Chewy ruko

Introduction

This is a compilation of the reasons I think you should investigate the player known as "Chewy ruko": he has repeatedly tried to DDOS my alliance's services and fleet commanders to gain advantages in-game, appeared to use input broadcasting on multiple occasions, and appears to use python injection.

General Info

Main character: chewy ruko
Known other characters: StrigoiuCacacios, OhuGohu, MataChioara, Piticul Porno, Sifoane, furyloy, Labyrnth

Timeline of our interactions with him

The events described in this email take place over the period of May and June 2015.

Logs are included to demonstrate timing and interactions between players; server logs are in UTC where not specified, emails are in CEST.

2015.05.15 - Intercepted alliance mail asking for Skype/IP data

When we started fighting Drop the Hammer, he sent out the following alliance mail:

From: chewy ruko  
Sent: 2015.05.15 16:23  
To: Drop the Hammer,

500m for Lacco, wheniaminspace skype id ; 250m for pizza ts3

http:// (LINK INTENTIONALLY BROKEN) members.cyno.link/srp_request/1B000ABA

submit it there  

This appears to be a call for members to get him the Skype IDs of PIZZA fleet commanders and the IP addresses of PIZZA services in exchange for ISK.

It is possible, through a number of Skype exploits, to get someone's real IP address from their Skype username; this is a common vector for DDOSing people with dynamic IPs.

2015.05.26 to 2015.06.02, DDOSing Stephan Schneider

Stephan Schneider, one of our FCs, was DDOSed for several days in a row:

27.05.2015 18:10:39 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 17:05:14 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 15:05:10 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 14:13:17 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 04:42:13 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 02:27:11 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 02:25:10 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 02:23:11 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
27.05.2015 00:23:08 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 22:23:12 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 20:23:11 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 18:38:10 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 18:22:48 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 18:21:35 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 18:20:22 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 18:18:56 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  
26.05.2015 18:17:53 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)  

Chewy then gloated about it in local by telling Stephan his Skype name:

[ 2015.06.02 16:33:18 ] chewy ruko > stephan.schneider420
[ 2015.06.02 16:33:24 ] chewy ruko > :D
[ 2015.06.02 16:33:24 ] Stephan Schneider > thanks for the ddos
[ 2015.06.02 16:33:26 ] Stephan Schneider > you guys are great
[ 2015.06.02 16:34:11 ] chewy ruko > whatever you say
[ 2015.06.02 16:34:16 ] Stephan Schneider > ;)
[ 2015.06.02 16:34:16 ] n3xxz > lmao
[ 2015.06.02 16:34:22 ] Golar Crexis > Lol
[ 2015.06.02 16:34:24 ] n3xxz > its not blatant or anything lel
[ 2015.06.02 16:34:36 ] Golar Crexis > Just try not to DDOS again pleasE?
[ 2015.06.02 16:34:40 ] Golar Crexis > Resist those urges
[ 2015.06.02 16:35:19 ] Stephan Schneider > try to get good
[ 2015.06.02 16:35:20 ] Stephan Schneider > maybe
[ 2015.06.02 16:35:28 ] Stephan Schneider > then you wont ahve to rely on ddosing anymore
[ 2015.06.02 16:36:33 ] chewy ruko > so you are the one complaining about getting ddosed whiled my internet shut off each time I had a fight that involved ruca or pizza for the past month?
[ 2015.06.02 16:36:40 ] Stephan Schneider > why the fuck
[ 2015.06.02 16:36:41 ] chewy ruko > okay man
[ 2015.06.02 16:36:42 ] Stephan Schneider > would you link
[ 2015.06.02 16:36:43 ] Stephan Schneider > my skype name
[ 2015.06.02 16:36:44 ] Stephan Schneider > in local
[ 2015.06.02 16:36:50 ] Stephan Schneider > why else
[ 2015.06.02 16:36:52 ] Stephan Schneider > goo dsir
[ 2015.06.02 16:37:07 ] chewy ruko > proving you recruited my alt? ^^
[ 2015.06.02 16:37:12 ] Stephan Schneider > through what means
[ 2015.06.02 16:37:14 ] Stephan Schneider > skype?

The full log is available at http://pastebin.com/t8ZZuhKz; it includes members of my alliance being quite rude.

2015.05.28 - input broadcasting and first TS3 DDOS

On the 28th of May we were fighting Drop the Hammer and allies over the OK-FEM constellation in Delve. While fighting in YAW at around 2330 game time he bombed us multiple times with his alts, observably decloaking, bombing and warping on the same server ticks, which appeared to be some kind of input broadcasting; bot reports were made.

Shortly after, our TeamSpeak 3 server was DDOSed and we had to move to a backup one to continue fighting over the systems.

This DDOS was not severe enough to trigger protection from our hosting provider, but it made TS3 basically unusable, so I had to start up our backup server:

2015-05-29 00:28:52.866302|INFO    |ServerLibPriv |   | TeamSpeak 3 Server 3.0.10.3 (2014-01-01 16:28:39)  
2015-05-29 00:28:52.876739|INFO    |ServerLibPriv |   | SystemInformation: Linux 3.18.5-x86_64-linode52 #1 SMP Thu Feb 5 12:18:36 EST 2015 x86_64 Binary: 64bit  
2015-05-29 00:28:52.876813|INFO    |ServerLibPriv |   | Using hardware aes  
2015-05-29 00:28:52.906504|INFO    |DatabaseQuery |   | dbPlugin name:    SQLite3 plugin, Version 2, (c)TeamSpeak Systems GmbH  
2015-05-29 00:28:52.906913|INFO    |DatabaseQuery |   | dbPlugin version: 3.7.3  
2015-05-29 00:28:52.911387|INFO    |DatabaseQuery |   | checking database integrity (may take a while)  
2015-05-29 00:28:53.200079|INFO    |Accounting    |   | Your license was updated by the licensing server  
2015-05-29 00:28:53.205430|INFO    |Accounting    |   | Licensing Information  
2015-05-29 00:28:53.205491|INFO    |Accounting    |   | type              : Non-profit  
2015-05-29 00:28:53.205587|INFO    |Accounting    |   | starting date     : Tue Apr 28 00:00:00 2015  
2015-05-29 00:28:53.205635|INFO    |Accounting    |   | ending date       : Fri Oct 30 00:00:00 2015  
2015-05-29 00:28:53.205670|INFO    |Accounting    |   | max virtualservers: 10  
2015-05-29 00:28:53.205703|INFO    |Accounting    |   | max slots         : 512  
2015-05-29 00:28:53.975426|INFO    |              |   | Puzzle precompute time: 705  
2015-05-29 00:28:54.008510|INFO    |FileManager   |   | listening on 0.0.0.0:30033  
2015-05-29 00:28:54.008617|INFO    |VirtualSvrMgr |   | executing monthly interval  
2015-05-29 00:28:54.010125|INFO    |VirtualSvrMgr |   | reset virtualserver traffic statistics  
2015-05-29 00:28:54.143858|INFO    |CIDRManager   |   | updated query_ip_whitelist ips: 127.0.0.1,  
2015-05-29 00:28:54.145013|INFO    |Query         |   | listening on 0.0.0.0:10011  
2015-05-29 01:10:41.454147|INFO    |ServerMain    |   | Received signal SIGTERM, shutting down.  

2015.06.07 - another DDOS when attacking Drop the Hammer space

We formed up large fleets with our allies and went down to Period Basis to reinforce Drop the Hammer's stations and systems, prompting another DDOS. This one was strong enough to be detected by my hosting provider:

To: andi@andimiller.net  
Content-Transfer-Encoding: 8bit  
From: validation-world@kimsufi.com  
Message-Id: <20150607184506.66C5486B@mozg-vac2.ovh.ha.ovh.net>  
Date: Sun,  7 Jun 2015 20:45:06 +0200 (CEST)  
X-Ovh-Tracer-Id: 10462424886532914770

SAS OVH - http://www.kimsufi.com/en/  
2 rue Kellermann  
BP 80157  
59100 Roubaix

Dear Customer,

We have just detected an attack on IP address 37.59.50.21.

In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure.

The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers.


At the end of the attack, your infrastructure will be immediately withdrawn from the mitigation.

For more information on the OVH mitigation infrastructure: http://www.kimsufi.com/en/anti-ddos/

Best regards,

Customer service Kimsufi.com  
Contact: http://forum.kimsufi.com  
From Monday to Friday: 9h00 - 20h00  

Yet again I had to bring up our backup TeamSpeak server to cope with this:

2015-06-07 18:46:22.498560|INFO    |ServerLibPriv |   | TeamSpeak 3 Server 3.0.10.3 (2014-01-01 16:28:39)  
2015-06-07 18:46:22.498810|INFO    |ServerLibPriv |   | SystemInformation: Linux 3.18.5-x86_64-linode52 #1 SMP Thu Feb 5 12:18:36 EST 2015 x86_64 Binary: 64bit  
2015-06-07 18:46:22.498862|INFO    |ServerLibPriv |   | Using hardware aes  
2015-06-07 18:46:22.500948|INFO    |DatabaseQuery |   | dbPlugin name:    SQLite3 plugin, Version 2, (c)TeamSpeak Systems GmbH  
2015-06-07 18:46:22.501039|INFO    |DatabaseQuery |   | dbPlugin version: 3.7.3  
2015-06-07 18:46:22.501727|INFO    |DatabaseQuery |   | checking database integrity (may take a while)  
2015-06-07 18:46:22.775516|INFO    |Accounting    |   | Licensing Information  
2015-06-07 18:46:22.775589|INFO    |Accounting    |   | type              : Non-profit  
2015-06-07 18:46:22.775665|INFO    |Accounting    |   | starting date     : Tue Apr 28 00:00:00 2015  
2015-06-07 18:46:22.775726|INFO    |Accounting    |   | ending date       : Fri Oct 30 00:00:00 2015  
2015-06-07 18:46:22.775771|INFO    |Accounting    |   | max virtualservers: 10  
2015-06-07 18:46:22.775820|INFO    |Accounting    |   | max slots         : 512  
2015-06-07 18:46:23.497853|INFO    |              |   | Puzzle precompute time: 702  
2015-06-07 18:46:23.498303|INFO    |FileManager   |   | listening on 0.0.0.0:30033  
2015-06-07 18:46:23.560262|INFO    |CIDRManager   |   | updated query_ip_whitelist ips: 127.0.0.1,  
2015-06-07 18:46:23.561460|INFO    |Query         |   | listening on 0.0.0.0:10011  
2015-06-07 20:46:30.800810|ERROR   |Accounting    |   | virtual server id 1 is running elsewhere, shutting down!  

The DDOS then ended at 2100 CEST:

To: andi@andimiller.net  
Content-Transfer-Encoding: 8bit  
From: validation-world@kimsufi.com  
Message-Id: <20150607190005.DD10E86B@mozg-vac2.ovh.ha.ovh.net>  
Date: Sun,  7 Jun 2015 21:00:05 +0200 (CEST)  
X-Ovh-Tracer-Id: 10715470889272622674

SAS OVH - http://www.kimsufi.com/en/  
2 rue Kellermann  
BP 80157  
59100 Roubaix

Dear Customer,


We are no longer able to detect any attack on IP address 37.59.50.21


Your infrastructure has now been withdrawn from our mitigation system.

For more information on the OVH mitigation infrastructure: http://www.kimsufi.com/en/anti-ddos/

Best regards,

Customer service Kimsufi.com  
Contact: http://forum.kimsufi.com  
From Monday to Friday: 9h00 - 20h00  
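To show how the timing claims in this report can be checked, here is an added example (not part of the original report, and not from any tool mentioned in it) that parses the three kinds of log quoted above into one UTC timeline: the router's SYN-flood alerts from the 26th/27th of May, the TeamSpeak 3 server log, and the Date: headers of the Kimsufi mitigation mails. It assumes the line formats exactly as printed here. The report states that server logs are UTC and mails are CEST; the router log carries no zone, so its zone is a parameter (UTC by default, which is an assumption). The embedded samples are abridged copies of the lines above.

```python
"""Put the report's three log sources on one UTC timeline.

Added example, not part of the original report. Formats are assumed to be
exactly as quoted in the report: German router SYN-flood alerts, TeamSpeak 3
server log lines, and RFC 5322 Date: headers from the provider's mails.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc

# Constructed samples: abridged copies of the log lines quoted in the report.
ROUTER_LOG = """\
27.05.2015 02:27:11 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
27.05.2015 02:25:10 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
27.05.2015 02:23:11 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
26.05.2015 18:38:10 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
26.05.2015 18:22:48 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
26.05.2015 18:21:35 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
26.05.2015 18:20:22 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
26.05.2015 18:18:56 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
26.05.2015 18:17:53 DoS (Denial of Service) Angriff SYN Flood wurde entdeckt. (FW101)
"""
TS3_LOG = """\
2015-06-07 18:46:22.498560|INFO    |ServerLibPriv |   | TeamSpeak 3 Server 3.0.10.3 (2014-01-01 16:28:39)
2015-06-07 18:46:23.497853|INFO    |              |   | Puzzle precompute time: 702
2015-06-07 20:46:30.800810|ERROR   |Accounting    |   | virtual server id 1 is running elsewhere, shutting down!
"""
MAIL_DATES = [  # (what the mail said, its Date: header)
    ("attack detected on 37.59.50.21", "Date: Sun,  7 Jun 2015 20:45:06 +0200 (CEST)"),
    ("attack no longer detected", "Date: Sun,  7 Jun 2015 21:00:05 +0200 (CEST)"),
]

ROUTER_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.+)$")
TS3_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|(\w+)\s*\|([^|]*)\|[^|]*\|\s*(.*)$")


def parse_router(text, tz=UTC):
    """Return (utc_time, message) per alert line; tz is the router's local zone (assumed UTC)."""
    out = []
    for line in text.splitlines():
        m = ROUTER_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an alert line
        stamp = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S").replace(tzinfo=tz)
        out.append((stamp.astimezone(UTC), m.group(2)))
    return out


def parse_ts3(text):
    """Return (utc_time, level, component, message) per TS3 server log line (log is UTC)."""
    out = []
    for line in text.splitlines():
        m = TS3_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=UTC)
        out.append((stamp, m.group(2), m.group(3).strip(), m.group(4)))
    return out


def parse_mail_date(header):
    """Parse a Date: header (with its +0200 offset) and return the instant in UTC."""
    value = header.split(":", 1)[1].strip() if header.lower().startswith("date:") else header
    return parsedate_to_datetime(value).astimezone(UTC)


def bursts(times, gap=timedelta(minutes=10)):
    """Group timestamps into bursts: consecutive alerts no more than `gap` apart.
    Returns (first, last, count) per burst, in time order."""
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][1] <= gap:
            first, _, n = groups[-1]
            groups[-1] = (first, t, n + 1)
        else:
            groups.append((t, t, 1))
    return groups


def build_timeline():
    """Merge all three sources into one list of (utc_time, source, text), sorted by time."""
    events = [(t, "router", msg) for t, msg in parse_router(ROUTER_LOG)]
    events += [(t, "ts3", f"{lvl} {comp or '-'}: {msg}") for t, lvl, comp, msg in parse_ts3(TS3_LOG)]
    events += [(parse_mail_date(hdr), "ovh-mail", what) for what, hdr in MAIL_DATES]
    return sorted(events, key=lambda e: e[0])


def backup_lag_seconds(timeline):
    """Seconds between the provider's 'attack detected' mail and the backup TS3 server start."""
    detected = next(t for t, src, what in timeline if src == "ovh-mail" and "detected on" in what)
    started = next(t for t, src, what in timeline if src == "ts3" and "TeamSpeak 3 Server" in what)
    return int((started - detected).total_seconds())


if __name__ == "__main__":
    tl = build_timeline()
    for t, src, what in tl:
        print(t.strftime("%Y-%m-%d %H:%M:%S UTC"), f"[{src}]", what)
    print("backup TS3 came up", backup_lag_seconds(tl), "s after the mitigation notice")
    for first, last, n in bursts([t for t, _ in parse_router(ROUTER_LOG)]):
        print("router burst:", first.time(), "->", last.time(), f"({n} alerts)")
```

Run as a script it prints the merged timeline, shows that the backup TS3 server was started 76 seconds after the "attack detected" mail (once the mail's +0200 offset is converted to UTC), and groups the router alerts into bursts (five alerts within five minutes on the 26th, a single alert fifteen minutes later, and three alerts two minutes apart on the 27th). Converting every source to UTC before sorting is the point: compared in their native zones, the mail and the server log would appear two hours apart.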

General Secondary Sources

Offering to DDOS enemy FCs while in Black Legion.

While previously in Black Legion., he offered to DDOS enemies; this can be confirmed with Raknor Bile (a Black Legion. fleet commander).

Python Injection for gatecamping

Ex-alliancemates (Nambo and Yannimoreplz) have confirmed to us that he mentioned using python injection in relation to the character Sifoane getting perfect decloaks and instalocks while gatecamping.