Wednesday, February 14, 2007

Exposing a Script Kiddie

I'm not a huge MySpace fan. I had a profile for a while, but recently bailed on the whole thing. A few days ago I was checking out the MySpace page for Radio Discon and I noticed that a comment had just been made from a friend of the station that obviously was not real.



"Oh, my fault I must have gave you the wrong link then. The people I use to
make make money should be just go here (click here).
Well I hope it works for you this time, remember that
if the site is not up they are not excepting anyone else. I told you I'm making
about $900 a week and it's consistent. Just make sure that you take taxes into
consideration, it's a little different than that job your always complaining
about.LOL anyways that is funny about Laura, what else did
she say about it? I'm not even going to worry about it ya know? Oh well,
call me later or I'll catch you on here, see ya. "




My curiosity set in and I decided to do a little research on the nature of this beast. The "click here" link directed you to game-blast.net/paidetc.php. Before clicking on the link I headed over to the root of the domain, game-blast.net/. It was an Apache server directory listing.









By navigating to the admin folder, game-blast/admin, you end up at a jumbled-up web page that will happily generate errors for you when clicking on some of the different links. At this point I went ahead and clicked on one of the PHP pages, game-blast.net/scout2.php. The page redirects you to some online money-making scam. Not bad, considering it does not appear to be infecting you with malware or anything of the sort. I checked out a couple of the other pages from the directory listing, including the original link that came in the MySpace comment. What really got this scavenger hunt going was when I noticed the affiliate account being passed in plain text in the address bar of the scout2.php redirect.




Now I had someone to look for, Ksruckman. I started off with a simple Google search. Within 20 minutes I felt like I knew ksruckman, or Ralph Ruckman as he's known to Uncle Sam. After seeing that his PHP scripts were nothing but redirects to cheesy money-making sites, I began the profile of ksruckman as a low-end Internet scammer, or to be nice, marketeer. Most of my initial information came from forum posts. For example, on one site in the fall of 2006 he had some serious issues with permissions on his WordPress blog. Someone kindly explained to him the CHMOD command and he was back on track. This led me to believe that he likely knows very little about the back ends of websites, HTML, and/or FTP. At this point I had pretty much pinned him as a script kiddie. As I read through various forum posts and searched popular photo sharing sites my profile became more in depth. On one set of forums he boasted about recent earnings from a Craigslist scam and then about his earning mantra of three dollars per site within the first five days. It really makes me wonder how different the Internet would be without all the junk sites. Who's to judge, though, I guess?

Moving along, just a few pages into the Google search I stumbled across another huge piece of the puzzle, Ralph's eBay profile. For the most part he was purchasing Xbox Live cards and the like. One auction in particular brought the search full circle:






Yes, that's right, he bought the script off eBay. For less than $20, no less. I'd imagine that he probably made a pretty good little stash of cash off the exploit. At this point, I'm feeling pretty satisfied, although I do still have a few questions about the specific exploit.







!EDIT!
I decided enough was enough, your name has been removed. Google should be clear of it soon.
Sorry Bro It Had to Be Done.