version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 csum= ctime=1597119585 host=38.87.162.8 name=Openbsd.Police rev=3 targets= text=(:redirect police/intro:)%0aHere are the rules:%0a%0a# Never break the law%0a# Avoid reporting to the police unless someone is in physical danger%0a# Don't do this from home: use a VPS, shell account, or bouncer%0a# Never reveal any personally identifiable information%0a# If you make a phone call, use a company phone to hide your number%0a# If you send an email, use a disposable email or company email%0a# If you visit a shady website, disable all JavaScript%0a%0aSetting up irssi to connect via tor (rcctl start needs the daemon name, so the tor service is named explicitly):%0a%0a[@%0a$ tmux%0a$ doas pkg_add tor torsocks irssi%0a$ doas rcctl enable tor%0a$ doas rcctl start tor%0a$ torsocks irssi%0a%0a/set real_name %3crealname>%0a/set user_name %3cusername>%0a/set nick %3cnick>%0a/set ctcp_userinfo_reply mIRC 7.61%0a/set ctcp_version_reply mIRC 7.61%0a/set autolog on%0a/save%0a@]%0a%0aYou can use something besides mIRC 7.61 for the ctcp reply. Just pick something realistic-looking other than irssi.%0a%0aIn order to infiltrate a criminal network, you will need to do some research. Figure out what they are interested in (ddos attacks, phishing, credit card fraud, spamming). Try to understand what language they speak, what they are passionate about, and see if you can strike up a conversation with them. This helps build trust so they will be willing to share more information.%0a%0aUse a little creativity. Don't commit any crime, and don't suggest they commit any crimes. However, feel free to chat with them, ask them how they are doing, what hobbies they enjoy etc. Try to ask them for information to learn more about them, but...be subtle, be subtle! I recommend you avoid lying. However, you are welcome to change your persona. Use a new dialect. If you normally chat using formal English, use lots of slang. Talk like someone their age. 
Spell things wrong on purpose if it helps you fit in. Go ahead and use bad grammar if it helps. Feel free to use Google translate for the conversation. Have fun!%0a%0aFirst, make sure you have proof they have committed a real crime. If there is no evidence, then stop collecting logs. If there is proof, then collect as much data as you can. Make sure you have logging turned on. Figure out what networks they join, what software they use, what servers are their hubs. Data you want to collect:%0a%0a# Real legal name%0a# Age, date of birth, phone number, home address, social media accounts%0a# Business, education background, what software they use (irc daemons, irc clients, irc bots)%0a# What crime networks they connect to: IP addresses, domain names%0a# Their criminal friends%0a# Source code of the software they use%0a%0aDocument everything.%0a%0aYour biggest tool is your brain. Look for clues. For example, use /list to see which channels exist on the network. Join some of them and see who is around. Are there any bots? What are their IP addresses? Who hosts them? Type /who #channel to list all the users within a channel. Type /names to see all the nicks in the channel you are in. Type /whois nick to get more info about a user. However, be careful, as some ircds may notify the admin when a user runs the /whois command. It helps to hang around in a channel for a few weeks.%0a%0aFor example, suppose you found the IP 1.2.3.4 is hosting an IRC command and control botnet for crime. You can run:%0a%0a[@%0a$ whois 1.2.3.4%0aVPS Hosting Generic VPS-INC (NET-1.2.3.4) 1.2.3.0 - 1.2.6.0%0a@]%0a%0aThis tells you that the server is hosted with Generic VPS, Inc. So, head over to Generic VPS's website and go to their abuse page and contact them. Send them an email to support@ or abuse@example.com, call their phone, chat with them on live chat, fill out a support ticket. 
Do whatever it takes to let them know that their customer is using the VPS for illegal purposes and needs to be shut down.%0a%0aSuppose you realize that the domain example.com is being used for the illegal botnet:%0a%0a[@%0a$ whois example.com%0aDomain Name: EXAMPLE.COM%0aRegistry Domain ID: D1234567890%0aRegistrar WHOIS Server:%0aRegistrar URL: http://www.genericregistrarexample.com%0aUpdated Date: 2020-05-06T00:41:36Z%0aCreation Date: 2018-04-15T05:08:12Z%0aRegistry Expiry Date: 2021-04-15T05:08:12Z%0aRegistrar Registration Expiration Date:%0aRegistrar: Generic Registrar Ltd%0aRegistrar IANA ID: 12345678%0aRegistrar Abuse Contact Email: feedback@genericregistrarexample.com%0aRegistrar Abuse Contact Phone: +1234567890%0aReseller:%0aDomain Status: ok https://icann.org/epp#ok%0aDomain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod%0aRegistrant Organization: Hacker Inc%0aRegistrant State/Province: CA%0aRegistrant Country: US%0aName Server: NS1.EXAMPLE.COM%0aName Server: NS2.EXAMPLE.COM%0aDNSSEC: unsigned%0aURL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)%0a>>> Last update of WHOIS database: 2020-05-07T13:23:58Z %3c%3c%3c%0a@]%0a%0aThis tells us that the domain example.com was registered by Hacker Inc with the registrar http://www.genericregistrarexample.com, and that abuse should be reported to feedback@genericregistrarexample.com. So, go to that website, file an abuse report, send them an email, go on live chat with them, make a phone call -- do whatever it takes to get their attention so that the domain is taken down. In one particular case, I had to email the registrar 6 times, file 6 tickets, make 3 phone calls, and go on live chat twice. It took me over two weeks. But finally the domain got suspended.%0a%0aSuppose you see one of the criminals joining like this:%0a%0a[@%0a14:25 -!- hacker [thief@shell.example.com] has joined #illegal%0a@]%0a%0aBased on his vhost mask, you can tell that he's connecting from shell.example.com. 
Use a browser with JavaScript turned off (for example with NoScript or uMatrix) and visit that site. You find out that this is a free shell hosting provider. So contact the shell provider by email, phone, and IRC until they close the account. Make sure you give them the ident (in this case thief) and not just the nick (hacker); the ident is the word that comes right before the @ sign. If the shell provider doesn't respond, go one level up and find out who hosts the shell provider itself:%0a%0a[@%0a$ dig shell.example.com%0a; %3c%3c>> DiG 9.4.2-P2 %3c%3c>> shell.example.com%0a;; global options: printcmd%0a;; Got answer:%0a;; ->>HEADER%3c%3c- opcode: QUERY, status: NOERROR, id: 39025%0a;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0%0a%0a;; QUESTION SECTION:%0a;shell.example.com. IN A%0a%0a;; ANSWER SECTION:%0ashell.example.com. 300 IN A 192.168.0.1%0a%0a;; Query time: 295 msec%0a;; SERVER: 127.0.0.1#53(127.0.0.1)%0a;; WHEN: Thu May 7 22:01:41 2020%0a;; MSG SIZE rcvd: 57%0a@]%0a%0aThis tells you that the IP address for the server is 192.168.0.1. 
So you then run:%0a%0a[@%0a$ whois 192.168.0.1%0aOrgName: Cloud%0aOrgId: CLD%0aAddress: 123 Nowhere St%0aCity: Nowhere%0aStateProv: NY%0aPostalCode: 12345%0aCountry: US%0aRegDate: 2008-04-24%0aUpdated: 2019-06-28%0aComment: http://www.completelyrandomcloudexample.com%0aRef: https://rdap.arin.net/registry/entity/LINOD%0aOrgNOCHandle: LN1234567-ARIN%0aOrgNOCName: Cloud Network Operations%0aOrgNOCPhone: +1-234-567-8900%0aOrgNOCEmail: support@completelyrandomcloudexample.com%0aOrgNOCRef: https://rdap.arin.net/registry/entity/LN1234567-ARIN%0a%0aOrgAbuseHandle: LAS1234567-ARIN %0aOrgAbuseName: Cloud Abuse Support%0aOrgAbusePhone: +1-234-567-8900%0aOrgAbuseEmail: abuse@completelyrandomcloudexample.com%0aOrgAbuseRef: https://rdap.arin.net/registry/entity/LAS12-ARIN%0a%0aOrgTechHandle: LNO1234567-ARIN%0aOrgTechName: Cloud Network Operations%0aOrgTechPhone: +1-234-567-8900%0aOrgTechEmail: support@completelyrandomcloudexample.com%0aOrgTechRef: https://rdap.arin.net/registry/entity/LNO21-ARIN%0a@]%0a%0aThis shell provider uses a Cloud VPS. So, contact Cloud's abuse and support email, phone number, and go to their IRC channel. I spent about two hours chatting over IRC and sent around 4 emails. Do what it takes to make sure Cloud and the shell provider close the guilty accounts.%0a%0aSometimes you have an IP but you don't know who owns it. You can run this:%0a%0a[@%0a$ dig -x 192.168.0.1%0a; %3c%3c>> DiG 9.4.2-P2 %3c%3c>> -x 192.168.0.1%0a;; global options: printcmd%0a;; Got answer:%0a;; ->>HEADER%3c%3c- opcode: QUERY, status: NOERROR, id: 6039%0a;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0%0a%0a;; QUESTION SECTION:%0a;1.0.168.192.in-addr.arpa. IN PTR%0a%0a;; ANSWER SECTION:%0a1.0.168.192.in-addr.arpa. 
86400 IN PTR criminal.example.com.%0a%0a;; Query time: 4943 msec%0a;; SERVER: 127.0.0.1#53(127.0.0.1)%0a;; WHEN: Thu May 7 22:05:55 2020%0a;; MSG SIZE rcvd: 80%0a@]%0a%0aThis tells you that the hostname (PTR record) for that IP is criminal.example.com.%0a%0aOnce you get this basic information, use a search engine to gather more. Search their name, their network, their websites -- look for any software they might have written, anything about them that might be useful. Their nicknames might show up in old logs, and there may be malware associated with them. This research is very important for proving someone is guilty of a crime.%0a%0aIn your email, make sure to document the crime clearly and provide clear evidence. Use screenshots, videos, chat logs, whatever is most effective.%0a%0aMake sure that any screenshots or videos you send do not contain any of your personal information! Double check for your own safety. If you want, you can first email abuse@ircnow.org so our team can take a look.%0a%0aWhen you start filing reports, make sure you go in this order:%0a%0a# Take down domains%0a# Take down IRC servers%0a# Take down shell accounts / bouncers used by admins/criminals%0a# Finally, take down stolen servers and bots used for stealing%0a%0aThere are reasons why we must follow this order. Many times, when you report abuse, the providers won't trust your logs and will want to verify the crime for themselves. If you take down the bots and IRC servers before the admin can log in, he will be unable to see any evidence and he may think you are lying. Therefore, you want to preserve as much evidence as possible until the last moment.%0a%0aThe reason we take down domains first is because it causes the most disruption while still allowing you to connect to the IRCd for further spying. Afterwards, we can cause netsplits by taking down the IRC servers, and then take down his shell accounts / bouncers to cause confusion. We save bots and stolen servers for last because this is your evidence. 
Once you take these down, you will be unable to do anything else.%0a time=1644521811 author:1644521811=jrmu host:1644521811=38.87.162.8 author:1597120611=jrmu host:1597120611=38.81.163.143 author:1597119585=jrmu
Afterwards, we can cause netsplits by taking down the irc servers, and then take down his shell accounts / bouncers to cause confusion. We save bots and stolen servers for last because this is your evidence. Once you take these down, you will be unable to do anything else.%0a\ No newline at end of file%0a host:1597119585=38.81.163.143
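Review bot: the reverse lookup introduced with "Sometimes you have an IP but you don't know who owns it" (the `dig -x 45.79.78.155` block) does not establish ownership. A PTR record is published by whoever controls the reverse zone for that address block and can carry any hostname, so it only tells you which name the IP maps back to, which is what the sentence after the block correctly states. Ownership is what the `whois 45.79.78.155` output just above it gives (OrgName, OrgAbuseEmail), so suggest rewording the lead-in to "you don't know what hostname it maps to" or pointing the reader back at the whois step. The same caveat applies to "Based on his vhost mask, you can tell that he's connecting from gprs1.telecom.ronsor.pw": a vhost is a virtual host that the network or the user may set, so it is a lead to be confirmed (as the text then does with dig and whois) rather than proof of where the connection originates, and an abuse report should present it that way.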