Al-Ansar Jihadist Site: Mapping Jihad
Seeing the traffic lately on Twitter between @allthingsct and Jokey, I thought it prudent to once again put some perspective on jokey’s little venture and how futile it really is. So, I bring to you this report I have generated on “Ansar-AlJihad”, a consortium of sites that are run by the same “persons” of interest and serve up jihadi content and links.
The picture above is a stealth mirror site of Ansar. The site is located in the US on a server that I assume the owners do not know has been compromised. This is just one of twelve sites that Ansar has stood up on varying servers and domains. Several of these sites all reside on IP addresses out of the US but being registered domains whose owner claims to be in Brussels.
The stealth site is physically located in Provo UT:
While the other sites primarily reside in Washington State:
The last site is physically located in Malaysia, which interestingly enough is a very active area for jihadi activity these last few years. All of these sites though, mirror the data that is updated consistently over all sites. Thus, should any site be taken down or denied service, one can just go to the next in line located on the main page, and get your jihadi content.
The addition of the stealth site proves the point that even IF all of the sites were to be taken down, they would indeed back up to the stealth site strategy and just keep popping sites to upload to. So, jokey’s little idea that just annoying them offline forever and they will just go away is a fallacy at best and half baked logic at worst.
Meanwhile, let’s consider the other way to deal with these sites. By tracking them, their users, and their data.
By looking at the domains, the home IP addresses, and the links as well as the data on these sites you can get a pretty good picture of who may be setting up these sites and who may be using them. In the case of Al Ansar, I was able to use Maltego to get a line on one site of interest that gave up a solid name and email address.
The Maltego made the connection between the Ansar site and three Blogspot accounts. The one that was the most of interest was pathtomartyrdom.blogspot.com:
The owner of this site actually used a hotmail address and a name to set up the blog.
This address was used in a few posts on Yahoo and not much else. However, I am sure that the authorities would be able to talk to M$ about opening that one up and seeing who said what to whom. Of course given the recent flap with Cryptome and the M$ guide for LEO’s I am quite sure they have all the logged traffic and can provide it when asked.
So, as you can see, with a little footprinting, a little digging, and some patience, you can do a lot more than just DDoS a site offline. You can in fact provide the authorities with the data needed to maybe catch these guys instead of drive them under the digital carpet.
My hope is that these sites are already in the hands of the authorities here in the states and their traffic being logged. It would be great to see that the server had been set up to have all the captures taken so even if the jihadists were using proxies they could at least track those too. It’s all links in a chain that can be followed to the source.
It may also be a key practice that these sites are not only watched, but also being actively added to by the authorities here. One would hope that they would be members on these sites also, adding content to “disinform” the jihadi’s and catch them in the act.
Ahh well.. One can hope huh?
Needless to say, I have posted the findings report to the feds and will wait to see what they do…