Inside Eugene’s Gibson (EC-Council, Part II)

Mess with the best, die like the rest, amirite?

Mess with the best, die like the rest, amirite?

(Note: Earlier this week, I presented evidence of a Finnish individual by the name Julius Kivimaki being the perpetrator behind the EC-Council hack over the weekend. You should read that post first, if you haven’t already.)

tl;dr: Last weekend, a person using the nickname ‘Eugene Belford’ took over the DNS for the EC-Council, an organization that certifies “Ethical Hackers”, and pointed it to his server, where he displayed a picture of Edward Snowden’s US passport.

Last night, our team obtained access to the server used in the EC-Council hack. Somebody asked for, and received from Julius, a shell on his server for the purposes of sending spam and phishing emails. This person turned the shell over to us, we then elevated to root access, and had a look around. Here’s a small list of what we uncovered:

  • httpd logs of 5 different sites Mr. Kivimaki redirected to his server
  • Entire database dumps from the Linode breach mentioned in the last post
  • A 16MB file containing nothing but credit cards from the Target breach
  • Employee ID badges from Metro Bank
  • XMPP logs from Julius discussing stolen cards with another individual
  • Over 300MB of compromised email, PayPal, and bank accounts
  • A 400MB database dump from a large French real estate company
  • And possibly the most damning crime of all, lots and lots of copyright infringement
Copyright infringement is serious business, Julius!

MC Double Def DP’s gunna get you, Julius!

(Still think he’s just a misguided young lad, trying to do the right thing by exposing EC-Council’s poor security?)

I would very much like to make available to you an entire dump of his server, but unfortunately, due to the illicit nature of pretty much all of the material present, I had to manually pick and choose things to share with the public. Everything else has already been turned over to federal law enforcement.

When I mentioned on Twitter the presence of httpd logs on this server, somebody found a few other sites Mr. Kivimaki has redirected to this box:

This, in my opinion, is the single best way for me to prove that this server was involved in the breach, besides the IP address for it being in EC-Council’s DNS. If you visited at any time between 22 February at 23:25:17 and 23 February at 06:25:01 (The logs rotated, unfortunately), your IP address and user agent will be in that file. That said, here are a list of websites “hosted” at Mr. Kivimaki’s server, that we have logs for. The access logs are gzipped, due to their size. – Access / Error – Access / Error – Access / Error (Also the server general log) – Access / Error – Access / Error
All 10 files – .tar.gz / .zip

Also found was a chat log between him and another individual at the Jabber/XMPP address [email protected], who has close ties with Mr. Kivimaki. You can view it here, however, I had to redact some database dumps and personal information. In the chat log, Kivimaki and f0x share lists of PayPal account email addresses and their corresponding passwords, and a bash script for bulk retrieving PayPal account history for these accounts.

And some smaller things we found:

A chat log between Kivimaki and ‘hann’, wherein hann begs Kivimaki for resources
Fuhosin, a PHP shell that Kivimaki uses to bypass web server security, written by HTP
The story of somebody who was SWATed by Kivimaki, presumably kept by him as a trophy
A Python “shell” used by Kivimaki to gain access to a server, in order to compromise it further
A script made by Kivimaki to use parts of Fuhosin in an effort to DDoS “League of Legends”

I personally find it interesting that all of the tools that Mr. Kivimaki uses were written by the very group he was kicked out of. It’s almost like he still thinks he’s an HTP member. I suppose another way to put it, would be to point out that Julius writes none of his own tricks. He is, thus, the very definition of a script kiddie. Picking up a telephone isn’t hacking, and social engineering doesn’t take very much skill at all.

Finally, once Kivimaki learned that we were inside his machine, we made a few creative changes to it that outright prevents it from starting up. Mr. Kivimaki’s choices to recover his server are either reformatting it, losing all of his work, or paying Ecatel hundreds if not thousands of dollars in ‘remote hands’ fees to diagnose and solve the problem. As of the writing of this post, his server is still in an unusable state, and the FBI has a copy of almost everything on the disk. RIP.

Addendum: SWATing calls

(1 March 2014 23:10) A few weeks ago, our team was able to record Julius Kivimaki and a friend (‘chF’, or Devin Bharath of Ontario, Canada) placing prank phone calls to 9-1-1 dispatch centers in an attempt to “SWAT” various targets, including the family of FBI Special Agent Ryan Brogan. It gets a little tricky, because Skype won’t allow 9-1-1 calls out. We’ve had to redact most of it to protect team member identities, but rest assured that the entire hour of recording is in the hands of law enforcement.

First, a call from chF, to a non-emergency dispatcher, claiming to be Ryan King
Second, a call from Kivimaki, to a dispatcher, pretending to be a suicidal individual
Lastly, we located another swatting call on Kivimaki’s old server (He had to reimage it. RIP.), but we aren’t quite sute it’s him. It just doesn’t have the right hint of retardation.

Bonus: Voicemail Frenzy!

To be perfectly honest, when an hour long recording hit the inbox, I thought for sure I’d be able to squeeze more than two calls out of it. Alas, the folks recording the SWAT calls were also trying to do multiple things at once, and ultimately weren’t able to record very many entire phone calls. To make it up to you guys, I was able to fish these recordings out of my voicemail. All three of them are from Julius Kivimaki. I guarantee you’ll love at least the last one. Especially if you still think he’s just a poor, innocent 16 year old.

The first message is a prank voice mail in which he offers to deliver pizzas to me.
Second, Julius vents romantic feelings for me, and serenades me with Rick Astley!
Finally, we have a message that is not safe for work. I guess he was mad about something.

Can you count all the F bombs?

9 comments on “Inside Eugene’s Gibson (EC-Council, Part II)

  1. Pingback: So Who Hacked EC-Council Three Times This Week? – InfoSec News

  2. I’m no expert, but doesn’t this whole post implicate you for unauthorized access to a protected system — namely USC 1030(a)(5)(A)?

    I mean, I doubt the government would prosecute you or your associates for going after Zeekill here, but that wasn’t very wise.

  3. I’m one of the guys involved in this attack on Zeekill and I’d argue that the access WAS authorized; he gave out an SSH account on the system. The exceeding of privilege was a single count of unauth. access to a system in the Netherlands. As far as I know, I think that would mean this is an extradition case if there’s any case at all, and last time I checked people don’t extradite people for breaking a criminal’s server. Not really worried.

  4. Thank you for this important work. It’s bringing a lot of insight in ways you may not realize. Please consider bring some more of these stolen files to security research groups and/or security related media outlets if you do not want to publicly release.

  5. Pingback: For EC-Council, Mum’s the word – InfoSec News

  6. Pingback: CEH site hacked - Page 6

  7. Last time I checked people don’t extradite people for breaking a criminal’s server. Not really worried.

    I don’t think they would, in Real World™ terms, but in Lawyerica there’s probably someone who would.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>