2010/05/23

Cans of worms

The recent hacking of carders.cc has really opened up more than a few cans of worms for the hosting and domaining industry. The contents of their forums, thus far hidden, has conclusively linked together suspected groups of cyber crime nests. It also sheds some light on service providers all too willing to make a quiet quick buck and to heck with the consequences and victims.

In this blog we will be publishing some of the rather incriminating posts and happenings, also specifically related to Heihachi.net, 4x2.ru, 133t-crew, Gigalinknetwork.com, Ideal Solution Ltd and their upstream, Webalta.ru

Note that dumps of the hacked forums have been posted all over the net, as such publsihing or using the contents does not constitute a violation of Blogger's
Terms of Service, specifically their Content Policy. This content is now in the public domain.

With that out of the way, let's move on ....

So, carders.cc was hacked, what now? Already this nest of cyber crime is getting ready to attack innocent victims again. Hosting has been unkindly provided by Heihachi.net. In fact the carders crew stated they would be using Heihachi:
Liebe User,
Wie ihr wohl schon alle mitbekommen habt, wurde Carders Opfer einer Hackerattacke. Meiner Meinung nach ein dunkler Tag für
die Szene, auch wenn sich jetzt viele schadensfroh im Keller einen ablachen. Leider wissen, oder verstehen diese Menschen nicht was für Konsequenzen so etwas haben kann.
Wie dem Deface-Text bereits zu entnehmen war, wurden einige IPs geloggt, dies jedoch nicht absichtlich sondern durch einen Fehler des (ehemaligen) Techmins Zagerus. An dieser Stelle ein großes Entschuldigung an
die User, die vom IP Logging betroffen waren. Dieser Vorfall sollte euch jedoch daran erinnern, dass ihr immer mit einem VPN / Socks5 / VicSocks, wie auch immer, unterwegs sein solltet. Alle User sollten natürlich ihre Passwörter ihrer E-Mails, anderen Accounts, ICQ Nummern etc. ändern! Selbst wenn nun mit der gehackten Datenbank gegen uns ermittelt wird, was nach dem deutschen Gesetz eigentlich verboten sind, (aber die wahren Kriminellen sind ja ohnehin die Behörden) haben die größten Teil der User NICHTS zu befürchten. Von diesen Ermittlungen wird größtenteils das Team betroffen sein.

Nachdem KRON0S und ich uns einige Zeit unterhalten haben, ist uns klar geworden, dass wir uns
die Tour von ein paar vorpubertären Hackerkindern die Stimmung nicht nehmen lassen (Es handlet sich hierbei btw. um die gleichen Hacker wie bei 1337-crew), und dass das nicht das Ende von Carders ist. Nein! Wir werden zurück kommen! Dies wird jedoch einige Tage in Anspruch nehmen, da wir 1. auf Heihachi umziehen 2. nach dem Hack verständlicherweise die Boardsoftware wechseln und 3. um zukünfige Hacks zu vermeiden, sehr viele Sicherheitstests durchführen werden. GGF. wird jedoch der Jabberserver schon früher laufen. Desweiteren wurde Zagerus nach der großen Panne bis auf weiteres suspendiert, und die Technik wurde einem erfahrenereren User übergeben. Wir sehen uns in einigen Tagen wieder!

THANAT0S im Namen der Administration

Indeed THANAT0S, how can anybody do what you do, never mind the hack? Shame on you!

So, what was the reception like at Heihachi?
carders.cc [92.241.190.3]
% Information related to '92.241.190.0 - 92.241.190.255'

inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Andreas Mueller
address: Bella Vista, Calle 53, Marbella
address: Ciudad de Panama, Panama
remarks: Visit us under gigalinknetwork.com
remarks: ICQ 7979970
remarks: Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks: Send abuse ONLY to: abuse@gigalinknetwork.com
remarks: Technical and sales info: support@gigalinknetwork.com
phone: +5078321458
abuse-mailbox: abuse@gigalinknetwork.com
nic-hdl: hei668-RIPE
mnt-by: WEBALTA-MNT
source: RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
So who is gigalinknetwork.com?
Domain name: gigalinknetwork.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US

Status: Active

Name Servers:
ns1.heihachi.net
ns2.heihachi.net

Creation date: 26 Feb 2010 23:04:47
Expiration date: 26 Feb 2011 23:04:00
Not much help there.... but we will get back to this later on.

