Hacker Court

About This Presentation
Title: Hacker Court
Description: PowerPoint Presentation. Author: Carole Fennelly. Last modified by: Carole Fennelly. Created Date: 7/31/2002 5:56:12 PM. Document presentation format: PowerPoint PPT presentation.
Slides: 29
Learn more at: http://attrition.org

Transcript and Presenter's Notes
Title: Hacker Court


1
Hacker Court
Carole Fennelly, Jonathan Klein, Richard Salgado, Jesse Kornblum, Don Cavender, Rebecca Bace, William Tafoya, Richard Thieme, Jennifer Granick, Brian Martin, Kevin Manson, Simple Nomad, Jack Holleran
2
Jonathan Klein: Defense Expert Witness
Jennifer Granick: Counsel for the Defendant
Richard Thieme: The owner of one of the victims, Richards Air Transport Company
Brian Martin: The Defendant
Jack Holleran: Oscar J. Simpson, senior system administrator for RATCOM
Jesse Kornblum: Special Agent for the Air Force Office of Special Investigations
Don Cavender: investigative special agent from the FBI
Richard Salgado: represents the people
Rebecca Bace: Judge Judith Chamberlain Wapner (presiding judge)
3
(No Transcript)
4
ass (ejones)      bank (lgeorge)     bite (ddrago)     boy (rjones)
bye (mjones)      cat (rthieme)      chair (rbottom)   creep (pklutz)
cross (pprop)     cry (kkruk)        date (kstern)     day (kkluk)
dog (asmith)      eat (lchan)        fade (ldoor)      friend (fsmith)
gate (cchan)      gin (mstein)       girl (lsmith)     goat (tjones)
got (pstein)      green (mschwartz)
5
Nov 15 16:07 2001   FLIGHTPROD   SQL results from auditlog_flight_dump.sql   Time 20:28 - 01:28   Page 1

Action USERNAME   Hostname Audit_Date_And_Time   OLD_DATA NEW_DATA
------ --------   -------- --------------------  -------- --------
I      dbo        TOWER    Oct 23 2001 20:29:16  Null VALUE 346827
I      dbo        TOWER    Oct 23 2001 20:38:17  0 13088
I      dbo        TOWER    Oct 23 2001 20:49:18  D
I      dbo        TOWER    Oct 23 2001 21:02:18  Y
I      dbo        TOWER    Oct 23 2001 21:05:18  2840
I      dbo        TOWER    Oct 23 2001 21:39:18  0 258
I      dbo        TOWER    Oct 23 2001 21:49:18  0 14
D      dbo        TOWER    Oct 23 2001 22:47:38  RATCO
D      dbo        TOWER    Oct 23 2001 22:49:17  RATCOM
U      dbo        TOWER    Oct 23 2001 22:51:18  01/01/1900 04/01/2002
I      dbo        TOWER    Oct 23 2001 22:52:18  01/01/1900 03/15/2021
I      dbo        TOWER    Oct 23 2001 22:59:18  01/01/1900 05/15/2002
I      dbo        TOWER    Oct 23 2001 23:09:18  V
I      dbo        TOWER    Oct 23 2001 23:13:23  USD
I      dbo        TOWER    Oct 23 2001 23:14:18  USD
U      dbo        TOWER    Oct 23 2001 23:15:37  01/01/1900 12/15/2035
U      dbo        TOWER    Oct 23 2001 23:16:41  01/01/1900 08/01/2001
6
D      dbo        TOWER    Oct 23 2001 23:17:02  RATCO
D      dbo        TOWER    Oct 23 2001 23:19:17  RATCOM
U      dbo        TOWER    Oct 23 2001 23:22:24  5005
U      dbo        TOWER    Oct 23 2001 23:23:21  AX
I      dbo        TOWER    Oct 23 2001 23:38:21  Y
I      dbo        TOWER    Oct 23 2001 23:39:21
U      dbo        TOWER    Oct 23 2001 23:41:22  -1 60640
U      dbo        TOWER    Oct 23 2001 23:42:26  D P
U      msimpson   TOWER    Oct 23 2001 23:43:19  0 13
U      ojsimpson  TOWER    Oct 23 2001 23:44:28  Z
D      dbo        TOWER    Oct 23 2001 23:47:38  RATCO
D      dbo        TOWER    Oct 23 2001 23:49:17  RATCOM
U      ojsimpson  TOWER    Oct 23 2001 23:53:28  01/01/1900 11/15/2035
I      ojsimpson  TOWER    Oct 24 2001 00:02:23  N
I      ojsimpson  TOWER    Oct 24 2001 00:07:30  0 10
U      acook      TOWER    Oct 24 2001 00:09:04  60
I      acook      TOWER XCSP Oct 24 2001 00:15:03  71243 71240
U      msimpson   TOWER    Oct 24 2001 00:16:51  0.000000 0.709000
D      dbo        TOWER    Oct 24 2001 00:17:38  RATCO
D      dbo        TOWER    Oct 24 2001 00:19:17  RATCOM
U      msimpson   TOWER    Oct 24 2001 00:04:51  M
U      msimpson   TOWER    Oct 24 2001 00:06:31  0.709000 0.709031
I      msimpson   TOWER    Oct 24 2001 00:29:16  Null VALUE 46827
I      msimpson   TOWER    Oct 24 2001 00:29:18  AAA
7
U      msimpson   TOWER    Oct 24 2001 00:29:18  AAA
U      msimpson   TOWER    Oct 24 2001 00:29:30  AAA
U      msimpson   TOWER    Oct 24 2001 00:29:30  01/01/1900 04/04/2002
I      msimpson   TOWER    Oct 24 2001 00:29:31  1
U      acook      TOWER    Oct 24 2001 00:26:01  CMBS
I      acook      TOWER    Oct 24 2001 00:27:40  Z
U      ojsimpson  TOWER    Oct 24 2001 00:38:29  0 236
U      ojsimpson  TOWER    Oct 24 2001 00:38:29  M
D      dbo        TOWER    Oct 24 2001 00:37:38  RATCO
D      dbo        TOWER    Oct 24 2001 00:39:17  RATCOM
I      ojsimpson  TOWER    Oct 24 2001 00:42:29  KJR
I      ojsimpson  TOWER    Oct 24 2001 00:48:30  N/A
I      dba        TOWER    Oct 24 2001 00:52:45  AAA
U      dba        TOWER    Oct 24 2001 01:02:35  AAA
U      dba        TOWER    Oct 24 2001 01:08:11  AAA
U      dba        TOWER    Oct 24 2001 01:09:32  AAA
U      dba        TOWER    Oct 24 2001 01:12:23  AAA
U      dba        TOWER    Oct 24 2001 01:13:55  AAA
D      dbo        TOWER    Oct 24 2001 01:17:38  RATCO
D      dbo        TOWER    Oct 24 2001 01:19:17  RATCOM
U      dba        TOWER    Oct 24 2001 01:23:24  AAA
U      dba        TOWER    Oct 24 2001 01:28:24  AAA
8
15 2 4 /usr/local/flight/db_backup
0 2 * * * /usr/local/flight/maintenance.csh
15,45 * * * * /usr/local/flight/flightline_configuration_info.csh > /dev/null 2>&1
9
isql -Usa -S$DSQUERY -P$PASSWD <<-! >> $LOG
select @@servername
go
..........
print " "
print ""
print "$DSQUERY CONFIGURATIONS"
print ""
go
sp_configure
go
Roadblock 0wns U
delete from flightline where flight_no like "RATCO"
print " "
print ""
print "$DSQUERY sp_configure for Groups"
print ""
go
.......
END
...
.......
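The audit dump (slides 5-7), the crontab (slide 8) and the script fragment above line up if the RATCO deletes are being issued by the scheduled job rather than by a person. The Python below is an added example and is not part of the Hacker Court exhibits: it sorts the audit rows (the dump does not print them in time order), measures how long after each :15/:45 cron fire every delete lands, and separates the ones that fit the schedule from the ones that do not. The rows are copied from slides 5-7 with the colons the extraction dropped restored; the five-minute window is an assumed tolerance for how long the script takes to reach its delete statement.

```python
import re
from datetime import datetime, timedelta

# Rows copied from the audit dump on slides 5-7 (every D row, plus a few
# I/U rows for context), with the colons the extraction dropped restored.
# Layout follows the dump header:
#   Action USERNAME Hostname Audit_Date_And_Time OLD_DATA NEW_DATA
AUDIT_ROWS = """\
I dbo TOWER Oct 23 2001 20:29:16 Null VALUE 346827
D dbo TOWER Oct 23 2001 22:47:38 RATCO
D dbo TOWER Oct 23 2001 22:49:17 RATCOM
U dbo TOWER Oct 23 2001 22:51:18 01/01/1900 04/01/2002
D dbo TOWER Oct 23 2001 23:17:02 RATCO
D dbo TOWER Oct 23 2001 23:19:17 RATCOM
U msimpson TOWER Oct 23 2001 23:43:19 0 13
D dbo TOWER Oct 23 2001 23:47:38 RATCO
D dbo TOWER Oct 23 2001 23:49:17 RATCOM
U ojsimpson TOWER Oct 23 2001 23:53:28 01/01/1900 11/15/2035
D dbo TOWER Oct 24 2001 00:17:38 RATCO
D dbo TOWER Oct 24 2001 00:19:17 RATCOM
D dbo TOWER Oct 24 2001 00:37:38 RATCO
D dbo TOWER Oct 24 2001 00:39:17 RATCOM
D dbo TOWER Oct 24 2001 01:17:38 RATCO
D dbo TOWER Oct 24 2001 01:19:17 RATCOM
"""

# Minute field of the crontab entry on slide 8 that runs the configuration script.
CRON_MINUTES = (15, 45)

# Assumed tolerance: a delete must land within this many seconds of a cron fire
# to be attributed to the scheduled job (the script runs other queries first).
WINDOW_SECONDS = 300

ROW_RE = re.compile(
    r"^(?P<action>[IUD])\s+(?P<user>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s*(?P<data>.*)$"
)


def parse_rows(text):
    """Parse dump rows and return them sorted by timestamp (the dump is not)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header and separator lines in a real dump
        rows.append({
            "action": m["action"],
            "user": m["user"],
            "host": m["host"],
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "data": m["data"].strip(),
        })
    return sorted(rows, key=lambda r: r["ts"])


def seconds_since_cron_fire(ts, cron_minutes=CRON_MINUTES):
    """Seconds elapsed between the most recent scheduled minute and ts."""
    earlier = [m for m in cron_minutes if m <= ts.minute]
    if earlier:
        fire = ts.replace(minute=max(earlier), second=0)
    else:  # before this hour's first fire: the last one was in the previous hour
        fire = (ts - timedelta(hours=1)).replace(minute=max(cron_minutes), second=0)
    return int((ts - fire).total_seconds())


def correlate_deletes(rows, cron_minutes=CRON_MINUTES, window=WINDOW_SECONDS):
    """Split D rows into those that closely follow a cron fire and those that do not."""
    matched, unmatched = [], []
    for r in rows:
        if r["action"] != "D":
            continue
        lag = seconds_since_cron_fire(r["ts"], cron_minutes)
        (matched if lag <= window else unmatched).append((r["ts"], r["user"], r["data"], lag))
    return matched, unmatched


def delete_intervals(rows, value):
    """Gaps in seconds between consecutive deletes of the same value."""
    times = [r["ts"] for r in rows if r["action"] == "D" and r["data"] == value]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    rows = parse_rows(AUDIT_ROWS)
    matched, unmatched = correlate_deletes(rows)
    for ts, user, data, lag in matched:
        print(f"{ts}  {user:<9} D {data:<7} {lag:>4}s after a :15/:45 fire")
    for ts, user, data, lag in unmatched:
        print(f"{ts}  {user:<9} D {data:<7} {lag:>4}s after a fire, outside the window")
    print("RATCO delete gaps (s):", delete_intervals(rows, "RATCO"))
```

Run against the exhibit rows, ten of the twelve deletes land two to four minutes after a :15 or :45 fire, while the 00:37:38 RATCO and 00:39:17 RATCOM pair does not; the interval list shows the same break in the half-hour rhythm (1200 s then 2400 s around that pair). Which row is the odd one out is the thing to take to the su log and the shell histories, not something this script can settle on its own.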
10
Oct 23 22:08:28 guardian web-gw[7361]: permit destination 63.251.224.177/8200 ID=73617397555
Oct 23 22:08:31 guardian web-gw[7371]: permit host=nodnsquery/10.30.35.54 use of proxy ID=73717407818
Oct 23 22:08:34 guardian web-gw[7371]: permit destination 63.251.224.177/8200 ID=73717407818
Oct 23 22:09:35 guardian web-gw[7371]: exit host=nodnsquery/10.30.35.18 cmds=0, in=95, out=91, duration=0, mode=Packet ID=73717407817
Oct 23 22:09:38 guardian web-gw[7360]: permit host=nodnsquery/10.30.38.141 use of proxy ID=73607252834
Oct 23 22:09:40 guardian tn-gw[1199]: permit host=nodnsquery/140.30.33.15 use of proxy ID=11995873597
Oct 23 22:09:41 guardian web-gw[7360]: permit destination 63.251.224.177/8200 ID=73607252834
Oct 23 22:10:44 guardian web-gw[7365]: permit host=nodnsquery/10.30.37.223 use of proxy ID=73657319948
Oct 23 22:10:48 guardian web-gw[7365]: permit destination 63.251.224.177/8200 ID=73657319948
Oct 23 22:10:50 guardian web-gw[7362]: exit host=nodnsquery/10.30.39.74 cmds=0, in=93, out=89, duration=0, mode=Packet ID=73627393319
11
Oct 23 22:54:31 guardian web-gw[7362]: permit host=nodnsquery/10.30.37.130 use of proxy ID=73627393326
Oct 23 22:54:34 guardian web-gw[7362]: permit destination 63.251.224.177/8200 ID=73627393326
Oct 23 22:54:35 guardian web-gw[7362]: exit host=nodnsquery/10.30.39.113 cmds=0, in=95, out=91, duration=0, mode=Packet ID=73627393325
Oct 23 22:55:38 guardian unix: securityalert: tcp if=hme1 from 10.30.37.56:1545 to 168.100.195.42 on unserved port 110
Oct 23 22:55:40 guardian web-gw[7365]: exit host=nodnsquery/10.30.32.79 cmds=0, in=88, out=92, duration=0, mode=Packet ID=73657319955
Oct 23 22:55:40 guardian tn-gw[1199]: exit host=nodnsquery/140.30.33.15 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
Oct 23 22:55:41 guardian ftp-gw[1199]: exit host=nodnsquery/10.30.38.26 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873816
Oct 23 22:56:44 guardian web-gw[7360]: permit host=nodnsquery/10.30.39.94 use of proxy ID=73607252843
Oct 23 22:56:48 guardian web-gw[7360]: permit destination 63.251.224.177/8200 ID=73607252843
Oct 23 22:56:50 guardian web-gw[7371]: permit host=nodnsquery/10.30.32.129 use of proxy ID=73717407823
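The gateway lines on slides 10 and 11 (and again on slide 23) follow the usual application-proxy pattern: a permit for the client host, a permit for the destination, an exit record with byte counts, all carrying a connection ID, plus kernel-level securityalert lines for connections the firewall itself refused. The Python below is an added example, not part of the Hacker Court exhibits: it parses lines copied from slides 10, 11 and 23 into fields, groups proxy events by ID, and pulls out the unserved-port alerts with their source host and port. The year (2001) and the field names are assumptions taken from the line format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Lines copied from the guardian gateway logs on slides 10, 11 and 23, with the
# separators the extraction dropped ([pid], ':' and '=') restored. Syslog lines
# carry no year; 2001 is assumed from the rest of the exhibits.
FIREWALL_LOG = """\
Oct 23 22:08:31 guardian web-gw[7371]: permit host=nodnsquery/10.30.35.54 use of proxy ID=73717407818
Oct 23 22:08:34 guardian web-gw[7371]: permit destination 63.251.224.177/8200 ID=73717407818
Oct 23 22:09:35 guardian web-gw[7371]: exit host=nodnsquery/10.30.35.18 cmds=0, in=95, out=91, duration=0, mode=Packet ID=73717407817
Oct 23 22:09:40 guardian tn-gw[1199]: permit host=nodnsquery/140.30.33.15 use of proxy ID=11995873597
Oct 23 22:47:35 guardian unix: securityalert: tcp if=hme1 from 10.30.37.56:1545 to 168.100.195.42 on unserved port 110
Oct 23 22:54:31 guardian web-gw[7362]: permit host=nodnsquery/10.30.37.130 use of proxy ID=73627393326
Oct 23 22:54:34 guardian web-gw[7362]: permit destination 63.251.224.177/8200 ID=73627393326
Oct 23 22:55:38 guardian unix: securityalert: tcp if=hme1 from 10.30.37.56:1545 to 168.100.195.42 on unserved port 110
Oct 23 22:55:40 guardian tn-gw[1199]: exit host=nodnsquery/140.30.33.15 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
"""
LOG_YEAR = 2001  # assumed; syslog omits the year

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<fw>\S+) "
    r"(?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ALERT_RE = re.compile(
    r"securityalert: (?P<proto>\w+) if=(?P<iface>\w+) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) on unserved port (?P<dport>\d+)"
)
KV_RE = re.compile(r"(\w+)=([^\s,]+)")
DEST_RE = re.compile(r"\bdestination (\S+)")


def parse_log(text, year=LOG_YEAR):
    """Turn raw lines into dicts; raise on anything the format does not cover."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        msg = m["msg"]
        entry = {
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "prog": m["prog"],
            "pid": m["pid"],
            "action": msg.split()[0].rstrip(":"),  # permit / exit / securityalert
            "fields": dict(KV_RE.findall(msg)),     # host=, cmds=, in=, out=, ID=, ...
            "alert": None,
        }
        a = ALERT_RE.search(msg)
        if a:
            entry["alert"] = a.groupdict()
        d = DEST_RE.search(msg)
        if d:
            entry["fields"]["destination"] = d.group(1)
        entries.append(entry)
    return entries


def sessions_by_id(entries):
    """Group proxy events by the gateway's connection ID, in time order."""
    sessions = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        if "ID" in e["fields"]:
            sessions[e["fields"]["ID"]].append(e)
    return dict(sessions)


def security_alerts(entries):
    """(time, src, sport, dst, dport) for every unserved-port alert."""
    return [
        (e["ts"], e["alert"]["src"], int(e["alert"]["sport"]),
         e["alert"]["dst"], int(e["alert"]["dport"]))
        for e in entries if e["alert"]
    ]


def destination_counts(entries):
    """How often each destination (host/port) was permitted through a proxy."""
    return Counter(e["fields"]["destination"] for e in entries if "destination" in e["fields"])


def session_bytes(session):
    """Bytes in/out from the session's exit record, or None if it never exited."""
    for e in session:
        if e["action"] == "exit":
            return int(e["fields"]["in"]), int(e["fields"]["out"])
    return None


if __name__ == "__main__":
    entries = parse_log(FIREWALL_LOG)
    for ts, src, sport, dst, dport in security_alerts(entries):
        print(f"{ts}  ALERT {src}:{sport} -> {dst}:{dport} (unserved port)")
    for sid, sess in sessions_by_id(entries).items():
        acts = ",".join(e["action"] for e in sess)
        print(f"ID={sid}  {sess[0]['prog']}  {acts}  bytes={session_bytes(sess)}")
    print(destination_counts(entries).most_common())
```

Two things the grouping makes visible on this excerpt: both securityalert lines come from the same internal host and source port (10.30.37.56:1545) trying to reach 168.100.195.42 on port 110, and the web-gw exit record carries an ID one lower than the permits just before it (…7817 versus …7818), so on this log an ID alone does not always pair a permit with its exit. The parser deliberately leaves that mismatch in view rather than guessing at the pairing.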
12
Oct 23 19:14:52 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 19:34:53 tower login: [ID 728157 auth.notice] msimpson authorized for service
Oct 23 20:14:55 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/4
Oct 23 20:20:57 tower login: [ID 728157 auth.notice] msimpson authorized for service
Oct 23 20:37:58 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/5
Oct 23 21:04:01 tower login: [ID 728157 auth.notice] acook authorized for service
Oct 23 21:10:03 tower su: [ID 366847 auth.notice] 'su root' succeeded for acook on /dev/pts/4
Oct 23 21:14:08 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 22:10:11 tower login: [ID 728157 auth.notice] ojsimpson authorized for service
Oct 23 22:11:14 tower su: [ID 366847 auth.notice] 'su root' succeeded for ojsimpson on /dev/pts/5
Oct 23 22:24:18 tower login: [ID 728157 auth.notice] msimpson authorized for service
Oct 23 22:27:22 tower su: [ID 366847 auth.notice] 'su root' succeeded for msimpson on /dev/pts/3
Oct 23 22:29:25 tower login: [ID 728157 auth.notice] acook authorized for service
Oct 23 22:34:28 tower su: [ID 366847 auth.notice] 'su root' succeeded for acook on /dev/pts/6
Oct 23 22:36:31 tower login: [ID 728157 auth.notice] msimpson authorized for service
13
isql -Usa -S$DSQUERY -P$PASSWD <<-! >> $LOG
select @@servername
go
..........
print " "
print ""
print "$DSQUERY CONFIGURATIONS"
print ""
go
sp_configure
go
Roadblock 0wns U
delete from flightline where flight_no like "RATCO"
print " "
print ""
print "$DSQUERY sp_configure for Groups"
print ""
go
.......
END
...
.......
14
Speed Bump Communications (NETBLK-SB-143-30)
   1 Communications Drive
   Reston, VA
   US

   Netname: SB-143-30
   Netblock: 143.30.0.0 - 143.30.255.255

   Coordinator:
      Smith, John (JS2299-ARIN) jsmith@WKEYS.COM
      (301) 555-9679

   Record last updated on 16-Apr-1997.
   Database last updated on 21-Jul-2002 20:00:38 EDT.
15
rthieme:eoVxrmzba5gNw:11891::::::
asmith:moUziW.7KMLSY:11891::::::
tjones:to0lDYzyyt0Bs:11891::::::
hgray:0pz7sFqJ/goAY:11891::::::
fsmith:8p9Cjr.7iiCkM:11891::::::
bsmith:GpQ5yKAO4vOPg:11891::::::
lgeorge:NpY8j4/wdYySI:11891::::::
mjones:VphC2rx/zWLS2:11891::::::
bmartin:gpi7/g9RtoOZY:11891::::::
klee:op1halJd55/6w:11891::::::
mluther:zpT8i8yMXt2Os:11891::::::
kdean:4qcPnfVzgAHNk:11891::::::
rjones:BqsGoQ6ff18JQ:11891::::::
lsmith:HqDHnSLTSOddk:11891::::::
kstern:Pqqkz2L6M610k:11891::::::
rbottom:Wq1Nms2iF/jrM:11891::::::
prussell:lqhscgRuHeUOM:11891::::::
lgrayson:sqCXT83jP9UtY:11891::::::
cspot:.r.mhB1lBq3Gs:11891::::::
ddrago:5rgt1SQRwR3Xo:11891::::::
alee:Cr14mfLo/2J12:11891::::::
mlamb:Kr24wQM19ESxk:11891::::::
16
rthieme:x:1000:10:Richard Thieme:/opt/local/dragon:/bin/ksh
asmith:x:1001:10:Angela Smith:/opt/local/dragon:/bin/ksh
tjones:x:1002:10:Tom Jones:/opt/local/dragon:/bin/ksh
hgray:x:1003:10:Nenry Gray:/opt/local/dragon:/bin/ksh
fsmith:x:1004:10:Frank Smith:/opt/local/dragon:/bin/ksh
bsmith:x:1005:10:Barbara Smith:/opt/local/dragon:/bin/ksh
lgeorge:x:1006:10:Larry George:/opt/local/dragon:/bin/ksh
mjones:x:1007:10:Marcus Jones:/opt/local/dragon:/bin/ksh
bmartin:x:1008:10:Brian Martin:/opt/local/dragon:/bin/ksh
klee:x:1009:10:Ken Lee:/opt/local/dragon:/bin/ksh
mluther:x:1010:10:Martin Luther:/opt/local/dragon:/bin/ksh
kdean:x:1011:10:Kathleen Dean:/opt/local/dragon:/bin/ksh
rjones:x:1012:10:Roberta Jones:/opt/local/dragon:/bin/ksh
lsmith:x:1013:10:Lance Smith:/opt/local/dragon:/bin/ksh
kstern:x:1014:10:Kevin Stern:/opt/local/dragon:/bin/ksh
rbottom:x:1015:10:Robert Bottom:/opt/local/dragon:/bin/ksh
prussell:x:1016:10:Peter Russell:/opt/local/dragon:/bin/ksh
lgrayson:x:1017:10:Lydia Grayson:/opt/local/dragon:/bin/ksh
cspot:x:1018:10:Charles Spot:/opt/local/dragon:/bin/ksh
ddrago:x:1019:10:Darren Drago:/opt/local/dragon:/bin/ksh
alee:x:1020:10:Alex Lee:/opt/local/dragon:/bin/ksh
mlamb:x:1021:10:Michael Lamb:/opt/local/dragon:/bin/ksh
17
tryvyhZxCk206:ass
NpY8j4/wdYySI:bank
5rgt1SQRwR3Xo:bite
BqsGoQ6ff18JQ:boy
VphC2rx/zWLS2:bye
eoVxrmzba5gNw:cat
Wq1Nms2iF/jrM:chair
8spzQjq6/V9WA:creep
irR72to9aPs4U:cross
bs.8w7gez5Z7k:cry
Pqqkz2L6M610k:date
puLAs1ayn1djQ:day
moUziW.7KMLSY:dog
ZuDddu9uepsF6:eat
gtgjyxL8bJBAM:fade
8p9Cjr.7iiCkM:friend
RuO7.RU.n0juE:gate
psF.DEeQIgTTI:gin
HqDHnSLTSOddk:girl
to0lDYzyyt0Bs:goat
hsvRfcLuhR2so:got
vt4dRCFbPxodk:green
18
ass (ejones)      bank (lgeorge)     bite (ddrago)     boy (rjones)
bye (mjones)      cat (rthieme)      chair (rbottom)   creep (pklutz)
cross (pprop)     cry (kkruk)        date (kstern)     day (kkluk)
dog (asmith)      eat (lchan)        fade (ldoor)      friend (fsmith)
gate (cchan)      gin (mstein)       girl (lsmith)     goat (tjones)
got (pstein)      green (mschwartz)
19
Session begins 22-Oct-2001 21:45:02
fbot (fbot@shell.dhp.com) has joined channel hakchat
<rblock> hey fbot
squido (squidsy@c216-92-122-84.md1.cablespeed.com) has joined channel hakchat
<squido> rar hi all
<rblock> hey squido
<sephyroth> hi squido
<granthor> hey bitz
<squido> how goes?
<rblock> sucks bigtime
<squido> why?!
<rblock> work! that asshole richard fire me and won't give me my last paycheck
<granthor> doh!
<squido> jeez, why not? isnt that illegal?
<rblock> he claims i didn't give back the fucking emergency pager even tho i gave it to his secretary. bitch lost it or something
<rblock> so now im out a lot of money and i just got a new car
<squido> isnt there something you can do?
20
munge (vesicant@forced.attrition.org) howdy
<rblock> not like the courts will believe me. everyone would believe a big company over me
<squido> why'd he fire you anyway?
<rblock> i was bored, portscanning some systems to see what was running. nothing bad or anything
<rblock> didnt give me a warning, just canned me the same day
<squido> lame :(
<rblock> yeah, he'll pay for it one way or another
<rblock> afk brb
<squido> ??
<rblock> richard knows jack about security and never gave us time to fix the network
<rblock> he's still running vulnerable cgi's on the apache server, still has a few vulnerable RPC servers that are net accessable
<rblock> he's just begging to get hacked hint cough
<granthor> man, dont get in more trouble. feds come down hard on you for that shit. FBI are complete assclowns
<rblock> i know, i'm just saying... could happen
<rblock> gotta run
<granthor> hasta
<squido> doh stepped afk, see ya rblock
21
Session begins 25-Oct-2001 11:00:15
squido (squidsy@c216-92-122-93.md1.cablespeed.com) has joined channel
<rblock> hey squido!
<squido> rar hi all
<squido> hey rblock :)
<rblock> hehehe check this out
<rblock> richard (ex boss dickhead) mysteriously got hacked >:)
<squido> ...
stalkin (Stalkin@12-254-9-118.client.attbi.com) has joined channel
<squido> tell me you didn't!
<rblock> oh err uhm, i didnt!
<stalkin> didn't what?
<squido> why don't i believe you...
<rblock> <-- innocent! hehehe
<rblock> i just heard through the grapevine ole richard ran into a lot of problems. apparently one of his servers ran into problems.... or so i hear
<stalkin> <- lost in this conversation
<squido> evil evil man!
<rblock> <-- innocent! snicker
22
Session begins 18-Jun-2001 11:03:20
<rblock> gah i'm tired of work shit
<squido> why now?
<rblock> i'm tired of these little script kiddie assholes
<rblock> day in and day out they run the most inane crap against my network
<prymate> bitch all you want, but they know more than you often and they keep yer ass employed
<rblock> stfu prymate, quit defending your script kiddy brethren
<prymate> d00d you know shit, you are shit
<rblock> /yawn, when you hit puberty feel free to come knocking, until then keep working on your wet dreams kid
<prymate> this coming from a l4m3r admin who been owned be4
<rblock> sure sure, and your impressive advisories on russian CGI packages used by four people worldwide sure qualify you as a security expert
<prymate> d00d fuck u and stfu or ill 0wn u hard
<rblock> i think you'd have a hard time owning mommy and daddy at a PTA meeting kid
<prymate> remember this asshole
Signoff: prymate (f u rblock)
23
Oct 23 22:45:22 guardian web-gw[7371]: exit host=nodnsquery/10.30.39.35 cmds=0, in=96, out=92, duration=0, mode=Packet ID=73717407821
Oct 23 22:45:25 guardian web-gw[7370]: permit host=nodnsquery/10.30.35.72 use of proxy ID=73707279039
Oct 23 22:46:28 guardian web-gw[7370]: permit destination 63.251.224.177/8200 ID=73707279039
Oct 23 22:46:31 guardian web-gw[7362]: exit host=nodnsquery/10.30.34.142 cmds=0, in=85, out=89, duration=0, mode=Packet ID=73627393323
Oct 23 22:46:34 guardian web-gw[7362]: exit host=nodnsquery/10.30.32.71 cmds=0, in=93, out=89, duration=0, mode=Packet ID=73627393324
Oct 23 22:47:35 guardian unix: securityalert: tcp if=hme1 from 10.30.37.56:1545 to 168.100.195.42 on unserved port 110
Oct 23 22:47:38 guardian web-gw[7360]: permit host=nodnsquery/10.30.34.120 use of proxy ID=73607252842
Oct 23 22:47:40 guardian web-gw[7360]: permit destination 63.251.224.177/8200 ID=73607252842
Oct 23 22:48:41 guardian web-gw[7365]: permit host=nodnsquery/10.30.32.60 use of proxy ID=73657319954
24
Oct 23 01:09:55 guardian tn-gw[1199]: permit host=nodnsquery/140.30.22.100 use of proxy ID=11995873597
Oct 23 02:14:52 guardian tn-gw[1199]: exit host=nodnsquery/140.30.22.100 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
Oct 23 03:21:48 guardian tn-gw[1199]: permit host=nodnsquery/140.30.22.100 use of proxy ID=11995873597
Oct 23 04:18:41 guardian tn-gw[1199]: exit host=nodnsquery/140.30.22.100 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
Oct 23 05:04:38 guardian tn-gw[1199]: permit host=nodnsquery/140.30.22.200 use of proxy ID=11995873597
Oct 23 05:27:34 guardian tn-gw[1199]: exit host=nodnsquery/140.30.22.200 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
Oct 23 05:50:28 guardian tn-gw[1199]: permit host=nodnsquery/140.30.30.39 use of proxy ID=11995873597
Oct 23 06:12:22 guardian tn-gw[1199]: exit host=nodnsquery/140.30.30.39 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
Oct 23 06:35:14 guardian tn-gw[1199]: permit host=nodnsquery/140.30.33.39 use of proxy ID=11995873597
Oct 23 07:00:08 guardian tn-gw[1199]: exit host=nodnsquery/140.30.33.39 cmds=0, in=93, out=89, duration=0, mode=Packet ID=11995873597
Oct 23 08:06:01 guardian tn-gw[1199]: permit host=nodnsquery/140.30.18.123 use of proxy ID=11995873597
25
if ($DSQUERY == "PROD" || $DSQUERY == "DENVER" || $DSQUERY == "BETA" || $DSQUERY == "PRODNEW" || $DSQUERY == "BETANEW") then
    set PASSWD = `cat $SYBASE/magicword`
else if ($DSQUERY == "SYSTEM12") then
    set PASSWD = `cat $SYBASE/magicword.SYSTEM12`
else if ($DSQUERY == "CMFPROD") then
    set PASSWD = `cat $SYBASE/magicword.CMFPROD`
else if ($DSQUERY == "PORTIAPROD") then
    set PASSWD = `cat $SYBASE/magicword.PORTIAPROD`
else
    set PASSWD = `cat $SYBASE/magicword.TEST`
endif
echo `date`" JOB $DSQUERY sybase_configuration_info.csh" >>! $LOG
echo `date`" FILE $LOG" >>! $LOG
echo " " >> $LOG
echo `date`" Getting Configuration Information for $DSQUERY Server ..." >> $LOG
echo " " >> $LOG
26
Registrant:
Richard A. Thieme Transport Company (RATCO-DOM)
   999 State St
   Falls Church, VA
   US

   Domain Name: RATCO.COM

   Administrative, Technical and Billing Contact:
      Thieme, Richard (RT2229) rthieme@RATCO.COM
      999 State St
      Falls Church, VA US
      (301) 555-2112 (FAX) (301) 555-4555

   Record expires on 17-Aug-2006.
   Record created on 16-Aug-1995.
   Database last updated on 22-Jul-2002 11:33:20 EDT.

   Domain servers in listed order:
   NS1.SPEEDBUMP.COM   143.30.2.18
   NS2.SPEEDBUMP.COM   143.30.9.18
27
Registrant:
SpringField International Airport (SIA-DOM)
   1 Flight Drive
   SpringField, MD
   US

   Domain Name: SIA.COM

   Administrative, Technical Contact:
      Simpson, Oscar J. (OS239) ojsimpson@SIA.COM
      SpringField International Airport
      1 Flight Drive
      SpringField, MD
      (301) 555-9239 (FAX) (301) 555-5334

   Record expires on 17-Aug-2006.
   Record created on 16-Aug-1995.
   Database last updated on 22-Jul-2002 11:33:20 EDT.

   Domain servers in listed order:
   NS1.MSN.COM   138.21.22.18
   NS2.ATT.NET   131.80.90.28
28
Registrant:
Speed Bump Communications (SPEED-DOM)
   1 Communications Drive
   Reston, VA
   US

   Domain Name: SPEEDBUMP.COM

   Administrative Contact:
      Smith, John (JS2299) jsmith@SPEEDBUMP.COM
      Speed Bump Communications
      1 Communications Drive
      Reston, VA
      (301) 555-9679 (FAX) (301) 555-5222

   Technical Contact:
      Jones, Anthony (AJ9999) ajones@SPEEDBUMP.COM
      1 Communications Drive
      Reston, VA
      (301) 555-2298 (FAX) (301) 555-5222

   Record expires on 17-Aug-2006.
   Record created on 16-Aug-1995.
   Database last updated on 22-Jul-2002 11:33:20 EDT.

   Domain servers in listed order:
   NS1.SPEEDBUMP.COM   143.30.2.18
   NS2.SPEEDBUMP.COM   143.30.9.18