Date post: 16-Dec-2015
Hacker Court Carole Fennelly, Jonathan Klein, Richard Salgado, Jesse Kornblum, Don Cavender, Rebecca Bace, William Tafoya, Richard Thieme, Jennifer Granick, Brian Martin, Kevin Manson, Simple Nomad & Jack Holleran

Page 2

Jonathan Klein – Defense Expert Witness

Jennifer Granick – Counsel for the Defendant

Richard Thieme – The owner of one of the victims, Richard’s Air Transport Company

Brian Martin – The Defendant

Jack Holleran – Oscar J. Simpson, senior system administrator for RATCOM

Jesse Kornblum – Special Agent for the Air Force Office of Special Investigations

Don Cavender – investigative special agent from the FBI

Richard Salgado – represents the people

Rebecca Bace – Judge Judith Chamberlain Wapner (presiding judge)

Page 3

Tower

Guardian

ISP

Telnet Connection

Phone records show connection at 19:47 +/- 1 min.

Brian Martin, 123 Tree St., Baltimore MD

22:09 - 22:55

RATCO Passwords

Hacker tools

Port scans of RATCO

Threats against RATCO

Internet Protocol Address 140.30.33.15

ISP Speedbump records show him online from 19:47 on October 22 to 04:02 on October 24, 2001

Maintenance Program Altered to Delete Entries with “RATCO” in them

Using Oscar Simpson’s account

Page 4

ass (ejones)

bank (lgeorge)

bite (ddrago)

boy (rjones)

bye (mjones)

cat (rthieme)

chair (rbottom)

creep (pklutz)

cross (pprop)

cry (kkruk)

date (kstern)

day (kkluk)

dog (asmith)

eat (lchan)

fade (ldoor)

friend (fsmith)

gate (cchan)

gin (mstein)

girl (lsmith)

goat (tjones)

got (pstein)

green (mschwartz)

