I'm not sure about this and it's not very useful, but the following were cute.
216.105.98.132 europeantravelcafe.com is a very likely hit that:
- had a "Plan Your Trip" link in 2010: web.archive.org/web/20100724024623/http://www.europeantravelcafe.com/ linking to an external website: secure-cert.net/~etc/transport.html
- and had the link removed in 2011: web.archive.org/web/20110201192245/http://europeantravelcafe.com/
This suggests that this was an internal site management link for the site operators which was later noticed and removed across versions, leaking the management method in the process.
2010 Wayback Machine archive of www.europeantravelcafe.com. Source. The suspicious "Plan Your Trip" link that was later removed is highlighted with an arrow made by us.
199.187.208.12 webofcheer.com has an exceedingly weird HTML page title:
pg1c
which feels like it could be a leak of an internal identifier for this website, or perhaps even worse, for the CIA program itself.
Better understanding of IP range owners Updated 2025-04-16 +Created 2025-04-15
I also started to better note down the IP owner and location of each IP range from viewdns.info at Hits with nearby IP hits, as this is important information which could offer further clues. All IPs in each range belong to the same provider, since IPs are generally bought in blocks. For example:
- 62.22.60.49 telecom-headlines.com was owned by the company UUNET and hosted from Spain, and the same is true for neighboring IPs such as:
  - 62.22.60.48: currentcommunique.com
  - 62.22.60.52: collectedmedias.com
- 63.131.229.12 cyberreportagenews.com was owned by the company ADHOST and hosted from Coeur d'Alene - United States. Interestingly US-based hosts also offer city-level information while foreign ones don't.
These don't necessarily tell us directly who the CIA hosted with, since in some cases hosting providers can indirectly rent out IPs from other providers, e.g. Heroku uses AWS. But it does suggest that some nearby IP ranges were done on the same hosting provider while others weren't.
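The neighbouring-IP reasoning above, as an added example that is not part of the original notes: it computes the +/-10 address window the notes test on viewdns.info, then clusters a constructed list of records (IP, domain, owner, location; the last record is invented) into nearby groups and reports whether each group shares one owner.

```python
"""Group hit IPs into nearby ranges and check owner consistency.

Added example, not from the original page. HITS is a constructed sample
in the shape of the viewdns.info notes above; RADIUS mirrors the
"N-10 - N+10" ranges the notes test around each known hit.
"""
from ipaddress import IPv4Address

RADIUS = 10

# Constructed sample records: (ip, domain, owner, location).
HITS = [
    ("62.22.60.48", "currentcommunique.com", "UUNET", "Spain"),
    ("62.22.60.49", "telecom-headlines.com", "UUNET", "Spain"),
    ("62.22.60.52", "collectedmedias.com", "UUNET", "Spain"),
    ("63.131.229.12", "cyberreportagenews.com", "ADHOST", "Coeur d'Alene - United States"),
    ("63.131.229.40", "example-far.test", "OTHERHOST", "United States"),  # invented filler
]

def neighbour_range(ip, radius=RADIUS):
    """Return the (first, last) addresses a viewdns-style neighbour check would cover."""
    n = int(IPv4Address(ip))
    lo, hi = max(n - radius, 0), min(n + radius, 2**32 - 1)
    return str(IPv4Address(lo)), str(IPv4Address(hi))

def cluster_hits(hits, radius=RADIUS):
    """Cluster hits whose IP is within `radius` addresses of the previous hit.

    Each cluster records its IP span, its domains (in address order) and
    whether every record in it names the same owner.
    """
    ordered = sorted(hits, key=lambda h: int(IPv4Address(h[0])))
    clusters = []
    for ip, domain, owner, _loc in ordered:
        n = int(IPv4Address(ip))
        if clusters and n - clusters[-1]["last_int"] <= radius:
            c = clusters[-1]
        else:
            c = {"first": ip, "last_int": n, "domains": [], "owners": set()}
            clusters.append(c)
        c["last"], c["last_int"] = ip, n
        c["domains"].append(domain)
        c["owners"].add(owner)
    for c in clusters:
        c["same_owner"] = len(c["owners"]) == 1
        del c["last_int"]
    return clusters

if __name__ == "__main__":
    for c in cluster_hits(HITS):
        print(c["first"], "-", c["last"], c["domains"], "same owner:", c["same_owner"])
```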
whoisXMLAPI whois history squeezed further and better understood Updated 2025-04-16 +Created 2025-04-15
I also squeezed whoisXMLAPI harder but nothing much came out.
The vast majority of domains use domainsbyproxy.com privacy which does not seem to leak any information on their whois except dates which appear well spread out.
I did notice however that some of the sites are registered with Network Solutions, LLC and a few others with GoDaddy without domainsbyproxy.com. These have names of people on them, and I did as many whoisXMLAPI searches for those names as I had the patience for.
A few had another known hit on the results, and a new hit domain came out of this: rolling-in-rapids.com, which as it turns out has no Wayback Machine archive, but does have a CQ Counter archive which allowed me to confirm the hit page style. That one was found by reverse searching for the registrant of alljohnny.com, "Glaze, L.", on tools.whoisxmlapi.com/reverse-whois-search, and its IP matches 65.218.91.9 from welcometonyc.net.
If anyone would like to donate 140 USD to dump into whoisXMLAPI I could dump all the known hit histories and have a look at them to see if anything else comes out on reverse search.
I also squeezed a few of the previously known IPs without clear range a bit harder on viewdns.info, as I now understand that there do exist a few websites that share the same IPs. This led to X entirely new hits, and also me moving a few domains that were previously marked as "unknown range" to a specific IP when two or more domains were found in a given IP.
I also understood a bit better the Mass Deface III pastebin pastebin.com/CTXnhjeS discovered by Oleg Shakirov which contains some hits: I think that the hits are purely coincidental, from when some hacker broke into "Condor Hosting" systems and then defaced several websites it contained, inadvertently also taking down some CIA websites along the way, which is funny.
And this seems to be a small host chosen by the CIA, so it contained a disproportionately dense concentration of CIA hits. But the original hackers likely had no idea of what they did. www.zone-h.com/mirror/id/18994983 suggests that the Iranian hacker group Sejeal was behind the defacing.
60 new CIA website screenshots discovered on CQ Counter Updated 2025-04-16 +Created 2025-04-15 2025-04-16
This is an update to the article: Section "CIA 2010 covert communication websites"
While procrastinating I suddenly remembered that cqcounter.com/siteinfo/ has screenshots of many many old websites, and I decided to look at possible hits in known IP ranges for which the Wayback Machine archive was broken.
Luckily I had already maintained a clear list of known domains in IP ranges which had no or broken wayback machine archive, so I just went over those.
This led to finding 60 novel screenshots of previously examined domains that are in the common CIA style, thus confirming them as hits beyond reasonable doubt in my mind. This also publicly revealed for the first time what a few new websites looked like, what their content was, and in particular the target language, which could sometimes not be easily determined from the domain name alone.
This novel CQ Counter screenshot interpretation, plus a few new random discoveries and a slight relaxation of fingerprint requisites described below, moves us to 473 hits up from the previous 397!
The newly found websites were all just soulless bulk or mildly cute like the vast majority of them, but I did find a few new screenshots of CIA websites that targeted other democracies:
- affairesdumonde.com (France)
- romulusactualites.com (France)
- ordenpolicial.com (Spain)
- vejaaeuropa.com (Brazil)
- european-footballer.com (Croatia)
I've also decided to now classify garanziadellasicurezza.com (Italy) as a hit due to various forms of supporting evidence being present. Unfortunately the archive is very broken, however.
2011 cqcounter archive of affairesdumonde.com targeting France. Source.
2011 cqcounter archive of romulusactualites.com targeting France. Source.
2011 cqcounter archive of ordenpolicial.com targeting Spain. Source.
2011 cqcounter archive of vejaaeuropa.com targeting Brazil. Source.
2011 cqcounter archive of european-footballer.com targeting Croatia. Source.
The fingerprint of "having a visually similar CQ Counter screenshot" is definitely weaker than a Wayback Machine archive, as we only have a screenshot and can't inspect the HTML to find the communication mechanism. But when the screenshot is perfectly in CIA style and in a known IP range, the evidence is too strong and we'll consider it as a hit moving forward.
I'm also going to reclassify a few previously known domains in confirmed IP ranges as hits either when:
- they have Wayback Machine archives with matching visual style
- they have broken Wayback Machine archives but with indication of comms or known HTML elements like rss-item
This is a slight moving of goalposts, but those cases just feel overwhelmingly probable.
I love how this project has led me to use whatever random sources come in hand! CQ Counter is the ONLY website that I know of besides the Wayback Machine that has historical screenshots of a huge number of domains. Their database is VERY complete. But they are so obscure!
They even have the old IP of the domain. But because they don't have reverse IP to domain reverse search, and are heavily CAPTCHAed preventing search engines from properly indexing them, we can't use them to fill in existing IP ranges... So the search for the most complete DNS database that doesn't cost 15k USD like DomainTools continues www.reddit.com/r/OSINT/comments/1j8uasm/does_domaintools_offer_historical_reverse_ip_ie/
Interestingly a large number of the websites with broken Wayback Machine archives are from regions outside of the USA; presumably being slower to load from the Wayback Machine's US-based servers makes the archives more likely to break.
Possible likely hits, but whose archives are too broken to be easily certain. If either of the following were ever to be found, these would be considered hits:
- nearby IP hits
- proper reverse engineering of their comms if any, or any other page fingerprints
- 216.97.231.56 nouvelles-d-aujourdhuis.com. 2011. Stylistically perfect, but no nearby IP hits. domainsbyproxy.com. Maybe looking into HTML would help confirm: rss-items. But wrong IP? Likely CGI comms variant under the signup page: web.archive.org/web/20090405045548/http://nouvelles-d-aujourdhuis.com/members.html.
  - Tested viewdns.info range: 216.97.231.46 - 216.97.231.66. Not a single reverse IP hit in there.
  - viewdns.info also assigns it 50.63.202.46, GoDaddy.com, LLC, 2013-11-08 in addition to 216.97.231.56, Canada, IPXO LLC, 2013-09-06. This is very near other iranfootballsource.com flukes, so likely useless.
  - securitytrails.com also gives it one earlier IP 209.200.240.250 last seen 2008-09-20: securitytrails.com/domain/nouvelles-d-aujourdhuis.com/history/a Hydra Communications Ltd before 216.97.231.56 "ASU doctor" first seen 2008-09-20 (15 years). Tested viewdns.info range: 209.200.240.240 - 209.200.240.260: empty at the time of interest.
  - Marked copyright 2006, so mega early.
africainnews.com
- no archives of the HTML. dawhois.com/www/africainnews.com.html somewhat in-style but unclear.
- SWF. A reverse engineering of the SWF should be able to confirm.
- web.archive.org/web/20111007194814/http://africainnews.com/robots.txt
- dnshistory.org/historical-dns-records/a/africainnews.com
- 2009-12-29 -> 2010-07-28 72.167.232.43. Tested viewdns.info range: 72.167.232.33 - 72.167.232.53. Several virtual hosts there. viewdns.info/reverseip/?t=1&host=72.167.232.43 medium virtual haven't bothered to explore much
- 2011-10-14 -> 2011-10-14 68.178.232.100 virtual
- 2012-08-12 -> 2012-08-12 97.74.42.79. Tested viewdns.info range: 97.74.42.69 - 97.74.42.89
- 97.74.42.74: landtex.net 2023-03-22
- 97.74.42.76: solidasshonky.com 2023-03-07
- 97.74.42.77: solidasshonky.com 2023-03-07
- 97.74.42.78: blakebrothers.co 2018-05-05
- 97.74.42.78: learningjbe.com 2023-02-02
- 97.74.42.78: solidasshonky.com 2023-03-07
- 97.74.42.78: sourceuae.com 2023-03-07
- 97.74.42.78: superiorfoodservicesales.com 2017-09-10
- 97.74.42.79: large virtual
- 97.74.42.80: waiasialtd.com 2016-10-17
- viewdns.info/iphistory/?domain=africainnews.com
  - 50.63.202.92 United States AS-26496-GO-DADDY-COM-LLC 2013-06-30. Likely large virtual.
  - 97.74.42.79 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20. Tested.
  - 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-06-29 virtual
  - 68.178.232.99 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13
  - 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-10-09 virtual
  - 72.167.232.43 United States GO-DADDY-COM-LLC 2011-09-08. Tested.
globalsentinelsite.com. dawhois.com/www/globalsentinelsite.com.html empty. Copyright 2011 on top and 2008 on bottom. Unusually wide, has a few sections, but somewhat shallow. JAR. a.rss-item
- dnshistory.org/historical-dns-records/a/globalsentinelsite.com 2010-02-13 -> 2010-08-04 74.124.210.249 unknown
- viewdns.info/iphistory/?domain=globalsentinelsite.com
  - 74.124.210.249 United States INMOTION 2011-11-13 unknown. viewdns.info/reverseip/?host=74.124.210.249&t=1 has 347 hits
- JAR file structure:
./META-INF/MANIFEST.MF
./META-INF/WORLD.DSA
./META-INF/WORLD.SF
./global
./global/applet
./global/applet/A.class
./global/applet/Aa.class
./resource/resources.bin
with MANIFEST.MF:
Manifest-Version: 1.0
Created-By: 1.4.2_15-b02 (Sun Microsystems Inc.)
Ant-Version: Apache Ant 1.6.5

Name: global/applet/Bs.class
SHA1-Digest: R1qrWUT6kYTLKa6TSmyWbBhLQSw=

Name: global/applet/Ay.class
SHA1-Digest: L0xOVdhBzEcmW8czjERAVH+tNyI=
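To make sense of a manifest like the one above when examining a JAR from one of these sites, here is an added example (not code from the page or from the applet) that parses the MANIFEST.MF section format and checks each SHA1-Digest against file bytes. The class bytes and manifest below are constructed, so their digests are computed here and do not match the real applet's.

```python
"""Parse a JAR MANIFEST.MF and verify its SHA1-Digest entries.

Added example, not from the page. FILES and MANIFEST are constructed:
the second entry deliberately carries a wrong digest to show a mismatch.
"""
import base64
import hashlib

def parse_manifest(text):
    """Return (main_attrs, {name: attrs}) from MANIFEST.MF text.

    Sections are separated by blank lines; a line beginning with a space
    continues the previous attribute (the format's 72-byte line wrap).
    """
    sections, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries

def sha1_digest(data):
    """SHA1-Digest as the JAR format stores it: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def verify_entries(entries, files):
    """Map each manifest entry to True (match), False (mismatch) or None (file absent)."""
    out = {}
    for name, attrs in entries.items():
        data = files.get(name)
        out[name] = None if data is None else sha1_digest(data) == attrs.get("SHA1-Digest")
    return out

# Constructed sample: two fake class files and a manifest naming them.
FILES = {"global/applet/A.class": b"\xca\xfe\xba\xbe constructed A",
         "global/applet/Aa.class": b"\xca\xfe\xba\xbe constructed Aa"}
MANIFEST = ("Manifest-Version: 1.0\nCreated-By: 1.4.2_15-b02 (Sun Microsystems Inc.)\n"
            "Ant-Version: Apache Ant 1.6.5\n\n"
            "Name: global/applet/A.class\nSHA1-Digest: %s\n\n"
            "Name: global/applet/Aa.class\nSHA1-Digest: tampered==\n"
            % sha1_digest(FILES["global/applet/A.class"]))

if __name__ == "__main__":
    main, entries = parse_manifest(MANIFEST)
    print(main["Created-By"], verify_entries(entries, FILES))
```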
todaysolar.com. This might just be legit, but keeping it around just in case.
- 2011
- JAR
- dnshistory.org/historical-dns-records/a/todaysolar.com 2009-08-11 -> 2011-03-01 74.208.62.112 unknown
- viewdns.info/iphistory/?domain=todaysolar.com 74.208.62.112 United States PROFITBRICKS-USA 2012-11-12
cqcounter.com has an exceptionally complete database containing:
- domains
- IP of the domain in the past e.g. cqcounter.com/whois/site/activegaminginfo.com.html which actually contains the IP 66.175.106.148!
- 727 x 545 screenshots from the past e.g. at: cqcounter.com/whois/www/activegaminginfo.com.html. These were also presumably meant to show as a thumbnail on the main page: cqcounter.com/whois/www/activegaminginfo.com.html but don't because it's buggy. It's not as good as the HTML from the Wayback Machine as we can't confirm comms like that, but still this can help to verify if known in-range domains that the Wayback Machine didn't archive well (because it is buggy as hell?) have the correct style and if they have anything fun in them
Unfortunately I can't find a reverse IP search method.
And perhaps due to having lots of CAPTCHAs, Google doesn't seem to index that website very well... it even has a tiny screenshot! And it also shows some more metadata beyond the IP, e.g. HTTP response headers, which notably contain stuff like:
Server: Apache-Coyote/1.1
They seem to have an exceptionally complete database.
Both cqcounter.com/whois/www/teclafinance.com.html and cqcounter.com/whois/site/activegaminginfo.com.html are broken, so it appears that their screenshot mechanism at the time did not support Chinese characters well.
They also have some random localized versions. These can be useful if your IP gets blacklisted on the main site because you were checking too many sites.
As of 2025 they are marked at cqcounter.com/ as "Copyright 2000-2004".