
16 October 2014

Traffic Bots.

In my last installment of Bot fighting I was tracking down a bot style that was placed onto servers that were then used to spread SPAM. Today I'll talk about a slightly different bot, web traffic bots.

This is kind of what the Google and Yahoo spiders of old used to be, programs that would scrape your site for key words and the like. Now we all like these because they give us legit hits to our web sites, but these spiders aren't all that friendly.

Semalt.com hits.


I first found out about these bots when this showed up in my Apache server log files.

201.50.251.78 - - [18/Sep/2014:10:47:06 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
89.154.210.157 - - [21/Sep/2014:05:16:27 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
201.34.81.160 - - [22/Sep/2014:05:37:09 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
189.46.62.91 - - [22/Sep/2014:18:44:26 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
96.245.234.41 - - [23/Sep/2014:10:28:52 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
189.75.142.7 - - [23/Sep/2014:13:30:36 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
187.113.82.65 - - [28/Sep/2014:07:19:14 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
177.10.198.243 - - [28/Sep/2014:12:29:53 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
188.153.203.167 - - [29/Sep/2014:04:41:00 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
84.240.35.233 - - [29/Sep/2014:15:15:12 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
187.41.170.68 - - [30/Sep/2014:08:39:03 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
79.40.98.43 - - [30/Sep/2014:09:03:43 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
186.233.117.92 - - [01/Oct/2014:09:28:48 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
201.95.200.9 - - [03/Oct/2014:12:16:13 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
201.217.47.207 - - [03/Oct/2014:15:35:10 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
188.250.87.122 - - [05/Oct/2014:07:02:08 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
200.131.62.31 - - [07/Oct/2014:04:45:57 -0700] "GET / HTTP/1.0" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
179.252.38.142 - - [07/Oct/2014:06:28:36 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
177.104.209.216 - - [10/Oct/2014:08:24:27 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
177.135.177.50 - - [10/Oct/2014:13:37:12 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
190.83.233.158 - - [10/Oct/2014:16:49:57 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
2.150.32.8 - - [11/Oct/2014:05:41:54 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
201.34.219.216 - - [13/Oct/2014:17:01:59 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
187.10.159.143 - - [14/Oct/2014:16:48:03 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
186.215.131.42 - - [15/Oct/2014:10:00:38 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

Now as you can see they are all coming from different addresses, and when I did some digging on these addresses they were all residential fixed line or mobile ISP IPs, most of them coming out of Brazil. I thought this was very and seemed much like a bot attack. So I followed the link.



This sure looked a bit shady.....no info about the company and a page source code filled with data collecting JavaScript.
So I did some more digging on Google and was surprised to find a very active account proclaiming to be the manager of the company. With some more queries and digging I found people all over reporting their stats being messed up by very large numbers of hits proclaiming to be references from this site. But those complaining had not paid for this service. Most of these were responded to by the manager sending them to links or vague treatments. See below with my Twitter feed about this.

The official Nataliya linked me to a page basically saying, "hey man this is the net, deal with it." But I would ask you to go look at it yourself and make a judgement.

I went ahead and filled out the form on this page for one of my sites and I haven't seen the bots for a bit now, but that is only one day.

When Google says bad things about you.


With some more digging on Google I found several reports on Semalt being connected to malware in a piece of software called Soundfrost. Links to these articles are below, as they do a great job covering this.

The more I dug into Google the worse it looked. I found out that the area of the world where Soundfrost was most used..... wait for it.... Brazil.

The hard facts.


So with all this in mind I went about proving this myself. Because.... why not!?

I used VMplayer and installed Windows XP SP3 on it. On my main system I was running Wireshark, monitoring all the traffic from the VMPlayer's emulated NIC. I then went on to find a copy of Soundfrost to see what would happen.

Going to soundfrost.org I was able to download a copy, and nothing happened. It seems this copy didn't have the malware on it.
So I then went to http://soundfrost.en.softonic.com/ and found another copy of the software. This one was infected and started talking to the mother ship right away.

After a bit of digging I found the proof I was looking for.


As you can see from the screenshot, my honeypot VMplayer was sending another server the same traffic I saw on my web server. So, how does it work? I only have part of it figured out and hope to get some more info as time goes on.

How site hits work.

There are two programs that seem to do the most communicating, Controlagent.exe and ControlContent.exe. Both start out by connecting to soundfrost.com. ControlContent.exe did a GET request for updates and kept getting a 0 back. Controlagent.exe seemed to do most of the work this time around.
First it would send a GET request out to soundfrost.com/get_link.php. Then it got a 302 and was redirected to server19.soundfrost.com. Here it was sent a link like this.

http://semalt.semalt.com/semalt.php?u=http://ozzibylittlelotus.com

Then it would follow this link, and get something like this back.

<html>
<head>
<title>...</title>
<meta HTTP-EQUIV="Content-Type" content="text/html; charset=windows-1251">
<script language="JavaScript">
window.onload = function() {
var myEvt = document.createEvent('MouseEvents');
myEvt.initEvent('click', true, true);
document.getElementById('myLink').dispatchEvent(myEvt);
}
</script>
</html>
<body>
<a id="myLink" href="http://semalt.semalt.com/crawler.php?u=http://ozzibylittlelotus.com">Redirecting ...</a>
</body>
</html>

It would then follow this link and get this back.

<html>
<head>
<title>...</title>
<meta HTTP-EQUIV="Content-Type" content="text/html; charset=windows-1251">
<script language="JavaScript">
window.onload = function() {
var myEvt = document.createEvent('MouseEvents');
myEvt.initEvent('click', true, true);
document.getElementById('myLink').dispatchEvent(myEvt);
}
</script>
</html>
<body>
<a id="myLink" href="http://ozzibylittlelotus.com">Redirecting ...</a>
</body>
</html>

Then it would follow the final link and send the info as we saw up in the Wireshark capture.

From playing around with this using curl I was able to figure out that the whole process allows the backend a very simple kind of handshaking without any sensitive data being passed. So if semalt.php doesn't get the same URL that get_link.php passed to the bot, it does nothing. And likewise crawler.php does the same thing.
Now I wasn't able to get curl to work with crawler.php as it seems to be looking at the user agent and doing some kind of Java based redirect to the target site in question.
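The last hop of this chain is what lands in the Apache log shown earlier: many client addresses, each with a crawler.php referrer that carries the visited site in its u= parameter. The following Python sketch is an added example, not code from the original post; it flags that referrer shape in a combined-format log. The sample lines are constructed (documentation IP ranges, the referrer string from the log above), and the function names and the min_ips threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: RFC 5737 addresses, referrer string taken from the post.
_LINE = ('{ip} - - [18/Sep/2014:10:47:06 -0700] "GET / HTTP/1.1" 200 11590 '
         '"{ref}" "Mozilla/5.0 (constructed sample)"')
SPAM_REF = "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net"
SAMPLE_LOG = [_LINE.format(ip=ip, ref=ref) for ip, ref in [
    ("203.0.113.10", SPAM_REF),
    ("198.51.100.22", SPAM_REF),
    ("192.0.2.77", SPAM_REF),
    ("203.0.113.201", SPAM_REF),
    ("203.0.113.10", SPAM_REF),                       # repeat visitor
    ("192.0.2.5", "http://kd7dmp.net/"),              # internal navigation
    ("198.51.100.9", "http://www.example.org/search?q=kd7dmp"),
    ("192.0.2.40", "http://share.example.com/go?url=http://kd7dmp.net/"),
    ("192.0.2.41", "-"),                              # no referrer sent
]] + ["this line is not in combined format"]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none or will not parse."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def spam_key(referer, own_host):
    """Return 'host/path' of a foreign referrer that carries own_host as a
    query-string value (the crawler.php?u=<site> shape), else None."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    ref_host = (parts.hostname or "").lower()
    if not ref_host or ref_host == own_host:
        return None
    for values in parse_qs(parts.query).values():
        if any(host_of(v) == own_host for v in values):
            return ref_host + parts.path
    return None


def find_referrer_bots(lines, own_host, min_ips=3):
    """Group suspicious referrers and keep those used by >= min_ips clients."""
    own_host = own_host.lower()
    seen = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:                 # skip lines that are not combined format
            continue
        key = spam_key(m["referer"], own_host)
        if key is not None:
            seen[key]["hits"] += 1
            seen[key]["ips"].add(m["ip"])
    return {k: {"hits": v["hits"], "ips": sorted(v["ips"])}
            for k, v in seen.items() if len(v["ips"]) >= min_ips}


if __name__ == "__main__":
    for ref, info in find_referrer_bots(SAMPLE_LOG, "kd7dmp.net").items():
        print(ref, info["hits"], "hits from", len(info["ips"]), "addresses")
```

The threshold keeps a single legitimate link-sharing referrer from being flagged; the flagged host/path can then feed a referrer block rule or an analytics filter.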

What's the point?

All in all, I'm not sure what the end goal of this is. It seems like they are making some money with this as I see reports of people using their service, though I don't know what happens after that. Other articles I've seen indicate that the company uses artificial "clicks" to boost sites, but then why give that away for free?
On top of this they are using a botnet of a fair size, estimated to be in the 100,000 range. 
So with all this why just fake clicks? I don't know yet.

The servers seem to be well locked down, with nothing that makes it clear who may be running things behind it all. I have found some links to a Ukrainian company and the Russian search engine Yandex. But the connection to Yandex seems to stop in that they use them for analytics. Anyone else that has info on this, please share so that we can find out more about all of this.
Maybe they don't have any other plans at all, but they have done a lot of work just to give away fake clicks.....


22 September 2014

SPAM Bots!!!

About a month ago a large attack was targeted on US server farms from the bot nets. Now this isn't an odd thing in and of itself, but the results from it were a bit odd.

The SPAM

So I don't normally see the direct effects of these kinds of attacks as the company I work for is small. But we do see the secondary and tertiary effects of this in the form of SPAM. Our company gets well over 2,000 emails a day, 1,500 of them are SPAM! Most of the time my filters block most of these emails, via blacklisting and some content filtering. But after this most recent attack I started seeing a new breed of SPAM. It was walking right through all my filters and it took WEEKS to get blacklisted. Below is an example of this new SPAM:

Return-Path: <PeterGarcia@cc34b8f738cc4489fda151ad551de4.sortut.com>
X-Original-To: ME
Delivered-To: ME
Received: from cc34b8f738cc4489fda151ad551de4.sortut.com (cc34b8f738cc4489fda151ad551de4.sortut.com [37.156.202.220])
 by ME.MAIL.localhost (ME.MAIL.localhost) with ESMTP id 72A6224FDA
 for <ME>; Thu, 18 Sep 2014 16:36:53 -0700 (PDT)
Message-ID: <Peter.2ac7115c98f53c458ff0cd5b87345e2c@cc34b8f738cc4489fda151ad551de4.sortut.com>
From: Blood Sugar Discovery  <Peter@sortut.com>
To: <ME>
Date: Thu, 18 Sep 2014 16:39:54 -0700
Subject: Info released - 9/18
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Notice - Jeremiahp
Diabetes Cure Alert


- Begin Notice - 

------------------------------------------------
Regain control of Blood Sugar levels. 
- Scientifically Proven
- Turn-around of 3 weeks
------------------------------------------------

Exposed Remedy -> http://www.sortut.com/psa/video/released/dia/assoc.html





- End Notice - 
View Doctor Report: http://www.sortut.com/psa/video/released/dia/assoc.html








stop further diabetes notices - http://www.sortut.com/68i/werg/ju76/wt.sert32
or write - TGI Services
1324 Swan Drive_Bartlesville, Oklahoma 7 4 0 0 6



I've changed the solenoid. My battery has over 12 volts, but will not crank the engine. When I turn the key, I may get one or two halfhearted attempts then nothing. When I charge the battery up to over 13.5 volts, it turns over like nothing is wrong. I've tested the ignition switch and I have continuity, it doesn't read to 000's but it beeps and goes to like 0.26 or so. I've unplugged the wire from the solenoid that comes from the ignition and I get 12.5 volts through there. It's a 4 pole solenoid. I get 12+ volts on the post with the red wire that seems to be connected to the battery. I don't get 12 volts on the starter end. And when I try to crank the engine from the ignition, I don't get 12 volts to the starter. How can I test the wire from the solenoid to the starter? Or is that even an issue? I'm at a loss. Any help will be greatly I have a 'quill' now with a grease fitting on top, however (looking inside it) it has Sealed bearings on both ends, so the grease fitting seems kinda useless on this quill , (I would think anyhow, but correct me if I'm wrong).. 

After your post about the pulley, I did put my dial indicator on today to check more accurately the pulley for run-out, & it has .029" run-out on the outer edge.. 
Hard to see by eye, but it is not as true as I thought.. But being stamped steel, would that be considered TOO much out of true ? No it doesn't sound like much.. But nothing else makes sense.. 
Your advice is Always most appreciated.. Now I have a direction to concentrate on.. I want to check for run-out on that 'quill' (spindle top) to see if it is the pulley or the spindle first.. & then test the other Good side for run-out as well.. If it's the pulley, I could possibly true it to a much better tolerance, or make it much worse.. LOL Time will tell.. I'm a bit reluctant to even touch the good side, that is still the original assembly (over 6 yrs old)..


And as I posted above, the bearings are holding up very well, it is the housing that gets the seats for the bearings beat out.

*Note: I have changed things so as not to expose any info about my work. Everything else is as I received it.*


So the odd thing about this email is the last part. It's some text about a guy fixing his starter. WTF? I saw 24 plus emails like this show up in my inbox at work and got reports of people getting these emails as well. I found out that the text at the bottom was scraped from an open forum. This post is from http://www.hobbytalk.com/bbs1/showthread.php?t=421200, a post made in August this year. The server hosting the forum was not compromised from what I could tell. So I'm guessing whatever the script was that generated this email used a web crawler to gather this text from open forums. The other emails had everything from talking about home-built airplanes to beauty tips. So it seems to be all over the board. But the oddity did stop there....

The Servers

After seeing so many of these emails getting through I started to dig into this further. I couldn't find any info on this with deep Google so I dug in myself. All of the direct sources of this SPAM seem to be servers, either what looked like home-run servers or long forgotten servers in datacenters for web hosting. They were a mix of Windows and Linux; about 2/3 of the servers that I tested were running Windows 2008, the rest were running Red Hat kernel 2.6.x.
This pattern on its own is not so abnormal, as this is what most of the compromised boxes on the net look like from what I have seen. The bit that was abnormal was how the servers had been changed. Most of the Windows servers had a very minimalist SMTP and HTTP server installed. No content on the HTTP, just some way to redirect you to another site. The SMTP server had just about everything disabled. Most of them seem to be some version of PowerMTA, an alternative MTA for Windows. The Linux servers had a very limited Postfix server.
The HTTP was NGINX that had just about everything turned off on it.
The security on the servers was basic, but enough to keep any random person from getting in. I didn't try too hard to break in to gather more info, this was just the reconnaissance.

The Trap


After looking at the servers I started looking at the "path" that the links would take you. I must give a warning here to anyone who wants to try this. Use Chrome's incognito tabs for this, doing this outside of a sandbox WILL DAMAGE YOUR SYSTEM!!!
So if you open the link you will find that it just sits there for a few, then pops up with an annoying ad site. If you grab the site with wget -r you will see something like this:

wget -r http://www.sortut.com/psa/video/released/dia/assoc.html
--2014-09-22 10:25:31--  http://www.sortut.com/psa/video/released/dia/assoc.html
Resolving www.sortut.com (www.sortut.com)... 66.172.90.246
Connecting to www.sortut.com (www.sortut.com)|66.172.90.246|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE [following]
--2014-09-22 10:25:32--  http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE
Resolving affiliate.gosotrack.com (affiliate.gosotrack.com)... 173.230.238.191
Connecting to affiliate.gosotrack.com (affiliate.gosotrack.com)|173.230.238.191|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162 [following]
--2014-09-22 10:25:32--  http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162
Resolving tracking.routeoffers.com (tracking.routeoffers.com)... 54.183.46.151
Connecting to tracking.routeoffers.com (tracking.routeoffers.com)|54.183.46.151|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]={trackslug_1}&trackslugs[]={trackslug_2}&trackslugs[]={trackslug_3} [following]
--2014-09-22 10:25:33--  https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]=%7Btrackslug_1%7D&trackslugs[]=%7Btrackslug_2%7D&trackslugs[]=%7Btrackslug_3%7D
Resolving buyglucohealth.com (buyglucohealth.com)... 192.64.176.135
Connecting to buyglucohealth.com (buyglucohealth.com)|192.64.176.135|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `www.sortut.com/psa/video/released/dia/assoc.html'

    [ <=>                                                                                                               ] 9,540       --.-K/s   in 0.005s  

2014-09-22 10:25:34 (1.94 MB/s) - `www.sortut.com/psa/video/released/dia/assoc.html' saved [9540]

FINISHED --2014-09-22 10:25:34--
Total wall clock time: 2.4s
Downloaded: 1 files, 9.3K in 0.005s (1.94 MB/s)


You can see it bounces you around 4 different sites before landing you on the ad site where there are so many trackers and pop ups that it feels like the '90s all over again.
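To make the chain in that wget output easier to read, the following Python sketch (an added example, not part of the original post) pulls out each hop and lists the query-string values that are handed from one host to the next, which is where the affiliate identifiers show up. WGET_LOG is abridged from the output above (request, status and Location lines only); the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Abridged from the wget output in the post: request, status, Location lines.
WGET_LOG = """\
--2014-09-22 10:25:31--  http://www.sortut.com/psa/video/released/dia/assoc.html
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE [following]
--2014-09-22 10:25:32--  http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162 [following]
--2014-09-22 10:25:32--  http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]={trackslug_1}&trackslugs[]={trackslug_2}&trackslugs[]={trackslug_3} [following]
--2014-09-22 10:25:33--  https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]=%7Btrackslug_1%7D&trackslugs[]=%7Btrackslug_2%7D&trackslugs[]=%7Btrackslug_3%7D
HTTP request sent, awaiting response... 200 OK
FINISHED --2014-09-22 10:25:34--
"""

REQUEST = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)$")
STATUS = re.compile(r"^HTTP request sent, awaiting response\.\.\. (?P<code>\d{3})")
LOCATION = re.compile(r"^Location: (?P<url>\S+)")


def redirect_chain(wget_log):
    """Return one dict per request wget made: url, status, Location target."""
    hops = []
    for line in wget_log.splitlines():
        line = line.strip()
        m = REQUEST.match(line)
        if m:
            hops.append({"url": m["url"], "status": None, "location": None})
            continue
        if not hops:                  # ignore anything before the first request
            continue
        m = STATUS.match(line)
        if m:
            hops[-1]["status"] = int(m["code"])
            continue
        m = LOCATION.match(line)
        if m:
            hops[-1]["location"] = m["url"]
    return hops


def carried_values(hops):
    """Map each query value seen on two or more hosts to its (host, param) uses."""
    seen = {}
    for hop in hops:
        parts = urlsplit(hop["url"])
        for name, value in parse_qsl(parts.query):   # blank values are skipped
            seen.setdefault(value, []).append((parts.hostname, name))
    return {value: uses for value, uses in seen.items()
            if len({host for host, _ in uses}) >= 2}


if __name__ == "__main__":
    chain = redirect_chain(WGET_LOG)
    for hop in chain:
        print(hop["status"], urlsplit(hop["url"]).hostname)
    for value, uses in carried_values(chain).items():
        print(value, "->", uses)
```

The values that survive across hosts are the ones worth quoting in an abuse report, since they identify the same account at each tracking service.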

The sites that they are bounced through advertise themselves as "Social networking advertising market places." I haven't dug into this much, but from talking with my friends in the marketing world these would be the companies that promise to get your ad more clicks, and thousands of more views. They just leave out that it will be views from very pissed off people or lots of unknowing old people.
The end site you land on seems to be really selling what they are saying they want to sell. Complete with all the info to comply with the CAN-SPAM Act buried under 15 pop ups.

Questions


After all this digging I'm still left with a lot of questions. What connection do these SPAM "sources" have with the attack a month ago, if it has any connection?
What is the backend behind all of these bot servers, what packages are they using and how do they work?
Have the bot herders moved from using personal connections to servers to spread SPAM? Or are the personal computers used to attack the servers?
Who is behind the command and control systems of these bot nets?
And how are these advertising "markets" connected with the bot nets? 
What companies are using these tickets and how can we shed light on what is really behind this kind of marketing?

In the end I want to try to help with reducing the SPAM on the internet and making network admin's jobs easier around the world. I spend a good 60% of my work day on just SPAM. 
If any of you out there have info on this please leave a comment below or give me a shout out on twitter @KD7DMP with your info.

Thanks all, until next time. 




04 September 2014

Things you wouldn't think of as a "hack".

There are many people out there that think you have to know something about coding or electronics to be a hacker. But there are many non-tech ways to hack.
A good example is a guest post my partner Andrea did on Offbeat Home.
Why damaged tablecloths may be the most surprisingly useful item in your home
Here, simply asking about damaged tablecloths at your local rental store could get you some useful gear.
This is also a great example of looking in places that you wouldn't think of looking.
Andrea also found a good portion of the parts for this DIY thresher.
*soon to come post from Andrea on that*


One of our local scrap places sells these used plastic barrels for $20. I had the steel 75 gallon drum sitting around my farm. The strap was found along the railroad tracks. The motor was sitting in my pole barn, and the better arms were built out of old lumber lying around both of our places.
There are no microcontrollers, no computers at all, just good old-fashioned farm hacking.

And this is just one example of this, there are many many more out there on the net.
So just remember, you don't have to be a tech wizard to be a hacker.

Keep on hack'n!!