Here we list domains for which the correct IP was apparently not found since there are no neighbouring hits.
These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.
For example, in the case of inews-today.com, 2013 DNS Census gave one IP 193.203.49.212, but then viewdns.info gave another one 66.175.106.146 which fit into an existing IP range, and which assumed to be the correct IP of interest.
A similar case happened when we found IP 212.209.74.126 for headlines2day.com with dnshistory.org: dnshistory.org/historical-dns-records/a/headlines2day.com.
It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as wel.
In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we
dailynewsandsports.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches
- 216.119.129.94. rdns source: viewdns.info "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2012-04-13". Tested viewdns.info range: 216.119.129.85 - 216.119.129.86, 216.119.129.89 - 216.119.129.99, ran out of queries for 87 and 88
- 216.119.129.90: eastdairies.com 2011-04-04. Promising name and date, but no archives alas.
- 216.119.129.97: miideaco.com 2016-02-01
- 216.119.129.114 Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches, also present on viewdns.info but at a later date from previous "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2013-11-29". Tested viewdns.info range: 216.119.129.109 - 216.119.129.119
- 216.119.129.110: dommoejmechty.com.ua. Legit.
- 216.119.129.111: dailybeatz.com: Legit
- 216.119.129.113:
- audreygeneve.com
- reyzheng.com
- jacintorey.com
- 216.119.129.114: dailynewsandsports.com. hit.
- 216.119.129.115: afxchange.com legit/broken
- 216.119.129.116: danafunkfinancial.com: legit
- 208.73.33.194 on securitytrails.com
iranfootballsource.com:
- 34.98.99.30 Kansas City - United States Google LLC 2021-05-24
- 184.168.221.94 United States GoDaddy.com 2020-07-21
- 50.63.202.66 United States GoDaddy.com 2020-07-07
- 50.63.202.86 United States GoDaddy.com 2020-05-28
- 184.168.221.94 United States GoDaddy.com 2020-05-13
- 50.63.202.74 United States GoDaddy.com 2020-04-29
- 50.18.223.191 San Jose - United States Amazon.com 2015-03-23. Sources: 2013 DNS Census and viewdns.info
- no viewdns.info hits +- 10
- 85.13.200.108 United Kingdom Coreix Dedicated Customer Allocation 2013-06-30. Source: viewdns.info
- 85.13.200.108: 1000 hits, so unlikely to be the one
iraniangoalkicks.com:
- 68.178.232.100: treverse IP source: viewdns.info. see rastadirect.net.
- 208.71.138.130 2010-02-22 -> 2010-08-06, QWK.net Hosting, L.L.C.. source: dnshistory.org/historical-dns-records/a/iraniangoalkicks.com. Large shared hosting domain, no good nearby hits, several legit sites.
iraniangoals.com:
- 68.178.232.100: see rastadirect.net
- 69.65.33.21 - Flushing - United States - GigeNET - 2011-09-08. Also at: dnshistory.org/historical-dns-records/a/iraniangoals.com 2009-08-03 -> 2011-01-12 69.65.33.21
- 69.65.33.2: onemincustomerservice.com. web.archive.org/web/20091015044922/http://www.onemincustomerservice.com/. Doesn't feel like a hit.
- 69.65.33.5: 400+ domains
- 69.65.33.6: 4 domains but recent resolutions only
- similar status for everything else withing +-20. A couple of domains, no easy hits
football-enthusiast.com:
- 212.4.18.14: Tested viewdns.info range: 212.4.18.1 - 212.4.18.29. This is a curious case, rather close to 212.4.18.129 sightseeingnews.com, but not quite in the same range apparently. Viewdns.info also agrees on its history with only "212.4.18.14", "location" : "Milan - Italy", "owner" : "MCI Worldcom Italy Spa", "lastseen" : "2013-06-30" of interest.
rastadirect.net:
- 68.178.232.100 - United States - GoDaddy.com - 2011-05-02. Reverse IP source: viewdns.infoThere are actualy talk pages about this IP
- +-20 range: several domains on each IP, but can't find any hits easily
- 209.162.192.49: source: securitytrails.com
todaysengineering.com:
- 208.254.38.39. rdns source: both viewdns.info and 2013 DNS Census. Tested viewdns.info range: 208.254.38.34 - 208.254.38.44. Weirdly empty, doesn't even show the domain iteslf!
- 68.178.232.100: source: securitytrails.com. 2009-11-24 - 2009-12-11, GoDaddy.com, LLC
worldofonlinenews.com:
- dnshistory.org/historical-dns-records/a/worldofonlinenews.com 2015-12-15 -> 2016-04-21 108.167.161.90 presumably from the legit era
- viewdns.info/iphistory/?domain=worldofonlinenews.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-02 virtual
- 207.150.191.68 Saudi Arabia Saudi Telecom Company JSC 2011-04-04 virtual
mywebofnews.com:
- dnshistory.org/historical-dns-records/a/mywebofnews.com 2010-03-09 -> 2010-08-14 207.150.191.68 But this has several hits for the same IP on DNS Census 2013 which is unusual:
3xhunter.com|2012-04-12T07:53:24|207.150.191.68 dreamersoul.net|2012-04-11T22:06:18|207.150.191.68 exdump.com|2012-02-03T11:42:44|207.150.191.68
- viewdns.info/iphistory/?domain=mywebofnews.com no hits
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-27 virtual
- 207.150.191.68 Saudi Arabia Saudi Telecom Company JSC 2011-06-22 virtual
cyhiraeth-intlnews.com:
- dnshistory.org/historical-dns-records/a/cyhiraeth-intlnews.com 2009-07-31 -> 2011-01-05 0.0.0.0 WTF?
- viewdns.info/iphistory/?domain=cyhiraeth-intlnews.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-27 virtual
- 0.0.0.0 Unknown Unknown 2011-07-02. Hmm also the 0.0.0.0. Weird!
news-latina.com:
- dnshistory.org/historical-dns-records/a/news-latina.com 2010-03-11 -> 2010-08-16 64.92.111.3. this has several hits for the same IP on DNS Census 2013 which is unusual. Tested viewdns.info range: 64.92.111.1 - 64.92.111.13
- 64.92.111.2 virtual
- 64.92.111.3 virtual
- viewdns.info/iphistory/?domain=news-latina.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-08-11 virtual
- 64.92.111.3 United States MASSIVE-NETWORKS 2011-07-27 virtual
europeannewsflash.com:
- viewdns.info/iphistory/?domain=europeannewsflash.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-10-09 virtual
- 216.131.66.209 San Francisco - United States STRTEC 2011-09-08. Tested viewdns.info range: 216.131.66.201 216.131.66.219
- dnshistory.org/historical-dns-records/a/europeannewsflash.com 2010-02-06 -> 2010-08-02 216.131.66.209. Tested.
outlooknewscast.com:
- dnshistory.org/historical-dns-records/a/outlooknewscast.com
- 2009-08-08 -> 2011-02-11 74.53.159.130. Tested viewdns.info range: 74.53.159.120 - 74.53.159.140
- 74.53.159.130: aeromedhistory.org 2014-11-29
- 74.53.159.130: mariposahorticultural.com 2022-11-28
- 74.53.159.130: thewritestuffresume.com 2011-04-04. Legit.
- 2009-08-08 -> 2011-02-11 74.53.159.130. Tested viewdns.info range: 74.53.159.120 - 74.53.159.140
- viewdns.info/iphistory/?domain=outlooknewscast.com
- 204.93.178.121 Chicago - United States SERVERCENTRAL 2011-09-08. Tested viewdns.info range: 204.93.178.111 - 204.93.178.131. Skimmed through, nothing of great interest.
- 74.53.159.130 United States SOFTLAYER 2011-04-04. Tested.
24hoursprimenews.com:
- dnshistory.org/historical-dns-records/a/24hoursprimenews.com 2009-12-14 -> 2011-10-04 216.9.68.24. Virtual.
- viewdns.info/iphistory/?domain=24hoursprimenews.com 216.9.68.24 United States VONAGE-BUSINESS 2012-01-11. Tested.
farsi-newsandweather.com:
- dnshistory.org/historical-dns-records/a/farsi-newsandweather.com 2010-02-07 -> 2010-08-03 69.49.101.19. Tested viewdns.info range: 69.49.101.9 - 69.49.101.19
- viewdns.info/iphistory/?domain=farsi-newsandweather.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-01-11 virtual
- 69.49.101.19 Canada INFB-AS 2011-11-13. Tested.
global-view-news.com:
- dnshistory.org/historical-dns-records/a/global-view-news.com 2010-02-13 -> 2010-08-04 67.220.228.130. Tested viewdns.info range: 67.220.228.120 - 67.220.228.160:
- 67.220.228.150: investfromhome.co.uk 2011-09-05. No archives.
- viewdns.info/iphistory/?domain=global-view-news.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-01-11 virtual
- 69.90.161.195 Canada COGECO-PEER1 2011-09-08. Unknown. Tested viewdns.info range: 69.90.161.185 69.90.161.205. Some virtual misses.
health-men-today.com:
- dnshistory.org/historical-dns-records/a/health-men-today.com
- 2009-11-30 -> 2010-05-27 67.220.228.224. New range with global-view-news.com? Tested viewdns.info range: 67.220.228.214 67.220.228.234
- 67.220.228.223: stagedwithdistinction.com 2011-10-09. One archive of godaddy only.
- 2009-08-01 -> 2009-09-19 69.42.58.50. Tested viewdns.info range: 69.42.58.40 - 69.42.58.60. Virtuals, canada.
- 2011-01-07 -> 2011-01-07 69.90.162.165. Tested viewdns.info range: 69.90.162.155 - 69.90.162.175. Virtuals.
- 2009-11-30 -> 2010-05-27 67.220.228.224. New range with global-view-news.com? Tested viewdns.info range: 67.220.228.214 67.220.228.234
- viewdns.info/iphistory/?domain=health-men-today.com
- 204.11.56.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-04-19. Virtuals.
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Unknown range.
- 69.90.162.165 Canada COGECO-PEER1 2012-06-29. Tested.
firstnewssource.com:
- dnshistory.org/historical-dns-records/a/firstnewssource.com
- 2010-02-09 -> 2010-02-09 67.220.228.150 TODO new range with global-view-news.com? Tested.
