:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : The Dox : :All information in this document has been cited to provide beyond a reasonable: : doubt that such information is wholly truthful and accurate. Information that: : could be confirmed quickly and efficiently through traditional communications: : channels has been confirmed. : : : : Information provided herein is to be used for solicitation and harassment : : purposes only. Any legal use of this document is not of our concern. : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : The Following Was Obtained From Bell Canada : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Name : Devin Bharath : : Street : 1765 Lawrence Avenue East #310 : : City : Toronto : : District: Scarborough : : Zip Code: M1R 2X8 : : Province: Ontario : : Country : Canada : : Phone : (647)-779-7927 (Mobile) : : : (647)-476-4910 (Old Number) : : Known Aliases: Chf, Chief, Thought, ThoughtTheGod, Devo, DevoZX : : Known IPs: 174.95.129.149 AS577 174.95.128.0/22 Sympatico HSE : : 174.95.131.93 : : 65.95.174.188 AS57765. 95.172.0/22 Sympatico HSE : : : : Current IP: 174.95.129.149 3/10/2014: : : Police Dept. 
Number: +14168082222 : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Family : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Immediate Family: : : Omatie Pathay Mother : : (Couva Savannah Village, Caroni, Trinidad And Tobago) : : Nickey Pathay Half-Sister : : Daryll Pathay Half-Brother (416-998-9135) : : Samoondar Great-Grandfather : : (No last name, died at the age of 101, Indian slave) : : Extended Family: : : Nisa Ali Cousin : : Sheldon Mundoo Cousin : : Tenisa Sawh Cousin : : Rajesh Maharaj Mother's Cousin : : http://www.news.gov.tt/archive//E-Gazette/Gazette%202000/G%20235.pdf : : http://facebook.com/maharajahh : : : : Devin's step-father, Oma's late husband, died of cancer. : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Accounts : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Twitter : ChFtheCat | https://twitter.com/chFtheCat : : : (DM's Accessed) | http://illegal.hacked.jp/dms.txt : : Facebook : devin.bharath (Jacked) | https://www.facebook.com/devin.bharath: : : shoobly (Jacked) | https://www.facebook.com/shoobly : : Skype : e.v.o.l.v.e | : : : h.o.m.o.s.e.x.u.a.l | : : : chftheantichrist | : : : steadmanthecat | : : : theshoobly | : : : devozzorz | : : ClubPenguin : Devo12345 | : : AIM : Devo12345t, chart | Buddy list for chart available at : : (chart jacked) | http://illegal.hacked.jp/blist.xml : : HackForums : DevoZX | http://www.hackforums.net/member.php? 
: : : UID: 1312370 | action=profile&uid=1312370 : : LeakForums : Thought (12347) | http://leak.sx/user-12347 : : IGN Blog : DevoZX | http://www.ign.com/boards/members/ : : | devozx.4398736/ : : Playstation : DevoZZX | https://i.imgur.com/alM1OK2.png : : Minecraft : DevoZX | : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Emails : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : devinbharath@hotmail.com | Mirrored http://illegal.hacked.jp/chfemail.tgz : : devinbharath@rocketmail.com | Expired : : devinbharath@gmail.com | Mirrored http://illegal.hacked.jp/chfgmail.zip : : devin@fbi.al | Jacked, Still owned. : : devozx@gmail.com | Accessed, Nothing of Value : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Passwords : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Bharath (Very Secure) : : Bharath1 (Sometimes a number is required I guess) : : Bharath12 (I am starting to see a pattern... Root PW and most commonly used) : : Bharath1. (Curveball! Symbol requirement detected) : : loldongs123 : : loldongs1234 : : hackers1234 : : : : Secret Questions & Answers : : Father's Hometown | Toronto : : Your Hometown | Toronto : : First Pet's Name | Tyson : : All other Questions | poop : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Roto-Rooted Hemi-Weekly : :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : For all Devin's claims to his friends of being a 'computer genius' and a : : 'hacker' it was surprisingly simple to root his box. Not once, not twice, but: : thrice it was rooted. What follows is a recounting of those events. : : : : Chief's Box: http://illegal.hacked.jp/chf-data.tar.gz : : : : The First Rooting: : : Through a bug in a ZNC service that Devin had set up for his friends, we : : were able to attain a shell. 
He handed out passwords to an admin account : : thinking it was only useful for creating/deleting other accounts, and : : found out shortly after that this was not the case. ZNC has this amazing : : thing called module loading, and an interesting "shell" module packed : : with it by default... I think you can see where we're going from here. : : Anyway, after this shell was gotten, we replaced his "su" binary with a : : bash function that logged his password, "Bharath12". From there, we just : : used the actual su and got root. : : : : The Second Rooting: : : Through a bug in gandi-agent, which is included in gandi's filesystem : : image on most of their servers; we opened up a socket on tcp/842 to : : trigger its execution. No need to escalate privilege level as we were : : already uid0. From there instead of zero'ing out the drive we overwrote : : the drive with the string 'faggot'. : : : : The Third Rooting: : : Through a remote chunked overflow exploit effecting Nginx+Apache/FastCGI, : : specific versions of Nginx are _NOT_ compiled with /GS flag which adds a : : cookie copied from the .data segment to the stack; and NX was handled : : by avoiding NX protected regions by jmp'ing from one part of the ROP : : chain to the next. 
The final payload was self-modifying (Polymorphic) : : After this, the su backdoor was used again to get uid0 : :
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Chief.cat Logins : ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: : Access Logs From Shell on Rtainc's Server : ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::