of history about 'Askaa' and 'DaL33t', and why they're just plain bad people.

Askaa came onto the scene in early 2012. He took over twBooter as owner, and was actually quite successful as far as booters go. After a while, he was unable to keep up with his "success". His user base used up more resources than Askaa was willing to provide, and soon the power dropped. This didn't stop his sales though; he continued to sell very expensive lifetime packages when in reality he was getting ready to bail. Soon enough, that's exactly what he did: took the money and ran. He didn't go far though. He contacted our friend Orgy about restarting twBooter in Orgy's name, having Orgy be the face while he continued to run things from behind the scenes. His plan was to drop all existing customers and start fresh. Orgy played along, and once he had pieced together what Askaa was doing, he showed it to everyone publicly. Askaa then disappeared for 6 months.

DaL33t did something similar. He ran another "successful booter" for a while, but again couldn't keep up with it. The user base was too large, so he bailed and let his servers go offline, except for the one allowing sales to be made. He continued to accept money for a non-working (and yes, still illegal) product for well over a month. He promised to resurrect the project, but bailed.

Now, while our goal is to get rid of these tools in general, I took special interest in this one specifically because of the scumbags running it. I feel that's also why my friend decided to do what he did, which you'll see below:

[12:45:47 PM] Friendly Insider: Where do we start?
[12:50:44 PM] BV1: Well
[12:50:49 PM] BV1: What'd DL do to you?
[12:51:42 PM] BV1: My history with him is he's always just had to have some sort of status. He'd fuck over friends in order to make himself look cooler.
[12:53:36 PM] Friendly Insider: Basically
[12:55:03 PM] Friendly Insider: ***Removed for his Privacy***
[12:56:27 PM] BV1: ah, gotcha
[12:56:51 PM] Friendly Insider: yer
[12:57:00 PM] Friendly Insider: You know his skype got "hacked" yeah?
[12:57:22 PM] BV1: sounds like you had something to do with it hah
[12:57:34 PM] Friendly Insider: indeed i did
[12:57:47 PM] Friendly Insider: twbooter leaks, the rm -rf on the backend box
[12:57:59 PM] Friendly Insider: guilty as charged ;)
[1:00:17 PM] Friendly Insider: I'd rather if you kept it between us for now
[1:02:36 PM] Friendly Insider: getting the info from LS was not hard either
[1:02:37 PM] Friendly Insider: https://pastee.org/****

===============================================================
============Contents of Pastee.org in case of removal===========
===============================================================
[22/01/2013 01:04:34] DaL33T:here?
[22/01/2013 01:04:45] LiteSpeed:yes
[22/01/2013 01:04:57] DaL33T:what was the backend ip for tw again?
[22/01/2013 01:05:08] LiteSpeed:72.9.154.18
[22/01/2013 01:11:37] DaL33T:did you change the pass?
[22/01/2013 01:11:54] DaL33T:i cant get on it
[22/01/2013 01:12:10] LiteSpeed:Jollibee13377
[22/01/2013 01:54:52] DaL33T:could you send me the attack scripts so i can setup a private server
[22/01/2013 01:54:52] DaL33T:?
[22/01/2013 02:19:01] LiteSpeed:yea
[22/01/2013 02:19:02] LiteSpeed:i guess
[22/01/2013 02:19:08] LiteSpeed:tell biasa to wake up
[22/01/2013 02:19:13] LiteSpeed:im tired of this shit
[22/01/2013 02:19:15] LiteSpeed:he is never here
[22/01/2013 02:19:19] LiteSpeed:and our site is down
[22/01/2013 02:19:30] DaL33T:i noticed
[22/01/2013 02:19:39] LiteSpeed:somehow
[22/01/2013 02:19:40] LiteSpeed:some way
[22/01/2013 02:19:46] LiteSpeed:someone got our backend
[22/01/2013 02:19:52] LiteSpeed:and is syn flooding it on port 80
[22/01/2013 02:20:09] LiteSpeed:i moved the site to 8080 for right now
[22/01/2013 02:20:15] LiteSpeed:but askaa needs to get another ip
[22/01/2013 02:21:24] LiteSpeed:its getting a 60k pps flood
[22/01/2013 02:21:28] DaL33T:fuck
[22/01/2013 02:21:39] LiteSpeed:and best of all
[22/01/2013 02:21:46] LiteSpeed:biasa has school work and does not care!
[22/01/2013 02:23:28] DaL33T:he is up
[22/01/2013 02:23:53] DaL33T:send me scripts
[22/01/2013 02:47:49] DaL33T:you there?
[22/01/2013 02:47:59] LiteSpeed:yea
[22/01/2013 02:48:07] LiteSpeed:working on biasa stuff
[22/01/2013 02:48:09] LiteSpeed:one min
[22/01/2013 02:48:15] DaL33T:ok
[22/01/2013 02:51:32] DaL33T:what is it you are doing biasa?
[22/01/2013 02:57:18] DaL33T:can you send them, got to go in 5 mins
[22/01/2013 02:57:24] LiteSpeed:ok
[22/01/2013 03:03:48] DaL33T:dude
[22/01/2013 03:04:17] DaL33T:really need them
[22/01/2013 03:04:44] LiteSpeed:Sent file "twBooter2.rar
[22/01/2013 03:08:56] DaL33T:wheres the ESSYN?
[22/01/2013 03:09:05] LiteSpeed:ssyn
[22/01/2013 03:09:09] LiteSpeed:i never renamed it
[22/01/2013 03:09:11] LiteSpeed:after i updated it
[22/01/2013 03:09:12] DaL33T:oh right
===============================================================
===============================================================
===============================================================