- 2010-08-03 -> 2010-08-03 69.90.162.70 TODO new range with global-view-news.com?
theworldnewsfeeds.com:
- dnshistory.org/historical-dns-records/a/theworldnewsfeeds.com no hits
- viewdns.info/iphistory/?domain=theworldnewsfeeds.com
- 199.19.110.7 Los Angeles - United States FIBER-LOGIC 2012-01-11 unknown range
- 74.200.252.212 United States RACKSPACE 2011-11-13 unknown range
pars-technews.com:
- dnshistory.org/historical-dns-records/a/pars-technews.com 2009-08-08 -> 2011-02-13 74.220.219.104 Tested viewdns.info range: 74.220.219.94 74.220.219.114. Virtuals.
- viewdns.info/iphistory/?domain=pars-technews.com 74.220.219.104 United States UNIFIEDLAYER-AS-1 2012-11-12. Tested.
newdaynewsonline.com:
- dnshistory.org/historical-dns-records/a/newdaynewsonline.com 2010-03-10 -> 2010-08-15 76.163.54.16. Tested viewdns.info range: 76.163.54.6 76.163.54.26
- 76.163.54.23: leewoodwork.com 2014-07-05
- viewdns.info/iphistory/?domain=newdaynewsonline.com
- 74.91.154.56 United States INTERNAP-BLOCK-4 2012-11-12 unknown range. Tested viewdns.info range: 74.91.154.46 74.91.154.66
- 74.91.154.61: benefitsla.com 2013-04-21. Legit.
- 76.163.54.16 United States WINDSTREAM 2011-09-08 unknown range. Tested.
- 74.91.154.56 United States INTERNAP-BLOCK-4 2012-11-12 unknown range. Tested viewdns.info range: 74.91.154.46 74.91.154.66
sportsnewsfinder.com:
- dnshistory.org/historical-dns-records/a/sportsnewsfinder.com 2009-08-11 -> 2011-02-24 66.113.196.128. Tested viewdns.info range: 66.113.196.118 66.113.196.138.
- viewdns.info/iphistory/?domain=sportsnewsfinder.com
- 50.63.202.58 United States AS-26496-GO-DADDY-COM-LLC 2013-03-23 some similar hits on other sites, possibly all flukes
- 207.150.219.159 United States AFFINITY-INTER 2013-03-02
- 66.113.196.128 United States NETNATION 2012-01-11. Tested.
newsworldsite.com:
- viewdns.info/iphistory/?domain=newsworldsite.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20 big virtual
- 204.93.159.80 Chicago - United States SERVERCENTRAL 2013-04-21. Tested viewdns.info range: 204.93.159.70 204.93.159.90
- 204.93.159.84: team-merk.com 2011-08-11. No archives.
todaysnewsreports.net:
- viewdns.info/iphistory/?domain=todaysnewsreports.net
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-01
- 205.178.189.129 United States NETWORK-SOLUTIONS-HOSTING 2013-05-20 likely virtual
- 173.255.131.72 Reno - United States UK-2 Limited 2012-08-27. Tested viewdns.info range: 173.255.131.62 173.255.131.82. Virtual and modern hits only.
- 67.213.211.232 United States UK-2 Limited 2011-09-07 unknown. Tested viewdns.info range: 67.213.211.222 67.213.211.242
- 67.213.211.236: icf-finan.com 2015-01-20
- 67.213.211.237: playinside.me 2016-02-04. Nice domain hack, but no.
- 67.213.211.239: reality-sexxx.com 2011-09-08
hassannews.net:
- viewdns.info/iphistory/?domain=hassannews.net
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-08
- 205.178.189.131 United States NETWORK-SOLUTIONS-HOSTING 2013-07-01. Likely virtual.
weblognewsinfo.com:
- dnshistory.org/historical-dns-records/a/weblognewsinfo.com 2010-05-10 -> 2010-10-07 64.120.20.234
- viewdns.info/iphistory/?domain=weblognewsinfo.com
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-09-26 virtual
- 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2013-06-30 virtual with newsincirculation.com
newsincirculation.com
- dnshistory.org/historical-dns-records/a/newsincirculation.com
- 2010-03-10 -> 2010-08-15 64.120.20.234 virtual with weblognewsinfo.com
- 2013-11-26 -> 2013-11-26 70.32.43.226
- viewdns.info/iphistory/?domain=newsincirculation.com
- 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2014-01-31
- 50.63.202.77 United States AS-26496-GO-DADDY-COM-LLC 2013-10-19. virutal?
- 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2013-09-26 virtual?
- 69.147.228.5 Chicago - United States LEASEWEB-USA-CHI 2012-11-12 unknown. Tested viewdns.info range: 69.147.228.1 69.147.228.15. Nope.
- 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2011-04-04 virtual
todayoutdoors.com:
- dnshistory.org/historical-dns-records/a/todayoutdoors.com
- 2009-08-11 -> 2010-07-07 174.133.44.90. Tested viewdns.info range: 174.133.44.80 174.133.44.100. Virtual and modern.
- 2011-03-01 -> 2011-03-01 174.123.172.82 unknown. Tested viewdns.info range: 174.123.172.72 174.123.172.92. Virtuals.
- viewdns.info/iphistory/?domain=todayoutdoors.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-02 virtual
- 174.123.172.82 United States SOFTLAYER 2011-04-04. Tested.
esmundonoticias.com:
- dnshistory.org/historical-dns-records/a/esmundonoticias.com 2010-02-05 -> 2010-08-02 216.93.248.194. Tested viewdns.info range: 216.93.248.184 216.93.248.204
- 216.93.248.194: coxsackielive.com 2012-06-29. No archives.
- 216.93.248.194: datapakassociates.org 2012-04-27. No rachives.
- 216.93.248.194: easywebworld.net 2012-02-27. Broken: web.archive.org/web/20101229051406/http://easywebworld.net/
- 216.93.248.194: esmundonoticias.com 2012-01-11
- 216.93.248.194: kukrinews.com 2011-06-22. Hit.
- dnshistory.org/historical-dns-records/a/kukrinews.com 2010-02-26 -> 2010-08-07 216.93.248.194
- viewdns.info/iphistory/?domain=kukrinews.com 216.93.248.194 Malden - United States TWDX 2011-06-22
- 216.93.248.194: librarianhelper.com 2013-06-30. Parked domain girl
- 216.93.248.194: tech-geek-news.com 2012-01-11. Very broken, Arabic script, but seems legit,
- 216.93.248.194: ualbanycornerstone.org 2012-04-13. Legit.
- viewdns.info/iphistory/?domain=esmundonoticias.com 216.93.248.194 Malden - United States TWDX 2012-01-11. Tested.
globaltourist.net:
- dnshistory.org/historical-dns-records/a/ 2009-07-30 -> 2011-01-01 69.59.20.215 unknown. Tested viewdns.info range: 69.59.20.205 69.59.20.225. Virtuals.
- viewdns.info/iphistory/?domain=globaltourist.net
- 216.172.170.14 United States NETWORK-SOLUTIONS-HOSTING 2013-07-08
- 216.21.239.197 United States NETWORK-SOLUTIONS-HOSTING 2012-06-25
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-04-09 big virtual
- 174.136.34.154 United States IHNET 2012-03-12 unknown. Tested viewdns.info range: 174.136.34.144 174.136.34.164
- 74.119.145.101 Frankfurt am Main - Germany PERFORMIVE 2011-09-07. Tested viewdns.info range: 74.119.145.91 74.119.145.111. One virtual.
- 69.59.20.215 United States ATLRETAIL 2011-06-22. Tested
all-sport-headlines.com:
- viewdns.info/iphistory/?domain=all-sport-headlines.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-11-12 virtual
- 216.104.38.114 United States SINGLEHOP-LLC 2012-09-21. Tested viewdns.info range: 216.104.38.104 216.104.38.124
- 216.104.38.110: afterawhilecrocodile.info 2011-07-26. Legit.
technologytodayandtomorrow.com:
- viewdns.info/iphistory/?domain=technologytodayandtomorrow.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
- 72.34.53.174 United States IHNET 2011-09-08. Tested viewdns.info range: 72.34.53.164 72.34.53.184
- 72.34.53.166: bjellaagency.com 2023-03-07
- 72.34.53.174: businesscardprinternyc.info 2012-04-18
- 72.34.53.174: dermozamsoe106.com 2011-07-02
- 72.34.53.174: electronictechreviews.com 2011-09-08. Hit.
- 72.34.53.174: glialcells2009paris.com 2012-11-12
- 72.34.53.174: hysfreedom.net 2013-07-08. Legit.
- 72.34.53.174: integrativetherapiesec.com 2013-06-30
- 72.34.53.174: intloil.org 2012-04-27. Possible hit, a bit off style, but possibly because too broken. Copyright 2005. Present at pastebin.com/CTXnhjeSp.
- 72.34.53.174: islamicnewsonline.com 2013-03-23. No archives in date range.
- 72.34.53.174: larumbaknox.com 2012-01-11. Parked domain girl
- 72.34.53.174: myonlinegamesource.com 2012-01-11
- 72.34.53.174: mytravelopian.com 2011-04-04. Feels legit, but there's some chance.
- 72.34.53.174: recursosdenoticias.com 2012-06-29. Hit.
- 72.34.53.174: todaysnewsandweather-ru.com 2012-01-11. Hit.
- 72.34.53.181: theebizguy.com 2022-12-26
- 72.34.53.183: nofatchics.com 2012-01-11
terrain-news.com:
- JAR
- viewdns.info/iphistory/?domain=terrain-news.com None in simple ranges.
- 204.11.56.25 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-08. Virtuals.
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20>. Virtual 167. viewdns.info/reverseip/?host=208.91.197.19&t=1 not very promising.
- 208.187.167.20 United States DATANOC 2012-01-11. Tested viewdns.info range: 208.187.167.10 208.187.167.30. Newer domains.
intlnewsdaily.com
- dnshistory.org/historical-dns-records/a/intlnewsdaily.com 2010-02-21 -> 2010-08-06 75.126.136.179. unknown range.
