Topic: [joe is dead] http://findmeifyoucan.eu - page 5. (Read 7094 times)

Hey guys,

just got up (hint, hint). yawn.

You seem to have found some info on the VPS even I didn't know (couldn't care less where its located).

I think the basic concept is pretty sound: I'm using that VPS for everything: to host the page and as a proxy. I olny ever connected to it via tor (hopefully). So when the VPS is compromised, I should still be secure.

Things I've learned from you guys (and own thoughts) so far:

• reevaluate use of lastpass, it's a risk, lastpass inc. could be subpoenad or whatever into slipping me custom code or there already is a backdoor of sorts that could leak info, who knows
• isolate joe on the client system better (currently all I do is use a seperate user) and make sure the client can only connect through tor, maybe at the router or something. There's currently the chance that I might accidentally connect through the parent network and reveal my IP to the VPS. Maybe use a virtual machine. Protect it (or /home/joe at least) locally so your visitors or the people you live with don't accidentally find joe. Always unmount /home/joe, shutdown the Virtual Machine when leaving machine physically. Maybe put /home/joe or even a whole system on a usb stick or use an old laptop for joe so he's portable (some secure distro, suggestions?)
• Watch your language, always be very conscious who you are, don't post drunk, avoid using phrases/language the real me notoriously uses,...
• What MysteryMiner said: "The problem of staying hidden is not in the short term. In long run you get comfortable, relax on security, reuse the same address or e-mail or whatever [...]"

I'm upping the bounty to BTC 14 for now. I might lower it again at some point when I intentionally leak more info that'd make it easier.

All I need is a French-speaking lawyer?

Dear OVH France; Dear Patrick Strateman;

On or about 22:26 October 27 2012, my organization was slandered by a user connecting through IP address 188.165.73.235.
Please see the attached slander lawsuit and notice of pre-litigation subpoena for tortious activity demanding identification of and corroborating connections for any and all IP connections on or about this time originating from and connecting through the "Bitcoin Virtual Private Server" service momentovps.com corresponding with this access through your services.

imgur strips all exif data

Amazon has a big datacenter in Dublin, I guess he (she?) is using a virtual computer in a cloud to access net/keep the www-server up?  

[/quote]

Or, more likely, Ovh:
http://www.plotip.com/ip/188.165.73

https://www.ovh.co.uk/dedicated_servers/


But that does not lead us to him... unless we have an insider in ovh ;-)

One more trivial thing to do when hunting someone:
(note: this should be run from a non-consumer network connection; some of the ports are filtered by my ISP)
-----------------
xxx@xxx:~$ nmap -v -A 188.165.73.235

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-28 09:13 EET
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 09:13
Scanning 188.165.73.235 [2 ports]
Completed Ping Scan at 09:13, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:13
Completed Parallel DNS resolution of 1 host. at 09:13, 0.01s elapsed
Initiating Connect Scan at 09:13
Scanning 188.165.73.235 [1000 ports]
Discovered open port 80/tcp on 188.165.73.235
Discovered open port 22/tcp on 188.165.73.235
Increasing send delay for 188.165.73.235 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Completed Connect Scan at 09:13, 16.00s elapsed (1000 total ports)
Initiating Service scan at 09:13
Scanning 2 services on 188.165.73.235
Completed Service scan at 09:13, 6.12s elapsed (2 services on 1 host)
NSE: Script scanning 188.165.73.235.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:13
Completed NSE at 09:13, 0.85s elapsed
NSE: Script Scanning completed.
Nmap scan report for 188.165.73.235
Host is up (0.056s latency).
Not shown: 988 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 c9:7b:57:ea:06:c1:57:e6:51:ea:d5:8a:1a:aa:96:59 (DSA)
|_2048 22:d5:a9:44:18:b2:82:42:ef:58:57:07:1b:5d:d5:dd (RSA)
25/tcp   filtered smtp
80/tcp   open     http            nginx 1.1.19
|_html-title: find me if you can
445/tcp  filtered microsoft-ds
1723/tcp filtered pptp
6666/tcp filtered irc
6667/tcp filtered irc
7000/tcp filtered afs3-fileserver
7070/tcp filtered realserver
8000/tcp filtered http-alt
8001/tcp filtered unknown
8002/tcp filtered teradataordbms
Service Info: OS: Linux

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds

----
Oh, I was a bit careless..
xxx@xxxx:~$ 188.165.73.235
-----------

On the screenshot he posted he has the payment he made for it. So yeah.

Amazon has a big datacenter in Dublin, I guess he (she?) is using a virtual computer in a cloud to access net/keep the www-server up?  

Edit: Too new site for Wayback machine:
http://wayback.archive.org/web/*/http://findmeifyoucan.eu

Yeah there was a name on there too somewhere I ran across it Olav or something. Thats just the owner of the host though I think so kinda pointless.

Some information digged from findmeifyoucan.eu:
-IPaddress matches the address theymos releaved (188.165.73.235), ie he is running the www site on the computer he is using. Or he is using a proxy. Using a proxy would make the following go wrong:

-traceroute to that address would give a hint he might live in Frankfurth?
-http://www.iplocation.net/index.php says he lives in Dublin, Ireland. https://maps.google.com/maps?q=DUBLIN,,IE

Nite69
-----------------
xxx@xxxx:~$ dig findmeifyoucan.eu

; <<>> DiG 9.8.1-P1 <<>> findmeifyoucan.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20274
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 16

;; QUESTION SECTION:
;findmeifyoucan.eu.      IN   A

;; ANSWER SECTION:
findmeifyoucan.eu.   14241   IN   A   188.165.73.235

;; AUTHORITY SECTION:
findmeifyoucan.eu.   86240   IN   NS   ns1.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns2.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns3.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns4.domains4bitcoins.com.

