Likely hits, but whose archives are too broken to be easily certain. If any of the following were ever to be found, these would be considered hits:
- nearby IP hits
- proper reverse engineering of their comms if any, or any other page fingerprints
- 216.97.231.56 nouvelles-d-aujourdhuis.com. 2011. Stylistically perfect, but no nearby IP hits. domainsbyproxy.com. Maybe looking into HTML would help confirm: rss-items. But wrong IP? Likely CGI comms variant under the signup page: web.archive.org/web/20090405045548/http://nouvelles-d-aujourdhuis.com/members.html.
- Tested viewdns.info range: 216.97.231.46 - 216.97.231.66. Not a single reverse IP hit in there.
- viewdns.info also assigns it 50.63.202.46, GoDaddy.com, LLC, 2013-11-08 in addition to 216.97.231.56, Canada, IPXO LLC, 2013-09-06. This is very near other iranfootballsource.com flukes, so likely useless.
- securitytrails.com also gives it one earlier IP 209.200.240.250 last seen 2008-09-20: securitytrails.com/domain/nouvelles-d-aujourdhuis.com/history/a Hydra Communications Ltd before 216.97.231.56 "ASU doctor" first seen 2008-09-20 (15 years).
- Tested viewdns.info range: 209.200.240.240 - 209.200.240.260 empty at the time of interest.
- Marked copyright 2006, so mega early.
africainnews.com
- no archives of the HTML. dawhois.com/www/africainnews.com.html somewhat in-style but unclear.
- SWF. A reverse engineering of the SWF should be able to confirm.
- web.archive.org/web/20111007194814/http://africainnews.com/robots.txt
- dnshistory.org/historical-dns-records/a/africainnews.com
- 2009-12-29 -> 2010-07-28 72.167.232.43. Tested viewdns.info range: 72.167.232.33 - 72.167.232.53. Several virtual hosts there. viewdns.info/reverseip/?t=1&host=72.167.232.43 medium virtual, haven't bothered to explore much
- 2011-10-14 -> 2011-10-14 68.178.232.100 virtual
- 2012-08-12 -> 2012-08-12 97.74.42.79. Tested viewdns.info range: 97.74.42.69 - 97.74.42.89
- viewdns.info/iphistory/?domain=africainnews.com
- 50.63.202.92 United States AS-26496-GO-DADDY-COM-LLC 2013-06-30. Likely large virtual.
- 97.74.42.79 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20. tested.
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-06-29 virtual
- 68.178.232.99 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-10-09 virtual
- 72.167.232.43 United States GO-DADDY-COM-LLC 2011-09-08. Tested.
globalsentinelsite.com. dawhois.com/www/globalsentinelsite.com.html empty. Copyright 2011 on top and 2008 on bottom. Unusually wide, has a few sections, but somewhat shallow. Copyright 2008. JAR JAR. a.rss-item
- dnshistory.org/historical-dns-records/a/globalsentinelsite.com 2010-02-13 -> 2010-08-04 74.124.210.249 unknown
- viewdns.info/iphistory/?domain=globalsentinelsite.com
- 74.124.210.249 United States INMOTION 2011-11-13 unknown viewdns.info/reverseip/?host=74.124.210.249&t=1 has 347 hits
- JAR file structure:
    ./META-INF/MANIFEST.MF
    ./META-INF/WORLD.DSA
    ./META-INF/WORLD.SF
    ./global
    ./global/applet
    ./global/applet/A.class
    ./global/applet/Aa.class
    ./resource/resources.bin
  with:
    Manifest-Version: 1.0
    Created-By: 1.4.2_15-b02 (Sun Microsystems Inc.)
    Ant-Version: Apache Ant 1.6.5

    Name: global/applet/Bs.class
    SHA1-Digest: R1qrWUT6kYTLKa6TSmyWbBhLQSw=

    Name: global/applet/Ay.class
    SHA1-Digest: L0xOVdhBzEcmW8czjERAVH+tNyI=
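An added example, not part of the original notes: a small Python parser for the manifest excerpt above that reports which build attributes and per-class SHA1-Digest values two applet manifests share, assuming one wants to compare archived JARs from different sites. The function names and `OTHER_MANIFEST` are hypothetical, and the second manifest is constructed.

```python
def parse_manifest(text):
    """Parse MANIFEST.MF text into (main attributes, {entry name: attributes})."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a leading space continues the previous line
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines + [""]:  # the extra blank line flushes the last section
        if line.strip():
            key, _, value = line.partition(": ")
            current[key] = value
        elif current:
            sections.append(current)
            current = {}
    main = sections[0] if sections else {}
    return main, {s["Name"]: s for s in sections[1:] if "Name" in s}

def shared_fingerprint(manifest_a, manifest_b):
    """Build attributes and class digests that two manifests have in common."""
    main_a, entries_a = parse_manifest(manifest_a)
    main_b, entries_b = parse_manifest(manifest_b)
    build = {k: v for k, v in main_a.items() if main_b.get(k) == v}
    classes = sorted(
        n for n in entries_a.keys() & entries_b.keys()
        if entries_a[n].get("SHA1-Digest") == entries_b[n].get("SHA1-Digest"))
    return build, classes

# Manifest excerpt as listed above for globalsentinelsite.com.
PAGE_MANIFEST = """Manifest-Version: 1.0
Created-By: 1.4.2_15-b02 (Sun Microsystems Inc.)
Ant-Version: Apache Ant 1.6.5

Name: global/applet/Bs.class
SHA1-Digest: R1qrWUT6kYTLKa6TSmyWbBhLQSw=

Name: global/applet/Ay.class
SHA1-Digest: L0xOVdhBzEcmW8czjERAVH+tNyI=
"""

# Constructed second manifest (not from a real JAR): different Ant version, one
# Name wrapped onto a continuation line, and one class with a different digest.
OTHER_MANIFEST = (PAGE_MANIFEST
    .replace("Apache Ant 1.6.5", "Apache Ant 1.7.0")
    .replace("applet/Bs.class", "applet/\n Bs.class")
    .replace("L0xOVdhBzEcmW8czjERAVH+tNyI=", "A" * 27 + "="))
```

`shared_fingerprint(PAGE_MANIFEST, OTHER_MANIFEST)` returns the matching build attributes and the class names whose digests are identical in both manifests.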
todaysolar.com. This might just be legit, but keeping it around just in case.
- 2011
- JAR
- dnshistory.org/historical-dns-records/a/todaysolar.com 2009-08-11 -> 2011-03-01 74.208.62.112 unknown
- viewdns.info/iphistory/?domain=todaysolar.com 74.208.62.112 United States PROFITBRICKS-USA 2012-11-12
cqcounter.com has an exceptionally complete database containing:
- domains
- IP of the domain in the past e.g. cqcounter.com/whois/site/activegaminginfo.com.html which actually contains the IP 66.175.106.148!
- 727 x 545 screenshots from the past e.g. at: cqcounter.com/whois/www/activegaminginfo.com.html. These were also presumably meant to show as a thumbnail on the main page: cqcounter.com/whois/www/activegaminginfo.com.html but don't because it's buggy. It's not as good as the HTML from the Wayback Machine as we can't confirm comms like that, but still this can help to verify if known in-range domains that the Wayback Machine didn't archive well (because it is buggy as hell?) have correct style and if they have anything fun in them
Unfortunately I can't find a reverse IP search method.
And perhaps due to having lots of CAPTCHAs, Google doesn't seem to index that website very well... it even has a tiny screenshot! And it also shows some more metadata beyond IP, e.g. HTTP response headers, which notably contain stuff like:
    Server: Apache-Coyote/1.1
They seem to have an exceptionally complete database.
Forward search of expired domains often appears to work, however, and contains correct IPs and the screenshots. Note that direct access through URLs of the form cqcounter.com/siteinfo/?activegaminginfo.com/ does not work for some reason: you have to type the domains into the search bar manually. OMG so close. If only Google would index that website we'd be done!!!
Both cqcounter.com/whois/www/teclafinance.com.html and cqcounter.com/whois/site/activegaminginfo.com.html are broken, so it appears that their screenshot mechanism at the time did not support Chinese characters well.
They also have some random localized versions. These can be useful if your IP gets blacklisted on the main site because you were checking too many sites.
As of 2025 they are marked at cqcounter.com/ as "Copyright 2000-2004".
I inspected CIA websites that have no Wayback Machine archive on CQ Counter to reveal new previously unseen screenshots
Updated 2025-04-05, created 2025-04-05
While procrastinating I suddenly remembered that cqcounter.com/siteinfo/ has screenshots of many many old websites, and I decided to look at possible hits in known IP ranges for which the Wayback Machine archive was broken.
This led to finding about 30 novel screenshots of previously examined domains that are in perfect CIA-style, thus confirming them as hits almost beyond reasonable doubt. This therefore revealed for the first time what a few new websites looked like.
The websites were all just soulless bulk or mildly cute like the vast majority, but I did find 4 new screenshots of CIA websites that targeted democracies on cqcounter.com/siteinfo/
- affairesdumonde.com (France)
- ordenpolicial.com (Spain)
- vejaaeuropa.com (Brazil)
- european-footballer.com (Croatia)
2011 cqcounter archive of affairesdumonde.com targeting France.
2011 cqcounter archive of ordenpolicial.com targeting Spain.
2011 cqcounter archive of vejaaeuropa.com targeting Brazil.
2011 cqcounter archive of european-footballer.com targeting Croatia.
The fingerprint of "having a visually similar CQ Counter screenshot" is definitely weaker than a Wayback Machine archive as we only have a screenshot and can't inspect the HTML to find the communication mechanism. But when the screenshot is perfectly in CIA style and in a known IP range, the evidence is too strong and we'll consider it as a hit moving forward.
I'm also going to reclassify previously known domains with Wayback Machine archives with matching visual style but no clear comms that are in known IP domains as hits: it just feels too probable.
I love how this project has led me to use whatever random sources come to hand! CQ Counter is the ONLY website that I know of besides the Wayback Machine that has historical screenshots of a huge number of domains. Their database is VERY complete. But they are so obscure!
They even have the old IP of the domain. But because they don't have reverse IP to domain search, and are heavily CAPTCHAed, preventing search engines from properly indexing them, we can't use them to fill in existing IP ranges... So the search for the most complete DNS database that doesn't cost 15k USD like DomainTools continues: www.reddit.com/r/OSINT/comments/1j8uasm/does_domaintools_offer_historical_reverse_ip_ie/
I also understood a bit better the Mass Deface III pastebin pastebin.com/CTXnhjeS discovered by Oleg Shakirov which contains some hits: I think that the hits are purely coincidental, from when some hacker broke into "Condor Hosting" systems and then defaced several websites it contained, inadvertently also taking down some CIA websites along the way, which is funny.
And this seems to be a small host chosen by the CIA, so it contained a disproportionately dense concentration of CIA hits. But the original hackers likely had no idea of what they did. www.zone-h.com/mirror/id/18994983 suggests that Iranian hacker group Sejeal was behind the defacing.
I also squeezed a few of the previously known IPs without clear range a bit harder on viewdns.info, as I now understand that there do exist a few websites that share the same IPs. This led to X entirely new hits, and also me moving a few domains that were previously marked as "unknown range" to a specific IP when two or more domains were found in a given IP.
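The neighbouring-range and shared-IP checks described above, as an added Python example that is not part of the original post: it computes the +/- 10 address window around a known IP (carrying across octets, so the window around 209.200.240.250 ends at 209.200.241.4) and groups historical records by IP. Only the 65.218.91.9 pairing comes from this page; the `.example` records, the function names and the record layout are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def neighbor_window(ip, radius=10):
    """First and last address within +/- radius of ip, carrying across octets."""
    center = int(ipaddress.IPv4Address(ip))
    low = max(center - radius, 0)
    high = min(center + radius, 2**32 - 1)
    return ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)

def domains_by_ip(records):
    """Map each IP to the sorted list of domains ever seen on it."""
    seen = defaultdict(set)
    for domain, ip in records:
        seen[ipaddress.IPv4Address(ip)].add(domain)
    return {ip: sorted(domains) for ip, domains in seen.items()}

def pivot(records, known_hits, radius=10, min_shared=2):
    """Return (IPs shared by >= min_shared known hits, unknown domains near a hit IP)."""
    by_ip = domains_by_ip(records)
    shared = {str(ip): d for ip, d in by_ip.items()
              if len(set(d) & known_hits) >= min_shared}
    candidates = set()
    for ip, domains in by_ip.items():
        if not set(domains) & known_hits:
            continue  # only pivot from IPs that host a known hit
        low, high = neighbor_window(ip, radius)
        for other_ip, other_domains in by_ip.items():
            if low <= other_ip <= high:
                candidates.update(set(other_domains) - known_hits)
    return shared, sorted(candidates)

# Historical (domain, ip) records. The first two rows use the pairing stated on
# this page; the .example rows are constructed on documentation addresses.
RECORDS = [
    ("rolling-in-rapids.com", "65.218.91.9"),
    ("welcometonyc.net", "65.218.91.9"),
    ("known-hit.example", "192.0.2.100"),
    ("unknown-near.example", "192.0.2.107"),
    ("unknown-far.example", "192.0.2.180"),
]
KNOWN_HITS = {"rolling-in-rapids.com", "welcometonyc.net", "known-hit.example"}
```

`pivot(RECORDS, KNOWN_HITS)` returns the IPs that two or more known hits share, plus the not-yet-classified domains that sit inside a window and still need their page style checked by hand.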
I also squeezed whoisXMLAPI harder but nothing much came out. The vast majority of domains use domainsbyproxy.com privacy which does not seem to leak any information on their whois. I did notice however that some of the sites are registered with Network Solutions, LLC and a few others in GoDaddy without domainsbyproxy.com. These have names of people on them, and I did as many whoisXMLAPI searches for those names as I had the patience for. A few had another known hit on the results, and a new hit domain came out of this: rolling-in-rapids.com which as it turns out has no Wayback Machine archive, but does have a CQ Counter archive which allowed me to confirm the hit page style. That one was found by reverse searching for the registrant of alljohnny.com, "Glaze, L." on tools.whoisxmlapi.com/reverse-whois-search and its IP matches 65.218.91.9 from welcometonyc.net.
2011 cqcounter archive of rolling-in-rapids.com.