2010/12/19
Domains found on Wikileaks.info IP address 92.241.190.202
Hehachi, AnonOps, WikiLeaks and SpamHaus
Obviously this may or may not be an attempt evade website take downs of the information they Wikileaks is publishing. However, this author was horrified the choice of hosting provider. Heihachi is all to well known as a resource for scammers and other internet miscreants that uses the anonymity of the net to victimize innocent internet users. In my observations I have found a constant flow of:
- Phishing kits
- Infected music downloads
- Carding forums (Carders.cc also ran to Heihachi after being hacked, though by no means unique)
- Hacking tools
- DDoS Tools
- DDos Command and Control's
- Hate websites (including one publishing a list of home addresses of police in Germany for victimization)
Of concern is the responses of Heihachi to abuse reports and communications, they condone abuse. Only one example response is "we allow botnets.","Yes, sure, we allow. Give us money and we host you and we will **** the german police".
In the light of the recent Wikileaks debacle, when hosting was taken up for a mirror Wikileaks, it directly flew in the face of what Wikileaks is supposed to stand for. Here we have Wikileaks, that defends the rights to know of normal people, being mirrored at a party that specializes in victimizing ordinary people and in effect assists in depriving law enforcement of methods to protecting ordinary citizens. Now matter your view on this Wikileaks issue, any party supporting cyber crime should not be a business partner.
As such I could only nod in silent appreciation of SpamHaus'es warning to Wikileaks. A similar warning was issued by Trend Micro.
However what followed was a bizzare and all to well know pattern of DDoS against anybody that dare mention about anything negative Hehachi related. At the same time at this refute appeared on wikileaks.info:
Spamhaus' False Allegations Against wikileaks.info
Published 15-Dec-2010, 8:00 AM GMT
On Tuesday, 14-Dec-2010 Spamhaus has issued a statement wherein it labels wikileaks.info as "unsafe", as they consider our hosting company as a malware facilitator:
http://www.spamhaus.org/news.lasso?article=665
We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.
While we are in favour of "Blacklists", be it for mail servers or web sites, they have to be compiled with care. Just listing whole IP blocks as "bad" may be quick and easy for the blacklist editors, but will harm hosters and web site users.
Wikileaks has been pulled from big hosters like Amazon. That's why we are using a "bulletproof" hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.
Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.
Wikileaks.info will always be safe and clean. Promised:
Google Safe Browsing Check for wikileaks.info
Update (15-Dec-2010 17:00 PM GMT): Spamhaus has updated their statement to say that they don't blacklist us.
The wikileaks.info Team
Nothing of this debacle was mentioned on the officially verified Wikileaks mirrors.
Also of note, the same Google safe browsing link used in retort by wikileaks.info, just serves to confirm what Spamhaus, Trend Micro and a host of other parties know and are saying. From http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info
What happened when Google visited this site?
Of the 13 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-19, and suspicious content was never found on this site within the past 90 days.
This site was hosted on 3 network(s) including AS6772 (IMPNET), AS41947 (WEBALTA), AS8473 (BAHNHOF).
Very interesting, but however no guarantee for the future. But let us take a closer look at what Google is telling us:
AS6772 (IMPNET): Hosted 1.82% dangerous sites.
Of the 165 site(s) we tested on this network over the past 90 days, 3 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.AS41947 (WEBALTA): Hosted 7.63% dangerous sites.
Of the 37087 site(s) we tested on this network over the past 90 days, 2829 site(s), .... served content that resulted in malicious software being downloaded and installed without user consent.AS8473 (BAHNHOF): Hosted 1.10% dangerous sites.
Of the 1900 site(s) we tested on this network over the past 90 days, 21 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.While it is difficult quantifying those numbers, what is clear is that Webalta, the upstream provider for Heihaci, has a five times more likelihood of infecting your PC or stealing your information than other providers for wikileaks.info. In the global scheme of badness, Webalta ranked 4th worst in the HostExploit reports. While it needs to be noted that Heihachi is one hosting providers on the Webalta network, they have been linked to various groups, I refrain from saying business since we do not know if they really are, on Webalta.
In a separate post I will list on the domains hosted on the same address as Wikileaks.info. Reading through these domain names belies the Wikileaks.info statement.
