While procrastinating I suddenly remembered that cqcounter.com/siteinfo/ has screenshots of many many old websites, and I decided to look at possible hits in known IP ranges for which the Wayback Machine archive was broken.
This led to finding about 30 novel screenshots of previously examined domains that are in perfect CIA-style, thus confirming them as hits almost beyond reasonable doubt. This therefore revealed for the first time what a few new websites looked like.
The websites were all just soulless bulk or mildly cute like the vast majority, but I did find 4 new screenshots of CIA websites that targeted democracies on cqcounter.com/siteinfo/
Figure 1. 2011 cqcounter archive of affairesdumonde.com targeting France. Source.
Figure 2. 2011 cqcounter archive of ordenpolicial.com targeting Spain. Source.
Figure 3. 2011 cqcounter archive of vejaaeuropa.com targeting Brazil. Source.
Figure 4. 2011 cqcounter archive of european-footballer.com targeting Croatia. Source.
The fingerprint of "having a visually similar CQ Counter screenshot" is definitely weaker than a Wayback Machine archive as we only have a screenshot and can't inspect the HTML to find the communication mechanism. But when the screenshot is perfectly in CIA style and in a known IP range, the evidence is too strong and we'll consider it as a hit moving forward.
I'm also going to reclassify previously known domains with Wayback Machine archives with matching visual style but no clear comms that are in known IP domains as hits; it just feels too probable.
I love how this project has led me to use whatever random sources come to hand! CQ Counter is the ONLY website that I know of besides the Wayback Machine that has historical screenshots of a huge number of domains. Their database is VERY complete. But they are so obscure!
They even have the old IP of the domain. But because they don't have reverse IP to domain search, and are heavily CAPTCHAed, preventing search engines from properly indexing them, we can't use them to fill in existing IP ranges... So the search for the most complete DNS database that doesn't cost 15k USD like DomainTools continues: www.reddit.com/r/OSINT/comments/1j8uasm/does_domaintools_offer_historical_reverse_ip_ie/
I also understood a bit better the Mass Deface III pastebin pastebin.com/CTXnhjeS discovered by Oleg Shakirov which contains some hits: I think that the hits are purely coincidental when some hacker broke into "Condor Hosting" systems and then defaced several websites it contained, inadvertently also taking down some CIA websites along the way, which is funny.
And this seems to be a small host chosen by the CIA, so it contained a disproportionately dense concentration of CIA hits. But the original hackers likely had no idea of what they did. www.zone-h.com/mirror/id/18994983 suggests that Iranian hacker group Sejeal was behind the defacing.
I also squeezed a few of the previously known IPs without clear range a bit harder on viewdns.info, as I now understand that there do exist a few websites that share the same IPs. This led to X entirely new hits, and also to me moving a few domains that were previously marked as "unknown range" to a specific IP when two or more domains were found in a given IP.
I also squeezed whoisXMLAPI harder but nothing much came out. The vast majority of domains use domainsbyproxy.com privacy which does not seem to leak any information on their whois. I did notice however that some of the sites are registered with Network Solutions, LLC and a few others in GoDaddy without domainsbyproxy.com. These have names of people on them, and I did as many whoisXMLAPI searches for those names as I had the patience for. A few had another known hit on the results, and a new hit domain came out of this: rolling-in-rapids.com which as it turns out has no Wayback Machine archive, but does have a CQ Counter archive which allowed me to confirm the hit page style. That one was found by reverse searching for the registrant of alljohnny.com, "Glaze, L." on tools.whoisxmlapi.com/reverse-whois-search and its IP matches 65.218.91.9 from welcometonyc.net.