[1:24:34 PM] BV1: hahaha...
[1:24:42 PM] Friendly Insider: you want attack server ips?
[1:25:18 PM] BV1: I believe I was the cause of the attack they mentioned in that convo
[1:25:34 PM] BV1: they left ********** unprotected
[1:25:40 PM] Friendly Insider: who gave you that?
[1:25:41 PM] Friendly Insider: orgy
[1:25:43 PM] Friendly Insider: nvm
[1:25:48 PM] Friendly Insider: I gave it to orgy lol
[1:25:53 PM] BV1: ah only makes sense you're responsible for us getting it hah
[1:25:50 PM] Friendly Insider: orderid | ip

18:03:73:3f:b5:6c | 67.222.156.241
l7v2 | 72.9.144.80
b18s26 | 89.248.172.97
b18s24 | 89.248.172.96
a06s32 | 89.248.172.201
b11s08 | 93.174.93.30
b18s28 | 89.248.169.53
a06s36 | 89.248.172.205
b13s13 | 94.102.49.76


[1:26:17 PM] BV1: amazing
[1:26:33 PM] Friendly Insider: I have the full mysql database
[1:26:43 PM] BV1: you genuinely fucked them up
[1:26:50 PM] Friendly Insider: Yeah
[1:27:01 PM] Friendly Insider: I don't plan on being finished yet
[1:27:19 PM] BV1: and LiteSpeed...
[1:27:24 PM] BV1: He more or less gave you everything
[1:27:25 PM] BV1: That's hilarious
[1:27:29 PM] Friendly Insider: ikr
[1:27:40 PM] Friendly Insider: this is why they released the attack scripts
[1:27:43 PM] Friendly Insider: before I did it
[1:28:02 PM] BV1: Makes sense now. They knew it was inevitable hah.
[1:28:08 PM] Friendly Insider: you know the mega link floating around with the source?
[1:28:27 PM] Friendly Insider: that would be my mega account :3
[1:28:27 PM] BV1: yea
[1:28:30 PM] BV1: haha nice
[1:28:44 PM] BV1: yeah, once I downloaded it, mega started going slow for me
[1:28:50 PM] BV1: so I have it mirrored all over the place now
[1:29:00 PM] Friendly Insider: haha
[1:29:19 PM] Friendly Insider: Out of 242 users, I have the plaintext pass for 142 of them
[1:29:32 PM] BV1: how? were they not protected?
[1:29:46 PM] Friendly Insider: they are sha256
[1:29:53 PM] Friendly Insider: most are in rainbow tables
[1:29:58 PM] BV1: gotcha
[1:30:12 PM] Friendly Insider: i found a hole in the IPN as well
[1:30:20 PM] Friendly Insider: could generate giftcodes
[1:30:28 PM] Friendly Insider: until they renamed the ipn
[1:30:34 PM] Friendly Insider: ***Removed for his Privacy***
[1:30:40 PM] Friendly Insider: ***Removed for his Privacy***
[1:32:46 PM] Friendly Insider: Is there anything that I may have that would be useful to you? :3
[1:41:34 PM] BV1: sorry was afk for a sec
[1:42:11 PM] Friendly Insider: mk
[1:42:49 PM] BV1: Well, how private do you want this information to be, is there any way I can make you into a god on a booterdown article?
[1:43:26 PM] BV1: like, if you want to stay on the down low, I'll probably just reveal their servers
[1:43:43 PM] BV1: if you don't mind me talking you up on my site, I'll make a bunch of this info public, and attack their shit
[1:43:47 PM] BV1: credited to you
[1:43:49 PM] Friendly Insider: Do what ever you want, just do not mention my name
[1:43:53 PM] BV1: ok
[1:44:13 PM] Friendly Insider: What ever it takes to fuck them over
[1:47:50 PM] BV1: gonna write up an article tonight
[1:47:56 PM] Friendly Insider: sure
[1:48:02 PM] BV1: ***Removed for his Privacy***
[1:48:06 PM] Friendly Insider: nope
[1:48:08 PM] BV1: lol
[1:48:18 PM] Friendly Insider: ***Removed for his Privacy***
[1:48:35 PM] Friendly Insider: ***Removed for his Privacy***
[1:48:40 PM] Friendly Insider: Ya digg? :3
[1:49:02 PM] BV1: yep yep
[1:49:13 PM] BV1: will make sure I don't do anything to jeopardize that
[1:49:56 PM] Friendly Insider: ***Removed for his Privacy***
[1:50:12 PM] Friendly Insider: ***Removed for his Privacy***
[1:53:10 PM] Friendly Insider: ***Removed for his Privacy***
[1:54:20 PM] BV1: understood


Alright.... Sick! This mystery gentleman just completely revealed everything to me.
You can match up all the IPs above to the picture below:

The DFW Datacenter is Tailor Made Servers.



67.222.156.241 - Tailor Made Servers
72.9.144.80 - Tailor Made Servers
89.248.172.97 - Ecatel
89.248.172.96 - Ecatel
89.248.172.201 - Ecatel
93.174.93.30 - Ecatel
89.248.169.53 - Ecatel
89.248.172.205 - Ecatel
94.102.49.76 - Ecatel

abuse@tailoredservers.com
abuse@ecatel.net

4 comments:

  1. A very good read indeed, keep 'em coming.

  2. Any retard with a hexeditor can see that MFJC leaked the stuff.

    No need to replace his name

  3. Oh this idiot MFJC is still around? I forgot all about him, wasn't he supposed to be releasing some booter that's capable of hitting off any website online.............