2010/12/19

Domains found on Wikileaks.info IP address 92.241.190.202

Domains found on Wikileaks.info IP address 92.241.190.202

Electix.biz Maps4all.net
2-ston3d4-you.info Marburginfo.com
321uhren.com Mda.to
35cent.com Media-online24.com
3g-restposten.com Media-world24.com
3xpl0r3r.net Medikamente-rezeptfrei.com
Abccasino.info Meine-games.net
Abgefuckt.org Melanotan-deutschland.com
Accmania.net Mlm-ticker.com
Acidhead.org Moviearea.org
Actillegally.us Movieload.biz
Afaction.tk Muttermale-entfernen.com
Afaction.us Mymagicmushrooms.com
Aktion-gegen-kipo.info Mys1q.com
Albenjunkies.org Napstore.net
Albumz.net Nationales-infoblatt.net
Allesbilliger24.com Nokia-zone.mobi
Allstore.org Ns-zwickau.info
Amateur-schlampe.net O-fakes.com
Amateurteenstreff.com Onlinedownloaden.de
Anabol-empire.com Onlineminigames.org
Anabolika-store.org Operationmt2.com
Anacom.info Ould-versand.com
Anacom.us P0rntub3.com
Anatoxis-tools.net P2pxchange.org
Android-appz.org Packstation-shop.com
Animalsin.in Packstation-verif.info
Anime-inside.org Packstation-verifizieren.net
Annas-tube.com Packstationverifizierung.com
Antifa-dortmund.info Pay4-quality.com
Antirip.us Paypal-24.com
Aphogetics.com Paypal-securitycenter.com
Apple-ware.net Pdfs.us
Appload.us Permagnus-networking.com
Art1088443technologie-freiepresse-berlin.com Picfreak.net
Atlanticamt2.com Pillenbar.com
Auth-account.com Pixel-banner.com
Awewill.com Pkv-versicherungsvergleich.biz
B4ltd.org Playlame.com
Babes-board.org Pornarea.us
Biggbossy0.com Pornoextr.com
Billiger-gehts-immer.com Prepaid2webcash.net
Billiger-ist-geschenkt.com Proeroticmedia.com
Blmt2.com Psc-spread.com
Bloodflow.org Psc2webmoney.net
Bodybuilding-wars.com Qatar2022bidrevealed.com
Bookaneer.org R0uteyou.net
Busteed.us Rainer-hackerodt.info
Carding-world.com Razorandyahomie.info
Casino-site24.com Real-world2.net
Cc-store.info Recherche-ruhrgebiet.net
Century-of-legends.com Remixmt2.com
Change-id.net Replica-watch-links.com
Chatin24-advision.us Restpostenhandel-direkt.com
Choco-network.com Rosenberg-soehne.com
Club-exclusiveaustria.org Rosenberg-und-partner.com
Conan-base.net Russkyhost.net
Cr0wn-st0re.net Sakeco.info
Crazy-porn.net Salefire.info
Creampiegangbang.us Saugzone.info
Cvmt2.eu Scene-bay.net
Cvmt2.net Scenelisters.com
Dark-world.biz Sceneprotected.net
Dark-world2.com Sceneshopping.info
Datenkrieger.biz Scenestuff.info
Datenladen.com Schandfleck.org
Datensau.info Schnaeppchen-planet.com
De-ostium-dhl-registration.net School-of-hack.org
Deepbluesea.info Secored.us
Deiniphone4g.com Securaweb.net
Deliusweb.com Sene-sector.info
Der-verbrauchertest.com Sexation.us
Dev-united.com Sexinka.com
Dhl-verifikation.com Share-music.org
Dhl24.org Shared4.us
Dinghost.net Shisha-bay.com
Dirtytape.info Shoxx-network.info
Division-nordland.net Skillyourgame.com
Dizepticonz2.com Sky-world2.com
Dolce-diva.us Sload.us
Dominikfm.net Sp33dw0rld.com
Dopedeal.info Splatter-crew.org
Downtime-solutions.info Sportmedical.org
Dreamstuff.info Steamstore.info
Dumped24.org Stiffmt2.com
Eddinc.org Strassendate.net
Einfachekelhaft.com Stream-x.org
Elektro-konkurswaren-shop.com Street-evolution.com
Elite-crew.net Suncotec.com
Elite-share.org Supernicegirlz.com