Now, apparently AnonOps is responsible for the ongoing DDoS. Or is this just what some nefarious party would like you to believe? SpamHaus has done some digging and currently have published piece of information about the ongoing DDoS:
This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.An IP address lookup done on the 9th of Dec 2010 on irc.anonops.net, also causes more reason for concern:
Non-authoritative answer:Of note is IP address 92.241.190.94
Name: irc.anonops.net
Addresses: 69.60.115.75, 83.169.21.109, 88.198.224.117, 91.121.72.103, 92.241.190.94, 199.19.226.231, 67.23.234.51, 67.220.74.147
inetnum: 92.241.190.0 - 92.241.190.255Did somebody give AnonOps some bad advice? On this IP address we find the following website: RESISTANCIA.ORG
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
It was also the IP address for the domains anonops.net. anonops.org and anonops.com, although the DNS has been disabled.
However the Heihachi worm gives another twist upon doing a whois lookup on RESISTANCIA.ORG:
Domain ID:D159346719-LRORAs the registrar Enom and a host of other providers for Heihachi have already been informed so many times, Calle 53, Marbella is the address of the World Trade Centre in Panama, an incomplete address not meeting the requirements of whois registration data.
Domain Name:RESISTANCIA.ORG
Created On:04-Jun-2010 20:34:17 UTC
Last Updated On:19-Dec-2010 10:00:05 UTC
Expiration Date:04-Jun-2011 20:34:17 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:917350c3ec1914e0
Registrant Name:Protected-ns.info Whois Protection Registrant Organization:Dinghost Limited Registrant Street1:Calle 53, Marbella Registrant Street2: Registrant Street3: Registrant City:Panama Registrant State/Province:PA Registrant Postal Code:10000 Registrant Country:PA Registrant Phone:+507.8321488 Registrant Phone Ext.: Registrant FAX:+507.8321488
Registrant FAX Ext.:
Registrant Email:abuse@protected-ns.info
Admin ID:917350c3ec1914e0
Admin Name:Protected-ns.info Whois Protection
Admin Organization:Dinghost Limited
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:PA
Admin Postal Code:10000
Admin Country:PA
Admin Phone:+507.8321488
Admin Phone Ext.:
Admin FAX:+507.8321488
Admin FAX Ext.:
Admin Email:abuse@protected-ns.info
Tech ID:917350c3ec1914e0
Tech Name:Protected-ns.info Whois Protection
Tech Organization:Dinghost Limited
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:PA
Tech Postal Code:10000
Tech Country:PA
Tech Phone:+507.8321488
Tech Phone Ext.:
Tech FAX:+507.8321488
Tech FAX Ext.:
Tech Email:abuse@protected-ns.info
Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM
This address has been used all to many times by Heihachi. As an example, on 2010-05-17 the whois record for Heihachi.net reflected:
Registration Service Provided By: Heihachi LTD.Since then Heihachi have availed themselves of Whois Privacy Protection Service.
Contact: support@heihachi.net
Visit: www.heihachi.net
Domain name: heihachi.net
Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION ()
Fax:
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA
Administrative Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (abuse@heihachi.net)
+507.8321668
Fax: +507.8321668
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA
Technical Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (support@heihachi.net)
+507.8321668
Fax:
Calle 53, Marbella
Bella Vista
Panama, PANAMA 00000
PA
Status: Locked
Name Servers:
NS0.XNAME.ORG
NS1.XNAME.ORG
NS2.XNAME.ORG
A search on the given telephone number +507.8321488 yields interesting results:
macbilliger.com with scam alertsIt seems Heihachi is related to DingHost in whatever affiliation and in turn resistancia.org used DingHost.
russiansubtitles.com where a Google search says a lot
hardcoremt2.com no explanation needed
But a quick search on resistancia.org reveals malware issues for this domain. As an example http://support.clean-mx.de/
Likewise http://www.threatexpert.com
So who is behind this SpamHaus attack?
At this stage all I would risk saying is Wikileaks are not part and parcel of the issue at hand. This does beg the question who is though. What is known is that a previously exploit domain resistancia.org shared the same IP address as AnonOps, Wikileaks.info is sharing a very direty IP address that does not belong on any clean IP list by any stretch of imagination.
What is clear is that SpamHaus and WikiLeaks are both victims to something that hatched on Heihachi and whatever it was, it was not good, showing the all to familiar pattern DDoS'ing.
A very big question mark hangs over AnonOps. We have to consider this is a group of loosely associated individuals. If the party arranging the hosting and tools of AnonOps was in the know of what was happening or not on Heihachi's IP's is another question. It does serve as a major red flag for those who merrily follow an unknown Pied Piper in "good causes". Make sure who you associate with.
It is also just another example of bad unaccountable things emanating from Heihachi or touching anything to do with Heihachi.
Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought.
