January 31st, 2006
Carfiliot seems a bit iffy about looking at stuff from Dork, so Im not sending him any more of it. But Ive had the idea to saerch the whole of the files for ‘ginger’ and see if its mentioned. It took a total age and nothing then i thouht what about Wastbasket and it was worth the while there was a file with a list of jpg urls includeing carfilhiot.co.uk in off course the ginger subdirectry so I went thru all the urls and mostly all of them were 404’s but two sets had the same pictures as the ones in Carfs web site.
January 23rd, 2006
Heres another picture from the set that had the ginger pic in it. This one and the prevous one are both photoshoped from photographs. I think the APACHE chopper is photoshoped in too. Because one of the piccys in the temprary internet files is a color photo thats a lot like the burning car in the piccy. and that comes off one of the palestine supporters sites.
Ive spent the last two days looking at evrything in Dorks filestore. It does’nt amount to much. Off course theres the usual Wndows garbage. Its a Dell running Win98ME which is well past its sellby and a slow 500Mhz cpu. The temprary internet files is vast but mostly not intresting.
One thing I was worried that they might have been looking at Carfilhiot, but I checked before I sent Saturdays stuff to Carf, and no they havent.
My Documents had a lot of crap in it but all in English and mostly Word docs about bank and credit cards which I have sent to Carfilhiot too. Thats up his street!!!
January 21st, 2006

I just copyed all the file store from the machine - I call it Dork - to my own, via Carfilhiots ftupload directry. Now I got to go thru it all and see wots wot.
I took like a risk last night and instaled another vnc service under a diffrent name so I can get into the machine anytime I like. At the same time Im doing the filestore Im watching Dorks screen out the corner of my eye and I wake up evry time someone uses it. One of the usrs likes porn and Ive seen some stuff I didnt know was possible.
But most of them use sites with foreign (I spellchecked that one) languages (and that) on then wich I suppose its arabic but sometimes not. Lots of piccys of guys with balaklavas and teacloths on their heads running about with guns and rockets.
Emailed Carfilhiot with the story so far and the vnc psw so he can see whats going on.
January 20th, 2006
When youre in vnc you can actually use the target machine like its local. But you have got to be careful because if they see you move the mouse or type in they smell a rat. Because its likely in the US, I waited till the screen was still and all the US should be in bed and checked local time zone which is GMT -5 - Eastern Standard I think - New York etc - and you wonder.
The next thing is when youre in VNC you can see the filestore and the email and everything - you really own that machine. I found the picture thats on Carf’s web site and three others in the same directory - same kind of thing with the code.
I dont know if the machine Ive captured is a private one or a public, but its in use a lot mostly for all sorts different sites on the internet so I think its public or at least shared.
Anoter thing is the keyboard hits and the mouse moves are difefrent from one use to another so I am almost sertain that its all diffrent users. And its been switched on 24 hours so far. Lets hope its 24/7.
January 19th, 2006
Result! Someone used the old VNC with the hole in it on just one of the macines that was accessing the photo that we think is put there by Ginger - one that did a lot of acces, so now I have the screen of that machine in a window of mine. Its an IP that ought to be in the US. Often site maintenance people will put a vnc service on all the machines their servising so they can do fixes over the internet without traveling to the place were the machine is. I think thats it. They have probly forgot they did it by now.
January 18th, 2006
I do’nt beleive its still runing. But it is and I have no idea how far its got.
[later] Spoke too soon. It completed at 15:07 today. No vulnerabilities.
Ive been thinking about vnc and wether any of the IP machines have it on. Because there’s a hole in VNC. So I set up a script that tries each IP with a modified vnc connect. Its not like you can just connect without having a password. Its a bit more complicated or evryone would be doing it already. hehe
January 16th, 2006
Its still going! Nothing yet.
January 13th, 2006
Modifyed a little program in java that checks thru a list of IP’s and tries a few tests to see if their zombies. Thres a few well-known things you can try-
- EMBO-27
- Consolidater
- zombo3
- Mother
with a set of port / user / psw people have used before.
It comes on a file and I got it all from a mate at Computer Club. It takes ages to run the prog because some of the IP’s close down so often and you have to re-conn. Thats why it is best to make it auto.
January 11th, 2006
No progress with this code. I dont supose its possible for us to decode it. I sent it to the realy clever kids at Unforum which are well expert at this stuff but no result.
So, anyway I’m going to start working through all the IP addreses that have accesed the piccy, and see what I can find out.