Don't know how they got my email but apparently somebody is sending fake RIAA messages that look like this :


Dear registered user of the site What.cd,

We have recently been investigating the activities of the users of the
site http://www.what.cd/ and we have found that this site exists for the
sole purpose of music piracy.

Pirating music is a criminal offence and we believe it should be obvious
to you that the results outweigh the benefits - hard working artists
won't be rewarded for their work and will stop producing music,
ultimately leading to a severely reduced selection of music both in the
shops and for download.

The RIAA had hoped that the disabling by the police of the large illegal
music site, Oink.cd, would stop a lot of people from engaging in piracy,
as they don't want to be seen as criminals. However, this appears to
not be the case, as two large new sites have sprung up in its place.

This email is the final warning to all of you who were members of
Oink.cd and are current members of What.cd. If we find you to be
committing any more criminal acts of piracy then we will have to press
charges against you, as representatives of the major record companies of
America.

Yours Faithfully,
The RIAA


What.cd had this to say :


DAQ: These fake RIAA Emails are just that. Fake. http://pastebin.ca/770503 Read that.

My question is how did they get my email address ? The email that i used on what.cd is brand new never used, leaves me wondering....

(i got mine as well lol)

here's the follow up for that...



∼ The guys behind the attacks ∼ posted on Nov-13-07 by What

We highly suggest you change the email address associated with the account. We have no way of knowing what Richard has done with your email addresses. We apologize for this inconvenience

So, there's been a lot of speculation about who was behind the attacks on us. Waffles? RIAA? We've already come out and told you that it isn't the first. The waffles guys are cool, really. And the RIAA? Well, they don't redirect people to shock sites, as far as I know. So, who else would want to hack us? We've done our detective work, and located the two people. If you want to know who they are, skip to the end of the post. If you want to know who they are and why they hate us so much, read on in the ordinary up-down fashion.

When we first opened our public beta, we were temporarily hosted on the bitient.org server, which was owned by one of our admins (Noah). Noah also lent out hosting space to a few other people, and gave them shell access. When Noah granted us access to his server and IRC network, one of the owners to a site hosted on the server saw us as intruders, and felt a great deal of animosity towards us. This user's nick was 'P3T3R'. We left him alone, because it's never good to make enemies when you're running a site like this, but he seemed very intent on intimidating us. The following is from my IRC logs:

[Sat Nov 3 2007] [23:23:38] (P3T3R) btw, be prepared
[Sat Nov 3 2007] [23:23:42] (P3T3R) i'd watch it if I were you
[Sat Nov 3 2007] [23:24:02] (P3T3R) make the most of what you have while you have it
[Sat Nov 3 2007] [23:24:14] (P3T3R) cos you just might have it taken away from you...
[Sat Nov 3 2007] [23:24:37] (WhatMan) What the hell are you on about, P3T3R?
[Sat Nov 3 2007] [23:24:43] (P3T3R) i'm not quite sure
[Sat Nov 3 2007] [23:24:48] (P3T3R) or am I?

We suspect he was working with his brother 'biscuit', who has a reputation of being quite knowledgeable about linux, and 'hacking' in general.

Things were pretty normal for the next few days, but then we started seeing disturbing things appear in our database. Most of you guys know what these disturbing things were - redirects to shock sites, fake RIAA notices, etc. We initially thought that this was because of SQL injections - after all, TBSource comes with a load of exploits by default. So we went through the site, and patched up all the injection points (there were a lot of them). When we put the site back up, we immediately got hit by another attack. So we took it down again, and found and patched a couple more exploits. Then we put the site back up, and got hit by another attack.

After checking our database logs, it became painfully clear what had happened. The site and the database are hosted on separate servers. The attacker was connecting to the database server from the web server, but it didn't look at all like an SQL injection - none of our ordinary database calls accompanied the malicious queries. So, we decided that the attackers must have access to the web server, and since it was time to move from that temporary server anyways, we packed our bags and left.