Page 5

Nov 15 16:07 2001 FLIGHT=PROD SQL results from auditlog_flight_dump.sql

Time: 20:28 - 01:28 Page 1

Action USERNAME Hostname Audit_Date_And_Time OLD_DATA NEW_DATA

------ -------- -------- ------------------------ ----------- --------

I dbo TOWER Oct 23 2001 20:29:16 Null VALUE 346827

I dbo TOWER Oct 23 2001 20:38:17 0 13088

I dbo TOWER Oct 23 2001 20:49:18 D

I dbo TOWER Oct 23 2001 21:02:18 Y

I dbo TOWER Oct 23 2001 21:05:18 2840

I dbo TOWER Oct 23 2001 21:39:18 0 258

I dbo TOWER Oct 23 2001 21:49:18 0 14

D dbo TOWER Oct 23 2001 22:47:38 RATCO

D dbo TOWER Oct 23 2001 22:49:17 RATCOM

U dbo TOWER Oct 23 2001 22:51:18 01/01/1900 04/01/2002

I dbo TOWER Oct 23 2001 22:52:18 01/01/1900 03/15/2021

I dbo TOWER Oct 23 2001 22:59:18 01/01/1900 05/15/2002

I dbo TOWER Oct 23 2001 23:09:18 V

I dbo TOWER Oct 23 2001 23:13:23 USD

I dbo TOWER Oct 23 2001 23:14:18 USD

U dbo TOWER Oct 23 2001 23:15:37 01/01/1900 12/15/2035

U dbo TOWER Oct 23 2001 23:16:41 01/01/1900 08/01/2001

Page 6

D dbo TOWER Oct 23 2001 23:17:02 RATCO

D dbo TOWER Oct 23 2001 23:19:17 RATCOM

U dbo TOWER Oct 23 2001 23:22:24 5005

U dbo TOWER Oct 23 2001 23:23:21 AX

I dbo TOWER Oct 23 2001 23:38:21 Y

I dbo TOWER Oct 23 2001 23:39:21

U dbo TOWER Oct 23 2001 23:41:22 -1 60640

U dbo TOWER Oct 23 2001 23:42:26 D P

U msimpson TOWER Oct 23 2001 23:43:19 0 13

U ojsimpson TOWER Oct 23 2001 23:44:28 Z

D dbo TOWER Oct 23 2001 23:47:38 RATCO

D dbo TOWER Oct 23 2001 23:49:17 RATCOM

U ojsimpson TOWER Oct 23 2001 23:53:28 01/01/1900 11/15/2035

I ojsimpson TOWER Oct 24 2001 00:02:23 N

I ojsimpson TOWER Oct 24 2001 00:07:30 0 10

U acook TOWER Oct 24 2001 00:09:04 60

I acook TOWER XCSP Oct 24 2001 00:15:03 71243 71240

U msimpson TOWER Oct 24 2001 00:16:51 0.000000 0.709000

D dbo TOWER Oct 24 2001 00:17:38 RATCO

D dbo TOWER Oct 24 2001 00:19:17 RATCOM

U msimpson TOWER Oct 24 2001 00:04:51 M

U msimpson TOWER Oct 24 2001 00:06:31 0.709000 0.709031

I msimpson TOWER Oct 24 2001 00:29:16 Null VALUE 46827

I msimpson TOWER Oct 24 2001 00:29:18 AAA

Page 7

U msimpson TOWER Oct 24 2001 00:29:18 AAA

U msimpson TOWER Oct 24 2001 00:29:30 AAA

U msimpson TOWER Oct 24 2001 00:29:30 01/01/1900 04/04/2002

I msimpson TOWER Oct 24 2001 00:29:31 1

U acook TOWER Oct 24 2001 00:26:01 CMBS

I acook TOWER Oct 24 2001 00:27:40 Z| |

U ojsimpson TOWER Oct 24 2001 00:38:29 0 236

U ojsimpson TOWER Oct 24 2001 00:38:29 M

D dbo TOWER Oct 24 2001 00:37:38 RATCO

D dbo TOWER Oct 24 2001 00:39:17 RATCOM

I ojsimpson TOWER Oct 24 2001 00:42:29 KJR

I ojsimpson TOWER Oct 24 2001 00:48:30 N/A

I dba TOWER Oct 24 2001 00:52:45 AAA

U dba TOWER Oct 24 2001 01:02:35 AAA

U dba TOWER Oct 24 2001 01:08:11 AAA

U dba TOWER Oct 24 2001 01:09:32 AAA

U dba TOWER Oct 24 2001 01:12:23 AAA

U dba TOWER Oct 24 2001 01:13:55 AAA

D dbo TOWER Oct 24 2001 01:17:38 RATCO

D dbo TOWER Oct 24 2001 01:19:17 RATCOM

U dba TOWER Oct 24 2001 01:23:24 AAA

U dba TOWER Oct 24 2001 01:28:24 AAA

Page 8

15 2 * 4 * /usr/local/flight/db_backup

0 2 * * * /usr/local/flight/maintenance.csh

15,45 * * * * /usr/local/flight/flightline_configuration_info.csh > /dev/null 2>&1

Page 9

isql -Usa -S$DSQUERY -P$PASSWD <<-! >>& $LOG

select @@servername

go

..........

print " "

print "====================="

print "$DSQUERY CONFIGURATIONS"

print "====================="

go

sp_configure

go

#Roadblock 0wns U

delete from flightline where flight_no like "RATCO*"

print " "

print "============================="

print "$DSQUERY sp_configure for Groups:"

print "============================="

go

.......

END

..........

Page 10

Oct 23 22:08:28 guardian web-gw[7361]: permit destination 63.251.224.177/8200 ID=73617397555

Oct 23 22:08:31 guardian web-gw[7371]: permit host=nodnsquery/10.30.35.54 use of proxy ID=73717407818

Oct 23 22:08:34 guardian web-gw[7371]: permit destination 63.251.224.177/8200 ID=73717407818

Oct 23 22:09:35 guardian web-gw[7371]: exit host=nodnsquery/10.30.35.18 cmds=0, in=95, out=91, duration=0, mode=Packet ID=73717407817

Oct 23 22:09:38 guardian web-gw[7360]: permit host=nodnsquery/10.30.38.141 use of proxy ID=73607252834

Oct 23 22:09:40 guardian tn-gw[1199]: permit host=nodnsquery/140.30.33.15 use of proxy ID=11995873597

Oct 23 22:09:41 guardian web-gw[7360]: permit destination 63.251.224.177/8200 ID=73607252834

Oct 23 22:10:44 guardian web-gw[7365]: permit host=nodnsquery/10.30.37.223 use of proxy ID=73657319948