Eoq-medicals.com Sveiven.info
Everestcapitalag.com Sweetleet.info
F0xb0x.com Szene-kritiker.info
Fabrik-direktverkauf.com Tax-fas.com
Facebook-picture.com Team-crime.com
Fake-scans.com Technik-base.com
Fake-watches.net Technikteufel.net
Falcon-global.com Teenizer.net
Flashstrike.net The-next-kurzick-generation.info
Flatrate-socks.com Toolbase24.net
Flexxx.info Top-pserver.com
Flyangel-xxx.org Totalinspire.com
Foodco-fruits.com Toxicsys.net
Football-soccer-live.com Toxmade-crew.com
Forever-alone.com Trabware.org
Foto-vektorgrafik.com Travelst0re.us
Freakupper.com Tritium-auth.biz
Free-sex.to True-world2.com
Freewarearchiv.org Trustsale.biz
Freies-europa.org Trusttradinggroup.com
Fuck-of-gf.com Turkeygoals.com
Fusenext.biz Tvjunkies.eu
Game-keyshop.com Uhren-imitate.net
Gamezworld.info Uhren-plagiate.com
Gehtwas.org Uhren-replicas.com
Geld-money-argent.info Uhren-replicas.de
Genesis-medicals.com Uhren-replicas.net
Get-big.org Uhren-store.com
Gfx.name Uldb.net
Gg-reallife.org Underground-city.com
Ggwblog.org Underground-elite.com
Gigalinknetwork.com Underground-links.com
Gk4u.net Unique-video.us
Goddessgalleries.com United-nw.net
Goldanlage24.net United-nw.org
Goldperle.info Universeporn.us
Goomedia24.com Unleash-greece.com
Grow-it.org Unlimited-hacks.net
H4ck3rz.biz Upg-reloaded.org
Habboevents.net Urbanlabs.us
Habbowelle.net Urkash.net
Habbowelt.net Usenext-flatrate.info
Hack-world.net Veritasetaequitas.net
Hackproject.info Viagra-original.net
Handyguthaben-kostenlos.com Viagraladen.com
Haxore.com Vinquix.com
Hd-channel.net Vipsocks.biz
Hd-hive.org Virefrei-runterladen.com
Hitback2.com Viren-killer.net
Hollywood-streams.com Warez-linkz.net
Holyhosting.info Warez-schweiz.info
Holyshop.info Warezdc.com
Holyshop.tk We-host-you.net
Homeaffair.biz Wikileaks.info
Hupers.info Work-global.net
Hw-st0re.info Wow-x-store.com
Ibetyoucant.us Wrzserv.org
Iblizz.net Xclusivemt2.com
Ifake.info Xdlgayporn.com
Ihacks4.com Xmsloads.org
Illigal-coderz.net Xortor.net
Immolead.info Xprotechx.net
Include-st0re.com Yes-st0re.info
Include-st0re.info Yourboard.info
Incspace.org Ytimq.com
Javasun.info Zexxn.com
Jewlake.net Zigaretten-guenstiger.com
Julia-porn.com Zigaretten-versand.net
Justicemt2.org Zpanti22.com
Keystore.us Royal-crew.net
Kingloads.us Anabolika-bestellen.net
Kinky-stars.com Anabolika-undergrund.com
Kino-stream.to Steroide-kaufen.net
Kinofilme.us Zigaretten-online-kaufen.com
Knuddel-buy.com Elektro-wegner.info
Knuddeln.us Estrilento.com
Knuddels-cheat.net Feuerfreaks.com
Knuddels-cheats.net Fsev-mhg.com
Knuddels-login.net Infporn.net
Knuddelss.com Sload.info
Kosovadc.com Elite-hacks.info
Kostenlos-openoffice-download.com Flashh.info
L4x-hack.us Pictures-host.com
Lanubia.com Findstream.net
Lhblackbox.org Anabolika-bodybuilding.net
Lirix.info Dark-market.biz
Longju6.net Felsennest.com
Longju6.org Golden-flows.com
Lostraum.com Steriods6.com
Love-sarah-kern.com Szene-designz.biz
Loves-nulled-scriptz.info 1337store.info
Ltunes-store.com Buy-this.info
Luxuslive24.com Geschenkefuersie.net
M-enace.com Money-cheat.com
M2codes.com Spiegelbest.info
Magic-finger-tippers.org Ur-shop.info
Magiclifestyle.info Usenext-board.net
Main-store.net Sceptusleap.info
Mandy-nackt.info