This is when the SQL attacks stopped.

As we've already stated, the attackers then turned to brute force. The DDoS attack was well done, which made us think that the attackers were more than bored kids - but then, they sent out a shitload of fake RIAA emails, which looked like the work of a 14 year old. It was these emails that allowed us to track down the attackers.

The emails were well spoofed - the "originating IP" belonged to Dutch offices owned by the RIAA. However, they made a serious fuckup - a load of them were sent from riaa@bitient.org. This is not the case of a hacked mail script, as we never had a mail script - this was the case of someone trying poorly to hide their identity. A couple hours after these emails were sent out, every user in #what.cd received a CTCP-Version request from a user called 'biscuit'.

This is where it gets cool.

Sending version requests to everyone in a channel is the sort of thing script kiddies looking for someone to hack would do. As a good sysadmin, I tracked down biscuit's IP address:

[22:17] [Whois] biscuit is biscuit@b.i.s.c.u.i.t.1.3.3.7.h.a.x.0.r.r.o.o.t.NE T (Biscuit)
[22:17] [379] biscuit is using modes +wrxt
[22:17] [378] biscuit is connecting from *@*********.bb.sky.com **.***.**.**
And searched for it on the site - I came up with this account: http://what.cd/userdetails.php?id=1106

So, p3t3r and biscuit are on the same IP address. They both hate us, and p3t3r has openly threatened to take our site down. P3T3R has an account on the site, that logs into frequently, but never uses to upload or download. They both have shell access to our original server, so they could get into the database. Biscuit, the "1337 hax0r", sends a version request to everyone on IRC, a couple hours after scam emails have been sent out from a server they have access to. A little more research shows that P3T3R is 14 years old, and biscuit is his brother. It all sounds pretty conclusive to me. I go on to the bitient.org IRC channel to see what I can find. What do I find?

[22:37] (Noah) BISCUIT!
[22:37] (Noah) You'd better not have been the one sending those fake RIAA emails!
[22:37] (P3T3R) :O
[22:37] (Noah) And you most certainly have better not have been the one behind the hack
[22:37] (Noah) the emails CAME FOMR MY IP!
[22:37] (P3T3R) hack?
[22:37] (Noah) FROM THIS FUCKING SERVER

This pretty much convinced me that these two (especially P3T3R) were the ones behind the attacks. So, I'm sure you're all curious as to who these people are.

We only went so far as to find out info on P3T3R. His name is Peter Cole, and he lives in Yorkshire, in the UK. His email addreses are *****@p3t3r.co.uk and *****@gmail.com (the second one is also his MSN). His AIM is *****, and his Yahoo messenger username is *****. He has a personal web site (hosted on the bitient.org server) at p3t3r.co.uk - sadly, his home address and phone number are hidden from the whois. There's a shitload of information on him, easily accessible via google.

Neither I nor the rest of the staff is going to do anything to him - we just thought you'd like to know who the dickhead with your email address is. You can do with this information what you please.

EDIT: I had a nice chat with Noah earlier - apparently, P3T3R isn't the asshole, his brother is. His brother's name is Richard Cole, uses the email address b@iscuit.co.uk and owns the domain iheist.com - and the whois information for that isn't kept a secret. This is their address and phone number:

Administrative Contact:
Cole, Richard @googlemail.com
### ****
Halifax, Other ### ###
UK
+.######### Fax: +.########

We also got a load more proof from Noah - he read their history file. It is available online here: http://pastebin.ca/770838 The cool shit starts at command 491 (a DOS attack). You can also see biscuit hacking our database, etc.

I've removed his email from the news post for the day, at Noah's request - he wants to flame him without his email getting lost in piles of spam. I'll re-post it when Noah's done.


Pretty fucking lame...

thanks for the update... fookn bastards

http://torrentfreak.com/14-year-old-hacker-threatens-whatcd-071112/