- viewdns.info/iphistory/?domain=intlnewsdaily.com
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Virtual. Tested.
- 63.247.95.50 Austell - United States NTHL 2012-06-29 unknown. Tested viewdns.info range: 63.247.95.40 63.247.95.60
- 63.247.95.50: 2b-sports.com 2013-04-21
- 63.247.95.50: caldentalinsurance.com 2014-07-05
- 63.247.95.50: cameronbal-photography.com 2012-06-29
- 63.247.95.50: congbetham.com 2014-07-05
- 63.247.95.50: essentialintelligenceagency.com 2023-03-07
- 63.247.95.50: isabellavalentina.com 2014-07-05
- 63.247.95.50: jhraccounting.com.au 2021-05-03
- 63.247.95.50: missouribreaks294.com 2012-06-29
- 63.247.95.50: startorganize.com 2011-08-11
- 63.247.95.50: tifocus.net 2011-08-11
- 63.247.95.50: tifocus.org 2011-08-10
- 63.247.95.50: whitepartyorlando.com 2012-01-11
- 204.11.56.25 (ipinf.ru)
opensourcenewstoday.com:
- viewdns.info/iphistory/?domain=opensourcenewstoday.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
- 64.16.193.48 Riyadh - Saudi Arabia Saudi Telecom Company JSC 2011-09-08. Tested viewdns.info range: 64.16.193.38 64.16.193.41. Ran out.
techwatchtoday.com:
- dnshistory.org/historical-dns-records/a/techwatchtoday.com 2009-08-11 -> 2011-02-26 66.11.225.226 big shared host
- viewdns.info/iphistory/?domain=techwatchtoday.com
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-29 virtual
- 66.11.225.226 United States TNWEB-LEW-001 2012-01-11 unknown
alljohnny.com: one of the Reuters websites.
- 208.91.197.132: rdns source: viewdns.info. Big virtual.
- 65.218.91.17: rdns source? : viewdns.info. Tested viewdns.info range: 65.218.91.13 - 65.218.91. 17
- 65.218.91.9: welcometonyc.net. Hit. rdns source: ipinf.ru. Later also at 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-21 by viewdns.info
- also on: 65.218.91.17,
- international-smallbusiness.com. Stylitsic match, but some uncommon features like the country seelctor dropdown.
- Archives:Also a potential unarchived CGI comms: web.archive.org/web/20110202031627/https://ssl.international-smallbusiness.com/cgi-bin/starting.cgi Perhaps with some better HTML reversing we could confirm a hit.
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-19. Big virtual.
- 65.218.91.17 United States UUNET 2013-09-06
- Archives:
- international-smallbusiness.com. Stylitsic match, but some uncommon features like the country seelctor dropdown.
- 216.168.229.50: whoisxmlapi 2008-09-01 (15 years) 2010-04-17. Checked viewdns.info range: 216.168.229.45 - 216.168.229.55
62.22.60.49: telecom-headlines.com. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just before worldnewsnetworking.com. Tested viewdns.info range: 62.22.60.34 - 62.22.60.66
- 62.22.60.33: newsperk.com. Unclear. Stylistically perfect, but no comms not found. 2011. English. Egypt. news.
- 62.22.60.34: freeslideshow.net. Legit? Attempting to open any HTML archives leads to an infinite page load loop, e.g. 2010. A subpage however exists: web.archive.org/web/20101230001640/http://freeslideshow.net/index_files/a.htm and appears legit.
- 62.22.60.40: travel-passage.com. Unclear. No archives of toplevel, only subpage: 2009. No clear comms. Chinese.
- 62.22.60.42: newsupdatesite.com. Hit.
- 62.22.60.46: flyingtimeline.com. Hit.
- 62.22.60.47: globalemergenceadvisorsbkserver.com. Legit.
- 62.22.60.48: currentcommunique.com. Hit.
- 62.22.60.49: telecom-headlines.com. Hit.
- 62.22.60.52: collectedmedias.com. Hit.
- 62.22.60.54: romulusactualites.com. No archives.
- 62.22.60.55: thefilmcentre.com. Hit.
- 62.22.60.56: traveltimenews.com. Hit.
62.22.61.206 worldnewsnetworking.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 62.22.61.188 - 62.22.61.224
- 62.22.61.193: awfaoi.org. Hit.
- 62.22.61.197: rc5sports.com. Hit.
- 62.22.61.198: inside-vc.com. Hit.
- 62.22.61.202: bailsnboots.com. Hit.
- 62.22.61.203: the-cricketer-online.com. Hit.
- 62.22.61.204: hollywoodscreen.net. Hit.
- 62.22.61.206: worldnewsnetworking.com. Hit.
- 62.22.61.212: nuestrasfinanzas.com. Hit.
- 62.22.61.215: the-tech-mind.com. Welcome to the US Petabox
- 62.22.61.217: court-masters.com. Hit.
- 62.22.61.219: allworldstatistics.com. Hit.
- 62.22.61.220: newsjaka.com. Hit.
- 62.22.61.221: biochemresource.com. Archive broken/empty. One archive: contains an epically long URL that might shed light into something: web.archive.org/web/20120529121245/http://www.biochemresource.com/?fp=iboHtuxnjLG66y52DkK1xCFuZDBnVC8wovQepLt2Tk%2Bo1JIgIdVb6WL8kv6sSOEtxwcq4EbiJ0GxFY9N6HSWlg%3D%3D&prvtof=97vgfKVqt1Sd68qgNDPXB0o7Rwo%2FO3GKiiMG7fane6A%3D&poru=Zd9DHFaHFZ6ZrRLm8SW3egagqvdpzHhWb%2FoulRGeEYIUSVATB5gwTIDhluetONjG7xovtb%2FrvDStoqiAF1O8wA%3D%3D&. Asked at: stackoverflow.com/questions/47310661/any-idea-what-are-fp-prvtof-poru-in-a-url but no reply so far. One day my friend, one day.
- 62.22.61.222: www.news-blitz-ar.com (ipinf.ru). No archives. Perfect theme match.
63.131.229.12 cyberreportagenews.com. Tested viewdns.info range: 63.131.228.248 - 63.131.229.30
- 63.131.229.2: fightskillsresource.com. Hit
- 63.131.229.4: unitedterritorynews.com. Hit
- 63.131.229.9: show-dustry.com. Hit
- 63.131.229.10: afghanpoetry.net. Hit. Also at 74.254.12.166 in another range.
- 63.131.229.11: mythriftytrip.com. Hit
- 63.131.229.12: cyberreportagenews.com. Hit.
- 63.131.229.13: sunrise-news.com. Hit.
- 63.131.229.15: cricketnewsforindia.com. Archive quite broken, likely hit.
- 63.131.229.16:
- nutricion-saludable.info. No archives.
- nutricion-saludable.net. Hit.
- 63.131.229.18: itnl-xchange.com. Hit.
- 63.131.229.20:
- fixashion.net. Hit.
- a few others
63.130.160.50 theglobalheadlines.com. Found with: 2013 DNS census secureserver.net MX records intersection 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 63.130.160.35 - 63.130.160.75
- 63.130.160.50: theglobalheadlines.com. Hit.
- 63.130.160.51:
- hai-pow.com. Hit.
- secudenetworksecurity.com. No archives.
- 63.130.160.53: echessnews.com. Hit.
- 63.130.160.59: technologiewissen.com. No archives from the time. Would be Technology knowledge in German, so another likely German hit. Shame.
- 63.130.160.60: boxingstop.net. Hit.
- 63.130.160.61: bookmarksthis.com. No archives.
- 63.130.160.62: azerinews.org. Hit.
64.16.204.55 holein1news.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 64.16.204.50 - 64.16.204.63. With did Wayback Machine have so few archives here? TODO stopping viewdns.info exploration a bit short due to that.
- 64.16.204.35: ironcityfootball.com. Legit/broke.
- 64.16.204.51: africannewsandsports.com. No archives. rdns source: viewdns.info
- 64.16.204.53: bosniakbusinessnews.com. No archives. A Bosniak is someone from an ethnicity from Bosnia.
- 64.16.204.54: affairesdumonde.com. No archives. rdns source: viewdns.info
- 64.16.204.55: holein1news.com. Hit.
- 64.16.204.56: fightorgohome.com. No archives. rdns source: viewdns.info
- 64.16.204.58: tech-topix.com. Hit.
- 64.16.204.60: pakpoldaily.com. No archives. rdns source: viewdns.info. TODO meaning? Might be Indonesian, maybe linked to police: www.facebook.com/watch/?v=880204266271955
65.61.127.163 capture-nature.com. whois.arin.net/rest/net/NET-65-61-96-0-1/pft?s=65.61.127.163: Net Range: 65.61.96.0 - 65.61.127.255. Organization. Name: TierPoint, LLC. Tested viewdns.info range: 65.61.127.149 -
- 65.61.127.46: anahuacchamber.com 2012-12-22T14:59:01
- 65.61.127.117: medicaresupplementalinsurance.com, 2013-08-21T09:49:41. Legit.
- 65.61.127.121: counter-images.com 2013-08-22T11:14:44: web.archive.org/web/20110208173132/http://www.counter-images.com/
- 65.61.127.125 zaphound.com 2013-08-21T02:25:40. Legit.
- 65.61.127.130: ambitions.org 2013-08-22T01:43:40. Legit.
- 65.61.127.161: european-footballer.com. 2011 archive. web.archive.org/web/20110319111233/http://european-footballer.com/. The website is quite broken so it is hard to say, but possible hit.
- 65.61.127.163: capture-nature.com. Hit.
- 65.61.127.164: futbolistico.net. 2012-02-20T03:25:33. Legit. web.archive.org/web/20130509004058/http://futbolistico.net/
- 65.61.127.165: travelconnectionsonline.com. Ciro initially though this might be a hit. But upon Googling it, there's now a mirror at: travelconn.tripod.com/. Combined with the lack of a standard communications mechanism and the 2001 copyright, maybe it isn't a hit after all
- 65.61.127.166: globalnewsbulletin.com: Hit.
- 65.61.127.167: internationalwhiskylounge.com. No Wayback Machine archives.
