As many of you know, both Trend Micro and Spamhaus have published warnings about a Wikileaks mirror site 'wikileaks.info' which is run by the person or persons behind 'AnonOps' from an IP address of a Russian dedicated cybercrime host (Heihachi) on which there is nothing but malware and other cybercrime. Innocent people seeking to read or download Wikileaks documents are being directed to the rogue wikileaks.info server and into the hands of the crime gangs located there.
For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. The criminals there do not like our free speech at all.
As our site can't be reached now, you can not read our article on this, and we can not continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out to Wikileaks users, please forward this message (entire) to them.
The anonymous folks at AnonOps did not like our article update, here's what we said and what brought the ddos on us:
It appears that wikileaks.org is operational again and redirecting to mirror.wikileaks.info, which draws concern of who now controls wikileaks.org. .info definitely isn't the same layout as all the mirrors.
"The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com."
However, at least for me here in Virginia, wikileaks.org is not aliasing to anywhere, but instead simply times out.
I get nothing from wikileaks.org, although the DNS is active :
$ host wikileaks.org
wikileaks.org has address 64.64.12.170
$ telnet 64.64.12.170 80
Trying 64.64.12.170...
Connected to 64.64.12.170.
Escape character is '^]'.
GET / HTTP/1.1
Host: wikileaks.org
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://mirror.wikileaks.info/">here</a>.</p>
</body></html>
Connection to 64.64.12.170 closed by foreign host.
and, at least here, a traceroute disappears into servint
<snip>
8 64.125.195.222.t00883-02.above.net (64.125.195.222) 15.905 ms 12.172 ms 12.072 ms
9 sc-smv1766.servint.net (216.22.61.86) 15.879 ms 11.974 ms 13.761 ms
10 * * *
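The telnet session above is the manual form of a check worth automating: request the front page of the domain you expect, and flag any redirect whose target leaves that domain's registrable name. The script below is an added example, not code from the thread or from Spamhaus. It parses a raw HTTP response the way the poster read it by eye; the response bytes are a constructed sample built from the body shown above, and the Location header is an assumption (the poster showed only the HTML body), as is the naive "last two labels" rule for the registrable domain.

```python
"""Flag HTTP redirects that leave the requested registrable domain.

Added example, not from the thread. Parses a raw response as captured
over telnet and compares the redirect target against the requested host.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the 302 the poster got from 64.64.12.170 for wikileaks.org.
# Assumption: the Location header matched the href in the body (only the body
# was shown in the thread).
CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mirror.wikileaks.info/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n"
    '<p>The document has moved <a href="http://mirror.wikileaks.info/">here</a>.</p>\n'
    "</body></html>\n"
)

# Constructed control case: a redirect that stays inside the requested domain.
SAME_DOMAIN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.wikileaks.org/\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two DNS labels.

    Assumption: adequate for .org/.info; it does not understand multi-label
    public suffixes such as co.uk (a real tool would consult the Public Suffix List).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_redirect(requested_host: str, raw: str) -> dict:
    """Describe where a response sends the client and whether that leaves the requested domain."""
    status, headers, body = parse_response(raw)
    target = headers.get("location")
    if target is None:
        # Some servers only put the new URL in the body; fall back to the first href.
        match = HREF_RE.search(body)
        target = match.group(1) if match else None
    result = {"status": status, "location": target, "off_domain": False,
              "verdict": "no redirect"}
    if status not in REDIRECT_CODES or target is None:
        return result
    target_host = urlparse(target).hostname or requested_host
    requested, landed = registrable_domain(requested_host), registrable_domain(target_host)
    result["off_domain"] = requested != landed
    result["verdict"] = (f"redirect leaves {requested} for {landed}" if result["off_domain"]
                         else f"redirect stays within {requested}")
    return result


if __name__ == "__main__":
    for raw in (CAPTURED_RESPONSE, SAME_DOMAIN_RESPONSE):
        print(classify_redirect("wikileaks.org", raw)["verdict"])
```

Run against the captured sample this reports "redirect leaves wikileaks.org for wikileaks.info", which is exactly the observation that prompted the thread; the control case reports that the redirect stays within wikileaks.org. Feeding it live responses is a matter of replacing the constants with bytes read from a socket.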
I see the same timeouts, but tcp/80 is going through. Filtering, I suspect.
Doesn't it seem vaguely suspicious that whois was just updated?
Domain ID:D130035267-LROR
Domain Name:WIKILEAKS.ORG
Created On:04-Oct-2006 05:54:19 UTC
Last Updated On:17-Dec-2010 01:57:59 UTC
Expiration Date:04-Oct-2018 05:54:19 UTC
While I tend to trust Steve and Spamhaus because of their built-up
reputation, it would be helpful if some concrete facts were published about
the "more than 40 criminal-run sites operating on the same IP address as
wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and
bank phishes paypal-securitycenter.com and postbank-kontodirekt.com." Any
chance that will be done, so wikileaks.info's claims can be publicly
refuted?
It seems like it'd be reasonable to be cautious.
Yes. Now, for me, wikileaks.org does alias to wikileaks.info
All the domains listed by Trend Micro as neighbours appear to be down.
Have to say as someone whose employer will buy and host a domain name if
you fill in the credit card details and the credit card company accept
them, if you listed only the sites we've cancelled first thing on a
Monday morning (or as soon as we are notified) we'd look pretty poor.
From the many adverse comments about the hosting services in use they
look as bad as they come, but on the other hand this weakens the
usefulness of the Trend statement (well to people who check what they
are told).
The sites that were listed are just a few examples of the hundreds of
domains located there that are engaged in criminal activity. The fact that
they are down now really doesn't factor into the equation -- the history of
criminal activity within that prefix speaks for itself.
The evidence is for Webalta, which hosts Heihachi (which hosts
wikileaks.info). I spent some minutes checking Heihachi's IP block
92.241.190.0 - 92.241.190.255.
I found 255 .com/.net domains which use this IP block and Heihachi's DNS
servers. Google reports that none of them is used to serve malware. Two
of them, dhl24-servicecenter.com and pixel-banner.com, are reported as
phishing sites. Both are down at the moment.
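The check described in the post above (which other domains sit in the same /24, use the same nameservers, and carry reputation reports) is a standard hosting-neighbourhood review. The script below is an added example, not the poster's tooling or Spamhaus's. Its input is a constructed passive-DNS style dataset: the IP block and the two phishing domains are the ones named in the thread, while the nameserver names, the IP assignments and the other domains are invented placeholders, since the thread does not give them.

```python
"""Hosting-neighbourhood review for a domain's IP block.

Added example, not from the thread. Works over a constructed dataset of
(domain, A record, nameserver) tuples and a constructed reputation feed.
"""
import ipaddress
from collections import defaultdict

# The block named in the thread.
BLOCK = ipaddress.ip_network("92.241.190.0/24")

# Hypothetical placeholders: the thread does not name the hoster's DNS servers.
HOSTER_NS = {"ns1.hoster.example", "ns2.hoster.example"}

# Constructed records. dhl24-servicecenter.com and pixel-banner.com are the two
# domains the post reports as phishing; every other domain, and every IP
# assignment, is an invented placeholder.
RECORDS = [
    ("wikileaks.info", "92.241.190.200", "ns1.hoster.example"),
    ("dhl24-servicecenter.com", "92.241.190.200", "ns1.hoster.example"),
    ("pixel-banner.com", "92.241.190.201", "ns2.hoster.example"),
    ("placeholder-shop-01.com", "92.241.190.201", "ns2.hoster.example"),
    ("placeholder-shop-02.net", "92.241.190.202", "ns1.hoster.example"),
    ("unrelated-example.com", "203.0.113.10", "ns1.elsewhere.example"),   # outside the block
    ("parked-example.net", "92.241.190.203", "ns1.elsewhere.example"),    # in block, other NS
]

# Constructed reputation feed: domain -> report category.
REPORTS = {"dhl24-servicecenter.com": "phishing", "pixel-banner.com": "phishing"}


def neighbours(records, block, ns_set):
    """Domains resolving inside `block` whose nameserver is one of `ns_set`."""
    return [dom for dom, ip, ns in records
            if ipaddress.ip_address(ip) in block and ns in ns_set]


def co_hosted(records, domain):
    """Other domains sharing an A record with `domain` (shared-IP neighbours)."""
    ips = {ip for dom, ip, _ in records if dom == domain}
    return sorted(dom for dom, ip, _ in records if ip in ips and dom != domain)


def per_ip(records, block):
    """Group in-block domains by IP so dense single-IP clusters stand out."""
    groups = defaultdict(list)
    for dom, ip, _ in records:
        if ipaddress.ip_address(ip) in block:
            groups[ip].append(dom)
    return {ip: sorted(doms) for ip, doms in groups.items()}


def assess(records, block, ns_set, reports):
    """Summarise how much of the neighbourhood carries reputation reports."""
    hood = neighbours(records, block, ns_set)
    flagged = sorted(dom for dom in hood if dom in reports)
    ratio = len(flagged) / len(hood) if hood else 0.0
    return {"neighbours": len(hood), "flagged": flagged, "flag_ratio": ratio,
            "categories": sorted({reports[d] for d in flagged})}


if __name__ == "__main__":
    summary = assess(RECORDS, BLOCK, HOSTER_NS, REPORTS)
    print(f"{summary['neighbours']} neighbours, {len(summary['flagged'])} flagged "
          f"({summary['flag_ratio']:.0%}): {summary['flagged']}")
    print("co-hosted with wikileaks.info:", co_hosted(RECORDS, "wikileaks.info"))
    for ip, doms in sorted(per_ip(RECORDS, BLOCK).items()):
        print(ip, doms)
```

The design separates the two questions the thread conflates: "what else lives in this block under this hoster" (neighbourhood density) and "what fraction of that has reports against it" (neighbourhood quality). A domain can sit in a poor neighbourhood without itself being reported, which is the distinction the later reply in the thread draws.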
Thanks for your note and the many others. I think it could have been stated
more clearly that wikileaks.info, while in a bad neighborhood, and set up to
suggest it is Wikileaks or part of the Wikileaks organization, does not (at
this time) host or facilitate distribution of malware. The Spamhaus
announcement was not so clear.