Oct 23 22:10:48 guardian web-gw[7365]: permit destination 63.251.224.177/8200 ID=73657319948

Oct 23 22:10:50 guardian web-gw[7362]: exit host=nodnsquery/10.30.39.74 cmds=0, in=93, out=89, duration=0, mode=Packet ID=73627393319

Page 11

Oct 23 22:54:31 guardian web-gw[7362]: permit host=nodnsquery/10.30.37.130 use of proxy ID=73627393326

Oct 23 22:54:34 guardian web-gw[7362]: permit destination 63.251.224.177/8200 ID=73627393326

Oct 23 22:54:35 guardian web-gw[7362]: exit host=nodnsquery/10.30.39.113 cmds=0, in=95, out=91, duration=0, mode=Packet ID=73627393325

Oct 23 22:55:38 guardian unix: securityalert: tcp if=hme1 from 10.30.37.56:1545 to 168.100.195.42 on unserved port 110

Oct 23 22:55:40 guardian web-gw[7365]: exit host=nodnsquery/10.30.32.79 cmds=0, in=88, out=92, duration=0, mode=Packet ID=73657319955

Oct 23 22:55:40 guardian tn-gw[1199]: exit host=nodnsquery/140.30.33.15 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597

Oct 23 22:55:41 guardian ftp-gw[1199]: exit host=nodnsquery/10.30.38.26 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873816

Oct 23 22:56:44 guardian web-gw[7360]: permit host=nodnsquery/10.30.39.94 use of proxy ID=73607252843

Oct 23 22:56:48 guardian web-gw[7360]: permit destination 63.251.224.177/8200 ID=73607252843

Oct 23 22:56:50 guardian web-gw[7371]: permit host=nodnsquery/10.30.32.129 use of proxy ID=73717407823

Page 12

Oct 23 19:14:52 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/3

Oct 23 19:34:53 tower login: [ID 728157 auth.notice] msimpson authorized for service

Oct 23 20:14:55 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/4

Oct 23 20:20:57 tower login: [ID 728157 auth.notice] msimpson authorized for service

Oct 23 20:37:58 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/5

Oct 23 21:04:01 tower login: [ID 728157 auth.notice] acook authorized for service

Oct 23 21:10:03 tower su: [ID 366847 auth.notice] 'su root' succeeded for acook on /dev/pts/4

Oct 23 21:14:08 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/3

Oct 23 22:10:11 tower login: [ID 728157 auth.notice] ojsimpson authorized for service

Oct 23 22:11:14 tower su: [ID 366847 auth.notice] 'su root' succeeded for ojsimpson on /dev/pts/5

Oct 23 22:24:18 tower login: [ID 728157 auth.notice] msimpson authorized for service

Oct 23 22:27:22 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/3

Oct 23 22:29:25 tower login: [ID 728157 auth.notice] acook authorized for service

Oct 23 22:34:28 tower su: [ID 366847 auth.notice] 'su root' succeeded for acook on /dev/pts/6

Oct 23 22:36:31 tower login: [ID 728157 auth.notice] msimpson authorized for service

Page 14

Speed Bump Communications (NETBLK-SB-143-30)

1 Communcations Drive

Reston, VA

US

Netname: SB-143-30

Netblock: 143.30.0.0 - 143.30.255.255

Coordinator:

Smith, John (JS2299-ARIN) [email protected]

(301) 555-9679

Record last updated on 16-Apr-1997.

Database last updated on 21-Jul-2002 20:00:38 EDT.

Page 15

rthieme:eoVxrmzba5gNw:11891::::::

asmith:moUziW.7KMLSY:11891::::::

tjones:to0lDYzyyt0Bs:11891::::::

hgray:0pz7sFqJ/goAY:11891::::::

fsmith:8p9Cjr.7iiCkM:11891::::::

bsmith:GpQ5yKAO4vOPg:11891::::::

lgeorge:NpY8j4/wdYySI:11891::::::

mjones:VphC2rx/zWLS2:11891::::::

bmartin:gpi7/g9RtoOZY:11891::::::

klee:op1halJd55/6w:11891::::::

mluther:zpT8i8yMXt2Os:11891::::::

kdean:4qcPnfVzgAHNk:11891::::::

rjones:BqsGoQ6ff18JQ:11891::::::

lsmith:HqDHnSLTSOddk:11891::::::

kstern:Pqqkz2L6M610k:11891::::::

rbottom:Wq1Nms2iF/jrM:11891::::::

prussell:lqhscgRuHeUOM:11891::::::

lgrayson:sqCXT83jP9UtY:11891::::::

cspot:.r.mhB1lBq3Gs:11891::::::

ddrago:5rgt1SQRwR3Xo:11891::::::

alee:Cr14mfLo/2J12:11891::::::

mlamb:Kr24wQM19ESxk:11891::::::