- 65.61.127.168: the-golden-rule.info 2013-09-20T02:13:52. Website error archived: web.archive.org/web/20131011012026/http://the-golden-rule.info/
- 65.61.127.169: crossovernews.net. Hit.
- 65.61.127.170: newsidori.com. Very broken 2013 archive: 2013. "Idori" sounds Japanese, but the meaning is unclear.
- 65.61.127.171: nrgconsultingandnews.com. 2013-08-13T18:45:05. No archives.
- 65.61.127.172: premierstriker.com. No Wayback Machine archives from the time, and has been since parked by something apparently as of 2022 onwards. Last resolved: 2012-01-11.
- 65.61.127.174: dedrickonline.com. Hit.
- 65.61.127.175: altworldnews.com. Hit.
- 65.61.127.176: american-historyonline.com. No Wayback Machine archives. Last resolved: 2011-09-08.
- 65.61.127.177: material-science.org 2009. Shallow, narrow. No comms found. .org hit?
- 65.61.127.178: tee-shot.net. Hit.
- 65.61.127.180: screencentral.info. Buggy Wayback Machine archive from 2013: web.archive.org/web/20130713224951/http://screencentral.info/. Last resolved: 2013-05-08.
- 65.61.127.181: worldnewsandtravel.com. No Wayback Machine archives. Last resolved: 2011-11-13.
- 65.61.127.182: pangawana.com. Hit.
- 65.61.127.183: cutabovenews.com. Hit.
- 65.61.127.184: worldwildlifeadventure.com. Hit.
- 65.61.127.186: explorealtmeds.com. Hit.
- 65.61.127.194: 16 domains, so unclear.
- about-video-games.com: web.archive.org/web/20121013013710/http://about-video-games.com/
- aboutfaceonline.com: web.archive.org/web/20120701000000*/aboutfaceonline.com
- 65.61.127.200: cdl-link.com (ipinf.ru). Legit.
- 65.61.127.222: asianwhitecoffee.com 2012-07-16T09:21:05 web.archive.org/web/20110903080036/http://asianwhitecoffee.com/. Could be legit.
66.45.179.205 noticiasporjanua.com. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 66.45.179.187 - 66.45.179.223
- 66.45.179.187: mail03.gatesfoundation.org. Legit.
- 66.45.179.192: thegraceofislam.com. Hit.
- 66.45.179.193: arabicnewsunfiltered.com. Hit.
- 66.45.179.194: raulsonsglobalnews.com. Hit.
- 66.45.179.195: aryannews.net. Hit.
- 66.45.179.199: attivitaestremi.com. Hit.
- 66.45.179.200: foodwineandsuch.com. No archives.
- 66.45.179.201: hitthepavementnow.com. Hit.
- 66.45.179.203: noticiascontinental.com. Hit.
- 66.45.179.205: noticiasporjanua.com. Hit.
- 66.45.179.206: podisticamondiale.com. Hit.
- 66.45.179.207: reflectordenoticias.com. Hit.
- 66.45.179.208: havenofgamerz.com. Hit.
- 66.45.179.209: vejaaeuropa.com. web.archive.org/web/20130810131440/http://www.vejaaeuropa.com/: Welcome to the US Petabox. Shame, could be another Brazil hit since "veja" (look in Brazilian Portuguese) would be "mira" in Spanish, not "veja".
- 66.45.179.210: sa-michigan.com. Hit.
- 66.45.179.211: absolutebearing.net. Hit.
- 66.45.179.212: grandretirement.net. No archives.
- 66.45.179.213: myportaltonews.com. Hit.
- 66.45.179.214: investmentintellect.com. Hit.
- 66.45.179.215: nigeriastar.net 2012-03-12. Hit.
66.104.169.184 bcenews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.169.158 - 66.104.169.189
- 66.104.169.162: bestsportsnews.net. Archive broken.
- 66.104.169.163: doctorsoncallsite.com. Hit.
- 66.104.169.164: lightandshadowonline.com. Hit.
- 66.104.169.168: plugged-into-news.net. Hit.
- 66.104.169.169: worldsportsite.com. Likely hit, but comms not found. 2011. Arabic. . sports. has some apparently unrelated archives from 2008.
- 66.104.169.171: golf-on-holiday.com. Hit.
- 66.104.169.172: perspectiva-noticias.com. Hit.
- 66.104.169.175: aquaswimming.com. Hit.
- 66.104.169.177: dojo-temple.com. Hit.
- 66.104.169.179: neighbour-news.com. Hit.
- 66.104.169.180: medicatechinfo.com. Hit.
- 205.178.189.131: securitytrails.com 2009-06-25 - 2009-07-02 Network Solutions, LLC., "ip_count": 726755. Moved to new one 2009-07-02 - 2010-11-03
- 66.104.169.181: brickmanfinancialnews.com. Hit.
- 66.104.169.182: casanewsnow.com. Hit.
- 66.104.169.183: aworldofnews.com. No archives.
- 66.104.169.184: bcenews.com. Hit.
- 66.104.169.197: teamshula.com. Legit.
66.104.173.186 myworldlymusic.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.173.158 - 66.104.173.194
- 66.104.173.161: fanatic-pc-gamers.com. 2013: Welcome to the US Petabox
- 66.104.173.163: runakonews.com. Hit.
- 66.104.173.164: shoppingadventure.net. Hit.
- 66.104.173.165: entertaining-ly.com. Hit.
- 66.104.173.166: zubeenews.com. Hit.
- 66.104.173.169: smart-financeology.com. Hit.
- 66.104.173.173: remarkably has two potential hits, both shown in viewdns.info, and one of them was also in the 2013 DNS Census.
- worldfeedstoday.com. No main page archives. Subpage archive: 2011. English. news.
- world-newsfeeds.com. No archives.
- 66.104.173.175: media-coverage-now.com. Hit.
- 66.104.173.176: jbc-online-news.com. Hit.
- 66.104.173.177: webscooper.com. Hit.
- 66.104.173.178: dk-dcinvestment.com. Hit.
- 66.104.173.179: newsforthetech.com. Welcome to the US Petabox.
- 66.104.173.180: stara-turistick.com. Hit.
- 66.104.173.181: playbackpolitics.com. Hit.
- 66.104.173.182: snapnewsfront.net. Hit.
- 66.104.173.183: ingenuitytrendz.com. Hit.
- 66.104.173.184: armashoy.com. Hit.
- 66.104.173.185: baocontact.com. Hit.
- 66.104.173.186: myworldlymusic.com. Hit.
- 66.104.173.189: hitpoint-gaming.com. Hit.
66.104.175.40 beyondnetworknews.com. whois.arin.net/rest/net/NET-66-104-0-0-1/pft?s=66.104.175.40. Net Range:66.104.0.0 - 66.107.255.255. 2012 Internet Census puts most/all hits in this range under ip66-104-175-34.z175-104-66.customer.algx.net,
algx.net
redirects to verizon.com as of 2023. Related: superuser.com/questions/956568/why-are-my-pings-going-to-customer-algx-net. Tested viewdns.info range: 66.104.175.24 - unknown- 66.104.175.34: itwebtoday.com. Hit.
- 66.104.175.35: drglobalnews.com. Hit.
- 66.104.175.36: adilnews.net. Hit.
- 66.104.175.37: technewstogo.com. web.archive.org/web/20110201205946/http://technewstogo.com/ "UNDER CONSTRUCTION"
- 66.104.175.40: beyondnetworknews.com. Hit.
- 66.104.175.41: grubbersworldrugbynews.com. Hit.
- 66.104.175.44: yourtripfinder.net. Hit.
- 66.104.175.45: rollinsnetwork.com. Hit.
- 66.104.175.46: infosharenews.com. Hit.
- 66.104.175.47: southasiaheadlines.com. Hit.
- 66.104.175.48: worlddispatch.net. Hit.
- 66.104.175.49: webworldsports.com. Hit.
- 66.104.175.50: fly-bybirdies.com. Hit.
- 66.104.175.51: businessexchangetoday.com. Hit.
- 66.104.175.52: mensajeradenoticias.com. Hit.
- 66.104.175.53: info-ology.net. Hit.
- 66.104.175.54: marketflows.net. Hit.
- 66.104.175.57: metanewsdaily.com. Hit.
- 66.104.175.218: remote.taxconsultantsgroup.com. No archives.
66.175.106.148 activegaminginfo.com. whois.arin.net/rest/net/NET-66-175-106-128-1/pft?s=66.175.106.148: Net Range: 66.175.106.128 - 66.175.106.159. Customer Name: DIAMOND-COLESON. Tested viewdns.info range: 66.175.106.131 - 66.175.106.178
- 66.175.106.10: nationalchecktrust.com. Legit?
- 66.175.106.134: paddlescoop.com. Hit.
- 66.175.106.137: kessingerssportsnews.com. Hit.
- 66.175.106.138: factorforcenews.com. Hit.
- 66.175.106.140: aroundthemiddleeast.com. No Wayback Machine hits. Last resolved: 2012-06-29.
- 66.175.106.142: kanata-news.com. Hit.
- 66.175.106.143: thecricketfan.com. Hit.
- 66.175.106.146: inews-today.com. Initially found with 2013 DNS Census virtual host cleanup heuristic keyword searches which gave IP address 193.203.49.212. But that has no nearby hits. 66.175.106.146 was later found on viewdns.info, and slotted into this other existing IP range.
- 193.203.49.211 datingso.com: legit? Russian dating website
- 193.203.49.212 inews-today.com. Hit.
- 193.203.49.223 zatysi.net: legit
- 193.203.49.226 kinotopik.com: legit? Russian
- 193.203.49.229 rotor-volgograd.com. Legit.
- 193.203.49.233 ordercytotec.com. Broken.
- 66.175.106.147: starwarsweb.net. Hit.
- 66.175.106.149: feedsdemexicoyelmundo.com. Hit.
- 66.175.106.150: noticiasmusica.net. Hit.
- 66.175.106.155: atomworldnews.com. Hit.
- 66.175.106.158: nouvellesetdesrapports.com. Hit.
- 66.175.106.166: exchange.katzbarron.com. Legit. Reverse IP source: 2012 Internet Census
- 66.175.106.183: mail.lfdatacenter.com. No archives.
