Work log

ID: cia-2010-covert-communication-websites/work-log

CIA 2010 covert communication websites / Work log by Ciro Santilli
Scrapped justdropped data, patched:
+++ b/cia-2010-covert-communication-websites/cdx-post.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # Post process the output of cdx.sh to enrich IDs even further, and reconstruct easier to Web Archive inspect domain names.
-grep -P -e '([^,)]+)\)\/\1\.swf|\)/[^/]+.jar|([^,)]+),([^,)]+),([^,)]+)\)/cgi-bin/[^/]+\.cgi' "$1" |
-  sed -r 's/\).*//' | awk -F, '{ printf("%s.%s\n", $2, $1) }' | uniq -c | awk '$1 == 1{ print $2 }' | tee $1.post
+grep -P -e '([^,)]+)\)\/\1\.swf|\)/[^/]+.jar|([^,)]+),([^,)]+),([^,)]+)\)/cgi-bin/[^/]+\.cgi' "$1"|
+  sed -r 's/\).*//' | awk -F, '{ printf("%s.%s\n", $2, $1) }' | uniq -c | awk '{ print $2 }' | tee $1.post
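Review bot: in the second added line, "uniq -c | awk '{ print $2 }'" computes a count and then discards it now that the "$1 == 1" filter is gone, and because uniq only collapses adjacent lines, a domain whose matches are not contiguous in the input will show up more than once in $1.post. Replace the pair with "sort -u" (or plain "uniq" if the cdx.sh output is guaranteed to be sorted), and update the header comment to say that domains with several matching captures are now kept instead of dropped. While here, quote the tee target as "$1.post" to match the quoted "$1" passed to grep, and escape the dot in "[^/]+.jar" the way the .swf and .cgi alternatives already do.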
and then:
./hupo-cdx-tor.sh out 'news|headline|internationali|mondo|mundo|mondi|iran|today' 2006 2022
web.archive.org/web/20110203041325/http://financecentraltoday.com/
web.archive.org/web/20110202221328/http://thenewsofpakistan.com/
web.archive.org/web/20050424123432/http://www.pokernewsweb.com/ likely legit in the intended emulated style
web.archive.org/web/20100923090646/http://mideasttoday.net/
web.archive.org/web/20100206221718/http://euronewsonline.net/
web.archive.org/web/20110208063146/http://news-and-sports.com/ Hit.
web.archive.org/web/20110202054628/http://intoworldnews.com/ hit.
web.archive.org/web/20110207171340/http://mydailynewsreport.com/ hit
web.archive.org/web/20050508220858/http://www.asianewsupdate.com/ this looks like the exact format of legitimate site the CIA was emulating. Copyright 2005, a CGI link to as: www.asianewsupdate.com:80/cgi-sys/FormMail.cgi There's a phone there 01 647-0910 so seems less likely?
2010. JAR unarchived. rss, split image
2010. JAR. Split header.
2011. JAR unarchived. Split header.
2011. JAR. a.newslink, a.newslinkalt.
2011. Arabic. RSS.
web.archive.org/web/20110129115400/http://kmirano.com/ shallow but off style? Has a kmirano.sfw... viewdns.info/iphistory/?domain=kmirano.com says 211.1.224.71 Japan NTT SmartConnect Corporation 2012-01-11
2011. JAR. Copyright 2008. Split header and other images. They are obsessed about CDMA (2G).
2011. JAR. split header, RSS.
2010. Suspicious. But no clear fingerprint. Also not as shallow as others. Also Joomla based which would be novel.
2010. JAR.
newspapergateway.com/ web.archive.org/web/20110208070309/http://newspapergateway.com/ hard to tell but generally off. Has both JAR and SWF.
2011 Farsi. JAR. RSS.
2010 JAR. Split header, rss.
2011. English. Split header, RSS.
sandstormnews.com 2011, SWF Arabic. ul.rss-items > li.rss-item, split header
zerosandonesnews.com 2011. SWF Split header, ul.rss-items > li.rss-item
lasthournews.com web.archive.org/web/20100513182623/http://lasthournews.com/. Urdu. JAR at: web.archive.org/web/20100513182724/http://lasthournews.com/recent.jar. Split header images.
mynepalnews.com, split header images, ul.rss-items > li.rss-item, Unarchived jar:
