Spamhaus under DDOS from AnonOps (Wikileaks.info)
As many of you know, both Trend Micro and Spamhaus have published warnings about a Wikileaks mirror site 'wikileaks.info' which is run by the person or persons behind 'AnonOps' from an IP address of a Russian dedicated cybercrime host (Heihachi) on which there is nothing but malware and other cybercrime. Innocent people seeking to read or download Wikileaks documents are being directed to the rogue wikileaks.info server and into the hands of the crime gangs located there.

For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under DDoS by AnonOps. The criminals there do not like our free speech at all. As our site can't be reached now, you cannot read our article on this, and we cannot continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out to Wikileaks users, please forward this message (entire) to them.

The anonymous folks at AnonOps did not like our article update; here's what we said and what brought the DDoS on us:

----

In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of our business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails, some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies". None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks, but by the person running the wikileaks.info site only, the very site we are warning about.

The site data, disks, connections and visitor traffic are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com. Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks, and none of the official Wikileaks mirror sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch (http://wikileaks.ch/mirrors.html). Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it. Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks"; we're saying "Use the wikileaks.ch server instead".

----

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
On 12/18/2010 6:58 AM, Steve Linford wrote:
For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all.
It appears that wikileaks.org is operational again and redirecting to mirror.wikileaks.info, which raises concern about who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors.

Jack
On Dec 18, 2010, at 4:00 PM, Jack Bates wrote:
On 12/18/2010 6:58 AM, Steve Linford wrote:
For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all.
It appears that wikileaks.org is operational again and redirecting to mirror.wikileaks.info, which raises concern about who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors.
I get nothing from wikileaks.org, although the DNS is active:

    dig wikileaks.org
    ;; ANSWER SECTION:
    wikileaks.org.          4774    IN      A       64.64.12.170
    ;; AUTHORITY SECTION:
    wikileaks.org.          61470   IN      NS      ns100.dynadot.com.
    wikileaks.org.          61470   IN      NS      ns101.dynadot.com.

64.64.12.170 is

    NetRange:   64.64.0.0 - 64.64.31.255
    CIDR:       64.64.0.0/19
    OriginAS:   AS25847
    NetName:    SERVINT

and, at least here, a traceroute disappears into servint

    <snip>
     8  64.125.195.222.t00883-02.above.net (64.125.195.222)  15.905 ms  12.172 ms  12.072 ms
     9  sc-smv1766.servint.net (216.22.61.86)  15.879 ms  11.974 ms  13.761 ms
    10  * * *

According to this
http://nanozen.info/2010/12/spamhaus-under-ddos-from-anonops-wikileaks-info/
wikileaks.info is being hosted by bad guys:

"The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."

However, at least for me here in Virginia, wikileaks.org is not aliasing to anywhere, but instead simply times out.

Regards
Marshall
On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
I get nothing from wikileaks.org, although the DNS is active :
    $ host wikileaks.org
    wikileaks.org has address 64.64.12.170
    $ telnet 64.64.12.170 80
    Trying 64.64.12.170...
    Connected to 64.64.12.170.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: wikileaks.org

    HTTP/1.1 302 Found
    Date: Sun, 19 Dec 2010 04:56:23 GMT
    Server: Apache
    Location: http://mirror.wikileaks.info/
    Content-Length: 213
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="http://mirror.wikileaks.info/">here</a>.</p>
    </body></html>
    Connection to 64.64.12.170 closed by foreign host.

and, at least here, a traceroute disappears into servint

    <snip>
     8  64.125.195.222.t00883-02.above.net (64.125.195.222)  15.905 ms  12.172 ms  12.072 ms
     9  sc-smv1766.servint.net (216.22.61.86)  15.879 ms  11.974 ms  13.761 ms
    10  * * *
I see the same timeouts, but tcp/80 is going through. Filtering, I suspect.

Jack
On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
I get nothing from wikileaks.org, although the DNS is active :
$ host wikileaks.org wikileaks.org has address 64.64.12.170
Doesn't it seem vaguely suspicious that whois was just updated?

    Domain ID:D130035267-LROR
    Domain Name:WIKILEAKS.ORG
    Created On:04-Oct-2006 05:54:19 UTC
    Last Updated On:17-Dec-2010 01:57:59 UTC
    Expiration Date:04-Oct-2018 05:54:19 UTC

It seems like it'd be reasonable to be cautious.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Dec 19, 2010, at 8:06 AM, Joe Greco wrote:
On 12/18/2010 5:15 PM, Marshall Eubanks wrote:
I get nothing from wikileaks.org, although the DNS is active :
$ host wikileaks.org wikileaks.org has address 64.64.12.170
Doesn't it seem vaguely suspicious that whois was just updated?
Domain ID:D130035267-LROR Domain Name:WIKILEAKS.ORG Created On:04-Oct-2006 05:54:19 UTC Last Updated On:17-Dec-2010 01:57:59 UTC Expiration Date:04-Oct-2018 05:54:19 UTC
It seems like it'd be reasonable to be cautious.
Yes. Now, for me, wikileaks.org does alias to wikileaks.info:

    wget -r wikileaks.org
    --13:49:00--  http://wikileaks.org/
               => `wikileaks.org/index.html'
    Resolving wikileaks.org... done.
    Connecting to wikileaks.org[64.64.12.170]:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://mirror.wikileaks.info/ [following]
    --13:49:00--  http://mirror.wikileaks.info/
               => `mirror.wikileaks.info/index.html'
    Resolving mirror.wikileaks.info... done.
    Connecting to mirror.wikileaks.info[92.241.190.202]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 90,059 [text/html]

Which, according to RIPE, is assigned to Russia, but with a contact in Panama:

    % Information related to '92.241.190.0 - 92.241.190.255'
    inetnum:        92.241.190.0 - 92.241.190.255
    netname:        HEIHACHI
    descr:          Heihachi Ltd
    country:        RU
    admin-c:        HEI668-RIPE
    tech-c:         HEI668-RIPE
    status:         ASSIGNED PA
    mnt-by:         RU-WEBALTA-MNT
    source:         RIPE # Filtered

    person:         Andreas Mueller
    address:        Bella Vista, Calle 53, Marbella
    address:        Ciudad de Panama, Panama
    remarks:        Visit us under gigalinknetwork.com
    remarks:        ICQ 7979970
    remarks:        Dedicated Servers, Webspace, VPS, DDOS protected Webspace
    remarks:        Send abuse ONLY to: abuse@gigalinknetwork.com
    remarks:        Technical and sales info: support@gigalinknetwork.com
    phone:          +5078321458
    abuse-mailbox:  abuse@gigalinknetwork.com
    nic-hdl:        hei668-RIPE
    mnt-by:         WEBALTA-MNT
    source:         RIPE # Filtered

Neither of which would give me confidence.

Regards
Marshall
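The manual checks in the messages above (host/dig, a hand-typed GET over telnet, wget following the 302, then a RIPE lookup of the landing address) can be chained into one script. The following is an added example, not code from the thread or from any of its participants: it walks an HTTP redirect chain one hop at a time, resolves each hostname itself, and flags any hop whose address falls inside a listed prefix, here the 92.241.190.0/24 inetnum quoted above. DNS resolution and the HTTP fetch are passed in as functions so the script runs offline against constructed fixtures (the 302 is a reconstruction of the response posted above; the 200 for mirror.wikileaks.info is made up for the example). live_resolve and live_fetch are my real-network equivalents, an assumption of this example rather than anything the thread ran.

```python
"""Trace an HTTP redirect chain by hand and flag hops that land in a listed prefix.

Added example, not from the thread. DNS and HTTP are injected as callables so the
script runs offline against the constructed fixtures below; live_resolve and
live_fetch are the real-network equivalents.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Prefix from the RIPE inetnum quoted in the thread (92.241.190.0 - 92.241.190.255).
LISTED_PREFIXES = [ipaddress.ip_network("92.241.190.0/24")]

# Constructed resolver fixture (hostname -> A record) using the addresses quoted in the thread.
STUB_DNS: Dict[str, str] = {
    "wikileaks.org": "64.64.12.170",
    "mirror.wikileaks.info": "92.241.190.202",
}

# Constructed HTTP fixtures keyed by (ip, Host header). The 302 reconstructs the response
# posted in the thread; the 200 for the mirror is made up for this example.
STUB_HTTP: Dict[Tuple[str, str], str] = {
    ("64.64.12.170", "wikileaks.org"): (
        "HTTP/1.1 302 Found\r\n"
        "Date: Sun, 19 Dec 2010 04:56:23 GMT\r\n"
        "Server: Apache\r\n"
        "Location: http://mirror.wikileaks.info/\r\n"
        "Content-Length: 213\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        "\r\n"
        "<html><body><h1>Found</h1></body></html>"
    ),
    ("92.241.190.202", "mirror.wikileaks.info"): (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    ),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_status_and_location(raw: str) -> Tuple[int, Optional[str]]:
    """Return (status code, Location header or None) from a raw HTTP/1.x response."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0][:40])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return int(m.group(1)), location


def listed_prefix(ip: str) -> Optional[str]:
    """Return the listed prefix containing ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for net in LISTED_PREFIXES:
        if addr in net:
            return str(net)
    return None


def trace_redirects(url: str, resolve: Callable[[str], str], fetch: Callable[[str, str], str],
                    max_hops: int = 5) -> List[Tuple[str, str, int, Optional[str]]]:
    """Follow redirects one hop at a time; each hop is (url, ip, status, listed prefix or None).

    Unlike wget -r, nothing is auto-followed: every intermediate host and address is
    recorded before the next request goes out. Stops on a non-redirect status, a
    missing Location header, a loop, or max_hops.
    """
    hops: List[Tuple[str, str, int, Optional[str]]] = []
    seen = set()
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        host = urlparse(url).hostname
        if host is None:
            break
        ip = resolve(host)
        status, location = parse_status_and_location(fetch(ip, host))
        hops.append((url, ip, status, listed_prefix(ip)))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # also handles relative Location values
    return hops


def live_resolve(host: str) -> str:
    return socket.gethostbyname(host)


def live_fetch(ip: str, host: str, port: int = 80, timeout: float = 10.0) -> str:
    """The same manual GET the thread typed into telnet, with the Host header set."""
    req = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode("ascii")
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1", "replace")


def check_offline(url: str = "http://wikileaks.org/"):
    """Run the trace against the constructed fixtures."""
    return trace_redirects(url, STUB_DNS.__getitem__, lambda ip, host: STUB_HTTP[(ip, host)])


if __name__ == "__main__":
    for hop_url, hop_ip, hop_status, prefix in check_offline():
        flag = "LISTED in %s" % prefix if prefix else "ok"
        print("%-35s %-16s %d  %s" % (hop_url, hop_ip, hop_status, flag))
```

To check a live host, call trace_redirects(url, live_resolve, live_fetch) instead of check_offline; the point of resolving and fetching each hop yourself is that a redirect into a different network shows up as its own line with its own address, rather than being silently followed the way a browser or wget would.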
The wikileaks.info press release points to Google's Safe Browsing page for wikileaks.info (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), which comes up clean.

While I tend to trust Steve and Spamhaus because of their built-up reputation, it would be helpful if some concrete facts were published about the "more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any chance that will be done, so wikileaks.info's claims can be publicly refuted?

Kind regards,

Frank

-----Original Message-----
From: Jack Bates [mailto:jbates@brightok.net]
Sent: Saturday, December 18, 2010 3:00 PM
To: nanog@nanog.org
Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

On 12/18/2010 6:58 AM, Steve Linford wrote:
For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all.

It appears that wikileaks.org is operational again and redirecting to mirror.wikileaks.info, which raises concern about who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors.

Jack
Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi:

http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

FYI,

- ferg

On Sun, Dec 19, 2010 at 10:46 AM, Frank Bulk - iName.com <frnkblk@iname.com> wrote:

The wikileaks.info press release points to Google's Safe Browsing page for wikileaks.info (http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info), which comes up clean.

While I tend to trust Steve and Spamhaus because of their built-up reputation, it would be helpful if some concrete facts were published about the "more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any chance that will be done, so wikileaks.info's claims can be publicly refuted?

-- 
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
On 19/12/10 18:51, Paul Ferguson wrote:
Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi:
http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/
All the domains listed by Trend Micro as neighbours appear to be down. I have to say, as someone whose employer will buy and host a domain name if you fill in the credit card details and the credit card company accepts them, that if you listed only the sites we've cancelled first thing on a Monday morning (or as soon as we are notified) we'd look pretty poor.
From the many adverse comments about the hosting services in use, they look as bad as they come, but on the other hand this weakens the usefulness of the Trend statement (well, to people who check what they are told).
Were the sites up when the announcement was made?
On Sun, Dec 19, 2010 at 12:29 PM, Simon Waters <simonw@zynet.net> wrote:
On 19/12/10 18:51, Paul Ferguson wrote:
Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi:
http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/
All the domains listed by Trend Micro as neighbours appear to be down.
Have to say as someone whose employer will buy and host a domain name if you fill in the credit card details and the credit card company accept them, if you listed only the sites we've cancelled first thing on a Monday morning (or as soon as we are notified) we'd look pretty poor.
From the many adverse comments about the hosting services in use they look as bad as they come, but on the other hand this weakens the usefulness of the Trend statement (well to people who check what they are told).
Were the sites up when the announcement was made?
The sites that were listed are just a few examples of the hundreds of domains located there that are engaged in criminal activity. The fact that they are down now really doesn't factor into the equation; the history of criminal activity within that prefix speaks for itself.

- ferg
Thanks for your note and the many others. I think it could have been stated more clearly that wikileaks.info, while in a bad neighborhood, and set up to suggest it is Wikileaks or part of the Wikileaks organization, does not (at this time) host or facilitate distribution of malware. The Spamhaus announcement was not so clear.

Frank

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster@gmail.com]
Sent: Sunday, December 19, 2010 12:52 PM
To: frnkblk@iname.com
Cc: Jack Bates; nanog@nanog.org
Subject: Re: Spamhaus under DDOS from AnonOps (Wikileaks.info)

Not for nothing, but Spamhaus wasn't the only organization to warn about Heihachi:

http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/

FYI,

- ferg
On Sun, Dec 19, 2010 at 12:46:33PM -0600, Frank Bulk - iName.com wrote:
While I tend to trust Steve and Spamhaus because of their built up reputation, it would be helpful if some concrete facts were published about the "more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."
I found this: http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru (as well as the SBL records those reference) quite interesting. ---rsk
additional evidence

http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on

On Sun, Dec 19, 2010 at 2:25 PM, Rich Kulawiec <rsk@gsp.org> wrote:

I found this:

http://www.spamhaus.org/sbl/listings.lasso?isp=webalta.ru

(as well as the SBL records those reference) quite interesting.

---rsk
On 12/19/2010 08:33 PM, Ned Moran wrote:
additional evidence
http://www.malwaredomainlist.com/mdl.php?search=41947&colsearch=All&quantity=50&inactive=on
The evidence is for Webalta, which hosts Heihachi (which hosts wikileaks.info). I spent some minutes checking Heihachi's IP block 92.241.190.0 - 92.241.190.255. I found 255 .com/.net domains which use this IP block and Heihachi's DNS servers. Google reports that none of them is used to serve malware. Two of them, dhl24-servicecenter.com and pixel-banner.com, are reported as phishing sites. Both are down at the moment.

http://support.clean-mx.de/clean-mx/rss?scope=viruses&as=AS41947 reports 4 addresses on this IP block; all seem to be up.

http://www.malwaredomainlist.com/mdl.php?search=92.241.190&colsearch=All&quantity=50 reports 3 addresses on underground-infosource.info. This site is not online at the moment.

If Heihachi hasn't cleaned up very well in the last few days, I would say that they behave much better than Webalta's customers in general.
participants (10): foks, Frank Bulk - iName.com, Jack Bates, Joe Greco, Marshall Eubanks, Ned Moran, Paul Ferguson, Rich Kulawiec, Simon Waters, Steve Linford