by Ciro Santilli (@cirosantilli, 35)
Scrapped justdropped data, patched:
+++ b/cia-2010-covert-communication-websites/cdx-post.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # Post process the output of cdx.sh to enrich IDs even further, and reconstruct easier to Web Archive inspect domain names.
-grep -P -e '([^,)]+)\)\/\1\.swf|\)/[^/]+.jar|([^,)]+),([^,)]+),([^,)]+)\)/cgi-bin/[^/]+\.cgi' "$1" |
-  sed -r 's/\).*//' | awk -F, '{ printf("%s.%s\n", $2, $1) }' | uniq -c | awk '$1 == 1{ print $2 }' | tee $1.post
+grep -P -e '([^,)]+)\)\/\1\.swf|\)/[^/]+.jar|([^,)]+),([^,)]+),([^,)]+)\)/cgi-bin/[^/]+\.cgi' "$1"|
+  sed -r 's/\).*//' | awk -F, '{ printf("%s.%s\n", $2, $1) }' | uniq -c | awk '{ print $2 }' | tee $1.post
and then:
./hupo-cdx-tor.sh out 'news|headline|internationali|mondo|mundo|mondi|iran|today' 2006 2022
web.archive.org/web/20110203041325/http://financecentraltoday.com/
web.archive.org/web/20110202221328/http://thenewsofpakistan.com/
web.archive.org/web/20050424123432/http://www.pokernewsweb.com/ likely legit in the intended emulated style
web.archive.org/web/20101226225311/http://world-news-online.net/
web.archive.org/web/20100923090646/http://mideasttoday.net/
web.archive.org/web/20110209045123/http://dryterrainnews.com/
web.archive.org/web/20100206221718/http://euronewsonline.net/
web.archive.org/web/20110208063146/http://news-and-sports.com/ Hit.
  • viewdns.info/iphistory/?domain=news-and-sports.com says:
    • 204.11.56.25 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-07-05
    • 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20
    • 66.104.175.42 United States XO-AS15 2012-06-29 In range.
web.archive.org/web/20110202054628/http://intoworldnews.com/ hit.
  • viewdns.info/iphistory/?domain=intoworldnews.com says:
    • 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20
    • 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-04-21
    • 219.90.61.118 Taiwan UUNET 2013-03-02
      19.90.61.118
  • securitytrails:
    • 219.90.61.118 Verizon Business 2010-12-11 (14 years) 2011-07-13 (14 years) 7 months
    • 205.178.189.129 Network Solutions, LLC 2010-03-10 (15 years) 2010-03-29 (15 years) 19 days
web.archive.org/web/20110207171340/http://mydailynewsreport.com/ hit
web.archive.org/web/20050508220858/http://www.asianewsupdate.com/ this looks like the exact format of legitimate site the CIA was emulating. Copyright 2005, a CGI link to as: www.asianewsupdate.com:80/cgi-sys/FormMail.cgi There's a phone there 01 647-0910 so seems less likely?
2010. JAR unarchived. rss, split image
  • viewdns.info/iphistory/?domain=newsdelivered.net says:
    • 192.96.218.41 United States 123NET 2013-06-10
    • 196.40.84.210 Costa Rica RADIOGRAFICA COSTARRICENSE 2013-05-20
    • 50.63.202.40 United States AS-26496-GO-DADDY-COM-LLC 2013-04-08
    • 74.220.207.158 United States UNIFIEDLAYER-AS-1 2013-03-11. viewdns.info/reverseip/?host=74.220.207.158&t=1 says large virtual.
  • securitytrails:
    • 192.96.218.41 123.Net, Inc. 2013-05-29 (12 years) 2013-06-02 (12 years) 4 days
    • 196.40.84.210 RADIOGRAFICA COSTARRICENSE 2013-05-21 (12 years) 2013-05-27 (12 years) 6 days
    • 74.220.207.158 Unified Layer 2008-09-01 (17 years) 2009-02-26 (16 years) 6 months
2010. JAR. Split header.
2011. JAR unarchived. Split header.
2011. JAR. Farsi. RSS, split images.
2011. JAR. a.newslink, a.newslinkalt.
2011. Arabic. RSS.
web.archive.org/web/20110129115400/http://kmirano.com/ shallow but off style? Has a kmirano.sfw... viewdns.info/iphistory/?domain=kmirano.com says 211.1.224.71 Japan NTT SmartConnect Corporation 2012-01-11
2011. JAR. Copyright 2008. Split header and other images. They are obsessed about CDMA (2G).
2011. JAR. split header, RSS.
