The investigation of Ijames
#1
What's happening?
  A user by the handle 'ijamesPHP' posted a Chrome extension that could be a multitude of exploits and such.
  Also note he is a Rftechpony, so there is a high possibility of him trying to phish etc.


My verdict:
Don't download this. Along with a random Rftechpony promoting it (possible multi), this could be an array of things like click hijacking, phishing, or browser pwn. These are normally created in Metasploit and uploaded to steal passwords and could lead to a backdoor.

I DON'T RECOMMEND DL

I can't prove this because he could send modified source code and upload an infected version,
so gl guys.

Evidence (so far)
Note: some of the things I mention could easily be disproven; this is just my opinion and what I found interesting.

To back up my theory: he uses h4cker talk on his who.is.
Archive in case he changes it: https://archive.is/8Blr6

He uses the term "your nan", which I only ever hear doxers, hackers and general malicious people say, and it is included in his who.is. This could be a mistake, but read on.

After getting the backend I discovered some things.

I scanned several IP ranges, all linking to:

His webhost - https://www.orangelemon.nl/

It's based in the Netherlands, one of the most secure places for a server in the world atm because of their strong privacy laws protecting the information, so tons of VPNs are based in the Netherlands and every spook's server is normally based in the Netherlands as well. He could have chosen this host because of its security and freedom to do malicious things (he didn't accidentally choose them or anything; he doesn't live in NL (can't confirm because he may have lied on who.is to avoid detection), so normally if you search webhost / VPS host it comes up co.uk or .com etc.).

The host orangelemon was also associated with hosting several VPN servers, and reddit users have tried gathering info from the third dump of the Ashley Madison hack, which led to .... orangelemon.

https://www.reddit.com/r/ashleymadisonha..._websites/

Along with the association with known hackers his host has, he mentioned it was a private VPS, not a shared host.

Why pay the expense of hosting a PHP file on a private VPS? If you're just uploading basic HTML, PHP, CSS files etc., why not use a shared hosting company like HostGator? It's so much cheaper. (Going back to the backdoor: there is a possibility it uses a VPS so it can connect the 'infected' to the VPS, protecting his IP from prosecution since it's NL.)

I quickly ran a port scan to see if there were any malicious ports on the VPS; here are the results:
[Image: 5y5CmAN.png]

There is the SSH port open, which could be a port to allow the infected in, but normally this port is open just to let the owner connect to the VPS,
so nothing to worry about there, I don't believe.


Will update with more later.

I could write a 7 page essay on how Google is a backdoor Kappa
#2
Very nice and detailed investigation.
#3
is NSA, someone ban Gandalf before the feds take us down
#4
My host is: hostpresto.com
#5
(10-08-2015, 12:24 AM)iJamesPHP Wrote:  My host is: hostpresto.com

After a reverse IP lookup on the IP coming from the site, the entire IP range belonged to that host;
also can't really trust a person I'm investigating.
#6
A* detective work, almost too good.

Obvious fed.



cut this dude some slack though, investigation thread not needed kekekekkeek
#7
(10-08-2015, 12:27 AM)Gandalf Wrote:  
(10-08-2015, 12:24 AM)iJamesPHP Wrote:  My host is: hostpresto.com

After a reverse IP lookup on the IP coming from the site, the entire IP range belonged to that host;
also can't really trust a person I'm investigating.

Might turn out hostpresto is a reseller of that orange hoster.

I just wanted to start a fucking rep as a developer on raidforums by making a lightweight multi-tool using some free shit APIs that took me less than 30 minutes, and then I pay 5 fucking dollars to get it on the Chrome store and make some quick gfx, and I get fucking ripped and get my site hit offline.

The script is gonna get moved to my VPS tomorrow when I get home (like 3:20 GMT) so it can go up and you can inspect element and see nothing is wrong.
#8
(10-08-2015, 12:33 AM)iJamesPHP Wrote:  
(10-08-2015, 12:27 AM)Gandalf Wrote:  
(10-08-2015, 12:24 AM)iJamesPHP Wrote:  My host is: hostpresto.com

After a reverse IP lookup on the IP coming from the site, the entire IP range belonged to that host;
also can't really trust a person I'm investigating.

Might turn out hostpresto is a reseller of that orange hoster.

I just wanted to start a fucking rep as a developer on raidforums by making a lightweight multi-tool using some free shit APIs that took me less than 30 minutes, and then I pay 5 fucking dollars to get it on the Chrome store and make some quick gfx, and I get fucking ripped and get my site hit offline.

The script is gonna get moved to my VPS tomorrow when I get home (like 3:20 GMT) so it can go up and you can inspect element and see nothing is wrong.

>inspect elements
#9
Illuminati
#10
This extension was just too good to be real :(
#11
Was not too good to be real.......

I understand more than most how most things that you install can easily be malicious, but fucking hell, @[VIP] Gandalf, don't be so determined; let him post SRC and then get it over with.
#12
(10-08-2015, 11:53 AM)Pytonia Wrote:  This extension was just too good to be real :(

It was like 100 lines of code, I'm releasing source code on the thread later.