NobodyCoder
NobodyCoder is a well-known hacker, or, well, at least a script kiddie, who has hacked several thousands of web pages. He updates his attacks on the following website and defaces websites based on known exploits. He even recently hacked our website, Scientificforums.Net.

Because of the fact that he’s hacked well over 8,000 websites, Psinetic.Org is launching a personal campaign against him. Hacking our site is one thing, but a tangent hacker is something else. He’s cocky and thinks he knows better than everyone else. Fact is, he’s really not that good of a hacker. Like I said before, he’s a script kiddie.
Therefore, this entire blog is set up for him, to catch him, and to assist those who have been attacked by him.
For now everything that we’ve been updating has been posted on a Malware Removal website, but I have put a comment in that thread that I am now updating everything here in this blog. So read everything there, and come back here for your responses. He also seems to like to use the name handle “Khodam”.
What do we want from you? Well it’s simple. In order to catch a hacker, I would like for you to post your site(s) that was/were hacked, the approximate TIME it was hacked, the ip address used to REGISTER and/or to HACK the site with, the username registered on your site if any, and any other information you can provide.
The more information you give us, the better off we are at catching this guy. Thank you all for your time.
-Psinetic
————————-UPDATE—————————-
Here are the IPs we have so far, linked to their respective whois. Notice that he uses one particular IP or range. Could simply be a spoofing trick, to make us think that’s where his real IP is, but it might actually at least be on the same network, which makes my job a lot easier:
obviously more to come…
———————-UPDATE—————————-
I just sent an email to the guy, here’s the conversation as well as the headers:
his email: nobodycoder@yahoo.com
From Me:
Nobody,
because that’s what you are. Did I ask for you to hack my site? No. I didn’t. Do I support Obama, no, I didn’t even vote for the guy. But to get your point across you’ve attempted to hack my sites far too many times. It ends here and now. STOP. Your hacking is a rampage. You’ve gotten your point across to several thousands of people, and yet, you STILL haven’t caught Obama’s attention. And even if you did, he’d only toss your opinions to the side and not give a day’s thought about them. I can tell you that from experience.
You are a brute skiddie. You couldn’t hack if your life depended on it. Instead you rely on exploits and scripts and automation. You’re a fool. You think you’re so hot just because you can exploit a lot of people’s bad security ethics. Let me tell you now. You haven’t yet hacked ONE SINGLE big site. You’ve hacked smaller sites and you’re settling with that. If you think you’re a good hacker, PROVE IT. Hack a big site. See if you can hide yourself from them and then tell me you’re some hot shot. So far you’ve just hacked WordPress and MyBB forums and you haven’t even done anything. You just play around a little bit. Since 2006 you’ve been doing your stupid scam hacks, and I’m going to tell you now, you did the WRONG thing hacking my site.
You know if it were simply a single hack by some kid who didn’t like me, I wouldn’t lift two thoughts about it, but when I did my research and found that you’ve done the same thing to 8,000 other people, I determined that you’re nothing more than a coward skiddie who just knows how to launch exploit scripts. You don’t know the first thing about hacking. If you want to hack my website, fine, ok. Do as you like. I’ll tell you now you’re not just messing with a stupid American, you’re messing with a professional IT who works for the United States Military. I deal with people like you everyday and eat them for breakfast. Do you really think you scare me with your stupid spoofings? You’ve already made some really big mistakes and are going to pay big time for some of the things you’ve done. You’ve cost hundreds of thousands of dollars in website repairs, and you either need to stop or be stopped.
Your time will come Skiddie, your time will come.
Psinetic
From Nobody:
Look asshole!
Now I decided to publish my message very fast to entire world, that’s why I hacked a lot of websites with my automated script.
I coded it. I know programming and reverse engineering very well… I hacked a lot of sites without an exploit from sites…
I found a lot of security holes myself, but as my e-mail is monitored I can’t explain more….
But you can see here:
http://www.zone-h.com/archive/special=1/defacer=NobodyCoder
(here’s the header of that email he sent me:
Delivered-To: psinetic@gmail.com
Received: by 10.150.230.4 with SMTP id c4cs158879ybh;
    Tue, 30 Jun 2009 06:00:41 -0700 (PDT)
Received: by 10.140.203.9 with SMTP id a9mr374523rvg.236.1246366840671;
    Tue, 30 Jun 2009 06:00:40 -0700 (PDT)
Return-Path: <nobodycoder@yahoo.com>
Received: from web111510.mail.gq1.yahoo.com (web111510.mail.gq1.yahoo.com [67.195.15.187])
    by mx.google.com with SMTP id b39si1633728rvf.8.2009.06.30.06.00.39;
    Tue, 30 Jun 2009 06:00:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of nobodycoder@yahoo.com designates 67.195.15.187 as permitted sender)
    client-ip=67.195.15.187;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of nobodycoder@yahoo.com designates
    67.195.15.187 as permitted sender) smtp.mail=nobodycoder@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
Received: (qmail 87547 invoked by uid 60001); 30 Jun 2009 13:00:20 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1246366820;
    bh=wdDF7a55BDgc7IZlQe/BFuyrhl3S4x5mTYbKL5QOuLE=; h=Message-ID:X-YMail-OSG:
    Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
    b=SQu+SGijM16/6VZ1qHMED86VyjDfZ3p4fF6J1E1l9C4dT/lhGxhryY3SQ3+wdjaFWwqpS6zw7oWpiEE9sgLn1umtQK5dRLyYN95
    l1hci1YH2p7s2Lk69gM567Krj4Puy3T1J/vzwkkUTNUdZ2LCiHWm0zkKGIgDirtqGGbL3yUQ=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;
    h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
    b=iZGH90+ZPUzoQ8mucXMkvKCy1fhYj11BJiJHs55vhniysvfC5T0RqyzL8+1t4e+rQI8TeumjxpvnT3kYAkyARvOVp49D8zuRI/
    kstJjzpk9cwv+0ZH0wGt7E+W+J9uCmIQInan89x4HooTVAZRp0eLowTjMEV0+GBY+rEGOhWWw=;
Message-ID: <156834.69078.qm@web111510.mail.gq1.yahoo.com>
X-YMail-OSG: VjHryqcVM1k9X8AvJehiTt6BmKv2HqrOkUUTmW5VU6HpbzrNVKNgaEdXcTY6rvyTO5SVE3tTR9YEJWb9z6RQe
    PUDRJlWQZpv30t5UICyedGje4fOWP8xkNn1syLaMTESjs8MgUb7ued750p4BUOAjkkicg9sUu_.FX9yz4UrA1cLuoNwChBlZY5SA
    aEZOwgaXRdKr_vcHilQn2Syzc7jXINbBZw63dutx97GfH3PYbZ5Nw3xc7.ravbY4Mrvt5S8YSb_DjTGbyCgeoFkfphM2Kn1vpXYu
    dfJwDxmqqnxoN7qaZRxaotEsZ7RTl4cN.J9MvnXo_NR6Xt0z_vbjUK4FJU-
Received: from [94.101.131.240] by web111510.mail.gq1.yahoo.com via HTTP; Tue, 30 Jun 2009 06:00:19 PDT
X-Mailer: YahooMailClassic/5.4.17 YahooMailWebService/0.7.289.15
Date: Tue, 30 Jun 2009 06:00:19 -0700 (PDT)
From: nobody coder <nobodycoder@yahoo.com>
Subject: Re: Not as good as you think you are
To: Eric Wright <psinetic@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-762526019-1246366819=:69078"
)
Another from Nobody right after the last one:
Just know when I published a paper in highly profiled hack and exploit site, I got a lot of attention,
questions, emails, thanks and...
My knowledge is too wide, programming, security, reverse engineering, hacking, wireless networks,
cryptography and...
But I'm not here to prove myself to you... You can think as you like... WHO CARES?!
Also the header:
(
Delivered-To: psinetic@gmail.com
Received: by 10.150.230.4 with SMTP id c4cs159091ybh;
    Tue, 30 Jun 2009 06:06:04 -0700 (PDT)
Received: by 10.140.161.11 with SMTP id j11mr6206719rve.129.1246367163491;
    Tue, 30 Jun 2009 06:06:03 -0700 (PDT)
Return-Path: <nobodycoder@yahoo.com>
Received: from web111501.mail.gq1.yahoo.com (web111501.mail.gq1.yahoo.com [67.195.15.133])
    by mx.google.com with SMTP id g22si7267673rvb.45.2009.06.30.06.06.01;
    Tue, 30 Jun 2009 06:06:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of nobodycoder@yahoo.com designates 67.195.15.133 as permitted sender)
    client-ip=67.195.15.133;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of nobodycoder@yahoo.com designates
    67.195.15.133 as permitted sender) smtp.mail=nobodycoder@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
Received: (qmail 30831 invoked by uid 60001); 30 Jun 2009 13:06:01 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1246367161;
    bh=lwaIv/+d+0tz14cgQOyeuk3yHKSWyIC+lSY3yXwpfPg=;
    h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
    b=n9aK6z9ebebWBhjfIE8ZTEJmZBDm9jH1PE1rGNoD3pxO3EaOe86lWbJiGqXo6cSWTSWDGoQ13/
    fEA3AjtUNJXSVhUjipoDSmTNa8fm5XL9SblSL3r7EsCHSVKpzuuh1a+1dFDeGmYF1fjk799FGB+h3aRzg4ycC852tT4m9EkNk=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
    s=s1024; d=yahoo.com;
    h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
    b=r02r1haWKBEz1aJa70+2/SUGxm1Cw7fXyp30mzG9VvzpK01rSIyJKdrDg4A1W/7U/
    BBisezIZMVcftf3Z9BuaIN24UY8FwiSfgayfnA22I7NgczgtectogvjY4BH6pUji0uVXNj/KMAfX3nT4J98Dwe4VnYCukkm4d/u0FKEH2U=;
Message-ID: <132348.30265.qm@web111501.mail.gq1.yahoo.com>
X-YMail-OSG: CC4sqk0VM1l.ODfb.4hkpjtrSpagtRBbUrA.oApEy6QxmUwDwJ21WnrAeSr35ZV
    Xf.NIvOFfPbfCfxLiAU7TeHsinxqTq2HfEqZ42EkJII2.VjYef0pUN4WOZo5xbj9zN91x3sATr2UiojhNgmUcF1hptQtYJjQ
    91lH.jxhsuOxV.eBM8M2WM179uPOzB99Tinj3DXV0lbvW6ii9KZEKE8jX9qOLISG8amEuRnesgA_fj74_dAwKJdZONqsuD
    y3RwpeT.ROgKCdHJFmW6NRsbsNnQGkSQPuwSUDwU.WJpO5ZB8RvLdtepFHGaYvXFc9gHcn.8EwC
Received: from [94.101.131.240] by web111501.mail.gq1.yahoo.com via HTTP; Tue, 30 Jun 2009 06:06:00 PDT
X-Mailer: YahooMailClassic/5.4.17 YahooMailWebService/0.7.289.15
Date: Tue, 30 Jun 2009 06:06:00 -0700 (PDT)
From: nobody coder <nobodycoder@yahoo.com>
Subject: Re: Not as good as you think you are
To: Eric Wright <psinetic@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1497833610-1246367160=:30265"
)
and of course, this was my reply and he hasn't sent anything back yet:
considering the fact that your email is being monitored, I think you SHOULD care.
Seems our hacker is a little cocky, what do you think? Seems he REALLY likes that IP address there too. That means one of a couple of things:
a) he has direct access to this machine.
b) it is a standard and he uses it all the time.
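The comparison made above, reading the oldest "Received: from [...] via HTTP" hop in each message and noticing that the same address repeats, can be done mechanically. This is an added example, not code from the original post; the sample messages are constructed, with documentation-range IPs and hypothetical hostnames. The address it returns is only what the webmail provider saw for the HTTP session, so it can be a VPN or proxy exit rather than the sender's own machine.

```python
import email
import ipaddress
import re
from collections import Counter

# Constructed sample: documentation-range IPs and hypothetical hostnames.
MSG_A = (
    "Received: by 10.0.0.4 with SMTP id a1; Tue, 30 Jun 2009 06:00:41 -0700\n"
    "Received: from web1.mail.example.net (web1.mail.example.net [198.51.100.7])\n"
    "\tby mx.example.org with SMTP id b2; Tue, 30 Jun 2009 06:00:39 -0700\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;\n"
    "\th=Message-ID:Received:Date:From:Subject:To; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Received: from [192.0.2.44] by web1.mail.example.net via HTTP;\n"
    "\tTue, 30 Jun 2009 06:00:19 PDT\n"
    "From: sender@example.net\nSubject: constructed sample\n\nbody\n"
)
MSG_B = MSG_A.replace("web1", "web2").replace("198.51.100.7", "198.51.100.9")

# RFC 1918 + loopback; is_private would also reject the sample's doc ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """Received hops, oldest first, as (bracketed_ip_or_None, unfolded_text)."""
    msg = email.message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())
        m = BRACKETED_IP.search(flat)
        out.append((m.group(1) if m else None, flat))
    return out

def origin_ip(raw):
    """IP in the oldest 'from' hop that is not an internal address."""
    for ip, text in hops(raw):
        internal = ip and any(ipaddress.ip_address(ip) in n for n in INTERNAL)
        if ip and text.startswith("from ") and not internal:
            return ip
    return None

def dkim_signs_received(raw):
    """True if the DKIM h= tag lists Received (covers the bottom-most hop)."""
    sig = email.message_from_string(raw).get("DKIM-Signature", "")
    m = re.search(r"\bh=([^;]+)", "".join(sig.split()))
    return bool(m) and "received" in m.group(1).lower().split(":")

def recurring_origins(messages):
    """Count origin IPs across messages; a repeat is one egress point."""
    return Counter(ip for ip in map(origin_ip, messages) if ip)
```

A hop below the receiving server's own Received lines is only as trustworthy as whoever wrote it; when the provider's DKIM signature lists Received in h= and the receiving MX reports dkim=pass, the origin hop was recorded by the provider and not altered in transit.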
———————-UPDATE————————-
So he sent me another email, and I actually consider this one funny. “Yahoo closed my account…” It’s gotta suck when SANS gets involved in a skiddie hacker’s plot of mini-world take over…or not.
Email by Nobody:
Yahoo closed my account, NobodyCoder is here… If you replied to my last 2 e-mails, you have to send them here… I was not able to check them.
I haven’t replied back yet. Nor do I have the headers at this moment, but be assured, I will get them on here as well.
His new email?: nobodycoder.cpp@gmail.com
And then here’s another email he sent me:
I saw your last e-mail in your fucked blog:
considering the fact that your email is being monitored, I think you SHOULD care.
I don’t care babe… I don’t care… Because nobody from outside of Iran could access inside of Iran. Iran is different than all other countries, you have to understand this, you asshole!
MOV OUTOFPANT, NOBODYCODERSCOCK
PUSH NOBODYCODERSCOCK
POP NOBODYCODERSCOCK
PUSH NOBODYCODERSCOCK
POP NOBODYCODERSCOCK
So I push and pop my cock in and out of stack, assume stack is your ass… That would be great!
LOOOOOOOOOOOOOL
What an arrogant, but ignorant, fool. Iranian networks are no different than the rest of the world, otherwise, they wouldn’t be able to communicate with the rest of the world, because they wouldn’t exist. I KNOW networks my friend, I work with them on a daily basis. I told you once, and I’ll tell you again, “Your time will come Skiddie, your time will come.”
——————–UPDATE————————–
New Email From Nobody:
Hey, if I swear to your mom, you’ll publish it in your blog??? That’s great! Excellent! I’ll do that if needed.
Look babe, if you think Iran isn’t different, do your best… I’ll publish comments every day in your fucked blog… So people will understand I’m still around!
Babe… For a reverse engineering GOD and programming expert, owning IP addresses of the world isn’t something hard… Do you know I have illegal access to how many servers in Iran, USA, Germany, France, Netherlands, etc… ? You cannot find my IP asshole, I install OpenVPN on all servers I get root access… Iran, USA, Germany is most interesting for me…
So asshole, keep working on your own work/business (if you have, I doubt)…
First of all Nobody, I’m not your “babe” and I most certainly DON’T want to be a gay fagot homo queer like you. I have better things to do during my day than to hack websites all day. Instead, I’ll devote the same time you’ve devoted to hacking to simply finding you. Do you think an OpenVPN will keep us from tracking you? HA!!! You’re funny, really. You think you’re so superior. Wow. What an arrogant retard.
—————UPDATE————–
Ladies and gentlemen, we have ourselves a possible suspect. After some research, we’ve found some interesting things. First, we searched his user handle he uses so much, it’s repetitive, which means he likes to use it a lot. So it’s deeper than JUST a simple username. And we hit this rather quick:
http://en.netlog.com/khodam
http://www.villagehub.com/khodam8
And just in case he wanted to remove those after I posted them here, I took screen shots.

You see, what caught my eye, was his location. Tehran, Iran. I looked at my Google Analytics logs, and found six hits from that city:

So we continued our search, this time, with the name(s) he used:
JAVAD ASGARI
Looks to me, like this is the one used the most. Probably his REAL name:
http://www.childrenshospitalla.org/atf/cf/%7B1CB444DF-77C3-4D94-82FA-E366D7D6CE04%7D/Imagine%20Honor%20Roll%202009.pdf
On page 18, third column, seventh and eighth down, is his name. Oh, and here’s a direct picture of him, as far as we can see:

And this here looks like either his or his dad’s store:
http://www.21food.com/offerdetail/134414/Buy-sun-or-soya-acid-oil.html
For now, that’s all we have. Enjoy everyone