Picking out random domains:
Fake-scans.com - buy fake ID documents, credit card info
Replica-watch-links.com - fake watches
Paypal-24.com and Paypal-securitycenter.com - Not PayPal related
Hack-world.net - hacking and exploit site
Underground-links.com - Warez like
L4x-hack.us - Game hacks - and so much for .US domain requirements (One of many above, Enom??).
O-fakes.com - redirect front for u-fakes.com - fake watches
Genesis-medicals.com - Drugs (Steroids)

... and so the list continues. I believe I have no need to describe some of the other sites found.

Also do not be fooled by notices that the site is "down to non-payment". In the past many sub-domains and hidden websites have been found hidden on such websites, happily being abused.

Wikileaks.info is not keeping good company. Can we blame everybody with half a grain of concern for the average internet surfer being concerned about it?

Hehachi, AnonOps, WikiLeaks and SpamHaus

As you may or may not know, somebody has recently hosted a WikiLeaks website, wikileaks.info, on Heihachi.net. Whether the wikileaks.info mirror is under control of Wikileaks or not is debatable and I would truly hope not. However a mirror of a popular website under criminal control does pose many opportunities for a cyber criminal. We need to note that the official list of Wikileaks mirrors does not link to wikileaks.info, whereas wikileaks.info claims affiliation with the official mirrors.

Obviously this may or may not be an attempt evade website take downs of the information they Wikileaks is publishing. However, this author was horrified the choice of hosting provider. Heihachi is all to well known as a resource for scammers and other internet miscreants that uses the anonymity of the net to victimize innocent internet users. In my observations I have found a constant flow of:
  • Phishing kits
  • Infected music downloads
  • Carding forums (Carders.cc also ran to Heihachi after being hacked, though by no means unique)
  • Hacking tools
  • DDoS Tools
  • DDos Command and Control's
  • Hate websites (including one publishing a list of home addresses of police in Germany for victimization)
... and a list of other websites that any self respecting hosting provider would never allow on his servers.

Of concern is the responses of Heihachi to abuse reports and communications, they condone abuse. Only one example response is "we allow botnets.","Yes, sure, we allow. Give us money and we host you and we will **** the german police".

In the light of the recent Wikileaks debacle, when hosting was taken up for a mirror Wikileaks, it directly flew in the face of what Wikileaks is supposed to stand for. Here we have Wikileaks, that defends the rights to know of normal people, being mirrored at a party that specializes in victimizing ordinary people and in effect assists in depriving law enforcement of methods to protecting ordinary citizens. Now matter your view on this Wikileaks issue, any party supporting cyber crime should not be a business partner.

As such I could only nod in silent appreciation of SpamHaus'es warning to Wikileaks. A similar warning was issued by Trend Micro.

However what followed was a bizzare and all to well know pattern of DDoS against anybody that dare mention about anything negative Hehachi related. At the same time at this refute appeared on wikileaks.info:

Spamhaus' False Allegations Against wikileaks.info

Published 15-Dec-2010, 8:00 AM GMT

On Tuesday, 14-Dec-2010 Spamhaus has issued a statement wherein it labels wikileaks.info as "unsafe", as they consider our hosting company as a malware facilitator:

http://www.spamhaus.org/news.lasso?article=665

We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.

