Refspoofing is the practice of sending incorrect data in an HTTP request in order to prevent a site from obtaining accurate data on the identity of the web page previously visited by the user. It is a nifty little trick that can be used to access hidden directories on websites and sometimes even find passwords or user names. Most people use this little trick to find free porn or to steal music.
Several years ago there was a site named Hell.com and it had a flashy front end that was intentionally creepy. On a particularly slow afternoon in 2005, I got bored and decided to poke around the site to see if I could find anything interesting. As I dived through directory after seemingly empty directory, I noticed I was in a seemingly recursive loop of folders. The site was primarily coded in flat HTML and it used embed tags to showcase various Flash presentations. However, I had noticed a few references in the source code for various forms being handled by a PHP script. On a whim, I changed my referrer ID to a page commonly found in phpMyAdmin. Just like that, the next directory, one I had already been to and found empty, was filled with links to various pages.
Most of the pages seemed to be strange avant-garde art presentations. Some were videos and others were rather well-designed web pages. Looking back, some of the pages looked a lot like what we now call “Web 2.0”. In 2005, it looked almost futuristic. As I watched a slideshow set to industrial techno, where each slide showed a different children’s book that was photoshopped to have a perverted title (“Goodnight Boob” and “Everybody Shits” were two of many), I switched windows to look at the source code.
I found an internal link I’d seen on a few other pages, but when I had clicked it before, I was redirected to another random page. In fact, that was how I had landed where I was at. I had my referrer ID locked on that phpMyAdmin page, so I reset my ID and clicked the link as if I had just come from the page I was on. It was a blank white page with a .htaccess login prompt. I was prepared for this one. I loaded up a brute force application and began submitting random usernames and passwords while I got up and went to the corner store for a soda. I hadn’t made much progress with the brute force in the short time I was gone, so I went to pester my roommate for a while. A few hours later, I returned to find the attack had been a success and I had landed on the front page of the real site.
Everything I had found up to that point had been a smokescreen put up to confuse and entice visitors into thinking the site itself to be mysterious and/or supernatural. The truth was almost as interesting. The site itself was a collective of artists, musicians and filmmakers who came together to work on high concept projects. I recognized a couple of names from the members’ directory almost immediately: Darren Aronofsky and Brian Warner. In fact, there were several other names linked to individuals who were not celebrities then, but are now. Before I could do anything of merit with this information, I was kicked from the site. The account I had used to log in was temporarily suspended.
Now this is where it gets odd. Out of nowhere, my browser history, download history, bookmarks and several other common features of my browser were completely wiped. Moreover, my roommate was shouting from the other room, as his computer had suffered the same fate. I assumed it was a tech-savvy sysop that hacked me to make a point or something. I had been stealing my neighbor’s wifi for the hack and I could only assume I had been IP banned as well, so I grabbed my laptop and went to a local coffee shop.
I recreated the hack from memory. I followed every step and eventually got to the point where I had to brute force my way in. I minimized the window and passed some time on my Gameboy. About an hour later, I was back in, but it wasn’t the same page. This sysop was good. In the time it took me to get back in, he was able to change the structure of the site to make sure that the page I landed on was nothing more than a flash video in the center of a black background.
The video that followed was gruesome on a level I had never seen. Most shock sites are boring to me. I can even boast that by this point, screamers didn’t even make me jump. Amongst all these gruesome images and video clips of what can only be described as horrific crimes against humanity, some red text slowly came into focus.
“Those who seek hell are destined to find it.”
I closed my laptop and headed home. It was getting late and I figured I could take another crack at it in the morning. On the way back, I walked past a church sign that read: “Those who seek hell are destined to find it.”
When I got home, I hopped on my desktop and logged into a game called Tibia. If you haven’t played it, you aren’t missing much. As I ran around killing mythical creatures and chatting with other players, a GM, noted for typing in red text, typed: “Those who seek hell are destined to find it.” I asked the GM if he had spent any time on Hell.com recently and within a few minutes, I was banned from the game for using “inappropriate language.” With little else to entertain myself, I went to sleep.
The next morning, there was a knock on the door. It was the FBI. They said they first stopped at my neighbor’s house, but after a quick conversation, they headed downstairs to ask me some questions. The sysop of Hell.com reported the unlawful access. While the agents couldn’t prove any misdeeds on my part, they were sure to confiscate my desktop and scold me for my illicit behavior. As they walked out the door, one of them made a snide remark.
“Careful kid. Those who go lookin’ for hell tend to find it.”
It was only the fifth or sixth time I had run into that phrase. After the agents left, I pulled my laptop from the false bottom in my desk drawer and Googled the phrase. No results. You can Google it now and find all sorts of references, but on that very day at that time, it returned no results. With the Feds scare and everything else, I decided to back off.
Years passed. Everything blew over; apparently the sysop nuking my history was enough to make it look as if I hadn’t accessed the site. In fact, I hadn’t thought about it since, until this morning. A certified letter arrived via UPS from an address in Nevada. Inside was a letter with a single phrase written in red: “Those who seek hell are destined to find it.” I’ve moved six times since then. None of the utilities are in my name. Hell, I haven’t received any mail at this address in my name since I moved here. This guy is good. There’s one more thing. On the bottom of the letter it was signed, “LCF”. The PS read: “See you soon.”