In a separate post I will be posting domains found on the same IP address, 92.241.190.202, as which is used for Wikileaks.info.
2010/05/23
Cans of worms
In this blog we will be publishing some of the rather incriminating posts and happenings, also specifically related to Heihachi.net, 4x2.ru, 133t-crew, Gigalinknetwork.com, Ideal Solution Ltd and their upstream, Webalta.ru
Note that dumps of the hacked forums have been posted all over the net, as such publsihing or using the contents does not constitute a violation of Blogger's Terms of Service, specifically their Content Policy. This content is now in the public domain.
With that out of the way, let's move on ....
So, carders.cc was hacked, what now? Already this nest of cyber crime is getting ready to attack innocent victims again. Hosting has been unkindly provided by Heihachi.net. In fact the carders crew stated they would be using Heihachi:
Liebe User,
Wie ihr wohl schon alle mitbekommen habt, wurde Carders Opfer einer Hackerattacke. Meiner Meinung nach ein dunkler Tag für die Szene, auch wenn sich jetzt viele schadensfroh im Keller einen ablachen. Leider wissen, oder verstehen diese Menschen nicht was für Konsequenzen so etwas haben kann.
Wie dem Deface-Text bereits zu entnehmen war, wurden einige IPs geloggt, dies jedoch nicht absichtlich sondern durch einen Fehler des (ehemaligen) Techmins Zagerus. An dieser Stelle ein großes Entschuldigung an die User, die vom IP Logging betroffen waren. Dieser Vorfall sollte euch jedoch daran erinnern, dass ihr immer mit einem VPN / Socks5 / VicSocks, wie auch immer, unterwegs sein solltet. Alle User sollten natürlich ihre Passwörter ihrer E-Mails, anderen Accounts, ICQ Nummern etc. ändern! Selbst wenn nun mit der gehackten Datenbank gegen uns ermittelt wird, was nach dem deutschen Gesetz eigentlich verboten sind, (aber die wahren Kriminellen sind ja ohnehin die Behörden) haben die größten Teil der User NICHTS zu befürchten. Von diesen Ermittlungen wird größtenteils das Team betroffen sein.
Nachdem KRON0S und ich uns einige Zeit unterhalten haben, ist uns klar geworden, dass wir uns die Tour von ein paar vorpubertären Hackerkindern die Stimmung nicht nehmen lassen (Es handlet sich hierbei btw. um die gleichen Hacker wie bei 1337-crew), und dass das nicht das Ende von Carders ist. Nein! Wir werden zurück kommen! Dies wird jedoch einige Tage in Anspruch nehmen, da wir 1. auf Heihachi umziehen 2. nach dem Hack verständlicherweise die Boardsoftware wechseln und 3. um zukünfige Hacks zu vermeiden, sehr viele Sicherheitstests durchführen werden. GGF. wird jedoch der Jabberserver schon früher laufen. Desweiteren wurde Zagerus nach der großen Panne bis auf weiteres suspendiert, und die Technik wurde einem erfahrenereren User übergeben. Wir sehen uns in einigen Tagen wieder!
THANAT0S im Namen der Administration
Indeed THANAT0S, how can anybody do what you do, never mind the hack? Shame on you!
So, what was the reception like at Heihachi?
carders.cc [92.241.190.3]
% Information related to '92.241.190.0 - 92.241.190.255'So who is gigalinknetwork.com?
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
person: Andreas Mueller
address: Bella Vista, Calle 53, Marbella
address: Ciudad de Panama, Panama
remarks: Visit us under gigalinknetwork.com
remarks: ICQ 7979970
remarks: Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks: Send abuse ONLY to: abuse@gigalinknetwork.com
remarks: Technical and sales info: support@gigalinknetwork.com
phone: +5078321458
abuse-mailbox: abuse@gigalinknetwork.com
nic-hdl: hei668-RIPE
mnt-by: WEBALTA-MNT
source: RIPE # Filtered
% Information related to '92.241.160.0/19AS41947'
route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
Domain name: gigalinknetwork.comNot much help there.... but we will get back to this later on.
Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()
Fax:
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US
Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US
Status: Active
Name Servers:
ns1.heihachi.net
ns2.heihachi.net
Creation date: 26 Feb 2010 23:04:47
Expiration date: 26 Feb 2011 23:04:00
Heihachi gladly accepted carders.cc and in fact even promptly gave them their own rDNS entry:
$ host 92.241.190.3Oh so kind of them. In fact a traceroute also clearly showed this:
3.190.241.92.in-addr.arpa domain name pointer carders.heihachi.net.
