
Face to Face with the Hacker Types


« Last Part »
Translator: Reza Madadi
Date: 1 Ordibehesht 1383
Authors: Cyrus Peikari, Seth Fogie

THR34T Krew: Day Two, Night


After a pleasant afternoon with the family, I was ready to attack the dump file (the file of information that had been collected from the site). Using a filter, I loaded the file so that it showed only data that had gone to or come back from the IP address of the hacked server. Once the file had loaded (which took a few minutes), I immediately turned my attention to the IRC traffic. As I had guessed, a session had certainly been opened between an IRC server and the hacked server. As shown in Figure 3, the room name and the general kind of activity that the IRC daemon Trojan horse appeared to have carried out for sending and receiving were easily recognizable.

www.WebSecurityMgz.com

Figure 3: Captured IRC packets

While I had hoped to obtain more information, such as the usernames and passwords needed to activate the Trojan horses on the server, the dump file I had prepared had turned out to be devoid of any useful, valuable information, so I ran mIRC and configured it to connect to the suspicious IRC server. When the connection was established, it became clear that this server was not an ordinary, everyday chat server. My first thought was that this server was a warez-type IRC server, one that in fact is normally used as Internet software for trading rooms. Using the /List command, I obtained the public channels. The room listing confirmed my opinion, but as with many things in life, you can't judge a book by its cover!


Using the captured data, I identified the room I was looking for (#tkworld), so I typed /join #tkworld, but I was told that I needed a password. I tried a few obvious passwords, but they weren't right. Next I tried to connect to #tkworld1, which had also shown up in the dump file. It worked. I was in! As I was laughing to myself with excitement, the moment the member list loaded my laughter quickly turned into a short gasp (of surprise), because I realized that hundreds and hundreds of other people were in that room with me.

It gradually became clear to me that my client's server was only one of hundreds, perhaps thousands, of infected computers connected to this chat room. I was shocked. Page after page was filled with login handles scrolling past my eyes. Accompanying each handle was a name that began with TK and ended with a regular, incrementing combination of letters and digits. Little by little I understood that my client's hacked server was probably one of the first victims of a new worm.

While still in the room, I began looking at the user information to see whether I could learn something new from it. As you can see in Figure 4, the user information basically shows that anyone infected with this IRC Trojan horse is brought in under a Tkbot name (or THR34T Krew's bot, depending on how you look at it).


Figure 4: IRC client information

Late Friday Night with [][][] |v| (DOOM)


Although I had managed to get into a private chat room, this victory was very short-lived. Not more than five minutes had passed before I found myself kicked out of #tkworld1. I tried to get back into the room, but the room appeared to be locked. I kept trying to find a way into the room and was getting desperate when I suddenly noticed that a new room named TK had appeared. I quickly joined that room (no password was required) and there found a user with a hacker name that I had also seen in the #tkworld1 room and in the dump file (see Figure 3). However, since the name was cryptic, I could not be certain that it belonged to a real person. Somewhat informally, I sent a message first to the room and then directly to the name in question, asking whether he was a real person or just another bot. To my great surprise, the string [][][]|v| came back as the reply.

To make a long story short, our conversation ran on several fronts. At first DOOM was very curious to know who I was, how I had got there and what I knew about #tkworld. In reply I told him a short version of what has been related so far, and then asked him what he knew. Unsurprisingly, he was very vague in his answers, but he let slip several juicy morsels of interesting information!
- He had set up the chat server for one of his "friends".
- The TK worm had only recently been released and the chat server had been online for only several hours.
- The IRC worm is installed as a service.
- The worm is built to spread by exploiting IIS weaknesses.
- His IRC program was named THr34t IRC.
- He was still in school and lived in England (probably a lie).

The conversation lasted about half an hour, with discussion of various topics, but finally ended with a question from me. My question was whether I could obtain a copy of the Trojan horse files and whether he could give me the password to the #tkworld rooms. Both requests were politely refused, but I had gathered a great deal of information and could use it to start searching for my answers. I signed off from the room and went to get some sleep.

Infected with TKbot: Saturday Morning


Now I had a lead and could directly find out what the Trojan horse does. So I brought up Windows 2000 inside VMWare and loaded the tk1.exe file that I had obtained via the Ftp server. Taking a deep breath, I readied the screen-recording and file-monitoring programs and double-clicked the Trojan horse file. First a momentary exit occurred in Windows (Figure 5), and then the screen returned to normal. A quick NetStat and a check of the Task List showed that I was now one of the victims of the THR34t Krew's IRC worm.


Figure 5: Screen display from installing TK1.exe

After examining the system for changes, I noticed that with a single run, the file had turned into 30 files and had taken in programs, settings and services that start with the computer. These services include a configured mIRC program, an Ftp server and a complex IRC script. When I examined the files a little more closely in NotePad, I noticed that many of the files were written in plain, readable text. Fortunately, within the text I quickly recognized several passwords.

My next step was to test the passwords, so I returned to the chat server. With some luck, one of the (private) passwords worked and I was able to enter the chat room. Once in, I immediately changed my nickname so that it resembled the other algorithmically generated names (such as TK^8376 and TK-=-887). Then I began examining the chat room and its contents to glean a bit of information.

After several minutes, I realized that my efforts were futile. Although I could probe the other handles for information and could even obtain their IP addresses by port-scanning their Subnet on port 1297 (the Trojan horse's port), I was unable to get any response from the room. The next step was to go back to my infected Windows 2000 system to examine more files.

I started with the file that contained the IRC script and that, as I supposed, controlled the IRC bots. I scanned the script and concluded that the script, together with an IRC bouncer server opened on port 1297, were the main culprits behind the IRC bot. To prove this, I began my examination of the script with a command that I could use to test the other Tkbots that were with me in the secret chat room. To my disappointment, I found the following line among the commands:

    if ($level($address($nick,9)) != 100) { halt }

In other words, until I was an operator on the server, I would have no power to command the bots. Although this was a bit of bad luck for me, I had to admit that it was a wise decision on the part of the script's author. I mean, without such a command, if I owned 1000 computers I could cause a great many kinds of trouble.

Nevertheless, I next decided to examine the power of the script in a controlled environment. To do so, I brought the script up in mIRC, edited out all the restrictions and replaced them with my own commands. When I ran the script, it connected to another IRC server and created my own personal chat room. After several minutes of debugging, my script was built.

In the course of this exploration I noticed that the writer of this Trojan horse's script had done an excellent job of mass-producing a very powerful remote-control program. Using simple one- to four-letter commands, one person is able to probe a computer to obtain statistics, upload and download files, run programs on the controlled servers, and even order the server to search the Internet for other vulnerable computers.

What follows is the command and alias that obtains the estimated speed of the network the server is on:

    if ($1 == !netspeed) { netspeed }

    alias netspeed {
      set %nsp $nc
      write -c netst.bat netstat -e >stt.tx
      run netst.bat
      .timer -m 1 9950 once
    }


The first line contains a filter that captures text entered by the channel operator. If the operator types the word !netspeed, this line runs the code inside alias netspeed. That code contains commands that run NetStat and store the results in a file, then return the file to the IRC chat room.

The list of things these commands do follows:
- Run a UDP flood
- Run a file
- Gather Hard Drive statistics
- Run a flood attack against a Web Site
- Create Server lag
- Run IRC commands
- Destroy the server
- Run an open-port query
- Control the BNC (the Trojan horse installed on port 1297)
- Run a scan for vulnerable computers
- Run Download and Upload commands
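As an added example (not code from the article or from the Krew's script), here is the analysis described above in Python from the defender's side: filter dump records down to those touching the hacked server, pull channel names and operator `!`-commands out of the IRC lines, flag nicks that follow the TK naming pattern, and count hits on the bouncer port 1297. The records, addresses and the `parse_irc_line`/`analyze` helpers are constructed for this illustration.

```python
import re

# Constructed sample, not data from the article: each record is
# (src_ip, dst_ip, service_port, IRC line) as one might pull from the dump.
# Addresses are RFC 5737 documentation ranges; nicks follow the page's TK pattern.
HACKED_SERVER = "192.0.2.10"
SAMPLE_DUMP = [
    ("192.0.2.10", "198.51.100.7", 6667, ":TK^8376!tk@192.0.2.10 JOIN :#tkworld1"),
    ("192.0.2.44", "198.51.100.7", 6667, ":TK-=-887!tk@192.0.2.44 JOIN :#tkworld1"),
    ("198.51.100.7", "192.0.2.10", 6667, ":DOOM!d@198.51.100.7 PRIVMSG #tkworld1 :!netspeed"),
    ("192.0.2.10", "198.51.100.7", 6667, ":TK^8376!tk@192.0.2.10 PRIVMSG #tkworld1 :netstat done"),
    ("203.0.113.5", "192.0.2.10", 1297, ""),              # inbound hit on the BNC port
    ("192.0.2.10", "203.0.113.9", 80, "GET / HTTP/1.0"),  # unrelated web traffic
]

BOT_NICK = re.compile(r"TK\W*[A-Za-z0-9]+")  # TK + symbols + counter, e.g. TK^8376, TK-=-887
IRC_LINE = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+(?P<cmd>[A-Z]+)\s+(?P<args>.*)$")

def parse_irc_line(raw):
    """Split ':nick!user@host CMD args' into (nick, CMD, args); None if not an IRC line."""
    m = IRC_LINE.match(raw)
    return (m["nick"], m["cmd"], m["args"]) if m else None

def analyze(records, hacked_ip, irc_port=6667, bnc_port=1297):
    """Collect C2 indicators from the records that touch hacked_ip."""
    report = {"channels": set(), "bot_nicks": set(),
              "operator_commands": [], "bnc_connections": 0}
    for src, dst, port, raw in records:
        if hacked_ip not in (src, dst):
            continue                          # the to/from-server filter from the article
        if port == bnc_port:
            report["bnc_connections"] += 1    # traffic to the bouncer the bot opens
            continue
        if port != irc_port:
            continue
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        nick, cmd, args = parsed
        if BOT_NICK.fullmatch(nick):
            report["bot_nicks"].add(nick)
        if cmd == "JOIN":
            report["channels"].add(args.lstrip(":"))
        elif cmd == "PRIVMSG":
            target, _, text = args.partition(" :")
            report["channels"].add(target)
            if text.startswith("!"):          # controller command such as !netspeed
                report["operator_commands"].append((nick, target, text.split()[0]))
    return report
```

Note that the second record is dropped by the server filter even though its nick matches the bot pattern; run the same records without the filter to see the full bot population.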

Th34t: Day Three, Night


Describing the power of this IRC script goes beyond the aim and scope of this article. If readers are interested in the subject of the power of IRC scripting, please say so and I will probably prepare an article on that topic.

During the time I was examining and testing the power of the TK script, I remained in the #tkworld channel. My intention was simply to record any activity and anyone who was in or entered it. While I was connected, I noticed that after several hours the number of Tkbots had begun to decline. Among those disconnecting I noticed someone named DiCise who had connected and then disconnected. The interesting thing about this person was that in his IRC program he had configured his quit message so that the following message was sent:

    "Can j00 f33l tha THR34T? I g0t th3 p0w3r 0f r3wt"

The first thing in the message that caught my attention was the very familiar word THR34T. Like a shot in the dark, I quickly opened www.google.com and ran a search for this unusual word. After reviewing the results I clicked on one of the promising links and was met with the following page (Figure 6).

Figure 6: THR34T security crew's web page (no longer Online)

It was here, on seeing the site, that I fell off my chair laughing! Nothing matched what I had in mind, and I was quite sure that the THR34T security crew site did not have much information about the IRC Trojan horse. Probably the conversation with DOOM related earlier, the IRC program he used and the good-bye message from DiCise had not been enough, and I realized that I needed to examine the TK Disto Ftp server install files carefully in case there was a login ID named DOOM. In your opinion, where have we overlooked the obvious?

Summary


At this point, further research and investigation was over for me. I had found everything I wanted to find. WHOIS yielded nothing of value for me, I did not have the server's log files, and THR34T had vanished. Just when it seemed that the spread of the hacker's IRC-bot Trojan horse would take over everywhere, the horse stopped. On my last visit to the hacked IRC server (25 November 2002), #tkworld still had a few residents.

Finally, a big lesson can be learned from our hacked server: if a computer is not properly maintained, many unpleasant things will happen to it. Whether the problem is a virus, a worm, a Trojan horse or even all of them, you need to guard your assets vigilantly. When one of a server's main jobs is to provide a large source of entertainment, one has to doubt that server administrator's thinking about the security of e-mail, business data and the like.

Although I cannot be sure of THR34T's actual role in creating and distributing this worm, it does seem that they know something about it. Unfortunately all e-mails to DOOM bounced and their web site no longer exists, so I suppose I will not learn anything more about it.

While reviewing this article for submission, I decided to take another peek at the hacked IRC server. To my surprise, I saw that the site was in full swing. Hundreds of personal computers had logged into it and others were joining every few minutes. I lingered on the site for a while and noticed that a few real people were on the server with me. After several conversations, during which I was fed very scant and incorrect information, and after finally being knocked Offline for about 10 hours by a DDoS attack, one of the Thr34t Krew members at last took pity on me and had a good conversation with me. He told me everything about the Krew, the level of security they had put in place to preserve their anonymity, and also about the power and reach of their network. He also told me that, because of my probing, they intended to wipe the IRC server and move to another one.

In short, this 16-year-old and the other 10 members of (his) Krew had built a Trojan horse/worm with far more power and reach than some governments.

Welcome to the future, where ownership will be a matter of perspective and power will be determined by the number of computers and the reach you hold under your control.

Thanks for finally stopping the DDoS attack!