2010. Suspicious. But no clear fingrenprint. Also not as shallow as others. Also Joomla based which would be novel.
  • viewdns.info/iphistory/?domain=eqranews.com says:
  • securitytrails.com/domain/eqranews.com/history/a says
    • 69.64.147.243 Amazon.com, Inc. 2011-04-28 (14 years) 2012-01-19 (13 years) 9 months
    • 67.228.81.180 SoftLayer Technologies Inc. 2011-04-18 (14 years) 2011-04-28 (14 years) 10 days
    • 174.37.172.68 SoftLayer Technologies Inc. 2011-04-13 (14 years) 2011-04-18 (14 years) 5 days
    • 67.228.81.180 SoftLayer Technologies Inc. 2011-03-19 (14 years) 2011-04-13 (14 years) 25 days
    • 74.220.215.62 Unified Layer 2010-03-18 (15 years) 2011-03-19 (14 years) 1 year
2010. JAR.
newspapergateway.com/ web.archive.org/web/20110208070309/http://newspapergateway.com/ hard to tell but generally off. Has both JAR and SWF.
2011 Farsi. JAR. RSS.
2010 JAR. Split header, rss.
2011. English. Split header, RSS.
sandstormnews.com 2011, SWF Arabic. ul.rss-items > li.rss-item, split header
zerosandonesnews.com 2011. SWF Split header, ul.rss-items > li.rss-item
differentviewtoday.com: web.archive.org/web/20110202185635/http://differentviewtoday.com/ split header images JAR archived at: web.archive.org/web/20110202185659/http://differentviewtoday.com/bwm.jar
lasthournews.com web.archive.org/web/20100513182623/http://lasthournews.com/. Urdu. JAR at: web.archive.org/web/20100513182724/http://lasthournews.com/recent.jar. Split header images.
mynepalnews.com, split header images, ul.rss-items > li.rss-item, Unarchived jar:
  • viewdns.info/iphistory/?domain=mynepalnews.com
    • 5.9.240.230 Falkenstein - Germany Hetzner Online GmbH 2014-01-31
    • 142.4.222.67 Canada OVH SAS 2013-12-20
    • 72.9.137.7 Nepal WorldLink Communications Pvt Ltd 2013-06-30. Big virtual.
    • 64.71.179.79 United States HURRICANE 2012-11-12. Nothing else on 64.71.179.71 - 64.71.179.89
  • securitytrails.com/domain/mynepalnews.com/history/a
    • 5.9.219.166 Hetzner Online GmbH 2013-12-31 (11 years) 2014-01-08 (11 years) 8 days
    • 142.4.222.67 OVH SAS 2013-12-02 (11 years) 2013-12-31 (11 years) 29 days
    • 72.9.137.7 WorldLink Communications Pvt Ltd 2013-01-24 (12 years) 2013-04-02 (12 years) 2 months
    • 64.71.179.79 Hurricane Electric LLC 2008-09-01 (17 years) 2008-10-21 (16 years) 2 months
Summary: this is just a red herring. Wakatime owner likely registered the domains just after this article was published as a publicity stunt. Fair play though.
As raised at: news.ycombinator.com/item?id=36280666, many, but not all, of the domains currently redirect to wakatime.com/ as of 2023, and apparently they were taken up in 2013 (TODO how to confirm that). TODO what is the explanation for that? Some examples that do:
But some failed resolution examples:
Even more suspiciously, according to his LinkedIn: www.linkedin.com/in/alanhamlett/, the owner of Wakatime, Alan Hamlett, worked at WhiteHat Security, Inc from Aug 2011 - Sep 2013. The company was then acquired by Synopsys in 2022. Holy crap!!! As shown at: web.archive.org/web/20131013193406/https://www.whitehatsec.com/ that company made website security tools. Did that dude use the tools to find the vulnerabilty and then just gobble up all the domains??? What a fucking legend if he did!!!
Running e.g.
curl -vvv dedrickonline.com
gives:
*   Trying 162.255.119.197:80...
* Connected to dedrickonline.com (162.255.119.197) port 80 (#0)
> GET / HTTP/1.1
> Host: dedrickonline.com
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 12 Jun 2023 20:30:19 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 55
< Connection: keep-alive
< Location: https://wakatime.com
< X-Served-By: Namecheap URL Forward
< Server: namecheap-nginx
< 
<a href='https://wakatime.com'>Moved Permanently</a>.