While we are in favour of "Blacklists", be it for mail servers or web sites, they have to be compiled with care. Just listing whole IP blocks as "bad" may be quick and easy for the blacklist editors, but will harm hosters and web site users.

Wikileaks has been pulled from big hosters like Amazon. That's why we are using a "bulletproof" hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.

Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.

Wikileaks.info will always be safe and clean. Promised:

Google Safe Browsing Check for wikileaks.info

Update (15-Dec-2010 17:00 PM GMT): Spamhaus has updated their statement to say that they don't blacklist us.

The wikileaks.info Team


Nothing of this debacle was mentioned on the officially verified Wikileaks mirrors.

Also of note, the same Google safe browsing link used in retort by wikileaks.info, just serves to confirm what Spamhaus, Trend Micro and a host of other parties know and are saying. From http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info

What happened when Google visited this site?

Of the 13 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-19, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 3 network(s) including AS6772 (IMPNET), AS41947 (WEBALTA), AS8473 (BAHNHOF).

Very interesting, but however no guarantee for the future. But let us take a closer look at what Google is telling us:
AS6772 (IMPNET): Hosted 1.82% dangerous sites.
Of the 165 site(s) we tested on this network over the past 90 days, 3 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
AS41947 (WEBALTA): Hosted 7.63% dangerous sites.
Of the 37087 site(s) we tested on this network over the past 90 days, 2829 site(s), .... served content that resulted in malicious software being downloaded and installed without user consent.
AS8473 (BAHNHOF): Hosted 1.10% dangerous sites.
Of the 1900 site(s) we tested on this network over the past 90 days, 21 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
While it is difficult quantifying those numbers, what is clear is that Webalta, the upstream provider for Heihaci, has a five times more likelihood of infecting your PC or stealing your information than other providers for wikileaks.info. In the global scheme of badness, Webalta ranked 4th worst in the HostExploit reports. While it needs to be noted that Heihachi is one hosting providers on the Webalta network, they have been linked to various groups, I refrain from saying business since we do not know if they really are, on Webalta.

In a separate post I will list on the domains hosted on the same address as Wikileaks.info. Reading through these domain names belies the Wikileaks.info statement.

Now, apparently AnonOps is responsible for the ongoing DDoS. Or is this just what some nefarious party would like you to believe? SpamHaus has done some digging and currently have published piece of information about the ongoing DDoS:
This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.
An IP address lookup done on the 9th of Dec 2010 on irc.anonops.net, also causes more reason for concern:
Non-authoritative answer:
Name: irc.anonops.net
Addresses: 69.60.115.75, 83.169.21.109, 88.198.224.117, 91.121.72.103, 92.241.190.94, 199.19.226.231, 67.23.234.51, 67.220.74.147
Of note is IP address
92.241.190.94
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
Did somebody give AnonOps some bad advice? On this IP address we find the following website: RESISTANCIA.ORG

It was also the IP address for the domains anonops.net. anonops.org and anonops.com, although the DNS has been disabled.

However the Heihachi worm gives another twist upon doing a whois lookup on RESISTANCIA.ORG:
Domain ID:D159346719-LROR
Domain Name:RESISTANCIA.ORG
Created On:04-Jun-2010 20:34:17 UTC
Last Updated On:19-Dec-2010 10:00:05 UTC
Expiration Date:04-Jun-2011 20:34:17 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:917350c3ec1914e0
Registrant Name:Protected-ns.info Whois Protection Registrant Organization:Dinghost Limited Registrant Street1:Calle 53, Marbella Registrant Street2: Registrant Street3: Registrant City:Panama Registrant State/Province:PA Registrant Postal Code:10000 Registrant Country:PA Registrant Phone:+507.8321488 Registrant Phone Ext.: Registrant FAX:+507.8321488
Registrant FAX Ext.:
Registrant Email:abuse@protected-ns.info
Admin ID:917350c3ec1914e0
Admin Name:Protected-ns.info Whois Protection
Admin Organization:Dinghost Limited
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:PA
Admin Postal Code:10000
Admin Country:PA
Admin Phone:+507.8321488
Admin Phone Ext.:
Admin FAX:+507.8321488
Admin FAX Ext.:
Admin Email:abuse@protected-ns.info
Tech ID:917350c3ec1914e0
Tech Name:Protected-ns.info Whois Protection
Tech Organization:Dinghost Limited
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:PA
Tech Postal Code:10000
Tech Country:PA
Tech Phone:+507.8321488
Tech Phone Ext.:
Tech FAX:+507.8321488
Tech FAX Ext.:
Tech Email:abuse@protected-ns.info
Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM
As the registrar Enom and a host of other providers for Heihachi have already been informed so many times, Calle 53, Marbella is the address of the World Trade Centre in Panama, an incomplete address not meeting the requirements of whois registration data.

