Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
> I get nothing from wikileaks.org, although the DNS is active :

$ host wikileaks.org
wikileaks.org has address 64.64.12.170

Doesn't it seem vaguely suspicious that whois was just updated?

Domain ID:D130035267-LROR
Domain Name:WIKILEAKS.ORG
Created On:04-Oct-2006 05:54:19 UTC
Last Updated On:17-Dec-2010 01:57:59 UTC
Expiration Date:04-Oct-2018 05:54:19 UTC

It seems like it'd be reasonable to be cautious.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
RE: Spamhaus under DDOS from AnonOps (Wikileaks.info)
The wikileaks.info press release points to Google's Safe Browsing page for wikileaks.info (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), which comes up clean.

While I tend to trust Steve and Spamhaus because of their built-up reputation, it would be helpful if some concrete facts were published about the "more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any chance that will be done, so wikileaks.info's claims can be publicly refuted?

Kind regards,

Frank

-----Original Message-----
From: Jack Bates [mailto:jba...@brightok.net]
Sent: Saturday, December 18, 2010 3:00 PM
To: nanog@nanog.org
Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

On 12/18/2010 6:58 AM, Steve Linford wrote:
> For trying to warn about the crime gangs located at the wikileaks.info
> mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
> not like our free speech at all.

It appears that wikileaks.org is operational again and redirecting to
mirror.wikileaks.info, which draws concern of who now controls
wikileaks.org. .info definitely isn't the same layout as all the mirrors.

Jack
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi:

http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

FYI,

- ferg

On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com <frnk...@iname.com> wrote:
> The wikileaks.info press release points to Google's Safe Browsing page for
> wikileaks.info (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info),
> which comes up clean.
>
> While I tend to trust Steve and Spamhaus because of their built-up
> reputation, it would be helpful if some concrete facts were published about
> the "more than 40 criminal-run sites operating on the same IP address as
> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any
> chance that will be done, so wikileaks.info's claims can be publicly refuted?
>
> Kind regards,
>
> Frank
>
> -----Original Message-----
> From: Jack Bates [mailto:jba...@brightok.net]
> Sent: Saturday, December 18, 2010 3:00 PM
> To: nanog@nanog.org
> Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
>
> On 12/18/2010 6:58 AM, Steve Linford wrote:
>> For trying to warn about the crime gangs located at the wikileaks.info
>> mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
>> not like our free speech at all.
>
> It appears that wikileaks.org is operational again and redirecting to
> mirror.wikileaks.info, which draws concern of who now controls
> wikileaks.org. .info definitely isn't the same layout as all the mirrors.
>
> Jack

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On Dec 19, 2010, at 8:06 AM, Joe Greco wrote:
>> On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
>> I get nothing from wikileaks.org, although the DNS is active :
>
> $ host wikileaks.org
> wikileaks.org has address 64.64.12.170
>
> Doesn't it seem vaguely suspicious that whois was just updated?
>
> Domain ID:D130035267-LROR
> Domain Name:WIKILEAKS.ORG
> Created On:04-Oct-2006 05:54:19 UTC
> Last Updated On:17-Dec-2010 01:57:59 UTC
> Expiration Date:04-Oct-2018 05:54:19 UTC
>
> It seems like it'd be reasonable to be cautious.

Yes. Now, for me, wikileaks.org does alias to wikileaks.info

wget -r wikileaks.org
--13:49:00--  http://wikileaks.org/
           => `wikileaks.org/index.html'
Resolving wikileaks.org... done.
Connecting to wikileaks.org[64.64.12.170]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://mirror.wikileaks.info/ [following]
--13:49:00--  http://mirror.wikileaks.info/
           => `mirror.wikileaks.info/index.html'
Resolving mirror.wikileaks.info... done.
Connecting to mirror.wikileaks.info[92.241.190.202]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90,059 [text/html]

Which, according to RIPE, is assigned to Russia, but with a contact in Panama

% Information related to '92.241.190.0 - 92.241.190.255'

inetnum:        92.241.190.0 - 92.241.190.255
netname:        HEIHACHI
descr:          Heihachi Ltd
country:        RU
admin-c:        HEI668-RIPE
tech-c:         HEI668-RIPE
status:         ASSIGNED PA
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

person:         Andreas Mueller
address:        Bella Vista, Calle 53, Marbella
address:        Ciudad de Panama, Panama
remarks:        Visit us under gigalinknetwork.com
remarks:        ICQ 7979970
remarks:        Dedicated Servers, Webspace, VPS, DDOS protected Webspace
remarks:        Send abuse ONLY to: ab...@gigalinknetwork.com
remarks:        Technical and sales info: supp...@gigalinknetwork.com
phone:          +5078321458
abuse-mailbox:  ab...@gigalinknetwork.com
nic-hdl:        hei668-RIPE
mnt-by:         WEBALTA-MNT
source:         RIPE # Filtered

neither of which would give me confidence.

Regards
Marshall
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
> While I tend to trust Steve and Spamhaus because of their built-up
> reputation, it would be helpful if some concrete facts were published about
> the "more than 40 criminal-run sites operating on the same IP address as
> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."

I found this:

	http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru

(as well as the SBL records those reference) quite interesting.

---rsk
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
additional evidence

http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on

On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec <r...@gsp.org> wrote:
> On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
>> While I tend to trust Steve and Spamhaus because of their built-up
>> reputation, it would be helpful if some concrete facts were published about
>> the "more than 40 criminal-run sites operating on the same IP address as
>> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
>> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."
>
> I found this:
>
>	http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru
>
> (as well as the SBL records those reference) quite interesting.
>
> ---rsk
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On 19/12/10 18:51, Paul Ferguson wrote:
> Not for nothing, but Spamhaus wasn't the only organization to warn about
> Heihachi:
>
> http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

All the domains listed by Trend Micro as neighbours appear to be down.

Have to say, as someone whose employer will buy and host a domain name if you fill in the credit card details and the credit card company accepts them, if you listed only the sites we've cancelled first thing on a Monday morning (or as soon as we are notified) we'd look pretty poor.

From the many adverse comments about the hosting services in use they look as bad as they come, but on the other hand this weakens the usefulness of the Trend statement (well, to people who check what they are told).

Were the sites up when the announcement was made?
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On Sun, Dec 19, 2010 at 12:29 PM, Simon Waters <sim...@zynet.net> wrote:
> On 19/12/10 18:51, Paul Ferguson wrote:
>> Not for nothing, but Spamhaus wasn't the only organization to warn about
>> Heihachi:
>>
>> http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/
>
> All the domains listed by Trend Micro as neighbours appear to be down.
>
> Have to say, as someone whose employer will buy and host a domain name if
> you fill in the credit card details and the credit card company accepts
> them, if you listed only the sites we've cancelled first thing on a Monday
> morning (or as soon as we are notified) we'd look pretty poor.
>
> From the many adverse comments about the hosting services in use they look
> as bad as they come, but on the other hand this weakens the usefulness of
> the Trend statement (well, to people who check what they are told).
>
> Were the sites up when the announcement was made?

The sites that were listed are just a few examples of the hundreds of domains located there that are engaged in criminal activity. The fact that they are down now really doesn't factor into the equation -- the history of criminal activity within that prefix speaks for itself.

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On 12/19/2010 08:33 PM, Ned Moran wrote:
> additional evidence
>
> http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on
>
> On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec <r...@gsp.org> wrote:
>> On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
>>> While I tend to trust Steve and Spamhaus because of their built-up
>>> reputation, it would be helpful if some concrete facts were published about
>>> the "more than 40 criminal-run sites operating on the same IP address as
>>> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
>>> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."
>>
>> I found this:
>>
>>	http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru
>>
>> (as well as the SBL records those reference) quite interesting.
>>
>> ---rsk

The evidence is for Webalta, which hosts Heihachi (which hosts wikileaks.info).

I spent some minutes checking Heihachi's IP block 92.241.190.0 - 92.241.190.255. I found 255 .com/.net domains which use this IP block and Heihachi's DNS servers. Google reports that none of them is used to serve malware. Two of them, dhl24-servicecenter.com and pixel-banner.com, are reported as phishing sites. Both are down at the moment.

http://support.clean-mx.de/clean-mx/rss?scope=viruses&as=AS41947 reports 4 addresses on this IP block; all seem to be up.

http://www.malwaredomainlist.com/mdl.php?search=92.241.190&colsearch=All&quantity=50 reports 3 addresses on underground-infosource.info. This site is not online at the moment.

If Heihachi hasn't cleaned up very thoroughly in the last few days, I would say that they behave much better than Webalta's customers in general.
RE: Spamhaus under DDOS from AnonOps (Wikileaks.info)
Thanks for your note and the many others.

I think it could have been stated more clearly that wikileaks.info, while in a bad neighborhood, and set up to suggest it is Wikileaks or part of the Wikileaks organization, does not (at this time) host or facilitate distribution of malware. The Spamhaus announcement was not so clear.

Frank

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgs...@gmail.com]
Sent: Sunday, December 19, 2010 12:52 PM
To: frnk...@iname.com
Cc: Jack Bates; nanog@nanog.org
Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi:

http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

FYI,

- ferg

On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com <frnk...@iname.com> wrote:
> The wikileaks.info press release points to Google's Safe Browsing page for
> wikileaks.info (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info),
> which comes up clean.
>
> While I tend to trust Steve and Spamhaus because of their built-up
> reputation, it would be helpful if some concrete facts were published about
> the "more than 40 criminal-run sites operating on the same IP address as
> wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
> bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any
> chance that will be done, so wikileaks.info's claims can be publicly refuted?
>
> Kind regards,
>
> Frank
>
> -----Original Message-----
> From: Jack Bates [mailto:jba...@brightok.net]
> Sent: Saturday, December 18, 2010 3:00 PM
> To: nanog@nanog.org
> Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
>
> On 12/18/2010 6:58 AM, Steve Linford wrote:
>> For trying to warn about the crime gangs located at the wikileaks.info
>> mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
>> not like our free speech at all.
>
> It appears that wikileaks.org is operational again and redirecting to
> mirror.wikileaks.info, which draws concern of who now controls
> wikileaks.org. .info definitely isn't the same layout as all the mirrors.
>
> Jack
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On 12/18/2010 6:58 AM, Steve Linford wrote:
> For trying to warn about the crime gangs located at the wikileaks.info
> mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
> not like our free speech at all.

It appears that wikileaks.org is operational again and redirecting to mirror.wikileaks.info, which draws concern of who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors.

Jack
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On Dec 18, 2010, at 4:00 PM, Jack Bates wrote:
> On 12/18/2010 6:58 AM, Steve Linford wrote:
>> For trying to warn about the crime gangs located at the wikileaks.info
>> mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do
>> not like our free speech at all.
>
> It appears that wikileaks.org is operational again and redirecting to
> mirror.wikileaks.info, which draws concern of who now controls
> wikileaks.org. .info definitely isn't the same layout as all the mirrors.

I get nothing from wikileaks.org, although the DNS is active :

dig wikileaks.org

;; ANSWER SECTION:
wikileaks.org.          4774    IN      A       64.64.12.170

;; AUTHORITY SECTION:
wikileaks.org.          61470   IN      NS      ns100.dynadot.com.
wikileaks.org.          61470   IN      NS      ns101.dynadot.com.

64.64.12.170 is

NetRange:       64.64.0.0 - 64.64.31.255
CIDR:           64.64.0.0/19
OriginAS:       AS25847
NetName:        SERVINT

and, at least here, a traceroute disappears into servint

<snip>
 8  64.125.195.222.t00883-02.above.net (64.125.195.222)  15.905 ms  12.172 ms  12.072 ms
 9  sc-smv1766.servint.net (216.22.61.86)  15.879 ms  11.974 ms  13.761 ms
10  * * *

According to this

http://nanozen.info/2010/12/spamhaus-under-ddos-from-anonops-wikileaks-info/

wikileaks.info is being hosted by bad guys :

> The site data, disks, connections and visitor traffic, are all under the
> control of the Heihachi cybercrime gang. There are more than 40 criminal-run
> sites operating on the same IP address as wikileaks.info, including
> carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes
> paypal-securitycenter.com and postbank-kontodirekt.com.

However, at least for me here in Virginia, wikileaks.org is not aliasing to anywhere, but instead simply times out.

Regards
Marshall
Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)
On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
> I get nothing from wikileaks.org, although the DNS is active :

$ host wikileaks.org
wikileaks.org has address 64.64.12.170

$ telnet 64.64.12.170 80
Trying 64.64.12.170...
Connected to 64.64.12.170.
Escape character is '^]'.
GET / HTTP/1.1
Host: wikileaks.org

HTTP/1.1 302 Found
Date: Sun, 19 Dec 2010 04:56:23 GMT
Server: Apache
Location: http://mirror.wikileaks.info/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mirror.wikileaks.info/">here</a>.</p>
</body></html>
Connection to 64.64.12.170 closed by foreign host.

> and, at least here, a traceroute disappears into servint
>
> <snip>
>  8  64.125.195.222.t00883-02.above.net (64.125.195.222)  15.905 ms  12.172 ms  12.072 ms
>  9  sc-smv1766.servint.net (216.22.61.86)  15.879 ms  11.974 ms  13.761 ms
> 10  * * *

I see the same timeouts, but tcp/80 is going through. Filtering, I suspect.

Jack
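The two checks Marshall and Jack ran by hand in this thread (a raw HTTP 302 whose Location points off-domain, then the RIPE inetnum that holds the redirect target's address), as an added Python example that is not code from the thread; its inputs are transcribed from the pastes above, and base_domain is a deliberately simple two-label heuristic rather than a Public Suffix List lookup.

```python
import re
import ipaddress

# Constructed inputs transcribed from the pastes in this thread.
HTTP_302 = ("HTTP/1.1 302 Found\r\n"
            "Server: Apache\r\n"
            "Location: http://mirror.wikileaks.info/\r\n\r\n")
RIPE_TEXT = """\
inetnum:        92.241.190.0 - 92.241.190.255
netname:        HEIHACHI
country:        RU

person:         Andreas Mueller
address:        Ciudad de Panama, Panama
"""

def base_domain(host):
    """Last two labels; adequate for .org/.info here, not a Public Suffix List lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def redirect_hop(raw, requested_host):
    """Parse a raw HTTP response head; return (status, target_host, off_domain)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in head[1:])}
    if not (300 <= status < 400 and "location" in hdrs):
        return status, None, False
    m = re.match(r"https?://([^/:?#]+)", hdrs["location"])
    host = m.group(1) if m else requested_host   # relative Location stays on host
    return status, host, base_domain(host) != base_domain(requested_host)

def parse_rpsl(text):
    """Split RIPE RPSL output into objects: a list of {attr: [values]} dicts."""
    objs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            k, _, v = line.partition(":")
            obj.setdefault(k.strip(), []).append(v.strip())
        objs.append(obj)
    return objs

def inetnum_for(ip, objs):
    """Return (netname, country) of the inetnum whose range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for o in objs:
        if "inetnum" in o:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in o["inetnum"][0].split("-"))
            if lo <= addr <= hi:
                return o["netname"][0], o["country"][0]
    return None
```

Chaining the two (redirect_hop on the captured response, then inetnum_for on the address the target resolved to, 92.241.190.202 in the thread) reproduces the wget-plus-whois walk from Marshall's message without touching the network.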