* Connection #0 to host dedrickonline.com left intact
so we see that he must have setup redirection with Namecheap as mentioned at: www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-redirect-a-url-for-a-domain/
Let's also try DNS history
  • whoisrequest.com/history/:
    • dedrickonline.com: registered: 1 Nov, 2010, dropped: 24 Nov, 2013
    • activegaminginfo.com : registered: 1 Feb, 2010, dropped: 1 Apr, 2012
  • tools.whoisxmlapi.com/whois-history-search
    • dedrickonline.com:
      • CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
        • Created Date: October 27, 2010 00:00:00 UTC
        • Updated Date: October 28, 2013 00:00:00 UTC
        • Expires Date: October 27, 2014 00:00:00 UTC
      • Alan (namecheap):
        • Created Date: June 11, 2023 09:59:25 UTC
        • Expires Date: June 11, 2024 09:59:25 UTC
    • activegaminginfo.com:
      • CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
        • Created Date: January 26, 2010 00:00:00 UTC
        • Updated Date: November 27, 2010 00:00:00 UTC
        • Expires Date: January 26, 2012 00:00:00 UTC
      • Alan:
        • Created Date: June 11, 2023 09:59:40 UTC
        • Expires Date: June 11, 2024 09:59:40 UTC
    • iraniangoalkicks.com:
      • CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
        • Created Date: April 9, 2007 00:00:00 UTC
        • Updated Date: March 2, 2011 00:00:00 UTC
        • Expires Date: April 9, 2011 00:00:00 UTC
      • Alan:
        • Created Date: June 11, 2023 09:59:20 UTC
        • Expires Date: June 11, 2024 09:59:20 UTC
    • iraniangoals.com:
      • CIA (registrar: Godaddy, registrant name: domainsbyproxy.com):
        • Created Date: March 6, 2008 00:00:00 UTC
        • Updated Date: March 7, 2011 00:00:00 UTC
        • Expires Date: March 6, 2014 00:00:00 UTC
      • Reuters:
        • Created Date: September 29, 2022 11:16:09 UTC
        • Updated Date: September 29, 2022 11:16:09 UTC
        • Expires Date: September 29, 2023 11:16:09 UTC
So these suggest Alan might have just come along in 2023 way after the 2022 Reuters article and did the same basic IP range search that Ciro is doing now, so possibly no new tech. Let's ask... twitter.com/cirosantilli/status/1668369786865164289
The domain name history presented is however of interest, and could lead to patterns being found.
Searching tools.whoisxmlapi.com/reverse-whois-search with term "Corral, Elizabeth" gave no results unfortunately.
Basic search under tools.whoisxmlapi.com/reverse-whois-search for "Corral" also empty. They can't see their own data? Ah, need advanced. Marked "Historic" and selected "Corral, Elizabeth", ony one hit, activegaminginfo.com.
Some dumps from us looking for patterns, but could not find any.
whoisxmlapi WHOIS history April 11, 2011:
  • Created Date: March 6, 2008 00:00:00 UTC
  • Updated Date: March 7, 2011 00:00:00 UTC
  • Expires Date: March 6, 2014 00:00:00 UTC
  • Registrant Name: domainsbyproxy.com.
  • Registrant Organization: Domains by Proxy, Inc.
  • Registrant Street: 15111 N. Hayden Rd., Ste 160,
  • Registrant City: Scottsdale
  • Registrant State/Province: Arizona
  • Registrant Postal Code: 85260
  • Registrant Country: UNITED STATES
  • Name servers: NS29.WORLDNIC.COM|NS30.WORLDNIC.COM
Folowed by reuters registration in 2022.
whoisrequest.com/history/ mentions:
  • 1 Apr, 2008: Domain created*, nameservers added. Nameservers:
  • ns1.webhostingpad.com