This address has been used all to many times by Heihachi. As an example, on 2010-05-17 the whois record for Heihachi.net reflected:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net

Domain name: heihachi.net

Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION ()

Fax:
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Administrative Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (abuse@heihachi.net)
+507.8321668
Fax: +507.8321668
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Technical Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (support@heihachi.net)
+507.8321668
Fax:
Calle 53, Marbella
Bella Vista
Panama, PANAMA 00000
PA

Status: Locked

Name Servers:
NS0.XNAME.ORG
NS1.XNAME.ORG
NS2.XNAME.ORG
Since then Heihachi have availed themselves of Whois Privacy Protection Service.

A search on the given telephone number +507.8321488 yields interesting results:
macbilliger.com with scam alerts
russiansubtitles.com where a Google search says a lot
hardcoremt2.com no explanation needed
It seems Heihachi is related to DingHost in whatever affiliation and in turn resistancia.org used DingHost.

But a quick search on resistancia.org reveals malware issues for this domain. As an example http://support.clean-mx.de/
Likewise http://www.threatexpert.com

So who is behind this SpamHaus attack?

At this stage all I would risk saying is Wikileaks are not part and parcel of the issue at hand. This does beg the question who is though. What is known is that a previously exploit domain resistancia.org shared the same IP address as AnonOps, Wikileaks.info is sharing a very direty IP address that does not belong on any clean IP list by any stretch of imagination.

What is clear is that SpamHaus and WikiLeaks are both victims to something that hatched on Heihachi and whatever it was, it was not good, showing the all to familiar pattern DDoS'ing.

A very big question mark hangs over AnonOps. We have to consider this is a group of loosely associated individuals. If the party arranging the hosting and tools of AnonOps was in the know of what was happening or not on Heihachi's IP's is another question. It does serve as a major red flag for those who merrily follow an unknown Pied Piper in "good causes". Make sure who you associate with.

It is also just another example of bad unaccountable things emanating from Heihachi or touching anything to do with Heihachi.

Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought.

In a separate post I will be posting domains found on the same IP address, 92.241.190.202, as which is used for Wikileaks.info.





2010/05/23

Cans of worms

The recent hacking of carders.cc has really opened up more than a few cans of worms for the hosting and domaining industry. The contents of their forums, thus far hidden, has conclusively linked together suspected groups of cyber crime nests. It also sheds some light on service providers all too willing to make a quiet quick buck and to heck with the consequences and victims.

In this blog we will be publishing some of the rather incriminating posts and happenings, also specifically related to Heihachi.net, 4x2.ru, 133t-crew, Gigalinknetwork.com, Ideal Solution Ltd and their upstream, Webalta.ru

Note that dumps of the hacked forums have been posted all over the net, as such publsihing or using the contents does not constitute a violation of Blogger's
Terms of Service, specifically their Content Policy. This content is now in the public domain.

With that out of the way, let's move on ....

