

World's worst hacker - ukdm
http://george.hedfors.com/content/worlds-worst-hacker

======
mcantor
Did anyone else start experiencing physical pain when the hacker accessed the
right file in the wrong place for the _hundredth_ time without typing "ls"
ONCE?

I had no idea the reflex was so strong, but I almost started twitching. I
caught myself reaching for the keyboard to hammer out "ls -l". What a tragedy.

(I leave it as an exercise to the reader to determine whether the tragedy is
the hacker's incompetence or my reflexive neckbeard response to it.)

~~~
mannicken
Alias "ls -l" to "ll" in your .bash file, it helps :)

~~~
mcantor
I do; I expanded it to "ls -l" for the benefit of other hackers who might not
be familiar with the convention. :-)

------
cpr
This reminds me (uh-oh, another neckbeard old-timer story) of the very early
days of the ARPAnet when there were about 20 nodes or so...

Back then there were free guest accounts on all the systems (mostly TOPS-10
and TENEX systems along with some weird one-off machines like the UCSB
symbolic math system on a 360/65), and we (at HARV-10) had a hacker who'd come
in and mess things up.

So the sysadmin (Geoff Steckel) started a logging process that dumped all
suspicious incoming telnet connections input to a local TTY (yes, a physical
teletypewriter).

We used to gather around the TTY when it started chattering, to watch the
hacker at work. Geoff pretty quickly figured out what he was doing and patched
our TOPS-10 monitor source.

------
mfontani
For those who are interested in the honeypot part of it, have a look at
<https://code.google.com/p/kippo>.

If you're interested in the same and want to display stats about the
connection attempts, passwords tried etc. I have developed a "kippo stats"
webapp in Perl/Mojolicious, at <https://github.com/mfontani/kippo-stats>

------
chaosmachine
The site is slow to load for me, but here is the video:
<http://www.youtube.com/watch?v=oJagxe-Gvpw>

Also, this is pretty funny, and seems like it could be the same guy:
<http://kippo.rpg.fi/playlog/?l=20100316-233121-1847.log>

~~~
user24
See also: <http://www.youtube.com/watch?v=SXmv8quf_xM> (TracerT guy)

------
ambiate
-hacker +script kid. The most emotional part was when Perl was downloaded from the Microsoft site. An excellent display of how dangerous automated exploits can be in the wrong hands. Enabling emotions to run wild without assuming any risks at all. Yay, I got into a box with my script. Yay, I'm going to run a script to packet flood someone. Yay, that was meaningless.

I also enjoy how the tar had a file called "scam." Shows the generation gap in
what used to be in a swiss army tar. Bot nets and things of that nature aren't
fully utilized to terrorize the infected and targets! They can be used to
click ads, send emails, give website hits; oh endless possibilities for MONEY.

------
l0nwlf
He was definitely a script-kiddie though, but 'worst hacker' is kind of an
overstatement.

~~~
tintin
Indeed. It sounds more like the famous IRC log where a kiddie 'hacks' 127.0.0.1
and ends up with a disco.

~~~
rbanffy
Thanks for reminding me of this. I had a good laugh.

<http://themostboringblogintheworld.wordpress.com/2006/09/13/worlds-worst-hacker-irc-transcript/>

------
vampirical
Mirror:
<http://const.it/mirror/135e1a2a/george.hedfors.com/content/worlds-worst-hacker.html>

------
unicornporn
Bah! Ramzi is my main 1337 h4xX0r man!
<http://www.youtube.com/watch?v=fDFXaqDf8kk>

------
lachyg
Can someone translate what's happening for those that can't read this code? :)
Thanks

~~~
danielh
A script kiddie [1] hacks into a computer and goes out of its way to
demonstrate its ignorance by doing stupid things like downloading a file, but
being unable to locate it or downloading Windows Service Pack on what seems to
be a *nix system.

Luckily, the hacked computer wasn't a real computer but a honey pot [2] and
everything the script kiddie does is recorded for our amusement.

It's a bit like watching a bank robber sporting a big gun without knowing
which way to point it.

[1] <http://en.wikipedia.org/wiki/Script_kiddie>

[2] <http://en.wikipedia.org/wiki/Honeypot_%28computing%29>

~~~
uxp
Downloading the Windows Service Pack wasn't pointless, it was to speedtest the
machine to see if it was worth continuing the attack.

~~~
danielh
That makes sense, as there was no attempt to run it.

I guess one should be really careful before calling someone's actions stupid.
Lesson learned.

------
jefe78
That was pathetic. He seemed incapable of even remembering the syntax for
'cd'...kids!

I found it curious that he was copy/pasting those wget links so quickly
though. THAT part nearly seemed automated. Strange behaviour.

~~~
markessien
I'd assume the recording process cut out all instances where nothing changed
on the screen. All the thinking pauses seem cut out.

------
rograndom
There's a replay via telnet that is easier to follow:

telnet 94.255.168.108

------
leandroico
Isn't it obvious that this is some sort of macro being executed? That makes
total sense to me and explains a lot of things, like:

1) not doing ls commands

2) having rescue plans like trying different directories in case a directory
doesn't exist

3) doing instant URL pastes

4) doing stuff in loop

5) acting similarly to a robot

6) [feel free to add more here]

~~~
JonnieCache
It is not a script, because he mistypes things and hits backspace. Not to
mention all the commands that are downright invalid, eg. cd ". "

A script sophisticated enough to replicate the behaviour of a real user at a
shell like this would likely actually achieve something.

Anyone clever enough to write a script that does this, wouldn't, because
they'd also be clever enough to realise that it's utterly pointless.

The win2k service pack was likely filling the role of "a big file from a fast
CDN," for the purposes of testing the machine's connection.

~~~
jeffcoat
'cd ". "' is valid; it means "set the current directory to the one named
[dot][space]".

I assumed it was something he'd seen as a way to sortof-conceal a directory,
since it's both hidden and looks a lot like the [dot] directory that you'd
expect to find everywhere.
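An added example, not part of the thread: a defender-side check for the `. ` trick described above. The function name `find_decoy_dirs` is hypothetical, and the check goes slightly beyond the single `. ` case to cover any dot-directory made only of dots and whitespace (`...`, `.. `) or ending in whitespace.

```shell
#!/bin/sh
# find_decoy_dirs ROOT
# Lists directories under ROOT whose names imitate "." or "..":
#   - dot-names made only of dots and whitespace (". ", "...", ".. ")
#   - dot-names that end in whitespace (".ssh ")
# Ordinary hidden directories such as ".cache" are not reported.
# Assumption: path names contain no newline characters.
find_decoy_dirs() {
    find "${1:-.}" -mindepth 1 -type d -name '.*' -print |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            *[[:space:]])
                # trailing whitespace is invisible in a plain "ls" listing
                printf '%s\n' "$path" ;;
            *[!.[:space:]]*)
                # contains a normal character: regular dot-directory, skip
                ;;
            *)
                # only dots and whitespace remain, e.g. "..."
                printf '%s\n' "$path" ;;
        esac
    done
}
```

`ls -la` alone makes these hard to tell apart from the real `.` entry; `ls -lab` or `ls -la --quoting-style=shell` (GNU coreutils) makes the trailing space visible.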

------
othello
Still, this leaves you wondering how someone with such little knowledge of
even the most basic Linux commands could ssh in there in the first place. Any
idea?

~~~
shortlived
It was probably via a script just like everything else.

~~~
jyanez
Or a disguised-kiddie which gets very cleverly in but then does very stupid
things in order to get caught and get a couple of things:

1. Get others involved by leaving fake tracks.

2. Distract attention.

3. Make you think your honey pot is doing right while some other heavy duty
scripts are running on the 'right' direction.

~~~
ldh
Seems fairly unlikely. I'm gonna go with Occam's Razor on this one.

------
iwwr
Apparently, the 'hacker's' web hosting account: <http://ely.uv.ro/> was
suspended.

Edit: Another would-be hacker: <http://www.youtube.com/watch?v=fPypZSZiF3g>

------
jsm386
He's got nothing on the _World's #1 Hacker,_ Gregory D. Evans. His e-book is
awesome. <http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/>

------
famousactress
Serious bonus points for the musical score. Anyone know what it is?

~~~
IgorPartola
It was played at the end of Portal
(<http://en.wikipedia.org/wiki/Portal_(video_game)>). It's also available as a
song in Rockband.

------
rix0r
I like the "history -c" before logging out, while leaving downloaded files and
extracted archives all over the place.

Oh yeah, he's really covered his tracks now...

------
snorkel
Wow. That system is locked down tight! You can't even cd into C:\

------
mnml_
This guy is tryin' hard!

------
bane
Oh Russians...

I could just hear the steam start to build.