7 162 162 162 194.186.158.170 cat23.moscow.gldn.netAt least Heihachi cannot claim to have no control over what their clients are doing this time, as they so love doing. Here they in fact actively assisted by adding carders to the reverse DNS for heihachi.net. Surely even the dumbest network admin should hear a little alarm bell at the word "carders"?
8 319 201 204 195.239.10.202 te1-1.maxwell.msk.wahome.ru
9 164 164 162 92.241.190.3 carders.heihachi.net
I also wonder what the reception of the Indian authorities will be upon learning that Carders have a backup domain kindly sponsored by their ccTLD, carders.in (straight from the carders.cc dumps)?
carders.in [92.241.168.154]
% Information related to '92.241.168.0 - 92.241.169.254'My my, WebAlta is popular!
inetnum: 92.241.168.0 - 92.241.169.254
netname: NET-2X4
descr: 2x4.ru network
country: RU
admin-c: UDF667-RIPE
tech-c: UDF667-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
person: Pavel Ivanov
address: Sound & Vision House, Francis Rachel Str.
address: Victoria, Mahe, Seychelles
remarks: ***************************************
remarks: Virtual and shared hosting, Windows Linux FreeBSD
remarks: Virtual private Servers (VPS/VDS), Dedicated Servers
remarks: Protected managed hosting solutions, DDOS protection systems
remarks: Sattelite CPC/VSAT telecomunications
remarks: Wireless links services.
remarks: English and Russian Sales contact: ICQ 758291
remarks: ***************************************
abuse-mailbox: abuse@2x4.ru
remarks: West Europe customers office & NOC
phone: +44 20 3286 6617
remarks: East Europe customers office & NOC
phone: +7 495 657-90-57
mnt-by: IDEAL-MNT
nic-hdl: UDF667-RIPE
source: RIPE # Filtered
% Information related to '92.241.160.0/19AS41947'
route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
... and following the bad rabbit:Domain ID:D3820900-AFIN
Domain Name:CARDERS.IN
Created On:07-Oct-2009 03:25:49 UTC
Last Updated On:23-Dec-2009 23:15:29 UTC
Expiration Date:07-Oct-2010 03:25:49 UTC
Sponsoring Registrar:Online Nic (R8-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:Oln53232178
Registrant Name:Juri Marshinov
Registrant Organization:Technique Ltd.
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Ciudad de Panamá
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+7.4951476195
Registrant Phone Ext.:
Registrant FAX:+7.4951476195
Registrant FAX Ext.:
Registrant Email:abuse@carders.kz
Admin ID:Oln53232179
Admin Name:Juri Marshinov
Admin Organization:Technique Ltd.
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Ciudad de Panamá
Admin State/Province:Panama
Admin Postal Code:0000
Admin Country:PA
Admin Phone:+7.4951476195
Admin Phone Ext.:
Admin FAX:+7.4951476195
Admin FAX Ext.:
Admin Email:abuse@carders.kz
Tech ID:Oln53232180
Tech Name:Juri Marshinov
Tech Organization:Technique Ltd.
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Ciudad de Panamá
Tech State/Province:Panama
Tech Postal Code:0000
Tech Country:PA
Tech Phone:+7.4951476195
Tech Phone Ext.:
Tech FAX:+7.4951476195
Tech FAX Ext.:
Tech Email:abuse@carders.kz
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
carders.kz does not currently have an resolving A or MX record, as such no working email or website. Why?
I seems the registar RegTime took an exception to the Carders using their services:
In the next few posts we will be linking all these bits and pieces of information together using the information available from the carders.cc database dump.Domain Name............: carders.kz
Organization Using Domain Name
Name...................: Juri Marshinov
Organization Name......: Technique Ltd.
Street Address.........: Calle 53, Marbella
City...................: Ciudad de Panamá
State..................: Panama
Postal Code............: 0000
Country................: PA
Administrative Contact/Agent
NIC Handle.............: CA446803-RT
Name...................: Juri Marshinov
Phone Number...........: +7.4951476195
Fax Number.............:
Email Address..........: abuse@carders.kz
Nameserver in listed order
Primary server.........: ns1.nameself.com
Primary ip address.....: 195.161.113.218
Secondary server.......: ns2.nameself.com
Secondary ip address...: 217.16.27.43
Domain created: 2009-03-04 00:51:35.0
Last modified : 2009-10-05 18:51:22.0
Domain status : clientHold -
Registar created: REGTIME
Current Registar: WEBNAMES