2010/12/19

Domains found on Wikileaks.info IP address 92.241.190.202

Electix.biz Maps4all.net
2-ston3d4-you.info Marburginfo.com
321uhren.com Mda.to
35cent.com Media-online24.com
3g-restposten.com Media-world24.com
3xpl0r3r.net Medikamente-rezeptfrei.com
Abccasino.info Meine-games.net
Abgefuckt.org Melanotan-deutschland.com
Accmania.net Mlm-ticker.com
Acidhead.org Moviearea.org
Actillegally.us Movieload.biz
Afaction.tk Muttermale-entfernen.com
Afaction.us Mymagicmushrooms.com
Aktion-gegen-kipo.info Mys1q.com
Albenjunkies.org Napstore.net
Albumz.net Nationales-infoblatt.net
Allesbilliger24.com Nokia-zone.mobi
Allstore.org Ns-zwickau.info
Amateur-schlampe.net O-fakes.com
Amateurteenstreff.com Onlinedownloaden.de
Anabol-empire.com Onlineminigames.org
Anabolika-store.org Operationmt2.com
Anacom.info Ould-versand.com
Anacom.us P0rntub3.com
Anatoxis-tools.net P2pxchange.org
Android-appz.org Packstation-shop.com
Animalsin.in Packstation-verif.info
Anime-inside.org Packstation-verifizieren.net
Annas-tube.com Packstationverifizierung.com
Antifa-dortmund.info Pay4-quality.com
Antirip.us Paypal-24.com
Aphogetics.com Paypal-securitycenter.com
Apple-ware.net Pdfs.us
Appload.us Permagnus-networking.com
Art1088443technologie-freiepresse-berlin.com Picfreak.net
Atlanticamt2.com Pillenbar.com
Auth-account.com Pixel-banner.com
Awewill.com Pkv-versicherungsvergleich.biz
B4ltd.org Playlame.com
Babes-board.org Pornarea.us
Biggbossy0.com Pornoextr.com
Billiger-gehts-immer.com Prepaid2webcash.net
Billiger-ist-geschenkt.com Proeroticmedia.com
Blmt2.com Psc-spread.com
Bloodflow.org Psc2webmoney.net
Bodybuilding-wars.com Qatar2022bidrevealed.com
Bookaneer.org R0uteyou.net
Busteed.us Rainer-hackerodt.info
Carding-world.com Razorandyahomie.info
Casino-site24.com Real-world2.net
Cc-store.info Recherche-ruhrgebiet.net
Century-of-legends.com Remixmt2.com
Change-id.net Replica-watch-links.com
Chatin24-advision.us Restpostenhandel-direkt.com
Choco-network.com Rosenberg-soehne.com
Club-exclusiveaustria.org Rosenberg-und-partner.com
Conan-base.net Russkyhost.net
Cr0wn-st0re.net Sakeco.info
Crazy-porn.net Salefire.info
Creampiegangbang.us Saugzone.info
Cvmt2.eu Scene-bay.net
Cvmt2.net Scenelisters.com
Dark-world.biz Sceneprotected.net
Dark-world2.com Sceneshopping.info
Datenkrieger.biz Scenestuff.info
Datenladen.com Schandfleck.org
Datensau.info Schnaeppchen-planet.com
De-ostium-dhl-registration.net School-of-hack.org
Deepbluesea.info Secored.us
Deiniphone4g.com Securaweb.net
Deliusweb.com Sene-sector.info
Der-verbrauchertest.com Sexation.us
Dev-united.com Sexinka.com
Dhl-verifikation.com Share-music.org
Dhl24.org Shared4.us
Dinghost.net Shisha-bay.com
Dirtytape.info Shoxx-network.info
Division-nordland.net Skillyourgame.com
Dizepticonz2.com Sky-world2.com
Dolce-diva.us Sload.us
Dominikfm.net Sp33dw0rld.com
Dopedeal.info Splatter-crew.org
Downtime-solutions.info Sportmedical.org
Dreamstuff.info Steamstore.info
Dumped24.org Stiffmt2.com
Eddinc.org Strassendate.net
Einfachekelhaft.com Stream-x.org
Elektro-konkurswaren-shop.com Street-evolution.com
Elite-crew.net Suncotec.com
Elite-share.org Supernicegirlz.com
Eoq-medicals.com Sveiven.info
Everestcapitalag.com Sweetleet.info
F0xb0x.com Szene-kritiker.info
Fabrik-direktverkauf.com Tax-fas.com
Facebook-picture.com Team-crime.com
Fake-scans.com Technik-base.com
Fake-watches.net Technikteufel.net
Falcon-global.com Teenizer.net
Flashstrike.net The-next-kurzick-generation.info
Flatrate-socks.com Toolbase24.net
Flexxx.info Top-pserver.com
Flyangel-xxx.org Totalinspire.com
Foodco-fruits.com Toxicsys.net
Football-soccer-live.com Toxmade-crew.com
Forever-alone.com Trabware.org
Foto-vektorgrafik.com Travelst0re.us
Freakupper.com Tritium-auth.biz
Free-sex.to True-world2.com
Freewarearchiv.org Trustsale.biz
Freies-europa.org Trusttradinggroup.com
Fuck-of-gf.com Turkeygoals.com
Fusenext.biz Tvjunkies.eu
Game-keyshop.com Uhren-imitate.net
Gamezworld.info Uhren-plagiate.com
Gehtwas.org Uhren-replicas.com
Geld-money-argent.info Uhren-replicas.de
Genesis-medicals.com Uhren-replicas.net
Get-big.org Uhren-store.com
Gfx.name Uldb.net
Gg-reallife.org Underground-city.com
Ggwblog.org Underground-elite.com
Gigalinknetwork.com Underground-links.com
Gk4u.net Unique-video.us
Goddessgalleries.com United-nw.net
Goldanlage24.net United-nw.org
Goldperle.info Universeporn.us
Goomedia24.com Unleash-greece.com
Grow-it.org Unlimited-hacks.net
H4ck3rz.biz Upg-reloaded.org
Habboevents.net Urbanlabs.us
Habbowelle.net Urkash.net
Habbowelt.net Usenext-flatrate.info
Hack-world.net Veritasetaequitas.net
Hackproject.info Viagra-original.net
Handyguthaben-kostenlos.com Viagraladen.com
Haxore.com Vinquix.com
Hd-channel.net Vipsocks.biz
Hd-hive.org Virefrei-runterladen.com
Hitback2.com Viren-killer.net
Hollywood-streams.com Warez-linkz.net
Holyhosting.info Warez-schweiz.info
Holyshop.info Warezdc.com
Holyshop.tk We-host-you.net
Homeaffair.biz Wikileaks.info
Hupers.info Work-global.net
Hw-st0re.info Wow-x-store.com
Ibetyoucant.us Wrzserv.org
Iblizz.net Xclusivemt2.com
Ifake.info Xdlgayporn.com
Ihacks4.com Xmsloads.org
Illigal-coderz.net Xortor.net
Immolead.info Xprotechx.net
Include-st0re.com Yes-st0re.info
Include-st0re.info Yourboard.info
Incspace.org Ytimq.com
Javasun.info Zexxn.com
Jewlake.net Zigaretten-guenstiger.com
Julia-porn.com Zigaretten-versand.net
Justicemt2.org Zpanti22.com
Keystore.us Royal-crew.net
Kingloads.us Anabolika-bestellen.net
Kinky-stars.com Anabolika-undergrund.com
Kino-stream.to Steroide-kaufen.net
Kinofilme.us Zigaretten-online-kaufen.com
Knuddel-buy.com Elektro-wegner.info
Knuddeln.us Estrilento.com
Knuddels-cheat.net Feuerfreaks.com
Knuddels-cheats.net Fsev-mhg.com
Knuddels-login.net Infporn.net
Knuddelss.com Sload.info
Kosovadc.com Elite-hacks.info
Kostenlos-openoffice-download.com Flashh.info
L4x-hack.us Pictures-host.com
Lanubia.com Findstream.net
Lhblackbox.org Anabolika-bodybuilding.net
Lirix.info Dark-market.biz
Longju6.net Felsennest.com
Longju6.org Golden-flows.com
Lostraum.com Steriods6.com
Love-sarah-kern.com Szene-designz.biz
Loves-nulled-scriptz.info 1337store.info
Ltunes-store.com Buy-this.info
Luxuslive24.com Geschenkefuersie.net
M-enace.com Money-cheat.com
M2codes.com Spiegelbest.info
Magic-finger-tippers.org Ur-shop.info
Magiclifestyle.info Usenext-board.net
Main-store.net Sceptusleap.info
Mandy-nackt.info

Picking out random domains:
Fake-scans.com - buy fake ID documents, credit card info
Replica-watch-links.com - fake watches
Paypal-24.com and Paypal-securitycenter.com - Not PayPal related
Hack-world.net - hacking and exploit site
Underground-links.com - Warez like
L4x-hack.us - Game hacks - and so much for the .US domain requirements (one of many above; Enom??).
O-fakes.com - redirect front for u-fakes.com - fake watches
Genesis-medicals.com - Drugs (Steroids)

... and so the list continues. I believe I have no need to describe some of the other sites found.

Also, do not be fooled by notices that a site is "down due to non-payment". In the past many sub-domains and hidden websites have been found on such "down" websites, happily being abused.

Wikileaks.info is not keeping good company. Can we blame anybody with half a grain of concern for the average internet surfer for being concerned about it?

Heihachi, AnonOps, WikiLeaks and SpamHaus

As you may or may not know, somebody has recently hosted a WikiLeaks mirror, wikileaks.info, on Heihachi.net. Whether the wikileaks.info mirror is under the control of Wikileaks is debatable, and I would truly hope not. However, a mirror of a popular website under criminal control poses many opportunities for a cyber criminal. Note that the official list of Wikileaks mirrors does not link to wikileaks.info, whereas wikileaks.info claims affiliation with the official mirrors.

Obviously this may or may not be an attempt to evade takedowns of the information Wikileaks is publishing. However, this author was horrified by the choice of hosting provider. Heihachi is all too well known as a resource for scammers and other internet miscreants who use the anonymity of the net to victimize innocent internet users. In my observations I have found a constant flow of:
  • Phishing kits
  • Infected music downloads
  • Carding forums (Carders.cc also ran to Heihachi after being hacked, though it is by no means unique)
  • Hacking tools
  • DDoS Tools
  • DDoS command and control servers
  • Hate websites (including one publishing a list of home addresses of police in Germany for victimization)
... and a list of other websites that any self-respecting hosting provider would never allow on their servers.

Of concern are Heihachi's responses to abuse reports and communications: they condone abuse. One example response is "we allow botnets.", another: "Yes, sure, we allow. Give us money and we host you and we will **** the german police".

In the light of the recent Wikileaks debacle, when hosting was taken up for a Wikileaks mirror, it flew directly in the face of what Wikileaks is supposed to stand for. Here we have Wikileaks, which defends the right of normal people to know, being mirrored by a party that specializes in victimizing ordinary people and in effect assists in depriving law enforcement of methods of protecting ordinary citizens. No matter your view on the Wikileaks issue, any party supporting cyber crime should not be a business partner.

As such I could only nod in silent appreciation of SpamHaus's warning to Wikileaks. A similar warning was issued by Trend Micro.

However, what followed was a bizarre and all too well-known pattern of DDoS against anybody who dared mention anything negative related to Heihachi. At the same time this rebuttal appeared on wikileaks.info:

Spamhaus' False Allegations Against wikileaks.info

Published 15-Dec-2010, 8:00 AM GMT

On Tuesday, 14-Dec-2010 Spamhaus has issued a statement wherein it labels wikileaks.info as "unsafe", as they consider our hosting company as a malware facilitator:

http://www.spamhaus.org/news.lasso?article=665

We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.

While we are in favour of "Blacklists", be it for mail servers or web sites, they have to be compiled with care. Just listing whole IP blocks as "bad" may be quick and easy for the blacklist editors, but will harm hosters and web site users.

Wikileaks has been pulled from big hosters like Amazon. That's why we are using a "bulletproof" hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.

Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.

Wikileaks.info will always be safe and clean. Promised:

Google Safe Browsing Check for wikileaks.info

Update (15-Dec-2010 17:00 GMT): Spamhaus has updated their statement to say that they don't blacklist us.

The wikileaks.info Team


Nothing of this debacle was mentioned on the officially verified Wikileaks mirrors.

Also of note, the same Google Safe Browsing link used in retort by wikileaks.info just serves to confirm what Spamhaus, Trend Micro and a host of other parties know and are saying. From http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info

What happened when Google visited this site?

Of the 13 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-19, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 3 network(s) including AS6772 (IMPNET), AS41947 (WEBALTA), AS8473 (BAHNHOF).

Very interesting, but no guarantee for the future. Let us take a closer look at what Google is telling us:
AS6772 (IMPNET): Hosted 1.82% dangerous sites.
Of the 165 site(s) we tested on this network over the past 90 days, 3 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
AS41947 (WEBALTA): Hosted 7.63% dangerous sites.
Of the 37087 site(s) we tested on this network over the past 90 days, 2829 site(s), .... served content that resulted in malicious software being downloaded and installed without user consent.
AS8473 (BAHNHOF): Hosted 1.10% dangerous sites.
Of the 1900 site(s) we tested on this network over the past 90 days, 21 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
While it is difficult to quantify those numbers, what is clear is that Webalta, the upstream provider for Heihachi, hosts a roughly four to seven times higher proportion of dangerous sites (7.63% against 1.82% and 1.10%) than the other networks that have served wikileaks.info, and so is that much more likely to infect your PC or steal your information. In the global scheme of badness, Webalta ranked 4th worst in the HostExploit reports. It must be noted that Heihachi is only one of the hosting providers on the Webalta network, but it has been linked to various groups on Webalta; I refrain from calling them businesses since we do not know whether they really are.

In a separate post I will list the domains hosted on the same address as Wikileaks.info. Reading through those domain names belies the Wikileaks.info statement.

Now, apparently AnonOps is responsible for the ongoing DDoS. Or is this just what some nefarious party would like you to believe? SpamHaus has done some digging and has published this piece of information about the ongoing DDoS:
This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.
An IP address lookup done on the 9th of December 2010 on irc.anonops.net also gives more reason for concern:
Non-authoritative answer:
Name: irc.anonops.net
Addresses: 69.60.115.75, 83.169.21.109, 88.198.224.117, 91.121.72.103, 92.241.190.94, 199.19.226.231, 67.23.234.51, 67.220.74.147
Of note is IP address
92.241.190.94
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
Did somebody give AnonOps some bad advice? On this IP address we find the following website: RESISTANCIA.ORG

It was also the IP address for the domains anonops.net, anonops.org and anonops.com, although the DNS has since been disabled.
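The check above, resolving a hostname and asking which of its answers land inside a RIPE inetnum range, is easy to do by hand for one host and tedious for many. The following is an added example, not code from the original post: it takes the nslookup answer and the RIPE record quoted above as constructed inputs, reduces the "first - last" inetnum range to CIDR blocks, and flags every resolved address that falls inside them. The function and variable names are my own.

```python
"""Added example, not from the original post: check resolved A records
against a RIPE inetnum block, as the post does by hand for
irc.anonops.net and Heihachi's 92.241.190.0 - 92.241.190.255."""
import ipaddress
import re

# Constructed inputs, copied from the lookup and the RIPE record quoted in
# the post. Everything else in this block is an assumption for illustration.
NSLOOKUP_OUTPUT = """\
Non-authoritative answer:
Name: irc.anonops.net
Addresses: 69.60.115.75, 83.169.21.109, 88.198.224.117, 91.121.72.103, 92.241.190.94, 199.19.226.231, 67.23.234.51, 67.220.74.147
"""

RIPE_INETNUM = """\
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_addresses(nslookup_text):
    """Return the IPv4 answers found on nslookup 'Address:'/'Addresses:' lines."""
    addrs = []
    for line in nslookup_text.splitlines():
        if line.startswith(("Address:", "Addresses:")):
            addrs.extend(ipaddress.IPv4Address(m) for m in IPV4_RE.findall(line))
    return addrs


def parse_inetnum(ripe_text):
    """Return (netname, CIDR blocks) from a RIPE inetnum object; the
    'first - last' range is reduced to the minimal set of networks."""
    fields = {}
    for line in ripe_text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    first, last = (s.strip() for s in fields["inetnum"].split("-"))
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return fields.get("netname", "?"), nets


def in_block(ip, nets):
    """True if the dotted-quad string ip lies in any of the networks."""
    return any(ipaddress.IPv4Address(ip) in n for n in nets)


def check_host(nslookup_text=NSLOOKUP_OUTPUT, ripe_text=RIPE_INETNUM):
    """Flag every resolved address that falls inside the inetnum block."""
    netname, nets = parse_inetnum(ripe_text)
    addrs = parse_addresses(nslookup_text)
    return {
        "netname": netname,
        "cidrs": [str(n) for n in nets],
        "resolved": [str(a) for a in addrs],
        "hits": [str(a) for a in addrs if in_block(str(a), nets)],
    }


if __name__ == "__main__":
    result = check_host()
    print(f"{result['netname']} = {', '.join(result['cidrs'])}")
    for ip in result["resolved"]:
        print(f"  {ip:16} {'IN BLOCK' if ip in result['hits'] else '-'}")
    # wikileaks.info's address from the post sits in the same block:
    _, nets = parse_inetnum(RIPE_INETNUM)
    print("92.241.190.202 in block:", in_block("92.241.190.202", nets))
```

Only one of the eight irc.anonops.net answers, 92.241.190.94, is inside the HEIHACHI block; the same check against 92.241.190.202 shows wikileaks.info in the same /24. To run it on live data, replace NSLOOKUP_OUTPUT with the output of `nslookup` and RIPE_INETNUM with the output of `whois 92.241.190.94`; the parsers only look at the "Addresses:" and "inetnum:" lines.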

However, the Heihachi can of worms gives another twist upon doing a whois lookup on RESISTANCIA.ORG:
Domain ID:D159346719-LROR
Domain Name:RESISTANCIA.ORG
Created On:04-Jun-2010 20:34:17 UTC
Last Updated On:19-Dec-2010 10:00:05 UTC
Expiration Date:04-Jun-2011 20:34:17 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:917350c3ec1914e0
Registrant Name:Protected-ns.info Whois Protection
Registrant Organization:Dinghost Limited
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Panama
Registrant State/Province:PA
Registrant Postal Code:10000
Registrant Country:PA
Registrant Phone:+507.8321488
Registrant Phone Ext.:
Registrant FAX:+507.8321488
Registrant FAX Ext.:
Registrant Email:abuse@protected-ns.info
Admin ID:917350c3ec1914e0
Admin Name:Protected-ns.info Whois Protection
Admin Organization:Dinghost Limited
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:PA
Admin Postal Code:10000
Admin Country:PA
Admin Phone:+507.8321488
Admin Phone Ext.:
Admin FAX:+507.8321488
Admin FAX Ext.:
Admin Email:abuse@protected-ns.info
Tech ID:917350c3ec1914e0
Tech Name:Protected-ns.info Whois Protection
Tech Organization:Dinghost Limited
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:PA
Tech Postal Code:10000
Tech Country:PA
Tech Phone:+507.8321488
Tech Phone Ext.:
Tech FAX:+507.8321488
Tech FAX Ext.:
Tech Email:abuse@protected-ns.info
Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM
As the registrar Enom and a host of other providers for Heihachi have already been informed many times, Calle 53, Marbella is the address of the World Trade Centre in Panama: an incomplete address that does not meet the requirements for whois registration data.

This address has been used all too many times by Heihachi. As an example, on 2010-05-17 the whois record for Heihachi.net read:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net

Domain name: heihachi.net

Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION ()

Fax:
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Administrative Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (abuse@heihachi.net)
+507.8321668
Fax: +507.8321668
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Technical Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (support@heihachi.net)
+507.8321668
Fax:
Calle 53, Marbella
Bella Vista
Panama, PANAMA 00000
PA

Status: Locked

Name Servers:
NS0.XNAME.ORG
NS1.XNAME.ORG
NS2.XNAME.ORG
Since then Heihachi have availed themselves of Whois Privacy Protection Service.

A search on the given telephone number +507.8321488 yields interesting results:
macbilliger.com with scam alerts
russiansubtitles.com where a Google search says a lot
hardcoremt2.com no explanation needed
It seems Heihachi is related to DingHost in some form of affiliation, and in turn resistancia.org used DingHost.
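The pivot performed above by hand, linking resistancia.org to Heihachi through the shared "Calle 53, Marbella" street line and then searching on the telephone numbers, is the kind of thing worth scripting once you have more than two records. The following is an added example, not code from the original post: it takes abridged copies of the two whois records quoted above as constructed inputs, normalises both the "Key:Value" and the free-form layout into comparable contact tokens, reports every token shared by two or more domains, and flags the weak registration data the post complains about (privacy-protection names, all-zero postal codes, empty contact fields, a fax number identical to the phone). The regexes, thresholds and names are my own assumptions.

```python
"""Added example, not from the original post: pivot across raw whois
records on shared contact details and flag weak registration data."""
import re
from collections import defaultdict

# Constructed inputs: abridged copies of the two records quoted in the post.
WHOIS_RECORDS = {
    "resistancia.org": """\
Registrant Name:Protected-ns.info Whois Protection
Registrant Organization:Dinghost Limited
Registrant Street1:Calle 53, Marbella
Registrant City:Panama
Registrant State/Province:PA
Registrant Postal Code:10000
Registrant Country:PA
Registrant Phone:+507.8321488
Registrant FAX:+507.8321488
Registrant Email:abuse@protected-ns.info
""",
    "heihachi.net": """\
Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION ()
Administrative Contact:
Heihachi Ltd WHOIS-PROTECTION (abuse@heihachi.net)
+507.8321668
Fax: +507.8321668
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA
""",
}

# Assumed patterns for illustration; tune them to the registrar's format.
PHONE_RE = re.compile(r"\+\d{1,3}\.\d{6,}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
ZERO_POSTAL_RE = re.compile(r"\b0{4,5}\b")
PRIVACY_RE = re.compile(r"whois[- ]?protection|privacy", re.IGNORECASE)
MIN_VALUE_LEN = 8  # drops country/state codes and blank fields from the pivot


def contact_tokens(text):
    """Normalise one raw whois record into comparable tokens: phone numbers,
    e-mail addresses and every field value. An optional 'Key:' prefix is
    stripped so 'Key:Value' and free-form records yield the same tokens."""
    tokens = set(PHONE_RE.findall(text)) | set(EMAIL_RE.findall(text))
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        val = (val if sep else line).strip()
        if len(val) >= MIN_VALUE_LEN:
            tokens.add(val)
    return tokens


def pivot(records):
    """Map each contact token to the domains carrying it, keeping only
    tokens shared by at least two domains."""
    index = defaultdict(set)
    for domain, text in records.items():
        for tok in contact_tokens(text):
            index[tok].add(domain)
    return {tok: sorted(doms) for tok, doms in index.items() if len(doms) > 1}


def data_quality_flags(text):
    """Return the signs of placeholder or proxy registration data found."""
    flags = []
    if PRIVACY_RE.search(text):
        flags.append("privacy/proxy contact")
    if ZERO_POSTAL_RE.search(text):
        flags.append("all-zero postal code")
    if "()" in text:
        flags.append("empty contact field")
    fax, voice = set(), set()
    for line in text.splitlines():
        key, sep, _ = line.partition(":")
        nums = PHONE_RE.findall(line)
        if nums:
            (fax if sep and "fax" in key.lower() else voice).update(nums)
    if fax & voice:
        flags.append("fax number identical to phone")
    return flags


if __name__ == "__main__":
    for tok, doms in pivot(WHOIS_RECORDS).items():
        print(f"shared {tok!r}: {', '.join(doms)}")
    for domain, text in WHOIS_RECORDS.items():
        print(f"{domain}: {', '.join(data_quality_flags(text)) or 'no flags'}")
```

On these two records the only shared token is the street line "Calle 53, Marbella"; the telephone numbers differ, which is why the post searches on them separately. Feed it the raw `whois` output of every domain you collect from a reverse-IP list such as the one at the top of this page and the shared tokens give you the registrant clusters directly.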

But a quick search on resistancia.org reveals malware issues for this domain; see for example http://support.clean-mx.de/ and likewise http://www.threatexpert.com

So who is behind this SpamHaus attack?

At this stage all I would risk saying is that Wikileaks is not part and parcel of the issue at hand. This does beg the question of who is, though. What is known is that a previously exploited domain, resistancia.org, shared the same IP address as AnonOps, and Wikileaks.info is sharing a very dirty IP address that does not belong on any clean IP list by any stretch of the imagination.

What is clear is that SpamHaus and WikiLeaks are both victims of something that hatched on Heihachi, and whatever it was, it was not good, showing the all too familiar pattern of DDoS'ing.

A very big question mark hangs over AnonOps. We have to consider that this is a group of loosely associated individuals. Whether the party arranging the hosting and tools of AnonOps was in the know about what was happening on Heihachi's IPs is another question. It does serve as a major red flag for those who merrily follow an unknown Pied Piper in "good causes". Make sure who you associate with.

It is also just another example of bad unaccountable things emanating from Heihachi or touching anything to do with Heihachi.

Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought.

In a separate post I will be posting the domains found on the same IP address, 92.241.190.202, which is used for Wikileaks.info.