Page 16

rthieme:x:1000:10:Richard Thieme:/opt/local/dragon:/bin/ksh

asmith:x:1001:10:Angela Smith:/opt/local/dragon:/bin/ksh

tjones:x:1002:10:Tom Jones:/opt/local/dragon:/bin/ksh

hgray:x:1003:10:Nenry Gray:/opt/local/dragon:/bin/ksh

fsmith:x:1004:10:Frank Smith:/opt/local/dragon:/bin/ksh

bsmith:x:1005:10:Barbara Smith:/opt/local/dragon:/bin/ksh

lgeorge:x:1006:10:Larry George:/opt/local/dragon:/bin/ksh

mjones:x:1007:10:Marcus Jones:/opt/local/dragon:/bin/ksh

bmartin:x:1008:10:Brian Martin:/opt/local/dragon:/bin/ksh

klee:x:1009:10:Ken Lee:/opt/local/dragon:/bin/ksh

mluther:x:1010:10:Martin Luther:/opt/local/dragon:/bin/ksh

kdean:x:1011:10:Kathleen Dean:/opt/local/dragon:/bin/ksh

rjones:x:1012:10:Roberta Jones:/opt/local/dragon:/bin/ksh

lsmith:x:1013:10:Lance Smith:/opt/local/dragon:/bin/ksh

kstern:x:1014:10:Kevin Stern:/opt/local/dragon:/bin/ksh

rbottom:x:1015:10:Robert Bottom:/opt/local/dragon:/bin/ksh

prussell:x:1016:10:Peter Russell:/opt/local/dragon:/bin/ksh

lgrayson:x:1017:10:Lydia Grayson:/opt/local/dragon:/bin/ksh

cspot:x:1018:10:Charles Spot:/opt/local/dragon:/bin/ksh

ddrago:x:1019:10:Darren Drago:/opt/local/dragon:/bin/ksh

alee:x:1020:10:Alex Lee:/opt/local/dragon:/bin/ksh

mlamb:x:1021:10:Michael Lamb:/opt/local/dragon:/bin/ksh

Page 17

tryvyhZxCk206:ass

NpY8j4/wdYySI:bank

5rgt1SQRwR3Xo:bite

BqsGoQ6ff18JQ:boy

VphC2rx/zWLS2:bye

eoVxrmzba5gNw:cat

Wq1Nms2iF/jrM:chair

8spzQjq6/V9WA:creep

irR72to9aPs4U:cross

bs.8w7gez5Z7k:cry

Pqqkz2L6M610k:date

puLAs1ayn1djQ:day

moUziW.7KMLSY:dog

ZuDddu9uepsF6:eat

gtgjyxL8bJBAM:fade

8p9Cjr.7iiCkM:friend

RuO7.RU.n0juE:gate

psF.DEeQIgTTI:gin

HqDHnSLTSOddk:girl

to0lDYzyyt0Bs:goat

hsvRfcLuhR2so:got

vt4dRCFbPxodk:green

Page 19

Session begins 22-Oct-2001 21:45:02

*** fbot ([email protected]) has joined channel #hakchat

<rblock> hey fbot

*** squido ([email protected]) has joined channel #hakchat

<squido> rar hi all

<rblock> hey squido

<sephyroth> hi squido

<granthor> hey bitz

<squido> how goes?

<rblock> sucks bigtime

<squido> why?!

<rblock> work! that asshole richard fire me and won't give me my last paycheck

<granthor> doh!

<squido> jeez, why not? isnt that illegal?

<rblock> he claims i didn't give back the fucking emergency pager even tho i gave it to his secretary. bitch lost it or something

<rblock> so now im out a lot of money and i just got a new car

<squido> isnt there something you can do?