So, carders.cc was hacked, what now? Already this nest of cyber crime is getting ready to attack innocent victims again. Hosting has been unkindly provided by Heihachi.net. In fact the carders crew stated they would be using Heihachi:
Liebe User,
Wie ihr wohl schon alle mitbekommen habt, wurde Carders Opfer einer Hackerattacke. Meiner Meinung nach ein dunkler Tag für
die Szene, auch wenn sich jetzt viele schadensfroh im Keller einen ablachen. Leider wissen, oder verstehen diese Menschen nicht was für Konsequenzen so etwas haben kann.
Wie dem Deface-Text bereits zu entnehmen war, wurden einige IPs geloggt, dies jedoch nicht absichtlich sondern durch einen Fehler des (ehemaligen) Techmins Zagerus. An dieser Stelle ein großes Entschuldigung an
die User, die vom IP Logging betroffen waren. Dieser Vorfall sollte euch jedoch daran erinnern, dass ihr immer mit einem VPN / Socks5 / VicSocks, wie auch immer, unterwegs sein solltet. Alle User sollten natürlich ihre Passwörter ihrer E-Mails, anderen Accounts, ICQ Nummern etc. ändern! Selbst wenn nun mit der gehackten Datenbank gegen uns ermittelt wird, was nach dem deutschen Gesetz eigentlich verboten sind, (aber die wahren Kriminellen sind ja ohnehin die Behörden) haben die größten Teil der User NICHTS zu befürchten. Von diesen Ermittlungen wird größtenteils das Team betroffen sein.

Nachdem KRON0S und ich uns einige Zeit unterhalten haben, ist uns klar geworden, dass wir uns
die Tour von ein paar vorpubertären Hackerkindern die Stimmung nicht nehmen lassen (Es handlet sich hierbei btw. um die gleichen Hacker wie bei 1337-crew), und dass das nicht das Ende von Carders ist. Nein! Wir werden zurück kommen! Dies wird jedoch einige Tage in Anspruch nehmen, da wir 1. auf Heihachi umziehen 2. nach dem Hack verständlicherweise die Boardsoftware wechseln und 3. um zukünfige Hacks zu vermeiden, sehr viele Sicherheitstests durchführen werden. GGF. wird jedoch der Jabberserver schon früher laufen. Desweiteren wurde Zagerus nach der großen Panne bis auf weiteres suspendiert, und die Technik wurde einem erfahrenereren User übergeben. Wir sehen uns in einigen Tagen wieder!

THANAT0S im Namen der Administration

Indeed THANAT0S, how can anybody do what you do, never mind the hack? Shame on you!

So, what was the reception like at Heihachi?
carders.cc [92.241.190.3]
% Information related to '92.241.190.0 - 92.241.190.255'

inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Andreas Mueller
address: Bella Vista, Calle 53, Marbella
address: Ciudad de Panama, Panama
remarks: Visit us under gigalinknetwork.com
remarks: ICQ 7979970
remarks: Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks: Send abuse ONLY to: abuse@gigalinknetwork.com
remarks: Technical and sales info: support@gigalinknetwork.com
phone: +5078321458
abuse-mailbox: abuse@gigalinknetwork.com
nic-hdl: hei668-RIPE
mnt-by: WEBALTA-MNT
source: RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
So who is gigalinknetwork.com?
Domain name: gigalinknetwork.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Status: Active

Name Servers:
ns1.heihachi.net
ns2.heihachi.net

Creation date: 26 Feb 2010 23:04:47
Expiration date: 26 Feb 2011 23:04:00
Not much help there.... but we will get back to this later on.

Heihachi gladly accepted carders.cc and in fact even promptly gave them their own rDNS entry:
$ host 92.241.190.3
3.190.241.92.in-addr.arpa domain name pointer carders.heihachi.net
.
Oh so kind of them. In fact a traceroute also clearly showed this:
7 162 162 162 194.186.158.170 cat23.moscow.gldn.net
8 319 201 204 195.239.10.202 te1-1.maxwell.msk.wahome.ru
9 164 164 162 92.241.190.3 carders.heihachi.net
At least Heihachi cannot claim to have no control over what their clients are doing this time, as they so love doing. Here they in fact actively assisted by adding carders to the reverse DNS for heihachi.net. Surely even the dumbest network admin should hear a little alarm bell at the word "carders"?

