Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

isdratetp4donyfy.onion The Da’esh Darknet Propaganda Site: Down But Still Telling Tales

Screenshot from 2015-11-15 16:46:15

The Isdarat Onion and the MoD Address:

After posting my second piece on the da’esh propaganda site in the darknet (under the hood) it wasn’t long before the darknet site was down for the count. Interestingly though, before it went down some information could be gleaned as to perhaps its IP address as well as what it was running. I had already mentioned that it was running a WordPress frontend, but behind everything was a bit more interesting. When a whatweb was carried out on the URL it came back with an IP address that on the face of it was just another IP. However, when Googled, the IP had a nice little hit that shed some light on perhaps what may have been going on before I got there.

Whatweb -v

http://isdratetp4donyfy.onion/ [200]
http://isdratetp4donyfy.onion [200] Country[RESERVED][ZZ], HTTPServer[nginx/1.8.0], IP[10.213.114.145], UncommonHeaders[link], nginx[1.8.0], x-pingback[http://isdratetp4donyfy.onion/ar/xmlrpc.php]
URL    : http://isdratetp4donyfy.onion
Status : 200
Country --------------------------------------------------------------------
Description: Shows the country the IPv4 address belongs to. This uses
the GeoIP IP2Country database from
http://software77.net/geo-ip/. Instructions on updating the
database are in the plugin comments.
String     : RESERVED
Module     : ZZ

HTTPServer -----------------------------------------------------------------
Description: HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String     : nginx/1.8.0 (from server string)

IP -------------------------------------------------------------------------
Description: IP address of the target, if available.
String     : 10.213.114.145

UncommonHeaders ------------------------------------------------------------
Description: Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at http://www.http-stats.com
String     : link (from headers)

nginx ----------------------------------------------------------------------
Description: Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server. - Homepage: http://nginx.net/
Version    : 1.8.0

x-pingback -----------------------------------------------------------------
Description: A pingback is one of three types of linkbacks, methods for
Web authors to request notification when somebody links to
one of their documents. This enables authors to keep track
of who is linking to, or referring to their articles. Some
weblog software, such as Movable Type, Serendipity,
WordPress and Telligent Community, support automatic
pingbacks
String     : http://isdratetp4donyfy.onion/ar/xmlrpc.php

Once you Googled the IP address alone you got some usual stuff, but one thing stood out: an index of logs for that IP and another. What was this? Well, it was a site holding the logs for a keylogger by DarkZhyk, a Russian keylogger RAT. So, it seems that this IP address as of February 28th 2015 had a RAT/keylogger on the box that had the IP at the time. Now, the question is: was this IP a static box that held the onion, or was this somehow the box that the webserver sat on? I really would have to do some more digging, but let’s just leave that for now because it is the second address that is the interesting bit. It seems that 25.154.73.36 belongs to the Ministry of Defense in the U.K.
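Before pivoting on an address pulled out of a whatweb line it is worth having a tool sort the reported fields and classify the IP and the stack indicators. The following Python is an added example and not part of the original post or of whatweb itself: it parses the one-line ("brief") whatweb result format shown above (the sample line is copied from that output), flags the IP as private or routable using the standard `ipaddress` module, and records the two exposure points a defender would act on (an advertised WordPress XML-RPC endpoint and a disclosed server version). Function names and the note wording are my own.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample input: the brief-format whatweb line from the post above.
SAMPLE_LINE = (
    "http://isdratetp4donyfy.onion [200] Country[RESERVED][ZZ], "
    "HTTPServer[nginx/1.8.0], IP[10.213.114.145], UncommonHeaders[link], "
    "nginx[1.8.0], x-pingback[http://isdratetp4donyfy.onion/ar/xmlrpc.php]"
)

# "<url> [<status>] <plugin>[<val>]..., <plugin>[<val>]..."
_HEAD = re.compile(r"^(?P<url>\S+)\s+\[(?P<status>\d{3})\]\s*(?P<rest>.*)$")
# A plugin name followed by one or more bracketed values, e.g. Country[RESERVED][ZZ]
_PLUGIN = re.compile(r"(?P<name>[\w-]+)(?P<vals>(?:\[[^\]]*\])+)")


def parse_whatweb_brief(line: str) -> Dict[str, object]:
    """Split one brief-format whatweb line into url, status and per-plugin value lists."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError("not a whatweb brief-format line")
    plugins: Dict[str, List[str]] = {}
    for p in _PLUGIN.finditer(m.group("rest")):
        plugins[p.group("name")] = re.findall(r"\[([^\]]*)\]", p.group("vals"))
    return {"url": m.group("url"), "status": int(m.group("status")), "plugins": plugins}


def assess(parsed: Dict[str, object]) -> Dict[str, object]:
    """Analyst triage of a parsed line: is the IP a usable pivot, and what is exposed?"""
    plugins: Dict[str, List[str]] = parsed["plugins"]  # type: ignore[assignment]
    host = urlparse(str(parsed["url"])).hostname or ""
    notes: List[str] = []
    ip_pivotable = False

    for raw in plugins.get("IP", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            notes.append(f"IP[{raw}]: not a valid address")
            continue
        if ip.is_private:
            # 10/8, 172.16/12, 192.168/16 (RFC 1918) never identify a public host;
            # for a .onion the value usually reflects a local proxy or an internal interface.
            notes.append(f"IP[{raw}]: RFC 1918 private range, not a public address, do not pivot on it")
        elif ip.is_loopback or ip.is_link_local or ip.is_reserved:
            notes.append(f"IP[{raw}]: non-routable special-purpose address")
        else:
            ip_pivotable = True
            notes.append(f"IP[{raw}]: globally routable, candidate for passive DNS/WHOIS lookups")

    # x-pingback pointing at xmlrpc.php is the WordPress fingerprint; XML-RPC is a
    # frequent abuse surface and is best disabled when not needed.
    xmlrpc = any(v.lower().endswith("xmlrpc.php") for v in plugins.get("x-pingback", []))
    if xmlrpc:
        notes.append("WordPress XML-RPC endpoint advertised via x-pingback; disable unless required")

    # A Server header with a version ("nginx/1.8.0") is a disclosure; nginx hides it
    # with 'server_tokens off;'.
    version_disclosed = any("/" in v for v in plugins.get("HTTPServer", []))
    if version_disclosed:
        notes.append("server version disclosed in Server header; consider 'server_tokens off;'")

    return {
        "host": host,
        "onion": host.endswith(".onion"),
        "ip_pivotable": ip_pivotable,
        "wordpress_xmlrpc": xmlrpc,
        "server_version_disclosed": version_disclosed,
        "notes": notes,
    }


if __name__ == "__main__":
    for note in assess(parse_whatweb_brief(SAMPLE_LINE))["notes"]:
        print("-", note)
```

Run against the sample line the triage flags the reported IP as private, records the WordPress XML-RPC and version-disclosure findings, and leaves only the two hardening items as actionable output.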

Screenshot from 2015-11-24 14:42:06

Screenshot from 2015-11-24 14:42:58

Screenshot from 2015-11-24 14:44:25

That’s right kids, in February of this year that IP address cited from that whatweb was logged into by the MoD. Quite the interesting tidbit huh? I did not poke around the MoD at all but I have told some peeps to keep their eyes open and maybe wink wink nudge nudge some folks about this. Could this be a sign that the site was already compromised? The box itself compromised? That the MoD knew about this box and already had been inside it? One wonders. I do know though that the clearnet RSS feed was a Windows box as well, and in all it took no time whatsoever for the kiddies to take this site down. It’s pretty much as I intoned in the last piece: this site was pretty poorly secured.

So let the games begin!

But wait, there’s more!

Screenshot from 2015-11-25 13_54_33

In the interim, as the site was down, I decided to do all the OSINT work on the players involved. See, unlike Anonymous or goatsec, I actually do research on targets before I do any kind of reporting. In looking at these guys it became clear that not only were their sites all over the place but also that they are in fact Indonesian in origin. It seems that these guys spend quite a bit of time buying domains anonymously to RSS feed this shit to the world under the “Isdarat” moniker. Isdarat, by the way, is “to spread” in Arabic, so basically to spread the word so to speak. While Anonymous has been trying to swat all these sites down they have just gone back to backup sites as usual with no real effect on their ability to stream videos and push the propaganda levers for da’esh.

Screenshot from 2015-11-29 12_30_43

http://isdarat.in.hypestat.com/

http://isdarat.xyz.hypestat.com/

http://isdarat.tv.hypestat.com/

http://isdarat.sd.hypestat.com/

http://isdarattv.blogspot.com/

http://isdarat.tumblr.com/

http://isdarat-istube.cf

https://khilafahdaulahislamiyyah.wordpress.com/

http://web.archive.org/web/20150430091539/http://isdarat.in/

http://khilafahtoday.blogspot.no/2015/05/terowongan-tentara-khilafah-menyusup-ke.html

https://plus.google.com/100434261915807680617/posts

https://www.facebook.com/pages/Khilafah-daulah-Islamiyyah/726338634152991

http://www.al-hisbah.com/

Isdarat Admin: http://mig.me/u/isdarat

http://www.muqawamah.net/contact-us/ -> redaksi.muqawamah@gmail.com

and… redaski.daulahislamiyyah@gmail.com

Screenshot from 2015-11-29 12_33_40

Screenshot from 2015-11-29 12_31_58

Screenshot from 2015-11-29 12_31_21

Screenshot from 2015-11-29 12_27_28

Screenshot from 2015-11-29 11_56_07

Screenshot from 2015-11-29 11_21_42

Screenshot from 2015-11-29 11_19_14

Yep, these guys are all over the place. So far I have yet to get a lock on any real names. So far all the pseudonyms come back to either nonsense or, in one case, the name of a famous Indo jihadi who died back in 2009. The upshot here is that not too many people talk about the Malay or Indo areas where Jihad and da’esh are concerned. These players have been around for a long time and I used to see a lot of activity by them for AQ. Piradius, the hosting/internet company, was the Mos Eisley of the internet back in the day, and it may be time to circle back to that neck of the woods again and take a look around.

Oh well, I am sure the KDI/daulahislamiyyah guys will be back with main sites again to go along with all the other ones they have hidden around.

Anonymous/goatsec 0

daulahislamiyyah 1

K.

Written by Krypt3ia

2015/11/29 at 21:42

Posted in Da'esh, DARKNET
