The Things They Do in China...
A few weeks ago, someone from China "broke in" to Server2K3 using the weak password supplied for user "test", of course with full administrative privileges as you would find on any old unattended production server. They made a new user called "wwwadmin" but nothing at all happened to it until now. The revisit saw two more user names being made: "jack" and "wwwadmin2" conveniently both with the same password.
The following day there was a return visit, and this time they came to do business. First off, a visit to
http://blog.tianya.cn/blogger/view_blog.asp?BlogName=fm8930 (*)
I was thrilled at the thought that here we had an example of the fabled Chinese anti-governmental bloggers seeking to black-mouth their leaders and circumventing the censorship they face. Well, I can't read Chinese at all, but one look at this page showed that it has absolutely nothing to do with anything other than gambling and casinos. What a disappointment, but never mind.
At 02:46 hrs (GMT) the Chinese gambler downloaded and installed "Captain Cooks Casino" game. This he followed by the creation of a Moneybookers account in the name of "Harlow Wilcox" from Warrington, born 6th March 1987. Where do they get their inspiration from? I can't imagine a single soul by that name residing in Warrington, though a bit of searching with the Famous Engine reveals there was at least one person with this name. Not from Warrington though.
But I digress. The address matches with the postal code he gives. I won't ring the phone number, but my BT Phone Book Companion tells me the number is indeed in Warrington. It's all so realistic that I have to redo the whois query:
    inetnum:      116.224.0.0 - 116.239.255.255
    netname:      CHINANET-SH
    descr:        CHINANET Shanghai province network
    descr:        China Telecom
    descr:        No.31,jingrong street
    descr:        Beijing 100032
    country:      CN
    admin-c:      WWQ4-AP
    tech-c:       WWQ4-AP
    status:       ALLOCATED PORTABLE
    mnt-by:       APNIC-HM
    mnt-lower:    MAINT-CHINANET-SH
    mnt-routes:   MAINT-CHINANET-SH
When completed, the account is empty, but that is soon amended. (Actually, there is a 1 1/2-hour delay here.) Using a different computer (as in, there are no records for him doing it here), he deposits $233 using another shady Yahoo email account.
Next is a transfer of $180 to Captain Cooks Casino, and he's good to go at 4:00 A.M. exactly.
Twenty minutes later he's finished with the game. Has he lost all his money or doubled it? I can't tell from the screen shots. He deletes the game from the computer, and that was that.
Curiously, there was also a login from a server in the United States, in whose clipboard was the same username and password as were made up by the person from China. Are they by any chance related?
(*) Not a link! Because ever since this blasted site was visited I have been bombarded by their nameservers?!? ns1.tyania.cn and ns2.tyania.cn. Why?!?
Update
I was clearly born in the days of pink clouds and happy elves dancing on toadstools.
Gambling in casinos with online accounts is a way of whitewashing money obtained from e-crime. The idea is as follows: the proceeds of your crime are in, say, account A and your legitimate account is B. Now you log into the casino through one computer as player A with account A, and on another computer B with account B. Player A then proceeds to lose big against player B. Continue until account A is depleted, and account B the proud owner of legally acquired lolly.
Crafty. No wonder Harlow was so cross when I changed the password on his egold account ("Account A" in the above analogy). "Please tell me drive the password of moneybookers that you steal, anyway you are too useless.If there is demand pleasing to contact with me." he wrote in an email.