Page 20

[munge([email protected])] howdy

<rblock> not like the courts will believe me. everyone would believe a big company over me

<squido> why'd he fire you anyway?

<rblock> i was bored, portscanning some systems to see what was running. nothing bad or anything

<rblock> didnt give me a warning, just canned me the same day

<squido> lame =(

<rblock> yeah, he'll pay for it one way or another

<rblock> afk brb

<squido> ??

<rblock> richard knows jack about security and never gave us time to fix the network

<rblock> he's still running vulnerable cgi's on the apache server, still has a few vulnerable RPC servers that are net accessable

<rblock> he's just begging to get hacked *hint* *cough*

<granthor> man, dont get in more trouble. feds come down hard on you for that shit. FBI are complete assclowns

<rblock> i know, i'm just saying... could happen

<rblock> gotta run

<granthor> hasta

<squido> doh stepped afk, see ya rblock

Page 21

Session begins 25-Oct-2001 11:00:15

*** squido ([email protected]) has joined channel

<rblock> hey squido!

<squido> rar hi all

<squido> hey rblock =)

<rblock> hehehe check this out

<rblock> richard (ex boss dickhead) mysteriously got hacked >=)

<squido> ...

*** stalkin ([email protected]) has joined channel

<squido> tell me you didn't!

<rblock> oh err uhm, i didnt!

<stalkin> didn't what?

<squido> why don't i believe you...

<rblock> <-- innocent! hehehe

<rblock> i just heard through the grapevine ole richard ran into a lot of problems. apparently one of his servers ran into problems.... or so i hear

<stalkin> <- lost in this conversation

<squido> evil evil man!

<rblock> <-- innocent! *snicker*

Page 22

Session begins 18-Jun-2001 11:03:20

<rblock> gah i'm tired of work shit

<squido> why now?

<rblock> i'm tired of these little script kiddie assholes

<rblock> day in and day out they run the most inane crap against my network

<prymate> bitch all you want, but they know more than you often and they keep yer ass employed

<rblock> stfu prymate, quit defending your script kiddy brethren

<prymate> d00d you know shit, you are shit

<rblock> /yawn, when you hit puberty feel free to come knocking, until then keep working on your wet dreams kid

<prymate> this coming from a l4m3r admin who been owned be4

<rblock> sure sure, and your impressive advisories on russian CGI packages used by four people worldwide sure qualify you as a security expert

<prymate> d00d fuck u and stfu or ill 0wn u hard

<rblock> i think you'd have a hard time owning mommy and daddy at a PTA meeting kid

<prymate> remember this asshole

*** Signoff: prymate (f u rblock)

Page 23

Oct 23 22:45:22 guardian web-gw[7371]: exit host=nodnsquery/10.30.39.35 cmds=0, in=96, out=92, duration=0, mode=Packet ID=73717407821

Oct 23 22:45:25 guardian web-gw[7370]: permit host=nodnsquery/10.30.35.72 use of proxy ID=73707279039

Oct 23 22:46:28 guardian web-gw[7370]: permit destination 63.251.224.177/8200 ID=73707279039

Oct 23 22:46:31 guardian web-gw[7362]: exit host=nodnsquery/10.30.34.142 cmds=0, in=85, out=89, duration=0, mode=Packet ID=73627393323

Oct 23 22:46:34 guardian web-gw[7362]: exit host=nodnsquery/10.30.32.71 cmds=0, in=93, out=89, duration=0, mode=Packet ID=73627393324

Oct 23 22:47:35 guardian unix: securityalert: tcp if=hme1 from 10.30.37.56:1545 to 168.100.195.42 on unserved port 110

Oct 23 22:47:38 guardian web-gw[7360]: permit host=nodnsquery/10.30.34.120 use of proxy ID=73607252842:wq

Oct 23 22:47:40 guardian web-gw[7360]: permit destination 63.251.224.177/8200 ID=73607252842

Oct 23 22:48:41 guardian web-gw[7365]: permit host=nodnsquery/10.30.32.60 use of proxy ID=73657319954

Page 24

Oct 23 01:09:55 guardian tn-gw[1199]: permit host=nodnsquery/140.30.22.100 use of proxy ID=11995873597

Oct 23 02:14:52 guardian tn-gw[1199]: exit host=nodnsquery/140.30.22.100 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597

