In this blog we will be publishing some of the rather incriminating posts and happenings, also specifically related to Heihachi.net, 4x2.ru, 133t-crew, Gigalinknetwork.com, Ideal Solution Ltd and their upstream, Webalta.ru
Note that dumps of the hacked forums have been posted all over the net, so publishing or using the contents does not constitute a violation of Blogger's Terms of Service, specifically their Content Policy. This content is now in the public domain.
With that out of the way, let's move on ....
So, carders.cc was hacked, what now? Already this nest of cyber crime is getting ready to attack innocent victims again. Hosting has been unkindly provided by Heihachi.net. In fact the carders crew stated they would be using Heihachi:
Dear users,
As you have all probably noticed by now, Carders fell victim to a hacker attack. In my opinion a dark day for the scene, even if many are now gloating and laughing themselves silly in their basements. Unfortunately these people do not know, or do not understand, what consequences something like this can have.
As could already be seen from the deface text, some IPs were logged, though not intentionally but through a mistake by the (former) techmin Zagerus. At this point a big apology to the users who were affected by the IP logging. This incident should, however, remind you that you should always be on the move with a VPN / Socks5 / VicSocks, whatever. All users should of course change the passwords of their e-mails, other accounts, ICQ numbers etc.! Even if the hacked database is now used to investigate us, which is actually forbidden under German law (but the real criminals are the authorities anyway), the vast majority of users have NOTHING to fear. These investigations will mostly affect the team.
After KRON0S and I talked for a while, it became clear to us that we will not let a few pre-pubescent hacker kids spoil our mood (btw, these are the same hackers as with the 1337-crew), and that this is not the end of Carders. No! We will come back! This will, however, take a few days, since we 1. are moving to Heihachi, 2. are understandably changing the board software after the hack, and 3. will carry out a great many security tests to avoid future hacks. The Jabber server may, however, be running sooner. Furthermore, Zagerus has been suspended until further notice after the big blunder, and the technical side has been handed over to a more experienced user. See you again in a few days!
THANAT0S on behalf of the administration
Indeed THANAT0S, how can anybody do what you do, never mind the hack? Shame on you!
So, what was the reception like at Heihachi?
carders.cc [92.241.190.3]
% Information related to '92.241.190.0 - 92.241.190.255'
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
person: Andreas Mueller
address: Bella Vista, Calle 53, Marbella
address: Ciudad de Panama, Panama
remarks: Visit us under gigalinknetwork.com
remarks: ICQ 7979970
remarks: Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks: Send abuse ONLY to: abuse@gigalinknetwork.com
remarks: Technical and sales info: support@gigalinknetwork.com
phone: +5078321458
abuse-mailbox: abuse@gigalinknetwork.com
nic-hdl: hei668-RIPE
mnt-by: WEBALTA-MNT
source: RIPE # Filtered
% Information related to '92.241.160.0/19AS41947'
route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
So who is gigalinknetwork.com?
Domain name: gigalinknetwork.com
Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()
Fax:
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US
Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (jnrbhcgls@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O gigalinknetwork.com
Bellevue, WA 98007
US
Status: Active
Name Servers:
ns1.heihachi.net
ns2.heihachi.net
Creation date: 26 Feb 2010 23:04:47
Expiration date: 26 Feb 2011 23:04:00
Not much help there.... but we will get back to this later on.
Heihachi gladly accepted carders.cc and in fact even promptly gave them their own rDNS entry:
$ host 92.241.190.3
3.190.241.92.in-addr.arpa domain name pointer carders.heihachi.net.
Oh so kind of them. In fact a traceroute also clearly showed this:
7 162 162 162 194.186.158.170 cat23.moscow.gldn.net
8 319 201 204 195.239.10.202 te1-1.maxwell.msk.wahome.ru
9 164 164 162 92.241.190.3 carders.heihachi.net
At least Heihachi cannot claim to have no control over what their clients are doing this time, as they so love to do. Here they in fact actively assisted by adding carders to the reverse DNS for heihachi.net. Surely even the dumbest network admin should hear a little alarm bell at the word "carders"?
I also wonder what the reception of the Indian authorities will be upon learning that Carders have a backup domain kindly sponsored by their ccTLD, carders.in (straight from the carders.cc dumps)?
carders.in [92.241.168.154]
% Information related to '92.241.168.0 - 92.241.169.254'
inetnum: 92.241.168.0 - 92.241.169.254
netname: NET-2X4
descr: 2x4.ru network
country: RU
admin-c: UDF667-RIPE
tech-c: UDF667-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
person: Pavel Ivanov
address: Sound & Vision House, Francis Rachel Str.
address: Victoria, Mahe, Seychelles
remarks: ***************************************
remarks: Virtual and shared hosting, Windows Linux FreeBSD
remarks: Virtual private Servers (VPS/VDS), Dedicated Servers
remarks: Protected managed hosting solutions, DDOS protection systems
remarks: Sattelite CPC/VSAT telecomunications
remarks: Wireless links services.
remarks: English and Russian Sales contact: ICQ 758291
remarks: ***************************************
abuse-mailbox: abuse@2x4.ru
remarks: West Europe customers office & NOC
phone: +44 20 3286 6617
remarks: East Europe customers office & NOC
phone: +7 495 657-90-57
mnt-by: IDEAL-MNT
nic-hdl: UDF667-RIPE
source: RIPE # Filtered
% Information related to '92.241.160.0/19AS41947'
route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
My my, WebAlta is popular!
... and following the bad rabbit:
Domain ID:D3820900-AFIN
Domain Name:CARDERS.IN
Created On:07-Oct-2009 03:25:49 UTC
Last Updated On:23-Dec-2009 23:15:29 UTC
Expiration Date:07-Oct-2010 03:25:49 UTC
Sponsoring Registrar:Online Nic (R8-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:Oln53232178
Registrant Name:Juri Marshinov
Registrant Organization:Technique Ltd.
Registrant Street1:Calle 53, Marbella
Registrant Street2:
Registrant Street3:
Registrant City:Ciudad de Panamá
Registrant State/Province:Panama
Registrant Postal Code:0000
Registrant Country:PA
Registrant Phone:+7.4951476195
Registrant Phone Ext.:
Registrant FAX:+7.4951476195
Registrant FAX Ext.:
Registrant Email:abuse@carders.kz
Admin ID:Oln53232179
Admin Name:Juri Marshinov
Admin Organization:Technique Ltd.
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Ciudad de Panamá
Admin State/Province:Panama
Admin Postal Code:0000
Admin Country:PA
Admin Phone:+7.4951476195
Admin Phone Ext.:
Admin FAX:+7.4951476195
Admin FAX Ext.:
Admin Email:abuse@carders.kz
Tech ID:Oln53232180
Tech Name:Juri Marshinov
Tech Organization:Technique Ltd.
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Ciudad de Panamá
Tech State/Province:Panama
Tech Postal Code:0000
Tech Country:PA
Tech Phone:+7.4951476195
Tech Phone Ext.:
Tech FAX:+7.4951476195
Tech FAX Ext.:
Tech Email:abuse@carders.kz
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
carders.kz does not currently have a resolving A or MX record, so there is no working email or website. Why?
It seems the registrar RegTime took exception to the Carders using their services:
Domain Name............: carders.kz
Organization Using Domain Name
Name...................: Juri Marshinov
Organization Name......: Technique Ltd.
Street Address.........: Calle 53, Marbella
City...................: Ciudad de Panamá
State..................: Panama
Postal Code............: 0000
Country................: PA
Administrative Contact/Agent
NIC Handle.............: CA446803-RT
Name...................: Juri Marshinov
Phone Number...........: +7.4951476195
Fax Number.............:
Email Address..........: abuse@carders.kz
Nameserver in listed order
Primary server.........: ns1.nameself.com
Primary ip address.....: 195.161.113.218
Secondary server.......: ns2.nameself.com
Secondary ip address...: 217.16.27.43
Domain created: 2009-03-04 00:51:35.0
Last modified : 2009-10-05 18:51:22.0
Domain status : clientHold -
Registar created: REGTIME
Current Registar: WEBNAMES
In the next few posts we will be linking all these bits and pieces of information together using the information available from the carders.cc database dump.
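The linkage the post draws by eye, the same maintainer (RU-WEBALTA-MNT) and the same origin AS41947 behind carders.cc and carders.in, can be made mechanical. The following Python script is an added example, not the blog author's tooling: it parses RIPE-style whois output of the kind quoted above into objects, reports which inetnum and route objects share a maintainer, and finds the route prefix (and so the announcing AS) that covers each assigned block. The embedded sample is a constructed, abridged copy of the RIPE objects already quoted on this page; all function names are my own.

```python
"""Correlate RIPE whois objects by maintainer and covering route.

Added example, not the blog's own tooling: it parses the kind of
'whois -h whois.ripe.net' output quoted on the page and shows which
netblocks share a maintainer and which route (origin AS) covers them.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the RIPE objects quoted on the page
# for 92.241.190.3 (carders.cc) and 92.241.168.154 (carders.in).
SAMPLE_WHOIS = """\
% Information related to '92.241.190.0 - 92.241.190.255'

inetnum:        92.241.190.0 - 92.241.190.255
netname:        HEIHACHI
descr:          Heihachi Ltd
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

% Information related to '92.241.160.0/19AS41947'

route:          92.241.160.0/19
descr:          Wahome IP's =)
origin:         AS41947
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

% Information related to '92.241.168.0 - 92.241.169.254'

inetnum:        92.241.168.0 - 92.241.169.254
netname:        NET-2X4
descr:          2x4.ru network
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered
"""

# RPSL attribute line: "name:" followed by the value; "# ..." is a comment.
ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_whois(text):
    """Split RIPE-style whois text into objects (dict attr -> [values]).

    Attributes such as mnt-by may repeat, so values are kept as lists.
    A blank or '%' comment line terminates the current object.
    """
    objects, current = [], {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            if current:
                objects.append(current)
                current = {}
            continue
        key, value = m.group(1), m.group(2).split("#")[0].strip()
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def object_key(obj):
    """Primary key of an object: the inetnum range or the route prefix."""
    for primary in ("inetnum", "route"):
        if primary in obj:
            return obj[primary][0]
    return "?"


def shared_values(objects, attr):
    """Map each value of `attr` that occurs in 2+ objects to those keys."""
    groups = defaultdict(list)
    for obj in objects:
        for value in obj.get(attr, []):
            groups[value].append(object_key(obj))
    return {v: keys for v, keys in groups.items() if len(keys) > 1}


def covering_routes(objects):
    """For each inetnum, find the route prefix that contains the whole
    range and report it together with the route's origin AS."""
    routes = [(ipaddress.ip_network(o["route"][0]), o.get("origin", ["?"])[0])
              for o in objects if "route" in o]
    covered = {}
    for obj in objects:
        if "inetnum" not in obj:
            continue
        start_s, end_s = (s.strip() for s in obj["inetnum"][0].split("-"))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        for net, origin in routes:
            if start in net and end in net:
                covered[obj["inetnum"][0]] = (str(net), origin)
    return covered


if __name__ == "__main__":
    objs = parse_whois(SAMPLE_WHOIS)
    for mnt, keys in shared_values(objs, "mnt-by").items():
        print(f"mnt-by {mnt} is shared by: {', '.join(keys)}")
    for block, (prefix, asn) in covering_routes(objs).items():
        print(f"{block} is covered by {prefix} announced by {asn}")
```

Feed it the raw output of a whois query against whois.ripe.net instead of the sample and the same two functions will surface every block a given maintainer touches; a shared mnt-by is a far stronger pivot than the privacy-protected registrant data, which (as the gigalinknetwork.com and heihachi.net records show) tells you nothing.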
The last few days heihachi.net was under a DDoS attack, which made them change hosting for their domain heihachi.net to dragonara.net.
No big surprise, wahome again...
% Information related to '91.205.40.0/22AS44557'
route: 91.205.40.0/22
descr: Dragonara Alliance
origin: AS44557
mnt-by: DRAGONARA-MNT
changed: lexa@wahome.ru 20080818
source: RIPE
Domain Name: DRAGONARA.NET
Registrar: GANDI SAS
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: NS1.DRAGONARA.NET
Name Server: NS2.DRAGONARA.NET
Status: clientTransferProhibited
Updated Date: 12-nov-2009
Creation Date: 16-nov-2007
Expiration Date: 16-nov-2010
Queried whois.gandi.net with "dragonara.net"...
domain: dragonara.net
reg_created: 2007-11-16 15:14:17
expires: 2010-11-16 15:14:17
created: 2007-11-16 16:12:11
changed: 2010-04-09 11:58:31
transfer-prohibited: yes
ns0: ns1.dragonara.net 194.8.74.187
ns1: ns2.dragonara.net 194.8.75.46
owner-c:
nic-hdl: RB2615-GANDI
owner-name: DRAGONARA ALLIANCE LTD
organisation: DRAGONARA ALLIANCE LTD
person: Rea Barreau
address: 'Geneva plase, Waterfront Drive, PO Box 3469'
zipcode: 1823
city: Road Town Tortola
country: British Virgin Islands (Tortola)
phone: +41.445807414
fax: ''
email: ba077399da81c72e4c0e3433fec34b1a-858326@contact.gandi.net
lastupdated: 2009-08-31 16:17:12
admin-c:
nic-hdl: RB2615-GANDI
owner-name: DRAGONARA ALLIANCE LTD
organisation: DRAGONARA ALLIANCE LTD
person: Rea Barreau
address: 'Geneva plase, Waterfront Drive, PO Box 3469'
zipcode: 1823
city: Road Town Tortola
country: British Virgin Islands (Tortola)
phone: +41.445807414
fax: ''
email: ba077399da81c72e4c0e3433fec34b1a-858326@contact.gandi.net
lastupdated: 2009-08-31 16:17:12
tech-c:
nic-hdl: RB2615-GANDI
owner-name: DRAGONARA ALLIANCE LTD
organisation: DRAGONARA ALLIANCE LTD
person: Rea Barreau
address: 'Geneva plase, Waterfront Drive, PO Box 3469'
zipcode: 1823
city: Road Town Tortola
country: British Virgin Islands (Tortola)
phone: +41.445807414
fax: ''
email: ba077399da81c72e4c0e3433fec34b1a-858326@contact.gandi.net
lastupdated: 2009-08-31 16:17:12
bill-c:
nic-hdl: RB2615-GANDI
owner-name: DRAGONARA ALLIANCE LTD
organisation: DRAGONARA ALLIANCE LTD
person: Rea Barreau
address: 'Geneva plase, Waterfront Drive, PO Box 3469'
zipcode: 1823
city: Road Town Tortola
country: British Virgin Islands (Tortola)
phone: +41.445807414
fax: ''
email: ba077399da81c72e4c0e3433fec34b1a-858326@contact.gandi.net
lastupdated: 2009-08-31 16:17:12
AS41947 = WEBALTA-AS Wahome networks
Needs some serious attention by LEOs ....
check out these forums:
http://forum.autosec4u.info/
http://forum.aa419.org/viewforum.php?f=30
over 60 scam sites on 1 IP !
Address lookup
canonical name heihachi.net.
aliases
addresses 194.8.75.64
Domain Whois record
Queried whois.internic.net with "dom heihachi.net"...
Domain Name: HEIHACHI.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientTransferProhibited
Updated Date: 22-jul-2010
Creation Date: 04-sep-2008
Expiration Date: 04-sep-2011
Domain name: heihachi.net
Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()
Fax:
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (prjcxxfb@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US
Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (prjcxxfb@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O heihachi.net
Bellevue, WA 98007
US
Status: Locked
Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com
Creation date: 05 Sep 2008 01:23:00
Expiration date: 05 Sep 2011 01:23:00
Network Whois record
Queried whois.ripe.net with "-B 194.8.75.64"...
% Information related to '194.8.74.0 - 194.8.75.255'
inetnum: 194.8.74.0 - 194.8.75.255
netname: DRAGONARA-NET
descr: Dragonara Alliance Ltd
country: GB
org: ORG-DRAG1-RIPE
admin-c: AGAV2-RIPE
tech-c: AGAV2-RIPE
status: ASSIGNED PI
notify: noc@dragonara.net
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: DRAGONARA-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: DRAGONARA-MNT
mnt-domains: DRAGONARA-MNT
changed: hostmaster@ripe.net 20080205
changed: hostmaster@ripe.net 20080229
source: RIPE
organisation: ORG-DRAG1-RIPE
org-name: Dragonara Alliance Ltd
org-type: OTHER
address: Geneva Place, Waterfront Drive,
P. O. Box 3469, Road Town, Tortola,
British Virgin Islands
e-mail: abuse@dragonara.net
mnt-ref: DRAGONARA-MNT
mnt-by: DRAGONARA-MNT
changed: noc@dragonara.net 20080212
source: RIPE
person: Andrey Gavrilog
address: Geneva Place, Waterfront Drive,
P. O. Box 3469, Road Town, Tortola,
British Virgin Islands
mnt-by: DRAGONARA-MNT
abuse-mailbox: abuse@dragonara.net
phone: +41 435.001.009
nic-hdl: AGAV2-RIPE
changed: noc@dragonara.net 20080212
source: RIPE
% Information related to '194.8.74.0/23AS44557'
route: 194.8.74.0/23
descr: Dragonara Alliance
origin: AS44557
mnt-by: DRAGONARA-MNT
changed: tech@dragonara.net 20080206
source: RIPE