th3j35t3r AKA The Jester Dox (Pastebin)
http://pastebin.com/raw.php?i=m74tyWuj
This is based on irc.2600.net chats in #jester using an CTCP finger to obtain an user name. The chance that this user is the actual Jester is very likely because of the following two things:
* The time of when I set the HoneyPot #jester was +i only.
* Server logs of attacks matches with his XerXes script
The user in target is:
wow, just read the whole localhost convo on here....it should be painfully obvious why th3j35t3r picks the targets he does...
The funny thing is after he quits from IRC he gives an sign out message + host mask of:
*** PashaPasta (~thejester@204.84.33.105) has left #jester
If you do a reverse IP of 204.84.33.105 it belongs to the "North Carolina Research and Education Network". An previous CTCP finger for the PashaPasta user name pointed it out to be "thejesterrace87". The "~" in the ident on IRC means two things, he is using SSH through work to tunnel into IRC.2600.NET or he is using HTTP proxy to connect to IRC.2600.NET.
A quick Google of the user finger revealed the following sites:
Google+: https://profiles.google.com/thejesterrace87/about
Name: Stephen Stone
Occupation
Computer Nerd
Employment
Wolfman Pizza
Computer Nerd, present
Education
Montreat College
present
Clemson University
Montreat College
Central Piedmont Community College
Places lived
Charlotte, NC
Charlotte, NC
Of which sparked some more interest, an internship for a government organization (North Carolina Research and Education Network) based in NC?? This is VERY interesting.... More google ssearches revealed the following:
*Personal blogger account from 2008 complaining about his sophmore Computer Science courses: http://pasha2009.blogspot.com/
*AOL messanger account: http://lstreamfeweb-mtc02.evip.aol.com/stream/thejesterrace87
* Defcon 19 attendence requesting songs: https://forum.defcon.org/archive/index.php/t-12045.html
-> thejesterrace87 (05-09-2011 - 10:14 PM) tastes like kevin bacon ~iwrestledabearonce
* Education forum: http://forums.randi.org/showthread.php?t=179627
-> thejesterrace87 -> "The rich have gotten too much? Do not forget that the top 10% of wealth in the US pays out over 60% of the total income tax in the country."
Here is what I then did. I set up a HoneyPot (hardened Apache with DDOS protection turn on). The site was "http://www.rjfront.info". On 28 August, 2011. I logged onto IRC.2600.NET channel #jester and requested that the "ANTI-JIHAD" site would be taken down. With-in 45 minutes, the server was hit with HTTP HEAD partial fragmentation attacks. The server was completly down in 3 minutes for up to 5 hours.
The Apache logs revealed the following headers:
209.236.66.108 - - [28/Aug/2011:14:05:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
209.236.66.108 - - [28/Aug/2011:14:07:39 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
209.236.66.108 - - [28/Aug/2011:14:10:50 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
Also at the same time th3j35t3r posts on Twitter the following message "th3j35t3r Robin Sage - www.rjfront.info - TANGO DOWN. Temporarily. For online incitement to cause young muslims to carry out acts of violent jihad. 28 Aug"
What was interesting was the the sequence of IP's that were rotated. They were TOR exit relays. After doing a bit of research on the type of attack agaist te HoneyPot was an attacked called "Keep-Alive DoS Script": http://www.esrun.co.uk/blog/keep-alive-dos-script/. The CPU utilization on the Apache server was 95% throughout the attack.
Remember it is illegal to perform denial of service attacks agaist websites. The individual known as th3j35t3r needs to be held responsible for his actions. If you cannot do the crime, do not do the crime.
IMSID9AFA8CA035A4DFDB020B4D518B12A01AD7971D45