Shamikh1.info: The New Den of Scum and Villainy
Well, that didn’t take long, did it? At least Evan got one thing right: they’d be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and on who is operating/hosting it, because they had a direct link back to the SQL instance. The site is not fully operational yet, but they are setting it up rapidly, as I surmised they would, on the domain shamikh1.info, which was registered in May as the backup domain.
I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia, so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I pretty much think you can all get a grasp of who’s where and what’s up, huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing, so nothing much may happen…
You intelligence agencies out there looking for a leg up… well, here it is… Enjoy.
Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out, as Evan suggests (without any proof as yet, mind you), or it may in fact be because the site was blocked at the domain level, as I pointed out in my last post on this matter. GoDaddy had suspended the domain, and I am not sure whether the mirrors on piradius were working before the alleged attack happened or not. At this point, it is anyone’s guess as to the attack’s perpetrators, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.
Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.
“Bollocks,” as they say in England.
Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:fce7ae13f22aa29d
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:firstname.lastname@example.org
Admin ID:fce7ae13f22aa29d
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200
IP address: 220.127.116.11
Persons Attached: Daru Kuncoro & Yogie Nareswara
Names of Admins: Yogie Nareswara & Daru Kuncoro
Email Contacts: email@example.com firstname.lastname@example.org
Nmap Scan Report:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Initiating Ping Scan at 07:39
Scanning 18.104.22.168 [2 ports]
Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:39
Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed
Initiating Connect Scan at 07:39
Scanning 22.214.171.124 [1000 ports]
Discovered open port 80/tcp on 126.96.36.199
Discovered open port 110/tcp on 188.8.131.52
Discovered open port 993/tcp on 184.108.40.206
Discovered open port 143/tcp on 220.127.116.11
Discovered open port 21/tcp on 18.104.22.168
Discovered open port 443/tcp on 22.214.171.124
Discovered open port 3306/tcp on 126.96.36.199
Discovered open port 995/tcp on 188.8.131.52
Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports)
Nmap scan report for 184.108.40.206
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi?
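A defender-side reading of that port list, as an added example that is not part of the original post: the script parses nmap’s normal-output port table and flags listeners a server should not be exposing to the internet. The exposure policy and the sample report are constructed for illustration, with 192.0.2.10 standing in for the real host.

```python
import re

# Constructed sample in nmap's normal-output format, modelled on the report quoted in
# the post; 192.0.2.10 is a documentation address standing in for the real host.
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
"""

# Exposure policy (our own assumption, not from the post): a database listener should
# never be internet-facing, and cleartext mail/file protocols have TLS equivalents.
NEVER_PUBLIC = {"mysql": "restrict to localhost or a private network and firewall the port"}
CLEARTEXT = {"ftp": "ftps", "pop3": "pop3s", "imap": "imaps"}

PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(report):
    """Return [(port, service), ...] for every 'open' row of the port table."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == "open":
            ports.append((int(m.group(1)), m.group(3)))
    return ports

def assess(report):
    """Return (port, service, severity, note) tuples for exposures, lowest port first."""
    open_services = {svc: port for port, svc in parse_open_ports(report)}
    findings = []
    for svc, port in open_services.items():
        if svc in NEVER_PUBLIC:
            findings.append((port, svc, "high", NEVER_PUBLIC[svc]))
        elif svc in CLEARTEXT:
            secure = CLEARTEXT[svc]
            if secure in open_services:
                note = f"cleartext {svc} still enabled alongside {secure}; disable {svc}"
            else:
                note = f"cleartext {svc} exposed with no {secure} listener; move to {secure}"
            findings.append((port, svc, "medium", note))
    return sorted(findings)
```

The MySQL listener on 3306 comes out as the one high-severity finding; the same check runs unchanged over any report saved with `nmap -oN`.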
Site Contact Data:
Guess they are still working on the server connections… I am also sure that soon they will have more stealth servers out there in Malaysia. So the mirroring will begin, with the SQL instance doing the push. Let’s see how long it is before this one is taken down, shall we? Oh, and next time an attack happens, let’s all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype from talking heads who have no idea what they are talking about when it comes to information warfare or network security.