The Federal Bureau of Investigation is targeting a Texas-based computer network that the government thinks was hijacked for the Anonymous group's Operation: Payback DDoS attack on PayPal.

"As part of the process of identifying the computer system that I seek to search, I may be forced to check each system belonging to the target customer until I have determined that it is the computer to be searched," the author of the FBI's Affidavit in Support of a Search Warrant of the facility explains.

The FBI's request was obtained by The Smoking Gun news site. It comes following Anonymous or 4chan's attempt to bring down various financial service companies that refused to do business with Wikileaks, most notably PayPal and the Swiss bank PostFinance.

Vote for your target

According to the document, PayPal contacted the FBI on December 6, following 4chan's DDoS attack on PayPal's blog, which was pushed offline for several hours. Several days later, PayPal came under full assault again.

By the government's account, Anonymous used Twitter to recruit participants for the online offensive, directing them to an Internet Relay Chat server at irc.anonops.net. Once there, they were told to install an open source network stress testing application—the Low Orbit Ion Cannon (LOIC), which can flood a site with HTTP requests and TCP packets.

"Within the 'anops' IRC server site there were a number of different channels administered by members of 'Anonymous'," the affidavit notes. "Within these channels, users discussed their opinions of 'Operation Payback,' obtained technical support on how to install and use the LOIC program, and voted for which websites should be the next target of a DDoS attack."

PayPal investigators directed the FBI to eight IP addresses hosting the IRC site. The Bureau determined that one of them belonged to the Canadian company FranTech Solutions. Another was traced to a server located in Herlisheim France, owned by Host Europe, with root-level access coming from an administrator with a Dallas, Texas based IP address: Tailor Made Servers, a colocation facility service.

Good night PayPal

Commands for the DDoS attack came from the Dallas computers, according to log entries cited in the FBI's search request:

[Thu Dec 9 11:14:27 2010] - OVERRIDE: root(root@72.9.153.142) TOPCI #loic'!lazor default targethost=api.paypal.comsubsite=/ speed=3 threads=15 method=tcp wait=false random=true checked=false message=Good_night_paypal_Sweet_dreams_from_AnonOPs port=443 stop'

The agent's affidavit seeks permission to probe any of Tailor Made's machines. "Based on my experience and training, I know that companies providing co-location facilities do not always label or externally identify the computer servers at their facilities with their IP address," the document notes.

"Once the desired computer system has been identified, no other computer systems will be checked."