Heihachi gladly accepted carders.cc and in fact even promptly gave them their own rDNS entry:
$ host 92.241.190.3
3.190.241.92.in-addr.arpa domain name pointer carders.heihachi.net
.
Oh so kind of them. In fact a traceroute also clearly showed this:
7 162 162 162 194.186.158.170 cat23.moscow.gldn.net
8 319 201 204 195.239.10.202 te1-1.maxwell.msk.wahome.ru
9 164 164 162 92.241.190.3 carders.heihachi.net
At least Heihachi cannot claim to have no control over what their clients are doing this time, as they so love doing. Here they in fact actively assisted by adding carders to the reverse DNS for heihachi.net. Surely even the dumbest network admin should hear a little alarm bell at the word "carders"?

I also wonder what the reception of the Indian authorities will be upon learning that Carders have a backup domain kindly sponsored by their ccTLD, carders.in (straight from the carders.cc dumps)?
carders.in [92.241.168.154]
% Information related to '92.241.168.0 - 92.241.169.254'

inetnum: 92.241.168.0 - 92.241.169.254
netname: NET-2X4
descr: 2x4.ru network
country: RU
admin-c: UDF667-RIPE
tech-c: UDF667-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Pavel Ivanov
address: Sound & Vision House, Francis Rachel Str.
address: Victoria, Mahe, Seychelles
remarks: ***************************************
remarks: Virtual and shared hosting, Windows Linux FreeBSD
remarks: Virtual private Servers (VPS/VDS), Dedicated Servers
remarks: Protected managed hosting solutions, DDOS protection systems
remarks: Sattelite CPC/VSAT telecomunications
remarks: Wireless links services.
remarks: English and Russian Sales contact: ICQ 758291
remarks: ***************************************
abuse-mailbox: abuse@2x4.ru
remarks: West Europe customers office & NOC
phone: +44 20 3286 6617
remarks: East Europe customers office & NOC
phone: +7 495 657-90-57
mnt-by: IDEAL-MNT
nic-hdl: UDF667-RIPE
source: RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
My my, WebAlta is popular!

Domain ID:D3820900-AFIN
Domain Name:CARDERS.IN
Created On:07-Oct-2009 03:25:49 UTC
Last Updated On:23-Dec-2009 23:15:29 UTC
Expiration Date:07-Oct-2010 03:25:49 UTC
Sponsoring Registrar:Online Nic (R8-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:Oln53232178
Registrant Name:Juri Marshinov
Registrant Organization:Technique Ltd.
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Ciudad de Panamá
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+7.4951476195
Registrant Phone Ext.:
Registrant FAX:+7.4951476195
Registrant FAX Ext.:
Registrant Email:abuse@carders.kz
Admin ID:Oln53232179
Admin Name:Juri Marshinov
Admin Organization:Technique Ltd.
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Ciudad de Panamá
Admin State/Province:Panama
Admin Postal Code:0000
Admin Country:PA
Admin Phone:+7.4951476195
Admin Phone Ext.:
Admin FAX:+7.4951476195
Admin FAX Ext.:
Admin Email:abuse@carders.kz
Tech ID:Oln53232180
Tech Name:Juri Marshinov
Tech Organization:Technique Ltd.
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Ciudad de Panamá
Tech State/Province:Panama
Tech Postal Code:0000
Tech Country:PA
Tech Phone:+7.4951476195
Tech Phone Ext.:
Tech FAX:+7.4951476195
Tech FAX Ext.:
Tech Email:abuse@carders.kz
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
... and following the bad rabbit:

carders.kz does not currently have an resolving A or MX record, as such no working email or website. Why?

I seems the registar RegTime took an exception to the Carders using their services:
Domain Name............: carders.kz

Organization Using Domain Name
Name...................: Juri Marshinov
Organization Name......: Technique Ltd.
Street Address.........: Calle 53, Marbella
City...................: Ciudad de Panamá
State..................: Panama
Postal Code............: 0000
Country................: PA

Administrative Contact/Agent
NIC Handle.............: CA446803-RT
Name...................: Juri Marshinov
Phone Number...........: +7.4951476195
Fax Number.............:
Email Address..........: abuse@carders.kz

Nameserver in listed order

Primary server.........: ns1.nameself.com
Primary ip address.....: 195.161.113.218

Secondary server.......: ns2.nameself.com
Secondary ip address...: 217.16.27.43

Domain created: 2009-03-04 00:51:35.0
Last modified : 2009-10-05 18:51:22.0
Domain status : clientHold -

Registar created: REGTIME
Current Registar: WEBNAMES
In the next few posts we will be linking all these bits and pieces of information together using the information available from the carders.cc database dump.