;; ADDITIONAL SECTION:
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.173
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.174
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.229
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.230
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.96
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.97
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.44
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.45
ns3.domains4bitcoins.com. 28640   IN   A   67.15.47.188
ns3.domains4bitcoins.com. 28640   IN   A   67.15.47.189
ns3.domains4bitcoins.com. 28640   IN   A   67.15.253.219
ns3.domains4bitcoins.com. 28640   IN   A   67.15.253.220
ns4.domains4bitcoins.com. 28640   IN   A   184.173.150.58
ns4.domains4bitcoins.com. 28640   IN   A   184.173.149.221
ns4.domains4bitcoins.com. 28640   IN   A   184.173.149.222
ns4.domains4bitcoins.com. 28640   IN   A   184.173.150.57

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 08:30:11 2012
;; MSG SIZE  rcvd: 399
-----------------
xxx@xxx:~$ whois findmeifyoucan.eu
---clicketiclick---
Registrant:
   NOT DISCLOSED!
   Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
   Name:   Domain Manager
   Organisation:   PublicDomainRegistry.com
   Language:   en
   Phone:   +1.2013775952
   Fax:   +1.3202105146
   Email:   [email protected]


Registrar:
   Name:    PDR Ltd.
   Website: www.publicdomainregistry.com
------------------
xxx@xxxx:~$ traceroute 188.165.73.235
traceroute to 188.165.73.235 (188.165.73.235), 30 hops max, 60 byte packets
----clicketiclick------

 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * ae-63-63.csw1.Frankfurt1.Level3.net (4.69.163.2)  45.509 ms ae-83-83.csw3.Frankfurt1.Level3.net (4.69.163.10)  51.131 ms
14  ae-2-70.edge5.Frankfurt1.Level3.net (4.69.154.73)  46.881 ms * *
15  * * *
16  * * *
17  vss-6a-6k.fr.eu (91.121.128.40)  62.731 ms  62.911 ms *
18  * * *
19  188.165.73.235 (188.165.73.235)  58.420 ms  58.759 ms  60.247 ms

-------------------------------

joesdc ? that one? I thought that was a bit obvious and discarded it lol.

Administrative Contact:
Morgan, Joe [email protected]
Joe's Datacenter, LLC
324 E. 11th St
Suite 2625
Kansas City, Missouri 64106
United States
+1.8167267615

thats what I found on that one, but that was a 2 second search.

Joe of Joe's Data Center in KC. Reason is obvious, couple with Joe DC also joining in the summer. The address is 324 East 11th Street, hence you using Joe23.

Good point, and the electrum server should be pretty safe. Things I have done to remain anon in the past. Go to a cloud desktop site and download onto that desktop a copy of vm. Most cloud sites only store the info for a hour or 2 then overwrite it.

So you would be on your PC > Cloud Desktop > VM > VM > TOR.

If you have to post any pics use screenshot so you dont bleed metadata. Also, when typing information online, I would actively focus on what you are saying, you can analyze a persons way of speaking to relate to other posts. Many people use the same phrases or references when talking about trivial subjects. Also, use separate anon services in case the gov got bold and seized servers, they would have to raid more than 1 place.

Edit: I failed to mention the obvious, use someone elses internet in case all else fails

The address in UK is address of VPS hosting service. Even if that server is compromised and monitored Joe will be connecting it with Tor.

DEA using blockexplorer to follow transactions on blockchain? I could train a monkey to click these addresses with equal success and receive government paycheck.

Probably using blockchain.info to see origination IP address of transaction can possibly lead at least to Electrum server. If the server is not running as .onion address.

sent some bitcents for your great effort so far.

Now for finding me through the blockchain: I cleaned the coins using SR. That means all inputs of transactions contributing positively to my balance are owned by SR.

I deposited a higher balance to SR from my private wallet than I withdrew to joes wallet to make same-amount-attacks a lot harder if not impossible. I waited between deposit and withdraw, making timing attacks harder, if not impossible. Safe?

1B15JZGtHg4BvbzGdPGKZi7aunR4cpN5jE

Is mine, I checked through everything, the site has 2 open ports but it looks they are both on a host who takes btc so pretty fully anon there. Traces to it bring up ireland which means nothing really. You do however use "joe" which is a commonly used shortened name used in the USA so I would be inclined to think you are here. There is a way I think to find you through the block chain (but would be a huge pain in the ass) I started to do it but then I saw you mixed it more than once and said screw it not worth it. But I could total up the transactions received on the mix, add the % for the mix to that then look for the originator of that balance. (I think thats how the DEA is following people on SR)

sent you some.

lastpass of course I use not only for VPS, but also domain name service and tormail.

Yes it have autofiller and such features. Take a look for KeePassX that is a Linux version. The plaintext file with passwords is usable but if someone gains access to computer it can steal all passwords.

Anyway this is not a scope of this thread. The thing we need to know is that Joe uses Lastpass to manage the logins for the VPS.

My address is 1Aiq9FYv12GQjM9LeBHoNq9c3FfFaA4GTA
Thank You!

MysteryMiner, I would like to give you a little token of appreciation for your great input. So if you want that, give me an address.

fuck wine . Does keepass help with filling login forms in the browser? If not, a text file is just as good, right?

Are there better alternatives to lastpass?

The classic 1.x version was tested on Wine and it worked. According the 2.x version works under Mono but I have not tested that. So it is not exclusive to Windows.Closed-source. You don't know if it works correctly or have no backdoors. It is suboptimal design for password storage. The synchronization is convenient but it is a tradeoff of security.