I also wonder what the reception of the Indian authorities will be upon learning that Carders have a backup domain kindly sponsored by their ccTLD, carders.in (straight from the carders.cc dumps)?
carders.in [92.241.168.154]
% Information related to '92.241.168.0 - 92.241.169.254'

inetnum: 92.241.168.0 - 92.241.169.254
netname: NET-2X4
descr: 2x4.ru network
country: RU
admin-c: UDF667-RIPE
tech-c: UDF667-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Pavel Ivanov
address: Sound & Vision House, Francis Rachel Str.
address: Victoria, Mahe, Seychelles
remarks: ***************************************
remarks: Virtual and shared hosting, Windows Linux FreeBSD
remarks: Virtual private Servers (VPS/VDS), Dedicated Servers
remarks: Protected managed hosting solutions, DDOS protection systems
remarks: Sattelite CPC/VSAT telecomunications
remarks: Wireless links services.
remarks: English and Russian Sales contact: ICQ 758291
remarks: ***************************************
abuse-mailbox: abuse@2x4.ru
remarks: West Europe customers office & NOC
phone: +44 20 3286 6617
remarks: East Europe customers office & NOC
phone: +7 495 657-90-57
mnt-by: IDEAL-MNT
nic-hdl: UDF667-RIPE
source: RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
My my, WebAlta is popular!

Domain ID:D3820900-AFIN
Domain Name:CARDERS.IN
Created On:07-Oct-2009 03:25:49 UTC
Last Updated On:23-Dec-2009 23:15:29 UTC
Expiration Date:07-Oct-2010 03:25:49 UTC
Sponsoring Registrar:Online Nic (R8-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:Oln53232178
Registrant Name:Juri Marshinov
Registrant Organization:Technique Ltd.
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Ciudad de Panamá
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+7.4951476195
Registrant Phone Ext.:
Registrant FAX:+7.4951476195
Registrant FAX Ext.:
Registrant Email:abuse@carders.kz
Admin ID:Oln53232179
Admin Name:Juri Marshinov
Admin Organization:Technique Ltd.
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Ciudad de Panamá
Admin State/Province:Panama
Admin Postal Code:0000
Admin Country:PA
Admin Phone:+7.4951476195
Admin Phone Ext.:
Admin FAX:+7.4951476195
Admin FAX Ext.:
Admin Email:abuse@carders.kz
Tech ID:Oln53232180
Tech Name:Juri Marshinov
Tech Organization:Technique Ltd.
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Ciudad de Panamá
Tech State/Province:Panama
Tech Postal Code:0000
Tech Country:PA
Tech Phone:+7.4951476195
Tech Phone Ext.:
Tech FAX:+7.4951476195
Tech FAX Ext.:
Tech Email:abuse@carders.kz
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
... and following the bad rabbit:

carders.kz does not currently have an resolving A or MX record, as such no working email or website. Why?

I seems the registar RegTime took an exception to the Carders using their services:
Domain Name............: carders.kz

Organization Using Domain Name
Name...................: Juri Marshinov
Organization Name......: Technique Ltd.
Street Address.........: Calle 53, Marbella
City...................: Ciudad de Panamá
State..................: Panama
Postal Code............: 0000
Country................: PA

Administrative Contact/Agent
NIC Handle.............: CA446803-RT
Name...................: Juri Marshinov
Phone Number...........: +7.4951476195
Fax Number.............:
Email Address..........: abuse@carders.kz

Nameserver in listed order

Primary server.........: ns1.nameself.com
Primary ip address.....: 195.161.113.218

Secondary server.......: ns2.nameself.com
Secondary ip address...: 217.16.27.43

Domain created: 2009-03-04 00:51:35.0
Last modified : 2009-10-05 18:51:22.0
Domain status : clientHold -

Registar created: REGTIME
Current Registar: WEBNAMES
In the next few posts we will be linking all these bits and pieces of information together using the information available from the carders.cc database dump.