66.237.236.247 comunidaddenoticias.com. Tested viewdns.info range: 66.237.236.222 - 66.237.236.254
- 66.237.236.227: newsandmusicminute.com. Hit.
- 66.237.236.229: pearls-playlist.com 2011-11-13. Hit.
- 66.237.236.230: beyondthefringe.info 2013-01-02. Hit.
- 66.237.236.231: primetimemovies.net 2011-06-22. Hit.
- 66.237.236.235: persephneintl.com. Hit.
- 66.237.236.236: directoalgrano.net 2012-01-23. Hit.
- 66.237.236.240: actualizaciondebeisbol.com. Hit.
- 66.237.236.243: mygadgettech.com. Hit.
- 66.237.236.247: comunidaddenoticias.com. Hit.
- 66.237.236.249: sumerjaseahora.com. Hit.
69.84.156.90 stickshiftnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 69.84.156.64 - 69.84.156.95
- 69.84.156.69: al-ashak-news-me.com. Hit.
- 69.84.156.70: theventurenews.info. No archives. business.
- 69.84.156.71: worldfinancetoday.net. Hit.
- 69.84.156.72: autonewsarabia.com. Hit.
- 69.84.156.74: blue-moon-news.com. Hit.
- 69.84.156.75: theoutergreen.com. No archives. Might have been another golf hit.
- 69.84.156.76: tnc-urdu.com. Hit.
- 69.84.156.79: jassimnews.com. No archives/broken.
- 69.84.156.80: noticiasdenuestromundo.com. No archives. Spanish. news.
- 69.84.156.82: arabicnewsonline.com. Hit.
- 69.84.156.83: unganadormundial.com. Hit.
- 69.84.156.84: focusonbokeh.com. No archives/broken. Only a "Sony" logo remains: web.archive.org/web/20110207222330/http://focusonbokeh.com/images/logo_014.jpg
- 69.84.156.85: classic-rocktopia.com. No archives. Presumably rock climbing.
- 69.84.156.87: i7diver.com. No archives.
- 69.84.156.88: diariodeelmundo.com. Hit.
- 69.84.156.89: todaysarabnews.com. Hit.
- 69.84.156.90: stickshiftnews.com. Hit.
- 69.84.156.91: theinternationalgoal.com. Hit.
74.116.72.236 techtopnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.116.72.215 - 74.116.72.254
- 74.116.72.199: newsungraphics.com. Legit.
- 74.116.72.209: newsung.com. Legit/broken.
- 74.116.72.214: ofinancialinc.com. Legit.
- 74.116.72.219: stockpromoters.com. Legit.
- 74.116.72.227: dayenews.com. hit.
- 74.116.72.229: guide-daventure.com. Hit.
- 74.116.72.230: spaceage-exchange.com. No archives.
- 74.116.72.231: bleachersfootballnews.com. Hit.
- 74.116.72.232: indirectfreekick.com. Hit.
- 74.116.72.233: wwiichronicles.net. Hit.
- 74.116.72.234: petroleumagenews.com. Hit.
- 74.116.72.235: the-open-book-online.com. Hit.
- 74.116.72.236: techtopnews.com. Hit.
- 74.116.72.237: noticiasdiariasdedeportes.com. No archives. Sad, another potential Brazil hit.
- 74.116.72.238: pohandakhbar.com. No archives. TODO meaning. "akhbar" is news in Arabic. But what is "Poh"? Sounds like a South Asian name.
- 74.116.72.239: crickettoday.info. Hit.
- 74.116.72.240: zafernews.com. Hit.
- 74.116.72.241: itechnewstoday.com. Broken/GoDaddy takeover
- 74.116.72.242: gdgtsource.com. Hit.
- 74.116.72.243: waronfilmonline.com. No archives.
- 74.116.72.244: arborstribune.org. No archives.
- 74.116.72.245: wineenthusiastonline.com. Welcome to the US Petabox.
- 74.116.72.246: vuvuzelanews.com. Hit.
- 74.116.72.247: ballbatstumpsandbails.com. Hit.
- 74.116.72.248: kioni-sailing.com. No archives.
- 74.116.72.249: round-trip-travel.com. Hit.
- 74.116.72.250: arabicnewsource.com. Hit.
74.254.12.168 non-stop-news.net. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.254.12.158 - 74.254.12.195. This domain exceptionally also has a second IP also with multihits: 207.239.196.230. The fact that the range has rdns sources with hits from both 2013 DNS Census and viewdns.info suggests this range is correct.
- 74.254.12.163: half-court.net. Hit.
- 74.254.12.163: dailywellnessnews.com. Hit.
- 74.254.12.165: dylandon.net. Hit. rdns source: viewdns.info.
- 74.254.12.166: afghanpoetry.net. Hit.
- 74.254.12.168: non-stop-news.net. Hit.
- 74.254.12.169: soldiersofsouthasia.com. Hit.
- 74.254.12.170: greek-news.info. 2013. Welcome to the US Petabox. rdns source: viewdns.info
- 74.254.12.171: autism-news.org. Hit.
- 74.254.12.172: thesportsguidebook.com. rdns source: 2013 DNS Census. Only has archive of one subpage: 2009. English. sports.
- 74.254.12.174: reliefline.info. web.archive.org/web/20090416064302/http://www.reliefline.info:80/ Archive too broken.
- 74.254.12.176: pakcricketgrd.com. Hit.
- 74.254.12.177: networkofnews.com. Hit.
- 74.254.12.179: wineconnaisseur.net. Hit.
- 74.254.12.180: helpinghandssite.com. Hit.
- 74.254.12.185: newskwest.com. No archives.
- 74.254.12.187: efiinvestment.com. No archives.
- 74.254.12.188: first-tee-golf.com. Hit.
- 74.254.12.189: fabu-foto.com. Hit.
- 74.254.12.190: viptravelabroad.com. Hit.
199.85.212.118 just-kidding-news.com
- 199.85.212.118 rdns source: 2013 DNS Census virtual host cleanup heuristic keyword searches, dnshistory.org (2009-09-23 -> 2011-01-25) and viewdns.info: "location": "United States", "owner": "VIMRO, LLC", "lastseen": "2012-01-11". Tested viewdns.info range: 199.85.212.95 - 199.85.212.128. Not sure worth it given the many 2013 DNS Census misses surrounding.
- 199.85.212.98: colorsxpress.com. Legit
- 199.85.212.104:
- jobindons.com 2013-10-19.
- piogroup.org 2012-12-29.
- 199.85.212.105: mide-news.com. Hit.
- 199.85.212.109: game2be.com. Infinite load loop: web.archive.org/web/20080102074404/http://www.game2be.com/
- 199.85.212.111:
- newsandsportscentral.com. Hit.
- and many many others, not bothering with it
- 199.85.212.115: veryperi.com. Legit? 2011. Style is similar.
- 199.85.212.116: approselect.com. Legit?
- 199.85.212.117: innovative-software-solutions.com. broken/legit
- 199.85.212.118: just-kidding-news.com. Hit.
- 199.85.212.119: invisus.com. Legit
- 199.85.212.120: allurebyjustine.com. Legit?
- 199.85.212.121: stockprouniversity.com
- 199.85.212.122: stjosephswoodshop.com Legit?
- 199.85.212.125: time-spacer.net. Welcome to the US Petabox.
- 199.85.212.132: qualitytrans.net. Legit?
- 199.85.212.134: mywellnessminder.com. Legit?
- 199.85.212.138: crystalglassinc.com
- 199.85.212.140: davistech-llc.com
- 68.178.232.100: see rastadirect.net. rdns source: viewdns.info: "location": "United States", "owner": "GoDaddy.com, LLC", "lastseen": "2012-06-29"
- 209.85.45.84. Tested viewdns.info range: 209.85.45.74 - 209.85.45.94.
- 209.85.45.2: dz8.dailyrazor.com
- 209.85.45.2: jr4consulting.com
- 209.85.45.41: guitarzza.com. No archives of time.
- 209.85.45.46: evergraindecking.com. No archives of time.
- 209.85.45.114: mauritiuspropertyconsultant.com. Legit/ broken.
- 209.85.45.160: bieltvedt.net. No archives of time.
- 209.85.45.160: golfstats.dk. No archives.
- 209.85.45.225: infokus.ca
- 209.85.45.225: mail.tomlatham.net
- 209.85.45.225: mail.tomlatham.org
- 209.85.45.239: flavacationcenter.com
204.176.38.143 noticiassofisticadas.com. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 204.176.38.125 - 204.176.38.154
- 204.176.38.130: i-pressnews.com. Hit.
- 204.176.38.132: turkishnewslinks.com. Hit.
- 204.176.38.134: photographyarecord.com. Hit.
- 204.176.38.135: breakingthewicket.com. Hit.
- 204.176.38.136: politicalworldtoday.com. Hit.
- 204.176.38.137: hi-tech-today.com. Hit.
- 204.176.38.138: continental-business-news.com. TODO. 2011. Cannot find comms. Also header and footer are not limited width which is unusual. Further HTML similarity reversing would be needed.
- 204.176.38.139: bigscreenbattles.com. Hit.
- 204.176.38.141: rakotafootball.com. Hit.
- 204.176.38.142: senderosdemontana.com. Hit.
- 204.176.38.143: noticiassofisticadas.com. Hit.
- 204.176.38.144: techno-today.com. Hit.
- 204.176.38.145: tickettonews.com. Hit.
- 204.176.38.146: dps-digitalphotosharing.com. Hit.
- 204.176.38.147: theputtingreen.com. Hit.
- 204.176.38.149: sportsnewstodayar.com. Hit.
- 204.176.38.150: kairuafricanews.com. Hit.
204.176.39.115 globalprovincesnews.com. Tested viewdns.info range: 204.176.39.93 - 204.176.39.124
- 204.176.39.97: beamingnews.com. Hit.
- 204.176.39.98: cubriendonoticias.com. Hit.
- 204.176.39.100: rowleyworldpost.com. Hit.
- 204.176.39.101: noticiastopicas.com. No archives.
- 204.176.39.103: economicnewsbuzz.com. Hit.
