Daesh Darknet: Under The Hood
After having mirrored the new “unofficial” official da’esh darknet site I have some more insight into who may have done this as well as where the data is coming from. First off, a mea culpa of sorts: this site claims to be the “unofficial” source for the darknet, but it is using feeds from official sources. So unless you really don’t understand da’esh you could call it unofficial, but the reality is they will claim just about anything as a win, and at their behest, so make of that what you will. In either case this site exists, it is using approved da’esh propaganda from Al-Hayat, and thus to me it’s still pretty official.
So back to the under the hood look at this new darknet propaganda tool…
Once I started looking at the site code the following became apparent:
- It’s a wordpress site
- It’s got a backend feed in the clear
- It’s a re-hash of a site out on the clearnet called isdarat.tv
- It’s an amateur job at darknet security
Since this story hit all the news sites many people called into question whether or not this was a ‘real’ site because… Well, I have no idea why people would call it into question really. Anyway, the fact of the matter is that this was put up by an acolyte of da’esh who at least has enough wherewithal to get a host in the darknet and forward a clearnet feed to it. The fact that they are using WordPress 4.3 is another interesting tidbit. Perhaps they are not the mental geniuses some people, maybe the ones calling this site into question in the first place, were imagining. You see kids, these guys are not all mental geniuses ok? They make mistakes all the time and most of the time they are rookie stupid ones at that.
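The two mistakes described above, a clearnet feed pulled into a hidden service and a WordPress version advertised in the page, are exactly the sort of thing a mirrored copy of a site gives away. The following is an added example, not code from the original post, that walks a saved HTML page and reports every non-.onion host it references plus any generator meta tag. The sample page, its hostnames and the feed path are constructed for the example and are not values taken from the real site.

```python
# Added example (not from the original post): audit a mirrored hidden-service
# page for clearnet references and version disclosure.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; hostnames and paths are assumptions for the example.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 4.3">
<link rel="alternate" type="application/rss+xml"
      href="http://feed.example-clearnet.invalid/feed/">
<link rel="stylesheet" href="http://abcdefghijklmnop.onion/wp-content/style.css">
</head><body>
<a href="/videos/">videos</a>
<a href="http://abcdefghijklmnop.onion/videos/page/2/">more</a>
<img src="https://cdn.example-clearnet.invalid/logo.png">
<div class="footer"><a href="http://esdaratreturn.example.invalid">mirror</a></div>
</body></html>
"""

# Attributes that commonly carry a URL the browser will fetch or follow.
URL_ATTRS = {"href", "src", "action", "data"}


class LeakAuditor(HTMLParser):
    """Collect every host the page references and any generator meta tag."""

    def __init__(self):
        super().__init__()
        self.clearnet_hosts = set()
        self.onion_hosts = set()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.generator = attrs.get("content")
        for name in URL_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            host = urlparse(value).hostname
            if not host:
                continue  # relative URL, stays on the same host
            if host.endswith(".onion"):
                self.onion_hosts.add(host)
            else:
                self.clearnet_hosts.add(host)


def audit_page(html: str) -> dict:
    """Return the clearnet hosts, onion hosts and generator string found in a page."""
    parser = LeakAuditor()
    parser.feed(html)
    return {
        "clearnet_hosts": sorted(parser.clearnet_hosts),
        "onion_hosts": sorted(parser.onion_hosts),
        "generator": parser.generator,
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML)
    for host in report["clearnet_hosts"]:
        print("clearnet reference:", host)
    if report["generator"]:
        print("version disclosure:", report["generator"])
```

Every clearnet host a hidden service references is a place where a visitor's browser, or the server itself when it fetches a feed, talks to infrastructure outside Tor; the report lists those hosts so the leak can be fixed or, from the analyst's side, followed up with the WHOIS and scan data the rest of the post shows.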
That said, here is the data I pulled from the site:
inetnum: 22.214.171.124 – 126.96.36.199
descr: Choopa, LLC
status: ALLOCATED PA
source: RIPE # Filtered
org-name: Choopa, LLC
address: 100 Matawan Rd. Suite 420
address: NJ 07747
address: UNITED STATES
source: RIPE # Filtered
person: Choopa Network
address: 100 Matawan Rd. Suite 420 Matawan, NJ 07747
source: RIPE # Filtered
As you can see, the site in the clearnet is hosted out of Choopa LLC, which has its HQ in New Jersey. However, when you start to dig on this you also get information that the server actually resides in Amsterdam.
Either way, the system behind this data feed is in fact a windows box and could be vulnerable to some attacks as you can see from this Nmap:
Nmap scan report for 188.8.131.52.vultr.com (184.108.40.206)   (VULTR.com is a virtual hosting service connected to Choopa)
Host is up (0.11s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931
All this data leads me to believe that the end user can be tracked down easily enough by authorities, but I also think that without that, I can still track down who set this up without having to attack an onion site like the FBI. Besides, I don’t have a million dollars to give to a university to deanonymize anything. So let’s look at it from another angle. When you look at the onion site, if you look carefully, at the bottom right corner of the pages you see the following address: esdaratreturn.info. Let’s have a closer look at that and see what we find, shall we?
EsdaratReturn is a re-spelling of “Isdarat”, which was a site put together by da’eshbags in the past to be the alternative to YouTube, as you can see below. This site is presently offline it seems, and my guess is that this person(s) wanted to re-kindle that flame in the darknet because their site went boom boom. Isdarat started in May it seems and I am not fully up to speed on its history. That will be for my next blog post. I plan on continuing the backtrace to accounts on twitter that mentioned not only Isdarat, but also esdarat. Once I backtrack I believe I will be able to come up with the who and more of the why this site came to be in the darknet.
In the meantime though, I suspect that this post will cause a stir in the jimmies not only of the creator of the onion site but also of all those keen watchers out there who wanna take things down like esdarat or isdarat or whatever shingle the daeshbags hang to serve their propaganda from. Since the RSS box is in the clearnet and the content seems to be coming from Google, I expect to see a site in the darknet soon without any real content on it, if you know what I mean… Have fun kids!
Make it so.
UPDATE: Seems the daeshbag onion has fallen down and gone boom already!
UPDATE 2 11/23/2015
Now both of the sites are down. The onion site and the backend RSS in the clearnet.
Fall down… Go boom.