  • ns2.webhostingpad.com
whoisxmlapi WHOIS history March 23, 2011:
  • Created Date: April 9, 2007 00:00:00 UTC
  • Updated Date: March 2, 2011 00:00:00 UTC
  • Expires Date: April 9, 2011 00:00:00 UTC
  • Registrant Name: domainsbyproxy.com
  • Name servers: dns1.registrar-servers.com|dns2.registrar-servers.com
whoisrequest.com/history/ mentions:
1 May, 2007: Domain created*, nameservers added. Nameservers:
  • ns1.qwknetllc.com
  • ns2.qwknetllc.com
whoisxmlapi WHOIS history March 22, 2011:
  • Registrar Name: NETWORK SOLUTIONS, LLC.
  • Created Date: January 26, 2010 00:00:00 UTC
  • Updated Date: November 27, 2010 00:00:00 UTC
  • Expires Date: January 26, 2012 00:00:00 UTC
  • Registrant Name: Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions
  • Registrant Street: PO Box 459
  • Registrant City: PA
  • Registrant State/Province: US
  • Registrant Postal Code: 18222
  • Registrant Country: UNITED STATES
  • Administrative Name: Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions
  • Administrative Street: PO Box 459
  • Administrative City: Drums
  • Administrative State/Province: PA
  • Administrative Postal Code: 18222
  • Administrative Country: UNITED STATES
  • Administrative Email: xc2mv7ur8cw@networksolutionsprivateregistration.com
  • Administrative Phone: 5707088780
  • Name servers: NS23.DOMAINCONTROL.COM|NS24.DOMAINCONTROL.COM
whoisxmlapi WHOIS record on April 28, 2011
  • Registrar Name: GODADDY.COM, INC
  • Created Date: February 9, 2010 00:00:00 UTC
  • Updated Date: February 9, 2010 00:00:00 UTC
  • Expires Date: February 9, 2015 00:00:00 UTC
  • Registrant Name: domainsbyproxy.com
  • Name servers: NS55.DOMAINCONTROL.COM|NS56.DOMAINCONTROL.COM
whoisxmlapi WHOIS record on September 13, 2011
  • Registrar Name: NETWORK SOLUTIONS, LLC
  • Created Date: February 17, 2010 00:00:00 UTC
  • Updated Date: February 17, 2010 00:00:00 UTC
  • Expires Date: February 17, 2015 00:00:00 UTC
  • Registrant Name: See, Megan|ATTN NOTICIASMUSICA.NET|care of Network Solutions
  • Registrant Street: PO Box 459
  • Registrant City: PA
  • Registrant State/Province: US
  • Registrant Postal Code: 18222
  • Registrant Country: UNITED STATES
  • Administrative Contact
  • Administrative Name: See, Megan|ATTN NOTICIASMUSICA.NET|care of Network Solutions
  • Administrative Street: PO Box 459
  • Administrative City: Drums
  • Administrative State/Province: PA
  • Administrative Postal Code: 18222
  • Administrative Country: UNITED STATES
  • Administrative Email: hf3eg77c4nn@networksolutionsprivateregistration.com
  • Administrative Phone: 5707088780
  • Name Servers: NS45.WORLDNIC.COM|NS46.WORLDNIC.COM
2012:
  • Registrant Country: PANAMA
whoisxmlapi WHOIS record on April 17, 2011
  • Created Date: April 9, 2010 00:00:00 UTC
  • Updated Date: April 9, 2010 00:00:00 UTC
  • Expires Date: April 9, 2012 00:00:00 UTC
  • Registrant Name: domainsbyproxy.com
  • Name servers: NS33.DOMAINCONTROL.COM|NS34.DOMAINCONTROL.COM

Ancestors (10)

  1. CIA 2010 covert communication websites
  2. Central Intelligence Agency
  3. Intelligence agency
  4. Secret service
  5. Espionage
  6. War
  7. Social science
  8. Scientific method
  9. Science
  10. Home

View article source

Discussion (0)

+ New discussion

There are no discussions about this article yet.

Articles by others on the same topic (0)

There are currently no matching articles.
See all articles in the same topic + Create my own version