- 204.176.39.104: spectranewsonline.com. Hit.
- 204.176.39.105: entertainmentnewscompany.com. Hit.
- 204.176.39.107: guidetoelectronics.net. Uncertain. 2010. English. tech, electronics. Possible CGI comms variant.
- 204.176.39.110: arabnewsatdawn.com. Hit.
- 204.176.39.114: messengergalaxy.com. Uncertain. 2011. Would be the first example of something more commercial/service offering we've seen so far. Possible CGI comms variant.
- 204.176.39.115: globalprovincesnews.com. Hit.
- 204.176.39.116: mahparah-news.com. Hit.
- 204.176.39.119: commercialspacedesign.com. Hit.
207.210.250.132 aeronet-news.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 207.210.250.126 - 207.210.250.157
- 207.210.250.131: starrynightnews.com. Hit.
- 207.210.250.132: aeronet-news.com. Hit.
- 207.210.250.133: bakaribulletin.com. Hit.
- 207.210.250.134: deprensaenlarevisiondehoy.com. Hit.
- 207.210.250.135: icwb-news.com. Hit.
- 207.210.250.136: sportsreelhighlights.com. Hit.
- 207.210.250.137: fashionforward.info. No archives.
- 207.210.250.138: inquiry-human-past.com. Hit.
- 207.210.250.139: thefairwaysaregreen.com. Hit.
- 207.210.250.142: russiaupdate.com 2011-11-13. No archives of the time, only older unrelated archives: web.archive.org/web/20010429003443/http://russiaupdate.com/.
- 207.210.250.143: archaeologyreview.net. Hit.
- 207.210.250.144: highspeed-news.com. No archives.
- 207.210.250.146: noticias-caracas.com. Hit.
- 207.210.250.147: bailandstump.com. Hit.
- 207.210.250.148: classicalmusic4arab.com. No archives.
- 207.210.250.149: globalventurestat.com. Hit.
- 207.210.250.152: al-rashidrealestate.com. Hit.
- 207.210.250.153: newsintheworld-ru.com. Hit.
- 207.210.250.154: news-unlimited.info. No archives. Shame, as perfect theme, and has per ipinf.ru/domains/207.210.250.154/
208.254.40.117 worldnewsandent.com. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117: Net Range 208.192.0.0 - 208.255.255.255. Tested viewdns.info range: 208.254.40.92 - 208.254.40.135
- 208.254.40.96: sixty2media.com. Hit.
- 208.254.40.99: newspoliticssource.com. Hit.
- 208.254.40.110 musical-fortune.net. Hit.
- 208.254.40.113: ashoka-gemstones.com. Hit.
- 208.254.40.117: worldnewsandent.com. Hit.
- 208.254.40.124: riskandrewardnews.com. Hit.
- 208.254.40.129: mailb.casella.com. Legit.
208.254.42.205 driversinternationalgolf.com. Not too far from 208.254.40.117 right? Tested viewdns.info range: 208.254.42.178 - 208.254.42.233.
- 208.254.42.35: mystorytimefriends.com. Broken/legit.
- 208.254.42.194: it-proonline.com. Hit.
- 208.254.42.200: riccs.mwcog.org. Legit. Reverse IP source: 2012 Internet Census, 2012-05-14.
- 208.254.42.205: driversinternationalgolf.com. Hit.
- 208.254.42.209: mardelsurnoticias.com. Hit. Reverse IP source: viewdns.info
- 208.254.42.215: nowfreshfinances.com. Hit.
- 208.254.42.216: circulatingnews.net. Hit.
- 208.254.42.219: westingtonpassnews.com. Hit. Reverse IP source: 2013 DNS Census
- 208.254.44.155: brandimpact.com. Legit/broken: web.archive.org/web/20070801000000*/brandimpact.com
- 208.254.45.105: operatorenum.com. Legit/broken: web.archive.org/web/20100301000000*/operatorenum.com
210.80.75.55 philippinenewsonline.net. Tested viewdns.info range: 210.80.75.30 - 210.80.75.67
- 210.80.75.35: aroundtheworldnews.net. No archives. ipinf.ru/domains/210.80.75.33/ disagrees and places it at .33.
- 210.80.75.36: e-commodities.net. Hit.
- 210.80.75.37: trekkingtoday.com. Hit.
- 210.80.75.41: multinews-33.com. Hit.
- 210.80.75.42: movimientodenticias.com. No archives.
- 210.80.75.43: gulfandmiddleeastnews.com. Hit.
- 210.80.75.44: whirlybirdinflight.com. Hit.
- 210.80.75.45: kings-game.net. Hit.
- 210.80.75.46: topglobalnewsdaily.com. Hit.
- 210.80.75.49: recipe-dujour.com. Hit.
- 210.80.75.53: sportsman-elite.com. No archives.
- 210.80.75.55: philippinenewsonline.net. Hit.
- 210.80.75.56: technewsforme.com. Hit.
- 210.80.75.59: goldeportesnoticias.com. No archives.
- 210.80.75.68: gigabyte-usa.com. Legit.
212.4.16.232 mynewscheck.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.16.214 - 212.4.17.10.Other hits:
- 212.4.16.224: lanoticiasdehoyelinforme.com. Hit.
- 212.4.16.232: mynewscheck.com. Hit.
- 212.4.16.239: saktimarsgolf.com 2012-06-29. Broken/legit/no archives of relevant date: web.archive.org/web/20081031060207/http://saktimarsgolf.com/
- 212.4.16.245: financial-crisis-news.com. Hit.
- 212.4.16.252: minutosdenoticias.com. Hit. web.archive.org/web/20100517151612/http://minutosdenoticias.com/
- 208.91.197.132. rdns source: viewdns.info: "location" : "British Virgin Islands", "owner" : "Confluence Networks Inc", "lastseen" : "2013-09-26". So this is after the previous one, unlikely to be correct.
- 205.178.189.131. source: securitytrails.com
212.4.17.38 fightwithoutrules.com. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117. Net Range: 208.192.0.0 - 208.255.255.255. Organization: Name: Verizon Business. Tested viewdns.info range: 212.4.17.8 - 212.4.17.79There were also some other reverse IP hits for fightwithoutrules.com, but no CIA websites there:
- 212.4.17.41: newtechfrontier.com. Hit.
- 212.4.17.43: smart-travel-consultant.com. Hit.
- 212.4.17.46: atentlaloc.com. Hit.
- 212.4.17.53: newsresolution.net. Hit.
- 212.4.17.56: lesummumdelafinance.com. Hit.
- 212.4.17.56: thepinnacleoffinance.com. No Wayback machine archives.
- 212.4.17.61: tech-stop.org. Archive: 2011. Feels likely. No commons found. .org hit? Has subdomain "gear.tech-stop.org" according to 2013 DNS Census, which suggests CGI comms, but no links to it
- 212.4.17.98: topbillingsite.com. Hit.
- 212.4.17.122: b2bworldglobal.com. Hit.
- 204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26. Many domains.
- 208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20. Many domains.
212.4.18.129 sightseeingnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.18.115 - 212.4.18.148. TODO expand. Interesting wide/sparse range? Or perhaps it's two separate ranges?
- 212.4.18.129: sightseeingnews.com. Hit. Presumably also present under fgnl.net on its second IP range, since this is near 212.4.18.133? viewdns.info gives this as the only IP for the domain.
- 212.4.30.210: iprintitaly.com. Legit: web.archive.org/web/20230000000000*/http://www.iprintitaly.com/
212.209.74.105 globalbaseballnews.com. Tested viewdns.info range: 212.209.74.100 - 212.209.74.132. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches
- 212.209.74.105: globalbaseballnews.com. Hit.
- 212.209.74.106: football-de-luxe.com. Hit.
- 212.209.74.111: worldconcerns.info. No archives.
- 212.209.74.112: developmental-league.com. Unclear. CGI comms variant? 2010. English. CGI. American football.
- 212.209.74.115: mediocampodefutbol.com. Hit.
- 212.209.74.117: myengineeringaffinity.com. Hit.
- 212.209.74.122: atthemovies.biz. Archive very broken. Has link to unarchived JAR: web.archive.org/web/20110809232811oe_/http://www.atthemovies.biz/movieslides.jar. Would have been the fist .biz hit found: Non .com .net TLDs
- 212.209.74.123: worldfinancialexchangenews.com. Hit.
- 212.209.74.124: urouttahere.com. No archives. Meaning presumably "you're out of here"? One wonders what the theme would have been!
- 212.209.74.125: avoilurefixe.com. Hit.
- 212.209.74.126: headlines2day.com. Hit.
- 118.139.174.11. Reverse IP source: viewdns.info
- 118.139.174.11: 712 domain hits on it
- 118.139.174.21: theargentineanwineco.com 2013-09-26. No Wayback machine archive.
- nothing else on the +-20 range
- 184.168.221.91. Reverse IP source: 2013 DNS Census
- 184.168.221.91: 40k hits on 2013 DNS Census
- 118.139.174.11. Reverse IP source: viewdns.info
- 212.209.74.127: construction-zones.com. Unclear. CGI comms variant? 2009. No known comms found. English. construction. Has a login page: web.archive.org/web/20091130144158/http://construction-zones.com/login.html so maybe CGI comms variant
212.209.79.40 hydradraco.com. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just after globalbaseballnews.com. Tested viewdns.info range: 212.209.79.35 - 212.209.79.63
- 212.209.79.34: fgnl.net. Hit. securitytrails.com provides IP history:both under MCI Communications Services, Inc. d/b/a Verizon Business.
- 212.209.79.34: 2008-09-01 - 2010-04-19.
- 212.4.18.133: 2010-04-19 - 2019-06-19. Tested viewdns.info range: 212.4.18.122 - 212.4.18.148
- 212.209.79.37: fitness-sources.com. Hit.
- 212.209.79.40: hydradraco.com. Hit.
- 212.209.79.41: noticiasdelmundolatino.com. Hit.
- 212.209.79.42: suparakuvi.com. Hit.
- 212.209.79.44: myigadgets.net. Unclear. 2010. tech. Contains some helpers to: iGoogle. This page is very interesting. and quite different from the others, as it contains highly specialized functionality. No known comms found. The choice of homepage languages is also very suspicious: Arabic, Farsi, French, Chinese and Spanish.