Oct 23 03:21:48 guardian tn-gw[1199]: permit host=nodnsquery/140.30.22.100 use of proxy ID=11995873597

Oct 23 04:18:41 guardian tn-gw[1199]: exit host=nodnsquery/140.30.22.100 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597

Oct 23 05:04:38 guardian tn-gw[1199]: permit host=nodnsquery/140.30.22.200 use of proxy ID=11995873597

Oct 23 05:27:34 guardian tn-gw[1199]: exit host=nodnsquery/140.30.22.200 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597

Oct 23 05:50:28 guardian tn-gw[1199]: permit host=nodnsquery/140.30.30.39 use of proxy ID=11995873597

Oct 23 06:12:22 guardian tn-gw[1199]: exit host=nodnsquery/140.30.30.39 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597

Oct 23 06:35:14 guardian tn-gw[1199]: permit host=nodnsquery/140.30.33.39 use of proxy ID=11995873597

Oct 23 07:00:08 guardian tn-gw[1199]: exit host=nodnsquery/140.30.33.39 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597

Oct 23 08:06:01 guardian tn-gw[1199]: permit host=nodnsquery/140.30.18.123 use of proxy ID=11995873597

Page 25

if ($DSQUERY == "PROD" || $DSQUERY == "DENVER" || $DSQUERY == "BETA" || $DSQUERY == "PRODNEW" || $DSQUERY == "BETANEW") then

set PASSWD = `cat $SYBASE/magicword`

else if ($DSQUERY == "SYSTEM12") then

set PASSWD = `cat $SYBASE/magicword.SYSTEM12`

else if ($DSQUERY == "CMFPROD") then

set PASSWD = `cat $SYBASE/magicword.CMFPROD`

else if ($DSQUERY == "PORTIAPROD") then

set PASSWD = `cat $SYBASE/magicword.PORTIAPROD`

else

set PASSWD = `cat $SYBASE/magicword.TEST`

endif

echo `date`" JOB: $DSQUERY sybase_configuration_info.csh" >>&! $LOG

echo `date`" FILE: $LOG" >>&! $LOG

echo " " >> $LOG

echo `date`" Getting Configuration Information for $DSQUERY Server ..." >> $LOG

echo " " >> $LOG

Page 26

Registrant:

Richard A. Thieme Transport Company (RATCO-DOM)

999 State St

Falls Church, VA

US

Domain Name: RATCO.COM

Administrative,Technical and Billing Contact:

Thieme, Richard (RT2229) [email protected]

999 State St

Falls Church, VA

US

(301) 555-2112 (FAX) (301) 555-4555

Record expires on 17-Aug-2006.

Record created on 16-Aug-1995.

Database last updated on 22-Jul-2002 11:33:20 EDT.

Domain servers in listed order:

NS1.SPEEDBUMP.COM 143.30.2.18

NS2.SPEEDBUMP.COM 143.30.9.18

Page 27

Registrant:

SpringField International Airport(SIA-DOM)

1 Flight Drive

SpringField, MD

US

Domain Name: SIA.COM

Administrative , Technical Contact:

Simpson, Oscar J. (OS239) [email protected]

SpringField International Airport

1 Flight Drive

SpringField, MD

(301) 555-9239 (FAX) (301) 555-5334

Record expires on 17-Aug-2006.

Record created on 16-Aug-1995.

Database last updated on 22-Jul-2002 11:33:20 EDT.

Domain servers in listed order:

NS1.MSN.COM 138.21.22.18

NS2.ATT.NET 131.80.90.28

Page 28

Registrant:

Speed Bump Communications(SPEED-DOM)

1 Communications Drive

Reston, VA

US

Domain Name: SPEEDBUMP.COM

Administrative Contact:

Smith, John (JS2299) [email protected]

Speed Bump Communications

1 Communications Drive

Reston, VA

(301) 555-9679 (FAX) (301) 555-5222

Technical Contact:

Jones, Anthony (AJ9999) [email protected]

1 Communications Drive

Reston, VA

(301) 555-2298 (FAX) (301) 555-5222

Record expires on 17-Aug-2006.

Record created on 16-Aug-1995.

Database last updated on 22-Jul-2002 11:33:20 EDT.

Domain servers in listed order:

NS1.SPEEDBUMP.COM 143.30.2.18

NS2.SPEEDBUMP.COM 143.30.9.18