- 212.209.79.46: cetusdelph.com. Hit.
- 212.209.79.47: willtoworship.com. Hit.
- 212.209.79.48: themvconnection.com. Hit.
- 212.209.79.51: pi-resources.net. Hit.
- 212.209.79.52: newel-adserver.com. Redirects to newel.com which is legit.
- 212.209.79.53: ourscubaworld.com. Hit.
- 212.209.79.58: tech-love-home.com. Hit.
- 212.209.79.60: first-solo-aviation.com. Hit.
- 212.209.79.61: china-destinations.org. Hit.
212.209.90.84 thenewseditor.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.209.90.64 - 212.209.90.99
- 212.209.90.69: worldedgenews.com. Hit.
- 212.209.90.72: talkingpointnews.info. No archives.
- 212.209.90.75: prebitinvestment.com. No archives.
- 212.209.90.77: energy-bulb.com 2011. English. energy. Comms not found, but has unarchived link to: web.archive.org/web/20110128182345/https://webmail.energy-bulb.com/login.html. CGI comms variant?
- 212.209.90.79: freeblink.com. No archives for timerange, then legit.
- 212.209.90.80: nsmovies.net. Hit.
- 212.209.90.82: middleeastjournal.net. Hit.
- 212.209.90.84: thenewseditor.com. Hit.
- 212.209.90.87: newsandweathersource.com. Hit.
- 212.209.90.89: pakisports.com. Hit.
- 212.209.90.90: vriha-aesthetics.com. Hit.
- 212.209.90.92: amishkanews.com. Hit.
- 212.209.90.93: theentertainbiz.com. Hit.
- 212.209.90.94: eurosportssummary.com. Hit.
- 212.209.91.14: teracom.net. Legit
216.105.98.152: modernarabicnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 216.105.98.125 - 216.105.98.167
- 216.105.98.118:
- estudashboard.com: broken
- fintrade.us: legit
- 216.105.98.132: europeantravelcafe.com. Likely a hit, but comms not found. 2010. English. Europe. travel. Marked copyright 2009. There's a currency converter at: web.archive.org/web/20100724024644/http://www.europeantravelcafe.com/tools.html which could be suspicious.
- 216.105.98.134: fuenteneta.com. No archives.
- 216.105.98.135: ilat-news.com. No archives.
- 216.105.98.136: etherealinspirations.net. No archives.
- 216.105.98.137: the-news-zone.com. Archive very broken: web.archive.org/web/20130814194744/http://the-news-zone.com/
- 216.105.98.138: photozoomnews.com. No archives.
- 216.105.98.139: cultura-digital.net. Hit.
- 216.105.98.140: uaeshoppingspree.com. Hit.
- 216.105.98.141: jabarifootball.com. No archives. "Jabari" is a Swahili/Arabic name[ref]
- 216.105.98.142: globalreview-ar.com. No archives. Shame, could have been our first Argentinian site.
- 216.105.98.144: garanziadellasicurezza.com. Archives quite broken: web.archive.org/web/20110424044637/http://www.garanziadellasicurezza.com:80/ Unarchived JAR:
/web/20110424044637oe_/http://www.garanziadellasicurezza.com/garanzia.jar
Would be another precious Italy hit... - 216.105.98.145: montanismoaventura.com. Hit.
- 216.105.98.146: large-format-news.com. No archives.
- 216.105.98.147: nepalnewsbrief.com. Hit. dnshistory.org marks it as having IP 2010-03-10 -> 2010-08-15 216.169.148.94 [ref]. This range does feel a bit different from the others, too many broken archives, and relatively early ones too. Explored viewdns.info range: 216.169.148.84 - 216.169.148.104, empty for period.
- 216.105.98.148: teclafinance.com. No archives. One wonders what "tecla" would have stood for. It is Portuguese for "keyboard key", but finance is English so.
- 216.105.98.149: entreman.com: legit? web.archive.org/web/20110128212738/http://entreman.com/
- 216.105.98.152: modernarabicnews.com. Hit.
- 216.105.98.153: global-headlines.com. No archives of the period, then was a legitimate WordPress website for a while.
- 216.105.98.154: everythingcricket.org. Hit.
- 216.105.98.156: familyhealthonline.net. Hit.
- 216.105.98.157: delacorne.com. No archives.
- 216.105.98.158: econfutures.com. No archives.
- 216.105.98.161: kstcloud.com. No archives.
219.90.61.123 journeystravelled.com Tested viewdns.info range: 219.90.61.100 - 219.90.61.133
- 219.90.61.100: pressstory.com: "Under construction". web.archive.org/web/20110128124548/http://pressstory.com/
- 219.90.61.103: bet2plays.com. "Under construction". Unlikely thematic, too spicy.
- 219.90.61.110: surya-brahma.com. Hit
- 219.90.61.111: classicalmusicboxonline.com. Hit.
- 219.90.61.116: athletepro.net. Hit.
- 219.90.61.117: lajornadanow.com. Hit.
- 219.90.61.119: aviation-navigation.com. No archives.
- 219.90.61.120: theinternationalworld.com. Hit.
- 219.90.61.121: thepyramidnews.com. Hit.
- 219.90.61.122: iran-newslink-today.com. Hit.
- 219.90.61.123: journeystravelled.com. Hit.
219.90.62.243 fitness-dawg.com. whois.arin.net/rest/net/NET-219-0-0-0-1/pft?s=219.90.62.243. Net Type: Allocated to APNIC. Tested viewdns.info range: unknown - 219.90.62.255
- 219.90.62.173:
- dominatingduos.com: 2013-08-12T17:53:09. No archive
- has other domains
- 219.90.62.193: centralnewsreleasers.com. Only a 2018 of the robots.txt: web.archive.org/web/*/http://centralnewsreleasers.com/* so likely not a hit
- 219.90.62.209: penniesbythemillions.com. No archives.
- 219.90.62.229: information-junky.com. Hit.
- 219.90.62.231: todosperuahora.com. Hit.
- 219.90.62.232: race26point2.com. Hit. No archives, but has subdomain: secure.race26point2.com, so likely CGI comms.
- 219.90.62.233: theworld-news.net. Hit.
- 219.90.62.234: recuerdosdeviajeonline.com. Hit
- 219.90.62.235: ordenpolicial.com. No Wayback Machine archives. Last resolved: 2012-01-11.
- 219.90.62.237: elcorreodenoticias.com. Hit.
- 219.90.62.238: freshtechonline.com. Hit.
- 219.90.62.240: cityworldnewsnow.com. Hit. No archives but has subdomain: secure.cityworldnewsnow.com so likely CGI comms.
- 219.90.62.241: newscentertoday.com. Hit.
- 219.90.62.242: ride-captain.com. Hit.
- 219.90.62.244: easytraveleurope.com. Hit.
- 219.90.62.245: world-news-now.net. Hit.
- 219.90.62.246: negativeaperture.com. Hit.
- 219.90.62.247: conquermstoday.com. Hit
- 219.90.62.249: forensic-exchange.com. 2013 archive: web.archive.org/web/20130714094026/http://forensic-exchange.com/. Appears to be a buggy Wayback Machine archive somehow, so inconclusive.
secure subdomain search on 2013 DNS Census by Ciro Santilli 35 Updated 2024-12-23 +Created 1970-01-01
Grepping the 2013 DNS Census first by overused CGI comms subdomains
secure.
and ssl.
leaves 200k lines. Grepping for the overused "news" led to hits:- secure.worldnewsandent.com,2012-02-13T21:28:15,208.254.40.117
- ssl.beyondnetworknews.com,2012-02-13T20:10:13,66.104.175.40
Also tried but failed:
sports
:- secure.motorsportdealers.com,2012-04-10T20:19:09,64.73.117.38 web.archive.org/web/20110501000000*/motorsportdealers.com
OK, after the initial successes in New results: only one...
secure.
, we went a bit more data intensive:- took all
secure.*
ssl.*
URLs in the 2013 DNS Census, 70k entries - cleaned up a bit, e.g. only
.com
or.net
. this left only, 30k entries only - lopped over all of them in archive CDX: Wayback Machine CDX scanning, searching for those that also end in
.cgi
web.archive.org/cdx/search/cdx?url=$domain&matchType=domain&filter=urlkey:.*.cgi&to=20140101000000. Took an afternoon, but no rate limit block. - this leaves about 1000, so we loop over all of them manually on web archive with a script, and opened any that had the pattern of very vew hits between 2010 and 2013 only, and on those check for visual/thematic style match. Careful not to make more than 15 requests per minute or else 5 min blacklist!
- 208.254.42.205 secure.driversinternationalgolf.com,2012-02-13T10:42:20,
After 2013 DNS Census virtual host cleanup heuristic keyword searches we later understood why there were so few hits here: the 2013 DNS Census didn't capture the
secure.
subdomains of many domains it had for some reason. Shame, because if it had, this method would have yielded many more results.There are four main types of communication mechanisms found:These have short single word names with some meaning linked to their website.
- There is also one known instance where a .zip extension was used! web.archive.org/web/20131101104829*/http://plugged-into-news.net/weatherbug.zip as:
<applet codebase="/web/20101229222144oe_/http://plugged-into-news.net/" archive="/web/20101229222144oe_/http://plugged-into-news.net/weatherbug.zip"
JAR is the most common comms, and one of the most distinctive, making it a great fingerprint.Several of the JAR files are named something like either:as if to pose as Internet speed testing tools? The wonderful subtleties of the late 2000s Internet are a bit over our heads.- meter.jar
- bandwidth.jar
- speed.jar
All JARs are directly under root, not in subdirectories, and the basename usually consist of one word, though sometimes two camel cased. - JavaScript file. There are two subtypes:
- JavaScript with SHAs. Rare. Likely older. Way more fingerprintable.
- JavaScript without SHAs. They have all been obfuscated slightly different and compressed. But the file sizes are all very similar from 8kB to 10kB, and they all look similar, so visually it is very easy to detect a match with good likelyhood.
- Adobe Flash swf file. In all instances found so far, the name of the SWF matches the name of the second level domain exactly, e.g.:While this is somewhat of a fingerprint, it is worth noting that is was a relatively commonly used pattern. But it is also the rarest of the mechanisms. This is a at a dissonance with the rest of the web, which circa 2010 already had way more SWF than JAR apparently.
http://tee-shot.net/tee-shot.swf
- CGI comms
Because the communication mechanisms are so crucial, they tend to be less varied, and serve as very good fingerprints. It is not ludicrous, e.g. identical files, but one look at a few and you will know the others.
We've come across a few shallow and stylistically similar websites on suspicious ranges with this pattern.
No JS/JAR/SWF comms, but rather a subdomain, and an HTTPS page with .cgi extension that leads to a login page. Some names seen for this subdomain:
secure.
: most commonssl.
: also common- various other more creative ones linked to the website theme itself, e.g.:
- musical-fortune.net has a backstage.musical-fortune.net
The question is, is this part of some legitimate tooling that created such patterns? And if so which? Or are they actual hits with a new comms mechanism not previously seen?
The fact that:suggests to Ciro that they are an actual hit.
- hits of this type are so dense in the suspicious ranges
- they are so stylistically similar between on another
- citizenlabs specifically mentioned a "CGI" comms method
In particular, the
secure
and ssl
ones are overused, and together with some heuristics allowed us to find our first two non Reuters ranges! Section "secure subdomain search on 2013 DNS Census"Some currently known URLsIf we could do a crawl search for
- backstage.musical-fortune.net/cgi-bin/backstage.cgi
- clients.smart-travel-consultant.com/cgi-bin/clients.cgi
- members.it-proonline.com/cgi-bin/members.cgi
- members.metanewsdaily.com/cgi-bin/ABC.cgi
- miembros.todosperuahora.com/cgi-bin/business.cgi
- secure.altworldnews.com/cgi-bin/desk.cgi
- secure.driversinternationalgolf.com/cgi-bin/drivers.cgi
- secure.freshtechonline.com/cgi-bin/tech.cgi
- secure.globalnewsbulletin.com/cgi-bin/index.cgi
- secure.negativeaperture.com/cgi-bin/canon.cgi
- secure.riskandrewardnews.com/cgi-bin/worldwide.cgi
- secure.theworld-news.net/cgi-bin/news.cgi
- secure.topbillingsite.com/cgi-bin/main.cgi
- secure.worldnewsandent.com/cgi-bin/news.cgi
- ssl.beyondnetworknews.com/cgi-bin/local.cgi
- ssl.newtechfrontier.com/cgi-bin/tech.cgi
- www.businessexchangetoday.com/cgi-bin/business.cgi
- heal.conquermstoday.com (path unknown)
secure.*com/cgi-bin/*.cgi
that might be a good enough fingerprint, maybe even *.*com/cgi-bin/*.cgi
. Edit: it is not perfect, but we kind of did it: Section "secure subdomain search on 2013 DNS Census".Edit: Carson was found Oleg Shakirov's findingsby Oleg Shakirov:
alljohnny.com
, communicated at: twitter.com/shakirov2036/status/1746729471778988499, earliest archive from 2004 (!): web.archive.org/web/20040113025122/http://alljohnny.com/, The domain was hidden in plain sight, it was present in a not very visible watermark visible in the Reuters article screenshot! The watermark was added to the CIA to the background image, it is actually present on the website. In retrospect, it was actually present at on the expired domain trackers dataset, but the mega discrete all
second word made Ciro Santilli miss it: github.com/cirosantilli/expired-domain-names-by-day-2015/blob/9d504f3b85364a64f7db93311e70011344cff788/07/05/02#L1572What follows is the previous
The fact that the Reuters article has a screenshot of it, and therefore a Wayback Machine link, plus the specificity of the website topic, will likely keep Ciro awake at night for a while until someone finds that domain.
Some text visible on the Reuters screenshot:It is unclear however if this text is plaintext or part of a an image.
Johnny Carson and The Tonight Show
Your Favorite Host and Comedic Genius
Submit Your Favorite Carson Moment
Heeere's Johnny!
Holy crap, the "Here's Johnny" line from The Shining (1980) is a reference to Johnny Carson: www.youtube.com/watch?v=WDpipB4yehk, www.youtube.com/watch?v=aYnyPAkgyvc, Ciro never knew that... but every American would have understood it at the time.
Some failed attempts, either dry guesses or from DNS grepping dataset searches:
- johnnycarson.com: official
- johnnycarson.net: fan site: web.archive.org/web/20010501225614/http://johnnycarson.net/
- johnnycarsontonight.com
- carson-johnny.com: legit
- johnnycarsonshow.com: web.archive.org/web/20110208005558/http://johnnycarsonshow.com/captcha/index.php?d=johnnycarsonshow.com your IP has been blocked
- tributetojohnnycarson.com: only one archive web.archive.org/web/20180805132430/http://tributetojohnnycarson.com/
- bestofjohnnycarson.com: web.archive.org/web/20130525035938/http://bestofjohnnycarson.com/ Lived past 2013.
- bestofjohnny.com/: web.archive.org/web/20130506011824/http://bestofjohnny.com/ empty
- johnnycarsonvideo.com: dead early 2000s web.archive.org/web/20130605152818/http://johnnycarsonvideo.com/
- johnnycarsontv.com: web.archive.org/web/20230000000000*/johnnycarsontv.com
- thejohnnycarsonshow.com: web.archive.org/web/20230000000000*/thejohnnycarsonshow.com
- carsonsbest.com: web.archive.org/web/20230000000000*/carsonsbest.com
- johnnycarsonfans.com: web.archive.org/web/20230000000000*/johnnycarsonfans.com
- web.archive.org/web/20230000000000*/carsonified.com
- night:
- amazing:
- johnnyamazing.com: broken archives: web.archive.org/web/*/http://johnnyamazing.com/*
- carson
- johnneycarson.com: no archives
- johnnycarson.co: no archives
- johnnycarsons.info
- johnnycarsons.com
- johnnycarson.org
- johnnycarsonsdesk.com
- johnny-carson-video.com
- johnnycarsondvd.org
- johnnycarsondvds.org
- johnnycarsondvd.net
- johnnycarsondvd.tv
- johnnycarsondvds.net
- johnnycarsondvds.tv
- johnnycarson.tv
- johnnyguitarcarson.com
- johnnycarsonmovie.com
- hookedonjohnnycarson.com
- johnnycarsonbook.com
- licensingjohnnycarson.com
- johnnnycarson.com
- johnnycarson360.com
- koalajohnnycarson.com
- johnny-carson.com
- johnnycarsonbirthplace.com
- johnnycarsonbirthplace.net
- johnny:
- heres:
- heresjohnnyfilm.com: web.archive.org/web/20131011115733/http://www.heresjohnnyfilm.com/ legit
- hereisjohnny.net: no archives
- heresjohnnyradioshow.com: web.archive.org/web/20130509042107/http://heresjohnnyradioshow.com/, Legit most likely: web.archive.org/web/20140517103512/http://heresjohnnyradioshow.com/
- wherejohnnylives.net: broken archives
- heresjohnny.com: squat web.archive.org/web/20130607145841/http://heresjohnny.com/ Many other TlD like .net, .co.uk
- heeeeresjohnny.com: web.archive.org/web/20130612211448/http://heeeeresjohnny.com/: legit
- night:
- johnnylatenight.com: web.archive.org/web/20150801132622/http://johnnylatenight.com/ Legit broken
- web.archive.org/web/20110208161513/http://www.johnnysnight.com/
- heres:
- johnnycarson.org: squatted past 2013, nothing before
- carsonshow.com: squat: web.archive.org/web/20110224211714/http://carsonshow.com/
- tonightshow247.net: web.archive.org/web/20101226190209/http://tonightshow247.net/: squat
- tonightshow.tv: web.archive.org/web/20141221222442/http://www.tonightshow.tv/: legit
Searching the Wayback Machine proved fruitless. There is no full text search: Wayback Machine full text search, and a heuristic web.archive.org/web/20230000000000*/Johnny%20Carson search has relevant hits but not the one we want.
Another attempt was to search for "carson" on webmasterhome.cn which lists expired domains in bulk by expiration day, and it search engine friendly. It contains most of the domains we've found so far. Google either doesn't support partial word search or requires you to be a God to find it
so we settle for DuckDuckGo which supports it: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22&t=h_&ia=web Adding years also helps: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22+2011&ia=web with this we might be getting all possible results. Ciro went through all in 2011, 2012 and 2013 but no luck. Also fuck en.wikipedia.org/wiki/Carson_City,_Nevada and en.wikipedia.org/wiki/Carson,_California :-)
Let's search tools.whoisxmlapi.com/reverse-whois-search for "carson" contained in any historic domain name. 10,001 lines. Grepping those, no good Wayback machine hits for those that also contain "johnny" or "show". Data at: raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/tools.whoisxmlapi.com_reverse-whois-search_carson.csv in case anyone want to try and dig...
Let's also search the fortuitously timed 2013 DNS Census.
All IP ranges have some holes in them for which we don't have a domain name.
It is because there was nothing there, or just because we don't have a good enough reverse IP database?
It can't be HTML crawl because presumably there wouldn't have been links to those websites? Presumably this is why Common Crawl doesn't seem to have any hits.
So they must have had some kind of DNS A record database?
Or would IPv4 sweep have worked, without the
Host
header with the CIA's setup?The same question also applies to the 2013 DNS Census. It has less hits, but still has many.
Whatever they did, we are so so glad that they did!
.com and .net are very dominant. Here we list other choices made:
.info
: has a few hits:Did a full Wayback Machine CDX scanning on .info after:That makes about 10k domains, so it's about the right size.grep -e news -e noticias -e nouvelles -e world -e global
.org
: has a least one hit, see: Are there .org hits?.biz
:- unarchived comms:
- atthemovies.biz
- unarchived comms:
The porn version of Crushbridge, died in 2020.
The name actually comes from "any". Amazing.
All known anyons are quasiparticles.
The Spiders' Web: Britain's Second Empire by Ciro Santilli 35 Updated 2024-12-23 +Created 1970-01-01
Unlisted articles are being shown, click here to show only listed articles.